author Jason Monk <jmonk@google.com> 2015-06-19 10:39:39 -0400
committer Jason Monk <jmonk@google.com> 2015-06-19 11:15:38 -0400
commit25d237b8ea8f573c1d6c27f7d9e87b5ebd5b5429 (patch)
tree76b7f37f8be08258be928c5c7bd5b935a3d5c999
parent909705601e94ffb4f4bfa4b48fa9e50f8302636a (diff)
Fix security whole in lock task
When flags NEW_TASK and CLEAR_TASK are set, the task gets reused which causes the lock task to be ignored. Add a special check for this to be a lock task violation. Bug: 20893212 Change-Id: Ibf3c71f40e197f0830410eb4e20429e901998378
-rw-r--r--services/core/java/com/android/server/am/ActivityStackSupervisor.java13
1 files changed, 11 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/am/ActivityStackSupervisor.java b/services/core/java/com/android/server/am/ActivityStackSupervisor.java
index 9e33f2a99607..4e98576e6fb9 100644
--- a/services/core/java/com/android/server/am/ActivityStackSupervisor.java
+++ b/services/core/java/com/android/server/am/ActivityStackSupervisor.java
@@ -1915,7 +1915,12 @@ public final class ActivityStackSupervisor implements DisplayListener {
ActivityRecord intentActivity = !launchSingleInstance ?
findTaskLocked(r) : findActivityLocked(intent, r.info);
if (intentActivity != null) {
- if (isLockTaskModeViolation(intentActivity.task)) {
+ // When the flags NEW_TASK and CLEAR_TASK are set, then the task gets reused
+ // but still needs to be a lock task mode violation since the task gets
+ // cleared out and the device would otherwise leave the locked task.
+ if (isLockTaskModeViolation(intentActivity.task,
+ (launchFlags & (FLAG_ACTIVITY_NEW_TASK | FLAG_ACTIVITY_CLEAR_TASK))
+ == (FLAG_ACTIVITY_NEW_TASK | FLAG_ACTIVITY_CLEAR_TASK))) {
showLockTaskToast();
Slog.e(TAG, "startActivityUnchecked: Attempt to violate Lock Task Mode");
return ActivityManager.START_RETURN_LOCK_TASK_MODE_VIOLATION;
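Review bot: The NEW_TASK|CLEAR_TASK mask is written out twice inside the `isLockTaskModeViolation(...)` call, so a later edit to one side of this security-relevant comparison can silently break it; hoisting it, e.g. `final int newClear = FLAG_ACTIVITY_NEW_TASK | FLAG_ACTIVITY_CLEAR_TASK;` and passing `(launchFlags & newClear) == newClear`, keeps both sides in sync. The enclosing method (startActivityUnchecked, going by the log message) starts and ends outside this hunk, so whether `launchFlags` has been adjusted before this point cannot be checked here. In the second hunk the new two-argument overload has no comment explaining `isNewClearTask`; I would add `// isNewClearTask: the launch clears and reuses the task, so the currently locked task is not exempt`, because with the flag set the result depends entirely on the `lockTaskAuth` handling that continues past the visible lines. Only this call site passes the flag and the one-argument form still exempts the locked task, so it is worth confirming that no other caller reaches a path that clears a reused task.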
@@ -3780,7 +3785,11 @@ public final class ActivityStackSupervisor implements DisplayListener {
}
boolean isLockTaskModeViolation(TaskRecord task) {
- if (getLockedTaskLocked() == task) {
+ return isLockTaskModeViolation(task, false);
+ }
+
+ boolean isLockTaskModeViolation(TaskRecord task, boolean isNewClearTask) {
+ if (getLockedTaskLocked() == task && !isNewClearTask) {
return false;
}
final int lockTaskAuth = task.mLockTaskAuth;