authorBryan Ferris <bferris@google.com>2019-05-21 12:38:19 -0700
committerJP Sugarbroad <jpsugar@google.com>2019-08-07 14:12:06 -0700
commitdf4251b0a58b6a354da67d535a732b17b4e5d89b (patch)
treef64d94200aeba991a44e87fceef32515508f977d
parentee577ce589e9d52b1e27166140817120bad123f1 (diff)
[RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() from startActivityInPackageandroid-7.1.1_r61nougat-mr1-security-release
Previously startActivity would assume that the system was the calling user when startActivityInPackage was called. Now the uid of the calling application is forwarded by the system. Test: manual; we added logging statements to check the value of realCallingUid in startActivitiesMayWait when launching the calendar app from the calendar widget and verified that it was the calendar uid rather than the system uid. Bug: 123013720 Change-Id: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e Merged-In: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e (cherry picked from commit 216f65bf60a9fb6f3a495d083e5fbb54ae2a9f66)
-rw-r--r--services/core/java/com/android/server/am/ActivityManagerService.java17
-rw-r--r--services/core/java/com/android/server/am/ActivityStarter.java56
2 files changed, 57 insertions, 16 deletions
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index bc9d58eec3b1..f1299f6b3945 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -4738,9 +4738,9 @@ public final class ActivityManagerService extends ActivityManagerNative
userId, false, ALLOW_FULL_ONLY, "startActivityInPackage", null);
// TODO: Switch to user app stacks here.
- int ret = mActivityStarter.startActivityMayWait(null, uid, callingPackage, intent,
- resolvedType, null, null, resultTo, resultWho, requestCode, startFlags,
- null, null, null, bOptions, false, userId, container, inTask);
+ int ret = mActivityStarter.startActivityMayWait(null, uid, ActivityStarter.PID_NULL, uid,
+ callingPackage, intent, resolvedType, null, null, resultTo, resultWho, requestCode,
+ startFlags, null, null, null, bOptions, false, userId, container, inTask);
return ret;
}
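Review bot: The new call on the `+` lines passes `uid` as the real calling uid but leaves the pid at `ActivityStarter.PID_NULL`, so inside startActivityMayWait the pid falls back to `Binder.getCallingPid()` while the uid does not; the resulting (realCallingPid, realCallingUid) pair therefore describes two different processes, presumably the system server and the app on whose behalf it is starting (the hunk does not show who calls startActivityInPackage). Any downstream consumer that treats the pair as one identity should know this is intentional, so the call site deserves a comment such as `// realCallingPid is unknown here (PID_NULL -> Binder pid); only the uid reflects the originating app.` The enclosing startActivityInPackage method begins before this hunk.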
@@ -4760,12 +4760,19 @@ public final class ActivityManagerService extends ActivityManagerNative
final int startActivitiesInPackage(int uid, String callingPackage,
Intent[] intents, String[] resolvedTypes, IBinder resultTo,
Bundle bOptions, int userId) {
+ return startActivitiesInPackage(uid, ActivityStarter.PID_NULL, UserHandle.USER_NULL,
+ callingPackage, intents, resolvedTypes, resultTo, bOptions, userId);
+ }
+
+ final int startActivitiesInPackage(int uid, int realCallingPid, int realCallingUid,
+ String callingPackage, Intent[] intents, String[] resolvedTypes,
+ IBinder resultTo, Bundle bOptions, int userId) {
userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
userId, false, ALLOW_FULL_ONLY, "startActivityInPackage", null);
// TODO: Switch to user app stacks here.
- int ret = mActivityStarter.startActivities(null, uid, callingPackage, intents, resolvedTypes,
- resultTo, bOptions, userId);
+ int ret = mActivityStarter.startActivities(null, uid, realCallingPid, realCallingUid,
+ callingPackage, intents, resolvedTypes, resultTo, bOptions, userId);
return ret;
}
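Review bot: The new seven-argument overload keeps the pre-change behavior, treating the Binder caller (the system, when invoked from system_server) as the real caller via `PID_NULL`/`UserHandle.USER_NULL`, but nothing tells a reader that, so new code can easily keep calling it and reintroduce the problem this commit fixes. Add Javadoc on the short overload stating that the real calling identity defaults to the Binder identity and that callers acting on behalf of an app should use the overload taking realCallingPid/realCallingUid; the long overload should likewise document that `PID_NULL` and `UserHandle.USER_NULL` mean "fall back to Binder". The same applies to the ActivityStarter overloads in the later hunks (startActivityMayWait and startActivities).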
diff --git a/services/core/java/com/android/server/am/ActivityStarter.java b/services/core/java/com/android/server/am/ActivityStarter.java
index 06d8e4875e0a..0a2ef6ad3be7 100644
--- a/services/core/java/com/android/server/am/ActivityStarter.java
+++ b/services/core/java/com/android/server/am/ActivityStarter.java
@@ -127,6 +127,8 @@ import java.util.ArrayList;
* an activity and associated task and stack.
*/
class ActivityStarter {
+ public static final int PID_NULL = 0;
+
private static final String TAG = TAG_WITH_CLASS_NAME ? "ActivityStarter" : TAG_AM;
private static final String TAG_RESULTS = TAG + POSTFIX_RESULTS;
private static final String TAG_FOCUS = TAG + POSTFIX_FOCUS;
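Review bot: `PID_NULL` is introduced as a public constant without any comment, and its uid counterpart in this change is `UserHandle.USER_NULL`, a user-id constant reused as a uid sentinel, so the pairing is not discoverable from the declaration. Add Javadoc on the `+` line: `/** Sentinel for realCallingPid parameters meaning "not supplied; use Binder.getCallingPid()". The uid counterpart is UserHandle.USER_NULL. */`. Since the value is 0, the comment should also say that a caller-supplied pid of 0 is indistinguishable from "not supplied", which is acceptable because 0 is never an app process pid.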
@@ -712,12 +714,24 @@ class ActivityStarter {
UserHandle.CURRENT);
}
+ final int startActivityMayWait(IApplicationThread caller, int callingUid, String callingPackage,
+ Intent intent, String resolvedType, IVoiceInteractionSession voiceSession,
+ IVoiceInteractor voiceInteractor, IBinder resultTo, String resultWho, int requestCode,
+ int startFlags, ProfilerInfo profilerInfo, IActivityManager.WaitResult outResult,
+ Configuration config, Bundle bOptions, boolean ignoreTargetSecurity, int userId,
+ IActivityContainer iContainer, TaskRecord inTask) {
+ return startActivityMayWait(caller, callingUid, PID_NULL, UserHandle.USER_NULL,
+ callingPackage, intent, resolvedType, voiceSession, voiceInteractor, resultTo,
+ resultWho, requestCode, startFlags, profilerInfo, outResult, config, bOptions,
+ ignoreTargetSecurity, userId, iContainer, inTask);
+ }
+
final int startActivityMayWait(IApplicationThread caller, int callingUid,
- String callingPackage, Intent intent, String resolvedType,
- IVoiceInteractionSession voiceSession, IVoiceInteractor voiceInteractor,
- IBinder resultTo, String resultWho, int requestCode, int startFlags,
- ProfilerInfo profilerInfo, IActivityManager.WaitResult outResult, Configuration config,
- Bundle bOptions, boolean ignoreTargetSecurity, int userId,
+ int requestRealCallingPid, int requestRealCallingUid, String callingPackage,
+ Intent intent, String resolvedType, IVoiceInteractionSession voiceSession,
+ IVoiceInteractor voiceInteractor, IBinder resultTo, String resultWho, int requestCode,
+ int startFlags, ProfilerInfo profilerInfo, IActivityManager.WaitResult outResult,
+ Configuration config, Bundle bOptions, boolean ignoreTargetSecurity, int userId,
IActivityContainer iContainer, TaskRecord inTask) {
// Refuse possible leaked file descriptors
if (intent != null && intent.hasFileDescriptors()) {
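Review bot: The new parameters are named `requestRealCallingPid`/`requestRealCallingUid` here but `incomingRealCallingPid`/`incomingRealCallingUid` in the startActivities overload added later in this file, although both carry exactly the same sentinel contract. Pick one prefix for both signatures (for example `requestRealCallingPid, requestRealCallingUid` in startActivities as well) so that grep and Javadoc cross-references line up. The forwarding overload above also needs a one-line Javadoc saying it resolves the real caller from the Binder identity; the body of startActivityMayWait continues past this hunk.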
@@ -768,8 +782,14 @@ class ActivityStarter {
// Cannot start a child activity if the parent is not resumed.
return ActivityManager.START_CANCELED;
}
- final int realCallingPid = Binder.getCallingPid();
- final int realCallingUid = Binder.getCallingUid();
+
+ final int realCallingPid = requestRealCallingPid != PID_NULL
+ ? requestRealCallingPid
+ : Binder.getCallingPid();
+ final int realCallingUid = requestRealCallingUid != UserHandle.USER_NULL
+ ? requestRealCallingUid
+ : Binder.getCallingUid();
+
int callingPid;
if (callingUid >= 0) {
callingPid = -1;
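Review bot: The two fallbacks on the `+` lines are independent, so a caller that supplies only one half (as startActivityInPackage now does, passing the uid but `PID_NULL`) ends up with a realCallingPid from `Binder.getCallingPid()` and a realCallingUid from the request, i.e. a pid and uid from different processes. I could not see in this hunk how realCallingPid is consumed later, so I will not claim a concrete fault, but the mixed case should be stated where it is created: `// Either half may be overridden independently; a supplied uid with PID_NULL yields the Binder pid paired with the requested uid.` The enclosing startActivityMayWait starts before and ends after this hunk.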
@@ -780,6 +800,7 @@ class ActivityStarter {
callingPid = callingUid = -1;
}
+
final ActivityStack stack;
if (container == null || container.mStack.isOnHomeDisplay()) {
stack = mSupervisor.mFocusedStack;
@@ -921,8 +942,16 @@ class ActivityStarter {
}
final int startActivities(IApplicationThread caller, int callingUid, String callingPackage,
- Intent[] intents, String[] resolvedTypes, IBinder resultTo,
- Bundle bOptions, int userId) {
+ Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,
+ int userId) {
+ return startActivities(caller, callingUid, PID_NULL, UserHandle.USER_NULL, callingPackage,
+ intents, resolvedTypes, resultTo, bOptions, userId);
+ }
+
+ final int startActivities(IApplicationThread caller, int callingUid,
+ int incomingRealCallingPid, int incomingRealCallingUid, String callingPackage,
+ Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,
+ int userId) {
if (intents == null) {
throw new NullPointerException("intents is null");
}
@@ -933,8 +962,13 @@ class ActivityStarter {
throw new IllegalArgumentException("intents are length different than resolvedTypes");
}
- final int realCallingPid = Binder.getCallingPid();
- final int realCallingUid = Binder.getCallingUid();
+ final int realCallingPid = incomingRealCallingPid != PID_NULL
+ ? incomingRealCallingPid
+ : Binder.getCallingPid();
+
+ final int realCallingUid = incomingRealCallingUid != UserHandle.USER_NULL
+ ? incomingRealCallingUid
+ : Binder.getCallingUid();
int callingPid;
if (callingUid >= 0) {