com/android/server/am/SafeActivityOptions.java - platform/prebuilts/fullsdk/sources/android-28 - Git at Google

 /*
  * Copyright (C) 2018 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License
  */

 package com.android.server.am;

 import static android.Manifest.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS;
 import static android.Manifest.permission.START_TASKS_FROM_RECENTS;
 import static android.content.pm.PackageManager.PERMISSION_DENIED;
 import static android.content.pm.PackageManager.PERMISSION_GRANTED;
 import static android.view.Display.INVALID_DISPLAY;
 import static com.android.server.am.ActivityManagerDebugConfig.TAG_AM;
 import static com.android.server.am.ActivityManagerDebugConfig.TAG_WITH_CLASS_NAME;
 import static com.android.server.am.TaskRecord.INVALID_TASK_ID;

 import android.annotation.Nullable;
 import android.app.ActivityOptions;
 import android.app.PendingIntent;
 import android.content.Intent;
 import android.content.pm.ActivityInfo;
 import android.os.Binder;
 import android.os.Bundle;
 import android.os.UserHandle;
 import android.util.Slog;
 import android.view.RemoteAnimationAdapter;

 import com.android.internal.annotations.VisibleForTesting;

 /**
  * Wraps {@link ActivityOptions}, records binder identity, and checks permission when retrieving
  * the inner options. Also supports having two set of options: Once from the original caller, and
  * once from the caller that is overriding it, which happens when sending a {@link PendingIntent}.
  */
 class SafeActivityOptions {

     private static final String TAG = TAG_WITH_CLASS_NAME ? "SafeActivityOptions" : TAG_AM;

     private final int mOriginalCallingPid;
     private final int mOriginalCallingUid;
     private int mRealCallingPid;
     private int mRealCallingUid;
     private final @Nullable ActivityOptions mOriginalOptions;
     private @Nullable ActivityOptions mCallerOptions;

     /**
      * Constructs a new instance from a bundle and records {@link Binder#getCallingPid}/
      * {@link Binder#getCallingUid}. Thus, calling identity MUST NOT be cleared when constructing
      * this object.
      *
      * @param bOptions The {@link ActivityOptions} as {@link Bundle}.
      */
     static SafeActivityOptions fromBundle(Bundle bOptions) {
         return bOptions != null
                 ? new SafeActivityOptions(ActivityOptions.fromBundle(bOptions))
                 : null;
     }

     /**
      * Constructs a new instance and records {@link Binder#getCallingPid}/
      * {@link Binder#getCallingUid}. Thus, calling identity MUST NOT be cleared when constructing
      * this object.
      *
      * @param options The options to wrap.
      */
     SafeActivityOptions(@Nullable ActivityOptions options) {
         mOriginalCallingPid = Binder.getCallingPid();
         mOriginalCallingUid = Binder.getCallingUid();
         mOriginalOptions = options;
     }

     /**
      * Overrides options with options from a caller and records {@link Binder#getCallingPid}/
      * {@link Binder#getCallingUid}. Thus, calling identity MUST NOT be cleared when calling this
      * method.
      */
     void setCallerOptions(@Nullable ActivityOptions options) {
         mRealCallingPid = Binder.getCallingPid();
         mRealCallingUid = Binder.getCallingUid();
         mCallerOptions = options;
     }

     /**
      * Performs permission check and retrieves the options.
      *
      * @param r The record of the being started activity.
      */
     ActivityOptions getOptions(ActivityRecord r) throws SecurityException {
         return getOptions(r.intent, r.info, r.app, r.mStackSupervisor);
     }

     /**
      * Performs permission check and retrieves the options when options are not being used to launch
      * a specific activity (i.e. a task is moved to front).
      */
     ActivityOptions getOptions(ActivityStackSupervisor supervisor) throws SecurityException {
         return getOptions(null, null, null, supervisor);
     }

     /**
      * Performs permission check and retrieves the options.
      *
      * @param intent The intent that is being launched.
      * @param aInfo The info of the activity being launched.
      * @param callerApp The record of the caller.
      */
     ActivityOptions getOptions(@Nullable Intent intent, @Nullable ActivityInfo aInfo,
             @Nullable ProcessRecord callerApp,
             ActivityStackSupervisor supervisor) throws SecurityException {
         if (mOriginalOptions != null) {
             checkPermissions(intent, aInfo, callerApp, supervisor, mOriginalOptions,
                     mOriginalCallingPid, mOriginalCallingUid);
             if (mOriginalOptions.getRemoteAnimationAdapter() != null) {
                 mOriginalOptions.getRemoteAnimationAdapter().setCallingPid(mOriginalCallingPid);
             }
         }
         if (mCallerOptions != null) {
             checkPermissions(intent, aInfo, callerApp, supervisor, mCallerOptions,
                     mRealCallingPid, mRealCallingUid);
             if (mCallerOptions.getRemoteAnimationAdapter() != null) {
                 mCallerOptions.getRemoteAnimationAdapter().setCallingPid(mRealCallingPid);
             }
         }
         return mergeActivityOptions(mOriginalOptions, mCallerOptions);
     }

     /**
      * @see ActivityOptions#popAppVerificationBundle
      */
     Bundle popAppVerificationBundle() {
         return mOriginalOptions != null ? mOriginalOptions.popAppVerificationBundle() : null;
     }

     private void abort() {
         if (mOriginalOptions != null) {
             ActivityOptions.abort(mOriginalOptions);
         }
         if (mCallerOptions != null) {
             ActivityOptions.abort(mCallerOptions);
         }
     }

     static void abort(@Nullable SafeActivityOptions options) {
         if (options != null) {
             options.abort();
         }
     }

     /**
      * Merges two activity options into one, with {@code options2} taking precedence in case of a
      * conflict.
      */
     @VisibleForTesting
     @Nullable ActivityOptions mergeActivityOptions(@Nullable ActivityOptions options1,
             @Nullable ActivityOptions options2) {
         if (options1 == null) {
             return options2;
         }
         if (options2 == null) {
             return options1;
         }
         final Bundle b1 = options1.toBundle();
         final Bundle b2 = options2.toBundle();
         b1.putAll(b2);
         return ActivityOptions.fromBundle(b1);
     }

     private void checkPermissions(@Nullable Intent intent, @Nullable ActivityInfo aInfo,
             @Nullable ProcessRecord callerApp, ActivityStackSupervisor supervisor,
             ActivityOptions options, int callingPid, int callingUid) {
         // If a launch task id is specified, then ensure that the caller is the recents
         // component or has the START_TASKS_FROM_RECENTS permission
         if (options.getLaunchTaskId() != INVALID_TASK_ID
                 && !supervisor.mRecentTasks.isCallerRecents(callingUid)) {
             final int startInTaskPerm = supervisor.mService.checkPermission(
                     START_TASKS_FROM_RECENTS, callingPid, callingUid);
             if (startInTaskPerm == PERMISSION_DENIED) {
                 final String msg = "Permission Denial: starting " + getIntentString(intent)
                         + " from " + callerApp + " (pid=" + callingPid
                         + ", uid=" + callingUid + ") with launchTaskId="
                         + options.getLaunchTaskId();
                 Slog.w(TAG, msg);
                 throw new SecurityException(msg);
             }
         }
         // Check if someone tries to launch an activity on a private display with a different
         // owner.
         final int launchDisplayId = options.getLaunchDisplayId();
         if (aInfo != null && launchDisplayId != INVALID_DISPLAY
                 && !supervisor.isCallerAllowedToLaunchOnDisplay(callingPid, callingUid,
                         launchDisplayId, aInfo)) {
             final String msg = "Permission Denial: starting " + getIntentString(intent)
                     + " from " + callerApp + " (pid=" + callingPid
                     + ", uid=" + callingUid + ") with launchDisplayId="
                     + launchDisplayId;
             Slog.w(TAG, msg);
             throw new SecurityException(msg);
         }
         // Check if someone tries to launch an unwhitelisted activity into LockTask mode.
         final boolean lockTaskMode = options.getLockTaskMode();
         if (aInfo != null && lockTaskMode
                 && !supervisor.mService.getLockTaskController().isPackageWhitelisted(
                         UserHandle.getUserId(callingUid), aInfo.packageName)) {
             final String msg = "Permission Denial: starting " + getIntentString(intent)
                     + " from " + callerApp + " (pid=" + callingPid
                     + ", uid=" + callingUid + ") with lockTaskMode=true";
             Slog.w(TAG, msg);
             throw new SecurityException(msg);
         }

         // Check permission for remote animations
         final RemoteAnimationAdapter adapter = options.getRemoteAnimationAdapter();
         if (adapter != null && supervisor.mService.checkPermission(
                 CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS, callingPid, callingUid)
                         != PERMISSION_GRANTED) {
             final String msg = "Permission Denial: starting " + getIntentString(intent)
                     + " from " + callerApp + " (pid=" + callingPid
                     + ", uid=" + callingUid + ") with remoteAnimationAdapter";
             Slog.w(TAG, msg);
             throw new SecurityException(msg);
         }
     }

     private String getIntentString(Intent intent) {
         return intent != null ? intent.toString() : "(no intent)";
     }
 }
	/*
	* Copyright (C) 2018 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License
	*/

	package com.android.server.am;

	import static android.Manifest.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS;
	import static android.Manifest.permission.START_TASKS_FROM_RECENTS;
	import static android.content.pm.PackageManager.PERMISSION_DENIED;
	import static android.content.pm.PackageManager.PERMISSION_GRANTED;
	import static android.view.Display.INVALID_DISPLAY;
	import static com.android.server.am.ActivityManagerDebugConfig.TAG_AM;
	import static com.android.server.am.ActivityManagerDebugConfig.TAG_WITH_CLASS_NAME;
	import static com.android.server.am.TaskRecord.INVALID_TASK_ID;

	import android.annotation.Nullable;
	import android.app.ActivityOptions;
	import android.app.PendingIntent;
	import android.content.Intent;
	import android.content.pm.ActivityInfo;
	import android.os.Binder;
	import android.os.Bundle;
	import android.os.UserHandle;
	import android.util.Slog;
	import android.view.RemoteAnimationAdapter;

	import com.android.internal.annotations.VisibleForTesting;

	/**
	* Wraps {@link ActivityOptions}, records binder identity, and checks permission when retrieving
	* the inner options. Also supports having two set of options: Once from the original caller, and
	* once from the caller that is overriding it, which happens when sending a {@link PendingIntent}.
	*/
	class SafeActivityOptions {

	private static final String TAG = TAG_WITH_CLASS_NAME ? "SafeActivityOptions" : TAG_AM;

	private final int mOriginalCallingPid;
	private final int mOriginalCallingUid;
	private int mRealCallingPid;
	private int mRealCallingUid;
	private final @Nullable ActivityOptions mOriginalOptions;
	private @Nullable ActivityOptions mCallerOptions;

	/**
	* Constructs a new instance from a bundle and records {@link Binder#getCallingPid}/
	* {@link Binder#getCallingUid}. Thus, calling identity MUST NOT be cleared when constructing
	* this object.
	*
	* @param bOptions The {@link ActivityOptions} as {@link Bundle}.
	*/
	static SafeActivityOptions fromBundle(Bundle bOptions) {
	return bOptions != null
	? new SafeActivityOptions(ActivityOptions.fromBundle(bOptions))
	: null;
	}

	/**
	* Constructs a new instance and records {@link Binder#getCallingPid}/
	* {@link Binder#getCallingUid}. Thus, calling identity MUST NOT be cleared when constructing
	* this object.
	*
	* @param options The options to wrap.
	*/
	SafeActivityOptions(@Nullable ActivityOptions options) {
	mOriginalCallingPid = Binder.getCallingPid();
	mOriginalCallingUid = Binder.getCallingUid();
	mOriginalOptions = options;
	}

	/**
	* Overrides options with options from a caller and records {@link Binder#getCallingPid}/
	* {@link Binder#getCallingUid}. Thus, calling identity MUST NOT be cleared when calling this
	* method.
	*/
	void setCallerOptions(@Nullable ActivityOptions options) {
	mRealCallingPid = Binder.getCallingPid();
	mRealCallingUid = Binder.getCallingUid();
	mCallerOptions = options;
	}

	/**
	* Performs permission check and retrieves the options.
	*
	* @param r The record of the being started activity.
	*/
	ActivityOptions getOptions(ActivityRecord r) throws SecurityException {
	return getOptions(r.intent, r.info, r.app, r.mStackSupervisor);
	}

	/**
	* Performs permission check and retrieves the options when options are not being used to launch
	* a specific activity (i.e. a task is moved to front).
	*/
	ActivityOptions getOptions(ActivityStackSupervisor supervisor) throws SecurityException {
	return getOptions(null, null, null, supervisor);
	}

	/**
	* Performs permission check and retrieves the options.
	*
	* @param intent The intent that is being launched.
	* @param aInfo The info of the activity being launched.
	* @param callerApp The record of the caller.
	*/
	ActivityOptions getOptions(@Nullable Intent intent, @Nullable ActivityInfo aInfo,
	@Nullable ProcessRecord callerApp,
	ActivityStackSupervisor supervisor) throws SecurityException {
	if (mOriginalOptions != null) {
	checkPermissions(intent, aInfo, callerApp, supervisor, mOriginalOptions,
	mOriginalCallingPid, mOriginalCallingUid);
	if (mOriginalOptions.getRemoteAnimationAdapter() != null) {
	mOriginalOptions.getRemoteAnimationAdapter().setCallingPid(mOriginalCallingPid);
	}
	}
	if (mCallerOptions != null) {
	checkPermissions(intent, aInfo, callerApp, supervisor, mCallerOptions,
	mRealCallingPid, mRealCallingUid);
	if (mCallerOptions.getRemoteAnimationAdapter() != null) {
	mCallerOptions.getRemoteAnimationAdapter().setCallingPid(mRealCallingPid);
	}
	}
	return mergeActivityOptions(mOriginalOptions, mCallerOptions);
	}

	/**
	* @see ActivityOptions#popAppVerificationBundle
	*/
	Bundle popAppVerificationBundle() {
	return mOriginalOptions != null ? mOriginalOptions.popAppVerificationBundle() : null;
	}

	private void abort() {
	if (mOriginalOptions != null) {
	ActivityOptions.abort(mOriginalOptions);
	}
	if (mCallerOptions != null) {
	ActivityOptions.abort(mCallerOptions);
	}
	}

	static void abort(@Nullable SafeActivityOptions options) {
	if (options != null) {
	options.abort();
	}
	}

	/**
	* Merges two activity options into one, with {@code options2} taking precedence in case of a
	* conflict.
	*/
	@VisibleForTesting
	@Nullable ActivityOptions mergeActivityOptions(@Nullable ActivityOptions options1,
	@Nullable ActivityOptions options2) {
	if (options1 == null) {
	return options2;
	}
	if (options2 == null) {
	return options1;
	}
	final Bundle b1 = options1.toBundle();
	final Bundle b2 = options2.toBundle();
	b1.putAll(b2);
	return ActivityOptions.fromBundle(b1);
	}

	private void checkPermissions(@Nullable Intent intent, @Nullable ActivityInfo aInfo,
	@Nullable ProcessRecord callerApp, ActivityStackSupervisor supervisor,
	ActivityOptions options, int callingPid, int callingUid) {
	// If a launch task id is specified, then ensure that the caller is the recents
	// component or has the START_TASKS_FROM_RECENTS permission
	if (options.getLaunchTaskId() != INVALID_TASK_ID
	&& !supervisor.mRecentTasks.isCallerRecents(callingUid)) {
	final int startInTaskPerm = supervisor.mService.checkPermission(
	START_TASKS_FROM_RECENTS, callingPid, callingUid);
	if (startInTaskPerm == PERMISSION_DENIED) {
	final String msg = "Permission Denial: starting " + getIntentString(intent)
	+ " from " + callerApp + " (pid=" + callingPid
	+ ", uid=" + callingUid + ") with launchTaskId="
	+ options.getLaunchTaskId();
	Slog.w(TAG, msg);
	throw new SecurityException(msg);
	}
	}
	// Check if someone tries to launch an activity on a private display with a different
	// owner.
	final int launchDisplayId = options.getLaunchDisplayId();
	if (aInfo != null && launchDisplayId != INVALID_DISPLAY
	&& !supervisor.isCallerAllowedToLaunchOnDisplay(callingPid, callingUid,
	launchDisplayId, aInfo)) {
	final String msg = "Permission Denial: starting " + getIntentString(intent)
	+ " from " + callerApp + " (pid=" + callingPid
	+ ", uid=" + callingUid + ") with launchDisplayId="
	+ launchDisplayId;
	Slog.w(TAG, msg);
	throw new SecurityException(msg);
	}
	// Check if someone tries to launch an unwhitelisted activity into LockTask mode.
	final boolean lockTaskMode = options.getLockTaskMode();
	if (aInfo != null && lockTaskMode
	&& !supervisor.mService.getLockTaskController().isPackageWhitelisted(
	UserHandle.getUserId(callingUid), aInfo.packageName)) {
	final String msg = "Permission Denial: starting " + getIntentString(intent)
	+ " from " + callerApp + " (pid=" + callingPid
	+ ", uid=" + callingUid + ") with lockTaskMode=true";
	Slog.w(TAG, msg);
	throw new SecurityException(msg);
	}

	// Check permission for remote animations
	final RemoteAnimationAdapter adapter = options.getRemoteAnimationAdapter();
	if (adapter != null && supervisor.mService.checkPermission(
	CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS, callingPid, callingUid)
	!= PERMISSION_GRANTED) {
	final String msg = "Permission Denial: starting " + getIntentString(intent)
	+ " from " + callerApp + " (pid=" + callingPid
	+ ", uid=" + callingUid + ") with remoteAnimationAdapter";
	Slog.w(TAG, msg);
	throw new SecurityException(msg);
	}
	}

	private String getIntentString(Intent intent) {
	return intent != null ? intent.toString() : "(no intent)";
	}
	}