RESTRICT AUTOMERGE TextClassifier cross-user vulnerability in direct-reply
Sys UI runs on user 0. This can lead to the TextClassifier (TC)
running for the wrong user. Consequencies are user A can launch apps
in user B via the TC's predicted actions and selected text being
unintentionally shared from user A to an app running in user B.
This fix ensures that the correct user id is passed and verified for
every TC request going across process boundaries (i.e. via SystemTC).
- Sys UI sets the appropriate user id in the TextView
- TextClassificationManager (TCM) system service is constructed using
a context generated from this user id
- SystemTC sets this user id before querying the TCMService
- TCMService validates the user id before forwarding the request to
the TCService belonging to that user id.
Test: atest android.view.textclassifier
(manual) See I2fdffd8eb4221782cb1f34d2ddbe41dd3d36595c
(cherry picked from commit 34e380cdd64230db81a5754b7b6e2654509af180)
12 files changed