From 0fd509cf98ca2059ac9a5c8ce192d5c7842d8267 Mon Sep 17 00:00:00 2001 From: Phil Weaver Date: Thu, 6 Apr 2017 17:40:51 -0700 Subject: Make a11y node info parceling more robust Fix a bug where a malformed Parceled representation of an AccessibilityNodeInfo could be used to mess with Bundles as they get reparceled. Bug: 36491278 Test: Verified that POC no longer works, a11y cts still passes. Change-Id: I10f24747e3ab87d77cd1deba56db4526e3aa5441 (cherry picked from commit 687bb44b437f7bb24dd3dddf072c2f646308e2ca) (cherry picked from commit d0e54c1c096f4836c7eb4054ff02e5e5563f9577) --- .../view/accessibility/AccessibilityNodeInfo.java | 23 +++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/core/java/android/view/accessibility/AccessibilityNodeInfo.java b/core/java/android/view/accessibility/AccessibilityNodeInfo.java index 86ed499cabc0..b7094912569b 100644 --- a/core/java/android/view/accessibility/AccessibilityNodeInfo.java +++ b/core/java/android/view/accessibility/AccessibilityNodeInfo.java @@ -2670,16 +2670,19 @@ public class AccessibilityNodeInfo implements Parcelable { if (mActions != null && !mActions.isEmpty()) { final int actionCount = mActions.size(); - parcel.writeInt(actionCount); + int nonLegacyActionCount = 0; int defaultLegacyStandardActions = 0; for (int i = 0; i < actionCount; i++) { AccessibilityAction action = mActions.get(i); if (isDefaultLegacyStandardAction(action)) { defaultLegacyStandardActions |= action.getId(); + } else { + nonLegacyActionCount++; } } parcel.writeInt(defaultLegacyStandardActions); + parcel.writeInt(nonLegacyActionCount); for (int i = 0; i < actionCount; i++) { AccessibilityAction action = mActions.get(i); @@ -2690,6 +2693,7 @@ public class AccessibilityNodeInfo implements Parcelable { } } else { parcel.writeInt(0); + parcel.writeInt(0); } parcel.writeInt(mMaxTextLength); 
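Review bot: The new `nonLegacyActionCount` written in the first hunk is only correct if the counting predicate `isDefaultLegacyStandardAction(action)` is the exact complement of the filter used by the second loop that actually writes the (id, label) pairs, and nothing in the hunk ties those two together; the tail of that second loop lies outside the hunk, so a later edit to either filter would silently desynchronise the count from the bytes that follow it. A one-line comment on the increment would pin the invariant: `nonLegacyActionCount++; // must equal the number of (id, label) pairs written by the loop below`. The same applies to the two `parcel.writeInt(0)` lines in the else branch of the second hunk, which now encode "empty legacy mask, zero non-legacy actions" and must stay in lockstep with the two reads on the read side; `parcel.writeInt(0); // non-legacy action count, mirrors the read side` would make that explicit. The enclosing method begins and ends outside both hunks.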
@@ -2853,16 +2857,13 @@ public class AccessibilityNodeInfo implements Parcelable { mBoundsInScreen.left = parcel.readInt(); mBoundsInScreen.right = parcel.readInt(); - final int actionCount = parcel.readInt(); - if (actionCount > 0) { - final int legacyStandardActions = parcel.readInt(); - addLegacyStandardActions(legacyStandardActions); - final int nonLegacyActionCount = actionCount - Integer.bitCount(legacyStandardActions); - for (int i = 0; i < nonLegacyActionCount; i++) { - final AccessibilityAction action = new AccessibilityAction( - parcel.readInt(), parcel.readCharSequence()); - addActionUnchecked(action); - } + final int legacyStandardActions = parcel.readInt(); + addLegacyStandardActions(legacyStandardActions); + final int nonLegacyActionCount = parcel.readInt(); + for (int i = 0; i < nonLegacyActionCount; i++) { + final AccessibilityAction action = new AccessibilityAction( + parcel.readInt(), parcel.readCharSequence()); + addActionUnchecked(action); } mMaxTextLength = parcel.readInt(); -- cgit v1.2.3 From bf5b43c529ffb7d533f5907d107b925d70fff578 Mon Sep 17 00:00:00 2001 
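Review bot: `nonLegacyActionCount` is now taken verbatim from the parcel instead of being derived from the legacy bitmask, which removes the writer/reader disagreement, but the loop still trusts a parcel-supplied count with no upper bound: a negative value is harmless because the body never runs, while a very large one keeps reading int/CharSequence pairs until the parcel is exhausted, and what `Parcel` does on over-read is not visible here. Since the intent is that the writer emitted exactly this many pairs, a comment on the read would preserve that reasoning and discourage anyone from re-deriving the count later: `// number of (id, label) pairs that follow; written explicitly so the reader never infers it from the mask`. Whether an explicit sanity cap is also wanted depends on how `addActionUnchecked` behaves on garbage entries, which is outside the hunk. The enclosing method starts and ends outside the hunk.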
From: Nick Kralevich Date: Wed, 15 Feb 2017 15:12:31 -0800 Subject: system_server: add CAP_SYS_PTRACE Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added CAP_SYS_RESOURCE as a capability check which would allow access to sensitive /proc/PID files. system_server uses this capability to collect smaps from managed processes. Presumably this was done to avoid the implications of granting CAP_SYS_PTRACE to system_server. However, with SELinux enforcement, we can grant CAP_SYS_PTRACE but not allow ptrace attach() to other processes. The net result of this is that CAP_SYS_PTRACE and CAP_SYS_RESOURCE have identical security controls, as long as system_server:process ptrace is never granted. Add CAP_SYS_PTRACE to the set of capabilities granted to system_server. Don't delete CAP_SYS_RESOURCE for now. SELinux has blocked the use of CAP_SYS_RESOURCE, but we still want to generate audit logs if it's triggered. CAP_SYS_RESOURCE can be deleted in a future commit. Bug: 34951864 Bug: 38496951 Test: Device boots, functionality remains identical, no sys_resource denials from system_server. Change-Id: I2570266165396dba2b600eac7c42c94800d9c65b (cherry picked from commit 3082eb7c7253c62a06aa151a80487a4eabd49914) (cherry picked from commit 966619d0ab6950fb6c90127b47d493b4c8617878) --- core/java/com/android/internal/os/ZygoteInit.java | 1 + 1 file changed, 1 insertion(+) diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java index 59283bb2e2e1..9114b3473735 100644 --- a/core/java/com/android/internal/os/ZygoteInit.java +++ b/core/java/com/android/internal/os/ZygoteInit.java @@ -501,6 +501,7 @@ public class ZygoteInit { OsConstants.CAP_NET_RAW, OsConstants.CAP_SYS_MODULE, OsConstants.CAP_SYS_NICE, + OsConstants.CAP_SYS_PTRACE, OsConstants.CAP_SYS_RESOURCE, OsConstants.CAP_SYS_TIME, OsConstants.CAP_SYS_TTY_CONFIG -- cgit v1.2.3 From fb07b46c0622dade6718ae3134bf0f590d557f6d Mon Sep 17 00:00:00 2001 
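Review bot: The added `OsConstants.CAP_SYS_PTRACE` entry carries none of the rationale that makes it acceptable — the commit message says the grant is only equivalent to CAP_SYS_RESOURCE as long as SELinux never allows `system_server:process ptrace` — so a reader of this list sees only that system_server is handed a ptrace capability. That dependency on policy lives elsewhere, so it should be recorded next to the line: `OsConstants.CAP_SYS_PTRACE, // for /proc/PID access only; ptrace attach remains denied by SELinux policy`. The enclosing capability list, and the method it belongs to, start and end outside the hunk.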
From: Nick Kralevich Date: Tue, 14 Mar 2017 10:25:35 -0700 Subject: ZygoteInit: Remove CAP_SYS_RESOURCE Please see commit 3082eb7c7253c62a06aa151a80487a4eabd49914 for an explanation of this change. This capability is not used by system_server. Bug: 34951864 Bug: 38496951 Test: code compiles, device boots, no selinux errors ever reported. Change-Id: I4242b1abaa8679b9bfa0d31a1df565b46b7b3cc3 (cherry picked from commit 35775783fc6609035136184e3843bc743b59945d) (cherry picked from commit 4911af2b8ced29dc5035dca301dc80939c9bdab5) --- core/java/com/android/internal/os/ZygoteInit.java | 1 - 1 file changed, 1 deletion(-) diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java index 9114b3473735..ffe53a53dffc 100644 --- a/core/java/com/android/internal/os/ZygoteInit.java +++ b/core/java/com/android/internal/os/ZygoteInit.java @@ -502,7 +502,6 @@ public class ZygoteInit { OsConstants.CAP_SYS_MODULE, OsConstants.CAP_SYS_NICE, OsConstants.CAP_SYS_PTRACE, - OsConstants.CAP_SYS_RESOURCE, OsConstants.CAP_SYS_TIME, OsConstants.CAP_SYS_TTY_CONFIG ); -- cgit v1.2.3