Skip to content
GitLab
Switch branch/tag
This project is mirrored from https://github.com/LineageOS/android_frameworks_base.git. Pull mirroring updated .
  1. 10 Aug, 2022 1 commit
  3. 04 Aug, 2022 1 commit
  5. 15 Jul, 2022 1 commit
  7. 07 Jul, 2022 1 commit
    • Kevin F. Haggerty's avatar
      Merge tag 'android-security-10.0.0_r68' of... · 12fd3a9f
      Kevin F. Haggerty authored 
      Merge tag 'android-security-10.0.0_r68' of https://android.googlesource.com/platform/frameworks/base into staging/lineage-17.1_merge_android-security-10.0.0_r68

Android security 10.0.0 release 68

* tag 'android-security-10.0.0_r68' of https://android.googlesource.com/platform/frameworks/base:
  DO NOT MERGE Crash invalid FGS notifications
  [RESTRICT AUTOMERGE] Log to EventLog on prepareUserStorage failure
  [RESTRICT AUTOMERGE] Ignore errors preparing user storage for existing users
  [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery for system user only
  [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery if preparing user storage fails
  [RESTRICT AUTOMERGE] StorageManagerService: don't ignore failures to prepare user storage
  Check user unlocked before write to /data/system_ce/0/snapshots

Conflicts:
	services/core/java/com/android/server/wm/TaskSnapshotPersister.java

Change-Id: Ibfcea4ae4c26b42f6e2905fef94827a38991120b
      12fd3a9f
  9. 24 Jun, 2022 1 commit
  11. 11 Jun, 2022 6 commits
    • Android Build Coastguard Worker's avatar
      Merge cherrypicks of [16564590, 17823648, 18670434, 18715266, 18701369] into... · 5e464b76
      Android Build Coastguard Worker authored 
      Merge cherrypicks of [16564590, 17823648, 18670434, 18715266, 18701369] into security-aosp-qt-release.

Change-Id: Iddd72295c0f836acaf477f3ac187cc0c576362fd
      5e464b76
    • Makoto Onuki's avatar
      Only allow the system server to connect to sync adapters · 25e9539f
      Makoto Onuki authored 
      Bug: 203229608
Test: Manual test with changing the check logic + debug log
Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f
(cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee)
(cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff)
Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f
      25e9539f
    • chiachangwang's avatar
      Stop using invalid URL to prevent unexpected crash · 1a7b2f8b
      chiachangwang authored 
      Verify the input PAC Uri before performing follow-up actions.

Check if the URL is a valid URL to filter some invalid URLs since
these invalid URLs could not fall into any subclass of existing
URLConnections. When the PAC Uri is other invalid URL scheme, it
will cause an UnsupportedOperationException if there is no proper
subclass that implements the openConnection() method.
A malformed URL may crash the system.

Even it's a valid URL, some subclasses(e.g. JarURLConnection)
may not have openConnection() implemented. It will also hit the
problem, so convert the possbile exception from openConnection()
to re-throw it to IOException which is handled in the existing
code.

Bug: 219498290
Test: atest FrameworksNetTests CtsNetTestCases
Test: Test with malformed URL
Merged-In: I22903414380b62051f514e43b93af992f45740b4
Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076
Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
(cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f)
(cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4)
Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
      1a7b2f8b
    • Raphael Kim's avatar
      Remove package title from notification access confirmation intent · 4c2d8d77
      Raphael Kim authored 
      Bug: 228178437
Test: Manually confirmed on an application
Change-Id: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
(cherry picked from commit 51d47ec7c875cf964f46965a27a5d36343ea999d)
Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
      4c2d8d77
    • Wenhao Wang's avatar
      DO NOT MERGE Suppress notifications when device enter lockdown · 3b018fea
      Wenhao Wang authored 
      This CL makes the following modifcations:
1. Add LockPatternUtils.StrongAuthTracker to monitor
the lockdown mode status of the phone.
2. Call mListeners.notifyRemovedLocked with all the
notifications in the mNotificationList when entering
the lockdown mode.
3. Call mListeners.notifyPostedLocked with all the
notifications in the mNotificationList when exiting
the lockdown mode.
4. Dismiss the function calls of notifyPostedLocked,
notifyRemovedLocked, and notifyRankingUpdateLocked
during the lockdown mode.

The CL also adds corresponding tests.

Bug: 173721373
Test: atest NotificationManagerServiceTest
Test: atest NotificationListenersTest
Test: manually verify the paired device cannot receive
notifications when the host phone is in lockdown mode.
Ignore-AOSP-First: pending fix for a security issue.

Change-Id: I7e83544863eeadf8272b6ff8a9bb8136d6466203
Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203
(cherry picked from commit 3cb6842a053e236cc98d7616ba4433c31ffda3ac)
(cherry picked from commit 85c00b98a6cac8d7286a70300ceff509693818f2)
Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203
      3b018fea
    • Jeff Chang's avatar
      [RESTRICT AUTOMERGE]Only allow system and same app to apply relinquishTaskIdentity · 57df14fb
      Jeff Chang authored 
      Any malicious application could hijack tasks by
android:relinquishTaskIdentity. This vulnerability can perform UI
spoofing or spy on user’s activities.

This CL limit the usage which only allow system and same app to apply
relinquishTaskIdentity

Bug: 185810717
Test: atest IntentTests
      atest ActivityStarterTests
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
(cherry picked from commit cd1f9e72)
Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
      57df14fb
  13. 10 Jun, 2022 1 commit
  15. 16 May, 2022 2 commits
  17. 14 May, 2022 1 commit
  19. 13 May, 2022 6 commits
    • Eric Biggers's avatar
      [RESTRICT AUTOMERGE] Log to EventLog on prepareUserStorage failure · 0ef91007
      Eric Biggers authored 
      Bug: 224585613
Change-Id: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
(cherry picked from commit fbb632ea95ac5b6d9efa89e09d0988a9df4f19e4)
Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
(cherry picked from commit 2f2e7d84f8f856e897056064b64c6b7213ba5d86)
Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
      0ef91007
    • Eric Biggers's avatar
      [RESTRICT AUTOMERGE] Ignore errors preparing user storage for existing users · db90cf4f
      Eric Biggers authored 
      Unfortunately we can't rule out the existence of devices where the user
storage wasn't properly prepared, due to StorageManagerService
previously ignoring errors from mVold.prepareUserStorage, combined with
OEMs potentially creating files in per-user directories too early.  And
forcing these broken devices to be factory reset upon taking an OTA is
not currently considered to be acceptable.

One option is to only check for prepareUserStorage errors on devices
that launched with T or later.  However, this is a serious issue and it
would be strongly preferable to do more than that.

Therefore, this CL makes it so that errors are checked for all new
users, rather than all new devices.  A field ignorePrepareStorageErrors
is added to the user record; it is only ever set to true implicitly,
when reading a user record from disk that lacks this field.  This field
is used by StorageManagerService to decide whether to check for errors.

Bug: 164488924
Bug: 224585613
Test: Intentionally made a device affected by this issue by reverting
      the CLs that introduced the error checks, and changing vold to
      inject an error into prepareUserStorage.   Then, flashed a build
      with this CL without wiping userdata.  The device still boots, as
      expected, and the log shows that the error was intentionally
      ignored.  Tested that if a second user is added, the error is
      *not* ignored and the second user's storage is destroyed before it
      can be used.  Finally, wiped the device and verified that it won't
      boot up anymore, as expected since error checking is enabled for
      the system user in that case.
Change-Id: I9bdd1a4bf5b14542adb901f264a91d489115c89b
(cherry picked from commit 60d8318c47b7b659716d71243d087b34ab327f64)
Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
(cherry picked from commit 493aa93b84b4281378e6b767bf2df6139bd0975d)
Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
      db90cf4f
    • Eric Biggers's avatar
      [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery for system user only · c0b699da
      Eric Biggers authored 
      With the next CL, old devices might contain a combination of old users
with prepareUserStorage error checking disabled and new users with
prepareUserStorage error checking enabled.  Factory resetting the whole
device when any user fails to prepare may be too aggressive.  Also,
UserDataPreparer already destroys the affected user's storage when it
fails to prepare, which seems to be fairly effective at breaking things
for that user (absent proper error handling by upper layers).

Therefore, let's only factory reset the device if the failing user is
the system user.

Bug: 164488924
Bug: 224585613
Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
(cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7)
Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
(cherry picked from commit a296a2b724f3b7233952740231a49d432949276b)
Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
      c0b699da
    • Eric Biggers's avatar
      [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery if preparing user storage fails · e4ca118f
      Eric Biggers authored 
      StorageManager.prepareUserStorage() can throw an exception if a
directory cannot be encrypted, for example due to already being
nonempty.  In this case, usage of the directory must not be allowed to
proceed.  UserDataPreparer currently handles this by deleting the user's
directories, but the error is still ultimately suppressed and starting
the user is still allowed to proceed.

The correct behavior in this case is to reboot into recovery to ask the
user to factory reset the device.  This is already what happens when
'init' fails to encrypt a directory with the system DE policy.  However,
this was overlooked for the user directories.  Start doing this.

Bug: 164488924
Bug: 224585613
Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
(cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254)
Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
(cherry picked from commit ea010f3dd213bb6b5f3ed28b89988754ed26aac6)
Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
      e4ca118f
    • Eric Biggers's avatar
      [RESTRICT AUTOMERGE] StorageManagerService: don't ignore failures to prepare user storage · 9596f217
      Eric Biggers authored 
      We must never leave directories unencrypted.

Bug: 164488924
Bug: 224585613
Change-Id: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
(cherry picked from commit 50946dd15fd14cbf92b5c7e32ac7a0f088b8b302)
Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
(cherry picked from commit f80dd3ecd46db03005423e7fac28a0def49d0140)
Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
      9596f217
    • Guo Li's avatar
      Check user unlocked before write to /data/system_ce/0/snapshots · 3cdddcef
      Guo Li authored 
      When reboot device. TaskSnapshotPersister create directory
"/data/system_ce/0/snapshots" before FBE decrypt.
Then WTF occur.

Bug: 154787951
Bug: 224585613
Test: Device boots without WTF error
Change-Id: Ie9d4a28008adc93e27bc8ab015a3a6507428c3e4
(cherry picked from commit 2f9987f5)
Merged-In: Ie9d4a28008adc93e27bc8ab015a3a6507428c3e4
(cherry picked from commit 3ab9dc113ea2d503a6ff490643050711ba09ac57)
Merged-In: Ie9d4a28008adc93e27bc8ab015a3a6507428c3e4
      3cdddcef
  21. 04 May, 2022 1 commit
    • Kevin F. Haggerty's avatar
      Merge tag 'android-security-10.0.0_r66' into staging/lineage-17.1_merge_android-security-10.0.0_r66 · 9d930f99
      Kevin F. Haggerty authored 
      Android Security 10.0.0 Release 66 (8287684)

* tag 'android-security-10.0.0_r66':
  Always restart apps if base.apk gets updated.
  Verify caller before auto granting slice permission
  [RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task
  Filter notification APIs by user
  [DO NOT MERGE] Keyguard - Treat messsages to lock with priority

Conflicts:
	services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java

Change-Id: Ib6fa58c99d5b8253f226d1b7382aa27ed469121d
      9d930f99
  23. 02 May, 2022 8 commits
    • Android Build Coastguard Worker's avatar
      Merge cherrypicks of [16564590, 17185256, 17045726, 17343925, 17400663,... · 3e199be0
      Android Build Coastguard Worker authored 
      Merge cherrypicks of [16564590, 17185256, 17045726, 17343925, 17400663, 17591189, 17587088, 16908080] into security-aosp-qt-release.

Change-Id: I035ab01d3459142878a8f76cd0255e618864d76e
      3e199be0
    • Thomas Stuart's avatar
      limit TelecomManager#registerPhoneAccount to 10; api doc update · 1f7e6c10
      Thomas Stuart authored 
      bug: 209814693
Bug: 217934478
Test: CTS
Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
(cherry picked from commit f0f67b5a)
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
      1f7e6c10
    • Jonathan Scott's avatar
      [qt] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning. · 4f9a87b9
      Jonathan Scott authored 
      Test: atest android.devicepolicy.cts.DevicePolicyManagerTest
Bug: 210469972
Change-Id: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
(cherry picked from commit c5037ec6)
Merged-In: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
      4f9a87b9
    • JW Wang's avatar
      Fix NPE · 4ec4fe1d
      JW Wang authored 
      NPE happens when there is an orphaned session which we've
tried to prevent in all cases.

Log an error message if this situation happens.

Bug: 227342978
Test: atest CtsRootPackageInstallerHostTestCases
Change-Id: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
(cherry picked from commit 07e31dfb1efabc8110d64819f26a06e12a35e020)
Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
(cherry picked from commit f562aadd)
Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
      4ec4fe1d
    • Oli Lan's avatar
      RESTRICT AUTOMERGE Prevent non-admin users from deleting system apps. · bd3c5f80
      Oli Lan authored 
      This addresses a security issue where the guest user can remove updates
for system apps.

With this CL, attempts to uninstall/downgrade system apps will fail if
attempted by a non-admin user.

This is a backport of ag/17352264.

Bug: 170646036
Test: manual, try uninstalling system app update as guest
Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
(cherry picked from commit a7621e0c)
Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
      bd3c5f80
    • Ayush Sharma's avatar
      Fix security hole in GateKeeperResponse · 6f8efa1e
      Ayush Sharma authored 
      GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.

We fixed related issues previously for GateKeeperResponse class, but
one of the case was remaining when payload is byte array of size 0,
Fixing this case now.

Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586

(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)

Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
(cherry picked from commit 658c53c4)
Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
      6f8efa1e
    • Julia Reynolds's avatar
      DO NOT MERGE Add an OEM configurable limit for zen rules · f7dcca40
      Julia Reynolds authored 
      Test: ZenModeHelperTest
Bug: 220735360
Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
(cherry picked from commit 3072d98c)
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
      f7dcca40
    • David Christie's avatar
      Update GeofenceHardwareRequestParcelable to match parcel/unparcel format. · 99ac85ce
      David Christie authored 
      Test: manual
Bug: 216631962

Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
(cherry picked from commit 3e1ffdb2)
Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
      99ac85ce
  25. 16 Apr, 2022 1 commit
  27. 14 Apr, 2022 2 commits
  29. 05 Apr, 2022 1 commit
  31. 04 Apr, 2022 2 commits
  33. 28 Mar, 2022 2 commits
  35. 23 Mar, 2022 1 commit
  37. 21 Mar, 2022 1 commit