6 months worth of security patches! #18

Open
wants to merge 61 commits into
base: 12.1

Meghthedev

No description provided.

Louis Chang and others added 30 commits August 6, 2023 12:20
… no privilege"

This reverts commit fa8d6362348738284b3f33a13e1fa5cdd0af67b2.

Reason for revert: apps crashed due to the top activity info trimmed

Bug: 264269392 263434196 263438172
Change-Id: I57d37649acb31bd93bd5aa10507f548cd77fc8f2
(cherry picked from commit b37e4e7e6f465c4b6a291be6c65587dbd75b4ae4)
Merged-In: I57d37649acb31bd93bd5aa10507f548cd77fc8f2
Occasionally ILockSettings can fail to be initialized otherwise
Fixes: 232714129
Test: boot (and eventually bootstress/reboot-long)

Change-Id: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
(cherry picked from commit 8e27854)
(cherry picked from commit d262fa6)
Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
The NotificationManagerService registers a LockPatternUtils.StrongAuthTracker
to observe the StrongAuth changes of every user.
More specifically, it’s the STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN flag.
Via this flag, NotificationManagerService can perform the following operations
when the user enters or exits lockdown mode:

Enter lockdown:
1. Remove all the notifications belonging to the user.
2. Set the local flag to indicate the lockdown is on for the user.
   The local flag will suppress the user's notifications on the
   post, remove and update functions.

Exit lockdown:
1. Clear the local flag to indicate the lockdown is off for the user.
2. Repost the user’s notifications (suppressed during lockdown mode).

The CL also updates corresponding tests.

Bug: 173721373
Bug: 250743174
Test: atest NotificationManagerServiceTest
Test: atest NotificationListenersTest
Ignore-AOSP-First: pending fix for a security issue.

Change-Id: I4f30e56550729db7d673a92d2a1250509713f36d
Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
(cherry picked from commit de3b12fca23178d8c821058261572449b67d5967)
(cherry picked from commit 0b56ec9aa245f7bbdf065a4b33b5ef00a558dbe4)
Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
Prior to this CL, WorkSources would Parcel their list of WorkChains as
-1 if null, or the size of the list followed by the list itself if
non-null. When reading it back in, on the other hand, they would check
if the size was positive, and only then read the list from the Parcel.
This works for all cases except when the WorkSource has an empty but
non-null list of WorkChains as the list would get written to the parcel,
but then never read on the other side.

If parceling a list was a no-op when empty this wouldn't be an issue,
but it must write at least its size into the parcel to know how many
elements to extract. In the empty list case, this single element is left
unread as the size is not positive which essentially corrupts any future
items read from that same parcelable.

Bug: 220302519
Test: atest android.security.cts.WorkSourceTest#testWorkChainParceling
Change-Id: I2fec40dfced420ca38e717059b0e95ee8ef9946a
(cherry picked from commit 266b3bddcf14d448c0972db64b42950f76c759e3)
Merged-In: I2fec40dfced420ca38e717059b0e95ee8ef9946a
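
The read/write asymmetry described in the WorkSource commit message above, modeled outside Android as an added example (not code from the AOSP change). `ToyParcel` is a hypothetical stand-in for `android.os.Parcel`, WorkChains are reduced to ints, and the `>= 0` reader is one symmetric form assumed here, not necessarily the actual patch.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class WorkChainParcelDemo {

    /** Hypothetical stand-in for android.os.Parcel: a flat int buffer with a read cursor. */
    static final class ToyParcel {
        private final List<Integer> data = new ArrayList<>();
        private int pos = 0;

        void writeInt(int v) { data.add(v); }
        int readInt() { return data.get(pos++); }

        // A list write always emits its element count first, even for an empty list.
        void writeList(List<Integer> list) {
            writeInt(list.size());
            for (int v : list) writeInt(v);
        }

        List<Integer> readList() {
            int n = readInt();
            List<Integer> out = new ArrayList<>();
            for (int i = 0; i < n; i++) out.add(readInt());
            return out;
        }

        void rewind() { pos = 0; }
    }

    // Writer as the commit message describes it: -1 for null,
    // otherwise the size followed by the list itself.
    static void writeChains(ToyParcel p, List<Integer> chains) {
        if (chains == null) {
            p.writeInt(-1);
            return;
        }
        p.writeInt(chains.size());
        p.writeList(chains);
    }

    // Reader before the fix: the list is consumed only when the size is positive,
    // so an empty, non-null list is written but never read.
    static List<Integer> readChainsBefore(ToyParcel p) {
        int n = p.readInt();
        return n > 0 ? p.readList() : null;
    }

    // Symmetric reader (assumed form): consume the list whenever the writer emitted one.
    static List<Integer> readChainsSymmetric(ToyParcel p) {
        int n = p.readInt();
        return n >= 0 ? p.readList() : null;
    }

    // Constructed sentinel standing in for whatever field follows the WorkSource.
    static final int NEXT_FIELD = 4242;

    /** Writes chains plus one trailing field, reads the chains back, returns the next int read. */
    static int nextFieldAfter(List<Integer> chains, boolean symmetric) {
        ToyParcel p = new ToyParcel();
        writeChains(p, chains);
        p.writeInt(NEXT_FIELD);
        p.rewind();
        if (symmetric) {
            readChainsSymmetric(p);
        } else {
            readChainsBefore(p);
        }
        return p.readInt();
    }

    public static void main(String[] args) {
        List<List<Integer>> cases = new ArrayList<>();
        cases.add(null);                      // null list
        cases.add(new ArrayList<Integer>());  // empty but non-null list
        cases.add(Arrays.asList(7, 8));       // populated list

        for (List<Integer> chains : cases) {
            int before = nextFieldAfter(chains, false);
            int after = nextFieldAfter(chains, true);
            System.out.println("chains=" + chains
                    + " wrote next field=" + NEXT_FIELD
                    + " | old reader sees " + before
                    + (before == NEXT_FIELD ? " (in sync)" : " (desynchronized)")
                    + " | symmetric reader sees " + after
                    + (after == NEXT_FIELD ? " (in sync)" : " (desynchronized)"));
        }
    }
}
```

In the empty-list case the old reader leaves the list's own size marker in the buffer, so the next field read returns that marker instead of the value that was written.
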
…package name

This change makes sure that the extracted component name in a
MediaButtonReceiverHolder matches the Media Session owner's package
name. This avoids incorrectly routing media button events and potential
security issues.

Bug: 244312001
Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: Ifac9cf53889222e31d18c14c1e096ee68c0a346c
(cherry picked from commit 185c3e252397bfa37592edbb5b2f5ae97db92eda)
Merged-In: Ifac9cf53889222e31d18c14c1e096ee68c0a346c
(cherry picked from commit 48c388277880e56ab5cc29e145e4d00aa383ce01)
Merged-In: Ifac9cf53889222e31d18c14c1e096ee68c0a346c
Adds check that enforces ComponentName's package belongs to calling app.
This avoids privileged execution of arbitrary code through media button
events.

This is a partial revert revert of ag/19338169.

Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 1b2fa2486cc97fd9515300f858d4da2af8d8908c)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 863d396f4ccabee91d51b04f72f44c34ffe351f0)
(cherry picked from commit 833af484ecbe732ec086ee08a068c6010cd070c9)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d
This reverts commit c4d3106e347922610f8c554de3ae238175ed393e.

Reason for revert: b/264884187, b/264885689 

Change-Id: I9fb0d66327f3f872a92e6b9d682d58489e81e6ba
(cherry picked from commit 7bb933f48ff15d8f08d2185005b7b3e212915276)
Merged-In: I9fb0d66327f3f872a92e6b9d682d58489e81e6ba
…L only now.

Or, if an instrumentation starts another instrumentation and so on,
and the original instrumentation is started from SHELL, allow all
Context#startInstrumentation calls in this chain.

Otherwise, it'll throw a SecurityException.

Bug: 237766679
Test: atest CtsAppTestCases:InstrumentationTest
Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c
Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c
Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892
Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
(cherry picked from commit 5985225e777cdb96b738aeda859dff49f6c6f853)
Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originally only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call.

This CL did the following:

- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null.

Bug: 260567867
Bug: 262230405
Test: local test, see b/262230405
Test: atest CtsAccountManagerTestCases
Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477
(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981)
Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
Test: manual testing done on device by installing test APK and checking if receiver can register
Bug: 242040055
Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0)
(cherry picked from commit 8460609f01147d2a7e849eca1ca895211530b589)
Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
Avoids deserialization error when the scheme contains a
reserved character.

Bug: 261858325

Test: atest android.content.cts.IntentTest#testEncoding

Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470
(cherry picked from commit bfe7e8bab48caff53dbcf2913f724de2e4f5aa81)
Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
…f no privilege

The activity info could be from another uid which is different
from the app that hosts the task. The information should be
trimmed if the caller app doesn't have the privilege.

However, removing the entire info may result in app compatibility
issues. So, only swiping the info that are sensitive to empty
string.

Bug: 243130512
Test: verified market app locally
Test: atest RecentTasksTest
Change-Id: I5b6775dd3c4e2ccdacd30741884d336b2eaa70da
Merged-In: I5b6775dd3c4e2ccdacd30741884d336b2eaa70da
(cherry picked from commit 5ba72200f6a66b5da48c9c3abd103a73aea1ef95)
(cherry picked from commit 7be9e6efb63884f8f4bb647e537a29746bbeb9fa)
Merged-In: I5b6775dd3c4e2ccdacd30741884d336b2eaa70da
Same as exists for channels

This is a backport of the fix in ag/16659457, including the adjustment from ag/20920023 (changed the max value from 50000 to 6000).

Test: PreferencesHelperTest
Bug: 210114537
Bug: 261723753
Change-Id: Ic27efba4c54e22eebca16fc948879e652df4467b
(cherry picked from commit 37b3549 & I3f3a99765c161369e1b026686a0e5f0c83ed839e)
Merged-In: I3f3a99765c161369e1b026686a0e5f0c83ed839e
(cherry picked from commit 38257af19e18d19075483dfa351c7e5cbb9cbf75)
Merged-In: Ic27efba4c54e22eebca16fc948879e652df4467b
Bug: 235823542
Test: atest LocationProviderManagerTest and manual tests
Change-Id: I2a0fa7b99c3ad5ae839d8018ec70cb5c26e33240
(cherry picked from commit 750af79d5ccb282bb79ef40932858fbae801a48b)
Merged-In: I2a0fa7b99c3ad5ae839d8018ec70cb5c26e33240
Opt-in for BAL of PendingIntent for following APIs:

* PackageInstaller.uninstall()
* PackageInstaller.installExistingPackage()
* PackageInstaller.uninstallExistingPackage()
* PackageInstaller.Session.commit()
* PackageInstaller.Session.commitTransferred()
* PackageManager.freeStorage()

Bug: 230492955
Bug: 243377226
Test: atest android.security.cts.PackageInstallerTest
Test: atest CtsStagedInstallHostTestCases
Change-Id: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf
(cherry picked from commit 5f00e89989392c9ae00b360e1388d0179dfb36d7)
Merged-In: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf
This reverts commit 22261fa.

Reason for revert: Re-release due to functional regression

Change-Id: I9ca1fa2f140d640159fabec1424c52867cf01a60
(cherry picked from commit 23bf0bda7d9b97a82ea04257318bb90677561476)
Merged-In: I9ca1fa2f140d640159fabec1424c52867cf01a60
…wer than preload

Also remove misleading commandline output.

BUG: 256202273

Test: manual
1. Install preload system app v90, reboot
2. (W/O data, W/ Flag, 90->80 NOK) adb install -d ~/Downloads/PrivApplication_80.apk
Performing Streamed Install
adb: failed to install /usr/local/google/home/schfan/Downloads/PrivApplication_80.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE: System app: com.example.privapplication cannot be downgraded to older than its preloaded version on the system image. Update version code 80 is older than current 90]
3. (90->100) Install data app v100
4. (W/ data, W/O Flag, 100->90 NOK) adb install ~/Downloads/PrivApplication_90.apk
Performing Streamed Install
adb: failed to install /usr/local/google/home/schfan/Downloads/PrivApplication_90.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE: Downgrade detected: Update version code 90 is older than current 100]
5. (W/ data, W/ Flag, 100->90 downgrade OK) adb install -d ~/Downloads/PrivApplication_90.apk
Performing Streamed Install
Success
6. (90->100) Install v100
6. (W/data, W/ Flag, 100->80 NOK) adb install -d ~/Downloads/PrivApplication_80.apk
Performing Streamed Install
adb: failed to install /usr/local/google/home/schfan/Downloads/PrivApplication_80.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE: System app: com.example.privapplication cannot be downgraded to older than its preloaded version on the system image. Update version code 80 is older than current 90]

Change-Id: I5a8ee9e29a3a58f6e3fd188e0122355744b8b0ce
(cherry picked from commit a4484d7f1be1fa413258fe18644d61f85611f586)
(cherry picked from commit on googleplex-android-review.googlesource.com host: cc9d3867082ac1518b7264c3752442f5ca112aa1)
Merged-In: I5a8ee9e29a3a58f6e3fd188e0122355744b8b0ce
…ades

Turns out we do have internal tests that downgrade system apps, so adding this exception to allow for that.

BUG: 267232653
BUG: 256202273

Test: manual
Change-Id: Ie281bbdc8788ee64ff99a7c5150da7ce7926235e
(cherry picked from commit ceeca68b8c3f0ed8427b0212f63defe2f075146e)
(cherry picked from commit on googleplex-android-review.googlesource.com host: 636cdf22b90ccb4866f380c307b7e1b92da03ed9)
Merged-In: Ie281bbdc8788ee64ff99a7c5150da7ce7926235e
- If too large when parsing service XMLs then skip this service.
- If too large when a service attempts to update its own info
  then throw an error.

Bug: 261589597
Test: atest AccessibilityServiceInfoTest
Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
(cherry picked from commit on googleplex-android-review.googlesource.com host: 553232c29079fbeab28f95307d025c1426aa7142)
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
The interpretation of the path depends on whether the scheme or
authority are specified and should be observed when unparcelling
URIs.

Bug: 171966843
Test: atest FrameworksCoreTests:android.net.UriTest
Test: atest com.android.devicehealthchecks.SystemAppCheck
Change-Id: I06981d1c6e387b16df792494523994518848db37
(cherry picked from commit f37a94ae920fa5879c557603fc285942ec4b84b1)
(cherry picked from commit on googleplex-android-review.googlesource.com host: d83281c73070f2428754912ede95ecb0e3d69cd5)
Merged-In: I06981d1c6e387b16df792494523994518848db37
- include disabled accounts when looking up accounts for a package to
  check if the limit is reached (10)
- put a new limit of 10 supported schemes
- put a new limit of 256 characters per scheme
- put a new limit of 256 characters per address
- ensure the Icon can write to memory w/o throwing an exception

bug: 259064622
bug: 256819769
Test: cts + unit
Change-Id: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
(cherry picked from commit on googleplex-android-review.googlesource.com host: 6a02885f90fa64d88bac31efbcdbc2bfe0a9328f)
Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
Block touches from passing through activities by adding a dedicated
surface that consumes all touches that would otherwise pass through the
bounds available to the Activity.

+ Keep displayId in sync for ActivityRecord

Bug: 194480991
Test: atest CtsWindowManagerDeviceTestCases:ActivityRecordInputSinkTests
Test: atest CtsWindowManagerDeviceTestCases:CrossAppDragAndDropTests
Test: atest CtsWindowManagerDeviceTestCases:PinnedStackTests
Test: Used "System > Developer Options > Simulate secondary display" to
test that moving activities between displays works as intended.

Change-Id: Ie74674c87c81c571089463349ac6233717ed9f33
(cherry picked from commit on googleplex-android-review.googlesource.com host: a418847bb8de788905aced4f59437de7cbfc5360)
Merged-In: Ie74674c87c81c571089463349ac6233717ed9f33
This is a backport of ag/20581190 and includes the fix in ag/20778075.
Note that on this branch, clearData doesn't seem to actually clear persistent storage.

Bug: 258422365
Test: atest NotificationManagerServiceTest SnoozeHelperTest
Change-Id: If7c7db6694330ffbac551d044efadb26219fe17f
Merged-In: I5a2823f10053ea8c83c612a567d6d4f1b6af23e7
Merged-In: Ie809cb4d648a40622618e0fb374f36b6d8dc972a
(cherry picked from commit on googleplex-android-review.googlesource.com host: b8a07871459ed895fc814730e198df4a0b5860dc)
Merged-In: If7c7db6694330ffbac551d044efadb26219fe17f
This is a second attempt at fixing the issue, the previous CL
ag/20642213 was reverted because it simply throws an exception when the
limit is reached, which causes apps to crash since chat apps tend to be
sending a large amount of conversation shortcuts and they have no way to
know how many of these shortcuts are still cached by the system.

Instead of throwing an exception, this CL simply removes excessive
shortcuts to avoid crashes. Currently there is a limit on the number
of shortcuts an app can publish in respect to each launcher activity.
This CL further implements a global maximum of total number of shortcuts
that can be retained for an app to mitigate from any potential system
health issue.

When the global maximum is reached, ShortcutService will proactively
remove shortcuts from system memory. Cached shortcuts are removed
first, followed by dynamic shortcuts, using last updated time as
tie-breaker.

This CL additionally addresses an unexpected flow where re-publishing
previously removed shortcuts that are still retained by the system could
cause the total number of shortcuts to exceed previously set limit.

Bug: 250576066 233155034
Test: manual
Change-Id: I001c7a87b62aefa9487bf8efaf3cd02d7cb21521
Merged-In: I001c7a87b62aefa9487bf8efaf3cd02d7cb21521
(cherry picked from commit on googleplex-android-review.googlesource.com host: 94437e989c0391b2dbf28d33120fdc28a4ce8d4d)
Merged-In: I001c7a87b62aefa9487bf8efaf3cd02d7cb21521
The conditional permission was introduced for TaskFragmentOrganizer, but
not really needed. Remove the conditional check.

Bug: 259938771
Test: pass existing tests
Merged-In: I666b9ee6b6076766513b97e675fdbaa002428601
Change-Id: I666b9ee6b6076766513b97e675fdbaa002428601
(cherry picked from commit on googleplex-android-review.googlesource.com host: 6d848929eab6249b0ba1b8bd6d454744850b1718)
Merged-In: I666b9ee6b6076766513b97e675fdbaa002428601
This is to prevent malicious app entering PiP without being visible
first, like blocking onResume from completion. Which in turn
leaves the PiP window in limbo and non-interactable.

Bug: 265293293
Test: atest PinnedStackTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4fad1456409b79d6e649a29d5116a4fe3160bd21)
Merged-In: I458a9508662e72a1adb9d9818105f2e9d7096d44
Change-Id: I458a9508662e72a1adb9d9818105f2e9d7096d44
…g notifications

NotificationContentInflater waits on SysUiBg thread for images to load, with a timeout
of 1000ms.

Test: 1. Build a test app that posts MessagingStyle notifications with a huge image (8k+) set as data Uri.
 2. SystemUi should not ANR
 3. adb logcat | grep NotificationInlineImageCache  - shows timeout/cancellation logs

Bug: 252766417
Bug: 223859644

(cherry picked from commit 195043f40e46ddcd2fe534a9dac344792d39d91c)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b9cd15ad8a2f87893164ad2ab518039bb0b61424)
Merged-In: I341db60223214cf2282b5c0270e343e1ce95fa01
Change-Id: I341db60223214cf2282b5c0270e343e1ce95fa01
Catch canvas drawing exceptions caused by unsupported image sizes.

Test: 1. Post a custom view notification with a layout
	containing an ImageView that references a 5k x 5k image
2. Add an App Widget to the home screen that has the
	layout mentioned above as preview/initial layout.

Bug: 268193777
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c3db1e4451490ddc7f6033a6ab7d54e71ebda9d8)
Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a

Change-Id: Ibbaa234b663bc8e40d2a0a0f076a8676b6b1bc16
This change updates the privapp allowlist to grant the MANAGE_USERS
permission to Traceur. This permission is needed to query admin user
status, as Traceur shouldn't be able to start if the current user is not
an admin.

Test: Using ABTD, apply this change with ag/22119816 to verify that
      Traceur still works as intended (opening app, tracing, etc.).
Bug: 262243665
Bug: 262244249
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f42db15239663604eb5d36edb04a0f9a04576568)
Merged-In: I8e2174065b686c052cb080b3590ea4d89e7a7783
Change-Id: I8e2174065b686c052cb080b3590ea4d89e7a7783
Bug: 265015796
Test: atest
FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e01f68bdabe8aa7154e1ed936235b5304f4c0cd)
Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3
Julia Reynolds and others added 30 commits August 8, 2023 20:30
Test: ServiceListingTest
Bug: 260570119
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a9c75de2b4ae92f4b7e7aade8433fd44ef376e11)
Merged-In: Ib4740ba401667de62fa1a33334c2c1fbee25b760
Change-Id: Ib4740ba401667de62fa1a33334c2c1fbee25b760
…dbyController

When deciding an app's standby bucket, check if the
app has its user control disabled by an IT admin. If so,
the app should be the exempted restricted bucket.

Bug: 272042183
Test: atest AppStandbyControllerTests
(cherry picked from commit 269fcb6873dee199dd8023831f882aafff1f6291)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3dbab873d6d8f78c4d498a575ad37fd0dc20efbe)
Merged-In: I4279dc37f0e17aedb1c2a87468478248443a253e
Change-Id: I4279dc37f0e17aedb1c2a87468478248443a253e
Bug: 274759612
Test: atest NotificationInterruptStateProviderImplTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1bc1be92ce0d8bd8abd9efa13e85ac0d33556a3b)
Merged-In: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
Change-Id: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
Bug: 261036568
Test: manually via supplied tool (see bug)
(cherry picked from commit 3062b80fb28014a7482d5fa8b2a5c852134a5845)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:08809fa8c938ccc6f0cd21036fcc464a96d93384)
Merged-In: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
Change-Id: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
This commit will try to sanitize the content of VpnDialog. This
commit creates a function which will try to sanitize the VPN
label, if the sanitized VPN label is different from the original
one, which means the VPN label might contain HTML tag or the VPN
label violates the words restriction (may contain some wording
which will mislead the user). For this kind of case, show the
package name instead of the VPN label to prevent misleading the
user.

The malicious VPN app might be able to add a large number of line
breaks with HTML in order to hide the system-displayed text from
the user in the connection request dialog. Thus, sanitizing the
content of the dialog is needed.

Bug: 204554636
Test: N/A
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab)
Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
The v1 and v2 APK Signature Schemes support multiple signers; this
was intended to allow multiple entities to sign an APK. Previously,
the platform had no limits placed on the number of signers supported
in an APK, but this commit sets a hard limit of 10 supported signers
for these signature schemes to ensure a large number of signers
does not place undue burden on the platform.

Bug: 266580022
Test: Manually verified the platform only allowed an APK with the
       maximum number of supported signers.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597)
Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091
Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091
This will also verify that the caller app can actually grant them.

Fix: 274592467
Test: atest NotificationManagerServiceTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4dee5aab12e95cd8b4d663ad050f07b0f2433596)
Merged-In: I83429f9e63e51c615a6e3f03befb76bb5b8ea7fc
Change-Id: I83429f9e63e51c615a6e3f03befb76bb5b8ea7fc
Bug: 243794108
Test: atest CtsSecurityBulletinHostTestCases:android.security.cts.CVE_2023_20918
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c62d2e1021a030f4f0ae5fcfc8fe8e0875fa669f)
Merged-In: I5d329beecef1902c36704e93d0bc5cb60d0e2f5b
Change-Id: I5d329beecef1902c36704e93d0bc5cb60d0e2f5b
security method is none. This is mostly to fix the case where we auth
sim pin in the set up wizard and it goes straight to keyguard instead of
the setup wizard activity.

This works with the prevent bypass keyguard flag because the device
should be not secure in this case.

Fixes: 222446076
Test: turn locked sim on, which opens the sim pin screen. Auth the
screen and observe that keyguard is not shown.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
Cherry-picking this CL as a security fix

Bug: 222446076
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:65ea56f54c059584eb27ec53d486dba8161316ab)
Merged-In: Id302c41f63028bc6dd58ba686e23d73565de9675
Change-Id: Id302c41f63028bc6dd58ba686e23d73565de9675
Also added the person URIs in the test, since they weren't being
checked.

Test: atest NotificationManagerServiceTest & tested with POC from bug
Bug: 276729064
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43b1711332763788c7abf05c3baa931296c45bbb)
Merged-In: I848545f7aee202495c515f47a32871a2cb6ae707
Change-Id: I848545f7aee202495c515f47a32871a2cb6ae707
Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput.
This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior.

Fixes: 273729476
Test: atest ShortcutManagerTest2
Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab0c8ac5b47509a71f27c4e5e9ce104d51bab0a8)
Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
Bug: 277740848
Test: atest RemoteViewsTest NotificationManagerServiceTest & tested with POC from bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4692946c10d11c1e935869e11dc709a9cdcba69)
Merged-In: I7d3d35df0ec38945019f71755bed8797b7af4517
Change-Id: I7d3d35df0ec38945019f71755bed8797b7af4517
…s from using Alarm

Manager to bypass BAL restrictions.

Test: atest-src BackgroundActivityLaunchTest
Bug: 195756028
Change-Id: I33112ff59d913d8a7244289fe1a43512844e902a
(cherry picked from commit 7a41e2fbc983ce0083b288e9489288de60dc8d8b)
Merged-In: I33112ff59d913d8a7244289fe1a43512844e902a
…'s own app only

unless it's a system app.

Bug: 239423414
Bug: 223376078
Test: atest CtsAppTestCases:ActivityManagerTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d1c95670b248df945784b0f2830acf83b5682de3)
Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
Apps should not have direct access to this entry point. Check that the
caller is a vendor, system, or product package.

Test: Ran PoC app and CtsMediaPlayerTestCases.
Bug: 236688380
(cherry picked from commit d0ba7467c2cb2815f94f6651cbb1c2f405e8e9c7)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e37820e47c383aecf9d1173a0676c27e6a59ce4f)
Merged-In: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f
Change-Id: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f
with content URI.

This prevents the primary user from accessing the secondary user's
photos for QAW card images.

Test: manually, atest
Bug: 272020068
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ff753ae693065685d85bbda6af2953905fdf434c)
Merged-In: I6932c5131b3c795bac4ea9b537938e7ef4f3ea4e
Change-Id: I6932c5131b3c795bac4ea9b537938e7ef4f3ea4e
Bug: 277593270
Test: atest NotificationManagerServiceTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:beb185c5cd60edc68f4ef386c4407eba9c02c698)
Merged-In: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1
Change-Id: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1
The following APIs now enforce limits and throw IllegalArgumentException
when limits are violated:
* DPM.setTrustAgentConfiguration() limits agent package name,
  component name, and strings within configuration bundle.
* DPM.setPermittedAccessibilityServices() limits package names.
* DPM.setPermittedInputMethods() limits package names.
* DPM.setAccountManagementDisabled() limits account name.
* DPM.setLockTaskPackages() limits package names.
* DPM.setAffiliationIds() limits id.
* DPM.transferOwnership() limits strings inside the bundle.

Package names are limited at 223, because they become directory names
and it is a filesystem restriction, see FrameworkParsingPackageUtils.

All other strings are limited at 65535, because longer ones break binary
XML serializer.

The following APIs silently truncate strings that are long beyond reason:
* DPM.setShortSupportMessage() truncates message at 200.
* DPM.setLongSupportMessage() truncates message at 20000.
* DPM.setOrganizationName() truncates org name at 200.

Bug: 260729089
Test: atest com.android.server.devicepolicy
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:12c201509e911f4dddabf371bd22c93e097e5d99)
Merged-In: Idcf54e408722f164d16bf2f24a00cd1f5b626d23
Change-Id: Idcf54e408722f164d16bf2f24a00cd1f5b626d23
Manual test steps:
1. Enable app pinning and disable "Ask for PIN before unpinning" setting
2. Pin an app (ie: Settings)
3. Lockdown from the power menu
Observe: user is brought to the keyguard, primary auth is required
to enter the device. After entering credential, the device is still in
app pinning mode.

Test: atest KeyguardViewMediatorTest
Test: manual steps outlined above
Bug: 218495634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94)
Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2
Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2

Change-Id: Ia967920c8b3f2388d7a1d4ce7a717525b2680923
PermissionManagerServiceImpl.restorePermissionState() creates a new
UID permission state for non-shared-UID packages that have been
updated (i.e. replaced), however the existing logic for non-runtime
permission never carried over the flags from the old state. This
wasn't an issue for much older platforms because permission flags
weren't used for non-runtime permissions, however since we are
starting to use them for role protected permissions (ROLE_GRANTED) and
app op permissions (USER_SET), we do need to preserve the permission
flags.

This change merges the logic for granting and revoking a non-runtime
permission in restorePermissionState() into a single if branch, and
appends the logic to copy the flag from the old state in that branch.

Bug: 283006437
Test: PermissionFlagsTest#nonRuntimePermissionFlagsPreservedAfterReinstall
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e1ebd84e27f5d4fa8bc6577705293251bcbac4f)
Merged-In: Iea3c66710e7d28c6fc730b1939da64f1172b08db
Change-Id: Iea3c66710e7d28c6fc730b1939da64f1172b08db
Bug: 276294099
Test: atest NotificationManagerServiceTest NotificationVisitUrisTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67cd169d073486c7c047b80ab83843cdee69bf53)
Merged-In: I670198b213abb2cb29a9865eb9d1e897700508b4
Change-Id: I670198b213abb2cb29a9865eb9d1e897700508b4
This is to prevent a vulnerability where notifications can show
resources belonging to other users, since the URI in the nested views
was not being checked.

Bug: 277740082
Test: atest RemoteViewsTest NotificationVisitUrisTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:850fd984e5f346645b5a941ed7307387c7e4c4de)
Merged-In: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8
Change-Id: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8
This is a security fix for b/270049379.

Bug: 270049379
Test: atest CtsMediaMiscTestCases
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c573c83a2aa36ca022302f675d705518dd723a3c)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba546a306217389a8ff9e5e948612651fd496081)
Merged-In: I05626f7abf1efef86c9e01ee3f077d7177d7f662
Change-Id: I05626f7abf1efef86c9e01ee3f077d7177d7f662
Bug: 277741109
Test: atest RemoteViewsTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ae0d45137b0f8ea49a085bbce4d39f901685c4a5)
Merged-In: Iceb33606da3a49b9638ab21aeae17a168c1b411a
Change-Id: Iceb33606da3a49b9638ab21aeae17a168c1b411a
Bug: 281807669
Test: Manual, i.e. posting the following sequence of events (within few milliseconds) to the scheduler and observe the behaviour with and without the fix: Mic in use -> Mic not in use -> Mic in use
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a45e1d045770eaabfdbf0e1212c9eb84caf1d565)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:20ea049a4a52dbc8d4e5ed957a2b6b9aa02a2f34)
Merged-In: I9851e6ed4cb956d0459ef56251eb0ef3210764b8
Change-Id: I9851e6ed4cb956d0459ef56251eb0ef3210764b8
Bug: 281018094
Test: atest RemoteViewsTest NotificationVisitUrisTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:634a69b7700017eac534f3f58cdcc2572f3cc659)
Merged-In: I2014bf21cf90267f7f1b3f370bf00ab7001b064e
Change-Id: I2014bf21cf90267f7f1b3f370bf00ab7001b064e
…re user specific settings are used" into rvc-dev am: d198f5165c am: 886d492c8c

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/23475765

Signed-off-by: Automerger Merge Worker <[email protected]>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f37a92b8c8c98ca40f858782fe3720362565c16c)
Merged-In: Idda8cdb4c853b6046ba19d35eeea2a1a6ee73541
Change-Id: Idda8cdb4c853b6046ba19d35eeea2a1a6ee73541
Bug: 213170822

Remove the code that CursorWindow::writeToParcel() uses to ensure slot
data is 4-byte aligned.  Because mAllocOffset and mSlotsOffset are
already 4-byte aligned, the alignment step here is unnecessary.

CursorWindow::spaceInUse() returns the total space used.  The tests
verify that the total space used is always a multiple of 4 bytes.

Test: atest
 * libandroidfw_tests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d4afa0986cbc440f458b4b8db05fd176ef3e6d2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:548b0a183859fb023dee7ecd7d9f05bf7fed00f8)
Merged-In: I720699093d5c5a584283e5b76851938f449ffa21
Change-Id: I720699093d5c5a584283e5b76851938f449ffa21
Add a check for URI permission to make sure that user can access the URI
set in MediaMetadata. If permission is denied, clear the URI string set
in metadata.

Bug: 271851153
Test: atest MediaSessionTest
Test: Verified by POC app attached in bug, image of second user is not
the UMO background of the first user.

(cherry picked from commit b8a7fd8e6f41ee54d27c1e7aaa15b4a3f5365a02)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91705f7cc95a87a5cc7814f543669adcd3b35f09)
Merged-In: I384f8e230c909d8fc8e5f147e2fd3558fec44626
Change-Id: I384f8e230c909d8fc8e5f147e2fd3558fec44626
…m: 543e6febbf am: 8c3d465b5e

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/23438530

Fixes: 285650146
Fixes: 280797684
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:06456af560729b8a8d209613bb117ede3496fd9d)
Merged-In: I7822bf2bb75c775faaaa7023fd2c9af9f6d6888f
Change-Id: I7822bf2bb75c775faaaa7023fd2c9af9f6d6888f