From 43d61dcef058f5edd57734f9d189d3f5dd290d64 Mon Sep 17 00:00:00 2001
From: Tony Mak <tonymak@google.com>
Date: Fri, 28 Jul 2017 11:53:56 +0100
Subject: Enforce policy for camera gesture in keyguard

Test:
1. Set lock screen, set keyguard policy. Lock the device.
   Observe that double tap is not showing camera

2. Set lock screen, unset the keyguard policy. Lock the device.
   Observe that double tap is showing camera

3. Unset lock screen (swipe), set the keyguard policy. Lock the device.
   Observe that double tap is showing camera.

4. Unset lock screen (swipe), unset the keyguard policy. Lock the device.
   Observe that double tap is showing camera.

Bug: 63787722
Merged-In: I104688eaad719528376e2851f837d5956a6a1169

Change-Id: I42e6d9015682998176fe41971356bde22e1b37b2
(cherry picked from commit 65f02e8ba7a9f013d6971b3d6d1bd95f1785cb3d)
---
 .../android/systemui/statusbar/BaseStatusBar.java  | 19 ++++++++++++++++++
 .../statusbar/phone/KeyguardBottomAreaView.java    | 23 ++++------------------
 .../statusbar/phone/NotificationPanelView.java     |  5 +++++
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/BaseStatusBar.java b/packages/SystemUI/src/com/android/systemui/statusbar/BaseStatusBar.java
index 4866fca05916..3806585199a8 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/BaseStatusBar.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/BaseStatusBar.java
@@ -2663,4 +2663,23 @@ public abstract class BaseStatusBar extends SystemUI implements
             mAssistManager.startAssist(args);
         }
     }
+
+    public boolean isCameraAllowedByAdmin() {
+       if (mDevicePolicyManager.getCameraDisabled(null, mCurrentUserId)) {
+           return false;
+       } else if (isKeyguardShowing() && isKeyguardSecure()) {
+           // Check if the admin has disabled the camera specifically for the keyguard
+           return (mDevicePolicyManager.getKeyguardDisabledFeatures(null, mCurrentUserId)
+                   & DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA) == 0;
+       }
+       return true;
+    }
+
+    public boolean isKeyguardShowing() {
+        if (mStatusBarKeyguardViewManager == null) {
+            Slog.i(TAG, "isKeyguardShowing() called before startKeyguard(), returning true");
+            return true;
+        }
+        return mStatusBarKeyguardViewManager.isShowing();
+    }
 }
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/phone/KeyguardBottomAreaView.java b/packages/SystemUI/src/com/android/systemui/statusbar/phone/KeyguardBottomAreaView.java
index 4d0e5d34761b..c674a82d6090 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/phone/KeyguardBottomAreaView.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/phone/KeyguardBottomAreaView.java
@@ -305,7 +305,10 @@ public class KeyguardBottomAreaView extends FrameLayout implements View.OnClickL
             return;
         }
         ResolveInfo resolved = resolveCameraIntent();
-        boolean visible = !isCameraDisabledByDpm() && resolved != null
+        boolean isCameraDisabled =
+                (mPhoneStatusBar != null) && !mPhoneStatusBar.isCameraAllowedByAdmin();
+        boolean visible = !isCameraDisabled
+                && resolved != null
                 && getResources().getBoolean(R.bool.config_keyguardShowCameraAffordance)
                 && mUserSetupComplete;
         mCameraImageView.setVisibility(visible ? View.VISIBLE : View.GONE);
@@ -339,24 +342,6 @@ public class KeyguardBottomAreaView extends FrameLayout implements View.OnClickL
                 && pm.resolveActivity(PHONE_INTENT, 0) != null;
     }
 
-    private boolean isCameraDisabledByDpm() {
-        final DevicePolicyManager dpm =
-                (DevicePolicyManager) getContext().getSystemService(Context.DEVICE_POLICY_SERVICE);
-        if (dpm != null && mPhoneStatusBar != null) {
-            try {
-                final int userId = ActivityManagerNative.getDefault().getCurrentUser().id;
-                final int disabledFlags = dpm.getKeyguardDisabledFeatures(null, userId);
-                final  boolean disabledBecauseKeyguardSecure =
-                        (disabledFlags & DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA) != 0
-                                && mPhoneStatusBar.isKeyguardSecure();
-                return dpm.getCameraDisabled(null) || disabledBecauseKeyguardSecure;
-            } catch (RemoteException e) {
-                Log.e(TAG, "Can't get userId", e);
-            }
-        }
-        return false;
-    }
-
     private void watchForCameraPolicyChanges() {
         final IntentFilter filter = new IntentFilter();
         filter.addAction(DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED);
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/phone/NotificationPanelView.java b/packages/SystemUI/src/com/android/systemui/statusbar/phone/NotificationPanelView.java
index ede6fd08dd26..16e0e641d01e 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/phone/NotificationPanelView.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/phone/NotificationPanelView.java
@@ -31,6 +31,7 @@ import android.graphics.Paint;
 import android.graphics.Rect;
 import android.util.AttributeSet;
 import android.util.MathUtils;
+import android.util.EventLog;
 import android.view.MotionEvent;
 import android.view.VelocityTracker;
 import android.view.View;
@@ -2329,6 +2330,10 @@ public class NotificationPanelView extends PanelView implements
      * @param keyguardIsShowing whether keyguard is being shown
      */
     public boolean canCameraGestureBeLaunched(boolean keyguardIsShowing) {
+        if (!mStatusBar.isCameraAllowedByAdmin()) {
+            EventLog.writeEvent(0x534e4554, "63787722", -1, "");
+            return false;
+        }
         ResolveInfo resolveInfo = mKeyguardBottomArea.resolveCameraIntent();
         String packageToLaunch = (resolveInfo == null || resolveInfo.activityInfo == null)
                 ? null : resolveInfo.activityInfo.packageName;
-- 
cgit v1.2.3


From 5979a0b84a8623b04a013eaa1bdc008a9ea9e44d Mon Sep 17 00:00:00 2001
From: Charles He <qiurui@google.com>
Date: Fri, 14 Jul 2017 14:41:06 +0100
Subject: Fix security hole in GateKeeperResponse.

GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.

This CL changes writeToParcel() to make serialization and
deserialization consistent, thus fixing the issue.

Bug: 62998805
Test: use the debug app (see bug)
Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09
(cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)
---
 core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index a512957d6040..6ca6d8ac7100 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -85,6 +85,8 @@ public final class GateKeeperResponse implements Parcelable {
             if (mPayload != null) {
                 dest.writeInt(mPayload.length);
                 dest.writeByteArray(mPayload);
+            } else {
+                dest.writeInt(0);
             }
         }
     }
-- 
cgit v1.2.3