This project is mirrored from Pull mirroring updated .
  1. 21 Dec, 2020 1 commit
  2. 20 Dec, 2020 1 commit
    • wilsonshih's avatar
      Make WallpaperMS bind wallpaper component PendingIntent immutable. · bdbf96c1
      wilsonshih authored
      Require that the PendingIntent be immutable so that a malicious app is
      not able to hijack and mutate any of the details.
      Fixes: 154915372
      Test: build & flash, change wallpaper manually.
      Change-Id: I59b48811b26736bf0575769107dd940ca33ccf8d
      (cherry picked from commit d4bd69ce)
      (cherry picked from commit b392903052b3c35b5b9706d6d1f19762d943f58e)
  3. 05 Nov, 2020 2 commits
    • Seigo Nonaka's avatar
      Accept repeated locale as an input of LocaleList construction. · d51d737f
      Seigo Nonaka authored
      Repeated locale has not been accepted and IllegalArgumentException
      is thrown. Instead of throwing exception, dropping repeated locale
      Bug: 152410253
      Test: atest LocaleListTest
      Change-Id: I80f243678ac3024eaeb0349f770cff897df7f332
      (cherry picked from commit 142ce41b)
    • Julia Reynolds's avatar
      Sanitize more of the notification text fields · 820614a3
      Julia Reynolds authored
      Test: manual; monitor SystemUI performance when an app tries to
      post a messaging style notification with messages with long text
      Bug: 158304295
      Bug: 147358092
      Merged-In: c953fdf6bc498ca791aed49df04e5a07c935b63a
      Change-Id: I0e2ea12fc3351b1a56645b556720ea2306f5422a
      (cherry picked from commit c953fdf6bc498ca791aed49df04e5a07c935b63a)
      (cherry picked from commit a19f9ed2)
  4. 29 Oct, 2020 1 commit
  5. 28 Oct, 2020 1 commit
    • John Reck's avatar
      Add missing isShellUser check · 10c01c2f
      John Reck authored
      Bug: 160390416
      Test: verified command still works from shell
      [basilgello: Back-port to 14.1:
       - {ROOT,SHELL}_UID -> Process.{ROOT,SHELL}_UID]
      Signed-off-by: default avatarVasyl Gello <>
      Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
      (cherry picked from commit 03542611973e4ce3ddca522ee12bcc85e59ce901)
      Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
      (cherry picked from commit 5e2931c6)
      (cherry picked from commit 4a31000e6072c14608ec1c59321481c8aa330313)
  6. 06 Oct, 2020 1 commit
  7. 11 Sep, 2020 3 commits
    • Christopher Tate's avatar
      DO NOT MERGE - Only autoVerify at install for new hosts · 3afe5662
      Christopher Tate authored
      Re-run app link verification at update time only when the set of hosts
      has expanded.  Intentionally revoke verify history when an app stops
      using autoVerify, as a one-time measure to place it back into the
      non-autoverify model for tracking the user's launch preferences.  If the
      app starts using autoVerify again later, it behaves identically to an
      app that has never done so before.
      Bug: 151475497
      Bug: 146204120
      Test: described on master CL
      Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
      Merged-In: Ibaf087946966ad82d60c7b255e3ee75990716b63
      (cherry picked from commit 90b716a4)
      [basilgello: Backport to 14.1:
       - idleController.addPowerSaveTempWhitelistApp does not exist,
       - domains is ArrayList<String> not ArraySet<String> so adding
         dummy domainsList]
      Signed-off-by: default avatarVasyl Gello <>
      Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63
    • Winson's avatar
      DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package · 5e87848e
      Winson authored
      Without this check, any package can set the installer package of
      another package whose installer has been removed or was never set.
      This provides access to other privileged actions and is undesired.
      Bug: 150857253
      Test: manual verify with proof of concept in linked bug
      Test: atest android.appsecurity.cts.PackageSetInstallerTest
      [basilgello: Backport to 14.1:
       - callingUid -> Binder.getCallingUid()]
      Signed-off-by: default avatarVasyl Gello <>
      Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
      (cherry picked from commit fc8bfed5)
    • Chris Tate's avatar
      Revert "Revoke 'always' web handler status when not autoverifying" · c3ad6422
      Chris Tate authored
      This reverts commit f697cd3b.
      Reason for revert: Inadvertently broke link handling stickiness even for well behaved apps
      Bug: 146204120
      Test: install app that handles web urls; set to 'always' in Settings;
      install same apk again.  Verify that app is still in 'always' state via
      'adb shell dumpsys package d'
      Merged-In: If9046cb420961b8ef0333e9f1115eb69fb92242e
      Change-Id: I36d9c352e741e88b9fc773b084bef3991b6d96ed
  8. 22 Aug, 2020 1 commit
  9. 14 Aug, 2020 1 commit
  10. 10 Aug, 2020 1 commit
  11. 05 Aug, 2020 3 commits
    • Ahan Wu's avatar
      DO NOT MERGE Prevent ImageWallpaper from keeping crashing · 6b94d503
      Ahan Wu authored
      GLUtil.texImage2D may throw exception that indicates bad image format.
      We should catch this exception, otherwise, systemui may keep crashing.
      Bug: 156087409
      Test: Set a 16-bit rgb image as wallpaper
      Test: Systemui shouldn't keep crashing
      Change-Id: I6c9715c049b7848ecd5559ab76612a98dcd4ee6f
      (cherry picked from commit a3bff94e)
    • Jing Ji's avatar
      More fixes towards the race conditions in AMS · d8389d36
      Jing Ji authored
      Bug: 142986887
      Bug: 140108616
      Test: Manual
      Change-Id: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
      Merged-In: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
      (cherry picked from commit b2e84f04)
      (cherry picked from commit 9f8923d5)
    • Christopher Tate's avatar
      DO NOT MERGE - Kill apps outright for API contract violations · eee0afba
      Christopher Tate authored
      ...rather than relying on in-app code to perform the shutdown.
      Backport of security fix.
      Bug: 128649910
      Bug: 140108616
      Test: manual
      Test: atest OsHostTests#testForegroundServiceBadNotification
      [basilgello: back-port to 14.1:
      - core/java/android/app/IActivityManager.aidl -> core/java/android/app/,
      - no serviceForegroundCrash in services/core/java/com/android/server/am/,
      - no runCrash in services/core/java/com/android/server/am/,
      - add argument to ActivityManagerProxy,
      - no mNotificationLock and ForegroundService,
      - adjust args count (remove '-1') in killMisbehavingService]
      Signed-off-by: default avatarVasyl Gello <>
      Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
      Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
      (cherry picked from commit a79b6ba5)
  12. 22 Jul, 2020 1 commit
  13. 13 Jul, 2020 2 commits
  14. 29 Jun, 2020 2 commits
  15. 23 Jun, 2020 1 commit
  16. 09 Jun, 2020 1 commit
  17. 06 Jun, 2020 1 commit
  18. 27 May, 2020 1 commit
  19. 20 May, 2020 2 commits
  20. 06 May, 2020 3 commits
    • Christopher Tate's avatar
      Verify all possible hosts that match web nav · c227c2f1
      Christopher Tate authored
      Even if an <intent-filter> matches non-web schemes in addition to http
      or https, make sure to include its cited hosts in the autoVerify
      Bug: 150038428
      Test: atest OsHostTests#testIntentFilterHostValidation
      Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
      Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
      (cherry picked from commit 1fba0f897f276d5d47962534867e764da8061105)
      (cherry picked from commit a481c86c)
    • Riddle Hsu's avatar
      RESTRICT AUTOMERGE Use consistent calling uid and package in navigateUpTo · 0cd8f186
      Riddle Hsu authored
      Originally, if the caller of navigateUpTo is alive, even the calling
      uid is set to the caller who launched the existing destination activity,
      the uid from caller process has higher priority to replace the given
      calling uid. So this change doesn't modify the existing behavior if
      the caller process is valid. Besides, the case of delivering new intent
      uses the source record as calling identity too, so the case of starting
      new activity should be consistent.
      Also forbid attaching null application thread to avoid unexpected state
      in process record.
      Bug: 144285917
      Test: bit FrameworksServicesTests:ActivityStackTests
      Test: bit CtsSecurityTestCases:ActivityManagerTest# \
      Merged-In: I60732f430256d37cb926d08d093581f051c4afed
      Change-Id: I60732f430256d37cb926d08d093581f051c4afed
      (cherry picked from commit 1c9bf5cc)
    • Riddle Hsu's avatar
      RESTRICT AUTOMERGE Create separated tasks for different apps from startActivities · db8d9ce6
      Riddle Hsu authored
      Assume there are 2 applications A, B with different uids.
      There are 4 activities A1, A2, B1, B2 with default task
      affinity and launch mode.
      After A1 called startActivities(B1, A2, B2):
       Original   : Task(A1, B1, A2, B2)
       This Change: Task(A1, B1), Task(A2, B2)
      In other words, the source caller cannot launch its activity
      above the activity of other application in the same task, and
      it can still launch activity of other application in its task.
      Bug: 145669109
      Test: run cts --test android.server.cts.StartActivityTests \
            -m CtsServicesHostTestCases
      [basilgello: Back-ported to 14.1:
       - Added definition for ActivityRecord.getUid() from
      Signed-off-by: default avatarVasyl Gello <>
      Change-Id: I97bd875146a52f62b8fe82235487ccefb2955e8e
      (cherry picked from commit 2be3ba49)
  21. 29 Apr, 2020 1 commit
  22. 14 Apr, 2020 1 commit
  23. 08 Apr, 2020 2 commits
  24. 07 Apr, 2020 3 commits
    • /e/ robot's avatar
    • Ryan Mitchell's avatar
      Fix potential double destroy of AssetManager · c90263e2
      Ryan Mitchell authored
      Assume there is a XmlBlock [X] created by a AssetManager [A]
      ([A] will have mNumRefs = 2). After [A].close is called
      (mNumRefs = 1) and then both [X] and [A] are going to be GCed,
      if [A].finalize is called first (nativeDestroy), the later
      [X].finalize will invoke [A].xmlBlockGone that triggers the
      second nativeDestroy of [A] and leads to crash.
      By clearing the mObject in AssetManager.finalize, the
      decRefsLocked from other paths won't call nativeDestroy again.
      Bug: 144028297
      Test: atest
      Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
      Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
      (cherry picked from commit 93320661)
    • Christopher Tate's avatar
      Revoke 'always' web handler status when not autoverifying · f697cd3b
      Christopher Tate authored
      If an app has previously used autoVerify to make claims about its status
      re handling web navigation intents, but is updated such that it no
      longer makes those claims, step down its "official handler" status as
      though it had never invoked autoVerify in the first place.
      Bug: 146204120
      Test: manual: as described in bug; observe policy before/after via
            'adb shell dumpsys package d'
      Test: atest CtsOsHostTestCases
      Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
      Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
      (cherry picked from commit 6cf5f928)
  25. 06 Apr, 2020 3 commits