Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 2da9d826 authored by Michael Bestas's avatar Michael Bestas
Browse files

Merge tag 'android-security-13.0.0_r12' into staging/lineage-20.0_merge-android-security-13.0.0_r12 

Android Security 13.0.0 Release 12 (10993242)

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZW4YFAAKCRDorT+BmrEO
# eKMmAJ4xzqaCt262gfWss+wGj8cRqIKfMQCeNfFLqjK3AnqeMohEK4n91oE5u24=
# =lSwo
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Dec  4 20:19:00 2023 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 2092 signatures in the past
#      2 years.  Encrypted 4 messages in the past 23 months.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78

# By Pinyao Ting (3) and others
# Via Android Build Coastguard Worker
* tag 'android-security-13.0.0_r12':
  Check URI permissions for resumable media artwork
  Stop using deprecated getParcelable method in AccountManagerService.
  Move startWatchingModeWithFlags to the native supported binder calls
  Updated: always show the keyguard on device lockdown
  Adding in verification of calling UID in onShellCommand
  Revert "On device lockdown, always show the keyguard"
  Validate userId when publishing shortcuts
  Use readUniqueFileDescriptor in incidentd service
  Restrict number of shortcuts can be added through addDynamicShortcuts
  Require permission to unlock keyguard
  Disable priority conversation widget for secondary users
  Validate URI-based shortcut icon at creation time.
  RESTRICT AUTOMERGE: Drop invalid data.
  Visit Uris related to Notification style extras
  Fix bypass BAL via `requestGeofence`
  Visit Uris added by WearableExtender

 Conflicts:
	packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
	packages/SystemUI/src/com/android/systemui/media/controls/pipeline/MediaDataManager.kt
	packages/SystemUI/src/com/android/systemui/statusbar/notification/dagger/NotificationsModule.java
	packages/SystemUI/src/com/android/systemui/statusbar/notification/row/NotificationConversationInfo.java
	packages/SystemUI/src/com/android/systemui/statusbar/notification/row/NotificationGutsManager.java
	packages/SystemUI/tests/src/com/android/systemui/media/MediaDataManagerTest.kt
	packages/SystemUI/tests/src/com/android/systemui/statusbar/notification/row/NotificationGutsManagerTest.java

Change-Id: Ida8c817195a98650446ef2e4091f2481b861984b
parents d46a80e4 d203ccf2

cmds/incidentd/src/IncidentService.cpp

+12 −8
Original line number Diff line number Diff line
@@ -500,9 +500,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* 


    switch (code) {

        case SHELL_COMMAND_TRANSACTION: {

            int in = data.readFileDescriptor();

            int out = data.readFileDescriptor();

            int err = data.readFileDescriptor();

            unique_fd in, out, err;

            if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status;



            if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status;



            if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status;



            int argc = data.readInt32();

            Vector<String8> args;

            for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
@@ -512,15 +516,15 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* 
            sp<IResultReceiver> resultReceiver =

                    IResultReceiver::asInterface(data.readStrongBinder());



            FILE* fin = fdopen(in, "r");

            FILE* fout = fdopen(out, "w");

            FILE* ferr = fdopen(err, "w");

            FILE* fin = fdopen(in.release(), "r");

            FILE* fout = fdopen(out.release(), "w");

            FILE* ferr = fdopen(err.release(), "w");



            if (fin == NULL || fout == NULL || ferr == NULL) {

                resultReceiver->send(NO_MEMORY);

            } else {

                err = command(fin, fout, ferr, args);

                resultReceiver->send(err);

                status_t result = command(fin, fout, ferr, args);

                resultReceiver->send(result);

            }



            if (fin != NULL) {

core/java/android/app/IActivityTaskManager.aidl

+1 −0
Original line number Diff line number Diff line
@@ -241,6 +241,7 @@ interface IActivityTaskManager { 
     *              {@link android.view.WindowManagerPolicyConstants#KEYGUARD_GOING_AWAY_FLAG_TO_SHADE}

     *              etc.

     */

     @JavaPassthrough(annotation="@android.annotation.RequiresPermission(android.Manifest.permission.CONTROL_KEYGUARD)")

    void keyguardGoingAway(int flags);



    void suppressResizeConfigChanges(boolean suppress);

core/java/android/app/IUriGrantsManager.aidl

+3 −0
Original line number Diff line number Diff line
@@ -39,4 +39,7 @@ interface IUriGrantsManager { 
    void clearGrantedUriPermissions(in String packageName, int userId);

    ParceledListSlice getUriPermissions(in String packageName, boolean incoming,

            boolean persistedOnly);



    int checkGrantUriPermission_ignoreNonSystem(

            int sourceUid, String targetPkg, in Uri uri, int modeFlags, int userId);

}

core/java/android/app/Notification.java

+33 −16
Original line number Diff line number Diff line
@@ -2138,6 +2138,10 @@ public class Notification implements Parcelable 
            }

        }













        private void visitUris(@NonNull Consumer<Uri> visitor) {













            visitIconUri(visitor, getIcon());













        }



























        @Override















        public Action clone() {















            return new Action(










@@ -2823,7 +2827,7 @@ public class Notification implements Parcelable



























        if (actions != null) {















            for (Action action : actions) {













                visitIconUri(visitor, action.getIcon());













                action.visitUris(visitor);















            }















        }























@@ -2846,18 +2850,14 @@ public class Notification implements Parcelable













                visitor.accept(Uri.parse(extras.getString(EXTRA_BACKGROUND_IMAGE_URI)));















            }



























            ArrayList<Person> people = extras.getParcelableArrayList(EXTRA_PEOPLE_LIST);













            ArrayList<Person> people = extras.getParcelableArrayList(EXTRA_PEOPLE_LIST,













                    Person.class);















            if (people != null && !people.isEmpty()) {















                for (Person p : people) {















                    visitor.accept(p.getIconUri());















                }















            }



























            final Person person = extras.getParcelable(EXTRA_MESSAGING_PERSON, Person.class);













            if (person != null) {













                visitor.accept(person.getIconUri());













            }



























            final RemoteInputHistoryItem[] history = extras.getParcelableArray(















                    Notification.EXTRA_REMOTE_INPUT_HISTORY_ITEMS,















                    RemoteInputHistoryItem.class);









@@ -2869,10 +2869,16 @@ public class Notification implements Parcelable













                    }















                }















            }

























            // Extras for MessagingStyle. We visit them even if not isStyle(MessagingStyle), since













            // Notification Listeners might use directly (without the isStyle check).













            final Person person = extras.getParcelable(EXTRA_MESSAGING_PERSON, Person.class);













            if (person != null) {













                visitor.accept(person.getIconUri());















            }



























        if (isStyle(MessagingStyle.class) && extras != null) {













            final Parcelable[] messages = extras.getParcelableArray(EXTRA_MESSAGES);













            final Parcelable[] messages = extras.getParcelableArray(EXTRA_MESSAGES,













                    Parcelable.class);















            if (!ArrayUtils.isEmpty(messages)) {















                for (MessagingStyle.Message message : MessagingStyle.Message















                        .getMessagesFromBundleArray(messages)) {









@@ -2885,7 +2891,8 @@ public class Notification implements Parcelable













                }















            }



























            final Parcelable[] historic = extras.getParcelableArray(EXTRA_HISTORIC_MESSAGES);













            final Parcelable[] historic = extras.getParcelableArray(EXTRA_HISTORIC_MESSAGES,













                    Parcelable.class);















            if (!ArrayUtils.isEmpty(historic)) {















                for (MessagingStyle.Message message : MessagingStyle.Message















                        .getMessagesFromBundleArray(historic)) {









@@ -2898,20 +2905,24 @@ public class Notification implements Parcelable













                }















            }



























            visitIconUri(visitor, extras.getParcelable(EXTRA_CONVERSATION_ICON));













        }













            visitIconUri(visitor, extras.getParcelable(EXTRA_CONVERSATION_ICON, Icon.class));



























        if (isStyle(CallStyle.class) & extras != null) {













            Person callPerson = extras.getParcelable(EXTRA_CALL_PERSON);













            // Extras for CallStyle (same reason for visiting without checking isStyle).













            Person callPerson = extras.getParcelable(EXTRA_CALL_PERSON, Person.class);















            if (callPerson != null) {















                visitor.accept(callPerson.getIconUri());















            }













            visitIconUri(visitor, extras.getParcelable(EXTRA_VERIFICATION_ICON));













            visitIconUri(visitor, extras.getParcelable(EXTRA_VERIFICATION_ICON, Icon.class));















        }





























        if (mBubbleMetadata != null) {















            visitIconUri(visitor, mBubbleMetadata.getIcon());















        }

























        if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) {













            WearableExtender extender = new WearableExtender(this);













            extender.visitUris(visitor);













        }















    }





























    /**










@@ -11630,6 +11641,12 @@ public class Notification implements Parcelable













                mFlags &= ~mask;















            }















        }

























        private void visitUris(@NonNull Consumer<Uri> visitor) {













            for (Action action : mActions) {













                action.visitUris(visitor);













            }













        }















    }





























    /**

































core/java/android/os/PersistableBundle.java



+34
−8




























Original line number
Diff line number
Diff line








@@ -21,6 +21,7 @@ import static java.nio.charset.StandardCharsets.UTF_8;













import android.annotation.NonNull;















import android.annotation.Nullable;















import android.util.ArrayMap;













import android.util.Slog;















import android.util.TypedXmlPullParser;















import android.util.TypedXmlSerializer;















import android.util.Xml;










@@ -50,6 +51,8 @@ import java.util.ArrayList;













 */















public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,















        XmlUtils.WriteMapCallback {













    private static final String TAG = "PersistableBundle";





























    private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";































    /** An unmodifiable {@code PersistableBundle} that is always {@link #isEmpty() empty}. */










@@ -118,7 +121,11 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa













     * @hide















     */















    public PersistableBundle(Bundle b) {













        this(b.getItemwiseMap());













        this(b, true);













    }



























    private PersistableBundle(Bundle b, boolean throwException) {













        this(b.getItemwiseMap(), throwException);















    }































    /**









@@ -127,7 +134,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa













     * @param map a Map containing only those items that can be persisted.















     * @throws IllegalArgumentException if any element of #map cannot be persisted.















     */













    private PersistableBundle(ArrayMap<String, Object> map) {













    private PersistableBundle(ArrayMap<String, Object> map, boolean throwException) {















        super();















        mFlags = FLAG_DEFUSABLE;

























@@ -136,16 +143,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa





























        // Now verify each item throwing an exception if there is a violation.















        final int N = mMap.size();













        for (int i=0; i<N; i++) {













        for (int i = N - 1; i >= 0; --i) {















            Object value = mMap.valueAt(i);















            if (value instanceof ArrayMap) {















                // Fix up any Maps by replacing them with PersistableBundles.













                mMap.setValueAt(i, new PersistableBundle((ArrayMap<String, Object>) value));













                mMap.setValueAt(i,













                        new PersistableBundle((ArrayMap<String, Object>) value, throwException));















            } else if (value instanceof Bundle) {













                mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));













                mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));















            } else if (!isValidType(value)) {













                throw new IllegalArgumentException("Bad value in PersistableBundle key="













                        + mMap.keyAt(i) + " value=" + value);













                final String errorMsg = "Bad value in PersistableBundle key="













                        + mMap.keyAt(i) + " value=" + value;













                if (throwException) {













                    throw new IllegalArgumentException(errorMsg);













                } else {













                    Slog.wtfStack(TAG, errorMsg);













                    mMap.removeAt(i);













                }















            }















        }















    }










@@ -268,6 +282,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa













    /** @hide */















    public void saveToXml(TypedXmlSerializer out) throws IOException, XmlPullParserException {















        unparcel();













        // Explicitly drop invalid types an attacker may have added before persisting.













        for (int i = mMap.size() - 1; i >= 0; --i) {













            final Object value = mMap.valueAt(i);













            if (!isValidType(value)) {













                Slog.e(TAG, "Dropping bad data before persisting: "













                        + mMap.keyAt(i) + "=" + value);













                mMap.removeAt(i);













            }













        }















        XmlUtils.writeMapXml(mMap, out, this);















    }


























@@ -322,9 +345,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa













        while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&















                (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {















            if (event == XmlPullParser.START_TAG) {













                // Don't throw an exception when restoring from XML since an attacker could try to













                // input invalid data in the persisted file.















                return new PersistableBundle((ArrayMap<String, Object>)















                        XmlUtils.readThisArrayMapXml(in, startTag, tagName,













                        new MyReadMapCallback()));













                        new MyReadMapCallback()),













                        /* throwException */ false);















            }















        }















        return new PersistableBundle();  // An empty mutable PersistableBundle