This project is mirrored from Updated .
  1. 09 Mar, 2020 1 commit
  2. 03 Mar, 2020 1 commit
  3. 11 Feb, 2020 2 commits
  4. 10 Feb, 2020 1 commit
  5. 04 Feb, 2020 1 commit
  6. 23 Jan, 2020 1 commit
  7. 21 Jan, 2020 2 commits
  8. 10 Jan, 2020 4 commits
    • Patrick Baumann's avatar
      Fixes NPE when preparing app data during init · e8ae9fcf
      Patrick Baumann authored
      When deleting an unused static shared library on Q, the user manager was
      fetched via mContext.getSystemService. At this time during boot, the
      service wasn't registered and so null was returned. This has already
      been addressed in R with a move to injecting dependencies in the
      PackageManagerService constructor.
      Bug: 142083996
      Bug: 141413692
      Test: manual; remove static dependency on eng Q build and reboot
      Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
      Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
      (cherry picked from commit 5d3fc339)
    • Patrick Baumann's avatar
      Use KNOWN_PACKAGES when shared lib consumers · 9192cc56
      Patrick Baumann authored
      This change ensures we find ALL known packages that could be consuming a
      shared library, not only currently installed ones. Without this check,
      the system may get into a state in which we have currently uninstalled
      but on-device apps that depend on a shared library that does not exist
      on device.
      This change also leaves static shared library packages on device even if
      it's not installed for any of the remaining users as it could still be
      used, but marked uninstalled for users in which it is consumed.
      Bug: 141413692
      Bug: 142083996
      Test: Manual; attempt to remove shared lib after marking its consumer uninstalled.
      Test: atest StaticSharedLibsHostTests
      Change-Id: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
      Merged-In: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
      (cherry picked from commit 08315953)
    • Patrick Baumann's avatar
      Handles null outInfo in deleteSystemPackageLI · 3bf4bb5e
      Patrick Baumann authored
      This change adds null checks before accessing outInfo in
      Bug: 142083996
      Bug: 141413692
      Test: manual; remove static dependency on eng build and reboot
      Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
      (cherry picked from commit 17471016508bb9c9ffb8c3946dda0b4897d722f1)
      Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
      (cherry picked from commit 6afabce5)
    • paulhu's avatar
      Fix security problem on PermissionMonitor#hasPermission · 0eb5ec96
      paulhu authored
      PermissionMonitor#hasPermission only checks permssions that app
      requested but it doesn't check whether the permission can be
      granted to this app. If requested permission doens't be granted
      to app, this method still returns that app has this permission.
      Then PermissionMonitor will pass this info to netd that means
      this app still can use network even restricted network without
      granted privileged permission like CONNECTIVITY_INTERNAL or
      Bug: 144679405
      Test: Build, flash, manual test
      Change-Id: I5eba4909e4c2e1d9f275f66be90ac36466b93e90
      Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
      Merged-In: Iae9c273af822b18c2e6fce04848a86f8dea6410a
      (cherry picked from commit 305946b9)
  9. 08 Jan, 2020 1 commit
    • Kevin F. Haggerty's avatar
      Merge tag 'android-8.1.0_r72' into staging/lineage-15.1_merge-android-8.1.0_r72 · 51674980
      Kevin F. Haggerty authored
      Android 8.1.0 release 72
      * tag 'android-8.1.0_r72':
        Force FGS notifications to show for a minimum time
        Prevent system uid component from running in an isolated app process
        Only allow INSTALL_ALLOW_TEST from shell or root
        DO NOT MERGE Validate wallpaper dimension while generating crop
        RESTRICT AUTOMERGE Revive runLimit check logic
      Change-Id: Ib7e1d04e646ff2ebf943bf1154626de3435f4ba9
  10. 23 Dec, 2019 2 commits
    • /e/ robot's avatar
    • David Sehr's avatar
      Allow tuning of heaptargetutilization · 898cdb65
      David Sehr authored
      Remove a pair of explicit sets of this value.  This allows ART to tune
      this parameter to improve GC responsiveness and memory usage.  Tuning
      this parameter is a key area of work for OEM-requested high-memory
      device configurations.
      Bug: 145823510
      Test: boot and run with various configurations of the flag.
      Change-Id: I19680ff5fa1ebf9dfd4a3f71533d03510f4da414
      Merged-In: I19680ff5fa1ebf9dfd4a3f71533d03510f4da414
      (cherry picked from commit b2910d3b6ff282194a4fa4e6c6818c4325168a4f)
  11. 16 Dec, 2019 3 commits
    • Sterling Huber's avatar
      RESTRICT AUTOMERGE · 71509777
      Sterling Huber authored
      Make toasts non-clickable
      Since enforcement was only on client-side, in Toast class, an app could
      use reflection (or other means) to make the Toast clickable. This is a
      security vulnerability since it allows tapjacking, that is, intercept touch
      events and do stuff like steal PINs and passwords.
      This CL brings the enforcement to the system by applying flag
      Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
            log click events. Then:
            1) Observe click events are logged without this CL.
            2) Observer click events are not logged with this CL.
      Bug: 128674520
      Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
      (cherry picked from commit 54e6a3c4)
    • Yohei Yukawa's avatar
      DO NOT MERGE back porting for fixing sysui direct reply · 52c28563
      Yohei Yukawa authored
      Root cause: systemui run as user 0 service to handle all of users'
      notifications. And, the users can user the copy/cut/paste
      Solution: To crate @hide API in TextView let SystemUI to mark the
      TextView instance should check if the power of
      INTERACT_ACROSS_USER_FULL is needed to be restricted.
      e.x. Keyguard password textview/Notificaiton entries
      Bug: 123232892
      Test: manual test
      Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
      Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
      Reference: I975baa748c821538e5a733bb98a33ac609bf40a7
      Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
      Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
      Merged-In: I6d11e4d6a84570bc2991a8552349e8b216b0d139
      (cherry picked from commit 08aae908)
    • Tarandeep Singh's avatar
      DO NOT MERGE: Disable SpellChecker in secondary user's direct reply · f7f0454e
      Tarandeep Singh authored
      For secondary users, when AOSP keyboard is used to type in
      direct-reply, unknown words can be added to dictionary.
      It's *not* OK for SpellCheckerService of primary user to
      check unknown words typed by a secondary user.
      The dialog to add these words shows up in primary user instead.
      TextView uses TextView#isSuggestionsEnabled() to determine if
      SpellChecker is enabled. This can be disabled by setting the flag
      Note: This doesn't affect workprofile users on P or older versions since
      they use same SpellCheckerService for all workprofiles.
      Bug: 123232892
      Test: Manually tested using the steps mentioned in the bug.
       1. Flash latest P build.
       2. Install AOSP keyboard (LatinIME) and set it as default.
       3. Install and open EditTextVariations
       4. Initiate direct reply in primary user and type non-english
          words like "ggggg hhhhh".
       5. Observe that they get red underline and tapping it brings "add
          to dictionary" popup.
       6. Create a new secondary user and switch to it.
       7. Once the setup completes, initiate a direct reply and type words
          similar to step 4.
       8. Verify that red underlines dont appear.
       9. switch back to primary user and verify direct reply still has red
      Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc
      (cherry picked from commit b52efcb9)
  12. 15 Dec, 2019 2 commits
  13. 11 Dec, 2019 3 commits
  14. 03 Dec, 2019 1 commit
  15. 26 Nov, 2019 2 commits
  16. 25 Nov, 2019 1 commit
  17. 17 Nov, 2019 1 commit
  18. 13 Nov, 2019 1 commit
  19. 12 Nov, 2019 1 commit
    • Kevin F. Haggerty's avatar
      Merge tag 'android-8.1.0_r70' into staging/lineage-15.1_merge-android-8.1.0_r70 · 1bbe2b78
      Kevin F. Haggerty authored
      Android 8.1.0 release 70
      * tag 'android-8.1.0_r70':
        RESTRICT AUTOMERGE Enable stricter SQLiteQueryBuilder options.
        RESTRICT AUTOMERGE Strict SQLiteQueryBuilder needs to be stricter.
        Set default phonebook access to ACCESS_REJECTED when user didn't choose one
      Change-Id: Ia2b60472b8a69fbe7cde0ee3bbf92cacbff35c8f
  20. 08 Nov, 2019 4 commits
    • Evan Laird's avatar
      Force FGS notifications to show for a minimum time · 15273ad9
      Evan Laird authored
      It's possible for a service to do a start/stop foreground and cause a
      couple of things to happen:
      NotificationManagerService will enqueue a EnqueueNotificationRunnable,
      post a PostNotificationRunnable (for the startForeground), and then also
      enqueue a CancelNotificationRunnable. There is some racy behavior here
      in that the cancel runnable can get triggered in between enqueue and
      post runnables. If the cancel happens first, then
      NotificationListenerServices will never get the message.
      This behavior is technically allowed, however for foreground services we
      want to ensure that there is a minmum amount of time that notification
      listeners are aware of the foreground service so that (for instance) the
      FGS notification can be shown.
      This CL does two things to mitigate this problem:
      1. Introduce checking in the CancelNotificationRunnable such that it
      will not cancel until after PostNotificationRunnable has finished
      2. Introduce a NotificationLifetimeExtender method that will allow a
      lifetime extender to manage the lifetime of a notification that has been
      enqueued but not inflated yet.
      Bug: 119041698
      Test: atest NotificationManagerServiceTest
      Test: atest ForegroundServiceLifetimeExtenderTest
      Change-Id: I0680034ed9315aa2c05282524d48faaed066ebd0
      Merged-In: I0680034ed9315aa2c05282524d48faaed066ebd0
      (cherry picked from commit 3692a6d2)
    • Jing Ji's avatar
      Prevent system uid component from running in an isolated app process · ef7e2882
      Jing Ji authored
      Bug: 140055304
      Test: Manua
      Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
      Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
      (cherry picked from commit 0bfebadf)
    • Todd Kennedy's avatar
      Only allow INSTALL_ALLOW_TEST from shell or root · 21af7a41
      Todd Kennedy authored
      Bug: 141169173
      Test: Manual. App can't be installed as test-only
      Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
      Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
      (cherry picked from commit 702d3947)
    • Ahan Wu's avatar
      DO NOT MERGE Validate wallpaper dimension while generating crop · 6630006d
      Ahan Wu authored
      If dimensions of cropped wallpaper image exceed max texture size that
      GPU can support, it will cause ImageWallpaper keep crashing
      because hwui crashes by invalid operation (0x502).
      Bug: 120847476.
      Test: Write a custom app to set a 8000x800 bitmap as wallpaper.
      Test: The cropped file will be 29600x2960 and make sysui keep crashing.
      Test: After applyed this cl, wallpaper will use fallback.
      Test: Sysui will not keep crashing any more.
      Change-Id: Ifaf2085a0bc94448e49fa2f30066f47310586236
      (cherry picked from commit 160c28c3)
  21. 17 Oct, 2019 1 commit
    • Seigo Nonaka's avatar
      RESTRICT AUTOMERGE · ecee2eba
      Seigo Nonaka authored
      Revive runLimit check logic
      The runLimit check logic was accidentally removed by
      Bug: 142134328
      Bug: 140632678
      Test: Manually done with reported step
      Test: StaticLayoutTest passes
      Change-Id: Ib1d5efdcb9adcc18a6a43370dc016ea464f48148
      (cherry picked from commit 7b05578d)
  22. 15 Oct, 2019 2 commits
  23. 08 Oct, 2019 1 commit
    • Seigo Nonaka's avatar
      RESTRICT AUTOMERGE · 4fdbba03
      Seigo Nonaka authored
      Do not compute outside given range in TextLine
      This is second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
      which breaks various layout test on application.
      The empty string must be also handled by the TextLine since it
      retrieves the default line height from the empty string.
      Bug: 140632678
      Test: StaticLayoutTest
      Test: Manually done
      Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
      (cherry picked from commit 4ce901e4)
  24. 19 Sep, 2019 1 commit
    • Jeff Sharkey's avatar
      RESTRICT AUTOMERGE · 35dba262
      Jeff Sharkey authored
      Enable stricter SQLiteQueryBuilder options.
      Malicious callers can leak side-channel information by using
      subqueries in any untrusted inputs where SQLite allows "expr" values.
      This change starts using setStrictColumns() and setStrictGrammar()
      on SQLiteQueryBuilder to block this class of attacks.  This means we
      now need to define the projection mapping of valid columns, which
      consists of both the columns defined in the public API and columns
      read internally by DownloadInfo.Reader.
      We're okay growing sAppReadableColumnsSet like this, since we're
      relying on our trusted WHERE clause to filter away any rows that
      don't belong to the calling UID.
      Remove the legacy Lexer code, since we're now internally relying on
      the robust and well-tested SQLiteTokenizer logic.
      Bug: 135270103, 135269143
      Test: cts-tradefed run cts -m CtsAppTestCases -t
      Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
      (cherry picked from commit f683c688)