Proper PendingIntent.queryIntentComponents implementation
PendingIntent.queryIntentComponents currently does not take the pending
intent creator UID into account when performing component resolution.
This returns incorrect results, because an explicit intent that does not
match the target's intent filter can be resolved only if the sender has
the same UID as the target component.
Bug: 238415222
Bug: 271845008
Test: atest CtsContentTestCases:PackageManagerTest
Change-Id: Ib4e1c04c8de4e9bcee35d584dfb213954ec65449
Merged-In: Ib4e1c04c8de4e9bcee35d584dfb213954ec65449
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index ecfa1f8..cd221a8 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -450,6 +450,7 @@
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CopyOnWriteArrayList;
@@ -5535,7 +5536,7 @@
IIntentSender pendingResult, int matchFlags) {
enforceCallingPermission(Manifest.permission.GET_INTENT_SENDER_INTENT,
"queryIntentComponentsForIntentSender()");
- Preconditions.checkNotNull(pendingResult);
+ Objects.requireNonNull(pendingResult);
final PendingIntentRecord res;
try {
res = (PendingIntentRecord) pendingResult;
@@ -5547,17 +5548,19 @@
return null;
}
final int userId = res.key.userId;
+ final int uid = res.uid;
+ final String resolvedType = res.key.requestResolvedType;
switch (res.key.type) {
case ActivityManager.INTENT_SENDER_ACTIVITY:
- return new ParceledListSlice<>(mContext.getPackageManager()
- .queryIntentActivitiesAsUser(intent, matchFlags, userId));
+ return new ParceledListSlice<>(mPackageManagerInt.queryIntentActivities(
+ intent, resolvedType, matchFlags, uid, userId));
case ActivityManager.INTENT_SENDER_SERVICE:
case ActivityManager.INTENT_SENDER_FOREGROUND_SERVICE:
- return new ParceledListSlice<>(mContext.getPackageManager()
- .queryIntentServicesAsUser(intent, matchFlags, userId));
+ return new ParceledListSlice<>(mPackageManagerInt.queryIntentServices(
+ intent, matchFlags, uid, userId));
case ActivityManager.INTENT_SENDER_BROADCAST:
- return new ParceledListSlice<>(mContext.getPackageManager()
- .queryBroadcastReceiversAsUser(intent, matchFlags, userId));
+ return new ParceledListSlice<>(mPackageManagerInt.queryIntentReceivers(
+ intent, resolvedType, matchFlags, uid, userId, false));
default: // ActivityManager.INTENT_SENDER_ACTIVITY_RESULT
throw new IllegalStateException("Unsupported intent sender type: " + res.key.type);
}
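Review bot: The service branch is the only one that does not forward `resolvedType`: `queryIntentServices(intent, matchFlags, uid, userId)` takes four arguments, while the activity and receiver branches pass `res.key.requestResolvedType`. If that method re-derives the type from the intent, a PendingIntent recorded with an explicit resolved type could be matched against a different MIME type than the one stored in its key. This is worth confirming, or recording in a comment such as `// queryIntentServices resolves the type itself; resolvedType is intentionally not passed`. The bare `false` in the receiver call would also read better annotated with its parameter name, in the style of the `/*resolveForStart*/` comments in the ComputerEngine hunk. The enclosing method starts and ends outside this hunk.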
diff --git a/services/core/java/com/android/server/pm/Computer.java b/services/core/java/com/android/server/pm/Computer.java
index eb63550..3d9e89a 100644
--- a/services/core/java/com/android/server/pm/Computer.java
+++ b/services/core/java/com/android/server/pm/Computer.java
@@ -113,6 +113,8 @@
@PackageManagerInternal.PrivateResolveFlags long privateResolveFlags,
int filterCallingUid, int userId, boolean resolveForStart, boolean allowDynamicSplits);
@NonNull List<ResolveInfo> queryIntentActivitiesInternal(Intent intent, String resolvedType,
+ long flags, int filterCallingUid, int userId);
+ @NonNull List<ResolveInfo> queryIntentActivitiesInternal(Intent intent, String resolvedType,
long flags, int userId);
@NonNull List<ResolveInfo> queryIntentServicesInternal(Intent intent, String resolvedType,
long flags, int userId, int callingUid, boolean includeInstantApps);
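Review bot: The new overload takes `int filterCallingUid, int userId`, while `queryIntentServicesInternal` directly below takes `int userId, int callingUid`. Both are plain ints, so a swapped pair compiles and would filter the result as the wrong identity. The overload has no Javadoc; I would add one saying that `filterCallingUid` is the UID on whose behalf resolution is filtered and `userId` is the user being queried, e.g. `/** Resolves activities as seen by {@code filterCallingUid} for {@code userId}. */`. The same comment belongs on the implementation added in the ComputerEngine hunk. The interface body continues outside this hunk.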
diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java
index 259ca65..4a640ce 100644
--- a/services/core/java/com/android/server/pm/ComputerEngine.java
+++ b/services/core/java/com/android/server/pm/ComputerEngine.java
@@ -599,6 +599,15 @@
resolveForStart, userId, intent);
}
+ @NonNull
+ @Override
+ public final List<ResolveInfo> queryIntentActivitiesInternal(Intent intent, String resolvedType,
+ @PackageManager.ResolveInfoFlagsBits long flags, int filterCallingUid, int userId) {
+ return queryIntentActivitiesInternal(
+ intent, resolvedType, flags, 0 /*privateResolveFlags*/, filterCallingUid,
+ userId, false /*resolveForStart*/, true /*allowDynamicSplits*/);
+ }
+
public final @NonNull List<ResolveInfo> queryIntentActivitiesInternal(Intent intent,
String resolvedType, @PackageManager.ResolveInfoFlagsBits long flags, int userId) {
return queryIntentActivitiesInternal(
diff --git a/services/core/java/com/android/server/pm/PackageManagerInternalBase.java b/services/core/java/com/android/server/pm/PackageManagerInternalBase.java
index 652847a..96f3742 100644
--- a/services/core/java/com/android/server/pm/PackageManagerInternalBase.java
+++ b/services/core/java/com/android/server/pm/PackageManagerInternalBase.java
@@ -308,7 +308,8 @@
public final List<ResolveInfo> queryIntentActivities(
Intent intent, String resolvedType, @PackageManager.ResolveInfoFlagsBits long flags,
int filterCallingUid, int userId) {
- return snapshot().queryIntentActivitiesInternal(intent, resolvedType, flags, userId);
+ return snapshot().queryIntentActivitiesInternal(intent, resolvedType, flags,
+ filterCallingUid, userId);
}
@Override
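Review bot: Before this change `filterCallingUid` was accepted and then dropped, so the fix alters results for every existing caller of `queryIntentActivities`, not only the PendingIntent path in ActivityManagerService. A caller that passed a placeholder UID while the argument was ignored would now receive a differently filtered list. The commit's test line names only `PackageManagerTest`, so an audit of the call sites, or a test that passes a UID different from the caller's own, would help. A short comment above the call, such as `// filterCallingUid selects whose resolution rules apply; it must be forwarded`, would guard against the parameter being dropped again.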