2017-01-23 Fix issue with saving admins before finishing loading. [android-cts-7.1_r9, android-cts-7.1_r8, android-cts-7.1_r7, android-cts-7.1_r6, android-cts-7.1_r5, android-cts-7.1_r4, android-cts-7.1_r29, android-cts-7.1_r28, android-cts-7.1_r27, android-cts-7.1_r26, android-cts-7.1_r25, android-cts-7.1_r24, android-cts-7.1_r23, android-cts-7.1_r22, android-cts-7.1_r21, android-cts-7.1_r20, android-cts-7.1_r19, android-cts-7.1_r18, android-cts-7.1_r17, android-cts-7.1_r16, android-cts-7.1_r15, android-cts-7.1_r14, android-cts-7.1_r13, android-cts-7.1_r12, android-cts-7.1_r11, android-cts-7.1_r10, android-7.1.1_r23, nougat-mr1-release, nougat-mr1-cts-release] (Kenny Guy)
Saving device policy managers settings to clear out password stats was happening before initializing mAdminList so could wipe active admins. Test: manual - flash with N2G05C add google account with dmagent flash with this fix, check dmagent is still an active admin, reboot check admin is still active. Test: runtest -c com.android.server.devicepolicy.DevicePolicyManagerTest frameworks-services Bug: 34277435 Change-Id: I13660b47f30e9aba001eb13f2e457c3b3f36da3e (cherry picked from commit adbda7474cc1968b66e9948aee566dc346e71340) (cherry picked from commit f98ed6863a7f64c535a66006852a934b05d550bc)
2017-01-23 resolve merge conflicts of ad4aa1ce7d3d to nyc-mr1-dev (Andrew Scull)
Change-Id: I97ef31536cd06495a08a3f94f81df2d1376186e0 (cherry picked from commit eb35ad9969a173ac4d6279a5e322e8176c2ae6d1)
2017-01-23 Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2 am: 1f458fdc66 am: d82f8a67fc am: 1ac8affd51 am: 56098f81b6 am: 7cec76de0f am: 2da05d0f9e (Tom O'Neill)
Change-Id: I8c94a06f5fa722312436484609bafcb0585d6d18 (cherry picked from commit 3b7d90c024126b9728c0f73e01e4867a188ec64b)
2017-01-23 [DO NOT MERGE] Prevent crash from early Toast surface destruction. (Svetoslav Ganov)
To understand this change it's first helpful to review Toasts. The ViewRoot is constructed on the client side, but it's added to a window token controlled by the NotificationManagerService. When we call NotificationManagerService#cancelToast, the system will remove this window token. With the window token removed, the WindowManager needs to destroy the surface to prevent orphaned windows. If we destroy the Surface before removing the toast on the client side however, we've never asked the ViewRoot to stop rendering and we could have a crash. To solve this we just have to ensure we call removeView before cancelToast. Bug: 31547288 Bug: 30150688 Change-Id: Ic7e8914a7fb2134a8b9e0c2f3810d7f075c8391e (cherry picked from commit 016c9c8cb58c6940ae8296291ee33148a17ede65)
2017-01-23 Add @GuardedBy annotation to PersistentDataBlockService#mIsWritable. (Charles He)
Change-Id: I1024f2a56badde5c123d025d6fe02f42559cbcb1 Test: manual Bug: 30352311 (cherry picked from commit f6f1d627483b4dad9d65176769a1ee92c59a4810) (cherry picked from commit 71d2a41dd9c8be8c4bca5eba339802e1e0c2be3c)
2017-01-23 Prevent writing to FRP partition during factory reset. (Charles He)
Avoid potential race condition between FRP wipe and write operations during factory reset by making the FRP partition unwritable after wipe. Bug: 30352311 Test: manual Change-Id: If3f024a1611366c0677a996705724458094fcfad (cherry picked from commit a629c772f4a7a5ddf7ff9f78fb19f7ab86c2a9c2) (cherry picked from commit a9437bd1caeeb38780d920a81bde8cc7ca280fe0)
2016-12-19 [DO NOT MERGE] Fix vulnerability in MemoryIntArray - fix build file [android-cts-7.1_r3, android-7.1.1_r22] (Svet Ganov)
bug:33039926 bug:33042690 Change-Id: If0431b77ec546c72f8cc25bb605a851572bb22a6 (cherry picked from commit c3db570a0064b2dcbe806ddb5de3f678623612ca)
2016-12-19 Fix vulnerability in MemoryIntArray (Svetoslav Ganov)
MemoryIntArray was using the size of the underlying ashmem region to mmap the data but the ashmem size can be changed until the former is memory mapped. Since we use the ashmem region size for boundary checking and memory unmapping if it does not match the size used while mapping an attacker can force the system to unmap memory or to access undefined memory and crash. Also we were passing the memory address where the ashmem region is mapped in the owner process to support cases where the client can pass back the MemoryIntArray instance. This allows an attacker to put invalid address and cause arbitrary memory to be freed. Now we no longer support passing back the instance to the owner process (the passed back instance is read only), so no need to pass the memory address of the owner's mapping, thus not allowing freeing arbitrary memory. Further, we now check the memory mapped size against the size of the underlying ashmem region after we do the memory mapping (to fix the ashmem size) and if an attacker changed the size under us we throw. Tests: Updated the tests and they pass. bug:33039926 bug:33042690 Change-Id: I1004579181ff7a223ef659e85c46100c47ab2409 (cherry picked from commit a97171ec499fd876722733f35e51d0d6dbd8d223)
2016-12-19 DO NOT MERGE. Retain DownloadManager Uri grants when clearing. (Jeff Sharkey)
As part of fixing a recent security issue, DownloadManager now needs to issue Uri permission grants for all downloads. However, if an app that requested a download is upgraded or otherwise force-stopped, the required permission grants are removed. We could tell DownloadManager about the app being stopped, but that would be racy (due to background broadcast), and waking it up would degrade system health. Instead, as a special case we now only consider clearing DownloadManager permission grants when app data is being cleared. Bug: 32172542, 30537115 Test: builds, boots, app upgrade doesn't clear grants Change-Id: I7e3d4546fd12bfe5f81b9fb9857ece58d574a6b9 (cherry picked from commit 23ec811266fb728cf159a90ce4882b3c9bac1887) (cherry picked from commit 6eee8e37fd06bd47dd19b8503bc30cc8ccaf72a7)
2016-12-19 DO NOT MERGE: Check provider access for content changes. (Jeff Sharkey)
For an app to either send or receive content change notifications, require that they have some level of access to the underlying provider. Without these checks, a malicious app could sniff sensitive user data from the notifications of otherwise private providers. Test: builds, boots, PoC app now fails Bug: 32555637 Change-Id: If2dcd45cb0a9f1fb3b93e39fc7b8ae9c34c2fdef (cherry picked from commit c813f5dae231bd8f01864227c5dba10d43a89249)
2016-12-01 Catch runtime exceptions when parsing DHCP packets [android-cts-7.1_r2, android-7.1.1_r9, android-7.1.1_r8, android-7.1.1_r7] (Hugo Benichi)
Fix merge conflict into nyc-mr1-security-a-release This patch adds a try catch all to DHCP packet parsing so that DhcpClient does not choke on malformed packets, bringing down with it the whole framework. Test: added new unit tests catching the issue fixed in this patch. Bug: 31850211 Change-Id: I3c50a149fed6b2cbc4f40bb4f0e5bb2b56859b44 (cherry picked from commit 1af48bbbabdf276b7e7a5a86b28f67332ae6b04d)
2016-12-01 Zygote : Block SIGCHLD during fork. (Narayan Kamath)
We close the android logging related sockets prior as late as possible before every fork to avoid having to whitelist them. If one of the zygote's children dies after this point (but prior to the fork), we can end up reopening the logging sockets from the SIGCHLD signal handler. To prevent this from happening, block SIGCHLD during this critical section. Bug: 32693692 Test: Manual (cherry picked from commit e9a525829a354c92983a35455ccab16d1b0d3892) Zygote: Unblock SIGCHLD in the parent after fork. Follow up to change e9a525829a354c92983a. Allows the zygote to receive SIGCHLD again and prevents the zygote from getting into a zombie state if it's killed. Contributed-By: rhed_jao <rhed_jao@htc.com> Bug: 32693692 Test: manual (cherry picked from commit c7161f756e86b98f2244a04d9207b47149965fd7) Change-Id: If89903a29c84dfc9b056f9e19618046874bba689 (cherry picked from commit dfcc79ee8ecd4166cba19be7493c6175cb0c65a9)
2016-12-01 Fix idmap leak in zygote process (neo.chae)
Fix an idmap leak in AssetManager::addSystemOverlays. And the fix could also prevent fd leak of idmap. Test: none Bug: 32691930 Signed-off-by: Hyangseok Chae <neo.chae@lge.com> (cherry picked from commit 6a742a38509693f8b39ee9a5ad2803fca12688bf) Change-Id: Idc4af77db2b0cb739bd6b009b6af0f9123be1aac (cherry picked from commit 0244ca8d10dfc27e14f481fe649b89f7638c48eb)
2016-12-01 Zygote: Additional whitelisting for legacy devices. (Narayan Kamath)
On M and below, we provide a blanket whitelist for all files under "/vendor/zygote_whitelist". This path is whitelisted purely to allow this patch to be applied easily on legacy devices and configurations. Note that this does not amount to a loosening of our security policy because whitelisted files are reopened anyway. Bug: 32691930 Test: manual Change-Id: If5b53f6f0a707f8d36603c09bfd3f72dbfbbbb99 (cherry picked from commit 5e2f7c6229d7191183888d685b57a7d0a2835fce)
2016-12-01 Zygote: Additional whitelists for runtime overlay / other static resources. (Narayan Kamath)
Partially cherry picked from commit 1c15c635785c64a. These files are safe to reopen for the same reason that files in /system/framework are. They're regular files and will not change after the first zygote fork. Bug: 32618130 Change-Id: I119e0bfcbf397cb331064adf148d92a5cd3ea92f (cherry picked from commit 25cd01cc69fcad34756b00e52a79c0c54178f2e6)
2016-12-01 Public volumes belong to a single user. (Jeff Sharkey)
When a public (vfat) device is inserted, it's strongly associated with the current foreground user, and no other users should be able to access it, since otherwise that would be a cross-user data leak. To use the device under a different user, switch users and then eject/remount the device. Test: verified user isolation of USB drive Bug: 32523490 Change-Id: I590c791996f1fea8d78f625dc942d149f1f41614 (cherry picked from commit 8b38d083c42e2706e1ff5a1410fa61d1f5dea3f5)
2016-12-01 Add SafetyNet logging to DHCP packet parsing (Hugo Benichi)
Test: unit test passes Bug: 31850211 Change-Id: I47f9db1f2c50ccd4fc90b80a9ffc1e9e43078f5f (cherry picked from commit a0289894718c230c746f7e85207d30fee431dab8)
2016-12-01 merge in nyc-mr1-release history after reset to nyc-mr1-dev [android-cts_7.1_r1, android-cts-7.1_r1, android-7.1.1_r6] (gitbuildkicker)
2016-11-28 Fix boot loop when upgrading directly from L to N (Rubin Xu)
A second attempt to fix the upgrade problem due to SID == 0 in the above upgrade path. The previous fix contains a bug where it would cause future attempts to unify work challenge to silently fail, and crash SystemUi when unlocking. This fix adds a check for non-zero SID before doing the initial work profile unification (which caused the upgrade crash when SID == 0). This means the initial work profile unification would only happen when the user has unlocked the lockscreen and SID is generated. Bug: 32490092 Bug: 33050562 Change-Id: Ib28951b2ec26b4f091df7763d9902f55616fcb5c (cherry picked from commit bfc7faaf353ea75ab04e986edbc79478679d40f6)
2016-11-22 Revert "Catch KeyStoreException for setting profile lock" [android-7.1.1_r4] (Zach Jang)
This reverts commit c8fa5ed8f2d492aa5e005fcdb5991c3f980de045. Change-Id: Ia1425e649e102cb79280d75e5f49db670214cec3 (cherry picked from commit e61672ab087df4857a4f0923258b945800046589)
2016-11-18 Catch KeyStoreException for setting profile lock (Ricky Wai)
When device upgrades from L->N, sid (in gatekeeper) could be 0 even if primary profile screenlock is set. We are now trying to catch the exception so when sid==0 happens, it will try to tie profile lock again when primary profile is unlocked. Bug: 32490092 Change-Id: I73011d872ac15e7e09be9bda0165cf7f6a75493a (cherry picked from commit c8fa5ed8f2d492aa5e005fcdb5991c3f980de045)
2016-11-18 Fixed a bug with the emergency affordance in multi user (Selim Cinek)
The emergency call was not launched in the current user and therefore was only launching once the user had switched. Change-Id: If6f3bcf77d88a0658b6e0f91f7e4da5d6264b04f Fixes: 32424103 Test: manual: switch to secondary user and launch emergency affordance (cherry picked from commit b8a7f78d242cafb0c3ec10868c28583e8aacdf7a)
2016-11-18 merge in nyc-mr1-release history after reset to nyc-mr1-dev (gitbuildkicker)
2016-11-17 Catch KeyStoreException for setting profile lock (Ricky Wai)
When device upgrades from L->N, sid (in gatekeeper) could be 0 even if primary profile screenlock is set. We are now trying to catch the exception so when sid==0 happens, it will try to tie profile lock again when primary profile is unlocked. Bug: 32490092 Change-Id: I73011d872ac15e7e09be9bda0165cf7f6a75493a (cherry picked from commit c8fa5ed8f2d492aa5e005fcdb5991c3f980de045)
2016-11-14 Fixed a bug with the emergency affordance in multi user [android-7.1.1_r3] (Selim Cinek)
The emergency call was not launched in the current user and therefore was only launching once the user had switched. Change-Id: If6f3bcf77d88a0658b6e0f91f7e4da5d6264b04f Fixes: 32424103 Test: manual: switch to secondary user and launch emergency affordance (cherry picked from commit b8a7f78d242cafb0c3ec10868c28583e8aacdf7a)
2016-11-01 Clean up InputConnection.commitContent() javadocs DO NOT MERGE [android-7.1.1_r2, android-7.1.1_r1] (Chet Haase)
Test: docs only, no test apart from verifying that it builds Bug: #32158219 clean up InputConnection.commitContent() javadocs Change-Id: I9b438d6b14aa8bc868fe41f7e0fe22b0e83800fb (cherry picked from commit 5c0af8876468869f21baa204c498f0c975553bf3)
2016-10-31 Always scan the Settings app for updated shortcuts. (Makoto Onuki)
The setting apps' version code is 25 for both DR and MR1, so the shortcut manager will not notice when it's changed. Let's just always scan this app. Bug 32554059 Change-Id: Ia05363b30a5eeb989dc4c44cf5dbd71cde96de96 (cherry picked from commit ac2898228edea493c76287338adf6dd8ca21303a)
2016-10-28 [DO NOT MERGE] Only setSize if -s arg is specified (Fyodor Kupolov)
Calculate size of installed APKs only when INSTALL_EXTERNAL flag is set. calculateInstalledSize is expensive and may take up to 20% of total installation time. Bug: 32180551 Bug: 29932779 Change-Id: I173d2b38820cc86cbfacecd1bacef57369d10af7 (cherry picked from commit b87a491de63069fb903c95727f57511c7e4eeaa0)
2016-10-28 Only bind to RESOLVE_EPHEMERAL_PACKAGE once. (Jeff Sharkey)
We never unbind, so we only ever need one bind request; creating more bind requests just wastes resources. Test: builds Bug: 32446301 Change-Id: I7d6c4a93b8f5bb8d9aed7a5041b193e19a2d65fc (cherry picked from commit 7765d7320d8435a0e814d9f10039c7866f9d76a2)
2016-10-26 Bluetooth: prevent enabling BLE in airplane mode (Marie Janssen)
Enabling BLE in airplane mode puts BluetoothManagerService in an unexpected state which causes Bluetooth to be on when airplane mode is disabled. Also fixes a bug where a crash of a BLE client would trigger a restart into ON mode. Test: SL4A BleBackgroundScanTest:test_airplane_mode_disables_ble Bug: 32140251 Bug: 32140271 Bug: 32369494 Change-Id: Ie65157e65c3a1ca914f567a7a0c631175d1e5835 (cherry picked from commit bd93b7b3dc6141cef6236cf0ca7dcc5acf5bfeed) (cherry picked from commit a80d745c656f1e09aa9331002f613883220ca029)
2016-10-26 [DO NOT MERGE] Don't accidentally delete renamed packages (Svetoslav Ganov)
Apps on the system image can change their package by declaring their old one in the manifest. If a package is renamed it is internally referred by its old name. The reconciliation code was using the new package name for renamed packages and was concluding the apk is orphaned thus deleting it. This puts the package in a bad state where the app is gone and the version on the system partition is disabled. Also Play was showing an update for a renamed system app as an install while it is an update because of the same reason, it was using the new package name while the app is internally referred by the old one. The fix for both above is to internally normalize the package name by using the old one if the package was renamed or the package name as is. Test: With the fix put the old calculator on the system image and booted, then put the renamed calculator and booted, updated calculator from play and rebooted - calculator keeps working. Also did the above steps without the patch to put calculator in a bad state and flashed the system with the patch which fixed the broken calculator app. bug:32321269 Change-Id: I98bfc05c399edfc9854ebcce44182fefa55ceeff (cherry picked from commit e2c85890ac3941525288e08962b33d30618de801)
2016-10-26 merge in nyc-mr1-release history after reset to nyc-mr1-dev (gitbuildkicker)
2016-10-25 Merge "Make sure to call dismissKeyguard after setOccluded" into nyc-mr1-dev [nougat-mr1-dev] (Jorim Jaggi)
2016-10-25 Merge "Ambient: If user turned off ambient, keep it off after split" into nyc-mr1-dev (Adrian Roos)
2016-10-25 Ambient: If user turned off ambient, keep it off after split (Adrian Roos)
The split ambient settings default to on - which is a bad experience if the user explicitly turned it off before the split. Change-Id: Id80d62727952f63b363f87c19b5befbde8ab5c31 Merged-In: I986d35a1a28e97f4c8d7d3d47ed5658e1836a44f Merged-In: I346a53b0dc9cdf578c238113f4f33056ba0f3aea Fixes: 32332195 Test: Flash angler to NYC, disable ambient, upgrade to NYC-MR1, check if "Lift to check phone" is still off.
2016-10-25 docs: change gpu debugger redirect b/31781348 am: afbf16f908 (Cheryl Potter)
am: fb4f5497b7 Change-Id: I1c550fa22586145ec949fe54ef727be814624340
2016-10-25 docs: change gpu debugger redirect b/31781348 (Cheryl Potter)
am: afbf16f908 Change-Id: I6fa42074ba2fe6019f0bf817a7b21650d2a0dd43
2016-10-25 merge in nyc-mr1-release history after reset to nyc-mr1-dev (gitbuildkicker)
2016-10-25 Merge "Import translations. DO NOT MERGE" into nyc-mr1-dev (TreeHugger Robot)
2016-10-25 Merge "Import translations. DO NOT MERGE" into nyc-mr1-dev (TreeHugger Robot)
2016-10-24 docs: change gpu debugger redirect (Cheryl Potter)
b/31781348 Change-Id: I7e374dcec975ba45b03f1cde656a438f986c5093
2016-10-24 Import translations. DO NOT MERGE (Bill Yi)
Change-Id: I9b8b5245f61dbab513ee5de6ff9c71b2bd41f3ab Auto-generated-cl: translation import
2016-10-25 Merge "Fix GNSS status delivery to the callbacks" into nyc-mr1-dev (Lifu Tang)
2016-10-24 Import translations. DO NOT MERGE (Bill Yi)
Change-Id: I8fe6b5f09b7c3daf9c630b5c36d02199248c11b3 Auto-generated-cl: translation import
2016-10-25 docs: Update startService() & bindService() documentation (Proj13) am: 9748d76be9 am: e8e196d007 (George French)
Change-Id: I3d804611d1290eb6cf0fa525e492864220fb85fa
2016-10-25 docs: Update startService() & bindService() documentation (Proj13) (George French)
am: 9748d76be9 Change-Id: I976128eb4c14ee2587c9cfa9c34f4b3dc006aa38
2016-10-24 Make sure to call dismissKeyguard after setOccluded (Jorim Jaggi)
If we call it before, SystemUI will not dismiss the Keyguard as it is still occluded in that state. Change-Id: I15cf9cc43b9a2b747bfd224a6dfbd769eee19d69 Fixes: 32202560
2016-10-24 Fix GNSS status delivery to the callbacks (Lifu Tang)
Bug: 32357457 Change-Id: I8f2b8dae5472cb81313417e85c092dca0aae5bd9
2016-10-24 docs: Update startService() & bindService() documentation (Proj13) (George French)
Updated startService() and bindService() docs to mention that they no longer support implicit intent. And mentioned that the Intelligent job scheduling is now the preferred method for launching services. We also performed a copy edit, implementing Google styles. Bug: 18333456 Change-Id: I2b2ec666be870aea15045d30fbc822256d1b9a81
2016-10-24 merge in nyc-mr1-release history after reset to nyc-mr1-dev (gitbuildkicker)