Assume there is an XmlBlock [X] created by an AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to a crash.
By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.
Bug: 144028297
Test: atest android.security.cts.AssetManagerTest
Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
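
Added example, not part of the commit or of AOSP: a stand-alone Java model that replays the finalizer order described in the message above and counts the modelled nativeDestroy calls with and without clearing mObject in finalize. The class names, the `clearInFinalize` switch and the `mObject != 0` guard in decRefsLocked are assumptions inferred from the message; only mNumRefs, mObject, xmlBlockGone, decRefsLocked and nativeDestroy are names taken from it.

```java
// Stand-alone model (not AOSP code) of the double nativeDestroy described above.
public class DoubleDestroyModel {
    static class Manager {
        long mObject = 0x1000;          // constructed stand-in for the native handle
        int mNumRefs = 1;               // the manager's own reference
        int destroyCalls = 0;           // counts modelled nativeDestroy calls
        final boolean clearInFinalize;  // true models the change in the commit

        Manager(boolean clearInFinalize) { this.clearInFinalize = clearInFinalize; }

        void nativeDestroy() { destroyCalls++; }  // real code frees native memory here

        void openXmlBlock() { mNumRefs++; }       // [X] created: mNumRefs = 2
        void close() { decRefsLocked(); }         // [A].close: mNumRefs = 1
        void xmlBlockGone() { decRefsLocked(); }  // called from [X].finalize

        // Assumption: the last reference destroys the handle only if it is still set.
        void decRefsLocked() {
            mNumRefs--;
            if (mNumRefs == 0 && mObject != 0) {
                nativeDestroy();
                mObject = 0;
            }
        }

        // Stands in for [A].finalize; the change is to clear the handle afterwards.
        void finalizeModel() {
            if (mObject != 0) {
                nativeDestroy();
                if (clearInFinalize) mObject = 0;
            }
        }
    }

    // Replays the GC order from the commit message and returns the destroy count.
    static int replay(boolean clearInFinalize) {
        Manager a = new Manager(clearInFinalize);
        a.openXmlBlock();
        a.close();
        a.finalizeModel();  // [A].finalize runs first
        a.xmlBlockGone();   // then [X].finalize drops the last reference
        return a.destroyCalls;
    }

    public static void main(String[] args) {
        System.out.println("handle left set:    destroy calls = " + replay(false));
        System.out.println("handle cleared:     destroy calls = " + replay(true));
    }
}
```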
The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.
This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:

    <path-permission android:pathPrefix="/private" ... />
    uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
    content://com.example//private

The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.
Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.
Bug: 112555574
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
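
Added example, not part of the commit or of AOSP: a plain-Java model of the mismatch described in the message above, showing a prefix check and segment-based routing disagreeing on the same path, and agreeing again once zero-length segments are trimmed. The class and method names are hypothetical, the test paths are constructed, and where the real change applies the trimming is not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-alone model (not AOSP code): string-prefix permission check
// versus routing on path segments with empty segments dropped.
public class PathPermissionMismatch {

    // Models <path-permission android:pathPrefix="/private">: a plain prefix test.
    static boolean guardedByPrefix(String path, String prefix) {
        return path.startsWith(prefix);
    }

    // Models Uri.getPathSegments(): zero-length segments are dropped.
    static List<String> pathSegments(String path) {
        List<String> segments = new ArrayList<>();
        for (String s : path.split("/")) {
            if (!s.isEmpty()) segments.add(s);
        }
        return segments;
    }

    // Models uriMatcher.addURI("com.example", "/private", CODE_PRIVATE).
    static boolean routesToPrivate(String path) {
        List<String> segs = pathSegments(path);
        return segs.size() == 1 && segs.get(0).equals("private");
    }

    // The mitigation the message describes: trim zero-length path segments
    // so the permission check and the matcher see the same path.
    static String trimEmptySegments(String path) {
        return "/" + String.join("/", pathSegments(path));
    }

    // True when the path reaches CODE_PRIVATE without being covered by the guard.
    static boolean bypasses(String path) {
        return routesToPrivate(path) && !guardedByPrefix(path, "/private");
    }

    public static void main(String[] args) {
        String[] paths = {"/private", "//private", "/private//", "/public"};  // constructed
        for (String p : paths) {
            String fixed = trimEmptySegments(p);
            System.out.printf("%-12s bypass=%-5b normalized=%-9s bypassAfterTrim=%b%n",
                    p, bypasses(p), fixed, bypasses(fixed));
        }
    }
}
```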
* limit the absolute maximum size of the label to 50000 characters
[which is probably far more than necessary, but, can be dialed down]
* use a string buffer while processing the string [instead of creating
multiple string objects]
Bug: 62537081
Test: Manual. Install APK in bug and see that it can be uninstalled
Change-Id: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
Merged-In: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
docs: Revised descriptions of binding and connecting to services.
Clarified that Context.bindService() returning true only indicates
that the system has found a service to bind to the client and that
ServiceConnection.onServiceConnected() might not be called if the
service encounters an error, such as crashing during startup.
Test: make ds-docs
Bug: 63118511
Change-Id: I0906de76abf4124d74f7f4f80ac0eab3cbf94f7e
The guide now contains supplemental, rather than duplicate,
information relative to the "App Shortcuts" guide, available at
https://developer.android.com/guide/topics/ui/shortcuts.html
Test: make ds-docs -j8
Bug: 64401518
Change-Id: Iefa34299a9765eb5d853da71d9197a0edb346026
We added a couple of protection flags that also apply to
normal and dangerous permissions. These flags are folded
in the protection level breaking apps that directly
compare against the protection constants. Apps that target
older than O SDK don't get protection flags folded into
the protection level.
Test: All permission tests pass
Added a new test to ensure no protection flags reported
for normal and dangerous permissions
Change-Id: I87b10a7695d8ecfa7156525d6f3d101fc0639513
bug:62755026
We added a couple of protection flags that also apply to
normal and dangerous permissions. These flags are folded
in the protection level breaking apps that directly
compare against the protection constants. Apps that target
older than O SDK don't get protection flags folded into
the protection level.
Test: All permission tests pass
Added a new test to ensure no protection flags reported
for normal and dangerous permissions
bug:62755026
Change-Id: I72547b0146e6b6919803e33ff64b7208c4a255ad
Since CONTEXT_RESTRICTED is not a default flag of createPackageContext,
we can't rely on it for preventing unexpected font injections.
To protect developers and existing apps from a risk of font injection,
stop loading font from other package's resource unless the developer
explicitly sets CONTEXT_IGNORE_SECURITY.
This CL contains Iac2a6fb3d82ef23d5ca6ee33f4aaa9ed28455271 by manual
merging to handle repository split.
Bug: 62813533
Bug: 62879353
Test: Manually done
Merged-In: I4442ddc48dadb5c968b444be86038b602074d301
Change-Id: I4442ddc48dadb5c968b444be86038b602074d301
Add the shared libs that are APKs to the native library
path when creating application class loaders. Also don't
allow shared libraries hosting native libs to request
extraction of the native libs out of the APK. Lastly,
shared libraries hosting native libs must be declared
as multi-architecture.
Test: CTS tests in this topic
bug:62720360
Change-Id: I0a398593ebe41b2976cb706ca8a388005f5aec83
Autofill seems to need IDs to be preserved across things
like configuration changes, while accessibility will not
function without views with unique ids. Separating out the
two types of IDs. We can re-combine them once it's clear
that both demands can be satisfied.
Bug: 62301218
Test: Run a11y and autofill CTS, and verify that the play
store app functions with TalkBack after a screen rotation.
Change-Id: I17a99de2874768fc0ade3aa354130dd1f6b4cd7e
Instead of maintaining a separate structure just for overlay
paths, store them as user state in the package setting. Also
centralize updating the overlay paths to avoid issues with
inconsistent updates.
Fixes: 36561125
Test: Manual
Change-Id: Iac1c987e8650074dbc564e332d5da1950fad6ac5
Sometimes callers want to clear the calling identity [to avoid permission
calls]. In this case, allow passing the original calling identity to
internal methods.
Test: Manual; create profile account and observe launcher still works cross profile
Test: bit FrameworksServicesTests:com.android.server.pm.ShortcutManagerTest{1..10}
Change-Id: I73f8ad4b2dc1895227c3fcb14f3f1f18f600562f
Fixes: 38349978
Previously, it was possible for the view hierarchy to be measured,
laid out, and drawn around a window frame size that did not match
the current configuration. This stems from new configurations not
always propagating back from WindowSession#relayout, which is
called from ViewRootImpl.
This changelist makes WindowManagerService#relayoutWindow always
return the latest configuration. It also adds rotation to the
configuration.
Fixes: 32839232
Test: go/wm-smoke
Test: Open Camera while rotating phone to landscape. Added
temporary logs to detect inconsistencies between measurements
and reported rotation on draw.
Change-Id: I39daca338b4f87eff1a509eb99493f01e710ced1
Most @SystemApi methods should be protected with system (or higher)
permissions, so annotate common methods with @RequiresPermission to
make automatic verification easier.
Verification is really only relevant when calling into system
services (where permissions checking can happen on the other side of
a Binder call), so annotate managers with the new @SystemService
annotation, which is now automatically documented.
This is purely a docs change; no logic changes are being made.
Test: make -j32 update-api && make -j32 offline-sdk-docs
Bug: 62263906
Change-Id: I2554227202d84465676aa4ab0dd336b5c45fc651
When answering the question "how much space is free", use the same
logic for Settings UI and StorageManager.getAllocatableBytes(). That
is, the reported free space is usable bytes plus any cached data the
system is willing to delete automatically.
This does *not* include any reserved cache space, since we don't want
abusive apps to penalize other well-behaved apps that are storing
their data in cache locations. Callers freeing cached data need to
now explicitly request defiance of the reserved cache space. (Most
callers are already doing this by using FLAG_ALLOCATE_AGGRESSIVE.)
Rewrite the core logic of DeviceStorageMonitorService to understand
this new "reserved" cache space, and to be easier to understand. It
also now handles cached data on adopted storage volumes, which had
been ignored until now. Also fix bug where we had skipped "low"
broadcasts when the device skipped directly from/to "full" state.
Bug: 38008706
Test: cts-tradefed run commandAndExit cts-dev -m CtsJobSchedulerTestCases -t android.jobscheduler.cts.StorageConstraintTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Change-Id: Icbdcf3b52775f7ada1ceaeff2f96094c8d8052f9
An invalid, 'null' resource ID is defined as 0. Apps often use -1.
Add a helper method that makes checking valid IDs easy and more
centralized.
Eventually make it public API.
Bug: 38393777
Test: manual
Change-Id: I969ec4a45e86bdab3d7f57d357d475b77c7f8a78
Change-Id: I97f791b61f9b4f7ed33305345bf3d92394b40ae4
Fixes: 38202759
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.EphemeralTest
Test: Manual. Create sample app that replaces the launcher to test ability to see ephemeral apps.
Turns out there was another path into the activity manager
to trigger a PendingIntent, which needs to be modified to
now also pass in the whitelist token of that pending intent.
Test: manual
Change-Id: I755ff87db1b782fa6974d404dcb490786053c5e0