This project is mirrored from Pull mirroring updated .
  1. 21 Feb, 2022 1 commit
  2. 12 Feb, 2022 1 commit
  3. 24 Aug, 2021 2 commits
  4. 19 Jul, 2021 1 commit
  5. 08 Jun, 2021 2 commits
    • Increase maximum allowed size for status bar icons · 55219d15
      Beth Thibodeau authored
      The previous size was causing some apps to crash which otherwise worked
      fine. This more closely matches the hard limit in RecordingCanvas
      (which we need to stay below to prevent SystemUI from crashing).
      Fixes: 182891864
      Fixes: 182232777
      Bug: 169255797
      Test: atest StatusBarIconViewTest
      Test: manual - posting notifications with different drawable sizes
      Change-Id: I8deacc651e05a202ec980eeb8bcdf4f92daea8eb
      (cherry picked from commit 5cd7976f)
      (cherry picked from commit 8875da52)
    • Limit maximum allowed size for a status bar icon · 6da8f91a
      Beth Thibodeau authored
      Bug: 169255797
      Test: atest StatusBarIconViewTest
      Test: verified that app crashes instead of SysUI following repro steps
      Change-Id: I66e3bb873841b5babfd522c82cea7bed361fc14c
      (cherry picked from commit 4394595debfd3f625b45a8b2280cdbec61f8dc71)
      (cherry picked from commit 5791303c)
  6. 16 Apr, 2021 1 commit
  7. 09 Apr, 2021 1 commit
  8. 06 Apr, 2021 2 commits
    • Close screenshot process on user switched · c1b1eebc
      Miranda Kephart authored
      Currently, we keep the process up even if the user switches,
      meaning that in some cases (if the user is switched while the
      screenshot UI is up) we will save images to the wrong profile.
      This change makes ScreenshotHelper listen for user switches and
      close the screenshot service, so that a new screenshot is
      guaranteed to be constructed with the correct user's context.
      Bug: 170474245
      Fix: 170474245
      Test: manual -- verified bad state occurs if user switches within
      the timeout period, ensured that screenshots work immediately
      after switching with this change.
      Change-Id: I9d32d0928e6c2bda161d04555438d0dd7afef0ba
      (cherry picked from commit 7ef1a5dd)
      (cherry picked from commit 8a2656d4)
    • DO NOT MERGE: WM: Only allow system to use NO_INPUT_CHANNEL. · 24030902
      Robert Carr authored
      NO_INPUT_CHANNEL is a hidden WM flag that allows creation of a window
      without an input channel. Unfortunately in releases prior to Android R
      this would allow creation of a Window which will not be known to the
      InputDispatcher at all. This means that the logic generating
      FLAG_OBSCURED will work and a window will be able to overlay another
      window without the overlaid window being notified. In Android R and
      later this isn't a problem as the InputDispatcher is informed of all
      windows, input channel or not. For past Android releases, this patch
      disables NO_INPUT_CHANNEL for use outside of the WM.
      Bug: 152064592
      Test: Existing tests pass
      (cherry picked from commit 9661bf7a)
      [basilgello: Back-port to 14.1:
       - SYSTEM_UID -> Process.SYSTEM_UID]
      Signed-off-by: Vasyl Gello <>
      Change-Id: I7e1f45cba139eab92e7df88d1e052baba0ae2cc6
  9. 07 Mar, 2021 1 commit
  10. 02 Mar, 2021 1 commit
  11. 17 Feb, 2021 5 commits
    • Revoke the uri permission when the file is deleted · 6183c32e
      Ivan Chiang authored
      When the file is deleted, renamed or moved, revoke all uri
      permissions with the file
      Bug: 157474195
      Test: manual test with DocumentsUI
      Test: atest DocumentsTest#testAfterMoveDocumentInStorage_revokeUriPermission
      Change-Id: I4ffb183630aadb2d87b0965e8cecf88af15f4534
      Merged-In: I4ffb183630aadb2d87b0965e8cecf88af15f4534
      (cherry picked from commit 9efd606f)
      (cherry picked from commit 42c44f36)
    • Restrict app transition maximum duration · 756de71e
      lumark authored
      As WindowState#startAnimation for restricting window animation duration
      (currently is 10 secs),
      For security reasons, we also need to restrict app transition animation
      duration as 3 secs to prevent malicious app may set a long duration or
      infinity repeat counts through ActivityOption#makeCustomAnimation or
      Activity#overridePendingTransition with custom animation set.
      Bug: 145728687
      Test: manual as issue provided test app
      Change-Id: I39051d6e4d2b681ce2becbafe14aab3f3d8ebf6b
      (cherry picked from commit 36bcc773)
    • RESTRICT AUTOMERGE Ensure caller identity is restored in CP quick-path. · fe0cd263
      Varun Shah authored
      Bug: 172935267
      Test: PoC in bug
      Change-Id: I469bde7d0a0f89c94f1234cf40983395048962e2
      (cherry picked from commit 79062d79)
    • Remove updateIntentVerificationStatusAsUser from ResolverActivity · 5cc8255a
      Winson authored
      DO NOT CHERRY PICK ANYWHERE: Security issue
      This API is meant to grant an app complete verification over the
      domains it has declared, meaning it will always resolve the domains it
      declares for web links.
      This can allow an app to take over links that are unowned. Any time a
      user selects "Always" when resolving an Intent in the disambiguation
      dialog, this API would be called, and all subsequent resolutions of any
      domain declared by the app selected would be automatically directed to
      that app, with no prompt to the user.
      From a quick search, it's possible that all usages of this API are
      actually unintended and should be removed. Should be considered for
      deprecation in the future.
      Bug: 163358811
      Test: none, this is not generally testable, see linked bug for context
      Merged-In: Iff7f788a83af68c7fbb1c6b9a8be7b47136be2b6
      Change-Id: Iff7f788a83af68c7fbb1c6b9a8be7b47136be2b6
      (cherry picked from commit 4e71b31e)
  12. 16 Feb, 2021 1 commit
  13. 11 Feb, 2021 1 commit
  14. 05 Feb, 2021 2 commits
  15. 06 Jan, 2021 5 commits
    • Protect GrantCredentialsPermissionActivity against overlay. · 6b266b30
      Dmitry Dementyev authored
      Bug: 169763814
      Test: manual
      Merged-In: I15dd22791fcc61ef02b06ad51d9e4409d11c0181
      Change-Id: I0d8f901d100a5e2a022c96fa6c2be75a11c58059
      (cherry picked from commit deddb784)
    • Make GlobalScreenshot PendingIntents immutable · 45131deb
      Miranda Kephart authored
      Mutable pending intents are a security risk. This change adds the
      IMMUTABLE flag to all PendingIntents created in GlobalScreenshot.
      Bug: 162738636
      Test: manual
      Change-Id: I1044b6aaf2b1650ff91d9a72181684d2aaea9a62
      (cherry picked from commit 3aa7d375)
    • Ignore GrantCredentials call with unexpected calling uid. · 3bf558af
      Dmitry Dementyev authored
      Activity can be used only in two cases.
      1) Calling uid matches uid grantee.
      2) Calling uid is system. This flow is used by getToken methods with
      Test: Existing CTS tests
      Bug: 158480899
      Merged-In: I983fa
      [basilgello: Back-port to 14.1:
       - ActivityManager.getService() -> ActivityManagerNative.getDefault()]
      Signed-off-by: Vasyl Gello <>
      Change-Id: I8da362df269decd7c3930a2387f42e09796e732f
      (cherry picked from commit 88787b77)
    • Check that Account Parcel has name and type. · 653e64f0
      Dmitry Dementyev authored
      Bug: 129287265
      Test: manual
      (cherry picked from commit 32e85796)
      (cherry picked from commit 0992000a)
      Change-Id: I8431eb27cc4c6dfd3048b28ff635474f14433308
    • DO NOT MERGE Check fingerprint client against top activity in auth callback · 5566abdf
      Curtis Belmonte authored
      Due to a race condition with activity task stack broadcasts, it's
      currently possible for fingerprint authentication to succeed for a
      non-top activity. This means, for example, that a malicious overlay
      could be drawn in order to mislead the user about what they are
      authenticating for.
      This commit addresses the issue by adding a check to the fingerprint
      authentication client interface that ensures the authenticating
      activity is on top at the time of authentication. Otherwise, the
      pending authentication will fail, as if an incorrect biometric
      had been presented.
      Test: Follow steps from b/159249069:
      1. Install com.pro100svitlo.fingerprintauthdemo from the Play store.
      2. Install the PoC attack app from b/159249069.
      3. Start the PoC attack app and press the "Launch PoC attack" button.
      4. Use fingerprint to authenticate while the overlay is showing.
      Before: Authentication succeeds, and a new activity is launched.
      After: Authentication fails, and no new activity is launched.
      Bug: 159249069
      Change-Id: I0707c3f55eaf2a69c6625a3ceb3b5626b3676b26
      Merged-In: If5cdf8ffaf3aa7d8a1ac81272e3bfb2cc7cdddf1
      Merged-In: Iee6af379515385777984da55048c1efd9339ed88
      Merged-In: I9b242a9fee0acbfb430875061e2d809c00fe4b97
      Merged-In: I1241a12eafa0bdbac59a8ddd4cf6a0637d467b19
      Merged-In: Ie5a0f8c3e9b92d348a78678a6ed192d440c45ffc
      Merged-In: I289d67e5c7055ed60f7a96725c523d07cd047b23
      (cherry picked from commit 7786f490)
      [basilgello: Back-port to 14.1:
       - No android.hardware.biometrics.fingerprint.V2_1.IBiometricsFingerprint present,
       - import ->
       - ActivityManager.getService() -> activityManagerNative.getDefault()]
      Signed-off-by: Vasyl Gello <>
      Change-Id: I0bffe9dd72b239cbb6ddeb2dc0c83f06033723dd
  16. 21 Dec, 2020 1 commit
  17. 20 Dec, 2020 1 commit
  18. 05 Nov, 2020 2 commits
  19. 29 Oct, 2020 1 commit
  20. 28 Oct, 2020 1 commit
    • Add missing isShellUser check · 10c01c2f
      John Reck authored
      Bug: 160390416
      Test: verified command still works from shell
      [basilgello: Back-port to 14.1:
       - {ROOT,SHELL}_UID -> Process.{ROOT,SHELL}_UID]
      Signed-off-by: Vasyl Gello <>
      Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
      (cherry picked from commit 03542611)
      Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
      (cherry picked from commit 5e2931c6)
      (cherry picked from commit 4a31000e6072c14608ec1c59321481c8aa330313)
  21. 06 Oct, 2020 1 commit
  22. 11 Sep, 2020 3 commits
    • DO NOT MERGE - Only autoVerify at install for new hosts · 3afe5662
      Christopher Tate authored
      Re-run app link verification at update time only when the set of hosts
      has expanded.  Intentionally revoke verify history when an app stops
      using autoVerify, as a one-time measure to place it back into the
      non-autoverify model for tracking the user's launch preferences.  If the
      app starts using autoVerify again later, it behaves identically to an
      app that has never done so before.
      Bug: 151475497
      Bug: 146204120
      Test: described on master CL
      Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
      Merged-In: Ibaf087946966ad82d60c7b255e3ee75990716b63
      (cherry picked from commit 90b716a4)
      [basilgello: Backport to 14.1:
       - idleController.addPowerSaveTempWhitelistApp does not exist,
       - domains is ArrayList<String> not ArraySet<String> so adding
         dummy domainsList]
      Signed-off-by: Vasyl Gello <>
      Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63
    • DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package · 5e87848e
      Winson authored
      Without this check, any package can set the installer package of
      another package whose installer has been removed or was never set.
      This provides access to other privileged actions and is undesired.
      Bug: 150857253
      Test: manual verify with proof of concept in linked bug
      Test: atest android.appsecurity.cts.PackageSetInstallerTest
      [basilgello: Backport to 14.1:
       - callingUid -> Binder.getCallingUid()]
      Signed-off-by: Vasyl Gello <>
      Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
      (cherry picked from commit fc8bfed5)
    • Revert "Revoke 'always' web handler status when not autoverifying" · c3ad6422
      Chris Tate authored
      This reverts commit f697cd3b.
      Reason for revert: Inadvertently broke link handling stickiness even for well behaved apps
      Bug: 146204120
      Test: install app that handles web urls; set to 'always' in Settings;
      install same apk again.  Verify that app is still in 'always' state via
      'adb shell dumpsys package d'
      Merged-In: If9046cb420961b8ef0333e9f1115eb69fb92242e
      Change-Id: I36d9c352e741e88b9fc773b084bef3991b6d96ed
  23. 22 Aug, 2020 1 commit
  24. 14 Aug, 2020 1 commit
  25. 10 Aug, 2020 1 commit