Google Git
Sign in
android / platform / frameworks / base / d88b5baa7b5a^! / .
commitd88b5baa7b5a5b2bbe8636a835949110bdd34e30[log] [tgz]
authorBernardo Rufino <brufino@google.com>Wed May 26 16:25:39 2021 +0100
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Mon Aug 16 04:14:51 2021 +0000
treed867dac25fb9b7d62e6dffdf8d9b1e1cb7c35e87
parent4399aeddfeafeaed5e00307813277538b80d20a8 [diff]
Fix background bypass via notifications

This is a CP of ag/14736230 to qt-dev.

Apps were able to bypass BAL and BG-FGS restrictions by retrieving their
own notifications and firing their PI since those were allowlisted for
those operations.

Now we strip the token that granted them that ability
from notifications returned via NM.getActiveNotifications(), which
returns the notifications of the caller.

Notifications returned via notification listener APIs still contain such
token, as they should.

Bug: 185388103
Bug: 169821287
Test: Manually tested
Change-Id: I2ede0d639a560f6acacec3864a0a7d23af152ba5
Merged-In: I2ede0d639a560f6acacec3864a0a7d23af152ba5
(cherry picked from commit 5fbeff59df3ea1441c3843aa1834616876ef1985)
(cherry picked from commit 14c1c7b4a732c517ba18f5dd0598adb9f3b72221)

diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
index c273cf08..132afab 100644
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java

@@ -3029,6 +3029,19 @@
     }
 
     /**
+     * Sets the token used for background operations for the pending intents associated with this
+     * notification.
+     *
+     * This token is automatically set during deserialization for you, you usually won't need to
+     * call this unless you want to change the existing token, if any.
+     *
+     * @hide
+     */
+    public void setAllowlistToken(@Nullable IBinder token) {
+        mWhitelistToken = token;
+    }
+
+    /**
      * @hide
      */
     public static void addFieldsFromContext(Context context, Notification notification) {

diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index dc551e1..629a918 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java

@@ -3859,6 +3859,7 @@
             }
         }
 
+        /** Notifications returned here will have allowlistToken stripped from them. */
         private StatusBarNotification sanitizeSbn(String pkg, int userId,
                 StatusBarNotification sbn) {
             if (sbn.getUserId() == userId) {
@@ -3866,11 +3867,16 @@
                     // We could pass back a cloneLight() but clients might get confused and
                     // try to send this thing back to notify() again, which would not work
                     // very well.
+                    Notification notification = sbn.getNotification().clone();
+                    // Remove background token before returning notification to untrusted app, this
+                    // ensures the app isn't able to perform background operations that are
+                    // associated with notification interactions.
+                    notification.setAllowlistToken(null);
                     return new StatusBarNotification(
                             sbn.getPackageName(),
                             sbn.getOpPkg(),
                             sbn.getId(), sbn.getTag(), sbn.getUid(), sbn.getInitialPid(),
-                            sbn.getNotification().clone(),
+                            notification,
                             sbn.getUser(), sbn.getOverrideGroupKey(), sbn.getPostTime());
                 }
             }