Age | Commit message | Author |
|
Even if an <intent-filter> matches non-web schemes in addition to http
or https, make sure to include its cited hosts in the autoVerify
evaluation.
Bug: 150038428
Test: atest OsHostTests#testIntentFilterHostValidation
Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
(cherry picked from commit 1fba0f897f276d5d47962534867e764da8061105)
(cherry picked from commit bfa779601082d9021ea4e7d4cca571575bd0b13b)
|
|
Prevent accessing companion records from arbitrary uids
Test: manual
Fixes: 129476618
Change-Id: I7b18cfcdf58e62a445cbb508116c6ce7c1cea8d7
(cherry picked from commit 84cccfe6cdbc57ee372ee1a0fea64c7a11c53766)
|
|
This reverts commit ca006a7de870f58587dbd9054aa98b3ea21157f6.
|
|
Originally, if the caller of navigateUpTo is alive, even the calling
uid is set to the caller who launched the existing destination activity,
the uid from caller process has higher priority to replace the given
calling uid. So this change doesn't modify the existing behavior if
the caller process is valid. Besides, the case of delivering new intent
uses the source record as calling identity too, so the case of starting
new activity should be consistent.
Also forbid attaching null application thread to avoid unexpected state
in process record.
Bug: 144285917
Test: atest ActivityStackTests#testNavigateUpTo
Test: atest CtsSecurityTestCases:ActivityManagerTest# \
testActivityManager_attachNullApplication
Change-Id: I60732f430256d37cb926d08d093581f051c4afed
(cherry picked from commit da78af4d6696dda77c692a7c6f2f49d4277cf341)
|
|
startActivities
Assume there are 2 applications A, B with different uids.
There are 4 activities A1, A2, B1, B2 with default task
affinity and launch mode.
After A1 called startActivities(B1, A2, B2):
Original : Task(A1, B1, A2, B2)
This Change: Task(A1, B1), Task(A2, B2)
In other words, the source caller cannot launch its activity
above the activity of other application in the same task, and
it can still launch activity of other application in its task.
Bug: 145669109
Test: atest StartActivityTests# \
testStartActivitiesWithDiffUidNotInSameTask
Change-Id: I97bd875146a52f62b8fe82235487ccefb2955e8e
(cherry picked from commit 48d8d370f3d1dac06719ca6a52bda5f45a1a533a)
|
|
...rather than relying on in-app code to perform the shutdown.
Backport of security fix.
Bug: 128649910
Bug: 140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification
Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
(cherry picked from commit a79b6ba5c59dc6aaa8adbe1ffa3ee4b761f45e7f)
|
|
Bug: 145981139
Test: manually tested ensureSystemPackageName() returns null for non-system app
Change-Id: I1d23910cbd282f6702785c9dfb059d7be6b0e895
(cherry picked from commit 6a56247200e1a8afc4dacc2497ec384efa200b92)
(cherry picked from commit 584d73a0b066e01b0877b475c8e2b1a85fcf5328)
|
|
Update keyguard locked state from TrustManagerService
TrustManagerService holds the ground truth about whether a user is
locked or not, so update keystore using the information there,
instead of doing it from KeyguardStateMonitor. This fixes the issue
of work profile locked state not being correctly pushed to keystore.
Note: since this change is likely to be backported as a security
patch, I'm refraining from doing major refactoring right now.
Bug: 141329041
Bug: 144430870
Test: manually with KeyPairSampleApp
Change-Id: I3472ece73d573a775345ebcceeeb2cc460374c9b
(cherry picked from commit 0860a5c5c303426073c36763bef28644673ff441)
|
|
Test: manual
Bug: 148059175
Change-Id: I50ee768e792266ad2091f1913168e89d5d1463ed
Merged-In: I50ee768e792266ad2091f1913168e89d5d1463ed
(cherry picked from commit 1c943a2670c1ff499669b42ef72dcd9f07db08c3)
(cherry picked from commit adc39de3a148a2058d63bd7a1b8b71ee0a3524ac)
(cherry picked from commit eb4f716bf3a0ee3ac8015cde48305aeb82724039)
|
|
Assume there is an XmlBlock [X] created by an AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.
By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.
Bug: 136721562
Bug: 144028297
Test: atest AssetManagerTest
Test: Build and install CorePerfTests
adb shell am instrument -w -r --no-hidden-api-checks -e class \
android.app.ResourcesPerfTest#getLayoutAndTravese,android.graphics.perftests.RenderNodePerfTest \
com.android.perftests.core/androidx.test.runner.AndroidJUnitRunner
Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit 0a8a1e9d40a3cdff06150c43c623fa4c415226b6)
|
|
If an app has previously used autoVerify to make claims about its status
re handling web navigation intents, but is updated such that it no
longer makes those claims, step down its "official handler" status as
though it had never invoked autoVerify in the first place.
Bug: 146204120
Test: manual: as described in bug; observe policy before/after via
'adb shell dumpsys package d'
Test: atest CtsOsHostTestCases
Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
(cherry picked from commit ce22265eeda3a96613b9a7bb7dd898c69d295964)
|
|
When deleting an unused static shared library on Q, the user manager was
fetched via mContext.getSystemService. At this time during boot, the
service wasn't registered and so null was returned. This has already
been addressed in R with a move to injecting dependencies in the
PackageManagerService constructor.
Bug: 142083996
Bug: 141413692
Test: manual; remove static dependency on eng Q build and reboot
Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
(cherry picked from commit 5d3fc339b57950fd8621cb410865e8800ccb6873)
|
|
This change ensures we find ALL known packages that could be consuming a
shared library, not only currently installed ones. Without this check,
the system may get into a state in which we have currently uninstalled
but on-device apps that depend on a shared library that does not exist
on device.
This change also leaves static shared library packages on device even if
it's not installed for any of the remaining users as it could still be
used, but marked uninstalled for users in which it is consumed.
Bug: 141413692
Bug: 142083996
Test: Manual; attempt to remove shared lib after marking its consumer uninstalled.
Test: atest StaticSharedLibsHostTests
Change-Id: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
Merged-In: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
(cherry picked from commit 08315953bc42fb392c32293418dfb2a3e4ffbe53)
|
|
This change adds null checks before accessing outInfo in
deleteSystemPackageLI.
Bug: 142083996
Bug: 141413692
Test: manual; remove static dependency on eng build and reboot
Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit 17471016508bb9c9ffb8c3946dda0b4897d722f1)
Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit 6afabce549f5725988b9c03de932c34e9d22f10e)
|
|
PermissionMonitor#hasPermission only checks permissions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission isn't granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.
Bug: 144679405
Test: Build, flash, manual test
Change-Id: Iae9c273af822b18c2e6fce04848a86f8dea6410a
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: I2da730feda4d7ebed1f158b073167bb3964b3e7d
(cherry picked from commit d0205a3469dc8d8122e89072c19d0e9f18e7452f)
|
|
Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.
This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.
In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.
Backport of 414b8c8b1ce8ae2ad6ef95c1ffba19062077d3e6.
Bug: 122652057
Test: atest FrameworksNetTests
Test: manually ran a VPN with private DNS in strict mode
Test: atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
(cherry picked from commit 029d9ea11921b7ca5652d24a9563b66c2b70fafc)
|
|
Support faking out the DNS lookups used by NetworkMonitor to
resolve strict mode DNS, and add more test coverage.
These tests were partly adapted from tests we have in Q but
also contain new coverage. This is because in Q the interface
between ConnectivityService and NetworkMonitor changed
substantially, and it is impractical to backport
NetworkMonitorTest.
Bug: 122652057
Test: atest FrameworksNetTests
Change-Id: I6497b7efa539267576d38d3036eef0af0df4e9cb
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
(cherry picked from commit 60cd85533d3a9ad4e3758de4804d1716e7fe0371)
|
|
Make toasts non-clickable
Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.
This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.
Test: atest CtsWindowManagetDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
log click events. Then:
1) Observe click events are logged without this CL.
2) Observe click events are not logged with this CL.
Bug: 128674520
Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
(cherry picked from commit 6bf18c39d9fc727523fa3201567b836032bb2114)
|
|
Root cause: systemui runs as a user 0 service to handle all of users'
notifications. And, the users can use the copy/cut/paste
functionality.
Solution: Create a @hide API in TextView to let SystemUI mark that the
TextView instance should check whether the power of
INTERACT_ACROSS_USER_FULL needs to be restricted.
e.g. Keyguard password textview/Notification entries
Bug: 123232892
Test: manual test
Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
Reference: I975baa748c821538e5a733bb98a33ac609bf40a7
Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
(cherry picked from commit 08391b3da7e2da3b0220eb5766e0a1774d28e9a5)
|
|
Sys UI runs in the primary user. This means that TextView components
such as RemoteInputView and KeyguardPasswordView running in it could
leak data across users.
This CL disables the TextClassifier for RemoteInputView.
It also logs when fixed issue is "potentially" exercised.
There is no need to explicitly disable the TextClassifier for
KeyguardPasswordView. It is a password field
(TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_PASSWORD) and the
TextClassifier does not run for such fields.
Test: manually attempt to exercise the bug.
See the bug in 123232892 for more information.
Bug: 136483597
Bug: 123232892
Change-Id: Ia1e4843d1505e204f2e78d2459da198c9988f7f2
(cherry picked from commit 579abbd2d8ad37c4e07e1396002ad5be5bd41365)
|
|
For secondary users, when AOSP keyboard is used to type in
direct-reply, unknown words can be added to dictionary.
It's *not* OK for SpellCheckerService of primary user to
check unknown words typed by a secondary user.
The dialog to add these words shows up in primary user instead.
TextView uses TextView#isSuggestionsEnabled() to determine if
SpellChecker is enabled. This can be disabled by setting the flag
TYPE_TEXT_FLAG_NO_SUGGESTIONS in inputType.
Note: This doesn't affect workprofile users on P or older versions since
they use same SpellCheckerService for all workprofiles.
Bug: 123232892
Test: Manually tested using the steps mentioned in the bug.
1. Flash latest P build.
2. Install AOSP keyboard (LatinIME) and set it as default.
3. Install and open EditTextVariations
4. Initiate direct reply in primary user and type non-english
words like "ggggg hhhhh".
5. Observe that they get red underline and tapping it brings "add
to dictionary" popup.
6. Create a new secondary user and switch to it.
7. Once the setup completes, initiate a direct reply and type words
similar to step 4.
8. Verify that red underlines don't appear.
9. Switch back to primary user and verify direct reply still has red
underlines.
Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc
(cherry picked from commit b5c0e01aca6f19ae3e305ce6d1c1ecec6aba0532)
|
|
Bug: 140055304
Test: Manua
Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
(cherry picked from commit 0bfebadf304bdd5f921e80f93de3e0d13b88b79c)
|
|
Bug: 141169173
Test: Manual. App can't be installed as test-only
Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
(cherry picked from commit 702d394762a9b162cb2a2b04bb726fd8053f24d3)
|
|
If dimensions of cropped wallpaper image exceed max texture size that
GPU can support, it will cause ImageWallpaper to keep crashing
because hwui crashes by invalid operation (0x502).
Bug: 120847476.
Test: Write a custom app to set a 8000x800 bitmap as wallpaper.
Test: The cropped file will be 29600x2960 and make sysui keep crashing.
Test: After applying this CL, wallpaper will use fallback.
Test: Sysui will not keep crashing any more.
Change-Id: I8ed5931298c652a2230858cf62df3f6fcd345c5a
(cherry picked from commit f1e1f4f04d0165ed065637a4ba556583a7c79ef0)
|
|
Revive runLimit check logic
The runLimit check logic was accidentally removed by
I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
Bug: 142134328
Bug: 140632678
Test: Manually done with reported step
Test: StaticLayoutTest passes
Change-Id: Ib1d5efdcb9adcc18a6a43370dc016ea464f48148
(cherry picked from commit fd1a7e8663feb23ba912e1c519630a2385b452fc)
|
|
It's possible for a service to do a start/stop foreground and cause a
couple of things to happen:
NotificationManagerService will enqueue a EnqueueNotificationRunnable,
post a PostNotificationRunnable (for the startForeground), and then also
enqueue a CancelNotificationRunnable. There is some racy behavior here
in that the cancel runnable can get triggered in between enqueue and
post runnables. If the cancel happens first, then
NotificationListenerServices will never get the message.
This behavior is technically allowed, however for foreground services we
want to ensure that there is a minimum amount of time that notification
listeners are aware of the foreground service so that (for instance) the
FGS notification can be shown.
This CL does two things to mitigate this problem:
1. Introduce checking in the CancelNotificationRunnable such that it
will not cancel until after PostNotificationRunnable has finished
executing.
2. Introduce a NotificationLifetimeExtender method that will allow a
lifetime extender to manage the lifetime of a notification that has been
enqueued but not inflated yet.
Bug: 119041698
Test: atest NotificationManagerServiceTest
Test: atest ForegroundServiceLifetimeExtenderTest
Change-Id: I0680034ed9315aa2c05282524d48faaed066ebd0
Merged-In: I0680034ed9315aa2c05282524d48faaed066ebd0
(cherry picked from commit 3b8c4743f630dcd370bfc5dc9683b551983fbe28)
|
|
Do not compute outside given range in TextLine
This is the second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081,
which breaks various layout tests on application.
The empty string must be also handled by the TextLine since it
retrieves the default line height from the empty string.
Bug: 140632678
Test: StaticLayoutTest
Test: Manually done
Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
(cherry picked from commit f582b9bc9834c80f48070b032637dd1c94ebe6f4)
|
|
Revoking an app's authorizations to use camera and record or play audio
while suspended. Appops watchers will also be notified of this change to
re-evaluate privileges at the time of suspension.
Test: atest FrameworksServicesTests:SuspendPackagesTest
Bug: 138636979
Change-Id: Ie95555856afdd56728125f7e60b6a78cf9fc0e58
Merged-In: Ie95555856afdd56728125f7e60b6a78cf9fc0e58
Merged-In: Ic5fb1807deceabfd956b666fa76f8bcc94020ac3
(cherry picked from commit ed5edb77dcdbf0e65acb58188698027036fb8d05)
|
|
Strict SQLiteQueryBuilder needs to be stricter.
Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.
This change offers setStrictGrammar() to prevent this by outright
blocking subqueries in WHERE and HAVING clauses, and by requiring
that GROUP BY and ORDER BY clauses be composed only of valid columns.
This change also offers setStrictColumns() to require that all
untrusted column names are valid, such as those in ContentValues.
Relaxes to always allow aggregation operators on returned columns,
since untrusted callers can always calculate these manually.
Bug: 135270103
Bug: 135269143
Test: atest android.database.sqlite.cts.SQLiteQueryBuilderTest
Test: atest FrameworksCoreTests:android.database.sqlite.SQLiteTokenizerTest
Exempt-From-Owner-Approval: already approved in downstream branch
Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
(cherry picked from commit 216bbc2a2e4f697d88f8fd633646e3c0433246f1)
|
|
one
When there's no users' choice to tell us whether to share their
phonebook information to the Bluetooth device, set the phonebook access
permission to ACCESS_REJECTED.
Bug: 138529441
Test: Manual test
Change-Id: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
Merged-In: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
(cherry picked from commit 9b3cb0f06b7c4907c293aa65e68c7ed6e4962d4b)
|
|
Enable stricter SQLiteQueryBuilder options.
Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.
This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks. This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.
We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.
Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.
Bug: 135270103
Bug: 135269143
Test: atest DownloadProviderTests
Test: atest CtsAppTestCases:android.app.cts.DownloadManagerTest
Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
(cherry picked from commit 382d5c0c199f3743514e024d2fd921248f7b14b3)
|
|
Bug: 138441555
Test: Manual
Change-Id: Ib1b4fba54ebd3599fe11021d21dc9b09d34e8965
Merged-In: Ib1b4fba54ebd3599fe11021d21dc9b09d34e8965
(cherry picked from commit 2b415a4c4465a6294e51ad1a8fcf2e6c1497853b)
(cherry picked from commit 46368e4f5cf4ff4582942bcc8ab23636c702daa3)
|
|
Test: Just adding a constant
Bug: 132261064
Change-Id: I1527be03a10fa1a2fde09e3e41d6b7e83a986fc0
Merged-In: I2bce277ff8f2de4614e19d5385fe6712b076f9c9
(cherry picked from commit 20e5d92613268c196b508865b7275b59f00688f5)
|
|
provided by PendingIntentRecord#sendInner()
Previously we'd ignore realCallingPid and realCallingUid that
PendingIntentRecord#sendInner() provided to startActivityInPackage().
Now we correctly pass it on, preserving past behaviour if none
provided.
Test: manual; we added logging statements to check the value of realCallingUid
in startActivitiesMayWait when launching the calendar app from the calendar widget
and verified that it was the calendar uid rather than the system uid.
Bug: 123013720
Change-Id: If0c0b67880c2e7a8774f31fbb1ba5f50544d2972
(cherry picked from commit b255e64a5d282f860bd58ae8f85158b5badce7ba)
|
|
Some system apps may download unknown content and the user should
be explicitly asked whether they trust these files. System apps should
explicitly use the extra NOT_UNKNOWN_SOURCE to bypass this check.
Test: Builds, boots, existing tests pass:
atest CtsPackageInstallTestCases
Locally verified they pass if CtsPackageInstallTestCases.apk was signed by
the platform cert.
Bug: 123700348
Change-Id: I3028bf8ff3f79a41521deeee43fba3c32bb1b2ca
Merged-In: I2578251906f6656b83464d1c4fc4db99165841c9
(cherry picked from commit 43e682abef2a1c65585bef510c390480f0c4a2fd)
|
|
If we have a display size change, make sure to set different
scaling mode such that we can show the buffer even if there is
a size mismatch.
Test: Rotate screen
Test: Change cutout type
Bug: 112876936
Change-Id: Iedc7774d69730a95b98ba46d4f274bc3b7e66bd1
(cherry picked from commit da4997312c79bfb5b5c6fb31833fc2ce401c4457)
|
|
The CL fixes a crash in Layout.primaryIsTrailingPreviousAllLineOffsets.
The crash was happening when the method was called for a line beginning
with an empty bidi run. This could happen, for example, for empty text -
I was unable to find any other case. The CL improves the existing test
for the method with this case, which was previously crashing.
The CL also fixes a potential crash in getLineHorizontals. However, this
bug could never happen as in the current code path clamped is always
false (and kept as parameter for parity with getHorizontal).
Bug: 135444178
Bug: 78464361
Test: atest FrameworksCoreTests:android.text.LayoutTest\#testPrimaryIsTrailingPrevious
Change-Id: I47157abe1d74675884734e3810628a566e40c1b4
(cherry picked from commit 7ad499d00716f45fffdf7331493ed21d1b8d9b77)
(cherry picked from commit 9109ce6b0af6fc94b79cf855a10d85e107c768c2)
|
|
HidHostService allows connecting when priority is PRIORITY_UNDEFINED.
HidProfile should return true when priority is PRIORITY_UNDEFINED.
Otherwise, the "Input device" toggle is in the off state when a HID device
is connected.
Bug: 132456322
Test: manual
Change-Id: Id7bae694c57aec17e019d591c0a677e3cb64f845
(cherry picked from commit 830217f277e31e63d9ab8acd21ee2a8f81ee1c8f)
|
|
The function 'checkAccess' receives the uid and pid in that order and
forwards them to checkSlicePermission in the same order. However,
checkSlicePermission expects them in the opposite order.
Bug: 135551349
Test: atest FrameworksUiServicesTests
Change-Id: I6e49efeab08f0e2a29d9830e6f81905598ae410c
(cherry picked from commit d2432fc3e35eacb308b620174849b29aa74eee05)
|
|
This prevents any object data from being accidentally overwritten by the
exception, which could cause unexpected malformed objects to be sent
across the transaction.
Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
Bug: 34175893
Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
(cherry picked from commit f8ef5bcf21c87d8617f5e11810cc94350298d114)
|
|
Bug: 130568701
Test: manual. After this, can't display on top of it
Change-Id: Ib032f800edb0416cc15f01a34954340d0d0ffa78
(cherry picked from commit 4e80dc2861614d25a1f957f50040a8cf04812d11)
(cherry picked from commit 27d47340496580d66f36a734a115e47eaf550972)
|
|
Missed a call-point in last refactoring.
This CL should have been included in https://googleplex-android-review.git.corp.google.com/q/topic:%22bp-secure-screen-rotation%22+(status:open%20OR%20status:merged)
Bug: 130211665
Bug: 133054270
Test: Manual
Change-Id: I43fa93eea7d79f5b773497e3bb65750866eca2cb
(cherry picked from commit bf9298f1c9b848ff0db4ae0be3913ad531bafa9e)
(cherry picked from commit fbc22c2b6d54a8a9b589746be67d3992f01212cc)
|
|
When Zygote starts a process with a pid, system_server may have this
pid associated with an old process which is killed by the OS but
system_server has not finished cleanup. In this case, clean up the old
ProcessRecord so the new process can use the pid.
This problem is exposed because of the asynchronous process start change.
attachApplicationLocked() may happen before handleProcessStartedLocked() and
the mPidsSelfLocked may still have the old ProcessRecord associated with
the new process's pid.
Bug: 131105245
Test: POC test steps in b/131105245.
Change-Id: I775acda5147291d0cf9836b6ffb3f52d1bf9bffe
Merged-In: I775acda5147291d0cf9836b6ffb3f52d1bf9bffe
Merged-In: I5d421f6c68f6b3437d51c94f4aef77e08a7bf002
(cherry picked from commit 3d47e0ceca4e6528a1bec2a7e94a833b8951d93a)
|
|
Make it clear that ending an emergency call is not possible with this
method.
Test: Compile; this is a docs change.
Bug: 132438333
Change-Id: I736b90e31723ee2055cedf16142c4d0f494bf49b
(cherry picked from commit 3acf511895d8d19d5f9189d0159ae1d677a89a42)
|
|
Test: atest LockTaskControllerTest
Bug: 132593073
Change-Id: I1bfacd5992569d67cdaa526b18d1c426a366babb
(cherry picked from commit fa1b986746ad7d9ebab6a34a0bfafd0a93267d5b)
|
|
ScreenPinningSettings.
Fixes: 127605586
Test: atest LockTaskControllerTest
Change-Id: I7d4c53fd6740f500d1a0ce18b47b83ed895300a5
(cherry picked from commit 5d6c1e8f451a920695e92fd321bbffe9c75f9aaa)
|
|
For purposes of the screen rotation animation the system server is allowed
to capture secure (not protected) layers and trusted not to persist screenshots
which may contain secure layers. However when displaying the screen rotation animation,
the layer the screenshot is placed on will itself not be secure, so if we record
the animation the recording will contain persisted versions of the secure content. Make sure
we use the new API from SurfaceFlinger to set FLAG_SECURE if our screenshot contains secure
content.
Bug: 69703445
Test: Transaction_test#SetFlagsSecureEUidSystem
Change-Id: I0dd36462867da52e6b1451f65f56c2c5d37538f3
(cherry picked from commit bab740f10e0812ba47d19931fdfe2fa7e02bbd0c)
|
|
This reverts commit 0877ed0c116242b9dbab30954e4f130e4c68e0a0.
|
|
For purposes of the screen rotation animation the system server is allowed
to capture secure (not protected) layers and trusted not to persist screenshots
which may contain secure layers. However when displaying the screen rotation animation,
the layer the screenshot is placed on will itself not be secure, so if we record
the animation the recording will contain persisted versions of the secure content. Make sure
we use the new API from SurfaceFlinger to set FLAG_SECURE if our screenshot contains secure
content.
Bug: 69703445
Test: Transaction_test#SetFlagsSecureEUidSystem
Change-Id: I0dd36462867da52e6b1451f65f56c2c5d37538f3
(cherry picked from commit bab740f10e0812ba47d19931fdfe2fa7e02bbd0c)
|
|
the system server.
In pre-P versions of Android, it was allowed to screenshot secure layers if the
buffer queue producer which was the target of the screenshot was owned by
the system (in this case SurfaceFlinger). This really was a synonym for:
The screen rotation animation was allowed to capture secure layers, but the other
code paths weren't. In O we mistakenly changed this check to always allow the system server
to capture secure layers via the captureScreen path (the captureLayers path used for
TaskSnapshots was unaffected). This can result in data leakage in cases where the
system server takes screenshots on behalf of other parts of the system (e.g. for
the assistant). To mitigate this we provide an explicit switch for the system server
to specify whether it wishes to capture Secure layers. While this is dangerous, I think
it is less dangerous than the previous implicit switch of capturing secure layers based on which
type of BufferQueue was passed in. The flag defaults to not capturing secure layers
and we set it to true in the one place we need it (for the screen rotation animation).
Non-privileged clients can still not capture secure layers at all directly.
Test: TransactionTest.cpp#SetFlagsSecureEUidSystem
Bug: 120610669
Change-Id: I9d32c5ac2b005059be9f464859a415167d9ddbd4
(cherry picked from commit dc49e0088a05108a0616704ca5565136f89c0a1f)
|