Fix security bug for startActivityInTaskFragment
A malicious application uses startActivityInTaskFragment to launch an
activity from the background in case the setting application is in
the foreground. System allows activity to start if the realCallingUid
has a visible window from
ActivityStarter#shouldAbortBackgroundActivityStart. For this case,
resolving the caller’s realCallingUid is a system uid while using the
Binder.getCallingUid() after clearCallingIdentity(). If the setting
app is in the foreground, that makes the system believe there is a
visible window now and allows the background activity to start.
This CL passes in the caller realCallingUid/Pid for activity starter
instead of using Binder.getCallingUid() after clearCallingIdentity()
to fix.
Bug: 230493191
Test: atest WmTests:TaskFragmentOrganizerControllerTest
1. Install the PoC APP and open it.
2. open the Settings APP and then check if the activity has
started.
Change-Id: I8b427de13eac760924bf5a2e7975a60b202a559c
1 file changed
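
The identity mix-up described in the commit message, as an added illustration that is not code from this change or from AOSP: a toy model in which the visible-window check runs once on a uid read after `clearCallingIdentity()` and once on a uid captured before it. The class, its static stand-ins for `Binder`, the uid `10123` and the simplified `allowBackgroundStart` rule are all assumptions made for the example.

```java
import java.util.Set;

public class CallingIdentityDemo {
    static final int SYSTEM_UID = 1000;   // uid of system_server
    static final int CALLER_UID = 10123;  // constructed uid for a background third-party app

    // Toy stand-in for android.os.Binder's per-thread calling identity (hypothetical model).
    static int callingUid = SYSTEM_UID;
    static int getCallingUid() { return callingUid; }
    static long clearCallingIdentity() {
        long token = callingUid;
        callingUid = SYSTEM_UID;  // identity now reads as the local (system) process
        return token;
    }
    static void restoreCallingIdentity(long token) { callingUid = (int) token; }

    // Assumption for the model: Settings is in the foreground and runs under the
    // system uid, so the system uid owns a visible window.
    static final Set<Integer> VISIBLE_WINDOW_UIDS = Set.of(SYSTEM_UID);

    // Simplified form of the visible-window rule the commit message refers to.
    static boolean allowBackgroundStart(int realCallingUid) {
        return VISIBLE_WINDOW_UIDS.contains(realCallingUid);
    }

    // Before the fix: the uid is resolved after the identity was cleared.
    static boolean startBeforeFix() {
        long token = clearCallingIdentity();
        try {
            return allowBackgroundStart(getCallingUid());
        } finally {
            restoreCallingIdentity(token);
        }
    }

    // After the fix: the uid is captured on entry and passed to the check.
    static boolean startAfterFix() {
        int realCallingUid = getCallingUid();
        long token = clearCallingIdentity();
        try {
            return allowBackgroundStart(realCallingUid);
        } finally {
            restoreCallingIdentity(token);
        }
    }

    public static void main(String[] args) {
        callingUid = CALLER_UID;  // simulate an incoming Binder call from the background app
        System.out.println("uid read after clear:      allowed=" + startBeforeFix());
        System.out.println("uid captured before clear: allowed=" + startAfterFix());
    }
}
```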