From 68e95273ebf3763a8469fab9e3856d0faab23141 Mon Sep 17 00:00:00 2001 From: Dmitry Dementyev Date: Thu, 17 Jun 2021 13:16:38 -0700 Subject: Change ownership of the account request notification. Add "Permission requested by Application..." string. Test: manual Bug: 179338675 Change-Id: Ib66ccc1b39bd1f3f8fa3b1efc38a9d413b72a321 (cherry picked from commit 26de0c231ffb9fd8d22e80ca120c766c26276779) --- core/res/res/values/strings.xml | 2 ++ core/res/res/values/symbols.xml | 1 + .../server/accounts/AccountManagerService.java | 21 +++++++++++++++------ 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml index ce6815f10b30..a65176ffd149 100644 --- a/core/res/res/values/strings.xml +++ b/core/res/res/values/strings.xml @@ -3376,6 +3376,8 @@ Deny Permission requested Permission requested\nfor account %s. + + Permission requested by %1$s\nfor account %2$s. You\'re using this app outside of your work profile diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml index 15a353ba2b05..febe06a7f816 100644 --- a/core/res/res/values/symbols.xml +++ b/core/res/res/values/symbols.xml @@ -506,6 +506,7 @@ + diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java index c61761651cee..8756bd685258 100644 --- a/services/core/java/com/android/server/accounts/AccountManagerService.java +++ b/services/core/java/com/android/server/accounts/AccountManagerService.java @@ -438,7 +438,7 @@ public class AccountManagerService if (!checkAccess || hasAccountAccess(account, packageName, UserHandle.getUserHandleForUid(uid))) { cancelNotification(getCredentialPermissionNotificationId(account, - AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName, + AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), UserHandle.getUserHandleForUid(uid)); } } 
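Review bot: The `cancelNotification(...)` call in the `@@ -438` hunk now relies on a two-argument overload that is not part of this patch, so the package it cancels under cannot be checked from here. The same applies to the call in the `@@ -4021` hunk inside `handleAuthenticatorResponse`. Because the matching `installNotification` call elsewhere in this commit now posts under the literal `"android"`, the cancel path has to resolve to the same owner, or a granted request will leave its notification behind. A shared constant used by both the install and the cancel side would make that pairing visible; at minimum add a comment here such as `// Cancels under the system package, matching installNotification(...)`. The enclosing method starts outside the hunk.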
@@ -3013,8 +3013,8 @@ public class AccountManagerService String authTokenType = intent.getStringExtra( GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE); final String titleAndSubtitle = - mContext.getString(R.string.permission_request_notification_with_subtitle, - account.name); + mContext.getString(R.string.permission_request_notification_for_app_with_subtitle, + getApplicationLabel(packageName), account.name); final int index = titleAndSubtitle.indexOf('\n'); String title = titleAndSubtitle; String subtitle = ""; @@ -3036,7 +3036,16 @@ public class AccountManagerService PendingIntent.FLAG_CANCEL_CURRENT, null, user)) .build(); installNotification(getCredentialPermissionNotificationId( - account, authTokenType, uid), n, packageName, user.getIdentifier()); + account, authTokenType, uid), n, "android", user.getIdentifier()); + } + + private String getApplicationLabel(String packageName) { + try { + return mPackageManager.getApplicationLabel( + mPackageManager.getApplicationInfo(packageName, 0)).toString(); + } catch (PackageManager.NameNotFoundException e) { + return packageName; + } } private Intent newGrantCredentialsPermissionIntent(Account account, String packageName, @@ -3072,7 +3081,7 @@ public class AccountManagerService nId = accounts.credentialsPermissionNotificationIds.get(key); if (nId == null) { String tag = TAG + ":" + SystemMessage.NOTE_ACCOUNT_CREDENTIAL_PERMISSION - + ":" + account.hashCode() + ":" + authTokenType.hashCode(); + + ":" + account.hashCode() + ":" + authTokenType.hashCode() + ":" + uid; int id = SystemMessage.NOTE_ACCOUNT_CREDENTIAL_PERMISSION; nId = new NotificationId(tag, id); accounts.credentialsPermissionNotificationIds.put(key, nId); 
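Review bot: The label returned by `getApplicationLabel(packageName)` is supplied by the requesting application and is formatted into `titleAndSubtitle` before the `indexOf('\n')` split in the `@@ -3013` hunk, so a line break inside the label would move the title/subtitle boundary. The notification is now posted as the system, so the text shown should not be shaped by the requester beyond its name. Normalise the label before formatting, for example `getApplicationLabel(packageName).replace('\n', ' ')`, and bound its length; the helper added in the `@@ -3036` hunk returns the raw `toString()` value. `PackageItemInfo.loadSafeLabel` may be a better source if it is usable from this service. The enclosing method starts and ends outside the hunk.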
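Review bot: In the `@@ -3036` hunk, `getApplicationLabel` looks the package up with `mPackageManager.getApplicationInfo(packageName, 0)`, which takes no user, while the notification is installed for `user.getIdentifier()`. `mPackageManager` is initialised outside the hunk; if it belongs to the system context, a package installed only in another user or profile would hit `NameNotFoundException` and the notification would show the raw package name. Consider passing the user id into the helper and resolving with `mPackageManager.getApplicationInfoAsUser(packageName, 0, userId)`. The helper also needs a short Javadoc stating that it falls back to the package name and that the result is application-controlled text.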
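Review bot: The `@@ -3072` hunk appends `uid` to the notification tag without saying why, and the reason matters for anyone who later edits the tag format. With every request now posted under one package, the tag appears to be the only thing keeping requests from different apps for the same account and token type apart. A comment above the `String tag = ...` line would record that, for example `// All requests are posted as "android"; the uid keeps tags from different requesters distinct.` The other tag components are `hashCode()` values, which are not unique, so the comment should not promise uniqueness beyond the uid. The enclosing method starts outside the hunk.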
@@ -4021,7 +4030,7 @@ public class AccountManagerService private void handleAuthenticatorResponse(boolean accessGranted) throws RemoteException { cancelNotification(getCredentialPermissionNotificationId(account, - AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName, + AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), UserHandle.getUserHandleForUid(uid)); if (callback != null) { Bundle result = new Bundle(); -- cgit v1.2.3 From 2e8287be1287479715486fba92b88b4daefebe9a Mon Sep 17 00:00:00 2001 From: John Reck Date: Thu, 22 Apr 2021 16:55:09 -0400 Subject: Fix a potential thread safety issue in VectorDrawable Bug: 158839504 Bug: 185178568 Test: speculative Change-Id: Id9f229f08fe5897dda25441fbaa15c98f8130de9 (cherry picked from commit 32207ceb2fb408d06924b46919fc438477fddcf0) --- graphics/java/android/graphics/drawable/VectorDrawable.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/graphics/java/android/graphics/drawable/VectorDrawable.java b/graphics/java/android/graphics/drawable/VectorDrawable.java index ceac3253e178..1772ab018a6d 100644 --- a/graphics/java/android/graphics/drawable/VectorDrawable.java +++ b/graphics/java/android/graphics/drawable/VectorDrawable.java 
@@ -264,15 +264,19 @@ public class VectorDrawable extends Drawable { private final Rect mTmpBounds = new Rect(); public VectorDrawable() { - this(new VectorDrawableState(null), null); + this(null, null); } /** * The one constructor to rule them all. This is called by all public * constructors to set the state and initialize local properties. */ - private VectorDrawable(@NonNull VectorDrawableState state, @Nullable Resources res) { - mVectorState = state; + private VectorDrawable(@Nullable VectorDrawableState state, @Nullable Resources res) { + // As the mutable, not-thread-safe native instance is stored in VectorDrawableState, we + // need to always do a defensive copy even if mutate() isn't called. Otherwise + // draw() being called on 2 different VectorDrawable instances could still hit the same + // underlying native object. + mVectorState = new VectorDrawableState(state); updateLocalState(res); } -- cgit v1.2.3 From 0acc4ee8c43ac9234ce603e142db197d5fcbc3ba Mon Sep 17 00:00:00 2001 From: Rhed Jao Date: Fri, 30 Jul 2021 15:52:05 +0800 Subject: DO NOT MERGE Apply a maximum char count to the load label api The system is overwhelmed by an enormous label string returned by the load label api. This cl truncates the label string if it exceeds the maximum safe length. Also update the max safe label length to 1000 characters, which is enough. Bug: 67013844 Test: atest PackageManagerTest Change-Id: Ia4d768cc93a47cfb8b6f7c4b6dc73abd801809bd Merged-in: Ia4d768cc93a47cfb8b6f7c4b6dc73abd801809bd (cherry picked from commit 7380c153b97bfa38a0dfa9cccc71062f6d6bd6f4) --- core/java/android/content/pm/PackageItemInfo.java | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/core/java/android/content/pm/PackageItemInfo.java b/core/java/android/content/pm/PackageItemInfo.java index 84b779466dbf..63a158b0bf40 100644 --- a/core/java/android/content/pm/PackageItemInfo.java +++ b/core/java/android/content/pm/PackageItemInfo.java 
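Review bot: The Javadoc above the private constructor still says it is called "to set the state", but the new body never retains the `state` argument and always stores `new VectorDrawableState(state)`. That contract change should be in the Javadoc, not only in the inline comment, for example `@param state state to copy; never retained, may be null for an empty drawable`. `mutate()` is outside the hunk; if it still copies `mVectorState`, every mutated drawable now pays for two copies of the native tree, which is worth confirming since the commit lists its test as speculative. It would also help to state whether the copy constructor reads the source state's native object, because that read happens on whichever thread constructs the drawable.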
@@ -43,7 +43,7 @@ import java.util.Comparator; public class PackageItemInfo { private static final float MAX_LABEL_SIZE_PX = 500f; /** The maximum length of a safe label, in characters */ - private static final int MAX_SAFE_LABEL_LENGTH = 50000; + private static final int MAX_SAFE_LABEL_LENGTH = 1000; /** * Public name of this item. From the "android:name" attribute. @@ -131,6 +131,12 @@ public class PackageItemInfo { * item does not have a label, its name is returned. */ public CharSequence loadLabel(PackageManager pm) { + // Trims the label string to the MAX_SAFE_LABEL_LENGTH. This is to prevent that the + // system is overwhelmed by an enormous string returned by the application. + return trimToSize(loadUnsafeLabel(pm), MAX_SAFE_LABEL_LENGTH); + } + + private CharSequence loadUnsafeLabel(PackageManager pm) { if (nonLocalizedLabel != null) { return nonLocalizedLabel; } @@ -146,6 +152,15 @@ public class PackageItemInfo { return packageName; } + private CharSequence trimToSize(CharSequence label, int size) { + if (TextUtils.isEmpty(label) || label.length() <= size) return label; + if (Character.isHighSurrogate(label.charAt(size - 1)) + && Character.isLowSurrogate(label.charAt(size))) { + size = size - 1; + } + return label.subSequence(0, size); + } + /** * Same as {@link #loadLabel(PackageManager)} with the addition that * the returned label is safe for being presented in the UI since it -- cgit v1.2.3 From c2852d0c1855175155c8ac1aba47baca8f8cab0d Mon Sep 17 00:00:00 2001 
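Review bot: The public `loadLabel` in the `@@ -131` hunk now truncates its result, but the Javadoc above it still only says the name is returned when there is no label. Callers that compare or persist labels need to know about the cut, so add a sentence such as `The returned label is truncated to a maximum number of characters.` The helper name `loadUnsafeLabel` also suggests that `loadLabel` returns something safe for display. It is only length-bounded here, while the Javadoc of the following method reserves "safe for being presented in the UI" for the safe-label variant; a name like `loadUntrimmedLabel` would avoid that reading. The inline comment would read better as `// Trim the label to MAX_SAFE_LABEL_LENGTH so an oversized string from the application cannot overwhelm the system.`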
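Review bot: `trimToSize` in the `@@ -146` hunk reads `label.charAt(size - 1)` with no guard on `size`, so a non-empty label with `size == 0` would throw. The only caller passes `MAX_SAFE_LABEL_LENGTH`, so this is latent, but the precondition should be enforced or documented, for example `if (size <= 0) return "";` ahead of the surrogate check. The method uses no instance state and can be `private static`. The brace-less `if (...) return label;` and the reassignment of the `size` parameter are harder to read than a local, `final int end = splitsPair ? size - 1 : size;`. A one-line comment that the adjustment avoids cutting a surrogate pair in half would also help.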
From: Dave Mankoff Date: Wed, 21 Jul 2021 10:08:04 -0400 Subject: Guard DISABLE_PLUGIN with PLUGIN permission. Fixes a p0 security bug. We already have the plugin permission defined in our manifest. Ensure that senders of the DISABLE_PLUGIN broadcast have that permission. Fixes: 193444889 Test: manual Change-Id: Iebaba435c17c5644c5357c0683858447f5ffb897 Merged-In: Iebaba435c17c5644c5357c0683858447f5ffb897 (cherry picked from commit de779f8124595b4097ca890691a23a3fd629ef40) --- .../SystemUI/src/com/android/systemui/plugins/PluginManagerImpl.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/SystemUI/src/com/android/systemui/plugins/PluginManagerImpl.java b/packages/SystemUI/src/com/android/systemui/plugins/PluginManagerImpl.java index 03747d50a6fa..fab0e281d2c0 100644 --- a/packages/SystemUI/src/com/android/systemui/plugins/PluginManagerImpl.java +++ b/packages/SystemUI/src/com/android/systemui/plugins/PluginManagerImpl.java @@ -181,10 +181,12 @@ public class PluginManagerImpl extends BroadcastReceiver implements PluginManage IntentFilter filter = new IntentFilter(Intent.ACTION_PACKAGE_ADDED); filter.addAction(Intent.ACTION_PACKAGE_CHANGED); filter.addAction(Intent.ACTION_PACKAGE_REMOVED); + filter.addDataScheme("package"); + mContext.registerReceiver(this, filter); filter.addAction(PLUGIN_CHANGED); filter.addAction(DISABLE_PLUGIN); filter.addDataScheme("package"); - mContext.registerReceiver(this, filter); + mContext.registerReceiver(this, filter, PluginInstanceManager.PLUGIN_PERMISSION, null); filter = new IntentFilter(Intent.ACTION_USER_UNLOCKED); mContext.registerReceiver(this, filter); } -- cgit v1.2.3 From d03d598da4ce4ee12b4269b360fbe581019a1916 Mon Sep 17 00:00:00 2001 
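Review bot: The permission-guarded registration reuses the `filter` object that was just passed to the unguarded `registerReceiver(this, filter)` call, adding `PLUGIN_CHANGED` and `DISABLE_PLUGIN` to it afterwards. The fix therefore depends on the first registration having taken a copy of the filter; nothing in the hunk shows that, and if it held on to the same object the unguarded receiver would match `DISABLE_PLUGIN` as well. The reused filter also still carries the three `ACTION_PACKAGE_*` actions and adds the `"package"` scheme a second time. Building a separate filter for the two plugin actions keeps the guarded and unguarded sets disjoint by construction. The enclosing method starts outside the hunk.

```java
mContext.registerReceiver(this, filter);
// Plugin control actions get their own filter so that only the
// permission-guarded registration can ever match them.
IntentFilter pluginFilter = new IntentFilter(PLUGIN_CHANGED);
pluginFilter.addAction(DISABLE_PLUGIN);
pluginFilter.addDataScheme("package");
mContext.registerReceiver(this, pluginFilter, PluginInstanceManager.PLUGIN_PERMISSION, null);
// … unchanged: ACTION_USER_UNLOCKED registration …
```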
From: MahendaviAamir Date: Wed, 9 Jun 2021 17:10:42 +0530 Subject: Send targeted broadcasts to prevent other apps from receiving them. When sending broadcasts ACTION_SNOOZE_WARNING in NPMS, which may contain sensitive information, explicitly set the package name that should receive it to prevent other apps from receiving them. Bug: 177931370 Test: manual Change-Id: I2a0a0dc09e27791de829bacfb2e865ffea993715 Merged-In: I11d736771d859d2af27d5c84a502ab038974e2e2 (cherry picked from commit fdbcf17a4eda04e3140b5d97658a3d4815abd9f5) --- .../java/com/android/server/net/NetworkPolicyManagerService.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java index 5159c70e991c..0940c09049bd 100644 --- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java +++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java @@ -1155,8 +1155,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { builder.setContentText(body); builder.setDefaults(Notification.DEFAULT_ALL); builder.setChannelId(SystemNotificationChannels.NETWORK_ALERTS); - - final Intent snoozeIntent = buildSnoozeWarningIntent(policy.template); + final Intent snoozeIntent = buildSnoozeWarningIntent(policy.template, + mContext.getPackageName()); builder.setDeleteIntent(PendingIntent.getBroadcast( mContext, 0, snoozeIntent, PendingIntent.FLAG_UPDATE_CURRENT)); 
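Review bot: The `PendingIntent.getBroadcast(...)` call that wraps the now-targeted `snoozeIntent` still passes only `PendingIntent.FLAG_UPDATE_CURRENT`, so the pending intent stays mutable. It is attached to a notification as the delete intent, which means it is handed to code outside this service. Setting the package closes the implicit-broadcast exposure, and marking the pending intent immutable would also stop a holder from filling in any fields that remain unset: `PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE`. Other `PendingIntent` creations in this method are outside the hunk and should be checked for the same thing. The enclosing method starts and ends outside the hunk.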
@@ -4243,9 +4243,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { return new Intent(ACTION_ALLOW_BACKGROUND); } - private static Intent buildSnoozeWarningIntent(NetworkTemplate template) { + private static Intent buildSnoozeWarningIntent(NetworkTemplate template, String targetPackage) { final Intent intent = new Intent(ACTION_SNOOZE_WARNING); intent.putExtra(EXTRA_NETWORK_TEMPLATE, template); + intent.setPackage(targetPackage); return intent; } -- cgit v1.2.3
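Review bot: The builder visible in the context lines directly above still returns `new Intent(ACTION_ALLOW_BACKGROUND)` with no package set. If that intent is also delivered as a broadcast (its callers are outside the hunk), it has the same exposure this commit closes for `ACTION_SNOOZE_WARNING` and should take a `targetPackage` too. In `buildSnoozeWarningIntent`, a null `targetPackage` makes `intent.setPackage(...)` clear the restriction silently, so the parameter should be documented as required or checked. A one-line Javadoc such as `/** Builds a snooze broadcast restricted to {@code targetPackage}. */` would record why the parameter exists.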