This project is mirrored from Updated .
  1. 25 Feb, 2020 3 commits
  2. 21 Feb, 2020 2 commits
  3. 14 Feb, 2020 1 commit
  4. 11 Feb, 2020 1 commit
  5. 10 Feb, 2020 1 commit
  6. 05 Feb, 2020 3 commits
    • RESTRICT AUTOMERGE Make toasts non-clickable · 2dbe94c0
      Sterling Huber authored
      Since enforcement was only on client-side, in Toast class, an app could
      use reflection (or other means) to make the Toast clickable. This is a
      security vulnerability since it allows tapjacking, that is, intercept touch
      events and do stuff like steal PINs and passwords.
      This CL brings the enforcement to the system by applying flag
      Test: atest CtsWindowManagetDeviceTestCases:ToastTest
      Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
            log click events. Then:
            1) Observe click events are logged without this CL.
            2) Observe click events are not logged with this CL.
      Bug: 128674520
      (cherry picked from commit 6bf18c39)
      Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
    • DO NOT MERGE back porting for fixing sysui direct reply · de08dc76
      Yohei Yukawa authored
      Root cause: systemui runs as user 0 service to handle all of users'
      notifications. And, the users can use the copy/cut/paste
      Solution: To create @hide API in TextView let SystemUI to mark the
      TextView instance should check if the power of
      INTERACT_ACROSS_USER_FULL is needed to be restricted.
      e.g. Keyguard password textview/Notification entries
      Bug: 123232892
      Test: manual test
      Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
      Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
      Reference: I975baa748c821538e5a733bb98a33ac609bf40a7
      Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
      (cherry picked from commit 08391b3d)
      [basilgello: Back-ported to 14.1:
       - packages/SystemUI/src/com/android/keyguard/ ->
      Signed-off-by: Vasyl Gello <>
      Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
    • DO NOT MERGE: Disable SpellChecker in secondary user's direct reply · 1163d5e8
      Tarandeep Singh authored
      For secondary users, when AOSP keyboard is used to type in
      direct-reply, unknown words can be added to dictionary.
      It's *not* OK for SpellCheckerService of primary user to
      check unknown words typed by a secondary user.
      The dialog to add these words shows up in primary user instead.
      TextView uses TextView#isSuggestionsEnabled() to determine if
      SpellChecker is enabled. This can be disabled by setting the flag
      Note: This doesn't affect workprofile users on P or older versions since
      they use same SpellCheckerService for all workprofiles.
      Bug: 123232892
      Test: Manually tested using the steps mentioned in the bug.
       1. Flash latest P build.
       2. Install AOSP keyboard (LatinIME) and set it as default.
       3. Install and open EditTextVariations
       4. Initiate direct reply in primary user and type non-english
          words like "ggggg hhhhh".
       5. Observe that they get red underline and tapping it brings "add
          to dictionary" popup.
       6. Create a new secondary user and switch to it.
       7. Once the setup completes, initiate a direct reply and type words
          similar to step 4.
       8. Verify that red underlines don't appear.
       9. Switch back to primary user and verify direct reply still has red
      (cherry picked from commit b5c0e01a)
      Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc
  7. 03 Feb, 2020 1 commit
  8. 21 Jan, 2020 2 commits
  9. 07 Jan, 2020 3 commits
    • Prevent system uid component from running in an isolated app process · e9c1ec70
      Jing Ji authored
      Bug: 140055304
      Test: Manua
      Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
      Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
      (cherry picked from commit 0bfebadf)
    • Only allow INSTALL_ALLOW_TEST from shell or root · f24e5205
      Todd Kennedy authored
      Bug: 141169173
      Test: Manual. App can't be installed as test-only
      Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
      Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
      (cherry picked from commit 702d3947)
    • DO NOT MERGE Validate wallpaper dimension while generating crop · 7d4f9019
      Ahan Wu authored
      If dimensions of cropped wallpaper image exceed max texture size that
      GPU can support, it will cause ImageWallpaper to keep crashing
      because hwui crashes by invalid operation (0x502).
      Bug: 120847476.
      Test: Write a custom app to set an 8000x800 bitmap as wallpaper.
      Test: The cropped file will be 29600x2960 and make sysui keep crashing.
      Test: After applying this CL, wallpaper will use fallback.
      Test: Sysui will not keep crashing any more.
      Change-Id: I8ed5931298c652a2230858cf62df3f6fcd345c5a
      (cherry picked from commit f1e1f4f0)
  10. 23 Dec, 2019 1 commit
  11. 16 Dec, 2019 2 commits
  12. 15 Dec, 2019 1 commit
  13. 08 Dec, 2019 1 commit
    • Do not compute outside given range in TextLine · 434f2bce
      Seigo Nonaka authored
      This is the second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
      which breaks various layout tests on application.
      The empty string must be also handled by the TextLine since it
      retrieves the default line height from the empty string.
      Bug: 140632678
      Test: StaticLayoutTest
      Test: Manually done
      Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
  14. 14 Nov, 2019 1 commit
  15. 05 Nov, 2019 4 commits
    • RESTRICT AUTOMERGE Strict SQLiteQueryBuilder needs to be stricter. · a634fae4
      Jeff Sharkey authored
      Malicious callers can leak side-channel information by using
      subqueries in any untrusted inputs where SQLite allows "expr" values.
      This change offers setStrictGrammar() to prevent this by outright
      blocking subqueries in WHERE and HAVING clauses, and by requiring
      that GROUP BY and ORDER BY clauses be composed only of valid columns.
      This change also offers setStrictColumns() to require that all
      untrusted column names are valid, such as those in ContentValues.
      Relaxes to always allow aggregation operators on returned columns,
      since untrusted callers can always calculate these manually.
      Bug: 135270103
      Bug: 135269143
      Test: atest android.database.sqlite.cts.SQLiteQueryBuilderTest
      Test: atest FrameworksCoreTests:android.database.sqlite.SQLiteTokenizerTest
      Exempt-From-Owner-Approval: already approved in downstream branch
      Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
      (cherry picked from commit 216bbc2a)
    • Set default phonebook access to ACCESS_REJECTED when user didn't choose one · 000e1d20
      Zongheng Wang authored
      When there's no users' choice to tell us whether to share their
      phonebook information to the Bluetooth device, set the phonebook access
      permission to ACCESS_REJECTED.
      Bug: 138529441
      Test: Manual test
      Change-Id: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
      Merged-In: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
      (cherry picked from commit 9b3cb0f0)
    • RESTRICT AUTOMERGE Enable stricter SQLiteQueryBuilder options. · 598188b4
      Jeff Sharkey authored
      Malicious callers can leak side-channel information by using
      subqueries in any untrusted inputs where SQLite allows "expr" values.
      This change starts using setStrictColumns() and setStrictGrammar()
      on SQLiteQueryBuilder to block this class of attacks.  This means we
      now need to define the projection mapping of valid columns, which
      consists of both the columns defined in the public API and columns
      read internally by DownloadInfo.Reader.
      We're okay growing sAppReadableColumnsSet like this, since we're
      relying on our trusted WHERE clause to filter away any rows that
      don't belong to the calling UID.
      Remove the legacy Lexer code, since we're now internally relying on
      the robust and well-tested SQLiteTokenizer logic.
      Bug: 135270103
      Bug: 135269143
      Test: atest DownloadProviderTests
      Test: atest
      Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
      (cherry picked from commit 382d5c0c)
    • Jonathan Scott authored
      Test: Just adding a constant
      Bug: 132261064
      Change-Id: I1527be03a10fa1a2fde09e3e41d6b7e83a986fc0
      Merged-In: I2bce277ff8f2de4614e19d5385fe6712b076f9c9
      (cherry picked from commit 20e5d926)
  16. 23 Oct, 2019 1 commit
  17. 22 Oct, 2019 1 commit
  18. 14 Oct, 2019 1 commit
  19. 08 Oct, 2019 1 commit
    • [RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() from startActivityInPackage · b06d7be1
      Bryan Ferris authored
      Previously startActivity would assume that the system was the calling user when
      startActivityInPackage was called. Now the uid of the calling application is
      forwarded by the system.
      Test: manual; we added logging statements to check the value of realCallingUid
      in startActivitiesMayWait when launching the calendar app from the calendar widget
      and verified that it was the calendar uid rather than the system uid.
      Bug: 123013720
      Change-Id: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
      Merged-In: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
      (cherry picked from commit 216f65bf)
  20. 04 Oct, 2019 1 commit
  21. 12 Sep, 2019 1 commit
  22. 11 Sep, 2019 1 commit
  23. 06 Sep, 2019 3 commits
    • Fix Layout.primaryIsTrailingPreviousAllLineOffsets · 676c2ff5
      Mihai Popa authored
      The CL fixes a crash in Layout.primaryIsTrailingPreviousAllLineOffsets.
      The crash was happening when the method was called for a line beginning
      with an empty bidi run. This could happen, for example, for empty text -
      I was unable to find any other case. The CL improves the existing test
      for the method with this case, which was previously crashing.
      The CL also fixes a potential crash in getLineHorizontals. However, this
      bug could never happen as in the current code path clamped is always
      false (and kept as parameter for parity with getHorizontal).
      Bug: 135444178
      Bug: 78464361
      Test: atest FrameworksCoreTests:android.text.LayoutTest\#testPrimaryIsTrailingPrevious
      Change-Id: I47157abe1d74675884734e3810628a566e40c1b4
      (cherry picked from commit 7ad499d0)
      (cherry picked from commit d3e81cd6)
    • HidProfile: sync isPreferred() with HidHostService · e5269350
      Chienyuan authored
      HidHostService allows connecting when priority is PRIORITY_UNDEFINED.
      HidProfile should return true when priority is PRIORITY_UNDEFINED.
      Otherwise, the "Input device" toggle in off state when HID device
      Bug: 132456322
      Test: manual
      Change-Id: Id7bae694c57aec17e019d591c0a677e3cb64f845
      (cherry picked from commit 830217f2)
    • Clear the Parcel before writing an exception during a transaction · c7ffe07c
      Michael Wachenschwanz authored
      This prevents any object data from being accidentally overwritten by the
      exception, which could cause unexpected malformed objects to be sent
      across the transaction.
      Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
      Bug: 34175893
      Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
      Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
      (cherry picked from commit f8ef5bcf)
  24. 13 Aug, 2019 1 commit
  25. 08 Aug, 2019 2 commits