Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 53d4aaa5 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge tag 'android-security-10.0.0_r69' of... 

Merge tag 'android-security-10.0.0_r69' of https://android.googlesource.com/platform/frameworks/base into staging/lineage-17.1_merge_android-security-10.0.0_r69

Android Security 10.0.0 Release 69 (8712615)

* tag 'android-security-10.0.0_r69' of https://android.googlesource.com/platform/frameworks/base:
  Only allow the system server to connect to sync adapters
  Stop using invalid URL to prevent unexpected crash
  Remove package title from notification access confirmation intent
  DO NOT MERGE Suppress notifications when device enter lockdown
  [RESTRICT AUTOMERGE]Only allow system and same app to apply relinquishTaskIdentity

Change-Id: I0e75426f3d7435fe4b52f2d5f5cf753aba645c3f
parents 12fd3a9f 5e464b76

core/java/android/content/AbstractThreadedSyncAdapter.java

+20 −0
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ import static com.android.internal.util.function.pooled.PooledLambda.obtainMessa 
import android.accounts.Account;

import android.annotation.MainThread;

import android.annotation.NonNull;

import android.os.Binder;

import android.os.Build;

import android.os.Bundle;

import android.os.Handler;
@@ -171,8 +172,20 @@ public abstract class AbstractThreadedSyncAdapter { 
    }



    private class ISyncAdapterImpl extends ISyncAdapter.Stub {

        private boolean isCallerSystem() {

            final long callingUid = Binder.getCallingUid();

            if (callingUid != Process.SYSTEM_UID) {

                android.util.EventLog.writeEvent(0x534e4554, "203229608", -1, "");

                return false;

            }

            return true;

        }



        @Override

        public void onUnsyncableAccount(ISyncAdapterUnsyncableAccountCallback cb) {

            if (!isCallerSystem()) {

                return;

            }

            Handler.getMain().sendMessage(obtainMessage(

                    AbstractThreadedSyncAdapter::handleOnUnsyncableAccount,

                    AbstractThreadedSyncAdapter.this, cb));
@@ -181,12 +194,16 @@ public abstract class AbstractThreadedSyncAdapter { 
        @Override

        public void startSync(ISyncContext syncContext, String authority, Account account,

                Bundle extras) {

            if (!isCallerSystem()) {

                return;

            }

            if (ENABLE_LOG) {

                if (extras != null) {

                    extras.size(); // Unparcel so its toString() will show the contents.

                }

                Log.d(TAG, "startSync() start " + authority + " " + account + " " + extras);

            }



            try {

                final SyncContext syncContextClient = new SyncContext(syncContext);
@@ -242,6 +259,9 @@ public abstract class AbstractThreadedSyncAdapter { 


        @Override

        public void cancelSync(ISyncContext syncContext) {

            if (!isCallerSystem()) {

                return;

            }

            try {

                // synchronize to make sure that mSyncThreads doesn't change between when we

                // check it and when we use it

core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java

+6 −4
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
package com.android.internal.notification;



import android.content.ComponentName;

import android.content.Context;

import android.content.Intent;



public final class NotificationAccessConfirmationActivityContract {
@@ -25,13 +26,14 @@ public final class NotificationAccessConfirmationActivityContract { 
            "com.android.settings.notification.NotificationAccessConfirmationActivity");

    public static final String EXTRA_USER_ID = "user_id";

    public static final String EXTRA_COMPONENT_NAME = "component_name";

    public static final String EXTRA_PACKAGE_TITLE = "package_title";



    public static Intent launcherIntent(int userId, ComponentName component, String packageTitle) {

    /**

     * Creates a launcher intent for NotificationAccessConfirmationActivity.

     */

    public static Intent launcherIntent(Context context, int userId, ComponentName component) {

        return new Intent()

                .setComponent(COMPONENT_NAME)

                .putExtra(EXTRA_USER_ID, userId)

                .putExtra(EXTRA_COMPONENT_NAME, component)

                .putExtra(EXTRA_PACKAGE_TITLE, packageTitle);

                .putExtra(EXTRA_COMPONENT_NAME, component);

    }

}

services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java

+2 −11
Original line number Diff line number Diff line
@@ -39,7 +39,6 @@ import android.content.Intent; 
import android.content.ServiceConnection;

import android.content.pm.FeatureInfo;

import android.content.pm.PackageInfo;

import android.content.pm.PackageItemInfo;

import android.content.pm.PackageManager;

import android.net.NetworkPolicyManager;

import android.os.Binder;
@@ -310,20 +309,12 @@ public class CompanionDeviceManagerService extends SystemService implements Bind 
            String callingPackage = component.getPackageName();

            checkCanCallNotificationApi(callingPackage);

            int userId = getCallingUserId();

            String packageTitle = BidiFormatter.getInstance().unicodeWrap(

                    getPackageInfo(callingPackage, userId)

                            .applicationInfo

                            .loadSafeLabel(getContext().getPackageManager(),

                                    PackageItemInfo.DEFAULT_MAX_LABEL_SIZE_PX,

                                    PackageItemInfo.SAFE_LABEL_FLAG_TRIM

                                            | PackageItemInfo.SAFE_LABEL_FLAG_FIRST_LINE)

                            .toString());

            long identity = Binder.clearCallingIdentity();

            final long identity = Binder.clearCallingIdentity();

            try {

                return PendingIntent.getActivityAsUser(getContext(),

                        0 /* request code */,

                        NotificationAccessConfirmationActivityContract.launcherIntent(

                                userId, component, packageTitle),

                                getContext(), userId, component),

                        PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_ONE_SHOT

                                | PendingIntent.FLAG_CANCEL_CURRENT,

                        null /* options */,

services/core/java/com/android/server/connectivity/PacManager.java

+17 −2
Original line number Diff line number Diff line
@@ -37,6 +37,7 @@ import android.os.SystemClock; 
import android.os.SystemProperties;

import android.provider.Settings;

import android.util.Log;

import android.webkit.URLUtil;



import com.android.internal.annotations.GuardedBy;

import com.android.internal.util.TrafficStatsConstants;
@@ -215,8 +216,22 @@ public class PacManager { 
     * @throws IOException if the URL is malformed, or the PAC file is too big.

     */

    private static String get(Uri pacUri) throws IOException {

        URL url = new URL(pacUri.toString());

        URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);

        if (!URLUtil.isValidUrl(pacUri.toString()))  {

            throw new IOException("Malformed URL:" + pacUri);

        }



        final URL url = new URL(pacUri.toString());

        URLConnection urlConnection;

        try {

            urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);

            // Catch the possible exceptions and rethrow as IOException to not to crash the system

            // for illegal input.

        } catch (IllegalArgumentException e) {

            throw new IOException("Incorrect proxy type for " + pacUri);

        } catch (UnsupportedOperationException e) {

            throw new IOException("Unsupported URL connection type for " + pacUri);

        }



        long contentLength = -1;

        try {

            contentLength = Long.parseLong(urlConnection.getHeaderField("Content-Length"));

services/core/java/com/android/server/notification/NotificationManagerService.java

+103 −6
Original line number Diff line number Diff line
@@ -207,6 +207,7 @@ import android.util.Log; 
import android.util.Pair;

import android.util.Slog;

import android.util.SparseArray;

import android.util.SparseBooleanArray;

import android.util.StatsLog;

import android.util.TimeUtils;

import android.util.Xml;
@@ -233,6 +234,7 @@ import com.android.internal.util.FastXmlSerializer; 
import com.android.internal.util.Preconditions;

import com.android.internal.util.XmlUtils;

import com.android.internal.util.function.TriPredicate;

import com.android.internal.widget.LockPatternUtils;

import com.android.server.DeviceIdleController;

import com.android.server.EventLogTags;

import com.android.server.IoThread;
@@ -1520,6 +1522,54 @@ public class NotificationManagerService extends SystemService { 
        return out;

    }



    protected class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {



        SparseBooleanArray mUserInLockDownMode = new SparseBooleanArray();

        boolean mIsInLockDownMode = false;



        StrongAuthTracker(Context context) {

            super(context);

        }



        private boolean containsFlag(int haystack, int needle) {

            return (haystack & needle) != 0;

        }



        public boolean isInLockDownMode() {

            return mIsInLockDownMode;

        }



        @Override

        public synchronized void onStrongAuthRequiredChanged(int userId) {

            boolean userInLockDownModeNext = containsFlag(getStrongAuthForUser(userId),

                    STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);

            mUserInLockDownMode.put(userId, userInLockDownModeNext);

            boolean isInLockDownModeNext = mUserInLockDownMode.indexOfValue(true) != -1;



            if (mIsInLockDownMode == isInLockDownModeNext) {

                return;

            }



            if (isInLockDownModeNext) {

                cancelNotificationsWhenEnterLockDownMode();

            }



            // When the mIsInLockDownMode is true, both notifyPostedLocked and

            // notifyRemovedLocked will be dismissed. So we shall call

            // cancelNotificationsWhenEnterLockDownMode before we set mIsInLockDownMode

            // as true and call postNotificationsWhenExitLockDownMode after we set

            // mIsInLockDownMode as false.

            mIsInLockDownMode = isInLockDownModeNext;



            if (!isInLockDownModeNext) {

                postNotificationsWhenExitLockDownMode();

            }

        }

    }



    private LockPatternUtils mLockPatternUtils;

    private StrongAuthTracker mStrongAuthTracker;



    public NotificationManagerService(Context context) {

        super(context);

        Notification.processWhitelistToken = WHITELIST_TOKEN;
@@ -1531,6 +1581,11 @@ public class NotificationManagerService extends SystemService { 
        mAudioManager = audioMananger;

    }



    @VisibleForTesting

    void setStrongAuthTracker(StrongAuthTracker strongAuthTracker) {

        mStrongAuthTracker = strongAuthTracker;

    }



    @VisibleForTesting

    void setKeyguardManager(KeyguardManager keyguardManager) {

        mKeyguardManager = keyguardManager;
@@ -1706,6 +1761,8 @@ public class NotificationManagerService extends SystemService { 


        mHandler = new WorkerHandler(looper);

        mRankingThread.start();

        mLockPatternUtils = new LockPatternUtils(getContext());

        mStrongAuthTracker = new StrongAuthTracker(getContext());

        String[] extractorNames;

        try {

            extractorNames = resources.getStringArray(R.array.config_notificationSignalExtractors);
@@ -1849,7 +1906,8 @@ public class NotificationManagerService extends SystemService { 
        init(Looper.myLooper(),

                AppGlobals.getPackageManager(), getContext().getPackageManager(),

                getLocalService(LightsManager.class),

                new NotificationListeners(AppGlobals.getPackageManager()),

                new NotificationListeners(getContext(), mNotificationLock, mUserProfiles,

                        AppGlobals.getPackageManager()),

                new NotificationAssistants(getContext(), mNotificationLock, mUserProfiles,

                        AppGlobals.getPackageManager()),

                new ConditionProviders(getContext(), mUserProfiles, AppGlobals.getPackageManager()),
@@ -2001,6 +2059,7 @@ public class NotificationManagerService extends SystemService { 
            mRoleObserver = new RoleObserver(getContext().getSystemService(RoleManager.class),

                    mPackageManager, getContext().getMainExecutor());

            mRoleObserver.init();

            mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker);

        } else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) {

            // This observer will force an update when observe is called, causing us to

            // bind to listener services.
@@ -7494,6 +7553,29 @@ public class NotificationManagerService extends SystemService { 
        }

    }



    private void cancelNotificationsWhenEnterLockDownMode() {

        synchronized (mNotificationLock) {

            int numNotifications = mNotificationList.size();

            for (int i = 0; i < numNotifications; i++) {

                NotificationRecord rec = mNotificationList.get(i);

                mListeners.notifyRemovedLocked(rec, REASON_CANCEL_ALL,

                        rec.getStats());

            }



        }

    }



    private void postNotificationsWhenExitLockDownMode() {

        synchronized (mNotificationLock) {

            int numNotifications = mNotificationList.size();

            for (int i = 0; i < numNotifications; i++) {

                NotificationRecord rec = mNotificationList.get(i);

                mListeners.notifyPostedLocked(rec, rec);

            }



        }

    }



    private void updateNotificationPulse() {

        synchronized (mNotificationLock) {

            updateLightsLocked();
@@ -7704,6 +7786,10 @@ public class NotificationManagerService extends SystemService { 
                rankings.toArray(new NotificationListenerService.Ranking[0]));

    }



    boolean isInLockDownMode() {

        return mStrongAuthTracker.isInLockDownMode();

    }



    boolean hasCompanionDevice(ManagedServiceInfo info) {

        if (mCompanionManager == null) {

            mCompanionManager = getCompanionManager();
@@ -8223,9 +8309,9 @@ public class NotificationManagerService extends SystemService { 


        private final ArraySet<ManagedServiceInfo> mLightTrimListeners = new ArraySet<>();



        public NotificationListeners(IPackageManager pm) {

            super(getContext(), mNotificationLock, mUserProfiles, pm);



        public NotificationListeners(Context context, Object lock, UserProfiles userProfiles,

                IPackageManager pm) {

            super(context, lock, userProfiles, pm);

        }



        @Override
@@ -8334,8 +8420,12 @@ public class NotificationManagerService extends SystemService { 
         *                           targetting <= O_MR1

         */

        @GuardedBy("mNotificationLock")

        private void notifyPostedLocked(NotificationRecord r, NotificationRecord old,

        void notifyPostedLocked(NotificationRecord r, NotificationRecord old,

                boolean notifyAllListeners) {

            if (isInLockDownMode()) {

                return;

            }



            // Lazily initialized snapshots of the notification.

            StatusBarNotification sbn = r.sbn;

            StatusBarNotification oldSbn = (old != null) ? old.sbn : null;
@@ -8398,8 +8488,11 @@ public class NotificationManagerService extends SystemService { 
        @GuardedBy("mNotificationLock")

        public void notifyRemovedLocked(NotificationRecord r, int reason,

                NotificationStats notificationStats) {

            final StatusBarNotification sbn = r.sbn;

            if (isInLockDownMode()) {

                return;

            }



            final StatusBarNotification sbn = r.sbn;

            // make a copy in case changes are made to the underlying Notification object

            // NOTE: this copy is lightweight: it doesn't include heavyweight parts of the

            // notification
@@ -8450,6 +8543,10 @@ public class NotificationManagerService extends SystemService { 
         */

        @GuardedBy("mNotificationLock")

        public void notifyRankingUpdateLocked(List<NotificationRecord> changedHiddenNotifications) {

            if (isInLockDownMode()) {

                return;

            }



            boolean isHiddenRankingUpdate = changedHiddenNotifications != null

                    && changedHiddenNotifications.size() > 0;