GitLab

Require that the PendingIntent be immutable so that a malicious app is
not able to hijack and mutate any of the details.

Fixes: 154915372
Test: build & flash, change wallpaper manually.
Change-Id: I59b48811b26736bf0575769107dd940ca33ccf8d
(cherry picked from commit d4bd69ce)
(cherry picked from commit b392903052b3c35b5b9706d6d1f19762d943f58e)

Repeated locale has not been accepted and IllegalArgumentException
is thrown. Instead of throwing exception, dropping repeated locale
instead.

Bug: 152410253
Test: atest LocaleListTest
Change-Id: I80f243678ac3024eaeb0349f770cff897df7f332
(cherry picked from commit 142ce41b)

Test: manual; monitor SystemUI performance when an app tries to
post a messaging style notification with messages with long text
Bug: 158304295
Bug: 147358092

Merged-In: c953fdf6bc498ca791aed49df04e5a07c935b63a
Change-Id: I0e2ea12fc3351b1a56645b556720ea2306f5422a
(cherry picked from commit c953fdf6bc498ca791aed49df04e5a07c935b63a)
(cherry picked from commit a19f9ed2)

Bug: 160390416
Test: verified command still works from shell

[basilgello: Back-port to 14.1:
 - {ROOT,SHELL}_UID -> Process.{ROOT,SHELL}_UID]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 03542611973e4ce3ddca522ee12bcc85e59ce901)
Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 5e2931c6)
(cherry picked from commit 4a31000e6072c14608ec1c59321481c8aa330313)

Re-run app link verification at update time only when the set of hosts
has expanded.  Intentionally revoke verify history when an app stops
using autoVerify, as a one-time measure to place it back into the
non-autoverify model for tracking the user's launch preferences.  If the
app starts using autoVerify again later, it behaves identically to an
app that has never done so before.

Bug: 151475497
Bug: 146204120
Test: described on master CL

Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
Merged-In: Ibaf087946966ad82d60c7b255e3ee75990716b63
(cherry picked from commit 90b716a4)

[basilgello: Backport to 14.1:
 - idleController.addPowerSaveTempWhitelistApp does not exist,
 - domains is ArrayList<String> not ArraySet<String> so adding
   dummy domainsList]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63

Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.

Bug: 150857253

Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest

[basilgello: Backport to 14.1:
 - callingUid -> Binder.getCallingUid()]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
(cherry picked from commit fc8bfed5)

This reverts commit f697cd3b.

Reason for revert: Inadvertently broke link handling stickiness even for well behaved apps

Bug: 146204120
Test: install app that handles web urls; set to 'always' in Settings;
install same apk again.  Verify that app is still in 'always' state via
'adb shell dumpsys package d'

Merged-In: If9046cb420961b8ef0333e9f1115eb69fb92242e
Change-Id: I36d9c352e741e88b9fc773b084bef3991b6d96ed

nougat grant /e/ mail default permissions

See merge request !81

Change tasks app permission name from "org.dmfs" to "foundation.e"

See merge request !73

GLUtil.texImage2D may throw exception that indicates bad image format.
We should catch this exception, otherwise, systemui may keep crashing.

Bug: 156087409
Test: Set a 16-bit rgb image as wallpaper
Test: Systemui shouldn't keep crashing
Change-Id: I6c9715c049b7848ecd5559ab76612a98dcd4ee6f
(cherry picked from commit a3bff94e)

Bug: 142986887
Bug: 140108616
Test: Manual
Change-Id: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
Merged-In: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
(cherry picked from commit b2e84f04)
(cherry picked from commit 9f8923d5)

...rather than relying on in-app code to perform the shutdown.

Backport of security fix.

Bug: 128649910
Bug: 140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification

[basilgello: back-port to 14.1:
- core/java/android/app/IActivityManager.aidl -> core/java/android/app/IActivityManager.java,
- no serviceForegroundCrash in services/core/java/com/android/server/am/ActiveServices.java,
- no runCrash in services/core/java/com/android/server/am/ActivityManagerShellCommand.java,
- add argument to ActivityManagerProxy,
- no mNotificationLock and ForegroundService,
- adjust args count (remove '-1') in killMisbehavingService]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
(cherry picked from commit a79b6ba5)

Grant default permission to eDrive

See merge request !78

Grant Default Permission to calendar

See merge request !76

from "org.dmfs" to "foundation.e"

[RELEASE] Sprint Lockdown

See merge request !64

Nougat new user icons

See merge request !63

Change-Id: I560753b0bade38785987e43abdaf7b2cb35ccb74

Even if an <intent-filter> matches non-web schemes in addition to http
or https, make sure to include its cited hosts in the autoVerify
evaluation.

Bug: 150038428
Test: atest OsHostTests#testIntentFilterHostValidation
Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
(cherry picked from commit 1fba0f897f276d5d47962534867e764da8061105)
(cherry picked from commit a481c86c)

Originally, if the caller of navigateUpTo is alive, even the calling
uid is set to the caller who launched the existing destination activity,
the uid from caller process has higher priority to replace the given
calling uid. So this change doesn't modify the existing behavior if
the caller process is valid. Besides, the case of delivering new intent
uses the source record as calling identity too, so the case of starting
new activity should be consistent.

Also forbid attaching null application thread to avoid unexpected state
in process record.

Bug: 144285917
Test: bit FrameworksServicesTests:ActivityStackTests
Test: bit CtsSecurityTestCases:ActivityManagerTest# \
      testActivityManager_attachNullApplication
Merged-In: I60732f430256d37cb926d08d093581f051c4afed
Change-Id: I60732f430256d37cb926d08d093581f051c4afed
(cherry picked from commit 1c9bf5cc)

Assume there are 2 applications A, B with different uids.
There are 4 activities A1, A2, B1, B2 with default task
affinity and launch mode.

After A1 called startActivities(B1, A2, B2):
 Original   : Task(A1, B1, A2, B2)
 This Change: Task(A1, B1), Task(A2, B2)
In other words, the source caller cannot launch its activity
above the activity of other application in the same task, and
it can still launch activity of other application in its task.

Bug: 145669109
Test: run cts --test android.server.cts.StartActivityTests \
      -m CtsServicesHostTestCases

[basilgello: Back-ported to 14.1:
 - Added definition for ActivityRecord.getUid() from
   fwb/82ea6cb9]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I97bd875146a52f62b8fe82235487ccefb2955e8e
(cherry picked from commit 2be3ba49)

grant esms permissions

See merge request !54

Assume there is a XmlBlock [X] created by a AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.

By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.

Bug: 144028297
Test: atest android.security.cts.AssetManagerTest

Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit 93320661)

If an app has previously used autoVerify to make claims about its status
re handling web navigation intents, but is updated such that it no
longer makes those claims, step down its "official handler" status as
though it had never invoked autoVerify in the first place.

Bug: 146204120
Test: manual: as described in bug; observe policy before/after via
      'adb shell dumpsys package d'
Test: atest CtsOsHostTestCases
Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
(cherry picked from commit 6cf5f928)

[RELEASE] Sprint Istanbul

See merge request !47

[RELEASE] Sprint Istanbul grant esms permissions

See merge request !51