This app-generated input needs to not be too long to avoid errors in the process of writing to disk.
Bug: 242846316
Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK
Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
(cherry picked from commit 81352c3775)
The service must have the CAPTURE_AUDIO_HOTWORD permission to access
AlwaysOnHotwordDetector. If it doesn't have the permission, return
STATE_HARDWARE_UNAVAILABLE state. If it is not granted the
RECORD_AUDIO permisison, it also can't start to recognize the audio.
Test: manual
Test: atest CtsVoiceInteractionTestCases
Test: atest CtsAssistTestCases
Bug: 229793943
Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.
We fixed related issues previously for GateKeeperResponse class, but
one of the case was remaining when payload is byte array of size 0,
Fixing this case now.
Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
(cherry picked from commit 46653a91c3)
Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
* For the case where the pinned inline suggestion triggers an
pending intent through the auth flow, and it returns a dataset
to be autofilled, previously we would replace the existing
dataset with the returned dataset. However, this is causing
several potential issues:
1. if the returned dataset doesn't contain inline presentation
the the pinned icon will not show again
2. if the returned dataset contains inline presentation but not
the pending intent, then the pinned icon will show up again
but tapping on it will not launch the pending intent
3. if the returned dataset contains the inline presentaion and
the pending intent, then when we "autofill" it, it'll fire
the pending intent directly as opposed to filling in the
value
* We fix the issue by not replacing the old dataset if the dataset
is a pinned inline suggestion.
* One caveat of the approach is that: a dataset can potentially
have multiple fields, and it's possible that some of the fields'
has inline presentation and some don't. It's also possible that
some of the fields' inline presentation is pinned and some isn't.
So the concept of whether a Dataset is pinned or not is
ill-defined. Here we say a dataset is pinned if any of the field
has a pinned inline presentation in the dataset. It's not ideal
but hopefully it is sufficient for most of the cases.
* An alternative approach is to have the autofill provider telling
whether they want to replace the old dataset or not, through
a new field in the returned Bundle. But that requres an API change
so is infeasible at this time.
Test: atest android.autofillservice.cts.inline
Test: atest android.autofillservice.cts.augmented
Test: atest android.autofillservice.cts.LoginActivityTest
Test: atest android.autofillservice.cts.AuthenticationTest
Bug: 159367101
Change-Id: I6d162aeb88a4655989c1aa315df8304c0980ac60
* Attach to each inline suggestion remote view the user id
and session id, which together identify a session. Then when
the session is destroyed, we release all the remote views
associated with the it.
* Worst scenario is that the IME is still showing the UI when
the remote view is released due to session destroy, in which
case the suggestion will disappear from the IME window. But
we also make sure we send an empty response to IME before
releasing the views, so it should be bad. Plus when a session
is destroyed, interacting with the suggestion UI doesn't do
anything, so it's not very helpful to show them.
* Also add a dump method to the InlineSuggestionRenderService
to help with debugging
Test: atest android.autofillservice.cts.inline
Bug: 154683107
Change-Id: I488fd9d9af08d0df3ffd3c851f96c567d07eed5a
Add possible conditions under which SystemUI may not prompt the user to
add a control.
Test: no test
Fixes: 159728016
Change-Id: I143e50cc15397d85b4212d9fb29d64df7c2de80c
* SurfaceControlViewHost#setView() method will post a task to the
main thread to draw the view. We want to callback the surface
package to the remote process after the view is drawn and ready
to be shown, to avoid the flicker when the remote process attaches
it to their window when it's not drawn.
Test: atest android.autofillservice.cts.inline
Bug: 157515522
Change-Id: Ia75baaf9d6a4770a783dfc75ebb01b4b6e62e180
It is hard to reproduce this issue, it would better add try-catch
for the augmented autofill UI as regular autofill UI did.
Bug: 149744098
Test: atest CtsAutoFillServiceTestCases
Change-Id: I808ac48476ef96b8944e762dd5c41413da3a2c2e
After 9118c9b the surface can be destroy after the window state become
invisible, since WallpaperService copy the surface from WMS and it is
not implement with ViewRootImpl, WallpaperService#Engine should call
relayout to get new surface when client need to redraw it.
Bug: 158955956
Test: verify the wallpaper can show by launch LiveWallpaperChange with
live wallpaper and push/pull it from recents several times.
Test: atest WallpaperServiceTest ImageWallpaperTest
Change-Id: I79f97df61696eea325183e9b9057cbb10ce8cc66
* The bug was introduced in ag/11784240 causing the existing CTS test to
fail: android.autofillservice.cts.augmented.AugmentedLoginActivityTest
#testCancellationSignalCalled_retriggerAugmentedAutofill
* Basically when the dropdown fill window is displayed, we should not mark
the augmented autofill request as complete
Test: atest android.autofillservice.cts.augmented
Test: atest android.autofillservice.cts.inline
Bug: 158864213
Bug: 158038231
Change-Id: Ifb75189c1ba3183c99516bfb9a7053524f4bbddc
Allow single taps as well as long press to launch the detail panel
when no template is specified.
Fixes: 158773087
Test: ControlsMockApp, any default type
Change-Id: I4d5451f6a5968d8dd223eb5b10d931ad60aad951
* The augmented autofill may dynamically request an autofill request
which will "invalidate" the old suggestions. In case the new request
doesn't return any suggestions, we need to make sure the old
suggestions are removed from the IME.
* See the scenario in https://b.corp.google.com/issues/158038231#comment14
Test: manual
Test: atest android.autofillservice.cts.inline
Bug: 157515522
Bug: 158038231
Change-Id: If85592395ad918197566a5ca556fba8ccc971071
Show a more informative error to the user on touch/long press about
how to handle this situation. Properly animate status changes.
Fixes: 154737944
Test: TYPE_DISPLAY in mock app simulates not found error
Change-Id: I15ce2d2621ea29c97936f9d9022d917637693288
* if the user taps quickly such that there is only ACTION_DOWN and
ACTION_UP, without ACTION_MOVE, it'd be possible that the
isSecure check is not respected. This patch fixes that case.
Test: atest android.autofillservice.cts.inline
Bug: 157772682
Bug: 158038231
Change-Id: Icd21bf2f88259673bb9b20e46e63672648495eac
The camera API, MediaStore.ACTION_IMAGE_CAPTURE requires apps to pass
a content:// URI with write permissions to the camera. Unfortunately,
apps haven't been doing this and we only started hitting problems in R
for two reasons:
1. The FileUriExposedException that should crash apps when they try to
share file:// URIs acroos binder is skipped. This is because, the
image_capture intent is passed across binder as a field in a
ChooserActivity Intent and the child intents are not checked for
file URI exposed
2. Prior to R, when camera gets a file:// URI, camera issues a file
open(2) in its process. This open(2) succeeds because the camera had
write_external_storage permission which gave it write access to all
files on external storage
Now, camera targets R and (2) fails because camera does not have write
access to files owned by other apps. To workaround, we do the
following in the apps process when it targets < R:
a. When we detect a file:// URI for the camera in an Intent, we create
the file on disk if it is not already created.
b. Scan the file to insert it in the database and retrieve a
content:// URI
c. Replace the file:// URI with the content URI in the image_capture
intent
This works because, the system will ensure the camera is granted write
access to the content URI.
Test: Manual
Bug: 156336269
Change-Id: I4849ff5e806a8207650ff7534846c36ecdc6d3c0
The finish() method is used to clear hard references after
the data copy has ended. This fixes a bug where the references are cleared before onError() is attempted to be called.
Test: CTS tests in followup CL
Bug: 157136368
Fixes: 157136368
Change-Id: If924fe388762831af90579e6b00bdf223230e203
Limit to 36 controls: 6 structures with up to 6 controls per structure
Fixes: 153606605
Test: atest ControlsControllerImplTest
Change-Id: Ieddceda4a0902e4b42208680c7a77ee03514a16c
In the test we trigger the manual autofill request programmatically,
because the focus isn't on the field, we will not get the callback
from IME.
It would be better not to ask IME for inline request if the request
is manual and the view is not focused because it's a simpler/safer
approach and manual request without focus should be rare.
Bug: 154661868
Test: atest CtsAutoFillServiceTestCases
Change-Id: I783b2542094cdea547ebd58ce89f30d9cd421708
* Before this change, when the inline suggestion view is detached from
the IME window (e.g. due to layout change), the remote view content
will not show again even after the view is reattached to the window
on the IME side. This patch fixes it by requesting the remote view
owner (the ext services) for a new SurfacePackage when the view is
re-attached to the window (see javadoc of SurfaceControlViewHost for
why this works).
* This patch also fixes the issue where the SurfaceControlViewHost was
never released in the ext services. This is done by notifying the
ext services (through system server) when the view is detached from
the IME window, and then the system server will release the
SurfaceControlViewHost if after N(=500) ms the view is not re-attached
to a window.
* After the SurfaceControlViewHost is released, if the view is
re-attached to the window later, a new SurfaceControlViewHost will be
created to back the same InlineContentView.
* The current code structure also lays a foundation for a subsequent
change to allow reusing the same remote view for inline suggestions
during filtering.
Test: atest CtsAutofillServiceTestCases (sanity test)
Bug: 153615023
Bug: 154683107
Change-Id: Idc587e1e82a96b792c351796464821b7aad7cd89
Currently DreamActivity doesn't handle any configuration changes,
and does not set fixed orientation. So the decor view will be
detached if the activity is relaunching for configuration changes.
Though it also works by making DreamActivity support handling the
changes, all implementations of DreamService may need to add the
corresponding handling. So this fix only keeps the service alive
for compatibility.
Fixes: 154474768
Test: atest DreamManagerServiceTests#testDreamNotFinishAfterRotation
Test: Enter Settings > Display > Screen saver, press "Start now".
The dream service should not be stopped after device rotated.
Change-Id: I454f75d06c4539258eeafd8794a3cb03e0276163
Two recent checkins broke the Javadoc (in both cases, an <h3> wasn't
properly closed). Made the fix by hand to the HTML output in
cl/309818465 but we need to make the corresponding change to
the Java source or it'll get reverted next time we update the reference
docs.
Staged to:
go/dac-stage/reference/android/content/pm/LauncherApps.PinItemRequest
go/dac-stage/reference/android/service/autofill/AutofillService
go/dac-stage/reference/kotlin/android/content/pm/LauncherApps.PinItemRequest
go/dac-stage/reference/kotlin/android/service/autofill/AutofillService
BUG: 155669442
Exempt-from-owner-approval: Docs-only change
Test: make ds-docs
Change-Id: I97be9550689544304dff276cf3c9406f9cd98408
* The use case of this API was for augmented autofill service to send
updated suggestions
* Before this change, the dynamic autofill request by the augmented
autofill service only triggers a manual request, but this has caused
some regular autofill providers to always some suggestion due to
their special handling for the manual request. Thus the augmented
autofill service will not receive the request.
* With this cahnge, the request cancels the previous session to start a
new session, and also it triggers a regular request (non-manual) so
the autofill provider will not special handle the request.
Test: atest CtsAutoFillServiceTestCases
Bug: 154543563
Change-Id: I233125a6070394a102ad40b9a50b98a43d952b9f
* Before this change, the suggestionRoot would intercept all touch
events so that it can optionally forward them to the IME process
to support scrolling, no touch event will be sent to the child
view through the regular event dispatching process.
* With this change, we move the touch event transferring (to IME)
logic from SuggestionRoot's onTouchEvent to dispatchTouchEvent.
Now the touch events before a scroll is detected will be sent to
the child chip view, and only the touch events after a scroll is
detected will be sent to the IME.
* This patch also move the OnClickListener and OnLongClickListener
from the root view to the chip view, since the touch events now
either goes to the chip view or to the IME process.
* Note that in order to achieve this, given that we can't change
the API, and there is existing OnLongClickListener registered
to the chip view, we have to add a @hide API to the View to
get the existing OnLongClickListener and attach a new one to the
chip view, such that we can do the additional work of sending
the long click event to IME, when the view is long clicked.
* This patch should also fix the a11y talkback mode bug where
double-tapping on the view doesn't autofill the value.
Double-tap and hold also works that it triggers the attribution
dialog.
Test: atest CtsAutoFillServiceTestCases (sanity test)
Bug: 155245913
Bug: 154149807
Change-Id: I6f7be1ea5c0955969abb4ccae0cb421423095c4d
Previously, we generally required fully qualified names for referring
to inner class constructors (like #Notification.Builder()) despite that
not being valid javadoc. Now, we properly support #Builder() syntax and
the old syntax will error.
Bug: 6963924
Test: make doc-comment-check-docs
Exempt-From-Owner-Approval: cherry-picked from master
Change-Id: Ib2e4360493275b79c72487ee1cb173bb5e0fd35f
Merged-In: Ib2e4360493275b79c72487ee1cb173bb5e0fd35f
(cherry picked from commit 4c4aa41272)
Use POWER_MENU_LOCKED_SHOW_CONTENT to control lock screen behavior for
the Quick Access Wallet.
Do not provide Intents that will fail to start an Activity.
Update comments.
Bug:155232731
Bug:155186709
Test: manual
Test: atest CtsQuickAccessWalletTestCases
Change-Id: I78e5355a69d666aee6dd122389edabed170f07b2
