author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-09-07 21:55:53 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-09-07 21:55:53 +0000 |
commit | ea401cfebfaff76b11e0a847d6ae7f2e97b53d0b (patch) | |
tree | ddb961f258b6f8db8cbea926f6ae4b500c190362 | |
parent | 9213632dc5e8e183e5117d05e7490bac1d2ab098 (diff) | |
parent | d1c31f24075cbfca84c6d14950cf68139d7b594f (diff) | |
download | base-ea401cfebfaff76b11e0a847d6ae7f2e97b53d0b.tar.gz |
Merge cherrypicks of ['googleplex-android-review.googlesource.com/23983047', 'googleplex-android-review.googlesource.com/24324114', 'googleplex-android-review.googlesource.com/24309763', 'googleplex-android-review.googlesource.com/24181420', 'googleplex-android-review.googlesource.com/24424817'] into security-aosp-rvc-release.android-security-11.0.0_r73
Change-Id: Id39cacf2271b29c8cbaf21b8dd45543ce56e46c2
7 files changed, 89 insertions, 8 deletions
diff --git a/cmds/statsd/src/StatsService.cpp b/cmds/statsd/src/StatsService.cpp
index 6f952f637506..8ec668a6c5b5 100644
--- a/cmds/statsd/src/StatsService.cpp
+++ b/cmds/statsd/src/StatsService.cpp
@@ -163,12 +163,15 @@ StatsService::StatsService(const sp<Looper>& handlerLooper, shared_ptr<LogEventQ
 init_system_properties();
 if (mEventQueue != nullptr) {
- std::thread pushedEventThread([this] { readLogs(); });
- pushedEventThread.detach();
+ mLogsReaderThread = std::make_unique<std::thread>([this] { readLogs(); });
 }
 }
 StatsService::~StatsService() {
+ if (mEventQueue != nullptr) {
+ stopReadingLogs();
+ mLogsReaderThread->join();
+ }
 }
 /* Runs on a dedicated thread to process pushed events. */
@@ -177,6 +180,13 @@ void StatsService::readLogs() {
 while (1) {
 // Block until an event is available.
 auto event = mEventQueue->waitPop();
+
+ // Below flag will be set when statsd is exiting and log event will be pushed to break
+ // out of waitPop.
+ if (mIsStopRequested) {
+ break;
+ }
+
 // Pass it to StatsLogProcess to all configs/metrics
 // At this point, the LogEventQueue is not blocked, so that the socketListener
 // can read events from the socket and write to buffer to avoid data drop.
@@ -1335,6 +1345,15 @@ void StatsService::statsCompanionServiceDiedImpl() {
 mPullerManager->SetStatsCompanionService(nullptr);
 }
+void StatsService::stopReadingLogs() {
+ mIsStopRequested = true;
+ // Push this event so that readLogs will process and break out of the loop
+ // after the stop is requested.
+ int64_t timeStamp;
+ std::unique_ptr<LogEvent> logEvent = std::make_unique<LogEvent>(/*uid=*/0, /*pid=*/0);
+ mEventQueue->push(std::move(logEvent), &timeStamp);
+}
+
 } // namespace statsd
 } // namespace os
 } // namespace android
diff --git a/cmds/statsd/src/StatsService.h b/cmds/statsd/src/StatsService.h
index b49fa1d42e66..a12d82eedca9 100644
--- a/cmds/statsd/src/StatsService.h
+++ b/cmds/statsd/src/StatsService.h
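Review bot: The destructor decides whether to join by re-testing `mEventQueue` rather than the thread handle, so the constructor and destructor must stay in agreement or `mLogsReaderThread->join()` dereferences a null `unique_ptr`; guarding on the thread itself, `if (mLogsReaderThread && mLogsReaderThread->joinable()) { stopReadingLogs(); mLogsReaderThread->join(); }`, removes that coupling and also covers a thread that was moved from or already joined. The join is what closes the lifetime problem of the old detached thread, which captured `this` and could run after the object was gone, and that reason should be recorded so nobody "simplifies" it away later: `// readLogs() captures this; stop and join it before the members it touches are destroyed.` The constructor body continues outside the hunk.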
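Review bot: `mEventQueue->push(std::move(logEvent), &timeStamp)` in `stopReadingLogs()` discards its result, and the reason that is acceptable is only implicit: because `mIsStopRequested` is stored before the push, a reader that never receives the wake-up event (for instance if the queue cannot accept it at that moment) still exits on its next `waitPop` return. Say so next to the call: `// Result intentionally ignored: the flag is already set, so readLogs() exits on whatever it pops next.` The `readLogs` hunk, in turn, drops whatever `waitPop` returned once the flag is seen, which may be a real event rather than the sentinel; its comment should state that one event may be discarded at shutdown. `int64_t timeStamp;` is only an out-parameter here, so naming it `unusedTimestamp` (or initialising it) makes that explicit.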
@@ -338,6 +338,13 @@ private:
 */
 void statsCompanionServiceDiedImpl();
+ /*
+ * This method is used to stop log reader thread.
+ */
+ void stopReadingLogs();
+
+ std::atomic<bool> mIsStopRequested = false;
+
 /**
 * Tracks the uid <--> package name mapping.
 */
@@ -380,6 +387,7 @@ private:
 */
 mutable mutex mShellSubscriberMutex;
 std::shared_ptr<LogEventQueue> mEventQueue;
+ std::unique_ptr<std::thread> mLogsReaderThread;
 MultiConditionTrigger mBootCompleteTrigger;
 static const inline string kBootCompleteTag = "BOOT_COMPLETE";
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
index f65f7db4ea52..0b6df309d652 100644
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java
@@ -3069,8 +3069,11 @@ public class Notification implements Parcelable
 *
 * @hide
 */
- public void setAllowlistToken(@Nullable IBinder token) {
- mWhitelistToken = token;
+ public void clearAllowlistToken() {
+ mWhitelistToken = null;
+ if (publicVersion != null) {
+ publicVersion.clearAllowlistToken();
+ }
 }
 /**
diff --git a/core/java/android/hardware/usb/UsbConfiguration.java b/core/java/android/hardware/usb/UsbConfiguration.java
index 66269cb772f8..b25f47b11532 100644
--- a/core/java/android/hardware/usb/UsbConfiguration.java
+++ b/core/java/android/hardware/usb/UsbConfiguration.java
@@ -172,7 +172,8 @@ public class UsbConfiguration implements Parcelable {
 String name = in.readString();
 int attributes = in.readInt();
 int maxPower = in.readInt();
- Parcelable[] interfaces = in.readParcelableArray(UsbInterface.class.getClassLoader());
+ Parcelable[] interfaces = in.readParcelableArray(
+ UsbInterface.class.getClassLoader(), UsbInterface.class);
 UsbConfiguration configuration = new UsbConfiguration(id, name, attributes, maxPower);
 configuration.setInterfaces(interfaces);
 return configuration;
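Review bot: The header now spells `std::atomic<bool>` here and `std::unique_ptr<std::thread>` in the second hunk, but neither hunk shows `<atomic>` or `<thread>` being included; unless they already appear in the include list above, add them there instead of relying on transitive inclusion through another header. The comment on `stopReadingLogs()` says what the method is for but not its contract; something like `/* Signals readLogs() to exit and wakes it with a dummy event; the caller must then join mLogsReaderThread (see ~StatsService). */` tells the next reader how to use it safely. A one-line comment on `mIsStopRequested` noting that it is written by the destructor and read by the reader thread explains why it is atomic.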
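Review bot: The Javadoc that precedes `clearAllowlistToken()` (its opening lines sit above the hunk) was written for `setAllowlistToken(IBinder)` and now sits over a method with a different name and no parameter, so it should be rewritten to say that the token is cleared on this notification and, recursively, on `publicVersion`. The recursive call deserves a short why-comment, `// publicVersion reaches the same untrusted recipients, so its token must be cleared too`, since that is the point of the change and is easy to lose in a later refactor. Replacing a setter that accepted any token with a clear-only method narrows this hidden API; that is fine provided no remaining caller passed a non-null token, which the NotificationManagerService hunk suggests was the only use.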
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 9561f2cec96d..d3c10574ea13 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -1781,6 +1781,9 @@ public class SettingsProvider extends ContentProvider {
 cacheName = Settings.System.ALARM_ALERT_CACHE;
 }
 if (cacheName != null) {
+ if (!isValidAudioUri(name, value)) {
+ return false;
+ }
 final File cacheFile = new File(
 getRingtoneCacheDir(owningUserId), cacheName);
 cacheFile.delete();
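Review bot: The early `return false` sits directly before `cacheFile.delete()`, and it is only by reading the order carefully that one sees the rejected write leaves both the stored setting and the ringtone cache file untouched; a comment makes that deliberate: `// Reject non-audio or self-referential URIs before the cache is cleared so the previous value stays intact.` The check runs only when `cacheName != null`, i.e. for the ringtone, notification and alarm settings, so other system settings are unaffected, which is worth stating if that scope is intended. A caller that supplies a null value still passes `isValidAudioUri`, so clearing the setting remains possible; that is presumably on purpose and could be said in the same comment. The enclosing method continues outside the hunk.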
@@ -1813,6 +1816,34 @@ public class SettingsProvider extends ContentProvider {
 }
 }
+ private boolean isValidAudioUri(String name, String uri) {
+ if (uri != null) {
+ Uri audioUri = Uri.parse(uri);
+ if (Settings.AUTHORITY.equals(
+ ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) {
+ // Don't accept setting the default uri to self-referential URIs like
+ // Settings.System.DEFAULT_RINGTONE_URI, which is an alias to the value of this
+ // setting.
+ return false;
+ }
+ final String mimeType = getContext().getContentResolver().getType(audioUri);
+ if (mimeType == null) {
+ Slog.e(LOG_TAG,
+ "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+ + " ignored: failure to find mimeType (no access from this context?)");
+ return false;
+ }
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+ || mimeType.equals("application/x-flac"))) {
+ Slog.e(LOG_TAG,
+ "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+ + " ignored: associated mimeType: " + mimeType + " is not an audio type");
+ return false;
+ }
+ }
+ return true;
+ }
+
 private boolean hasWriteSecureSettingsPermission() {
 // Write secure settings is a more protected permission. If caller has it we are good.
 if (getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 8e9c762de041..aadc12e05b03 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
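Review bot: `getContext().getContentResolver().getType(audioUri)` is resolved with the SettingsProvider's own identity, so a non-null result shows that the URI maps to audio from this process, not that the caller is allowed to read it; the log text `(no access from this context?)` hints at this, and the method should say it in a comment: `// Resolved with the provider's identity: this validates the content type, not the caller's access to the URI.` A string without an authority parses to a null authority, which `Settings.AUTHORITY.equals` rejects as a match and which then fails at the `getType` null check, so that path is covered and could be noted. Both `Slog.e` calls put the full caller-supplied URI into the system log; since the value is untrusted input, logging only the authority (or the setting name) is enough to diagnose rejections and keeps arbitrary caller strings out of logcat. The allow-list of types is reasonable, but the two `application/` special cases deserve a comment explaining why they are treated as audio.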
@@ -3280,6 +3280,22 @@ public class ActivityManagerService extends IActivityManager.Stub
 }
 }
+ /**
+ * Enforces that the uid of the caller matches the uid of the package.
+ *
+ * @param packageName the name of the package to match uid against.
+ * @param callingUid the uid of the caller.
+ * @throws SecurityException if the calling uid doesn't match uid of the package.
+ */
+ private void enforceCallingPackage(String packageName, int callingUid) {
+ final int userId = UserHandle.getUserId(callingUid);
+ final int packageUid = getPackageManagerInternalLocked().getPackageUid(packageName,
+ /*flags=*/ 0, userId);
+ if (packageUid != callingUid) {
+ throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+ }
+ }
+
 @Override
 public void setPackageScreenCompatMode(String packageName, int mode) {
 mActivityTaskManager.setPackageScreenCompatMode(packageName, mode);
@@ -15452,13 +15468,16 @@ public class ActivityManagerService extends IActivityManager.Stub
 // A backup agent has just come up
 @Override
 public void backupAgentCreated(String agentPackageName, IBinder agent, int userId) {
+ final int callingUid = Binder.getCallingUid();
+ enforceCallingPackage(agentPackageName, callingUid);
+
 // Resolve the target user id and enforce permissions.
- userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
+ userId = mUserController.handleIncomingUser(Binder.getCallingPid(), callingUid,
 userId, /* allowAll */ false, ALLOW_FULL_ONLY, "backupAgentCreated", null);
 if (DEBUG_BACKUP) {
 Slog.v(TAG_BACKUP, "backupAgentCreated: " + agentPackageName + " = " + agent + " callingUserId = " + UserHandle.getCallingUserId() + " userId = " + userId
- + " callingUid = " + Binder.getCallingUid() + " uid = " + Process.myUid());
+ + " callingUid = " + callingUid + " uid = " + Process.myUid());
 }
 synchronized(this) {
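Review bot: `getPackageUid` reports a package that is not installed for `userId` with a negative uid, so the `packageUid != callingUid` branch also fires for unknown packages but the exception then claims the package "does not belong to uid", which misleads whoever reads the log; checking `packageUid < 0` first with its own message, `throw new SecurityException(packageName + " is not installed for user " + userId);`, keeps the diagnostic accurate. `getPackageManagerInternalLocked()` is invoked from `backupAgentCreated` (second hunk) before `synchronized(this)` is entered; if the `Locked` suffix means the service lock is expected to be held, that call site needs a look — I am inferring this from the name only. Packages sharing a uid all pass this check for each other's names, which matches the other uid-based enforcement in this file but could be stated in the Javadoc so nobody mistakes it for a per-package identity check.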
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 1c4d69136ece..8626f2277fe8 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -3942,7 +3942,7 @@ public class NotificationManagerService extends SystemService {
 // Remove background token before returning notification to untrusted app, this
 // ensures the app isn't able to perform background operations that are
 // associated with notification interactions.
- notification.setAllowlistToken(null);
+ notification.clearAllowlistToken();
 return new StatusBarNotification(
 sbn.getPackageName(),
 sbn.getOpPkg(),