Age | Commit message | Author |
|
2891071, 2891269, 2891072, 2891073, 2891074, 2891075, 2891077, 2891079, 2891081, 2890238, 2890239, 2891231, 2891088, 2891349, 2891350, 2890242] into nyc-mr1-security-a-release
Change-Id: Idf8d968641844fb159b03a0493095be1f8d87dbb
|
|
GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.
This CL changes writeToParcel() to make serialization and
deserialization consistent, thus fixing the issue.
Bug: 62998805
Test: use the debug app (see bug)
Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09
(cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)
|
|
Test:
1. Set lock screen, set keyguard policy. Lock the device.
Observe that double tap is not showing camera
2. Set lock screen, unset the keyguard policy. Lock the device.
Observe that double tap is showing camera
3. Unset lock screen (swipe), set the keyguard policy. Lock the device.
Observe that double tap is showing camera.
4. Unset lock screen (swipe), unset the keyguard policy. Lock the device.
Observe that double tap is showing camera.
Bug: 63787722
Merged-In: I104688eaad719528376e2851f837d5956a6a1169
Change-Id: I42e6d9015682998176fe41971356bde22e1b37b2
(cherry picked from commit 65f02e8ba7a9f013d6971b3d6d1bd95f1785cb3d)
|
|
2606890, 2606657, 2606891, 2606658, 2606892, 2606660, 2606661, 2606662, 2606663, 2606893, 2606894, 2606666, 2606667, 2606668, 2606896, 2606898, 2606899, 2606900, 2606901, 2606669, 2606902, 2606904, 2606930, 2606931, 2606906, 2606907, 2606908, 2606970, 2606933, 2606934, 2606935, 2606936, 2606972, 2606973, 2606974, 2606937, 2606976, 2606977] into nyc-mr1-security-a-release
Change-Id: I00f46e9845f5efbbad4959ac858c836afd0d2245
|
|
Bug: 62196835
Test: Created an accessibility service that displays a system
and a toast overlay, confirmed that it disappeared when we
reached the accessibility permission screen that uses this
flag.
Change-Id: Ic51ead670fc480e549512ba1d02f49d9c13bc3f0
(cherry picked from commit 41ff5389daa6e6ce4aa853bfae96e5ced0b1d8df)
|
|
2420098, 2420099, 2420100, 2420153, 2420120, 2420208, 2420281, 2420209, 2420282, 2420301, 2420192, 2420302, 2420193, 2420211, 2420264, 2420247, 2420157, 2420265, 2420216, 2420307, 2420217, 2420250, 2420341, 2420219, 2420326, 2420180, 2420254] into nyc-mr1-security-a-release
Change-Id: I22125245d36f5490654aaa415324c6e69cd0892a
|
|
Otherwise the (CTS) server might run out of connections.
Bug: 38391487
Bug: 22771132
Test: build, run CTS, stream music
Change-Id: I92c782a6799ab36eec8df3f7c3217bea667b838a
(cherry picked from commit 46132afee7783665ae12538edd024770dbd93ecb)
|
|
2315983, 2315964, 2316107, 2316086, 2316109, 2315977, 2316145, 2316016, 2316110, 2316221, 2316088, 2316210, 2316242, 2316222, 2316075, 2316076, 2316077, 2316089, 2316243, 2316183, 2316078, 2316112, 2316211, 2316149, 2316113, 2316212, 2316151, 2316215, 2316131, 2316115, 2316245, 2316216, 2316116, 2316217, 2316279, 2316186, 2316187, 2316246, 2316247, 2316249, 2316218, 2316092, 2316094, 2316323, 2316360, 2316379] into nyc-mr1-security-a-release
Change-Id: If872a582e1b45688316c26c85472e7a938a84a10
|
|
Please see commit 3082eb7c7253c62a06aa151a80487a4eabd49914 for an
explanation of this change.
This capability is not used by system_server.
Bug: 34951864
Bug: 38496951
Test: code compiles, device boots, no selinux errors ever reported.
Change-Id: I4242b1abaa8679b9bfa0d31a1df565b46b7b3cc3
(cherry picked from commit 35775783fc6609035136184e3843bc743b59945d)
(cherry picked from commit 4911af2b8ced29dc5035dca301dc80939c9bdab5)
|
|
Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. system_server uses this capability to collect
smaps from managed processes. Presumably this was done to avoid the
implications of granting CAP_SYS_PTRACE to system_server.
However, with SELinux enforcement, we can grant CAP_SYS_PTRACE but not
allow ptrace attach() to other processes. The net result of this is that
CAP_SYS_PTRACE and CAP_SYS_RESOURCE have identical security controls, as
long as system_server:process ptrace is never granted.
Add CAP_SYS_PTRACE to the set of capabilities granted to system_server.
Don't delete CAP_SYS_RESOURCE for now. SELinux has blocked the use of
CAP_SYS_RESOURCE, but we still want to generate audit logs if it's
triggered. CAP_SYS_RESOURCE can be deleted in a future commit.
Bug: 34951864
Bug: 38496951
Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Change-Id: I2570266165396dba2b600eac7c42c94800d9c65b
(cherry picked from commit 3082eb7c7253c62a06aa151a80487a4eabd49914)
(cherry picked from commit 966619d0ab6950fb6c90127b47d493b4c8617878)
|
|
Fix a bug where a malformed Parceled representation
of an AccessibilityNodeInfo could be used to mess with
Bundles as they get reparceled.
Bug: 36491278
Test: Verified that POC no longer works, a11y cts still passes.
Change-Id: I10f24747e3ab87d77cd1deba56db4526e3aa5441
(cherry picked from commit 687bb44b437f7bb24dd3dddf072c2f646308e2ca)
(cherry picked from commit 475719d03d9199433edfccb0e1e0e456552e59d7)
|
|
Prevent apps to change permission protection level to dangerous
from any other type as this would allow a privilege escalation
where an app adds a normal permission in other app's group and
then redefines it as dangerous leading to the group auto-grant.
Test: Added a CTS test which passes.
Bug: 33860747
Change-Id: I1ccf546f78ee79ff027cb98124be81c8e5265a82
(cherry picked from commit fe430be9f102893c95258cc81589df132b7d02b3)
|
|
Previously the process would crash, which is OK, but complicates testing.
Test: cts-tradefed run cts --module CtsContentTestCases
--test android.content.cts.ContentProviderCursorWindowTest
Bug: 34128677
Change-Id: I5b50982d77ec65c442fbb973d14c85a5c29c43c7
(cherry picked from commit eb6de6f5f10148b9f81f9c0074d1e1f7af21bfb0)
(cherry picked from commit 676f703f746391cfdf05bafd2289226f7a6e5255)
|
|
Check whether the specified offset belongs to mData.
Also added a default argument bufferSize to check the end offset.
The size of the ashmem descriptor can be modified between the
ashmem_get_size_region call and mmap. The createFromParcel method was updated
to check the ashmem size again immediately after memory is mapped.
Test: manual - using the test app from the bug
Bug: 34128677
Change-Id: I3ecd1616a870ce20941ce9b20a1843d2b4295750
(cherry picked from commit 45e2e95c2ffeb2d978e2cce80b729ef6ada3b8d2)
(cherry picked from commit acede24109412a4c09e6e4e93d7b96bc9b1ad440)
|
|
Saving device policy manager settings to clear out
password stats was happening before initializing mAdminList,
so it could wipe active admins.
Test: manual - flash with N2G05C, add google account with dmagent, flash with this fix, check dmagent is still an active admin, reboot, check admin is still active.
Test: runtest -c com.android.server.devicepolicy.DevicePolicyManagerTest frameworks-services
Bug: 34277435
Change-Id: I13660b47f30e9aba001eb13f2e457c3b3f36da3e
(cherry picked from commit adbda7474cc1968b66e9948aee566dc346e71340)
(cherry picked from commit f98ed6863a7f64c535a66006852a934b05d550bc)
|
|
into nyc-mr1-release branches Non-system apps could send these, and accept OPP transfers without user interaction." into nyc-mr1-security-a-release
|
|
fix conflict in nyc-mr2-release
Change-Id: I97ef31536cd06495a08a3f94f81df2d1376186e0
|
|
fix merge conflict into nyc-mr1-release branches
Non-system apps could send these, and accept OPP transfers without user
interaction.
Test: run POC code, see that it crashes instead of accepting
Bug: 35258579
Change-Id: I37bf2e17b4d612258f9dbaa879727ac7c72e5969
|
|
Note DPM.wipeData() on a secondary user is now blocking, just like
it has always been blocking on the primary user.
Test: Manually tested wipeData() with ApiDemos, both on 1) the primary user,
2) a secondary user and 3) work profile.
Test: adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest -w com.android.frameworks.servicestests
Bug 30681079
Change-Id: Ia832bed0f22396998d6307ab46e262dae9463838
Merged-in: Ia832bed0f22396998d6307ab46e262dae9463838
(cherry picked from commit efdec8f5688ce6b0a287eddb6d5dad93ffa0e1ee)
(cherry picked from commit 2317451acc84174cbe30d1899428d1b2953a4363)
|
|
Previously we only re-evaluated provisioning for the SIM swap case.
The new logic covers both the SIM swap case
(ABSENT->NOT_READY->UNKNOWN->READY->LOADED) and the modem reset
case (NOT_READY->READY->LOADED).
Test: Manual
bug: 33815946
Change-Id: I9960123605b10d3fa5f3584c6c8b70b616acd6f8
(cherry picked from commit 91a0bc956445c1a0fa099d3e8e87affe217519f7)
|
|
a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2 am: 1f458fdc66 am: d82f8a67fc am: 1ac8affd51 am: 56098f81b6 am: 7cec76de0f
am: 2da05d0f9e
Change-Id: I8c94a06f5fa722312436484609bafcb0585d6d18
(cherry picked from commit 3b7d90c024126b9728c0f73e01e4867a188ec64b)
|
|
Saving device policy manager settings to clear out
password stats was happening before initializing mAdminList,
so it could wipe active admins.
Test: manual - flash with N2G05C, add google account with dmagent, flash with this fix, check dmagent is still an active admin, reboot, check admin is still active.
Test: runtest -c com.android.server.devicepolicy.DevicePolicyManagerTest frameworks-services
Bug: 34277435
Change-Id: I13660b47f30e9aba001eb13f2e457c3b3f36da3e
(cherry picked from commit adbda7474cc1968b66e9948aee566dc346e71340)
(cherry picked from commit f98ed6863a7f64c535a66006852a934b05d550bc)
|
|
Change-Id: I97ef31536cd06495a08a3f94f81df2d1376186e0
(cherry picked from commit eb35ad9969a173ac4d6279a5e322e8176c2ae6d1)
|
|
To understand this change it's first helpful to review Toasts.
The ViewRoot is constructed on the client side, but it's added
to a window token controlled by the NotificationManagerService.
When we call NotificationManagerService#cancelToast, the system
will remove this window token. With the window token removed,
the WindowManager needs to destroy the surface to prevent orphaned
windows. If we destroy the Surface before removing the toast on the
client side however, we've never asked the ViewRoot to stop rendering
and we could have a crash. To solve this we just have to ensure we call
removeView before cancelToast.
Bug: 31547288
Bug: 30150688
Change-Id: Ic7e8914a7fb2134a8b9e0c2f3810d7f075c8391e
(cherry picked from commit 016c9c8cb58c6940ae8296291ee33148a17ede65)
|
|
Change-Id: I1024f2a56badde5c123d025d6fe02f42559cbcb1
Test: manual
Bug: 30352311
(cherry picked from commit f6f1d627483b4dad9d65176769a1ee92c59a4810)
(cherry picked from commit 71d2a41dd9c8be8c4bca5eba339802e1e0c2be3c)
|
|
Avoid potential race condition between FRP wipe and write operations
during factory reset by making the FRP partition unwritable after
wipe.
Bug: 30352311
Test: manual
Change-Id: If3f024a1611366c0677a996705724458094fcfad
(cherry picked from commit a629c772f4a7a5ddf7ff9f78fb19f7ab86c2a9c2)
(cherry picked from commit a9437bd1caeeb38780d920a81bde8cc7ca280fe0)
|
|
bug:33039926
bug:33042690
Change-Id: If0431b77ec546c72f8cc25bb605a851572bb22a6
(cherry picked from commit c3db570a0064b2dcbe806ddb5de3f678623612ca)
|
|
MemoryIntArray was using the size of the underlying
ashmem region to mmap the data but the ashmem size
can be changed until the former is memory mapped.
Since we use the ashmem region size for boundary
checking and memory unmapping, if it does not match
the size used while mapping an attacker can force
the system to unmap memory or to access undefined
memory and crash.
Also we were passing the memory address where the
ashmem region is mapped in the owner process to
support cases where the client can pass back the
MemoryIntArray instance. This allows an attacker
to put an invalid address and cause arbitrary memory
to be freed.
Now we no longer support passing back the instance
to the owner process (the passed back instance is
read only), so there is no need to pass the memory address
of the owner's mapping, thus not allowing freeing
arbitrary memory.
Further, we now check the memory mapped size against
the size of the underlying ashmem region after we do
the memory mapping (to fix the ashmem size) and if
an attacker changed the size under us we throw.
Tests: Updated the tests and they pass.
bug:33039926
bug:33042690
Change-Id: I1004579181ff7a223ef659e85c46100c47ab2409
(cherry picked from commit a97171ec499fd876722733f35e51d0d6dbd8d223)
|
|
As part of fixing a recent security issue, DownloadManager now needs
to issue Uri permission grants for all downloads. However, if an app
that requested a download is upgraded or otherwise force-stopped,
the required permission grants are removed.
We could tell DownloadManager about the app being stopped, but that
would be racy (due to background broadcast), and waking it up would
degrade system health. Instead, as a special case we now only
consider clearing DownloadManager permission grants when app data
is being cleared.
Bug: 32172542, 30537115
Test: builds, boots, app upgrade doesn't clear grants
Change-Id: I7e3d4546fd12bfe5f81b9fb9857ece58d574a6b9
(cherry picked from commit 23ec811266fb728cf159a90ce4882b3c9bac1887)
(cherry picked from commit 6eee8e37fd06bd47dd19b8503bc30cc8ccaf72a7)
|
|
For an app to either send or receive content change notifications,
require that they have some level of access to the underlying
provider.
Without these checks, a malicious app could sniff sensitive user data
from the notifications of otherwise private providers.
Test: builds, boots, PoC app now fails
Bug: 32555637
Change-Id: If2dcd45cb0a9f1fb3b93e39fc7b8ae9c34c2fdef
(cherry picked from commit c813f5dae231bd8f01864227c5dba10d43a89249)
|
|
We close the Android logging-related sockets as late as possible
before every fork to avoid having to whitelist them. If one of the
zygote's children dies after this point (but prior to the fork), we can
end up reopening the logging sockets from the SIGCHLD signal handler.
To prevent this from happening, block SIGCHLD during this critical
section.
Bug: 32693692
Test: Manual
(cherry picked from commit e9a525829a354c92983a35455ccab16d1b0d3892)
Zygote: Unblock SIGCHLD in the parent after fork.
Follow up to change e9a525829a354c92983a. Allows the zygote to
receive SIGCHLD again and prevents the zygote from getting into a
zombie state if it's killed.
Contributed-By: rhed_jao <rhed_jao@htc.com>
Bug: 32693692
Test: manual
(cherry picked from commit c7161f756e86b98f2244a04d9207b47149965fd7)
Change-Id: If89903a29c84dfc9b056f9e19618046874bba689
(cherry picked from commit dfcc79ee8ecd4166cba19be7493c6175cb0c65a9)
|
|
Fix an idmap leak in AssetManager::addSystemOverlays.
The fix could also prevent an fd leak of the idmap.
Test: none
Bug: 32691930
Signed-off-by: Hyangseok Chae <neo.chae@lge.com>
(cherry picked from commit 6a742a38509693f8b39ee9a5ad2803fca12688bf)
Change-Id: Idc4af77db2b0cb739bd6b009b6af0f9123be1aac
(cherry picked from commit 0244ca8d10dfc27e14f481fe649b89f7638c48eb)
|
|
On M and below, we provide a blanket whitelist for all files under
"/vendor/zygote_whitelist". This path is whitelisted purely to allow
this patch to be applied easily on legacy devices and configurations.
Note that this does not amount to a loosening of our security policy
because whitelisted files are reopened anyway.
Bug: 32691930
Test: manual
Change-Id: If5b53f6f0a707f8d36603c09bfd3f72dbfbbbb99
(cherry picked from commit 5e2f7c6229d7191183888d685b57a7d0a2835fce)
|
|
Partially cherry picked from commit 1c15c635785c64a.
These files are safe to reopen for the same reason that files in
/system/framework are. They're regular files and will not change after
the first zygote fork.
Bug: 32618130
Change-Id: I119e0bfcbf397cb331064adf148d92a5cd3ea92f
(cherry picked from commit 25cd01cc69fcad34756b00e52a79c0c54178f2e6)
|
|
When a public (vfat) device is inserted, it's strongly associated
with the current foreground user, and no other users should be able
to access it, since otherwise that would be a cross-user data leak.
To use the device under a different user, switch users and then
eject/remount the device.
Test: verified user isolation of USB drive
Bug: 32523490
Change-Id: I590c791996f1fea8d78f625dc942d149f1f41614
(cherry picked from commit 8b38d083c42e2706e1ff5a1410fa61d1f5dea3f5)
|
|
Test: unit test passes
Bug: 31850211
Change-Id: I47f9db1f2c50ccd4fc90b80a9ffc1e9e43078f5f
(cherry picked from commit a0289894718c230c746f7e85207d30fee431dab8)
|
|
This patch adds an explicit check in the DHCP packet parser for
rejecting packets without a magic cookie, instead of relying on the
top-level try-catch-all in the parser.
This allows this specific error to be added to the DHCP error metrics.
It also allows adding two poor man's fuzzing tests that try to find
additional gaps in the DHCP packet parser by
- trying to parse all subslices of a valid offer packet.
- trying to parse random byte arrays.
Test: covered by previously introduced malformed DHCP packet unit tests
+ additional fuzzing tests.
Bug: 31850211
Change-Id: If53c9ba9df78d7604ec018c9d67c237ae59c4833
(cherry picked from commit 006e0613016c1a0e0627f992f5a93a7b7198edba)
|
|
Fix merge conflict into nyc-mr1-security-a-release
This patch adds a try-catch-all to DHCP packet parsing so that
DhcpClient does not choke on malformed packets, bringing down with it
the whole framework.
Test: added new unit tests catching the issue fixed in this patch.
Bug: 31850211
Change-Id: I3c50a149fed6b2cbc4f40bb4f0e5bb2b56859b44
|
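The two DhcpPacket messages above (the catch-all just above, and the explicit magic-cookie check with its two "poor man's fuzzing" tests earlier on the page) as one added example, written in C rather than the framework's Java and not taken from the project. dhcp_parse, the result codes, the dhcp_info_t fields and the 250-byte sample DHCPOFFER are all constructed here; the point is that the cookie check returns its own code (so it can be counted in metrics) and that every length is bounds-checked, so the subslice and random fuzzers can only ever see an error code, never a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_FIXED_LEN 236   /* op ... file; the magic cookie follows at offset 236 */
static const uint8_t DHCP_MAGIC[4] = { 0x63, 0x82, 0x53, 0x63 };

/* Distinct result codes so "no cookie" can be counted on its own in metrics. */
enum dhcp_result {
    DHCP_OK = 0,
    DHCP_ERR_TOO_SHORT = 1,   /* shorter than fixed header + cookie */
    DHCP_ERR_NO_COOKIE = 2,   /* bytes 236..239 are not 63 82 53 63 */
    DHCP_ERR_BAD_OPTION = 3,  /* option runs past the buffer, or no END (255) */
    DHCP_ERR_NO_MSGTYPE = 4   /* option 53 absent */
};
typedef struct {
    uint32_t yiaddr;    /* host byte order */
    uint8_t  msg_type;  /* option 53 */
} dhcp_info_t;

/* Every length is checked before the byte is read, so any input yields a code. */
int dhcp_parse(const uint8_t *buf, size_t len, dhcp_info_t *out) {
    if (len < DHCP_FIXED_LEN + 4) return DHCP_ERR_TOO_SHORT;
    if (memcmp(buf + DHCP_FIXED_LEN, DHCP_MAGIC, 4) != 0) return DHCP_ERR_NO_COOKIE;
    dhcp_info_t info = { 0, 0 };
    info.yiaddr = ((uint32_t)buf[16] << 24) | ((uint32_t)buf[17] << 16) |
                  ((uint32_t)buf[18] << 8) | buf[19];
    size_t pos = DHCP_FIXED_LEN + 4;
    int saw_end = 0;
    while (pos < len) {
        uint8_t code = buf[pos];
        if (code == 0) { pos++; continue; }           /* PAD */
        if (code == 255) { saw_end = 1; break; }      /* END */
        if (pos + 1 >= len) return DHCP_ERR_BAD_OPTION;
        size_t olen = buf[pos + 1];
        if (pos + 2 + olen > len) return DHCP_ERR_BAD_OPTION;
        if (code == 53 && olen == 1) info.msg_type = buf[pos + 2];
        pos += 2 + olen;
    }
    if (!saw_end) return DHCP_ERR_BAD_OPTION;
    if (info.msg_type == 0) return DHCP_ERR_NO_MSGTYPE;
    if (out) *out = info;
    return DHCP_OK;
}

/* Constructed sample DHCPOFFER (not a capture): BOOTREPLY, yiaddr 192.168.1.50,
 * options 53=OFFER, 54=server id, END. Returns its length (250) or 0. */
size_t build_sample_offer(uint8_t *buf, size_t cap) {
    static const uint8_t opts[] = { 53, 1, 2,  54, 4, 192, 168, 1, 1,  255 };
    size_t total = DHCP_FIXED_LEN + 4 + sizeof opts;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 2; buf[1] = 1; buf[2] = 6;               /* op, htype, hlen */
    buf[16] = 192; buf[17] = 168; buf[18] = 1; buf[19] = 50;
    memcpy(buf + DHCP_FIXED_LEN, DHCP_MAGIC, 4);
    memcpy(buf + DHCP_FIXED_LEN + 4, opts, sizeof opts);
    return total;
}

/* Poor man's fuzzer 1: parse every subslice of a valid packet. Returns how
 * many subslices parsed OK, or -1 if any result was outside the enum. */
int fuzz_subslices(const uint8_t *pkt, size_t len) {
    int ok = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = i + 1; j <= len; j++) {
            int r = dhcp_parse(pkt + i, j - i, NULL);
            if (r == DHCP_OK) ok++;
            else if (r < DHCP_ERR_TOO_SHORT || r > DHCP_ERR_NO_MSGTYPE) return -1;
        }
    return ok;
}

/* Poor man's fuzzer 2: random byte arrays from a fixed-seed LCG, so a failure
 * is reproducible. Returns 1 if every input produced an in-range code. */
int fuzz_random(uint32_t seed, int iterations) {
    uint8_t buf[600];
    for (int it = 0; it < iterations; it++) {
        seed = seed * 1664525u + 1013904223u;
        size_t len = (seed >> 8) % sizeof buf + 1;
        for (size_t k = 0; k < len; k++) {
            seed = seed * 1664525u + 1013904223u;
            buf[k] = (uint8_t)(seed >> 24);
        }
        int r = dhcp_parse(buf, len, NULL);
        if (r < DHCP_OK || r > DHCP_ERR_NO_MSGTYPE) return 0;
    }
    return 1;
}

/* Drives the sample offer through each error path: 0 on success, else the step. */
int self_check(void) {
    uint8_t pkt[300];
    dhcp_info_t info;
    size_t n = build_sample_offer(pkt, sizeof pkt);
    if (n != 250 || dhcp_parse(pkt, n, &info) != DHCP_OK) return 1;
    if (info.msg_type != 2 || info.yiaddr != 0xC0A80132u) return 2;
    if (dhcp_parse(pkt, 100, NULL) != DHCP_ERR_TOO_SHORT) return 3;
    pkt[236] ^= 0xff;
    if (dhcp_parse(pkt, n, NULL) != DHCP_ERR_NO_COOKIE) return 4;
    pkt[236] ^= 0xff;
    if (dhcp_parse(pkt, n - 1, NULL) != DHCP_ERR_BAD_OPTION) return 5;  /* END cut off */
    return fuzz_subslices(pkt, n) == 1 ? 0 : 6;
}
```

Only the whole sample packet parses OK (fuzz_subslices returns 1); every other subslice lands on TOO_SHORT, NO_COOKIE or BAD_OPTION, which is the property the commit's fuzzing tests check.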
|
Test: docs only, no test apart from verifying that it builds
Bug: #32158219 clean up InputConnection.commitContent() javadocs
Change-Id: I9b438d6b14aa8bc868fe41f7e0fe22b0e83800fb
(cherry picked from commit 5c0af8876468869f21baa204c498f0c975553bf3)
|
|
The Settings app's version code is 25 for both DR and MR1, so the
shortcut manager will not notice when it's changed.
Let's just always scan this app.
Bug 32554059
Change-Id: Ia05363b30a5eeb989dc4c44cf5dbd71cde96de96
(cherry picked from commit ac2898228edea493c76287338adf6dd8ca21303a)
|
|
Calculate size of installed APKs only when INSTALL_EXTERNAL flag is set.
calculateInstalledSize is expensive and may take up to 20% of total
installation time.
Bug: 32180551
Bug: 29932779
Change-Id: I173d2b38820cc86cbfacecd1bacef57369d10af7
(cherry picked from commit b87a491de63069fb903c95727f57511c7e4eeaa0)
|
|
We never unbind, so we only ever need one bind request; creating more
bind requests just wastes resources.
Test: builds
Bug: 32446301
Change-Id: I7d6c4a93b8f5bb8d9aed7a5041b193e19a2d65fc
(cherry picked from commit 7765d7320d8435a0e814d9f10039c7866f9d76a2)
|
|
Enabling BLE in airplane mode puts BluetoothManagerService in an
unexpected state which causes Bluetooth to be on when airplane mode
is disabled.
Also fixes a bug where a crash of a BLE client would trigger a restart
into ON mode.
Test: SL4A BleBackgroundScanTest:test_airplane_mode_disables_ble
Bug: 32140251
Bug: 32140271
Bug: 32369494
Change-Id: Ie65157e65c3a1ca914f567a7a0c631175d1e5835
(cherry picked from commit bd93b7b3dc6141cef6236cf0ca7dcc5acf5bfeed)
(cherry picked from commit a80d745c656f1e09aa9331002f613883220ca029)
|
|
Apps on the system image can change their package by declaring
their old one in the manifest. If a package is renamed it is
internally referred to by its old name.
The reconciliation code was using the new package name for
renamed packages and was concluding the apk is orphaned, thus
deleting it. This puts the package in a bad state where the app
is gone and the version on the system partition is disabled.
Also Play was showing an update for a renamed system app as
an install while it is an update, for the same reason:
it was using the new package name while the app is internally
referred to by the old one.
The fix for both of the above is to internally normalize the package
name by using the old one if the package was renamed or the
package name as is.
Test: With the fix put the old calculator on the system image
and booted, then put the renamed calculator and booted, updated
calculator from play and rebooted - calculator keeps working.
Also did the above steps without the patch to put calculator
in a bad state and flashed the system with the patch which
fixed the broken calculator app.
bug:32321269
Change-Id: I98bfc05c399edfc9854ebcce44182fefa55ceeff
(cherry picked from commit e2c85890ac3941525288e08962b33d30618de801)
|
|
nyc-mr1-dev
|
|
The split ambient settings default to on - which is a bad experience
if the user explicitly turned it off before the split.
Change-Id: Id80d62727952f63b363f87c19b5befbde8ab5c31
Merged-In: I986d35a1a28e97f4c8d7d3d47ed5658e1836a44f
Merged-In: I346a53b0dc9cdf578c238113f4f33056ba0f3aea
Fixes: 32332195
Test: Flash angler to NYC, disable ambient, upgrade to NYC-MR1, check if "Lift to check phone" is still off.
|
|
am: fb4f5497b7
Change-Id: I1c550fa22586145ec949fe54ef727be814624340
|
|
am: afbf16f908
Change-Id: I6fa42074ba2fe6019f0bf817a7b21650d2a0dd43
|