Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 3a6c4af3 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge tag 'android-security-10.0.0_r50' into staging/lineage-17.1_merge_android-security-10.0.0_r50 

Android security 10.0.0 release 50

* tag 'android-security-10.0.0_r50':
  Ignore GrantCredentials call with unexpected calling uid.
  Protect GrantCredentialsPermissionActivity against overlay.
  [DO NOT MERGE] Make GlobalScreenshot PendingIntents immutable
  Revoke permission on non-runtime -> runtime upgrade
  Ensure permissions are revoked on state changes
  Hide overlays over uninstall confirm dialog
  RESTRICT AUTOMERGE Fix CDM package check
  remove sensitive pii from safetynet logging
  DO NOT MERGE Revoke install permissions when the permission defining app is uninstalled.
  DO NOT MERGE Check fingerprint client against top activity in auth callback
  Fix the issue provider can be wrong when requesting slice permission

Conflicts:
	packages/SystemUI/src/com/android/systemui/screenshot/GlobalScreenshot.java

Change-Id: Ia4cc8559d85770ac2d7abfaa0160b80094c8d619
parents 5ef54fb0 bcc5dd17

core/java/android/accounts/GrantCredentialsPermissionActivity.java

+31 −6
Original line number Diff line number Diff line
@@ -16,16 +16,23 @@ 
package android.accounts;



import android.app.Activity;

import android.content.res.Resources;

import android.os.Bundle;

import android.widget.TextView;

import android.widget.LinearLayout;

import android.view.View;

import android.view.LayoutInflater;

import android.app.ActivityTaskManager;

import android.content.Context;

import android.content.Intent;

import android.content.pm.PackageManager;

import android.content.res.Resources;

import android.os.Bundle;

import android.os.IBinder;

import android.os.Process;

import android.os.RemoteException;

import android.os.UserHandle;

import android.text.TextUtils;

import android.util.Log;

import android.view.LayoutInflater;

import android.view.View;

import android.widget.LinearLayout;

import android.widget.TextView;



import com.android.internal.R;



import java.io.IOException;
@@ -42,11 +49,15 @@ public class GrantCredentialsPermissionActivity extends Activity implements View 
    private Account mAccount;

    private String mAuthTokenType;

    private int mUid;

    private int mCallingUid;

    private Bundle mResultBundle = null;

    protected LayoutInflater mInflater;



    protected void onCreate(Bundle savedInstanceState) {

        super.onCreate(savedInstanceState);

        getWindow().addSystemFlags(

                android.view.WindowManager.LayoutParams

                        .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);

        setContentView(R.layout.grant_credentials_permission);

        setTitle(R.string.grant_permissions_header_text);
@@ -74,6 +85,20 @@ public class GrantCredentialsPermissionActivity extends Activity implements View 
            return;

        }



        try {

            IBinder activityToken = getActivityToken();

            mCallingUid = ActivityTaskManager.getService().getLaunchedFromUid(activityToken);

        } catch (RemoteException re) {

            // Couldn't figure out caller details

            Log.w(getClass().getSimpleName(), "Unable to get caller identity \n" + re);

        }



        if (!UserHandle.isSameApp(mCallingUid, Process.SYSTEM_UID) && mCallingUid != mUid) {

            setResult(Activity.RESULT_CANCELED);

            finish();

            return;

        }



        String accountTypeLabel;

        try {

            accountTypeLabel = getAccountLabel(mAccount);

core/java/android/app/slice/SliceProvider.java

+0 −5
Original line number Diff line number Diff line
@@ -152,10 +152,6 @@ public abstract class SliceProvider extends ContentProvider { 
     * @hide

     */

    public static final String EXTRA_PKG = "pkg";

    /**

     * @hide

     */

    public static final String EXTRA_PROVIDER_PKG = "provider_pkg";

    /**

     * @hide

     */
@@ -519,7 +515,6 @@ public abstract class SliceProvider extends ContentProvider { 
                "com.android.systemui.SlicePermissionActivity"));

        intent.putExtra(EXTRA_BIND_URI, sliceUri);

        intent.putExtra(EXTRA_PKG, callingPackage);

        intent.putExtra(EXTRA_PROVIDER_PKG, context.getPackageName());

        // Unique pending intent.

        intent.setData(sliceUri.buildUpon().appendQueryParameter("package", callingPackage)

                .build());

packages/PackageInstaller/src/com/android/packageinstaller/UninstallerActivity.java

+3 −0
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
package com.android.packageinstaller;



import static android.app.AppOpsManager.MODE_ALLOWED;

import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;



import static com.android.packageinstaller.PackageUtil.getMaxTargetSdkVersionForUid;
@@ -87,6 +88,8 @@ public class UninstallerActivity extends Activity { 


    @Override

    public void onCreate(Bundle icicle) {

        getWindow().addSystemFlags(SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);



        // Never restore any state, esp. never create any fragments. The data in the fragment might

        // be stale, if e.g. the app was uninstalled while the activity was destroyed.

        super.onCreate(null);

packages/SystemUI/src/com/android/systemui/SlicePermissionActivity.java

+33 −1
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ package com.android.systemui; 


import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;



import android.annotation.Nullable;

import android.app.Activity;

import android.app.AlertDialog;

import android.app.slice.SliceManager;
@@ -29,6 +30,7 @@ import android.content.pm.PackageManager.NameNotFoundException; 
import android.net.Uri;

import android.os.Bundle;

import android.text.BidiFormatter;

import android.util.EventLog;

import android.util.Log;

import android.widget.CheckBox;

import android.widget.TextView;
@@ -50,10 +52,17 @@ public class SlicePermissionActivity extends Activity implements OnClickListener 


        mUri = getIntent().getParcelableExtra(SliceProvider.EXTRA_BIND_URI);

        mCallingPkg = getIntent().getStringExtra(SliceProvider.EXTRA_PKG);

        mProviderPkg = getIntent().getStringExtra(SliceProvider.EXTRA_PROVIDER_PKG);

        if (mUri == null) {

            Log.e(TAG, SliceProvider.EXTRA_BIND_URI + " wasn't provided");

            finish();

            return;

        }



        try {

            PackageManager pm = getPackageManager();

            mProviderPkg = pm.resolveContentProvider(mUri.getAuthority(),

                    PackageManager.GET_META_DATA).applicationInfo.packageName;

            verifyCallingPkg();

            CharSequence app1 = BidiFormatter.getInstance().unicodeWrap(pm.getApplicationInfo(

                    mCallingPkg, 0).loadSafeLabel(pm, PackageItemInfo.DEFAULT_MAX_LABEL_SIZE_PX,

                    PackageItemInfo.SAFE_LABEL_FLAG_TRIM
@@ -97,4 +106,27 @@ public class SlicePermissionActivity extends Activity implements OnClickListener 
    public void onDismiss(DialogInterface dialog) {

        finish();

    }



    private void verifyCallingPkg() {

        final String providerPkg = getIntent().getStringExtra("provider_pkg");

        if (providerPkg == null || mProviderPkg.equals(providerPkg)) return;

        final String callingPkg = getCallingPkg();

        EventLog.writeEvent(0x534e4554, "159145361", getUid(callingPkg));

    }



    @Nullable

    private String getCallingPkg() {

        final Uri referrer = getReferrer();

        if (referrer == null) return null;

        return referrer.getHost();

    }



    private int getUid(@Nullable final String pkg) {

        if (pkg == null) return -1;

        try {

            return getPackageManager().getApplicationInfo(pkg, 0).uid;

        } catch (NameNotFoundException e) {

        }

        return -1;

    }

}

packages/SystemUI/src/com/android/systemui/screenshot/GlobalScreenshot.java

+48 −38
Original line number Diff line number Diff line
@@ -152,6 +152,7 @@ class SaveImageInBackgroundData { 
        imageUri = null;

        iconSize = 0;

    }



    void clearContext() {

        context = null;

    }
@@ -534,7 +535,8 @@ class SaveImageInBackgroundTask extends AsyncTask<Void, Void, Void> { 
            mPublicNotificationBuilder

                    .setContentTitle(r.getString(R.string.screenshot_saved_title))

                    .setContentText(r.getString(R.string.screenshot_saved_text))

                    .setContentIntent(PendingIntent.getActivity(mParams.context, 0, launchIntent, 0))

                    .setContentIntent(PendingIntent.getActivity(mParams.context, 0, launchIntent,

                            PendingIntent.FLAG_IMMUTABLE))

                    .setWhen(now)

                    .setAutoCancel(true)

                    .setColor(context.getColor(
@@ -542,7 +544,8 @@ class SaveImageInBackgroundTask extends AsyncTask<Void, Void, Void> { 
            mNotificationBuilder

                    .setContentTitle(r.getString(R.string.screenshot_saved_title))

                    .setContentText(r.getString(R.string.screenshot_saved_text))

                .setContentIntent(PendingIntent.getActivity(mParams.context, 0, launchIntent, 0))

                    .setContentIntent(PendingIntent.getActivity(mParams.context, 0, launchIntent,

                            PendingIntent.FLAG_IMMUTABLE))

                    .setWhen(now)

                    .setAutoCancel(true)

                    .setColor(context.getColor(
@@ -693,7 +696,8 @@ class GlobalScreenshot { 
        // Inflate the screenshot layout

        mScreenshotLayout = layoutInflater.inflate(R.layout.global_screenshot, null);

        mScreenshotButtonsLayout = mScreenshotLayout.findViewById(R.id.global_screenshot_buttons);

        mBackgroundView = (ImageView) mScreenshotLayout.findViewById(R.id.global_screenshot_background);

        mBackgroundView = (ImageView) mScreenshotLayout.findViewById(

                R.id.global_screenshot_background);

        mScreenshotView = (ImageView) mScreenshotLayout.findViewById(R.id.global_screenshot);

        mScreenshotFlash = (ImageView) mScreenshotLayout.findViewById(R.id.global_screenshot_flash);

        mScreenshotSelectorView = (ScreenshotSelectorView) mScreenshotLayout.findViewById(
@@ -1021,6 +1025,7 @@ class GlobalScreenshot { 
            }

        });

    }



    private ValueAnimator createScreenshotDropInAnimation() {

        final float flashPeakDurationPct = ((float) (SCREENSHOT_FLASH_TO_PEAK_DURATION)

                / SCREENSHOT_DROP_IN_DURATION);
@@ -1070,6 +1075,7 @@ class GlobalScreenshot { 
                mScreenshotFlash.setAlpha(0f);

                mScreenshotFlash.setVisibility(View.VISIBLE);

            }



            @Override

            public void onAnimationEnd(android.animation.Animator animation) {

                mScreenshotFlash.setVisibility(View.GONE);
@@ -1091,6 +1097,7 @@ class GlobalScreenshot { 
        });

        return anim;

    }



    private ValueAnimator createScreenshotDropOutAnimation(int w, int h, boolean statusBarVisible,

            boolean navBarVisible) {

        ValueAnimator anim = ValueAnimator.ofFloat(0f, 1f);
@@ -1112,7 +1119,8 @@ class GlobalScreenshot { 
                public void onAnimationUpdate(ValueAnimator animation) {

                    float t = (Float) animation.getAnimatedValue();

                    float scaleT = (SCREENSHOT_DROP_IN_MIN_SCALE + mBgPaddingScale)

                            - t * (SCREENSHOT_DROP_IN_MIN_SCALE - SCREENSHOT_FAST_DROP_OUT_MIN_SCALE);

                            - t * (SCREENSHOT_DROP_IN_MIN_SCALE

                            - SCREENSHOT_FAST_DROP_OUT_MIN_SCALE);

                    mBackgroundView.setAlpha((1f - t) * BACKGROUND_ALPHA);

                    mScreenshotView.setAlpha(1f - t);

                    mScreenshotView.setScaleX(scaleT);
@@ -1139,8 +1147,10 @@ class GlobalScreenshot { 
            float halfScreenHeight = (h - 2f * mBgPadding) / 2f;

            final float offsetPct = SCREENSHOT_DROP_OUT_MIN_SCALE_OFFSET;

            final PointF finalPos = new PointF(

                -halfScreenWidth + (SCREENSHOT_DROP_OUT_MIN_SCALE + offsetPct) * halfScreenWidth,

                -halfScreenHeight + (SCREENSHOT_DROP_OUT_MIN_SCALE + offsetPct) * halfScreenHeight);

                    -halfScreenWidth

                            + (SCREENSHOT_DROP_OUT_MIN_SCALE + offsetPct) * halfScreenWidth,

                    -halfScreenHeight

                            + (SCREENSHOT_DROP_OUT_MIN_SCALE + offsetPct) * halfScreenHeight);



            // Animate the screenshot to the status bar

            anim.setDuration(SCREENSHOT_DROP_OUT_DURATION);
@@ -1185,7 +1195,7 @@ class GlobalScreenshot { 
                DevicePolicyManager.POLICY_DISABLE_SCREEN_CAPTURE);

        if (intent != null) {

            final PendingIntent pendingIntent = PendingIntent.getActivityAsUser(

                    context, 0, intent, 0, null, UserHandle.CURRENT);

                    context, 0, intent, PendingIntent.FLAG_IMMUTABLE, null, UserHandle.CURRENT);

            b.setContentIntent(pendingIntent);

        }