Limit Activity taskAffinity to application uid

Currently, activities with same affinity will be in the same task even
if they don't have the same uid. As a result, malicious apps may set
the same task affinity with attacked app, and hijack intents to get
permissions.
This patch limits activity task affinity to application uid. Activities
must have the same task affinity and uid to be in the same task.

fixes: 139128211
fixes: 144435022
Bug: 35954083
Test: test attacker with steps in attached video from b/139128211#comment9
Test: atest ActivityTaskAffinityTests
Change-Id: I4f1ab7e132f850a7ff8d207f927d862644513bde

1 files changed, 7 insertions, 1 deletions

diff --git a/services/core/java/com/android/server/wm/ActivityRecord.java b/services/core/java/com/android/server/wm/ActivityRecord.java
index 3de3578a09f1..077e735d9d60 100644
--- a/services/core/java/com/android/server/wm/ActivityRecord.java
+++ b/services/core/java/com/android/server/wm/ActivityRecord.java
@@ -1520,7 +1520,13 @@ final class ActivityRecord extends WindowToken implements WindowManagerService.A
         hasBeenLaunched = false;
         mStackSupervisor = supervisor;
 
-        taskAffinity = aInfo.taskAffinity;
+        // b/35954083: Limit task affinity to uid to avoid various issues associated with sharing
+        // affinity across uids.
+        final String uid = Integer.toString(info.applicationInfo.uid);
+        if (info.taskAffinity != null && !info.taskAffinity.startsWith(uid)) {
+            info.taskAffinity = uid + ":" + info.taskAffinity;
+        }
+        taskAffinity = info.taskAffinity;
         stateNotNeeded = (aInfo.flags & FLAG_STATE_NOT_NEEDED) != 0;
         nonLocalizedLabel = aInfo.nonLocalizedLabel;
         labelRes = aInfo.labelRes;