From 70876ce13f2e334d5b75597f3a2a0717d0c944ff Mon Sep 17 00:00:00 2001
From: Da Xing <qiyueliuhuo813@gmail.com>
Date: Sun, 18 Nov 2018 20:10:17 +0800
Subject: [PATCH] Crash app on foreground service notification error.

Resolved issue 118612296.

On any notification error, the NMS silently cancels the notification,
including foreground service notifications. Thus, an app could pass in a
garbage notification deliberately and start a foreground service silently.

This patch resolved this issue by judging the notification's flag, and if
it is a foreground notification, still crash the app as previous platforms,
and if it is a normal notification, don't crash the app.

Background: In 3ad4cdd1, which was merged into Android 9 release, the crash
behaviour is removed. But it is an important rule that foreground services
guaranteed to show an ongoing notification.

Test: Run the sample apk provided in the issue, it's main thread received
 a RemoteServiceException: Bad notification posted from package...
as intended behaviour.

Bug: 118612296
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Change-Id: Ice6faab055e2dacd3d2d12803fcf51e13d3b0f21
---
 .../notification/NotificationManagerService.java   | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index bd198dd74af72..f12c6896172d6 100644
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -892,8 +892,22 @@ public class NotificationManagerService extends SystemService {
         @Override
         public void onNotificationError(int callingUid, int callingPid, String pkg, String tag,
                 int id, int uid, int initialPid, String message, int userId) {
+            final boolean fgService;
+            synchronized (mNotificationLock) {
+                NotificationRecord r = findNotificationLocked(pkg, tag, id, userId);
+                fgService = r != null && (r.getNotification().flags & FLAG_FOREGROUND_SERVICE) != 0;
+            }
             cancelNotification(callingUid, callingPid, pkg, tag, id, 0, 0, false, userId,
                     REASON_ERROR, null);
+            if (fgService) {
+                // Still crash for foreground services, preventing the not-crash behaviour abused
+                // by apps to give us a garbage notification and silently start a fg service.
+                Binder.withCleanCallingIdentity(
+                        () -> mAm.crashApplication(uid, initialPid, pkg, -1,
+                            "Bad notification(tag=" + tag + ", id=" + id + ") posted from package "
+                                + pkg + ", crashing app(uid=" + uid + ", pid=" + initialPid + "): "
+                                + message));
+            }
         }
 
         @Override