Merge tag 'android-security-12.1.0_r4' into staging/lineage-19.1_android-security-12.1.0_r4
Android Security 12.1.0 Release 4 (12496785) * tag 'android-security-12.1.0_r4': Properly handle onNullBinding() in appwidget service. RESTRICT AUTOMERGE Clear app-provided shortcut icons Disallow device admin package and protected packages to be reinstalled as instant. Set no data transfer on function switch timeout for accessory mode Check more URIs in notifications RingtoneManager: allow video ringtone URI Remove authenticator data if it was disabled. fix: Security Report - Reveal images across users via EditUserPhotoController [RESTRICT AUTOMERGE] Check whether installerPackageName contains only valid characters Prevent Sharing when FRP enforcement is in effect Fail parseUri if end is missing Update AccountManagerService checkKeyIntent. RESTRICT AUTOMERGE Delete keystore keys from RecoveryService.rebootRecoveryWithCommand() DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme delimiter Hide SAW subwindows Add the protection to avoid data overflow in BinaryXmlSerializer.java Restrict USB poups while setup is in progress Rate limiting PiP aspect ratio change request RESTRICT AUTOMERGE Backport preventing BAL bypass via bound service Fix security vulnerability of non-dynamic permission removal Verify UID of incoming Zygote connections. [DO NOT MERGE][CDM] Fix setSkipPrompt on Android S Fix security vulnerability allowing apps to start from background [RESTRICT AUTOMERGE][PM] Send ACTION_PACKAGE_CHANGED when mimeGroups are changed [RESTRICT AUTOMERGE] AccessibilityManagerService: remove uninstalled services from enabled list after service update. [CDM][CMD] Check permissions for CDM shell commands Resolve message/conversation image Uris with the correct user id Check hidden API exemptions [DO NOT MERGE][Autofill Framework] Add in check for intent filter when setting/updating service [DO NOT MERGE][CDM] Fix a security issue that allow 3p apps to skip prompt by setSkipPrompt Add more checkKeyIntent checks to AccountManagerService. 
Fix vulnerability in AttributionSource due to incorrect Binder call Fix error handling for non-dynamic permissions Hide window immediately if itself doesn't run hide animation Check for NLS bind permission when rebinding services Added throttle when reporting shortcut usage Verify URI permission for channel sound update from NotificationListenerService DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses permissions DO NOT MERGE: ActivityManager#killBackgroundProcesses can kill caller's own app only Update media visibility on lock screen Revert "Refactor the SADeviceState to AdiDeviceState" Revert "AudioService: anonymize Bluetooth MAC addresses" Prioritize system toasts Fix security vulnerability that creates user with no restrictions when accountOptions are too long. isUserInLockDown can be true when there are other strong auth requirements Don't store invalid pkgs when migrating filters RESTRICT AUTOMERGE Added limitations for attributions to handle invalid cases Disallow system apps to be installed/updated as instant. Close AccountManagerService.session after timeout. Validate package names passed to the installer. Resolve custom printer icon boundary exploit. AudioService: anonymize Bluetooth MAC addresses Refactor the SADeviceState to AdiDeviceState Enforce persisted snoozed notifications limits [RESTRICT AUTOMERGE] Check permission of Autofill icon URIs Restrict activity launch when caller is running in the background DO NOT MERGE Disallow Wallpaper service to launch activity from background. Unbind TileService onNullBinding DO NOT MERGE: "Hide" /Android/data|obb|sanbox/ on shared storage DO NOT MERGE Ensure finish lockscreen when usersetup incomplete DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses permissions Fix vulnerability that allowed attackers to start arbitary activities RESTRICT AUTOMERGE Log to detect usage of whitelistToken when sending non-PI target [SB][Privacy] Fetch current active appops on startup. 
[CDM] Validate component name length before requesting notification access. Truncate user data to a limit of 500 characters RESTRICT AUTOMERGE: Check URI permissions for resumable media artwork Move startWatchingModeWithFlags to the native supported binder calls Updated: always show the keyguard on device lockdown Adding in verification of calling UID in onShellCommand Revert "On device lockdown, always show the keyguard" Validate userId when publishing shortcuts Use readUniqueFileDescriptor in incidentd service Restrict number of shortcuts can be added through addDynamicShortcuts Require permission to unlock keyguard Validate URI-based shortcut icon at creation time. Disable priority conversation widget for secondary users RESTRICT AUTOMERGE: Drop invalid data. Visit Uris related to Notification style extras Fix bypass BAL via `requestGeofence` Visit Uris added by WearableExtender [SettingsProvider] verify ringtone URI before setting Use type safe API of readParcelableArray [DO NOT MERGE] Check caller's uid in backupAgentCreated callback DO NOT MERGE Fix BAL via notification.publicVersion Revert "Dismiss keyguard when simpin auth'd and..." [RESTRICT AUTOMERGE] Ignore small source rect hint RESTRICT AUTOMERGE: SettingsProvider: exclude secure_frp_mode from resets Add userId check before loading icon in Device Controls Fixing DatabaseUtils to detect malformed UTF-16 strings Disallow loading icon from content URI to PipMenu [DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews Do not share key mappings with JNI object Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS. Import translations. DO NOT MERGE ANYWHERE Add placeholder when media control title is blank RingtoneManager: verify default ringtone is audio Improve user handling when querying for resumable media Update AccountManagerService checkKeyIntentParceledCorrectly. 
Forbid granting access to NLSes with too-long component names Ignore virtual presentation windows - RESTRICT AUTOMERGE [DO NOT MERGE] Update quickshare intent rather than recreating DO NOT MERGE Grant carrier privileges if package has carrier config access. DO NOT MERGE Revert "Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS." Remove unnecessary padding code Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used Resolve StatusHints image exploit across user. Visit URIs in themed remoteviews icons. Fix PrivacyChip not visible issue Check URIs in sized remote views. Verify URI permissions in MediaMetadata Validate ComponentName for MediaButtonBroadcastReceiver Implement visitUris for RemoteViews ViewGroupActionAdd. Check URIs in notification public version. Preserve flags for non-runtime permissions upon package update. Ensure policy has no absurdly long strings On device lockdown, always show the keyguard Verify URI permissions for notification shortcutIcon. Do not load drawable for wallet card if the card image icon iscreated with content URI. ActivityManagerService: Allow openContentUri from vendor/system/product. DO NOT MERGE: ActivityManager#killBackgroundProcesses can kill caller's own app only Visit URIs in landscape/portrait custom remote views. Truncate ShortcutInfo Id Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS. Dismiss keyguard when simpin auth'd and... Only allow NEW_TASK flag when adjusting pending intents Grant URI permissions to the CallStyle-related ones Limit the number of supported v1 and v2 signers Sanitize VPN label to prevent HTML injection Revert "Ensure that only SysUI can override pending intent launch flags" Ensure that only SysUI can override pending intent launch flags [RESTRICT AUTOMERGE] Add BubbleMetadata detection to block FSI Enforce DevicePolicyManager.setUserControlDisabledPackages in AppStandbyController Handle invalid data during job loading. 
Allow filtering of services DO NOT MERGE: Grant MANAGE_USERS access to Traceur Check key intent for selectors and prohibited flags [DO NOT MERGE] Prevent RemoteViews crashing SystemUi [DO NOT MERGE] Wait for preloading images to complete before inflating notifications Prevent sharesheet from previewing unowned URIs Remove Activity if it enters PiP without window Limit the number of shortcuts per app that can be retained by system Trim strings added to persistent snoozed notification storage. enforce stricter rules when registering phoneAccounts Uri: check authority and scheme as part of determining URI path Re-enforce MANAGE_ACTIVITY_TASKS for applySyncTransaction Checks if AccessibilityServiceInfo is within parcelable size. [RESTRICT AUTOMERGE][pm] still allow debuggable for system app downgrades [RESTRICT AUTOMERGE][pm] prevent system app downgrades of versions lower than preload [RESTRICT AUTOMERGE] Fix bypass BG-FGS and BAL via package manager APIs Fix bypass BAL via LocationManager.requestFlush Add a limit on channel group creation [DO NOT MERGE] Backport BAL restrictions from T to S, this blocks apps from using Alarm Manager to bypass BAL restrictions. [RESTRICT AUTOMERGE] Strip part of the activity info of another uid if no privilege Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE Fix checkKeyIntentParceledCorrectly's bypass Checking if package belongs to UID before registering broadcast receiver Revert "[RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege" [RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege DO NOT MERGE: Context#startInstrumentation could be started from SHELL only now. Revert "Ensure that only SysUI can override pending intent launch flags" Enforce MediaButtonReceiver extracted component name matches session package name Reconcile WorkSource parcel and unparcel code. 
Move service initialization Enforce MediaButtonReceiver ComponentName belongs to app Revert "[RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege" [DO NOT MERGE] Disallow clicks on privacy chip before provisioned [RESTRICT AUTOMERGE] Do not send new Intent to non-exported activity when navigateUpTo RESTRICT AUTOMERGE Use chain start token in performOpTransaction Use rule package name in addAutomaticZenRule; specify "android" for all system apps Convert argument to intent in ChooseTypeAndAccountActivity fpService#authWithPrompt uses correct user handle. [RESTRICT AUTOMERGE] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED [DO NOT MERGE] Revert "Check rule package name in ZenModeHelper.addAutomaticRule" [DO NOT MERGE] Revert "Fix system zen rules by using owner package name if caller is system" Fix system zen rules by using owner package name if caller is system Make Activites touch opaque - DO NOT MERGE [DO NOT MERGE] Do not clear calling identify when using BiometricPrompt from FingerprintService. [RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege Ensure that only SysUI can override pending intent launch flags Enable user graularity for lockdown mode Fix sharing to another profile where an app has multiple targets Add protections against queueing a UsbRequest when the underlying UsbDeviceConnection is closed. RESTRICT AUTOMERGE Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23 [RESTRICT AUTOMERGE][SettingsProvider] key size limit for mutating settings RESTRICT AUTOMERGE Validate permission tree size on permission update Backport missing permission check for querying main activity intent [RESTRICT AUTOMERGE] [SettingsProvider] mem limit should be checked before settings are updated [DO NOT MERGE] Fix conditionId string trimming in AutomaticZenRule Disable all A11yServices from an uninstalled package. Limit length and number of MIME types you can set Limit lengths of fields in Condition to a max length. 
[DO NOT MERGE] Revert "Fix system zen rules by using owner package name if caller is system" [DO NOT MERGE] Update window with FLAG_SECURE when bouncer is showing Add safety checks on KEY_INTENT mismatch. [DO NOT MERGE] Fix permanent denial of service via setComponentEnabledSetting Lower per-app notificationchannel limit [Do Not Merge] Ignore malformed shortcuts Prevent exfiltration of system files via avatar picker. [RESTRICT AUTOMERGE] Allow activity to be reparent while allowTaskReparenting is applied Fix a security issue in app widget service. Fix NPE [pm] forbid deletion of protected packages Include all enabled services when FEEDBACK_ALL_MASK. Validate package name passed to setApplicationRestrictions. (Reland) Prevent non-admin users from deleting system apps. Limit the size of NotificationChannel and NotificationChannelGroup Revert "Prevent exfiltration of system files via user image settings." Revert "Prevent non-admin users from deleting system apps." Stop crashing the system on hitting the alarm limit [DO NOT MERGE] Do not dismiss keyguard after SIM PUK unlock Make sure parallel broadcasts enforce excluded permissions Fix system zen rules by using owner package name if caller is system Trim any long string inputs that come in to AutomaticZenRule DO NOT MERGE Fix auto-grant of AR runtime permission if device is upgrading from pre-Q Check rule package name in ZenModeHelper.addAutomaticRule Do not send AccessibilityEvent if notification is for different user. [RESTRICT AUTOMERGE] Do not send new Intent to non-exported activity when navigateUpTo switch TelecomManager List getters to ParceledListSlice DO NOT MERGE Move accountname and typeName length check from Account.java to AccountManagerService. Add excludedPackages parameter to broadcast Enforce zen rule limit on a package level. 
Strip transition information from activityoptions when sent to app Remove package name from SafetyNet logs Fix Notification redaction when power cycling a non-dozing device while occluded. Fix duplicate permission privilege escalation Block FullScreenIntent while device is in use if notification has a silencing GroupAlertBehavior. Parcel: recycle recycles Limit the number of concurrently snoozed notifications Restrict getInputMethodWindowVisibleHeight DO NOT MERGE Suppress notifications when device enter lockdown Only allow the system server to connect to sync adapters Stop using invalid URL to prevent unexpected crash Remove package title from notification access confirmation intent Make CheckOp return allowed if any attr tag for a package is excluded Allow system server uid to bypass location restriction Disallow privileged apps to bypass location restriction DO NOT MERGE. Add a permissions check to LocationManagerService. Clear mInterface before calling resetIkeState() Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions. Update ServiceState broadcast for location permissions USB: Increase debounce time for DISCONNECT processing (revised) Log to EventLog on prepareUserStorage failure Ignore errors preparing user storage for existing users UserDataPreparer: reboot to recovery for system user only UserDataPreparer: reboot to recovery if preparing user storage fails StorageManagerService: don't ignore failures to prepare user storage DO NOT MERGE: WM: Call Transaction#sanitize limit TelecomManager#registerPhoneAccount to 10; api doc update [scv2] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning. Disallow too large display padding for wallpaper Fix NPE Prevent exfiltration of system files via user image settings. Prevent non-admin users from deleting system apps. Fix security hole in GateKeeperResponse Update GeofenceHardwareRequestParcelable to match parcel/unparcel format. 
Add an OEM configurable limit for zen rules Keyguard - Treat messsages to lock with priority [Ongoing Call] Don't call #getIntent to avoid a security vulnerability. Always restart apps if base.apk gets updated. Verify caller before auto granting slice permission Replace BitmapRegionDecoder with ImageDecoder [RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task Update permissions for ServiceState broadcast Filter notification APIs by user Security fixes for PendingIntent related apis in LauncherApps [RESTRICT AUTOMERGE] Add hide-non-system-overlay flag for HarmfulAppWarningActivity Restrict AdbManager broadcasts to apps with MANAGE_DEBUGGING permission. Validate pid can be trusted Fix a mismatch in Bitmap_createFromParcel Change-Id: I07007468a83139fbeab08b01b491d7f9c892dc95