GitLab

Android security 9.0.0 release 64

* tag 'android-security-9.0.0_r64':
  Ignore GrantCredentials call with unexpected calling uid.
  Protect GrantCredentialsPermissionActivity against overlay.
  [DO NOT MERGE] Make GlobalScreenshot PendingIntents immutable
  Check that Account Parcel has name and type.
  Revoke permission on non-runtime -> runtime upgrade
  Ensure permissions are revoked on state changes
  RESTRICT AUTOMERGE Fix CDM package check
  remove sensitive pii from safetynet logging
  DO NOT MERGE Check fingerprint client against top activity in auth callback
  Fix the issue provider can be wrong when requesting slice permission

Change-Id: I5686e8a3ed26d5abdec952748e1eb1a33ba8d0c8

* Since we are shipping userdebug builds by default
  it'd be nice to keep signature and version downgrade
  checks intact.
* Fixes : https://gitlab.com/LineageOS/issues/android/-/issues/2192

Change-Id: Ib46ccb50ac091469caf99a73a5a08942cbc457f6

Change-Id: I38bbfaf026634b297ed41c4aef850fe2593aac8e

WifiConfiguration contains sensitive location
information, so this extra is no longer included
in the CONFIGURED_NETWORKS_CHANGED_ACTION
broadcast. Update docs to reflect this change.

Bug: 158874479
Test: compiles
Change-Id: I72ba9f75a89519ef136cc2766a8551b606b218c7

Android Security 9.0.0 Release 63 (6893678)

* tag 'android-security-9.0.0_r63':
  Fix storing the wrong value of mLockdown in setting
  Make WallpaperMS bind wallpaper component PendingIntent immutable.

Change-Id: I8ac10ede71fd4707458ddad4cf7dd44efb062b13

Change-Id: I9bc6478375e69e6cc3ffec676c8690b3ea6c8d2b

Activity can be used only in two cases.
1) Calling uid matches uid grantee.
2) Calling uid is is system. This flow is used by getToken methods with
notifyAuthFailure=true.

Test: Existing CTS tests
Bug: 158480899
Merged-In: I1421c333b6cebb4f7cddcdd8766298f6872e933b
Change-Id: I18af48cf3cb4ad23a3e5b02a8ea1416aa5570dba
(cherry picked from commit ece586e3218e1ecd497e020af3fac4f381957ef7)

Bug: 169763814
Test: manual
Merged-In: I15dd22791fcc61ef02b06ad51d9e4409d11c0181
Change-Id: I0d8f901d100a5e2a022c96fa6c2be75a11c58059
(cherry picked from commit deddb784d0c4b3dab69045dd4f98a89d6fca5f52)

Mutable pending intents are a security risk. This change adds the
IMMUTABLE flag to all PendingIntents created in GlobalScreenshot.

Bug: 162738636
Test: manual
Change-Id: I1044b6aaf2b1650ff91d9a72181684d2aaea9a62
(cherry picked from commit ed450d77edc632bbdf74f86fa76dae1f9475a5c9)

Bug: 129287265
Test: manual
Change-Id: I8431eb27cc4c6dfd3048b28ff635474f14433308
(cherry picked from commit 32e85796)
(cherry picked from commit 0992000acea457142cb2b715a106057d6cee9166)

Not only on normal -> runtime.

Test: atest android.appsecurity.cts.PermissionsHostTest#testNoPermissionEscalationAfterReboot
Bug: 154505240, 168319670
Change-Id: If3b420067b4d7111dcf67ae6f98e42176158b679
Merged-In: If3b420067b4d7111dcf67ae6f98e42176158b679
(cherry picked from commit 60c41ae4a653ea594f6ebaf78f30d7e50be62327)

If a permission owner changes, or a permission level is upgraded, revoke
the permission from all packages

Test: Manual
Bug: 154505240
Merged-In: I0dec9eb7c2fecd3147e33e04d3f79f6dffcf7721
Change-Id: I0dec9eb7c2fecd3147e33e04d3f79f6dffcf7721
(cherry picked from commit a28931a09814a89e1c55816c794c1e1f20dc0c91)
(cherry picked from commit a162e9592db4231c33e04c86db5f2db84aed6303)

Fix CDM package check

CDM was using a pckage check that returns a value intead of throwing,
resulting in failing to throw on querying other package's associations

Test: ensure attached bug no longer reproduces
Bug: 167244818
Change-Id: I21319b6f5495dcae681541c76b847aad0c00b8ab
(cherry picked from commit feb4dd913c1b128df1626471375d423257d57cf9)

Bug: 159145361
Test: manual
Change-Id: I8f1be55971672c7e8f5aa8848f65b1b9d9f40fb5
Merged-In: I8f1be55971672c7e8f5aa8848f65b1b9d9f40fb5
(cherry picked from commit 3b6905bf6a39de7789f93a7ce6ca5d65a3fe589e)
(cherry picked from commit 6d9794aa9ff786f98252d859b8a1de7429f5441a)

Due to a race condition with activity task stack broadcasts, it's
currently possible for fingerprint authentication to succeed for a
non-top activity. This means, for example, that a malicious overlay
could be drawn in order to mislead the user about what they are
authenticating for.

This commit addresses the issue by adding a check to the fingerprint
authentication client interface that ensures the authenticating
activity is on top at the time of authentication. Otherwise, the
pending authentication will fail, as if an incorrect biometric
been presented.

Test: Follow steps from b/159249069:
1. Install com.pro100svitlo.fingerprintauthdemo from the Play store.
2. Install the PoC attack app from b/159249069.
3. Start the PoC attack app and press the "Launch PoC attack" button.
4. Use fingerprint to authenticate while the overlay is showing.

Before: Authentication succeeds, and a new activity is launched.
After: Authentication fails, and no new activity is launched.

Bug: 159249069
Change-Id: If5cdf8ffaf3aa7d8a1ac81272e3bfb2cc7cdddf1
Merged-In: Iee6af379515385777984da55048c1efd9339ed88
Merged-In: I9b242a9fee0acbfb430875061e2d809c00fe4b97
Merged-In: I1241a12eafa0bdbac59a8ddd4cf6a0637d467b19
Merged-In: Ie5a0f8c3e9b92d348a78678a6ed192d440c45ffc
Merged-In: I289d67e5c7055ed60f7a96725c523d07cd047b23
(cherry picked from commit d4774f910101d20b36afff4b39ce824b89d491cc)

SlicePermissionActivity reads provider_pkg from intent, which can be
modified at will. As a result user might see incorrect package name in
the dialog granting slice permission.

Bug: 159145361
Test: manual
Merged-In: I8b66c02786df4096dad74b7e76255d5ddd1d609d
Change-Id: I8b66c02786df4096dad74b7e76255d5ddd1d609d
(cherry picked from commit 0ad32a2d70ae410a59d730802b47af7c27b0b4a3)
(cherry picked from commit 4cab9c38764a6123c0072f0ef7b007cc29cd1b74)

Android security 9.0.0 release 62

* tag 'refs/tags/android-security-9.0.0_r62':
  [WIFI] Make Aware + Connectivity agent network specifiers sensitive
  [CS] Add an option to block sensitive network specifier
  Accept repeated locale as an input of LocaleList construction.
  Sanitize more of the notification text fields
  DO NOT MERGE Don't allow non-instant permissions for instant apps.

Change-Id: Ie83a9f0d9388a606e08dae862ff478948ddf3da8

Change-Id: Ib6bdabecfacbaa87a2317cd6cdb77bc5b4504be1

Android 9.0.0 Release 61 (6780336)

* tag 'android-9.0.0_r61':
  Add missing isShellUser check
  Mark implicit PendingIntents as immutable
  Require a more specific intent
  RESTRICT AUTOMERGE Do not set referrerUri on SessionInfo for non-owners
  Remove unused intent in NiNotification

When user is stopped, the Vpn#onUserStopped() will be called and
the value of mLockdown will be set to false then store into
setting.
This is a wrong behavior because user doesn't change it, so for
this kind of case, there is no need to store the value of
mLockdown in setting.
In fact, there is no need to call Vpn#saveAlwaysOnPackage() when
user is stopped because there is nothing changed.

Bug: 168500792
Test: atest FrameworksNetTests
Change-Id: Ie85a347216614b7873bfdf199165d89527ada3a8
(cherry picked from commit 9226fc3723a477751705011cd7eecf063b1c3707)

Require that the PendingIntent be immutable so that a malicious app is
not able to hijack and mutate any of the details.

Fixes: 154915372
Test: build & flash, change wallpaper manually.
Change-Id: I59b48811b26736bf0575769107dd940ca33ccf8d
(cherry picked from commit d4bd69ce)
(cherry picked from commit a839692d5ca4ea47e9565865eae5cdf904cc0629)

Revert clean top bar

See merge request !86

This reverts commit 7e502ac8.

Pie clean top bar

See merge request !84

Android 9.0.0 release 60

* tag 'android-9.0.0_r60':
  Revert "Ignores protected broadcasts if not priv-app"
  Only autoVerify at install for new hosts
  DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package
  Revert "Revoke 'always' web handler status when not autoverifying"

Change-Id: I8cebfba17f32226567c1a6fdf6c1b6bab395bb3c

Change-Id: I2ea43c78213b464e96eb01d5b9c6d665b0328196

Configure the Wi-Fi Aware agent network
specifier as sensitive. This will strip it out from the
network capabilities before the capabilities are forwarded to the
app.

Necessary since the agent network specifier contains information
which the apps should not have.

Bug: 161853197
Bug: 161370134
Test: atest ConnectivityServiceTest (frameworks/base/tests/net)
Test: atest frameworks/base/tests/net
Test: atest frameworks/opt/net/wifi/tests/wifitests
Test: atest frameworks/opt/telephony/tests/telephonytests
Test: atest frameworks/opt/net/ethernet/tests
Test: atest android.net.cts - some flakiness!
Test: act.py ThroughputTest
Test: act.py DataPathTest
Test: atest SingleDeviceTest (cts)
Change-Id: Ia6adf2afa0f2052dc46a504ceb3e5aaba591aab8
Merged-In: I9673107a2ee13bca63539fc7dbee7f376af3ebcb
(cherry picked from commit 7f60f432)

Network specifiers are used for 2 purposes:

- As part of network requests to specify more information on the type
  of requested networks.
- On network agents to specify information about their networks.

The network specifiers of the requests and agents are matched to each
other. However, the agent network specifier may contain sensitive
information which we do not want forwarded to any app.

This CL adds an option to strip out this agent network specifier before
the network capabilities are forwarded to the app.

Bug: 161853197
Bug: 161370134
Test: atest ConnectivityServiceTest (frameworks/base/tests/net)
Test: atest frameworks/base/tests/net
Test: atest frameworks/opt/net/wifi/tests/wifitests
Test: atest frameworks/opt/telephony/tests/telephonytests
Test: atest frameworks/opt/net/ethernet/tests
Test: atest android.net.cts - some flakiness!
Test: act.py ThroughputTest
Test: act.py DataPathTest
Test: atest SingleDeviceTest (cts)
Change-Id: I38ed3ff88532ef522ab167c88d87e6e82295ffc5
Merged-In: If08d312ff814bdde1147518f923199e6349503d5
(cherry picked from commit 9b1d701a)

Repeated locale has not been accepted and IllegalArgumentException
is thrown. Instead of throwing exception, dropping repeated locale
instead.

Bug: 152410253
Test: atest LocaleListTest
Change-Id: I80f243678ac3024eaeb0349f770cff897df7f332
(cherry picked from commit 33ee4638)

Test: manual; monitor SystemUI performance when an app tries to
post a messaging style notification with messages with long text
Bug: 158304295
Bug: 147358092

Merged-In: c953fdf6bc498ca791aed49df04e5a07c935b63a
Change-Id: I0e2ea12fc3351b1a56645b556720ea2306f5422a
(cherry picked from commit c953fdf6bc498ca791aed49df04e5a07c935b63a)
(cherry picked from commit 7857da64)