Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit a5797c64 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge commit '1b991494' into staging/lineage-20.0_android-security-13.0.0_r20 

* commit '1b991494':
  Revert "Security fix for VPN app killable via lockscreen."
  RESTRICT AUTOMERGE Fix READ/WRITE operation access issues on Restricted appOps.
  Hide SAW subwindows
  Add the protection to avoid data overflow in BinaryXmlSerializer.java
  Security fix for VPN app killable via lockscreen.
  Restrict USB poups while setup is in progress
  Rate limiting PiP aspect ratio change request
  RESTRICT AUTOMERGE Backport preventing BAL bypass via bound service

Conflicts:
	services/texttospeech/java/com/android/server/texttospeech/TextToSpeechManagerPerUserService.java

Change-Id: I8963b89a1cc71173aed162ed983bb9152b673665
parents 39483371 1b991494

apex/jobscheduler/service/java/com/android/server/job/JobServiceContext.java

+4 −2
Original line number Diff line number Diff line
@@ -311,11 +311,13 @@ public final class JobServiceContext implements ServiceConnection { 
                    bindFlags = Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND

                            | Context.BIND_ALMOST_PERCEPTIBLE

                            | Context.BIND_BYPASS_POWER_NETWORK_RESTRICTIONS

                            | Context.BIND_NOT_APP_COMPONENT_USAGE;

                            | Context.BIND_NOT_APP_COMPONENT_USAGE

                            | Context.BIND_DENY_ACTIVITY_STARTS_PRE_34;

                } else {

                    bindFlags = Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND

                            | Context.BIND_NOT_PERCEPTIBLE

                            | Context.BIND_NOT_APP_COMPONENT_USAGE;

                            | Context.BIND_NOT_APP_COMPONENT_USAGE

                            | Context.BIND_DENY_ACTIVITY_STARTS_PRE_34;

                }

                binding = mContext.bindServiceAsUser(intent, this, bindFlags,

                        UserHandle.of(job.getUserId()));

core/java/android/app/AppOpsManager.java

+1 −1
Original line number Diff line number Diff line
@@ -3290,7 +3290,7 @@ public class AppOpsManager { 
    }



    /**

     * Retrieve whether the op can be read by apps with manage appops permission.

     * Retrieve whether the op can be read by apps with privileged appops permission.

     * @hide

     */

    public static boolean opRestrictsRead(int op) {

core/java/android/speech/tts/TextToSpeech.java

+2 −1
Original line number Diff line number Diff line
@@ -2379,7 +2379,8 @@ public class TextToSpeech { 
        boolean connect(String engine) {

            Intent intent = new Intent(Engine.INTENT_ACTION_TTS_SERVICE);

            intent.setPackage(engine);

            return mContext.bindService(intent, this, Context.BIND_AUTO_CREATE);

            return mContext.bindService(intent, this,

                    Context.BIND_AUTO_CREATE | Context.BIND_DENY_ACTIVITY_STARTS_PRE_34);

        }



        @Override

core/java/com/android/internal/util/BinaryXmlSerializer.java

+10 −0
Original line number Diff line number Diff line
@@ -97,6 +97,8 @@ public final class BinaryXmlSerializer implements TypedXmlSerializer { 
     */

    private static final int BUFFER_SIZE = 32_768;



    private static final int MAX_UNSIGNED_SHORT = 65_535;



    private FastDataOutput mOut;



    /**
@@ -226,6 +228,10 @@ public final class BinaryXmlSerializer implements TypedXmlSerializer { 
        if (namespace != null && !namespace.isEmpty()) throw illegalNamespace();

        mOut.writeByte(ATTRIBUTE | TYPE_BYTES_HEX);

        mOut.writeInternedUTF(name);

        if (value.length > MAX_UNSIGNED_SHORT) {

            throw new IOException("attributeBytesHex: input size (" + value.length

                    + ") exceeds maximum allowed size (" + MAX_UNSIGNED_SHORT + ")");

        }

        mOut.writeShort(value.length);

        mOut.write(value);

        return this;
@@ -237,6 +243,10 @@ public final class BinaryXmlSerializer implements TypedXmlSerializer { 
        if (namespace != null && !namespace.isEmpty()) throw illegalNamespace();

        mOut.writeByte(ATTRIBUTE | TYPE_BYTES_BASE64);

        mOut.writeInternedUTF(name);

        if (value.length > MAX_UNSIGNED_SHORT) {

            throw new IOException("attributeBytesBase64: input size (" + value.length

                    + ") exceeds maximum allowed size (" + MAX_UNSIGNED_SHORT + ")");

        }

        mOut.writeShort(value.length);

        mOut.write(value);

        return this;

core/tests/coretests/src/android/util/BinaryXmlTest.java

+50 −0
Original line number Diff line number Diff line
@@ -24,6 +24,8 @@ import static android.util.XmlTest.doVerifyRead; 
import static android.util.XmlTest.doVerifyWrite;



import static org.junit.Assert.assertEquals;

import static org.junit.Assert.assertThrows;

import static org.junit.Assert.fail;

import static org.xmlpull.v1.XmlPullParser.START_TAG;



import android.os.PersistableBundle;
@@ -38,12 +40,15 @@ import java.io.ByteArrayOutputStream; 
import java.io.File;

import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStream;

import java.io.OutputStream;

import java.nio.charset.StandardCharsets;



@RunWith(AndroidJUnit4.class)

public class BinaryXmlTest {

    private static final int MAX_UNSIGNED_SHORT = 65_535;



    /**

     * Verify that we can write and read large numbers of interned

     * {@link String} values.
@@ -167,4 +172,49 @@ public class BinaryXmlTest { 
            }

        }

    }



    @Test

    public void testAttributeBytes_BinaryDataOverflow() throws Exception {

        final TypedXmlSerializer out = Xml.newBinarySerializer();

        final ByteArrayOutputStream os = new ByteArrayOutputStream();

        out.setOutput(os, StandardCharsets.UTF_8.name());



        final byte[] testBytes = new byte[MAX_UNSIGNED_SHORT + 1];

        assertThrows(IOException.class,

                () -> out.attributeBytesHex(/* namespace */ null, /* name */ "attributeBytesHex",

                        testBytes));



        assertThrows(IOException.class,

                () -> out.attributeBytesBase64(/* namespace */ null, /* name */

                        "attributeBytesBase64", testBytes));

    }



    @Test

    public void testAttributeBytesHex_MaximumBinaryData() throws Exception {

        final TypedXmlSerializer out = Xml.newBinarySerializer();

        final ByteArrayOutputStream os = new ByteArrayOutputStream();

        out.setOutput(os, StandardCharsets.UTF_8.name());



        final byte[] testBytes = new byte[MAX_UNSIGNED_SHORT];

        try {

            out.attributeBytesHex(/* namespace */ null, /* name */ "attributeBytesHex", testBytes);

        } catch (Exception e) {

            fail("testAttributeBytesHex fails with exception: " + e.toString());

        }

    }



    @Test

    public void testAttributeBytesBase64_MaximumBinaryData() throws Exception {

        final TypedXmlSerializer out = Xml.newBinarySerializer();

        final ByteArrayOutputStream os = new ByteArrayOutputStream();

        out.setOutput(os, StandardCharsets.UTF_8.name());



        final byte[] testBytes = new byte[MAX_UNSIGNED_SHORT];

        try {

            out.attributeBytesBase64(/* namespace */ null, /* name */ "attributeBytesBase64",

                    testBytes);

        } catch (Exception e) {

            fail("testAttributeBytesBase64 fails with exception: " + e.toString());

        }

    }

}