diff options
| author | 2023-06-22 14:27:51 +0000 | |
|---|---|---|
| committer | 2023-07-10 13:07:08 +0000 | |
| commit | 0a0778e96d7da3fa8169abdf9261ed62809539fa (patch) | |
| tree | 1a7d9568187e77dbc043779bbb1517068172973f | |
| parent | cbba85d2331e51e00dcbc7054ed8c6781d93d3e1 (diff) | |
Rescind BAL privilege when ShortcutService sends the callback PI
When AppWidgetManager.requestPinAppWidget is called from a client,
The passed in callback PendingIntent is called from the system
server. This allows the PendingIntent to be able to bypass BAL
checks.
Bug: 278722815
Test: manual test. BackgroundActivityLaunchTest. Regression like
RequestPinAppWidgetTest, PeopleSpaceWidgetManagerTest, etc.
Merged-In: I2df9de272192c9a149a9ff519c96e6e0e8304040
Change-Id: I2df9de272192c9a149a9ff519c96e6e0e8304040
(cherry picked from commit eb90469587d908ac89121baf4f4dca3d1da5b817)
| -rw-r--r-- | services/core/java/com/android/server/pm/ShortcutService.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java index 5b3514c01f9f..710e0b72ecfb 100644 --- a/services/core/java/com/android/server/pm/ShortcutService.java +++ b/services/core/java/com/android/server/pm/ShortcutService.java @@ -15,6 +15,7 @@ */ package com.android.server.pm; +import static android.app.ActivityOptions.MODE_BACKGROUND_ACTIVITY_START_DENIED; import static android.provider.DeviceConfig.NAMESPACE_SYSTEMUI; import android.Manifest.permission; @@ -24,6 +25,7 @@ import android.annotation.Nullable; import android.annotation.UserIdInt; import android.app.ActivityManager; import android.app.ActivityManagerInternal; +import android.app.ActivityOptions; import android.app.AppGlobals; import android.app.IUidObserver; import android.app.IUriGrantsManager; @@ -4407,8 +4409,11 @@ public class ShortcutService extends IShortcutService.Stub { return; } try { + ActivityOptions options = ActivityOptions.makeBasic() + .setPendingIntentBackgroundActivityStartMode( + MODE_BACKGROUND_ACTIVITY_START_DENIED); intentSender.sendIntent(mContext, /* code= */ 0, extras, - /* onFinished=*/ null, /* handler= */ null); + /* onFinished=*/ null, /* handler= */ null, null, options.toBundle()); } catch (SendIntentException e) { Slog.w(TAG, "sendIntent failed().", e); } |