From 337a2353aee7576b3aa637089852aa405c26bbef Mon Sep 17 00:00:00 2001
From: Jeff Chang <chengjeff@google.com>
Date: Wed, 14 Sep 2022 17:32:53 +0800
Subject: [RESTRICT AUTOMERGE] Allow activity to be reparent while
 allowTaskReparenting is applied
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Any malicious application could hijack tasks by
android:allowTaskReparenting. This vulnerability can perform UI
spoofing or spying on user’s activities.

This CL only allows activities to be reparent while
android:allowTaskReparenting is applied and the affinity of activity
is same with the target task.

Bug: 240663194
Bug: 252853095
Test: atest IntentTests
Change-Id: I73abb9ec05af95bc14f887ae825a9ada9600f771
Merged-In: I73abb9ec05af95bc14f887ae825a9ada9600f771
(cherry picked from commit 7af50c4d5f0354438872167b0e446930caca9deb)
---
 services/core/java/com/android/server/wm/ResetTargetTaskHelper.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java b/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java
index 2626b87b93e5..7e479679e1a2 100644
--- a/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java
+++ b/services/core/java/com/android/server/wm/ResetTargetTaskHelper.java
@@ -146,15 +146,16 @@ class ResetTargetTaskHelper {
             return false;
 
         } else {
-            mResultActivities.add(r);
             if (r.resultTo != null) {
                 // If this activity is sending a reply to a previous activity, we can't do
                 // anything with it now until we reach the start of the reply chain.
                 // NOTE: that we are assuming the result is always to the previous activity,
                 // which is almost always the case but we really shouldn't count on.
+                mResultActivities.add(r);
                 return false;
             } else if (mTargetTaskFound && allowTaskReparenting && mTargetTask.affinity != null
                     && mTargetTask.affinity.equals(r.taskAffinity)) {
+                mResultActivities.add(r);
                 // This activity has an affinity for our task. Either remove it if we are
                 // clearing or move it over to our task. Note that we currently punt on the case
                 // where we are resetting a task that is not at the top but who has activities
-- 
cgit v1.2.3-59-g8ed1b