[RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() f…
…rom startActivityInPackage

Previously startActivity would assume that the system was the calling user when
startActivityInPackage was called. Now the uid of the calling application is
forwarded by the system.

Test: manual; we added logging statements to check the value of realCallingUid
when launching the calendar app from the calendar widget and verified that it
was the calendar uid rather than the system uid.

Bug: 123013720
Change-Id: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
Merged-In: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
Bryan Ferris committed Jun 25, 2019
1 parent f951ac1 commit bab818f
Showing 2 changed files with 57 additions and 17 deletions.
Expand Up @@ -4703,9 +4703,9 @@ final int startActivityInPackage(int uid, String callingPackage,
userId, false, ALLOW_FULL_ONLY, "startActivityInPackage", null);

// TODO: Switch to user app stacks here.
int ret = mActivityStarter.startActivityMayWait(null, uid, callingPackage, intent,
resolvedType, null, null, resultTo, resultWho, requestCode, startFlags,
null, null, null, bOptions, false, userId, container, inTask);
int ret = mActivityStarter.startActivityMayWait(null, uid, ActivityStarter.PID_NULL, uid,
callingPackage, intent, resolvedType, null, null, resultTo, resultWho, requestCode,
startFlags, null, null, null, bOptions, false, userId, container, inTask);
return ret;
}

Expand All @@ -4725,12 +4725,19 @@ public final int startActivities(IApplicationThread caller, String callingPackag
final int startActivitiesInPackage(int uid, String callingPackage,
Intent[] intents, String[] resolvedTypes, IBinder resultTo,
Bundle bOptions, int userId) {
return startActivitiesInPackage(uid, ActivityStarter.PID_NULL, UserHandle.USER_NULL,
callingPackage, intents, resolvedTypes, resultTo, bOptions, userId);
}

final int startActivitiesInPackage(int uid, int realCallingPid, int realCallingUid,
String callingPackage, Intent[] intents, String[] resolvedTypes,
IBinder resultTo, Bundle bOptions, int userId) {

userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
userId, false, ALLOW_FULL_ONLY, "startActivityInPackage", null);
// TODO: Switch to user app stacks here.
int ret = mActivityStarter.startActivities(null, uid, callingPackage, intents, resolvedTypes,
resultTo, bOptions, userId);
int ret = mActivityStarter.startActivities(null, uid, realCallingPid, realCallingUid,
callingPackage, intents, resolvedTypes, resultTo, bOptions, userId);
return ret;
}

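Review bot: In `startActivityInPackage` the new call passes `ActivityStarter.PID_NULL` for the real calling pid but `uid` for the real calling uid, so the two values no longer have to describe the same process. With `PID_NULL`, `startActivityMayWait` falls back to `Binder.getCallingPid()`, which on this path is presumably the system's own pid, while `realCallingUid` becomes the app's uid; any later check that evaluates the pid/uid pair together would see a mixed identity. Either thread the caller's pid through `startActivityInPackage` as well, or state the intent at the call with a comment such as `// realCallingPid is intentionally left unresolved; only realCallingUid is forwarded here`. Because `uid` is now trusted as the real caller instead of the Binder identity, the method should also document that it is only for in-process callers that have already verified `uid`; the method begins outside the hunk, so any existing caller check is not visible here.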
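--- a/services/core/java/com/android/server/am/ActivityStarter.java
+++ b/services/core/java/com/android/server/am/ActivityStarter.java
@@ -125,6 +125,8 @@
 * an activity and associated task and stack.
 */
 class ActivityStarter {
+public static final int PID_NULL = 0;
+
 private static final String TAG = TAG_WITH_CLASS_NAME ? "ActivityStarter" : TAG_AM;
 private static final String TAG_RESULTS = TAG + POSTFIX_RESULTS;
 private static final String TAG_FOCUS = TAG + POSTFIX_FOCUS;
@@ -677,12 +679,24 @@ void startConfirmCredentialIntent(Intent intent) {
 UserHandle.CURRENT);
 }
 
+final int startActivityMayWait(IApplicationThread caller, int callingUid, String callingPackage,
+Intent intent, String resolvedType, IVoiceInteractionSession voiceSession,
+IVoiceInteractor voiceInteractor, IBinder resultTo, String resultWho, int requestCode,
+int startFlags, ProfilerInfo profilerInfo, IActivityManager.WaitResult outResult,
+Configuration config, Bundle bOptions, boolean ignoreTargetSecurity, int userId,
+IActivityContainer iContainer, TaskRecord inTask) {
+return startActivityMayWait(caller, callingUid, PID_NULL, UserHandle.USER_NULL,
+callingPackage, intent, resolvedType, voiceSession, voiceInteractor, resultTo,
+resultWho, requestCode, startFlags, profilerInfo, outResult, config, bOptions,
+ignoreTargetSecurity, userId, iContainer, inTask);
+}
+
 final int startActivityMayWait(IApplicationThread caller, int callingUid,
-String callingPackage, Intent intent, String resolvedType,
-IVoiceInteractionSession voiceSession, IVoiceInteractor voiceInteractor,
-IBinder resultTo, String resultWho, int requestCode, int startFlags,
-ProfilerInfo profilerInfo, IActivityManager.WaitResult outResult, Configuration config,
-Bundle bOptions, boolean ignoreTargetSecurity, int userId,
+int requestRealCallingPid, int requestRealCallingUid, String callingPackage,
+Intent intent, String resolvedType, IVoiceInteractionSession voiceSession,
+IVoiceInteractor voiceInteractor, IBinder resultTo, String resultWho, int requestCode,
+int startFlags, ProfilerInfo profilerInfo, IActivityManager.WaitResult outResult,
+Configuration config, Bundle bOptions, boolean ignoreTargetSecurity, int userId,
 IActivityContainer iContainer, TaskRecord inTask) {
 // Refuse possible leaked file descriptors
 if (intent != null && intent.hasFileDescriptors()) {
@@ -733,8 +747,14 @@ final int startActivityMayWait(IApplicationThread caller, int callingUid,
 // Cannot start a child activity if the parent is not resumed.
 return ActivityManager.START_CANCELED;
 }
-final int realCallingPid = Binder.getCallingPid();
-final int realCallingUid = Binder.getCallingUid();
+
+final int realCallingPid = requestRealCallingPid != PID_NULL
+? requestRealCallingPid
+: Binder.getCallingPid();
+final int realCallingUid = requestRealCallingUid != UserHandle.USER_NULL
+? requestRealCallingUid
+: Binder.getCallingUid();
+
 int callingPid;
 if (callingUid >= 0) {
 callingPid = -1;
@@ -745,6 +765,7 @@ final int startActivityMayWait(IApplicationThread caller, int callingUid,
 callingPid = callingUid = -1;
 }
 
+
 final ActivityStack stack;
 if (container == null || container.mStack.isOnHomeDisplay()) {
 stack = mSupervisor.mFocusedStack;
@@ -886,8 +907,16 @@ final int startActivityMayWait(IApplicationThread caller, int callingUid,
 }
 
 final int startActivities(IApplicationThread caller, int callingUid, String callingPackage,
-Intent[] intents, String[] resolvedTypes, IBinder resultTo,
-Bundle bOptions, int userId) {
+Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,
+int userId) {
+return startActivities(caller, callingUid, PID_NULL, UserHandle.USER_NULL, callingPackage,
+intents, resolvedTypes, resultTo, bOptions, userId);
+}
+
+final int startActivities(IApplicationThread caller, int callingUid,
+int incomingRealCallingPid, int incomingRealCallingUid, String callingPackage,
+Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,
+int userId) {
 if (intents == null) {
 throw new NullPointerException("intents is null");
 }
@@ -898,13 +927,17 @@ final int startActivities(IApplicationThread caller, int callingUid, String call
 throw new IllegalArgumentException("intents are length different than resolvedTypes");
 }
 
-
 int callingPid;
 if (callingUid >= 0) {
 callingPid = -1;
 } else if (caller == null) {
-callingPid = Binder.getCallingPid();
-callingUid = Binder.getCallingUid();
+callingPid = incomingRealCallingPid != PID_NULL
+? incomingRealCallingPid
+: Binder.getCallingPid();
+
+callingUid = incomingRealCallingUid != UserHandle.USER_NULL
+? incomingRealCallingUid
+: Binder.getCallingUid();
 } else {
 callingPid = callingUid = -1;
 }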
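Review bot: In the last `startActivities` hunk, `incomingRealCallingPid` and `incomingRealCallingUid` are read only inside the `caller == null` branch, which is reached only when `callingUid < 0`, and there they overwrite `callingPid`/`callingUid` instead of producing a separate real-caller pair. `startActivitiesInPackage` passes its `uid` as `callingUid`, so for any non-negative uid the first branch runs and the forwarded values are silently dropped; the multi-intent path would then presumably still take the real caller from Binder, unlike `startActivityMayWait`. Resolving the pair once before the branch, as `startActivityMayWait` does, and handing it to the per-intent start call would close that gap; that call lies outside the hunk, so how it receives the values has to be checked there. Separately, `UserHandle.USER_NULL` is a user-id sentinel being compared against a uid, and a dedicated invalid-uid constant declared next to `PID_NULL` would make the intent clearer.

```java
// … unchanged: intents / resolvedTypes validation …
final int realCallingPid = incomingRealCallingPid != PID_NULL
        ? incomingRealCallingPid
        : Binder.getCallingPid();
final int realCallingUid = incomingRealCallingUid != UserHandle.USER_NULL
        ? incomingRealCallingUid
        : Binder.getCallingUid();

// … unchanged: int callingPid; the callingUid >= 0 branch …
} else if (caller == null) {
    callingPid = realCallingPid;
    callingUid = realCallingUid;
// … unchanged: else branch; the per-intent start call is outside the hunk …
```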
