Merge "Fix background bypass via notifications" into qt-dev

2021-06-30 07:18:28 +00:00
parent 92ed82502c 14c1c7b4a7
commit 22500563c1
2 changed files with 20 additions and 1 deletions
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java
@@ -2950,6 +2950,19 @@ public class Notification implements Parcelable
        builder.build(); // callers expect this notification to be ready to use
    }

+    /**
+     * Sets the token used for background operations for the pending intents associated with this
+     * notification.
+     *
+     * This token is automatically set during deserialization for you, you usually won't need to
+     * call this unless you want to change the existing token, if any.
+     *
+     * @hide
+     */
+    public void setAllowlistToken(@Nullable IBinder token) {
+        mWhitelistToken = token;
+    }
+
    /**
     * @hide
     */
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -3067,6 +3067,7 @@ public class NotificationManagerService extends SystemService {
            }
        }

+        /** Notifications returned here will have allowlistToken stripped from them. */
        private StatusBarNotification sanitizeSbn(String pkg, int userId,
                StatusBarNotification sbn) {
            if (sbn.getUserId() == userId) {
@@ -3074,11 +3075,16 @@ public class NotificationManagerService extends SystemService {
                    // We could pass back a cloneLight() but clients might get confused and
                    // try to send this thing back to notify() again, which would not work
                    // very well.
+                    Notification notification = sbn.getNotification().clone();
+                    // Remove background token before returning notification to untrusted app, this
+                    // ensures the app isn't able to perform background operations that are
+                    // associated with notification interactions.
+                    notification.setAllowlistToken(null);
                    return new StatusBarNotification(
                            sbn.getPackageName(),
                            sbn.getOpPkg(),
                            sbn.getId(), sbn.getTag(), sbn.getUid(), sbn.getInitialPid(),
-                            sbn.getNotification().clone(),
+                            notification,
                            sbn.getUser(), sbn.getOverrideGroupKey(), sbn.getPostTime());
                }
            }