OSDN Git Service
Chih-Wei Huang [Tue, 2 Mar 2021 14:56:56 +0000 (22:56 +0800)]
Merge tag 'android-8.1.0_r81' into oreo-x86
Android 8.1.0 Release 81 (
6780335)
Steve Elliott [Mon, 3 Aug 2020 17:45:44 +0000 (13:45 -0400)]
Mark implicit PendingIntents as immutable
Bug:
156020795
Test: manual, atest
Change-Id: I72206c7a52b067b77d6542d170a6483713dfeee7
(cherry picked from commit
84e08280d3882cfe4bad12ab426016c6d0efc7fb)
(cherry picked from commit
a5d52884d01bc21848f3dcaf5425e0aed9516162)
Patrick Baumann [Fri, 6 Mar 2020 18:34:17 +0000 (10:34 -0800)]
RESTRICT AUTOMERGE
Do not set referrerUri on SessionInfo for non-owners
This change leaves the referrerUri field null when the caller leading to
its production is not the owner of the session.
Bug:
142125338
Test: Manual via test app in related bug
Change-Id: I84679ea0636aa2097e25e23813c48134c9cc1d75
(cherry picked from commit
929ab61a147bc1866fed7a8d01a4e8f6affa39ac)
John Reck [Mon, 6 Jul 2020 23:10:49 +0000 (16:10 -0700)]
Add missing isShellUser check
Bug:
160390416
Test: verified command still works from shell
Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit
03542611973e4ce3ddca522ee12bcc85e59ce901)
Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit
3a5cd5bbe3418f79970f5c37f45583a0323b0d41)
Yu-Han Yang [Mon, 8 Jun 2020 21:59:23 +0000 (14:59 -0700)]
Remove unused intent in NiNotification
Bug:
154319182
Test: manual
Change-Id: I5958a8fb442cf4506e1824243493f91aea34a7cc
Merged-In: I5958a8fb442cf4506e1824243493f91aea34a7cc
(cherry picked from commit
8b7811ce591b323549ce12e431a9f3c67a5372d9)
Christopher Tate [Fri, 29 May 2020 00:49:53 +0000 (17:49 -0700)]
Only autoVerify at install for new hosts
Re-run app link verification at update time only when the set of hosts
has expanded. Intentionally revoke verify history when an app stops
using autoVerify, as a one-time measure to place it back into the
non-autoverify model for tracking the user's launch preferences. If the
app starts using autoVerify again later, it behaves identically to an
app that has never done so before.
Bug:
151475497
Bug:
146204120
Test: described on master CL
Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63
(cherry picked from commit
153de338c182dbdbcbc3b32186cf783805fb7757)
Winson [Thu, 23 Apr 2020 17:45:55 +0000 (10:45 -0700)]
DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package
Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.
Bug:
150857253
Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest
Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
(cherry picked from commit
40ca8b51fa90457cc49b91eac00636d1626b3a1b)
Chris Tate [Fri, 20 Mar 2020 18:33:28 +0000 (18:33 +0000)]
Revert "Revoke 'always' web handler status when not autoverifying"
This reverts commit
ef5220e5b2a4b90d4260eb058475fdcdf30d861d.
Reason for revert: Inadvertently broke link handling stickiness even for well behaved apps
Bug:
146204120
Test: install app that handles web urls; set to 'always' in Settings;
install same apk again. Verify that app is still in 'always' state via
'adb shell dumpsys package d'
Merged-In: Ife6cd66e0bae5738c08962a8fa9397973e33f28e
Merged-In: If9046cb420961b8ef0333e9f1115eb69fb92242e
Change-Id: I2b108064794b961904811c5d9f54c37dd2c7f482
(cherry picked from commit
8cd8797876e5e6feae4bc6b5d407e594db2d2eec)
Ahan Wu [Tue, 2 Jun 2020 20:21:45 +0000 (04:21 +0800)]
DO NOT MERGE Prevent ImageWallpaper from keeping crashing
GLUtil.texImage2D may throw exception that indicates bad image format.
We should catch this exception, otherwise, systemui may keep crashing.
Bug:
156087409
Test: Set a 16-bit rgb image as wallpaper
Test: Systemui shouldn't keep crashing
Change-Id: I6c9715c049b7848ecd5559ab76612a98dcd4ee6f
(cherry picked from commit
a3bff94e184590351fd95f630e8b8313d1d2053b)
Julia Reynolds [Thu, 28 May 2020 14:45:19 +0000 (10:45 -0400)]
DO NOT MERGE Make intents immutable
Test: make
Fixes:
154719656
Change-Id: I212ca5f1a48174ed85311b551259da314718f082
(cherry picked from commit
36b3352784ae90326a2b308542b1d2cfe18661a0)
(cherry picked from commit
5571013bfb5d60a7c6292746f9a380cd135da9f5)
Jing Ji [Fri, 25 Oct 2019 19:03:30 +0000 (12:03 -0700)]
More fixes towards the race conditions in AMS
Bug:
142986887
Bug:
140108616
Test: Manual
Change-Id: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
Merged-In: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
(cherry picked from commit
b2e84f0406139156442984943d8de7dd37d51368)
(cherry picked from commit
9450069de999f21156943dba175f0b29dc91b56e)
Linus Tufvesson [Tue, 5 May 2020 10:13:51 +0000 (11:13 +0100)]
RESTRICT AUTOMERGE
This change is the union of
I2aaab1903dee54190338f7b6e49888aa51437108 and I58834636e092f992e403342e36b475dc60e8f20ai
Original CL descriptions:
*** I2aaab1903dee54190338f7b6e49888aa51437108
Block TYPE_PRESENTATION windows on default display
... and any other display that isn't considered a public presentation
display, as per Display.isPublicPresentation()
*** I58834636e092f992e403342e36b475dc60e8f20a
Use TYPE_PRIVATE_PRESENTATION for private presentations
Detect if the Presenation is targeting a private virtual display, and if they
are use the windowType TYPE_PRIVATE_PRESENTATION.
***
Bug:
141745510
Test: cts-tradefed run cts -m CtsDisplayTestCases -t android.display.cts.VirtualDisplayTest
Test: Manually verfied that presentations are blocked on main display
Change-Id: I67c79c84ec2adfcdaf3b0f7bc7f0f41d30618e85
(cherry picked from commit
2bf126d042afc9678781146a36866e7b70365439)
Christopher Tate [Tue, 4 Feb 2020 02:35:13 +0000 (18:35 -0800)]
DO NOT MERGE - Kill apps outright for API contract violations
...rather than relying on in-app code to perform the shutdown.
Backport of security fix.
Bug:
128649910
Bug:
140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification
Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
(cherry picked from commit
874c974f73839da761177a4e0a53b7f4a7d29288)
Eugene Susla [Thu, 28 Mar 2019 20:50:17 +0000 (13:50 -0700)]
RESTRICT AUTOMERGE
Prevent accessing companion records from arbitrary uids
Test: manual
Fixes:
129476618
Change-Id: I7b18cfcdf58e62a445cbb508116c6ce7c1cea8d7
(cherry picked from commit
98f45443e1cf397ab92b4cecd9200c2dcccf099b)
Chih-Wei Huang [Fri, 8 May 2020 02:59:29 +0000 (10:59 +0800)]
Merge tag 'android-8.1.0_r76' into oreo-x86
Android 8.1.0 release 76
Christopher Tate [Wed, 26 Feb 2020 01:48:49 +0000 (17:48 -0800)]
Verify all possible hosts that match web nav
Even if an <intent-filter> matches non-web schemes in addition to http
or https, make sure to include its cited hosts in the autoVerify
evaluation.
Bug:
150038428
Test: atest OsHostTests#testIntentFilterHostValidation
Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
(cherry picked from commit
1fba0f897f276d5d47962534867e764da8061105)
(cherry picked from commit
a481c86cd3742c7792f8607c004e0eeb4016b894)
Christopher Tate [Wed, 26 Feb 2020 01:48:49 +0000 (17:48 -0800)]
Verify all possible hosts that match web nav
Even if an <intent-filter> matches non-web schemes in addition to http
or https, make sure to include its cited hosts in the autoVerify
evaluation.
Bug:
150038428
Test: atest OsHostTests#testIntentFilterHostValidation
Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
(cherry picked from commit
1fba0f897f276d5d47962534867e764da8061105)
(cherry picked from commit
a481c86cd3742c7792f8607c004e0eeb4016b894)
Eugene Susla [Thu, 28 Mar 2019 20:50:17 +0000 (13:50 -0700)]
RESTRICT AUTOMERGE
Prevent accessing companion records from arbitrary uids
Test: manual
Fixes:
129476618
Change-Id: I7b18cfcdf58e62a445cbb508116c6ce7c1cea8d7
(cherry picked from commit
98f45443e1cf397ab92b4cecd9200c2dcccf099b)
Anis Assi [Tue, 28 Apr 2020 18:45:07 +0000 (11:45 -0700)]
Revert "DO NOT MERGE - Kill apps outright for API contract violations"
This reverts commit
c6fd63a7a80f06a89b34aa1894694922c3af9f20.
Riddle Hsu [Sat, 22 Feb 2020 15:20:41 +0000 (23:20 +0800)]
RESTRICT AUTOMERGE Create separated tasks for different apps from startActivities
Assume there are 2 applications A, B with different uids.
There are 4 activities A1, A2, B1, B2 with default task
affinity and launch mode.
After A1 called startActivities(B1, A2, B2):
Original : Task(A1, B1, A2, B2)
This Change: Task(A1, B1), Task(A2, B2)
In other words, the source caller cannot launch its activity
above the activity of other application in the same task, and
it can still launch activity of other application in its task.
Bug:
145669109
Test: run cts --test android.server.cts.StartActivityTests \
-m CtsServicesHostTestCases
Change-Id: I97bd875146a52f62b8fe82235487ccefb2955e8e
(cherry picked from commit
973ecc619c0bb87a03481774ea9e86d2924601e4)
Chih-Wei Huang [Wed, 18 Mar 2020 10:55:14 +0000 (18:55 +0800)]
Work around GMS crashing issue on 32-bit image
Chih-Wei Huang [Mon, 16 Mar 2020 10:41:39 +0000 (18:41 +0800)]
Merge tag 'android-8.1.0_r74' into oreo-x86
Android 8.1.0 release 74
Riddle Hsu [Tue, 3 Mar 2020 06:36:21 +0000 (14:36 +0800)]
RESTRICT AUTOMERGE Use consistent calling uid and package in navigateUpTo
Originally, if the caller of navigateUpTo is alive, even the calling
uid is set to the caller who launched the existing destination activity,
the uid from caller process has higher priority to replace the given
calling uid. So this change doesn't modify the existing behavior if
the caller process is valid. Besides, the case of delivering new intent
uses the source record as calling identity too, so the case of starting
new activity should be consistent.
Also forbid attaching null application thread to avoid unexpected state
in process record.
Bug:
144285917
Test: bit FrameworksServicesTests:com.android.server.am.ActivityStackTests
Change-Id: I60732f430256d37cb926d08d093581f051c4afed
(cherry picked from commit
0d7e27af30e39fbb6dcafedc854daa639074e5cc)
Christopher Tate [Tue, 4 Feb 2020 02:35:13 +0000 (18:35 -0800)]
DO NOT MERGE - Kill apps outright for API contract violations
...rather than relying on in-app code to perform the shutdown.
Backport of security fix.
Bug:
128649910
Bug:
140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification
Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
(cherry picked from commit
874c974f73839da761177a4e0a53b7f4a7d29288)
Ryan Mitchell [Wed, 15 Jan 2020 19:43:47 +0000 (11:43 -0800)]
Fix potential double destroy of AssetManager
Assume there is a XmlBlock [X] created by a AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.
By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.
Bug:
144028297
Test: atest android.security.cts.AssetManagerTest
Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit
93320661ca9a23c7b38b3f166d0facf048f2a8a3)
Christopher Tate [Tue, 17 Dec 2019 19:21:02 +0000 (11:21 -0800)]
Revoke 'always' web handler status when not autoverifying
If an app has previously used autoVerify to make claims about its status
re handling web navigation intents, but is updated such that it no
longer makes those claims, step down its "official handler" status as
though it had never invoked autoVerify in the first place.
Bug:
146204120
Test: manual: as described in bug; observe policy before/after via
'adb shell dumpsys package d'
Test: atest CtsOsHostTestCases
Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
(cherry picked from commit
ef5220e5b2a4b90d4260eb058475fdcdf30d861d)
Philip P. Moltmann [Sat, 18 Jan 2020 00:17:49 +0000 (16:17 -0800)]
Add STATUS_BAR permission to dialer in oc-rm1
Similar to pie-dev
Change-Id: Iaab5f82ba008603ba5996ec012d38352e86c2f1b
Merged-In: If88aa90f4dcab51b6e11562cadbe003948b6c149
Fixes:
147301827
Patrick Baumann [Wed, 6 Nov 2019 18:36:39 +0000 (10:36 -0800)]
Fixes NPE when preparing app data during init
When deleting an unused static shared library on Q, the user manager was
fetched via mContext.getSystemService. At this time during boot, the
service wasn't registered and so null was returned. This has already
been addressed in R with a move to injecting dependencies in the
PackageManagerService constructor.
Bug:
142083996
Bug:
141413692
Test: manual; remove static dependency on eng Q build and reboot
Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
(cherry picked from commit
5d3fc339b57950fd8621cb410865e8800ccb6873)
Patrick Baumann [Thu, 10 Oct 2019 22:50:28 +0000 (15:50 -0700)]
Use KNOWN_PACKAGES when shared lib consumers
This change ensures we find ALL known packages that could be consuming a
shared library, not only currently installed ones. Without this check,
the system may get into a state in which we have currently uninstalled
but on-device apps that depend on a shared library that does not exist
on device.
This change also leaves static shared library packages on device even if
it's not installed for any of the remaining users as it could still be
used, but marked uninstalled for users in which it is consumed.
Bug:
141413692
Bug:
142083996
Test: Manual; attempt to remove shared lib after marking its consumer uninstalled.
Test: atest StaticSharedLibsHostTests
Change-Id: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
Merged-In: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
(cherry picked from commit
08315953bc42fb392c32293418dfb2a3e4ffbe53)
Patrick Baumann [Fri, 23 Aug 2019 20:50:23 +0000 (13:50 -0700)]
Handles null outInfo in deleteSystemPackageLI
This change adds null checks before accessing outInfo in
deleteSystemPackageLI.
Bug:
142083996
Bug:
141413692
Test: manual; remove static dependency on eng build and reboot
Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit
17471016508bb9c9ffb8c3946dda0b4897d722f1)
Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit
6afabce549f5725988b9c03de932c34e9d22f10e)
paulhu [Mon, 16 Dec 2019 10:24:05 +0000 (18:24 +0800)]
Fix security problem on PermissionMonitor#hasPermission
PermissionMonitor#hasPermission only checks permssions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission doens't be granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.
Bug:
144679405
Test: Build, flash, manual test
Change-Id: I5eba4909e4c2e1d9f275f66be90ac36466b93e90
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: Iae9c273af822b18c2e6fce04848a86f8dea6410a
(cherry picked from commit
305946b910a9ab3974daa4277f155614a3fc27a4)
Sterling Huber [Thu, 7 Nov 2019 19:04:03 +0000 (11:04 -0800)]
RESTRICT AUTOMERGE
Make toasts non-clickable
Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.
This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
log click events. Then:
1) Observe click events are logged without this CL.
2) Observer click events are not logged with this CL.
Bug:
128674520
Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
(cherry picked from commit
54e6a3c4fbf2eb70541932074ed650dcf22113ed)
Yohei Yukawa [Sat, 19 Jan 2019 19:49:37 +0000 (11:49 -0800)]
DO NOT MERGE back porting for fixing sysui direct reply
Root cause: systemui run as user 0 service to handle all of users'
notifications. And, the users can user the copy/cut/paste
functionality.
Solution: To crate @hide API in TextView let SystemUI to mark the
TextView instance should check if the power of
INTERACT_ACROSS_USER_FULL is needed to be restricted.
e.x. Keyguard password textview/Notificaiton entries
Bug:
123232892
Test: manual test
Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
Reference: I975baa748c821538e5a733bb98a33ac609bf40a7
Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
Merged-In: I6d11e4d6a84570bc2991a8552349e8b216b0d139
(cherry picked from commit
08aae90860c4ece4d3448b32a31e5417c8490b47)
Tarandeep Singh [Mon, 1 Jul 2019 21:27:25 +0000 (14:27 -0700)]
DO NOT MERGE: Disable SpellChecker in secondary user's direct reply
For secondary users, when AOSP keyboard is used to type in
direct-reply, unknown words can be added to dictionary.
It's *not* OK for SpellCheckerService of primary user to
check unknown words typed by a secondary user.
The dialog to add these words shows up in primary user instead.
TextView uses TextView#isSuggestionsEnabled() to determine if
SpellChecker is enabled. This can be disabled by setting the flag
TYPE_TEXT_FLAG_NO_SUGGESTIONS in inputType.
Note: This doesn't affect workprofile users on P or older versions since
they use same SpellCheckerService for all workprofiles.
Bug:
123232892
Test: Manually tested using the steps mentioned in the bug.
1. Flash latest P build.
2. Install AOSP keyboard (LatinIME) and set it as default.
3. Install and open EditTextVariations
4. Initiate direct reply in primary user and type non-english
words like "ggggg hhhhh".
5. Observe that they get red underline and tapping it brings "add
to dictionary" popup.
6. Create a new secondary user and switch to it.
7. Once the setup completes, initiate a direct reply and type words
similar to step 4.
8. Verify that red underlines dont appear.
9. switch back to primary user and verify direct reply still has red
underlines.
Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc
(cherry picked from commit
b52efcb9d58348d2bcb9c83d36b0f1ae1244482b)
Evan Laird [Wed, 6 Nov 2019 19:04:59 +0000 (14:04 -0500)]
Force FGS notifications to show for a minimum time
It's possible for a service to do a start/stop foreground and cause a
couple of things to happen:
NotificationManagerService will enqueue a EnqueueNotificationRunnable,
post a PostNotificationRunnable (for the startForeground), and then also
enqueue a CancelNotificationRunnable. There is some racy behavior here
in that the cancel runnable can get triggered in between enqueue and
post runnables. If the cancel happens first, then
NotificationListenerServices will never get the message.
This behavior is technically allowed, however for foreground services we
want to ensure that there is a minmum amount of time that notification
listeners are aware of the foreground service so that (for instance) the
FGS notification can be shown.
This CL does two things to mitigate this problem:
1. Introduce checking in the CancelNotificationRunnable such that it
will not cancel until after PostNotificationRunnable has finished
executing.
2. Introduce a NotificationLifetimeExtender method that will allow a
lifetime extender to manage the lifetime of a notification that has been
enqueued but not inflated yet.
Bug:
119041698
Test: atest NotificationManagerServiceTest
Test: atest ForegroundServiceLifetimeExtenderTest
Change-Id: I0680034ed9315aa2c05282524d48faaed066ebd0
Merged-In: I0680034ed9315aa2c05282524d48faaed066ebd0
(cherry picked from commit
3692a6d231cef34f0a47a9b2802590d59eaf51e5)
Jing Ji [Mon, 4 Nov 2019 22:22:27 +0000 (14:22 -0800)]
Prevent system uid component from running in an isolated app process
Bug:
140055304
Test: Manua
Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
(cherry picked from commit
0bfebadf304bdd5f921e80f93de3e0d13b88b79c)
Todd Kennedy [Fri, 20 Sep 2019 20:45:15 +0000 (13:45 -0700)]
Only allow INSTALL_ALLOW_TEST from shell or root
Bug:
141169173
Test: Manual. App can't be installed as test-only
Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
(cherry picked from commit
702d394762a9b162cb2a2b04bb726fd8053f24d3)
Ahan Wu [Thu, 26 Sep 2019 11:00:26 +0000 (19:00 +0800)]
DO NOT MERGE Validate wallpaper dimension while generating crop
If dimensions of cropped wallpaper image exceed max texture size that
GPU can support, it will cause ImageWallpaper keep crashing
because hwui crashes by invalid operation (0x502).
Bug:
120847476.
Test: Write a custom app to set a 8000x800 bitmap as wallpaper.
Test: The cropped file will be 29600x2960 and make sysui keep crashing.
Test: After applyed this cl, wallpaper will use fallback.
Test: Sysui will not keep crashing any more.
Change-Id: Ifaf2085a0bc94448e49fa2f30066f47310586236
(cherry picked from commit
160c28c36d728e932ceac5babc512cf2aa59c857)
Chih-Wei Huang [Thu, 24 Oct 2019 04:31:17 +0000 (12:31 +0800)]
Merge tag 'android-8.1.0_r69' into oreo-x86
Android 8.1.0 Release 69 (
5794017)
Seigo Nonaka [Wed, 16 Oct 2019 21:48:30 +0000 (14:48 -0700)]
RESTRICT AUTOMERGE
Revive runLimit check logic
The runLimit check logic was accidentally removed by
I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
Bug:
142134328
Bug:
140632678
Test: Manually done with reported step
Test: StaticLayoutTest passes
Change-Id: Ib1d5efdcb9adcc18a6a43370dc016ea464f48148
(cherry picked from commit
7b05578d9c87eee4ce5af64d9aee94e709f809cd)
Seigo Nonaka [Mon, 16 Sep 2019 21:49:49 +0000 (14:49 -0700)]
RESTRICT AUTOMERGE
Do not compute outside given range in TextLine
This is second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
which breaks various layout test on application.
The empty string must be also handled by the TextLine since it
retrieves the default line height from the empty string.
Bug:
140632678
Test: StaticLayoutTest
Test: Manually done
Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
(cherry picked from commit
4ce901e4058d93336dca3413dc53b81bbdf9d3e8)
Jeff Sharkey [Thu, 18 Jul 2019 00:51:28 +0000 (18:51 -0600)]
RESTRICT AUTOMERGE
Enable stricter SQLiteQueryBuilder options.
Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.
This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks. This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.
We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.
Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.
Bug:
135270103,
135269143
Test: cts-tradefed run cts -m CtsAppTestCases -t android.app.cts.DownloadManagerTest
Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
(cherry picked from commit
f683c688d5fcd1c178aad2dc154ae5d7b5c60aa9)
Jeff Sharkey [Tue, 16 Jul 2019 22:50:42 +0000 (16:50 -0600)]
RESTRICT AUTOMERGE
Strict SQLiteQueryBuilder needs to be stricter.
Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.
This change offers setStrictGrammar() to prevent this by outright
blocking subqueries in WHERE and HAVING clauses, and by requiring
that GROUP BY and ORDER BY clauses be composed only of valid columns.
This change also offers setStrictColumns() to require that all
untrusted column names are valid, such as those in ContentValues.
Relaxes to always allow aggregation operators on returned columns,
since untrusted callers can always calculate these manually.
Bug:
135270103,
135269143
Test: cts-tradefed run cts -m CtsDatabaseTestCases -t android.database.sqlite.cts.SQLiteQueryBuilderTest
Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
(cherry picked from commit
92e5e5e45c171f88cb30d8044e43e40fd5437416)
Zongheng Wang [Thu, 5 Sep 2019 20:44:28 +0000 (13:44 -0700)]
Set default phonebook access to ACCESS_REJECTED when user didn't choose
one
When there's no users' choice to tell us whether to share their
phonebook information to the Bluetooth device, set the phonebook access
permission to ACCESS_REJECTED.
Bug:
138529441
Test: Manual test
Change-Id: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
Merged-In: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
(cherry picked from commit
02046b4f2ce82f6a3b6fd733c4b45f47acf51296)
Jonathan Scott [Tue, 25 Jun 2019 09:58:06 +0000 (10:58 +0100)]
Add MANAGED_PROVISIONING_DPC_DOWNLOADED (nyc).
Test: Just adding a constant
Bug:
132261064
Change-Id: I1527be03a10fa1a2fde09e3e41d6b7e83a986fc0
Merged-In: I2bce277ff8f2de4614e19d5385fe6712b076f9c9
(cherry picked from commit
20e5d92613268c196b508865b7275b59f00688f5)
Bryan Ferris [Tue, 21 May 2019 19:38:19 +0000 (12:38 -0700)]
[RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() if provided by PendingIntentRecord#sendInner()
Previously we'd ignore realCallingPid and realCallingUid that
PendingIntentRecord#sendInner() provided to startActivityInPackage().
Now we correctly pass it on, preserving past behaviour if none
provided.
Test: manual; we added logging statements to check the value of realCallingUid
in startActivitiesMayWait when launching the calendar app from the calendar widget
and verified that it was the calendar uid rather than the system uid.
Bug:
123013720
Change-Id: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
Merged-In: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
(cherry picked from commit
f5e5af7f3d01e35d43faef897f625b954cfbcc3c)
Christopher Dombroski [Tue, 16 Apr 2019 20:21:39 +0000 (13:21 -0700)]
OP_REQUEST_INSTALL_PACKAGES denied by default
Some system apps may download unknown content and the user should
be explicitly asked whether they trust these files. System apps should
explicitly use the extra NOT_UNKNOWN_SOURCE to bypass this check.
Test: Builds, boots, existing tests pass:
atest CtsPackageInstallTestCases
Locally verified they pass if CtsPackageInstallTestCases.apk was signed by
the platform cert.
Bug:
123700348
Change-Id: I3028bf8ff3f79a41521deeee43fba3c32bb1b2ca
Merged-In: I2578251906f6656b83464d1c4fc4db99165841c9
(cherry picked from commit
43e682abef2a1c65585bef510c390480f0c4a2fd)
Mihai Popa [Tue, 25 Jun 2019 10:15:18 +0000 (11:15 +0100)]
Fix Layout.primaryIsTrailingPreviousAllLineOffsets
The CL fixes a crash in Layout.primaryIsTrailingPreviousAllLineOffsets.
The crash was happening when the method was called for a line beginning
with an empty bidi run. This could happen, for example, for empty text -
I was unable to find any other case. The CL improves the existing test
for the method with this case, which was previously crashing.
The CL also fixes a potential crash in getLineHorizontals. However, this
bug could never happen as in the current code path clamped is always
false (and kept as parameter for parity with getHorizontal).
Bug:
135444178
Bug:
78464361
Test: atest FrameworksCoreTests:android.text.LayoutTest\#testPrimaryIsTrailingPrevious
Change-Id: I47157abe1d74675884734e3810628a566e40c1b4
(cherry picked from commit
7ad499d00716f45fffdf7331493ed21d1b8d9b77)
(cherry picked from commit
42a6af7a11842cea3faa97d24dba209a97101bb3)
Chienyuan [Tue, 9 Jul 2019 07:09:56 +0000 (15:09 +0800)]
HidProfile: sync isPreferred() with HidHostService
HidHostService allow to connect when priority is PRIORITY_UNDEFINED.
HidProfile should return ture when priority is PRIORITY_UNDEFINED.
Otherwise, the "Input device" toggle in off state when HID device
connected.
Bug:
132456322
Test: manual
Change-Id: Id7bae694c57aec17e019d591c0a677e3cb64f845
(cherry picked from commit
830217f277e31e63d9ab8acd21ee2a8f81ee1c8f)
Michael Wachenschwanz [Thu, 16 May 2019 05:58:15 +0000 (22:58 -0700)]
Clear the Parcel before writing an exception during a transaction
This prevents any object data from being accidentally overwritten by the
exception, which could cause unexpected malformed objects to be sent
across the transaction.
Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
Bug:
34175893
Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
(cherry picked from commit
f8ef5bcf21c87d8617f5e11810cc94350298d114)
Chalard Jean [Mon, 20 May 2019 04:11:37 +0000 (13:11 +0900)]
Protect VPN dialogs against overlay.
Bug:
130568701
Test: manual. After this, can't display on top of it
Change-Id: Ib032f800edb0416cc15f01a34954340d0d0ffa78
Merged-In: Ib032f800edb0416cc15f01a34954340d0d0ffa78
(cherry picked from commit
4e80dc2861614d25a1f957f50040a8cf04812d11)
(cherry picked from commit
016c72c8abfbae08eda269afb8923e8fc8a4ce44)
Jonathan Scott [Thu, 9 May 2019 10:52:47 +0000 (11:52 +0100)]
[RESTRICT AUTOMERGE] Make Lock task default consistent w/ Settings (oc-mr1-dev).
Bug:
127605586
Test: Manual
Change-Id: I40c9a29935d9e5a27cdcdf90187efe61035448fd
(cherry picked from commit
cd6c636800b62c2c823d53b973171070fe5d8aba)
Chih-Wei Huang [Wed, 5 Jun 2019 09:28:50 +0000 (17:28 +0800)]
Merge tag 'android-8.1.0_r65' into oreo-x86
Android 8.1.0 release 65
Chih-Wei Huang [Mon, 20 May 2019 09:27:39 +0000 (17:27 +0800)]
Merge tag 'android-8.1.0_r64' into oreo-x86
Android 8.1.0 Release 64 (OPM8.190505.001)
Steven Moreland [Thu, 18 Apr 2019 23:32:42 +0000 (16:32 -0700)]
HwBlob: s/malloc/calloc/
Since this blob is passed between processes.
We could potentially only memset portions of the blob as it is
written to. However, the JHwBlob API itself doesn't have to have
writes in order (even though known usages of it do write in order).
Because of this, keeping track of which bytes to pad would be too
expensive.
Bug:
131356202
Test: boot, hidl_test_java
Change-Id: I48f4d7cb20c4bfe747dd323ae3744d323ad097c9
Merged-In: I48f4d7cb20c4bfe747dd323ae3744d323ad097c9
(cherry picked from commit
d8157bc094569bee74976df2585d632f1793e226)
Greg Wroblewski [Fri, 19 Apr 2019 21:42:18 +0000 (14:42 -0700)]
SUPL ES Extension - June 2019 rollup
Bug:
112159033
ASB: 2019-06
Change-Id: Iaf4b0295e726658852272de1cf857d9d55b63276
android-build-team Robot [Tue, 16 Apr 2019 22:37:45 +0000 (22:37 +0000)]
Merge cherrypicks of [
7077328,
7074021,
7074022,
7077576,
7077577,
7077578,
7077579] into oc-m8-release
Change-Id: Iec63c3117aa78ca05775724fb9afd8d048730755
Eran Messeri [Mon, 25 Mar 2019 14:31:04 +0000 (14:31 +0000)]
Permission Check For DPM.getPermittedAccessibilityServices
Bug:
128599660
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest
Change-Id: I8be915bd6a4ff99884d23005a4c6f0100806dbe8
Merged-In: I8ee3f876fcaffa63636645f0f59709cd147254ef
(cherry picked from commit
4fd13eefcf99d9b9b0d5f5ea99fdc7c799c83d23)
Julia Reynolds [Wed, 27 Mar 2019 16:15:57 +0000 (12:15 -0400)]
[RESTRICT_AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
Test: atest
Fixes:
128599467
Change-Id: I13a0ca7590f8c4b44379730e0ee2088aba400c2a
(cherry picked from commit
657d164136199126ae241848887de0230699cea0)
(cherry picked from commit
bed6193b5954565f60afb5f5f9868d89991354d7)
Julia Reynolds [Wed, 27 Mar 2019 16:15:57 +0000 (12:15 -0400)]
[RESTRICT_AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
Test: atest
Fixes:
128599467
Change-Id: I13a0ca7590f8c4b44379730e0ee2088aba400c2a
(cherry picked from commit
657d164136199126ae241848887de0230699cea0)
(cherry picked from commit
bed6193b5954565f60afb5f5f9868d89991354d7)
Pavel Grafov [Wed, 10 Apr 2019 11:47:25 +0000 (12:47 +0100)]
Limit IsSeparateProfileChallengeAllowed to system callers
Fixes:
128599668
Test: build, set up separate challenge
Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a
(cherry picked from commit
1b6301cf2430f192c9842a05fc22984d782bade9)
Varun Shah [Wed, 20 Mar 2019 18:10:33 +0000 (11:10 -0700)]
Added missing permission check to isPackageDeviceAdminOnAnyUser.
Added a check for the MANAGE_USERS permission to
PackageManagerService#isPackageDeviceAdminOnAnyUser.
To test that the method is still usable:
1) Enable virtual storage via: adb shell sm set-virtual-disk true
2) Follow instructions by clicking on notification to set up virtual storage
3) Go to Settings -> Apps & notifications -> See all X apps
4) Click on any non-system app (example Instagram)
5) Tap Storage and you should see a "Change" button (if not, choose another app)
6) Tap Change and you should see Internal and Virtual storage options listed
7) The above step confirms the method is still usable by Settings
Bug:
128599183
Test: SafetyNet logging (steps listed above)
Change-Id: I989f1daf52a71f6c778ebd81baa6f1bf83e9a718
Merged-In: I36521fa43daab399e08869647326a7ac32d1e512
(cherry picked from commit
18e7dedf6c35f07daf8b7239d501737745ac7f43)
Eran Messeri [Mon, 25 Mar 2019 14:31:04 +0000 (14:31 +0000)]
Permission Check For DPM.getPermittedAccessibilityServices
Bug:
128599660
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest
Change-Id: I8be915bd6a4ff99884d23005a4c6f0100806dbe8
Merged-In: I8ee3f876fcaffa63636645f0f59709cd147254ef
(cherry picked from commit
4fd13eefcf99d9b9b0d5f5ea99fdc7c799c83d23)
android-build-team Robot [Wed, 13 Mar 2019 20:14:54 +0000 (20:14 +0000)]
Merge cherrypicks of [
6714499,
6716593,
6716594,
6716595,
6716596,
6716597,
6716977,
6718226,
6717773,
6716978,
6717663] into oc-m8-release
Change-Id: I96f75f93b03721c801d8f0d237995b6a7ae07564
WyattRiley [Thu, 28 Feb 2019 19:43:12 +0000 (11:43 -0800)]
DO NOT MERGE - SUPL ES Extension - Safer Init and Not After Boot
Safe order of pointer setting and background thread start
Verifying mCallEndElapsedRealtimeMillis is not the initial value
Bug:
112159033
Bug:
115361555
Bug:
125124724
Test: Verified not-after-boot with test code b/
115361555#comment14
Test: Reproed NPE with test thread sleep and verify fix
Change-Id: Icd2ea91d71da71c8fda109ceb70514733d35060b
(cherry picked from commit
a7cb82eb85cd361b90c9700ff935ba614c94f490)
WyattRiley [Thu, 28 Feb 2019 19:43:12 +0000 (11:43 -0800)]
DO NOT MERGE - SUPL ES Extension - Safer Init and Not After Boot
Safe order of pointer setting and background thread start
Verifying mCallEndElapsedRealtimeMillis is not the initial value
Bug:
112159033
Bug:
115361555
Bug:
125124724
Test: Verified not-after-boot with test code b/
115361555#comment14
Test: Reproed NPE with test thread sleep and verify fix
Change-Id: Icd2ea91d71da71c8fda109ceb70514733d35060b
(cherry picked from commit
a7cb82eb85cd361b90c9700ff935ba614c94f490)
Mauro Rossi [Sun, 3 Mar 2019 15:28:41 +0000 (16:28 +0100)]
android_view_ThreadedRenderer: prevent Null Pointer Exception in createBitmap
To avoid Playstore crashes with nouveau and Hardware Bitmap,
a check is added to bitmap returned by Bitmap::createFrom(buffer)
inspired by similar behavior in Bitmap.cpp Bitmap_createHardwareBitmap()
Fixes the following crash:
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Android-x86/android_x86/x86:8.1.0/OPM8.181005.003/uten01131829:userdebug/test-keys'
Revision: '0'
ABI: 'x86'
pid: 4644, tid: 4644, name: android.vending >>> com.android.vending <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xc
Cause: null pointer dereference
eax
89195380 ebx
b1d36290 ecx
00000000 edx
ae783074
esi
00000000 edi
ae7a9380
xcs
00000073 xds
0000007b xes
0000007b xfs
0000003b xss
0000007b
eip
b1c4f7c8 ebp
bff902c8 esp
bff9028c flags
00010246
backtrace:
#00 pc
000fd7c8 /system/lib/libandroid_runtime.so (android::bitmap::createBitmap(_JNIEnv*, android::Bitmap*, int, _jbyteArray*, _jobject*, int)+104)
#01 pc
000d08ca /system/lib/libandroid_runtime.so (android::android_view_ThreadedRenderer_createHardwareBitmapFromRenderNode(_JNIEnv*, _jobject*, long long, int, int)+1002)
JP Sugarbroad [Mon, 25 Feb 2019 21:55:30 +0000 (13:55 -0800)]
Revert "Adding SUPL NI Emergency Extension Time"
This reverts commit
8315a530d3378705ba5ef29152b3c51c006bc697.
android-build-team Robot [Wed, 16 Jan 2019 18:56:56 +0000 (18:56 +0000)]
Merge cherrypicks of [
6072696,
6072074,
6072757,
6072120,
6072121,
6072122,
6072123,
6072575,
6072576,
6072577,
6072578,
6072579,
6072193,
6072131,
6072194,
6072076,
6072210,
6072759,
6072760,
6072698,
6072699,
6072700,
6072701,
6072702,
6072703,
6072704,
6072905,
6072906,
6072907,
6072761] into oc-m8-release
Change-Id: Ia83e95b299ccfe815cca1abec869db1456fca295
Adrian Roos [Mon, 7 Jan 2019 15:57:31 +0000 (16:57 +0100)]
DPM: Fix regression from I54376f60ac53451ace22965d331b47cd8c2e614e
Fixes an issue where setting a password via DPM would never
satisfy a QUALITY_COMPLEX password requirement.
Change-Id: I3fbc952bd44291ac22728c626b128fc0c1aae232
Merged-In: I3fbc952bd44291ac22728c626b128fc0c1aae232
Fixes:
120915644
Bug:
110172241
Test: atest 'com.android.cts.devicepolicy.DeviceAdminHostSideTestApi24#testRunDeviceOwnerPasswordTest'
Test: Set credential via DPM.resetPassword(), factory reset device to trigger FRP, verify FRP shows.
(cherry picked from commit
48d06522c66cac586a859a628729d26c6fa5d64c)
Abodunrinwa Toki [Fri, 4 Jan 2019 17:18:39 +0000 (17:18 +0000)]
RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
Also don't show smart actions for selections in text with unsupported
characters.
Bug:
116321860
Test: runtest -x cts/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
Change-Id: Ib2ee544b5783234fba8ee2f93adf0b36b039520f
(cherry picked from commit
4e3507d544741ba08d871a235b6ec11e1e674853)
WyattRiley [Thu, 6 Dec 2018 19:43:58 +0000 (11:43 -0800)]
Adding SUPL NI Emergency Extension Time
Configurable by carrier config.xml resource
Bug:
118839234
Bug:
115361555
Bug:
112159033
Test: On device, see b/
115361555#comment14
Change-Id: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
Merged-In: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
(cherry picked from commit
1cd7883a76d7bb28edc9c29bdabb3753a0c63396)
Adrian Roos [Thu, 6 Dec 2018 16:50:41 +0000 (17:50 +0100)]
FRP: save password quality in DPM.resetPassword
When setting a password from DPM.resetPassword(), the actual quality of the
password was not passed to LockSettingsService (instead, the minimum required
quality was passed which is often UNSPECIFIED). As a result, during FRP we
would see inconsistent state and skip it.
Bug:
110172241
Test: Set credential via DPM.resetPassword(), factory reset device to trigger FRP, verify FRP shows.
Change-Id: I54376f60ac53451ace22965d331b47cd8c2e614e
Merged-In: I54376f60ac53451ace22965d331b47cd8c2e614e
(cherry picked from commit
ef116def7c91fd4492a8df03355e1dbdbde02a85)
Adrian Roos [Mon, 7 Jan 2019 15:57:31 +0000 (16:57 +0100)]
DPM: Fix regression from I54376f60ac53451ace22965d331b47cd8c2e614e
Fixes an issue where setting a password via DPM would never
satisfy a QUALITY_COMPLEX password requirement.
Change-Id: I3fbc952bd44291ac22728c626b128fc0c1aae232
Merged-In: I3fbc952bd44291ac22728c626b128fc0c1aae232
Fixes:
120915644
Bug:
110172241
Test: atest 'com.android.cts.devicepolicy.DeviceAdminHostSideTestApi24#testRunDeviceOwnerPasswordTest'
Test: Set credential via DPM.resetPassword(), factory reset device to trigger FRP, verify FRP shows.
(cherry picked from commit
48d06522c66cac586a859a628729d26c6fa5d64c)
Abodunrinwa Toki [Fri, 4 Jan 2019 17:18:39 +0000 (17:18 +0000)]
RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
Also don't show smart actions for selections in text with unsupported
characters.
Bug:
116321860
Test: runtest -x cts/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
Change-Id: Ib2ee544b5783234fba8ee2f93adf0b36b039520f
(cherry picked from commit
4e3507d544741ba08d871a235b6ec11e1e674853)
WyattRiley [Thu, 6 Dec 2018 19:43:58 +0000 (11:43 -0800)]
Adding SUPL NI Emergency Extension Time
Configurable by carrier config.xml resource
Bug:
118839234
Bug:
115361555
Bug:
112159033
Test: On device, see b/
115361555#comment14
Change-Id: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
Merged-In: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
(cherry picked from commit
1cd7883a76d7bb28edc9c29bdabb3753a0c63396)
Adrian Roos [Thu, 6 Dec 2018 16:50:41 +0000 (17:50 +0100)]
FRP: save password quality in DPM.resetPassword
When setting a password from DPM.resetPassword(), the actual quality of the
password was not passed to LockSettingsService (instead, the minimum required
quality was passed which is often UNSPECIFIED). As a result, during FRP we
would see inconsistent state and skip it.
Bug:
110172241
Test: Set credential via DPM.resetPassword(), factory reset device to trigger FRP, verify FRP shows.
Change-Id: I54376f60ac53451ace22965d331b47cd8c2e614e
Merged-In: I54376f60ac53451ace22965d331b47cd8c2e614e
(cherry picked from commit
ef116def7c91fd4492a8df03355e1dbdbde02a85)
Wayne Lin [Thu, 13 Sep 2018 07:34:10 +0000 (15:34 +0800)]
[DO NOT MERGE] Changing SUPL_ES=1 for SUPL end point control
SUPL_ES=1 ensures the GnssLocationProvider and related framework code
accepts incoming SMS SUPL_INIT messages with ES-bit=1
(which allow redirection of the ESLP
end-point e.g. to the current local emergency services provider when
you are travelling) only during an emergency call
Bug:
115331218
Bug:
112159033
Test: Build pass
Change-Id: I5075f7887a184ce18bb1815b35a2ce7acd8bca10
(cherry picked from commit
02f38c7284f183d5e1fc39fe56903a567ff3fc20)
Jakub Pawlowski [Thu, 29 Nov 2018 17:54:21 +0000 (18:54 +0100)]
Bluetooth: Check descriptors size in BluetoothHidDeviceAppSdpSettings
Bug:
119819889
Test: compilation
Change-Id: If51d0e2af74d99758f79a603d40cc2f5c84e4dde
Merged-In: If51d0e2af74d99758f79a603d40cc2f5c84e4dde
(cherry picked from commit
f843ccbf9e3791b426af78389e276c46dbec75e1)
JP Sugarbroad [Thu, 10 Jan 2019 22:42:03 +0000 (14:42 -0800)]
Revert "[DO NOT MERGE] Changing SUPL_ES=1 for SUPL end point control"
This reverts commit
7334c95f01b36158188485a21e056faa30c2b985.
Chih-Wei Huang [Fri, 21 Dec 2018 08:57:42 +0000 (16:57 +0800)]
Merge tag 'android-8.1.0_r53' into oreo-x86
Android 8.1.0 release 53
android-build-team Robot [Fri, 7 Dec 2018 21:43:17 +0000 (21:43 +0000)]
Merge cherrypicks of [
5745882,
5746123,
5746124,
5746125,
5745544,
5745819,
5746700,
5745883,
5745545,
5746720,
5746344,
5745884,
5745885,
5745886,
5746740,
5746741] into oc-m8-release
Change-Id: Id37012cba82213c4eceac91277a0914ce7c50cf8
Jakub Pawlowski [Thu, 29 Nov 2018 17:54:21 +0000 (18:54 +0100)]
Bluetooth: Check descriptors size in BluetoothHidDeviceAppSdpSettings
Bug:
119819889
Test: compilation
Change-Id: If51d0e2af74d99758f79a603d40cc2f5c84e4dde
Merged-In: If51d0e2af74d99758f79a603d40cc2f5c84e4dde
(cherry picked from commit
f843ccbf9e3791b426af78389e276c46dbec75e1)
Varun Shah [Sat, 27 Oct 2018 00:03:23 +0000 (17:03 -0700)]
RESTRICT AUTOMERGE: Added an app id security check in isAppForeground.
ActivityManagerService#isAppForeground now checks if the caller has the
permission to view if an app is in the foreground.
Bug:
115384617
Test: cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.ActivityManagerTest#testIsAppInForegroundNormal
Test: cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.ActivityManagerTest#testIsAppInForegroundMalicious
Change-Id: I9602c89b2d40036e525c38960a08326dc74c6682
(cherry picked from commit
ad02e59ac2cd3e6180e02fd60e6dedd8177c7b6e)
android-build-team Robot [Fri, 19 Oct 2018 16:33:31 +0000 (16:33 +0000)]
Merge cherrypicks of [
5313290,
5313323,
5313343,
5313415,
5313291,
5313441,
5313557,
5313344,
5313383,
5313384,
5313324,
5313325,
5313326,
5313294,
5313295,
5313296,
5313498] into oc-m8-release
Change-Id: I46b1483089554a4bec18c984d21c8b56ee8bcb85
Jeff Sharkey [Mon, 24 Sep 2018 19:23:57 +0000 (13:23 -0600)]
RESTRICT AUTOMERGE: Recover shady content:// paths.
The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.
This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:
<path-permission android:pathPrefix="/private" ... />
uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
content://com.example//private
The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.
Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.
Bug:
112555574
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
(cherry picked from commit
a1ec7b115cc378f0547f10cf1074a5248d42d94f)
Wayne Lin [Thu, 13 Sep 2018 07:34:10 +0000 (15:34 +0800)]
[DO NOT MERGE] Changing SUPL_ES=1 for SUPL end point control
SUPL_ES=1 ensures the GnssLocationProvider and related framework code
accepts incoming SMS SUPL_INIT messages with ES-bit=1
(which allow redirection of the ESLP
end-point e.g. to the current local emergency services provider when
you are travelling) only during an emergency call
Bug:
115331218
Bug:
112159033
Test: Build pass
Change-Id: I5075f7887a184ce18bb1815b35a2ce7acd8bca10
(cherry picked from commit
02f38c7284f183d5e1fc39fe56903a567ff3fc20)
Chih-Wei Huang [Thu, 18 Oct 2018 07:47:19 +0000 (15:47 +0800)]
pm: ignore restorecon failure
On the 9p filesystem, restorecon won't work. It causes apk can't be
installed. Just ignore the errors to workaround it.
Jeff Sharkey [Mon, 24 Sep 2018 19:23:57 +0000 (13:23 -0600)]
RESTRICT AUTOMERGE: Recover shady content:// paths.
The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.
This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:
<path-permission android:pathPrefix="/private" ... />
uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
content://com.example//private
The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.
Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.
Bug:
112555574
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
(cherry picked from commit
a1ec7b115cc378f0547f10cf1074a5248d42d94f)
Wayne Lin [Thu, 13 Sep 2018 07:34:10 +0000 (15:34 +0800)]
[DO NOT MERGE] Changing SUPL_ES=1 for SUPL end point control
SUPL_ES=1 ensures the GnssLocationProvider and related framework code
accepts incoming SMS SUPL_INIT messages with ES-bit=1
(which allow redirection of the ESLP
end-point e.g. to the current local emergency services provider when
you are travelling) only during an emergency call
Bug:
115331218
Bug:
112159033
Test: Build pass
Change-Id: I5075f7887a184ce18bb1815b35a2ce7acd8bca10
(cherry picked from commit
02f38c7284f183d5e1fc39fe56903a567ff3fc20)
Chih-Wei Huang [Tue, 9 Oct 2018 09:32:55 +0000 (17:32 +0800)]
Merge tag 'android-8.1.0_r48' into oreo-x86
Android 8.1.0 release 48
android-build-team Robot [Fri, 28 Sep 2018 23:14:06 +0000 (23:14 +0000)]
Merge cherrypicks of [
5141855] into oc-m8-release
Change-Id: I6cad0b3abf3d6310ad835765629eaa5fc57d2e2f
Atanas Kirilov [Fri, 28 Sep 2018 20:22:08 +0000 (20:22 +0000)]
RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."
This reverts commit
05dc947c63a2304adce53a0aef6b0e0a9db9343a.
Reason for revert: Not a security fix and the security fix needs this cl is reverted.
Bug:
114365189
Change-Id: Id667b1c4d1a1af27837f553d7461283b22e5e41f
(cherry picked from commit
bb4dcd1099cac4e0b3602e3d2ac088b796df3691)
Wale Ogunwale [Wed, 16 May 2018 23:42:29 +0000 (16:42 -0700)]
RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
1: Cherry-pick ag/
4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow
2: Cherry-pick ag/
3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded
3: Add permissions to SystemUI to allow it to hide non-system overlays
Bug:
34170870
Test: manual (see bug for poc)
Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
(cherry picked from commit
40f7b5832291ec81b921d9d7598447653d926604)
Michael Wachenschwanz [Sat, 25 Aug 2018 04:50:35 +0000 (21:50 -0700)]
Verify number of Map entries written to Parcel
Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.
Fixes:
112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit
057a01d1f38e9b46d3faa4059fdd7c8717681ea0)
android-build-team Robot [Tue, 11 Sep 2018 23:09:12 +0000 (23:09 +0000)]
Merge cherrypicks of [
4995494,
4995495,
4995496,
4995497,
4997652,
4997881,
4997052,
4997883,
4995518,
4997653,
4997654] into oc-m8-release
Change-Id: Ib795e893dd306cb76180e8b18e1af21e2cd0598a
Michael Wachenschwanz [Sat, 25 Aug 2018 04:50:35 +0000 (21:50 -0700)]
Verify number of Map entries written to Parcel
Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.
Fixes:
112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit
057a01d1f38e9b46d3faa4059fdd7c8717681ea0)
akirilov [Fri, 24 Aug 2018 22:43:05 +0000 (15:43 -0700)]
RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions.
Bug:
111752150
Test: Manual local test
Change-Id: I0b48a20525f87fc6f5ab8d7e70aa7d11cd747f97
(cherry picked from commit
05dc947c63a2304adce53a0aef6b0e0a9db9343a)
Wale Ogunwale [Wed, 16 May 2018 23:42:29 +0000 (16:42 -0700)]
RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
1: Cherry-pick ag/
4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow
2: Cherry-pick ag/
3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded
3: Add permissions to SystemUI to allow it to hide non-system overlays
Bug:
34170870
Test: manual (see bug for poc)
Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
(cherry picked from commit
40f7b5832291ec81b921d9d7598447653d926604)
Chih-Wei Huang [Mon, 10 Sep 2018 15:47:11 +0000 (23:47 +0800)]
Merge tag 'android-8.1.0_r46' into oreo-x86
Android 8.1.0 Release 46 (OPM6.171019.030.K1)