From 8b896f2c6ce8281558a74222ef0bfb068fd46db0 Mon Sep 17 00:00:00 2001 From: Jeff Sharkey Date: Fri, 19 Jun 2020 14:01:02 -0600 Subject: [PATCH] Collect Uri grants for startActivities(). It looks like the implementation of startActivities() was resolving the target ActivityInfo, but it wasn't collecting the needed Uri permission grants. This change updates startActivities() to use the same logic used by ActivityStarter.Request.resolverActivity(), where we collect the grants immediately after ActivityStackSupervisor.resolveActivity(). Bug: 159412574 Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.AppSecurityTests#testPermissionDiffCert Change-Id: I4e92701b7b9bb23307a4eeca27d33b78537c2805 --- .../android/server/wm/ActivityStartController.java | 11 +++++++++++ .../java/com/android/server/wm/ActivityStarter.java | 5 +++++ 2 files changed, 16 insertions(+) diff --git a/services/core/java/com/android/server/wm/ActivityStartController.java b/services/core/java/com/android/server/wm/ActivityStartController.java index 6fbfa68d9309f..16ca60d1519b2 100644 --- a/services/core/java/com/android/server/wm/ActivityStartController.java +++ b/services/core/java/com/android/server/wm/ActivityStartController.java @@ -52,6 +52,7 @@ import com.android.internal.annotations.VisibleForTesting; import com.android.internal.util.ArrayUtils; import com.android.server.am.ActivityManagerService; import com.android.server.am.PendingIntentRecord; +import com.android.server.uri.NeededUriGrants; import com.android.server.wm.ActivityStackSupervisor.PendingActivityLaunch; import com.android.server.wm.ActivityStarter.DefaultFactory; import com.android.server.wm.ActivityStarter.Factory; @@ -402,6 +403,7 @@ public class ActivityStartController { // potentially acquire activity manager lock that leads to deadlock. for (int i = 0; i < intents.length; i++) { Intent intent = intents[i]; + NeededUriGrants intentGrants = null; // Refuse possible leaked file descriptors. if (intent.hasFileDescriptors()) { @@ -418,6 +420,14 @@ public class ActivityStartController { 0 /* startFlags */, null /* profilerInfo */, userId, filterCallingUid); aInfo = mService.mAmInternal.getActivityInfoForUser(aInfo, userId); + // Carefully collect grants without holding lock + if (aInfo != null) { + intentGrants = mSupervisor.mService.mUgmInternal + .checkGrantUriPermissionFromIntent(intent, filterCallingUid, + aInfo.applicationInfo.packageName, + UserHandle.getUserId(aInfo.applicationInfo.uid)); + } + if (aInfo != null) { if ((aInfo.applicationInfo.privateFlags & ApplicationInfo.PRIVATE_FLAG_CANT_SAVE_STATE) != 0) { @@ -433,6 +443,7 @@ public class ActivityStartController { ? options : null; starters[i] = obtainStarter(intent, reason) + .setIntentGrants(intentGrants) .setCaller(caller) .setResolvedType(resolvedTypes[i]) .setActivityInfo(aInfo) diff --git a/services/core/java/com/android/server/wm/ActivityStarter.java b/services/core/java/com/android/server/wm/ActivityStarter.java index daa97b56ed66f..3f74b9fb00bf4 100644 --- a/services/core/java/com/android/server/wm/ActivityStarter.java +++ b/services/core/java/com/android/server/wm/ActivityStarter.java @@ -2632,6 +2632,11 @@ class ActivityStarter { return mRequest.intent; } + ActivityStarter setIntentGrants(NeededUriGrants intentGrants) { + mRequest.intentGrants = intentGrants; + return this; + } + ActivityStarter setReason(String reason) { mRequest.reason = reason; return this;