commit 4fb753d22e6a2505b1667950d153bc03ad8ae422
author Edgar Wang <edgarwang@google.com> Thu Jan 06 20:53:48 2022 +0800
committer Edgar Wang <edgarwang@google.com> Fri Jan 07 04:25:25 2022 +0000
tree 97f65673d3ff7d950737737d8cb6048ceb75cafc
parent 56abfbd85e142870f3da1e1066ee0ba6dfde7589

Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment

In onReceive of AppRestrictionsFragment.java, there is a possible way to
start a phone call without permissions due to a confused deputy.
This could lead to local escalation of privilege with no additional
execution privileges needed.

We should not allow the restrictionsIntent to startActivity simply
because it resolves to multiple activities.
Instead, we should call resolveActivity and check the result's package
name is same as current package name, then it is safe to startActivity.

Bug: 200688991
Test: manual verify
Change-Id: Iaa2d3a9497c3266babe0789961befc9776a4db7a
Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
(cherry picked from commit 359512cd9553c940af3c9045b856647b7529731a)

src/com/android/settings/users/AppRestrictionsFragment.java

diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
index a23aeef..c67a687 100644
--- a/src/com/android/settings/users/AppRestrictionsFragment.java
+++ b/src/com/android/settings/users/AppRestrictionsFragment.java
@@ -18,6 +18,7 @@
 
 import android.app.Activity;
 import android.app.settings.SettingsEnums;
+import android.content.ActivityNotFoundException;
 import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
@@ -37,6 +38,7 @@
 import android.os.ServiceManager;
 import android.os.UserHandle;
 import android.os.UserManager;
+import android.util.EventLog;
 import android.util.Log;
 import android.view.View;
 import android.view.View.OnClickListener;
@@ -641,7 +643,15 @@
             } else if (restrictionsIntent != null) {
                 preference.setRestrictions(restrictions);
                 if (invokeIfCustom && AppRestrictionsFragment.this.isResumed()) {
-                    assertSafeToStartCustomActivity(restrictionsIntent);
+                    try {
+                        assertSafeToStartCustomActivity(restrictionsIntent);
+                    } catch (ActivityNotFoundException | SecurityException e) {
+                        // return without startActivity
+                        Log.e(TAG, "Cannot start restrictionsIntent " + e);
+                        EventLog.writeEvent(0x534e4554, "200688991", -1 /* UID */, "");
+                        return;
+                    }
+
                     int requestCode = generateCustomActivityRequestCode(
                             RestrictionsResultReceiver.this.preference);
                     AppRestrictionsFragment.this.startActivityForResult(
@@ -655,14 +665,14 @@
             if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
                 return;
             }
-            // Activity can be started if intent resolves to multiple activities
-            List<ResolveInfo> resolveInfos = AppRestrictionsFragment.this.mPackageManager
-                    .queryIntentActivities(intent, 0 /* no flags */);
-            if (resolveInfos.size() != 1) {
-                return;
+            ResolveInfo resolveInfo = mPackageManager.resolveActivity(
+                    intent, PackageManager.MATCH_DEFAULT_ONLY);
+
+            if (resolveInfo == null) {
+                throw new ActivityNotFoundException("No result for resolving " + intent);
             }
             // Prevent potential privilege escalation
-            ActivityInfo activityInfo = resolveInfos.get(0).activityInfo;
+            ActivityInfo activityInfo = resolveInfo.activityInfo;
             if (!packageName.equals(activityInfo.packageName)) {
                 throw new SecurityException("Application " + packageName
                         + " is not allowed to start activity " + intent);