  1. 10 Aug, 2022 1 commit
  2. 04 Aug, 2022 1 commit
  3. 15 Jul, 2022 1 commit
  4. 07 Jul, 2022 1 commit
    • Merge tag 'android-security-10.0.0_r68' of... · 12fd3a9f
      Kevin F. Haggerty authored
      Merge tag 'android-security-10.0.0_r68' of into staging/lineage-17.1_merge_android-security-10.0.0_r68
      Android security 10.0.0 release 68
      * tag 'android-security-10.0.0_r68' of
        DO NOT MERGE Crash invalid FGS notifications
        [RESTRICT AUTOMERGE] Log to EventLog on prepareUserStorage failure
        [RESTRICT AUTOMERGE] Ignore errors preparing user storage for existing users
        [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery for system user only
        [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery if preparing user storage fails
        [RESTRICT AUTOMERGE] StorageManagerService: don't ignore failures to prepare user storage
        Check user unlocked before write to /data/system_ce/0/snapshots
      Change-Id: Ibfcea4ae4c26b42f6e2905fef94827a38991120b
  5. 24 Jun, 2022 1 commit
  6. 11 Jun, 2022 6 commits
    • Merge cherrypicks of [16564590, 17823648, 18670434, 18715266, 18701369] into... · 5e464b76
      Android Build Coastguard Worker authored
      Merge cherrypicks of [16564590, 17823648, 18670434, 18715266, 18701369] into security-aosp-qt-release.
      Change-Id: Iddd72295c0f836acaf477f3ac187cc0c576362fd
    • Only allow the system server to connect to sync adapters · 25e9539f
      Makoto Onuki authored
      Bug: 203229608
      Test: Manual test with changing the check logic + debug log
      Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f
      (cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee)
      (cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff)
      Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f
    • Stop using invalid URL to prevent unexpected crash · 1a7b2f8b
      chiachangwang authored
      Verify the input PAC Uri before performing follow-up actions.
      Check if the URL is a valid URL to filter some invalid URLs since
      these invalid URLs could not fall into any subclass of existing
      URLConnections. When the PAC Uri is other invalid URL scheme, it
      will cause an UnsupportedOperationException if there is no proper
      subclass that implements the openConnection() method.
      A malformed URL may crash the system.
      Even if it's a valid URL, some subclasses (e.g. JarURLConnection)
      may not have openConnection() implemented. It will also hit the
      problem, so convert the possible exception from openConnection()
      to re-throw it to IOException which is handled in the existing
      Bug: 219498290
      Test: atest FrameworksNetTests CtsNetTestCases
      Test: Test with malformed URL
      Merged-In: I22903414380b62051f514e43b93af992f45740b4
      Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076
      Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
      (cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f)
      (cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4)
      Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
    • Remove package title from notification access confirmation intent · 4c2d8d77
      Raphael Kim authored
      Bug: 228178437
      Test: Manually confirmed on an application
      Change-Id: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
      Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
      (cherry picked from commit 51d47ec7c875cf964f46965a27a5d36343ea999d)
      Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
    • DO NOT MERGE Suppress notifications when device enter lockdown · 3b018fea
      Wenhao Wang authored
      This CL makes the following modifications:
      1. Add LockPatternUtils.StrongAuthTracker to monitor
      the lockdown mode status of the phone.
      2. Call mListeners.notifyRemovedLocked with all the
      notifications in the mNotificationList when entering
      the lockdown mode.
      3. Call mListeners.notifyPostedLocked with all the
      notifications in the mNotificationList when exiting
      the lockdown mode.
      4. Dismiss the function calls of notifyPostedLocked,
      notifyRemovedLocked, and notifyRankingUpdateLocked
      during the lockdown mode.
      The CL also adds corresponding tests.
      Bug: 173721373
      Test: atest NotificationManagerServiceTest
      Test: atest NotificationListenersTest
      Test: manually verify the paired device cannot receive
      notifications when the host phone is in lockdown mode.
      Ignore-AOSP-First: pending fix for a security issue.
      Change-Id: I7e83544863eeadf8272b6ff8a9bb8136d6466203
      Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203
      (cherry picked from commit 3cb6842a053e236cc98d7616ba4433c31ffda3ac)
      (cherry picked from commit 85c00b98a6cac8d7286a70300ceff509693818f2)
      Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203
    • [RESTRICT AUTOMERGE]Only allow system and same app to apply relinquishTaskIdentity · 57df14fb
      Jeff Chang authored
      Any malicious application could hijack tasks by
      android:relinquishTaskIdentity. This vulnerability can perform UI
      spoofing or spy on user’s activities.
      This CL limits the usage, which only allows system and same app to apply
      Bug: 185810717
      Test: atest IntentTests
            atest ActivityStarterTests
      Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
      (cherry picked from commit cd1f9e72)
      Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
  7. 10 Jun, 2022 1 commit
  8. 16 May, 2022 2 commits
  9. 14 May, 2022 1 commit
  10. 13 May, 2022 6 commits
    • [RESTRICT AUTOMERGE] Log to EventLog on prepareUserStorage failure · 0ef91007
      Eric Biggers authored
      Bug: 224585613
      Change-Id: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
      (cherry picked from commit fbb632ea95ac5b6d9efa89e09d0988a9df4f19e4)
      Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
      (cherry picked from commit 2f2e7d84f8f856e897056064b64c6b7213ba5d86)
      Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
    • [RESTRICT AUTOMERGE] Ignore errors preparing user storage for existing users · db90cf4f
      Eric Biggers authored
      Unfortunately we can't rule out the existence of devices where the user
      storage wasn't properly prepared, due to StorageManagerService
      previously ignoring errors from mVold.prepareUserStorage, combined with
      OEMs potentially creating files in per-user directories too early.  And
      forcing these broken devices to be factory reset upon taking an OTA is
      not currently considered to be acceptable.
      One option is to only check for prepareUserStorage errors on devices
      that launched with T or later.  However, this is a serious issue and it
      would be strongly preferable to do more than that.
      Therefore, this CL makes it so that errors are checked for all new
      users, rather than all new devices.  A field ignorePrepareStorageErrors
      is added to the user record; it is only ever set to true implicitly,
      when reading a user record from disk that lacks this field.  This field
      is used by StorageManagerService to decide whether to check for errors.
      Bug: 164488924
      Bug: 224585613
      Test: Intentionally made a device affected by this issue by reverting
            the CLs that introduced the error checks, and changing vold to
            inject an error into prepareUserStorage.   Then, flashed a build
            with this CL without wiping userdata.  The device still boots, as
            expected, and the log shows that the error was intentionally
            ignored.  Tested that if a second user is added, the error is
            *not* ignored and the second user's storage is destroyed before it
            can be used.  Finally, wiped the device and verified that it won't
            boot up anymore, as expected since error checking is enabled for
            the system user in that case.
      Change-Id: I9bdd1a4bf5b14542adb901f264a91d489115c89b
      (cherry picked from commit 60d8318c47b7b659716d71243d087b34ab327f64)
      Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
      (cherry picked from commit 493aa93b84b4281378e6b767bf2df6139bd0975d)
      Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
    • [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery for system user only · c0b699da
      Eric Biggers authored
      With the next CL, old devices might contain a combination of old users
      with prepareUserStorage error checking disabled and new users with
      prepareUserStorage error checking enabled.  Factory resetting the whole
      device when any user fails to prepare may be too aggressive.  Also,
      UserDataPreparer already destroys the affected user's storage when it
      fails to prepare, which seems to be fairly effective at breaking things
      for that user (absent proper error handling by upper layers).
      Therefore, let's only factory reset the device if the failing user is
      the system user.
      Bug: 164488924
      Bug: 224585613
      Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
      (cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7)
      Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
      (cherry picked from commit a296a2b724f3b7233952740231a49d432949276b)
      Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
    • [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery if preparing user storage fails · e4ca118f
      Eric Biggers authored
      StorageManager.prepareUserStorage() can throw an exception if a
      directory cannot be encrypted, for example due to already being
      nonempty.  In this case, usage of the directory must not be allowed to
      proceed.  UserDataPreparer currently handles this by deleting the user's
      directories, but the error is still ultimately suppressed and starting
      the user is still allowed to proceed.
      The correct behavior in this case is to reboot into recovery to ask the
      user to factory reset the device.  This is already what happens when
      'init' fails to encrypt a directory with the system DE policy.  However,
      this was overlooked for the user directories.  Start doing this.
      Bug: 164488924
      Bug: 224585613
      Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
      (cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254)
      Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
      (cherry picked from commit ea010f3dd213bb6b5f3ed28b89988754ed26aac6)
      Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
    • [RESTRICT AUTOMERGE] StorageManagerService: don't ignore failures to prepare user storage · 9596f217
      Eric Biggers authored
      We must never leave directories unencrypted.
      Bug: 164488924
      Bug: 224585613
      Change-Id: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
      (cherry picked from commit 50946dd15fd14cbf92b5c7e32ac7a0f088b8b302)
      Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
      (cherry picked from commit f80dd3ecd46db03005423e7fac28a0def49d0140)
      Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
    • Check user unlocked before write to /data/system_ce/0/snapshots · 3cdddcef
      Guo Li authored
      When the device reboots, TaskSnapshotPersister creates the directory
      "/data/system_ce/0/snapshots" before FBE decryption.
      Then a WTF occurs.
      Bug: 154787951
      Bug: 224585613
      Test: Device boots without WTF error
      Change-Id: Ie9d4a28008adc93e27bc8ab015a3a6507428c3e4
      (cherry picked from commit 2f9987f5)
      Merged-In: Ie9d4a28008adc93e27bc8ab015a3a6507428c3e4
      (cherry picked from commit 3ab9dc113ea2d503a6ff490643050711ba09ac57)
      Merged-In: Ie9d4a28008adc93e27bc8ab015a3a6507428c3e4
  11. 04 May, 2022 1 commit
    • Merge tag 'android-security-10.0.0_r66' into staging/lineage-17.1_merge_android-security-10.0.0_r66 · 9d930f99
      Kevin F. Haggerty authored
      Android Security 10.0.0 Release 66 (8287684)
      * tag 'android-security-10.0.0_r66':
        Always restart apps if base.apk gets updated.
        Verify caller before auto granting slice permission
        [RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task
        Filter notification APIs by user
        [DO NOT MERGE] Keyguard - Treat messsages to lock with priority
      Change-Id: Ib6fa58c99d5b8253f226d1b7382aa27ed469121d
  12. 02 May, 2022 8 commits
    • Merge cherrypicks of [16564590, 17185256, 17045726, 17343925, 17400663,... · 3e199be0
      Android Build Coastguard Worker authored
      Merge cherrypicks of [16564590, 17185256, 17045726, 17343925, 17400663, 17591189, 17587088, 16908080] into security-aosp-qt-release.
      Change-Id: I035ab01d3459142878a8f76cd0255e618864d76e
    • limit TelecomManager#registerPhoneAccount to 10; api doc update · 1f7e6c10
      Thomas Stuart authored
      bug: 209814693
      Bug: 217934478
      Test: CTS
      Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
      Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
      (cherry picked from commit f0f67b5a)
      Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
    • [qt] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning. · 4f9a87b9
      Jonathan Scott authored
      Test: atest android.devicepolicy.cts.DevicePolicyManagerTest
      Bug: 210469972
      Change-Id: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
      (cherry picked from commit c5037ec6)
      Merged-In: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
    • Fix NPE · 4ec4fe1d
      JW Wang authored
      NPE happens when there is an orphaned session which we've
      tried to prevent in all cases.
      Log an error message if this situation happens.
      Bug: 227342978
      Test: atest CtsRootPackageInstallerHostTestCases
      Change-Id: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
      (cherry picked from commit 07e31dfb1efabc8110d64819f26a06e12a35e020)
      Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
      (cherry picked from commit f562aadd)
      Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
    • RESTRICT AUTOMERGE Prevent non-admin users from deleting system apps. · bd3c5f80
      Oli Lan authored
      This addresses a security issue where the guest user can remove updates
      for system apps.
      With this CL, attempts to uninstall/downgrade system apps will fail if
      attempted by a non-admin user.
      This is a backport of ag/17352264.
      Bug: 170646036
      Test: manual, try uninstalling system app update as guest
      Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
      Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
      (cherry picked from commit a7621e0c)
      Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
    • Fix security hole in GateKeeperResponse · 6f8efa1e
      Ayush Sharma authored
      GateKeeperResponse has inconsistent writeToParcel() and
      createFromParcel() methods, making it possible for a malicious app to
      create a Bundle that changes contents after reserialization. Such
      Bundles can be used to execute Intents with system privileges.
      We fixed related issues previously for the GateKeeperResponse class, but
      one of the cases remained, when the payload is a byte array of size 0.
      Fixing this case now.
      Bug: 220303465
      Test: With the POC provided in the bug.
      Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
      Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
      (cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)
      Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
      (cherry picked from commit 658c53c4)
      Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
    • DO NOT MERGE Add an OEM configurable limit for zen rules · f7dcca40
      Julia Reynolds authored
      Test: ZenModeHelperTest
      Bug: 220735360
      Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
      Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
      (cherry picked from commit 3072d98c)
      Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
    • Update GeofenceHardwareRequestParcelable to match parcel/unparcel format. · 99ac85ce
      David Christie authored
      Test: manual
      Bug: 216631962
      Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
      (cherry picked from commit 3e1ffdb2)
      Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
  13. 16 Apr, 2022 1 commit
  14. 14 Apr, 2022 2 commits
  15. 05 Apr, 2022 1 commit
  16. 04 Apr, 2022 2 commits
  17. 28 Mar, 2022 2 commits
  18. 23 Mar, 2022 1 commit
  19. 21 Mar, 2022 1 commit