This project is mirrored from Updated .
  1. 08 Apr, 2020 1 commit
  2. 07 Apr, 2020 1 commit
  3. 06 Apr, 2020 3 commits
  4. 16 Mar, 2020 2 commits
  5. 12 Mar, 2020 1 commit
  6. 06 Mar, 2020 2 commits
  7. 03 Mar, 2020 3 commits
    • Fixes NPE when preparing app data during init · 331107d7
      Patrick Baumann authored
      When deleting an unused static shared library on Q, the user manager was
      fetched via mContext.getSystemService. At this time during boot, the
      service wasn't registered and so null was returned. This has already
      been addressed in R with a move to injecting dependencies in the
      PackageManagerService constructor.
      Bug: 142083996
      Bug: 141413692
      Test: manual; remove static dependency on eng Q build and reboot
      Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
      Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
      (cherry picked from commit 5d3fc339)
    • Handles null outInfo in deleteSystemPackageLI · 2c0a05d0
      Patrick Baumann authored
      This change adds null checks before accessing outInfo in
      Bug: 142083996
      Bug: 141413692
      Test: manual; remove static dependency on eng build and reboot
      Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
      (cherry picked from commit 17471016508bb9c9ffb8c3946dda0b4897d722f1)
      Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
      (cherry picked from commit 6afabce5)
    • Fix security problem on PermissionMonitor#hasPermission · caf3c621
      paulhu authored
      PermissionMonitor#hasPermission only checks permissions that app
      requested but it doesn't check whether the permission can be
      granted to this app. If requested permission isn't granted
      to app, this method still returns that app has this permission.
      Then PermissionMonitor will pass this info to netd that means
      this app still can use network even restricted network without
      granted privileged permission like CONNECTIVITY_INTERNAL or
      Bug: 144679405
      Test: Build, flash, manual test
      Change-Id: I5eba4909e4c2e1d9f275f66be90ac36466b93e90
      Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
      Merged-In: Iae9c273af822b18c2e6fce04848a86f8dea6410a
      (cherry picked from commit 305946b9)
  8. 25 Feb, 2020 3 commits
  9. 24 Feb, 2020 1 commit
  10. 21 Feb, 2020 2 commits
  11. 14 Feb, 2020 1 commit
  12. 11 Feb, 2020 1 commit
  13. 10 Feb, 2020 1 commit
  14. 05 Feb, 2020 3 commits
    • RESTRICT AUTOMERGE Make toasts non-clickable · 2dbe94c0
      Sterling Huber authored
      Since enforcement was only on client-side, in Toast class, an app could
      use reflection (or other means) to make the Toast clickable. This is a
      security vulnerability since it allows tapjacking, that is, intercept touch
      events and do stuff like steal PINs and passwords.
      This CL brings the enforcement to the system by applying flag
      Test: atest CtsWindowManagetDeviceTestCases:ToastTest
      Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
            log click events. Then:
            1) Observe click events are logged without this CL.
            2) Observe click events are not logged with this CL.
      Bug: 128674520
      (cherry picked from commit 6bf18c39)
      Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
    • DO NOT MERGE back porting for fixing sysui direct reply · de08dc76
      Yohei Yukawa authored
      Root cause: systemui run as user 0 service to handle all of users'
      notifications. And, the users can use the copy/cut/paste
      Solution: To create @hide API in TextView let SystemUI to mark the
      TextView instance should check if the power of
      INTERACT_ACROSS_USER_FULL is needed to be restricted.
      e.g. Keyguard password textview/Notification entries
      Bug: 123232892
      Test: manual test
      Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
      Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
      Reference: I975baa748c821538e5a733bb98a33ac609bf40a7
      Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
      (cherry picked from commit 08391b3d)
      [basilgello: Back-ported to 14.1:
       - packages/SystemUI/src/com/android/keyguard/ ->
      Signed-off-by: Vasyl Gello <>
      Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
    • DO NOT MERGE: Disable SpellChecker in secondary user's direct reply · 1163d5e8
      Tarandeep Singh authored
      For secondary users, when AOSP keyboard is used to type in
      direct-reply, unknown words can be added to dictionary.
      It's *not* OK for SpellCheckerService of primary user to
      check unknown words typed by a secondary user.
      The dialog to add these words shows up in primary user instead.
      TextView uses TextView#isSuggestionsEnabled() to determine if
      SpellChecker is enabled. This can be disabled by setting the flag
      Note: This doesn't affect workprofile users on P or older versions since
      they use same SpellCheckerService for all workprofiles.
      Bug: 123232892
      Test: Manually tested using the steps mentioned in the bug.
       1. Flash latest P build.
       2. Install AOSP keyboard (LatinIME) and set it as default.
       3. Install and open EditTextVariations
       4. Initiate direct reply in primary user and type non-english
          words like "ggggg hhhhh".
       5. Observe that they get red underline and tapping it brings "add
          to dictionary" popup.
       6. Create a new secondary user and switch to it.
       7. Once the setup completes, initiate a direct reply and type words
          similar to step 4.
       8. Verify that red underlines don't appear.
       9. Switch back to primary user and verify direct reply still has red
      (cherry picked from commit b5c0e01a)
      Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc
  15. 03 Feb, 2020 1 commit
  16. 21 Jan, 2020 2 commits
  17. 07 Jan, 2020 3 commits
    • Prevent system uid component from running in an isolated app process · e9c1ec70
      Jing Ji authored
      Bug: 140055304
      Test: Manua
      Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
      Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
      (cherry picked from commit 0bfebadf)
    • Only allow INSTALL_ALLOW_TEST from shell or root · f24e5205
      Todd Kennedy authored
      Bug: 141169173
      Test: Manual. App can't be installed as test-only
      Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
      Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
      (cherry picked from commit 702d3947)
    • DO NOT MERGE Validate wallpaper dimension while generating crop · 7d4f9019
      Ahan Wu authored
      If dimensions of cropped wallpaper image exceed max texture size that
      GPU can support, it will cause ImageWallpaper to keep crashing
      because hwui crashes by invalid operation (0x502).
      Bug: 120847476.
      Test: Write a custom app to set a 8000x800 bitmap as wallpaper.
      Test: The cropped file will be 29600x2960 and make sysui keep crashing.
      Test: After applying this cl, wallpaper will use fallback.
      Test: Sysui will not keep crashing any more.
      Change-Id: I8ed5931298c652a2230858cf62df3f6fcd345c5a
      (cherry picked from commit f1e1f4f0)
  18. 23 Dec, 2019 1 commit
  19. 16 Dec, 2019 2 commits
  20. 15 Dec, 2019 1 commit
  21. 08 Dec, 2019 1 commit
    • Do not compute outside given range in TextLine · 434f2bce
      Seigo Nonaka authored
      This is the second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
      which breaks various layout tests on application.
      The empty string must be also handled by the TextLine since it
      retrieves the default line height from the empty string.
      Bug: 140632678
      Test: StaticLayoutTest
      Test: Manually done
      Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
  22. 14 Nov, 2019 1 commit
  23. 05 Nov, 2019 3 commits
    • RESTRICT AUTOMERGE Strict SQLiteQueryBuilder needs to be stricter. · a634fae4
      Jeff Sharkey authored
      Malicious callers can leak side-channel information by using
      subqueries in any untrusted inputs where SQLite allows "expr" values.
      This change offers setStrictGrammar() to prevent this by outright
      blocking subqueries in WHERE and HAVING clauses, and by requiring
      that GROUP BY and ORDER BY clauses be composed only of valid columns.
      This change also offers setStrictColumns() to require that all
      untrusted column names are valid, such as those in ContentValues.
      Relaxes to always allow aggregation operators on returned columns,
      since untrusted callers can always calculate these manually.
      Bug: 135270103
      Bug: 135269143
      Test: atest android.database.sqlite.cts.SQLiteQueryBuilderTest
      Test: atest FrameworksCoreTests:android.database.sqlite.SQLiteTokenizerTest
      Exempt-From-Owner-Approval: already approved in downstream branch
      Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
      (cherry picked from commit 216bbc2a)
    • Set default phonebook access to ACCESS_REJECTED when user didn't choose one · 000e1d20
      Zongheng Wang authored
      When there's no users' choice to tell us whether to share their
      phonebook information to the Bluetooth device, set the phonebook access
      permission to ACCESS_REJECTED.
      Bug: 138529441
      Test: Manual test
      Change-Id: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
      Merged-In: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
      (cherry picked from commit 9b3cb0f0)
    • RESTRICT AUTOMERGE Enable stricter SQLiteQueryBuilder options. · 598188b4
      Jeff Sharkey authored
      Malicious callers can leak side-channel information by using
      subqueries in any untrusted inputs where SQLite allows "expr" values.
      This change starts using setStrictColumns() and setStrictGrammar()
      on SQLiteQueryBuilder to block this class of attacks.  This means we
      now need to define the projection mapping of valid columns, which
      consists of both the columns defined in the public API and columns
      read internally by DownloadInfo.Reader.
      We're okay growing sAppReadableColumnsSet like this, since we're
      relying on our trusted WHERE clause to filter away any rows that
      don't belong to the calling UID.
      Remove the legacy Lexer code, since we're now internally relying on
      the robust and well-tested SQLiteTokenizer logic.
      Bug: 135270103
      Bug: 135269143
      Test: atest DownloadProviderTests
      Test: atest
      Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
      (cherry picked from commit 382d5c0c)