author Daniel Norman <danielnorman@google.com> 2025-03-07 20:25:33 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2025-04-15 11:59:01 -0700
commiteeac12b27c64813ebc25e890d0a179000ef4c2ef (patch)
tree1a805dc4422142189d7f156e0bf11e43ca3bf789
parentfa418ee7f7752d8b8f3562fe52d33c4fefcfb465 (diff)
fix: Unbind an A11yService from onNullBinding
With this fix, a service which returns null in onBind() will no longer stay bound by system_server and will no longer be able to launch activities from the background. Bug: 386950836 Test: Follow steps in the bug to reproduce the issue; observe that BAL is no longer allowed. Test: atest android.security.cts.Bug_386950836 Flag: EXEMPT security bugfix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36ebe84ca60f19e039a5700e361ad0c32c852b1a) Merged-In: Id04111b061881d23346aa90a0b5d08a28bed2c6f Change-Id: Id04111b061881d23346aa90a0b5d08a28bed2c6f
-rw-r--r--services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java10
1 files changed, 10 insertions, 0 deletions
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java
index 6cba3633b940..41733221cde1 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java
@@ -310,6 +310,16 @@ class AccessibilityServiceConnection extends AbstractAccessibilityServiceConnect
}
@Override
+ public void onNullBinding(ComponentName componentName) {
+ // Per guidance from ServiceConnection we must call Context#unbindService here to
+ // release the tracking resources associated with the ServiceConnection, to prevent
+ // Background Activity Launches (BAL).
+ synchronized (mLock) {
+ unbindLocked();
+ }
+ }
+
+ @Override
protected boolean hasRightsToCurrentUserLocked() {
// We treat calls from a profile as if made by its parent as profiles
// share the accessibility state of the parent. The call below
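Review bot: The new onNullBinding() unbinds silently, so a service that returns null from onBind() leaves no trace in the system log even though the commit message treats this as a security-relevant condition. Consider logging the component before the unbind, e.g. `Slog.w(<class log tag>, "Null binding from " + componentName + "; unbinding");`, so repeated null bindings from the same package can be spotted during triage. unbindLocked() is defined outside this hunk, so it is worth confirming two things there. First, that it actually reaches Context#unbindService as the added comment says. Second, that it also clears any "binding in progress" bookkeeping for a connection on which onServiceConnected() never ran; otherwise the component could be left in a half-bound state or be rebound on the next state update.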