Unverified Commit 5464c812 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty

Merge tag 'android-8.1.0_r46' into staging/lineage-15.1_merge-android-8.1.0_r46

Android 8.1.0 Release 46 (OPM6.171019.030.K1)

* tag 'android-8.1.0_r46': (23 commits)
  Fix TrackInfo parcel write
  vpn: allow IPSec traffic through Always-on VPN
  Resolve inconsistent parcel read in NanoAppFilter
  Backport Prevent shortcut info package name spoofing
  Fix DynamicRefTable::load security bug
  ResStringPool: Prevenet boot loop from se fix
  Make safe label more safe
  WM: Prevent secondary display focus while keyguard is up
  DO NOT MERGE: Add unit tests to ensure VPN meteredness
  DO NOT MERGE: Fix ConnectivityController meteredness checks
  clearCallingIdentity before calling into getPackageUidAsUser
  Nullcheck to fix Autofill CTS
  Osu: fixed Mismatch between createFromParcel and writeToParcel
  DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name
  Fix broken check for TelephonyManager#getForbiddenPlmns
  DO NOT MERGE (O) Revoke permision when group changed
  ResStringPool: Fix security vulnerability
  RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev)
  Use concrete CREATOR instance for parceling lists
  Rework thumbnail cleanup
  ...

Change-Id: I1376977831bf2ab308765234b9ae4f3f7da3ee8b
parents 4d1735f7 3c2c834a
......@@ -83,7 +83,7 @@ public class NanoAppFilter {
mAppId = in.readLong();
mAppVersion = in.readInt();
mVersionRestrictionMask = in.readInt();
mAppIdVendorMask = in.readInt();
mAppIdVendorMask = in.readLong();
}
public int describeContents() {
......@@ -91,7 +91,6 @@ public class NanoAppFilter {
}
public void writeToParcel(Parcel out, int flags) {
out.writeLong(mAppId);
out.writeInt(mAppVersion);
out.writeInt(mVersionRestrictionMask);
......
......@@ -2363,10 +2363,10 @@ public class MediaPlayer extends PlayerBase
@Override
public void writeToParcel(Parcel dest, int flags) {
dest.writeInt(mTrackType);
dest.writeString(mFormat.getString(MediaFormat.KEY_MIME));
dest.writeString(getLanguage());
if (mTrackType == MEDIA_TRACK_TYPE_SUBTITLE) {
dest.writeString(mFormat.getString(MediaFormat.KEY_MIME));
dest.writeInt(mFormat.getInteger(MediaFormat.KEY_IS_AUTOSELECT));
dest.writeInt(mFormat.getInteger(MediaFormat.KEY_IS_DEFAULT));
dest.writeInt(mFormat.getInteger(MediaFormat.KEY_IS_FORCED_SUBTITLE));
......
......@@ -94,8 +94,6 @@ import com.android.server.DeviceIdleController;
import com.android.server.LocalServices;
import com.android.server.net.BaseNetworkObserver;
import libcore.io.IoUtils;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
......@@ -114,6 +112,8 @@ import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicInteger;
import libcore.io.IoUtils;
/**
* @hide
*/
......@@ -1184,6 +1184,18 @@ public class Vpn {
/* allowedApplications */ null,
/* disallowedApplications */ exemptedPackages);
// The UID range of the first user (0-99999) would block the IPSec traffic, which comes
// directly from the kernel and is marked as uid=0. So we adjust the range to allow
// it through (b/69873852).
for (UidRange range : addedRanges) {
if (range.start == 0) {
addedRanges.remove(range);
if (range.stop != 0) {
addedRanges.add(new UidRange(1, range.stop));
}
}
}
removedRanges.removeAll(addedRanges);
addedRanges.removeAll(mBlockedUsers);
}
......
......@@ -131,6 +131,7 @@ import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import java.util.function.Predicate;
......@@ -1534,6 +1535,24 @@ public class ShortcutService extends IShortcutService.Stub {
"Ephemeral apps can't use ShortcutManager");
}
private void verifyShortcutInfoPackage(String callerPackage, ShortcutInfo si) {
if (si == null) {
return;
}
if (!Objects.equals(callerPackage, si.getPackage())) {
android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
throw new SecurityException("Shortcut package name mismatch");
}
}
private void verifyShortcutInfoPackages(
String callerPackage, List<ShortcutInfo> list) {
final int size = list.size();
for (int i = 0; i < size; i++) {
verifyShortcutInfoPackage(callerPackage, list.get(i));
}
}
// Overridden in unit tests to execute r synchronously.
void injectPostToHandler(Runnable r) {
mHandler.post(r);
......@@ -1681,6 +1700,7 @@ public class ShortcutService extends IShortcutService.Stub {
verifyCaller(packageName, userId);
final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
verifyShortcutInfoPackages(packageName, newShortcuts);
final int size = newShortcuts.size();
synchronized (mLock) {
......@@ -1732,6 +1752,7 @@ public class ShortcutService extends IShortcutService.Stub {
verifyCaller(packageName, userId);
final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
verifyShortcutInfoPackages(packageName, newShortcuts);
final int size = newShortcuts.size();
synchronized (mLock) {
......@@ -1812,6 +1833,7 @@ public class ShortcutService extends IShortcutService.Stub {
verifyCaller(packageName, userId);
final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
verifyShortcutInfoPackages(packageName, newShortcuts);
final int size = newShortcuts.size();
synchronized (mLock) {
......@@ -1871,6 +1893,7 @@ public class ShortcutService extends IShortcutService.Stub {
Preconditions.checkNotNull(shortcut);
Preconditions.checkArgument(shortcut.isEnabled(), "Shortcut must be enabled");
verifyCaller(packageName, userId);
verifyShortcutInfoPackage(packageName, shortcut);
final Intent ret;
synchronized (mLock) {
......@@ -1892,6 +1915,7 @@ public class ShortcutService extends IShortcutService.Stub {
private boolean requestPinItem(String packageName, int userId, ShortcutInfo shortcut,
AppWidgetProviderInfo appWidget, Bundle extras, IntentSender resultIntent) {
verifyCaller(packageName, userId);
verifyShortcutInfoPackage(packageName, shortcut);
final boolean ret;
synchronized (mLock) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment