Allow activity to be reparent while allowTaskReparenting is applied

Any malicious application could hijack tasks by android:allowTaskReparenting. This vulnerability can perform UI spoofing or spying on user’s activities. This CL only allows activities to be reparent while android:allowTaskReparenting is applied and the affinity of activity is same with the target task. Bug: 240663194 Test: atest IntentTests Change-Id: I73abb9ec05af95bc14f887ae825a9ada9600f771 Merged-In: I73abb9ec05af95bc14f887ae825a9ada9600f771 (cherry picked from commit f19d69f26fefb95d2f349cc66459691f434ac0a6)
author: Jeff Chang <chengjeff@google.com> 2022-09-05 21:38:50 +0800
committer: Jeff Chang <chengjeff@google.com> 2022-09-19 04:07:08 +0000
commit: f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7 (patch)
tree: 34c399d0d6ceb2ca5c485869d4b515eb5bfd0d64
parent: 1ee47fe22436ae0bcb7fbeb705b34c5f9ac38212 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java b/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java
index 1fd66fc2c2bc..d497d8cbf9cd 100644
--- a/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java
+++ b/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java
@@ -141,15 +141,16 @@ class ResetTargetTaskHelper implements Consumer<Task>, Predicate<ActivityRecord>
             return false;
 
         } else {
-            mResultActivities.add(r);
             if (r.resultTo != null) {
                 // If this activity is sending a reply to a previous activity, we can't do
                 // anything with it now until we reach the start of the reply chain.
                 // NOTE: that we are assuming the result is always to the previous activity,
                 // which is almost always the case but we really shouldn't count on.
+                mResultActivities.add(r);
                 return false;
             } else if (mTargetTaskFound && allowTaskReparenting && mTargetTask.affinity != null
                     && mTargetTask.affinity.equals(r.taskAffinity)) {
+                mResultActivities.add(r);
                 // This activity has an affinity for our task. Either remove it if we are
                 // clearing or move it over to our task. Note that we currently punt on the case
                 // where we are resetting a task that is not at the top but who has activities
author	Jeff Chang <chengjeff@google.com>	2022-09-05 21:38:50 +0800
committer	Jeff Chang <chengjeff@google.com>	2022-09-19 04:07:08 +0000
commit	f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7 (patch)
tree	34c399d0d6ceb2ca5c485869d4b515eb5bfd0d64
parent	1ee47fe22436ae0bcb7fbeb705b34c5f9ac38212 (diff)