This project is mirrored from Pull mirroring updated .
  1. 13 Jul, 2020 2 commits
  2. 29 Jun, 2020 2 commits
  3. 09 Jun, 2020 1 commit
  4. 06 Jun, 2020 1 commit
  5. 27 May, 2020 1 commit
  6. 20 May, 2020 2 commits
  7. 06 May, 2020 3 commits
    • Christopher Tate's avatar
      Verify all possible hosts that match web nav · c227c2f1
      Christopher Tate authored
      Even if an <intent-filter> matches non-web schemes in addition to http
      or https, make sure to include its cited hosts in the autoVerify
      Bug: 150038428
      Test: atest OsHostTests#testIntentFilterHostValidation
      Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
      Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
      (cherry picked from commit 1fba0f897f276d5d47962534867e764da8061105)
      (cherry picked from commit a481c86c)
    • Riddle Hsu's avatar
      RESTRICT AUTOMERGE Use consistent calling uid and package in navigateUpTo · 0cd8f186
      Riddle Hsu authored
      Originally, if the caller of navigateUpTo is alive, even the calling
      uid is set to the caller who launched the existing destination activity,
      the uid from caller process has higher priority to replace the given
      calling uid. So this change doesn't modify the existing behavior if
      the caller process is valid. Besides, the case of delivering new intent
      uses the source record as calling identity too, so the case of starting
      new activity should be consistent.
      Also forbid attaching null application thread to avoid unexpected state
      in process record.
      Bug: 144285917
      Test: bit FrameworksServicesTests:ActivityStackTests
      Test: bit CtsSecurityTestCases:ActivityManagerTest# \
      Merged-In: I60732f430256d37cb926d08d093581f051c4afed
      Change-Id: I60732f430256d37cb926d08d093581f051c4afed
      (cherry picked from commit 1c9bf5cc)
    • Riddle Hsu's avatar
      RESTRICT AUTOMERGE Create separated tasks for different apps from startActivities · db8d9ce6
      Riddle Hsu authored
      Assume there are 2 applications A, B with different uids.
      There are 4 activities A1, A2, B1, B2 with default task
      affinity and launch mode.
      After A1 called startActivities(B1, A2, B2):
       Original   : Task(A1, B1, A2, B2)
       This Change: Task(A1, B1), Task(A2, B2)
      In other words, the source caller cannot launch its activity
      above the activity of other application in the same task, and
      it can still launch activity of other application in its task.
      Bug: 145669109
      Test: run cts --test android.server.cts.StartActivityTests \
            -m CtsServicesHostTestCases
      [basilgello: Back-ported to 14.1:
       - Added definition for ActivityRecord.getUid() from
      Signed-off-by: default avatarVasyl Gello <>
      Change-Id: I97bd875146a52f62b8fe82235487ccefb2955e8e
      (cherry picked from commit 2be3ba49)
  8. 29 Apr, 2020 1 commit
  9. 14 Apr, 2020 1 commit
  10. 08 Apr, 2020 2 commits
  11. 07 Apr, 2020 3 commits
    • /e/ robot's avatar
    • Ryan Mitchell's avatar
      Fix potential double destroy of AssetManager · c90263e2
      Ryan Mitchell authored
      Assume there is a XmlBlock [X] created by a AssetManager [A]
      ([A] will have mNumRefs = 2). After [A].close is called
      (mNumRefs = 1) and then both [X] and [A] are going to be GCed,
      if [A].finalize is called first (nativeDestroy), the later
      [X].finalize will invoke [A].xmlBlockGone that triggers the
      second nativeDestroy of [A] and leads to crash.
      By clearing the mObject in AssetManager.finalize, the
      decRefsLocked from other paths won't call nativeDestroy again.
      Bug: 144028297
      Test: atest
      Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
      Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
      (cherry picked from commit 93320661)
    • Christopher Tate's avatar
      Revoke 'always' web handler status when not autoverifying · f697cd3b
      Christopher Tate authored
      If an app has previously used autoVerify to make claims about its status
      re handling web navigation intents, but is updated such that it no
      longer makes those claims, step down its "official handler" status as
      though it had never invoked autoVerify in the first place.
      Bug: 146204120
      Test: manual: as described in bug; observe policy before/after via
            'adb shell dumpsys package d'
      Test: atest CtsOsHostTestCases
      Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
      Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
      (cherry picked from commit 6cf5f928)
  12. 06 Apr, 2020 3 commits
  13. 16 Mar, 2020 2 commits
  14. 12 Mar, 2020 1 commit
  15. 06 Mar, 2020 2 commits
  16. 03 Mar, 2020 3 commits
    • Patrick Baumann's avatar
      Fixes NPE when preparing app data during init · 331107d7
      Patrick Baumann authored
      When deleting an unused static shared library on Q, the user manager was
      fetched via mContext.getSystemService. At this time during boot, the
      service wasn't registered and so null was returned. This has already
      been addressed in R with a move to injecting dependencies in the
      PackageManagerService constructor.
      Bug: 142083996
      Bug: 141413692
      Test: manual; remove static dependency on eng Q build and reboot
      Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
      Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
      (cherry picked from commit 5d3fc339)
    • Patrick Baumann's avatar
      Handles null outInfo in deleteSystemPackageLI · 2c0a05d0
      Patrick Baumann authored
      This change adds null checks before accessing outInfo in
      Bug: 142083996
      Bug: 141413692
      Test: manual; remove static dependency on eng build and reboot
      Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
      (cherry picked from commit 17471016508bb9c9ffb8c3946dda0b4897d722f1)
      Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
      (cherry picked from commit 6afabce5)
    • paulhu's avatar
      Fix security problem on PermissionMonitor#hasPermission · caf3c621
      paulhu authored
      PermissionMonitor#hasPermission only checks permssions that app
      requested but it doesn't check whether the permission can be
      granted to this app. If requested permission doens't be granted
      to app, this method still returns that app has this permission.
      Then PermissionMonitor will pass this info to netd that means
      this app still can use network even restricted network without
      granted privileged permission like CONNECTIVITY_INTERNAL or
      Bug: 144679405
      Test: Build, flash, manual test
      Change-Id: I5eba4909e4c2e1d9f275f66be90ac36466b93e90
      Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
      Merged-In: Iae9c273af822b18c2e6fce04848a86f8dea6410a
      (cherry picked from commit 305946b9)
  17. 25 Feb, 2020 3 commits
  18. 24 Feb, 2020 1 commit
  19. 21 Feb, 2020 2 commits
  20. 14 Feb, 2020 1 commit
  21. 11 Feb, 2020 1 commit
  22. 10 Feb, 2020 1 commit
  23. 05 Feb, 2020 1 commit
    • Sterling Huber's avatar
      RESTRICT AUTOMERGE Make toasts non-clickable · 2dbe94c0
      Sterling Huber authored
      Since enforcement was only on client-side, in Toast class, an app could
      use reflection (or other means) to make the Toast clickable. This is a
      security vulnerability since it allows tapjacking, that is, intercept touch
      events and do stuff like steal PINs and passwords.
      This CL brings the enforcement to the system by applying flag
      Test: atest CtsWindowManagetDeviceTestCases:ToastTest
      Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
            log click events. Then:
            1) Observe click events are logged without this CL.
            2) Observer click events are not logged with this CL.
      Bug: 128674520
      (cherry picked from commit 6bf18c39)
      Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0