Loading core/java/android/net/PacProxySelector.java +9 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,7 @@ import java.net.Proxy.Type; import java.net.ProxySelector; import java.net.SocketAddress; import java.net.URI; import java.net.URISyntaxException; import java.util.List; /** Loading Loading @@ -67,7 +68,15 @@ public class PacProxySelector extends ProxySelector { String response = null; String urlString; try { // Strip path and username/password from URI so it's not visible to PAC script. The // path often contains credentials the app does not want exposed to a potentially // malicious PAC script. if (!"http".equalsIgnoreCase(uri.getScheme())) { uri = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), "/", null, null); } urlString = uri.toURL().toString(); } catch (URISyntaxException e) { urlString = uri.getHost(); } catch (MalformedURLException e) { urlString = uri.getHost(); } Loading core/java/com/android/internal/app/ChooserActivity.java +13 −1 Original line number Diff line number Diff line Loading @@ -656,7 +656,19 @@ public class ChooserActivity extends ResolverActivity { } intent.setComponent(mChooserTarget.getComponentName()); intent.putExtras(mChooserTarget.getIntentExtras()); activity.startActivityAsCaller(intent, options, true, userId); // Important: we will ignore the target security checks in ActivityManager // if and only if the ChooserTarget's target package is the same package // where we got the ChooserTargetService that provided it. This lets a // ChooserTargetService provide a non-exported or permission-guarded target // to the chooser for the user to pick. // // If mSourceInfo is null, we got this ChooserTarget from the caller or elsewhere // so we'll obey the caller's normal security checks. final boolean ignoreTargetSecurity = mSourceInfo != null && mSourceInfo.getResolvedComponentName().getPackageName() .equals(mChooserTarget.getComponentName().getPackageName()); activity.startActivityAsCaller(intent, options, ignoreTargetSecurity, userId); return true; } Loading services/backup/java/com/android/server/backup/BackupManagerService.java +26 −7 Original line number Diff line number Diff line Loading @@ -80,7 +80,9 @@ import android.os.storage.StorageManager; import android.provider.Settings; import android.system.ErrnoException; import android.system.Os; import android.text.TextUtils; import android.util.ArrayMap; import android.util.ArraySet; import android.util.AtomicFile; import android.util.EventLog; import android.util.Log; Loading @@ -93,6 +95,7 @@ import com.android.internal.backup.IBackupTransport; import com.android.internal.backup.IObbBackupService; import com.android.server.AppWidgetBackupBridge; import com.android.server.EventLogTags; import com.android.server.SystemConfig; import com.android.server.SystemService; import com.android.server.backup.PackageManagerBackupAgent.Metadata; Loading Loading @@ -300,6 +303,7 @@ public class BackupManagerService { volatile boolean mClearingData; // Transport bookkeeping final ArraySet<ComponentName> mTransportWhitelist; final Intent mTransportServiceIntent = new Intent(SERVICE_ACTION_TRANSPORT_HOST); final ArrayMap<String,String> mTransportNames = new ArrayMap<String,String>(); // component name -> registration name Loading Loading @@ -1084,11 +1088,15 @@ public class BackupManagerService { // Set up our transport options and initialize the default transport // TODO: Don't create transports that we don't need to? mCurrentTransport = Settings.Secure.getString(context.getContentResolver(), SystemConfig systemConfig = SystemConfig.getInstance(); mTransportWhitelist = systemConfig.getBackupTransportWhitelist(); String transport = Settings.Secure.getString(context.getContentResolver(), Settings.Secure.BACKUP_TRANSPORT); if ("".equals(mCurrentTransport)) { mCurrentTransport = null; if (TextUtils.isEmpty(transport)) { transport = null; } mCurrentTransport = transport; if (DEBUG) Slog.v(TAG, "Starting with transport " + mCurrentTransport); // Find all transport hosts and bind to their services Loading @@ -1099,11 +1107,11 @@ public class BackupManagerService { } if (hosts != null) { for (int i = 0; i < hosts.size(); i++) { final ServiceInfo transport = hosts.get(i).serviceInfo; final ServiceInfo transportService = hosts.get(i).serviceInfo; if (MORE_DEBUG) { Slog.v(TAG, " " + transport.packageName + "/" + transport.name); Slog.v(TAG, " " + transportService.packageName + "/" + transportService.name); } tryBindTransport(transport); tryBindTransport(transportService); } } Loading Loading @@ -1983,7 +1991,12 @@ public class BackupManagerService { // Actually bind; presumes that we have already validated the transport service boolean bindTransport(ServiceInfo transport) { ComponentName svcName = new ComponentName(transport.packageName, transport.name); if (MORE_DEBUG) { if (!mTransportWhitelist.contains(svcName)) { Slog.w(TAG, "Proposed transport " + svcName + " not whitelisted; ignoring"); return false; } if (DEBUG) { Slog.i(TAG, "Binding to transport host " + svcName); } Intent intent = new Intent(mTransportServiceIntent); Loading Loading @@ -9654,6 +9667,12 @@ if (MORE_DEBUG) Slog.v(TAG, " + got " + nRead + "; now wanting " + (size - soF + " (now = " + System.currentTimeMillis() + ')'); pw.println(" next scheduled: " + KeyValueBackupJob.nextScheduled()); pw.println("Transport whitelist:"); for (ComponentName transport : mTransportWhitelist) { pw.print(" "); pw.println(transport.flattenToShortString()); } pw.println("Available transports:"); final String[] transports = listAllTransports(); if (transports != null) { Loading services/core/java/com/android/server/LockSettingsService.java +2 −0 Original line number Diff line number Diff line Loading @@ -470,6 +470,7 @@ public class LockSettingsService extends ILockSettings.Stub { @Override public void setLockPattern(String pattern, String savedCredential, int userId) throws RemoteException { checkWritePermission(userId); byte[] currentHandle = getCurrentHandle(userId); if (pattern == null) { Loading Loading @@ -498,6 +499,7 @@ public class LockSettingsService extends ILockSettings.Stub { @Override public void setLockPassword(String password, String savedCredential, int userId) throws RemoteException { checkWritePermission(userId); byte[] currentHandle = getCurrentHandle(userId); if (password == null) { Loading services/core/java/com/android/server/SystemConfig.java +25 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,7 @@ import static android.content.pm.PackageManager.INTENT_FILTER_DOMAIN_VERIFICATIO import static android.content.pm.PackageManager.INTENT_FILTER_DOMAIN_VERIFICATION_STATUS_ALWAYS_ASK; import android.app.ActivityManager; import android.content.ComponentName; import android.content.pm.FeatureInfo; import android.content.pm.Signature; import android.os.*; Loading Loading @@ -109,6 +110,9 @@ public class SystemConfig { final ArrayMap<Signature, ArraySet<String>> mSignatureAllowances = new ArrayMap<Signature, ArraySet<String>>(); // These are the permitted backup transport service components final ArraySet<ComponentName> mBackupTransportWhitelist = new ArraySet<>(); public static SystemConfig getInstance() { synchronized (SystemConfig.class) { if (sInstance == null) { Loading Loading @@ -158,6 +162,10 @@ public class SystemConfig { return mSignatureAllowances; } public ArraySet<ComponentName> getBackupTransportWhitelist() { return mBackupTransportWhitelist; } SystemConfig() { // Read configuration from system readPermissions(Environment.buildPath( Loading Loading @@ -432,6 +440,23 @@ public class SystemConfig { mLinkedApps.add(makeLink(pkgname, state)); } XmlUtils.skipCurrentTag(parser); } else if ("backup-transport-whitelisted-service".equals(name)) { String serviceName = parser.getAttributeValue(null, "service"); if (serviceName == null) { Slog.w(TAG, "<backup-transport-whitelisted-service> without service in " + permFile + " at " + parser.getPositionDescription()); } else { ComponentName cn = ComponentName.unflattenFromString(serviceName); if (cn == null) { Slog.w(TAG, "<backup-transport-whitelisted-service> with invalid service name " + serviceName + " in "+ permFile + " at " + parser.getPositionDescription()); } else { mBackupTransportWhitelist.add(cn); } } XmlUtils.skipCurrentTag(parser); } else { XmlUtils.skipCurrentTag(parser); Loading Loading
core/java/android/net/PacProxySelector.java +9 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,7 @@ import java.net.Proxy.Type; import java.net.ProxySelector; import java.net.SocketAddress; import java.net.URI; import java.net.URISyntaxException; import java.util.List; /** Loading Loading @@ -67,7 +68,15 @@ public class PacProxySelector extends ProxySelector { String response = null; String urlString; try { // Strip path and username/password from URI so it's not visible to PAC script. The // path often contains credentials the app does not want exposed to a potentially // malicious PAC script. if (!"http".equalsIgnoreCase(uri.getScheme())) { uri = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), "/", null, null); } urlString = uri.toURL().toString(); } catch (URISyntaxException e) { urlString = uri.getHost(); } catch (MalformedURLException e) { urlString = uri.getHost(); } Loading
core/java/com/android/internal/app/ChooserActivity.java +13 −1 Original line number Diff line number Diff line Loading @@ -656,7 +656,19 @@ public class ChooserActivity extends ResolverActivity { } intent.setComponent(mChooserTarget.getComponentName()); intent.putExtras(mChooserTarget.getIntentExtras()); activity.startActivityAsCaller(intent, options, true, userId); // Important: we will ignore the target security checks in ActivityManager // if and only if the ChooserTarget's target package is the same package // where we got the ChooserTargetService that provided it. This lets a // ChooserTargetService provide a non-exported or permission-guarded target // to the chooser for the user to pick. // // If mSourceInfo is null, we got this ChooserTarget from the caller or elsewhere // so we'll obey the caller's normal security checks. final boolean ignoreTargetSecurity = mSourceInfo != null && mSourceInfo.getResolvedComponentName().getPackageName() .equals(mChooserTarget.getComponentName().getPackageName()); activity.startActivityAsCaller(intent, options, ignoreTargetSecurity, userId); return true; } Loading
services/backup/java/com/android/server/backup/BackupManagerService.java +26 −7 Original line number Diff line number Diff line Loading @@ -80,7 +80,9 @@ import android.os.storage.StorageManager; import android.provider.Settings; import android.system.ErrnoException; import android.system.Os; import android.text.TextUtils; import android.util.ArrayMap; import android.util.ArraySet; import android.util.AtomicFile; import android.util.EventLog; import android.util.Log; Loading @@ -93,6 +95,7 @@ import com.android.internal.backup.IBackupTransport; import com.android.internal.backup.IObbBackupService; import com.android.server.AppWidgetBackupBridge; import com.android.server.EventLogTags; import com.android.server.SystemConfig; import com.android.server.SystemService; import com.android.server.backup.PackageManagerBackupAgent.Metadata; Loading Loading @@ -300,6 +303,7 @@ public class BackupManagerService { volatile boolean mClearingData; // Transport bookkeeping final ArraySet<ComponentName> mTransportWhitelist; final Intent mTransportServiceIntent = new Intent(SERVICE_ACTION_TRANSPORT_HOST); final ArrayMap<String,String> mTransportNames = new ArrayMap<String,String>(); // component name -> registration name Loading Loading @@ -1084,11 +1088,15 @@ public class BackupManagerService { // Set up our transport options and initialize the default transport // TODO: Don't create transports that we don't need to? mCurrentTransport = Settings.Secure.getString(context.getContentResolver(), SystemConfig systemConfig = SystemConfig.getInstance(); mTransportWhitelist = systemConfig.getBackupTransportWhitelist(); String transport = Settings.Secure.getString(context.getContentResolver(), Settings.Secure.BACKUP_TRANSPORT); if ("".equals(mCurrentTransport)) { mCurrentTransport = null; if (TextUtils.isEmpty(transport)) { transport = null; } mCurrentTransport = transport; if (DEBUG) Slog.v(TAG, "Starting with transport " + mCurrentTransport); // Find all transport hosts and bind to their services Loading @@ -1099,11 +1107,11 @@ public class BackupManagerService { } if (hosts != null) { for (int i = 0; i < hosts.size(); i++) { final ServiceInfo transport = hosts.get(i).serviceInfo; final ServiceInfo transportService = hosts.get(i).serviceInfo; if (MORE_DEBUG) { Slog.v(TAG, " " + transport.packageName + "/" + transport.name); Slog.v(TAG, " " + transportService.packageName + "/" + transportService.name); } tryBindTransport(transport); tryBindTransport(transportService); } } Loading Loading @@ -1983,7 +1991,12 @@ public class BackupManagerService { // Actually bind; presumes that we have already validated the transport service boolean bindTransport(ServiceInfo transport) { ComponentName svcName = new ComponentName(transport.packageName, transport.name); if (MORE_DEBUG) { if (!mTransportWhitelist.contains(svcName)) { Slog.w(TAG, "Proposed transport " + svcName + " not whitelisted; ignoring"); return false; } if (DEBUG) { Slog.i(TAG, "Binding to transport host " + svcName); } Intent intent = new Intent(mTransportServiceIntent); Loading Loading @@ -9654,6 +9667,12 @@ if (MORE_DEBUG) Slog.v(TAG, " + got " + nRead + "; now wanting " + (size - soF + " (now = " + System.currentTimeMillis() + ')'); pw.println(" next scheduled: " + KeyValueBackupJob.nextScheduled()); pw.println("Transport whitelist:"); for (ComponentName transport : mTransportWhitelist) { pw.print(" "); pw.println(transport.flattenToShortString()); } pw.println("Available transports:"); final String[] transports = listAllTransports(); if (transports != null) { Loading
services/core/java/com/android/server/LockSettingsService.java +2 −0 Original line number Diff line number Diff line Loading @@ -470,6 +470,7 @@ public class LockSettingsService extends ILockSettings.Stub { @Override public void setLockPattern(String pattern, String savedCredential, int userId) throws RemoteException { checkWritePermission(userId); byte[] currentHandle = getCurrentHandle(userId); if (pattern == null) { Loading Loading @@ -498,6 +499,7 @@ public class LockSettingsService extends ILockSettings.Stub { @Override public void setLockPassword(String password, String savedCredential, int userId) throws RemoteException { checkWritePermission(userId); byte[] currentHandle = getCurrentHandle(userId); if (password == null) { Loading
services/core/java/com/android/server/SystemConfig.java +25 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,7 @@ import static android.content.pm.PackageManager.INTENT_FILTER_DOMAIN_VERIFICATIO import static android.content.pm.PackageManager.INTENT_FILTER_DOMAIN_VERIFICATION_STATUS_ALWAYS_ASK; import android.app.ActivityManager; import android.content.ComponentName; import android.content.pm.FeatureInfo; import android.content.pm.Signature; import android.os.*; Loading Loading @@ -109,6 +110,9 @@ public class SystemConfig { final ArrayMap<Signature, ArraySet<String>> mSignatureAllowances = new ArrayMap<Signature, ArraySet<String>>(); // These are the permitted backup transport service components final ArraySet<ComponentName> mBackupTransportWhitelist = new ArraySet<>(); public static SystemConfig getInstance() { synchronized (SystemConfig.class) { if (sInstance == null) { Loading Loading @@ -158,6 +162,10 @@ public class SystemConfig { return mSignatureAllowances; } public ArraySet<ComponentName> getBackupTransportWhitelist() { return mBackupTransportWhitelist; } SystemConfig() { // Read configuration from system readPermissions(Environment.buildPath( Loading Loading @@ -432,6 +440,23 @@ public class SystemConfig { mLinkedApps.add(makeLink(pkgname, state)); } XmlUtils.skipCurrentTag(parser); } else if ("backup-transport-whitelisted-service".equals(name)) { String serviceName = parser.getAttributeValue(null, "service"); if (serviceName == null) { Slog.w(TAG, "<backup-transport-whitelisted-service> without service in " + permFile + " at " + parser.getPositionDescription()); } else { ComponentName cn = ComponentName.unflattenFromString(serviceName); if (cn == null) { Slog.w(TAG, "<backup-transport-whitelisted-service> with invalid service name " + serviceName + " in "+ permFile + " at " + parser.getPositionDescription()); } else { mBackupTransportWhitelist.add(cn); } } XmlUtils.skipCurrentTag(parser); } else { XmlUtils.skipCurrentTag(parser); Loading
