Loading core/java/android/app/Notification.java +5 −2 Original line number Diff line number Diff line Loading @@ -3357,8 +3357,11 @@ public class Notification implements Parcelable * * @hide */ public void setAllowlistToken(@Nullable IBinder token) { mAllowlistToken = token; public void clearAllowlistToken() { mAllowlistToken = null; if (publicVersion != null) { publicVersion.clearAllowlistToken(); } } /** Loading core/java/android/hardware/usb/UsbConfiguration.java +2 −1 Original line number Diff line number Diff line Loading @@ -172,7 +172,8 @@ public class UsbConfiguration implements Parcelable { String name = in.readString(); int attributes = in.readInt(); int maxPower = in.readInt(); Parcelable[] interfaces = in.readParcelableArray(UsbInterface.class.getClassLoader()); Parcelable[] interfaces = in.readParcelableArray( UsbInterface.class.getClassLoader(), UsbInterface.class); UsbConfiguration configuration = new UsbConfiguration(id, name, attributes, maxPower); configuration.setInterfaces(interfaces); return configuration; Loading packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +31 −0 Original line number Diff line number Diff line Loading @@ -1906,6 +1906,9 @@ public class SettingsProvider extends ContentProvider { cacheName = Settings.System.ALARM_ALERT_CACHE; } if (cacheName != null) { if (!isValidAudioUri(name, value)) { return false; } final File cacheFile = new File( getRingtoneCacheDir(owningUserId), cacheName); cacheFile.delete(); Loading Loading @@ -1938,6 +1941,34 @@ public class SettingsProvider extends ContentProvider { } } private boolean isValidAudioUri(String name, String uri) { if (uri != null) { Uri audioUri = Uri.parse(uri); if (Settings.AUTHORITY.equals( ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) { // Don't accept setting the default uri to self-referential URIs like // Settings.System.DEFAULT_RINGTONE_URI, which is an alias to the value of this // setting. return false; } final String mimeType = getContext().getContentResolver().getType(audioUri); if (mimeType == null) { Slog.e(LOG_TAG, "mutateSystemSetting for setting: " + name + " URI: " + audioUri + " ignored: failure to find mimeType (no access from this context?)"); return false; } if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") || mimeType.equals("application/x-flac"))) { Slog.e(LOG_TAG, "mutateSystemSetting for setting: " + name + " URI: " + audioUri + " ignored: associated mimeType: " + mimeType + " is not an audio type"); return false; } } return true; } private boolean hasWriteSecureSettingsPermission() { // Write secure settings is a more protected permission. If caller has it we are good. return getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS) Loading services/core/java/com/android/server/am/ActivityManagerService.java +21 −2 Original line number Diff line number Diff line Loading @@ -2807,6 +2807,22 @@ public class ActivityManagerService extends IActivityManager.Stub } } /** * Enforces that the uid of the caller matches the uid of the package. * * @param packageName the name of the package to match uid against. * @param callingUid the uid of the caller. * @throws SecurityException if the calling uid doesn't match uid of the package. */ private void enforceCallingPackage(String packageName, int callingUid) { final int userId = UserHandle.getUserId(callingUid); final int packageUid = getPackageManagerInternal().getPackageUid(packageName, /*flags=*/ 0, userId); if (packageUid != callingUid) { throw new SecurityException(packageName + " does not belong to uid " + callingUid); } } @Override public void setPackageScreenCompatMode(String packageName, int mode) { mActivityTaskManager.setPackageScreenCompatMode(packageName, mode); Loading Loading @@ -12267,13 +12283,16 @@ public class ActivityManagerService extends IActivityManager.Stub // A backup agent has just come up @Override public void backupAgentCreated(String agentPackageName, IBinder agent, int userId) { final int callingUid = Binder.getCallingUid(); enforceCallingPackage(agentPackageName, callingUid); // Resolve the target user id and enforce permissions. userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId = mUserController.handleIncomingUser(Binder.getCallingPid(), callingUid, userId, /* allowAll */ false, ALLOW_FULL_ONLY, "backupAgentCreated", null); if (DEBUG_BACKUP) { Slog.v(TAG_BACKUP, "backupAgentCreated: " + agentPackageName + " = " + agent + " callingUserId = " + UserHandle.getCallingUserId() + " userId = " + userId + " callingUid = " + Binder.getCallingUid() + " uid = " + Process.myUid()); + " callingUid = " + callingUid + " uid = " + Process.myUid()); } synchronized(this) { services/core/java/com/android/server/notification/NotificationManagerService.java +1 −1 Original line number Diff line number Diff line Loading @@ -4240,7 +4240,7 @@ public class NotificationManagerService extends SystemService { // Remove background token before returning notification to untrusted app, this // ensures the app isn't able to perform background operations that are // associated with notification interactions. notification.setAllowlistToken(null); notification.clearAllowlistToken(); return new StatusBarNotification( sbn.getPackageName(), sbn.getOpPkg(), Loading Loading
core/java/android/app/Notification.java +5 −2 Original line number Diff line number Diff line Loading @@ -3357,8 +3357,11 @@ public class Notification implements Parcelable * * @hide */ public void setAllowlistToken(@Nullable IBinder token) { mAllowlistToken = token; public void clearAllowlistToken() { mAllowlistToken = null; if (publicVersion != null) { publicVersion.clearAllowlistToken(); } } /** Loading
core/java/android/hardware/usb/UsbConfiguration.java +2 −1 Original line number Diff line number Diff line Loading @@ -172,7 +172,8 @@ public class UsbConfiguration implements Parcelable { String name = in.readString(); int attributes = in.readInt(); int maxPower = in.readInt(); Parcelable[] interfaces = in.readParcelableArray(UsbInterface.class.getClassLoader()); Parcelable[] interfaces = in.readParcelableArray( UsbInterface.class.getClassLoader(), UsbInterface.class); UsbConfiguration configuration = new UsbConfiguration(id, name, attributes, maxPower); configuration.setInterfaces(interfaces); return configuration; Loading
packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +31 −0 Original line number Diff line number Diff line Loading @@ -1906,6 +1906,9 @@ public class SettingsProvider extends ContentProvider { cacheName = Settings.System.ALARM_ALERT_CACHE; } if (cacheName != null) { if (!isValidAudioUri(name, value)) { return false; } final File cacheFile = new File( getRingtoneCacheDir(owningUserId), cacheName); cacheFile.delete(); Loading Loading @@ -1938,6 +1941,34 @@ public class SettingsProvider extends ContentProvider { } } private boolean isValidAudioUri(String name, String uri) { if (uri != null) { Uri audioUri = Uri.parse(uri); if (Settings.AUTHORITY.equals( ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) { // Don't accept setting the default uri to self-referential URIs like // Settings.System.DEFAULT_RINGTONE_URI, which is an alias to the value of this // setting. return false; } final String mimeType = getContext().getContentResolver().getType(audioUri); if (mimeType == null) { Slog.e(LOG_TAG, "mutateSystemSetting for setting: " + name + " URI: " + audioUri + " ignored: failure to find mimeType (no access from this context?)"); return false; } if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") || mimeType.equals("application/x-flac"))) { Slog.e(LOG_TAG, "mutateSystemSetting for setting: " + name + " URI: " + audioUri + " ignored: associated mimeType: " + mimeType + " is not an audio type"); return false; } } return true; } private boolean hasWriteSecureSettingsPermission() { // Write secure settings is a more protected permission. If caller has it we are good. return getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS) Loading
services/core/java/com/android/server/am/ActivityManagerService.java +21 −2 Original line number Diff line number Diff line Loading @@ -2807,6 +2807,22 @@ public class ActivityManagerService extends IActivityManager.Stub } } /** * Enforces that the uid of the caller matches the uid of the package. * * @param packageName the name of the package to match uid against. * @param callingUid the uid of the caller. * @throws SecurityException if the calling uid doesn't match uid of the package. */ private void enforceCallingPackage(String packageName, int callingUid) { final int userId = UserHandle.getUserId(callingUid); final int packageUid = getPackageManagerInternal().getPackageUid(packageName, /*flags=*/ 0, userId); if (packageUid != callingUid) { throw new SecurityException(packageName + " does not belong to uid " + callingUid); } } @Override public void setPackageScreenCompatMode(String packageName, int mode) { mActivityTaskManager.setPackageScreenCompatMode(packageName, mode); Loading Loading @@ -12267,13 +12283,16 @@ public class ActivityManagerService extends IActivityManager.Stub // A backup agent has just come up @Override public void backupAgentCreated(String agentPackageName, IBinder agent, int userId) { final int callingUid = Binder.getCallingUid(); enforceCallingPackage(agentPackageName, callingUid); // Resolve the target user id and enforce permissions. userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId = mUserController.handleIncomingUser(Binder.getCallingPid(), callingUid, userId, /* allowAll */ false, ALLOW_FULL_ONLY, "backupAgentCreated", null); if (DEBUG_BACKUP) { Slog.v(TAG_BACKUP, "backupAgentCreated: " + agentPackageName + " = " + agent + " callingUserId = " + UserHandle.getCallingUserId() + " userId = " + userId + " callingUid = " + Binder.getCallingUid() + " uid = " + Process.myUid()); + " callingUid = " + callingUid + " uid = " + Process.myUid()); } synchronized(this) {
services/core/java/com/android/server/notification/NotificationManagerService.java +1 −1 Original line number Diff line number Diff line Loading @@ -4240,7 +4240,7 @@ public class NotificationManagerService extends SystemService { // Remove background token before returning notification to untrusted app, this // ensures the app isn't able to perform background operations that are // associated with notification interactions. notification.setAllowlistToken(null); notification.clearAllowlistToken(); return new StatusBarNotification( sbn.getPackageName(), sbn.getOpPkg(), Loading
