Commit Graph

33931 Commits

Author SHA1 Message Date
TreeHugger Robot
835ab4eb82 Merge "Adds caller check to getAllPackages()" into oc-mr1-dev 2021-03-03 18:05:52 +00:00
yawanng
cca5bf9282 Adds caller check to getAllPackages()
This change enforces that only system, root or shell may call
getAllPackages(), a hidden API that shares all package names regardless
of user, instant app or package visibility rules.

Bug: 174661955
Change-Id: I77460ae19a4d41151577646441f11e2eddbb741a
Merged-In: I77460ae19a4d41151577646441f11e2eddbb741a
(cherry picked from commit 8124efd57b)
2021-03-03 16:04:13 +00:00
TreeHugger Robot
119ebe193f Merge "Add pkg target to snoozing alarm" into oc-mr1-dev 2021-03-03 02:59:18 +00:00
Winson Chiu
ffe45e4497 Revert "Only allow BROWSABLE && DEFAULT Intents to be always opened"
Reason for revert: Punted to future release due to invalid fix

Bug: 175319005

Merged-In: I00b78d596ee05c5a4a228771bbf8082af2b0ab8a
Change-Id: I78284e0a0dd5c41345753cdd2ed9a518db1df930
2021-03-01 20:50:35 +00:00
Julia Reynolds
1433925beb Add pkg target to snoozing alarm
Test: SnoozeHelperTest
Bug: 174493336
Change-Id: I6aaf80a11dcae2eca41d4647411126ed41587027
(cherry picked from commit 6b5813b1f1)
Merged-In: I6aaf80a11dcae2eca41d4647411126ed41587027
2021-02-23 17:47:58 +00:00
Miranda Kephart
84fcb616be Merge "[DO NOT MERGE] Close screenshot process on user switched" into oc-mr1-dev 2021-02-03 14:23:55 +00:00
Miranda Kephart
8a2656d4b6 [DO NOT MERGE] Close screenshot process on user switched
Currently, we keep the process up even if the user switches,
meaning that in some cases (if the user is switched while the
screenshot UI is up) we will save images to the wrong profile.
This change makes ScreenshotHelper listen for user switches and
close the screenshot service, so that a new screenshot is
guaranteed to be constructed with the correct user's context.

Bug: 170474245
Fix: 170474245
Test: manual -- verified bad state occurs if user switches within
the timeout period, ensured that screenshots work immediately
after switching with this change.

Change-Id: I9d32d0928e6c2bda161d04555438d0dd7afef0ba
(cherry picked from commit 7ef1a5dd15)
2021-01-29 15:03:08 +00:00
TreeHugger Robot
f4a729180c Merge "Only allow BROWSABLE && DEFAULT Intents to be always opened" into oc-mr1-dev 2021-01-28 21:33:04 +00:00
Winson
2565d0b3a1 Only allow BROWSABLE && DEFAULT Intents to be always opened
Auto verification of app links requires that an intent filter declare
action=VIEW, scheme=HTTP(S), category=BROWSABLE. However,
PackageManagerService was not taking that into account, missing the
category requirement.

But the app info Settings UI did take category into account, so it was
possible for a user to set an application to automatically open web URIs
without understanding that this also granted domains that were not
visible in the app info UI.

To resolve both, this change makes it so that both auto
verification and the Settings state can only consider the app as
"always" open only if the Intent contains both BROWSABLE and DEFAULT.

Bug: 175139501
Bug: 175319005

Test: manual, see bug for reproduction steps

Merged-In: Ib957258735893bf2779bed19bd400c6726ee6478
Change-Id: Ib957258735893bf2779bed19bd400c6726ee6478
(cherry picked from commit 4266f938c6)
2021-01-12 16:48:38 +00:00
Robert Carr
9661bf7a40 DO NOT MERGE: WM: Only allow system to use NO_INPUT_CHANNEL.
NO_INPUT_CHANNEL is a hidden WM flag that allows creation of a window
without an input channel. Unfortunately in releases prior to Android R
this would allow creation of a Window which will not be known to the
InputDispatcher at all. This means that the logic generating
FLAG_OBSCURED will work and a window will be able to overlay another
window without the overlaid window being notified. In Android R and
later this isn't a problem as the InputDispatcher is informed of all
windows, input channel or not. For past Android releases, this patch
disables NO_INPUT_CHANNEL for use outside of the WM.

Bug: 152064592
Test: Existing tests pass
Change-Id: I7e1f45cba139eab92e7df88d1e052baba0ae2cc6
2020-12-14 18:32:56 +00:00
Varun Shah
79062d7903 RESTRICT AUTOMERGE
Ensure caller identity is restored in CP quick-path.

Bug: 172935267
Test: PoC in bug
Change-Id: I469bde7d0a0f89c94f1234cf40983395048962e2
2020-11-23 14:24:23 -08:00
Curtis Belmonte
1a673296ae Merge "DO NOT MERGE Check fingerprint client against top activity in auth callback" into oc-mr1-dev 2020-11-09 21:36:29 +00:00
Philip P. Moltmann
37beb3172b Merge changes from topic "12940341" into oc-dev am: a9a03ae669 am: b172aaf747
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12987876

Change-Id: I90e00bb137edc75878d99f849631db40cd7ffa17
2020-11-09 18:04:05 +00:00
Philip P. Moltmann
b2152f32f4 Ensure permissions are revoked on state changes am: 3dfb544626 am: ebfe073540
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12940341

Change-Id: I8abf9d6c3d9014bad2a24a2276b9747ac04ff970
2020-11-09 18:03:57 +00:00
Philip P. Moltmann
b172aaf747 Merge changes from topic "12940341" into oc-dev am: a9a03ae669
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12987876

Change-Id: I8c63d7910a37c7c994611ac7c6c19d1e1f6bdc94
2020-11-09 17:28:33 +00:00
Philip P. Moltmann
ebfe073540 Ensure permissions are revoked on state changes am: 3dfb544626
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12940341

Change-Id: Ib991fcf4d56b6bd0fd0e7e0c4d6ebce2f7601ee2
2020-11-09 17:28:24 +00:00
Philip P. Moltmann
3dfb544626 Ensure permissions are revoked on state changes
If a permission owner changes, or a permission level is upgraded, revoke
the permission from all packages

Test: Manual
Bug: 154505240
Merged-In: I0dec9eb7c2fecd3147e33e04d3f79f6dffcf7721
Change-Id: I2b3780ba3ae5147026d4c85b3526fe1807724be6
(manually backported from commit a28931a098)
2020-11-04 13:19:00 -08:00
Philip P. Moltmann
dd6911cd57 Revoke permission on non-runtime -> runtime upgrade
Not only on normal -> runtime.

Test: cts-tradefed run cts-dev -m CtsAppSecurityHostTestCases --test android.appsecurity.cts.PermissionsHostTest#testNoPermissionEscalationAfterReboot
Bug: 154505240, 168319670
Change-Id: If3b420067b4d7111dcf67ae6f98e42176158b679
Merged-In: If3b420067b4d7111dcf67ae6f98e42176158b679
2020-11-04 13:19:00 -08:00
TreeHugger Robot
83739b6db9 Merge "Fix storing the wrong value of mLockdown in setting" into oc-mr1-dev 2020-10-08 03:40:59 +00:00
Curtis Belmonte
7786f4908f DO NOT MERGE Check fingerprint client against top activity in auth callback
Due to a race condition with activity task stack broadcasts, it's
currently possible for fingerprint authentication to succeed for a
non-top activity. This means, for example, that a malicious overlay
could be drawn in order to mislead the user about what they are
authenticating for.

This commit addresses the issue by adding a check to the fingerprint
authentication client interface that ensures the authenticating
activity is on top at the time of authentication. Otherwise, the
pending authentication will fail, as if an incorrect biometric
had been presented.

Test: Follow steps from b/159249069:
1. Install com.pro100svitlo.fingerprintauthdemo from the Play store.
2. Install the PoC attack app from b/159249069.
3. Start the PoC attack app and press the "Launch PoC attack" button.
4. Use fingerprint to authenticate while the overlay is showing.

Before: Authentication succeeds, and a new activity is launched.
After: Authentication fails, and no new activity is launched.

Bug: 159249069
Change-Id: I0707c3f55eaf2a69c6625a3ceb3b5626b3676b26
Merged-In: If5cdf8ffaf3aa7d8a1ac81272e3bfb2cc7cdddf1
Merged-In: Iee6af379515385777984da55048c1efd9339ed88
Merged-In: I9b242a9fee0acbfb430875061e2d809c00fe4b97
Merged-In: I1241a12eafa0bdbac59a8ddd4cf6a0637d467b19
Merged-In: Ie5a0f8c3e9b92d348a78678a6ed192d440c45ffc
Merged-In: I289d67e5c7055ed60f7a96725c523d07cd047b23
2020-10-06 16:05:20 -07:00
wilsonshih
f75396d3c6 Make WallpaperMS bind wallpaper component PendingIntent immutable. am: b392903052
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12718696

Change-Id: I657d45a8a9358ae644cb074804242184f306292a
2020-10-06 16:55:56 +00:00
lucaslin
9226fc3723 Fix storing the wrong value of mLockdown in setting
When user is stopped, the Vpn#onUserStopped() will be called and
the value of mLockdown will be set to false then store into
setting.
This is a wrong behavior because user doesn't change it, so for
this kind of case, there is no need to store the value of
mLockdown in setting.
In fact, there is no need to call Vpn#saveAlwaysOnPackage() when
user is stopped because there is nothing changed.

Bug: 168500792
Test: atest FrameworksNetTests
Change-Id: Ie85a347216614b7873bfdf199165d89527ada3a8
2020-10-05 12:03:28 +00:00
wilsonshih
178da54fc9 Make WallpaperMS bind wallpaper component PendingIntent immutable.
Require that the PendingIntent be immutable so that a malicious app is
not able to hijack and mutate any of the details.

Fixes: 154915372
Test: build & flash, change wallpaper manually.
Change-Id: I59b48811b26736bf0575769107dd940ca33ccf8d
(cherry picked from commit d4bd69cef0)
2020-09-28 17:10:04 +00:00
wilsonshih
b392903052 Make WallpaperMS bind wallpaper component PendingIntent immutable.
Require that the PendingIntent be immutable so that a malicious app is
not able to hijack and mutate any of the details.

Fixes: 154915372
Test: build & flash, change wallpaper manually.
Change-Id: I59b48811b26736bf0575769107dd940ca33ccf8d
(cherry picked from commit d4bd69cef0)
2020-09-28 16:56:57 +00:00
Hai Zhang
043a322e4d DO NOT MERGE Don't allow non-instant permissions for instant apps. am: a710a30457 am: ea36a0c236
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12366889

Change-Id: Id791215e99e121b996892c5c06d9a54a5b7f691d
2020-08-29 01:21:46 +00:00
Hai Zhang
ea36a0c236 DO NOT MERGE Don't allow non-instant permissions for instant apps. am: a710a30457
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12366889

Change-Id: Iab47aca559ae8c13a26507827aadfc0c8b239d74
2020-08-29 01:09:22 +00:00
Hai Zhang
a710a30457 DO NOT MERGE Don't allow non-instant permissions for instant apps.
Bug: 140256621
Test: atest EphemeralTest
Change-Id: Id07342c0347c0b4d2ccb3f58a4af9fda7a20d6ef
2020-08-17 07:40:45 +00:00
Patrick Baumann
929ab61a14 RESTRICT AUTOMERGE
Do not set referrerUri on SessionInfo for non-owners

This change leaves the referrerUri field null when the caller leading to
its production is not the owner of the session.

Bug: 142125338
Test: Manual via test app in related bug
Change-Id: I84679ea0636aa2097e25e23813c48134c9cc1d75
2020-07-31 16:55:24 +00:00
TreeHugger Robot
ef301aba3e Merge "Add missing isShellUser check" into oc-dev am: adc8f21ad1
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/12099340

Change-Id: Ie74d2561c45785dddc65efc46902a368c8a35736
2020-07-31 05:32:49 +00:00
John Reck
5e2931c656 Add missing isShellUser check
Bug: 160390416
Test: verified command still works from shell
Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 0354261197)
Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
2020-07-18 00:32:45 +00:00
John Reck
3a5cd5bbe3 Add missing isShellUser check
Bug: 160390416
Test: verified command still works from shell
Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 0354261197)
Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
2020-07-18 00:32:37 +00:00
Christopher Tate
c41fdb42a4 DO NOT MERGE - Only autoVerify at install for new hosts am: 90b716a442
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11689886

Change-Id: I8ff3f48cfd11d3e1a5510a5a93e3f820a84a33b8
2020-06-26 16:36:25 +00:00
Chris Tate
1747090bf8 Merge "DO NOT MERGE - Only autoVerify at install for new hosts" into oc-dev 2020-06-26 16:24:08 +00:00
Chris Tate
178b57c5c5 Merge "Only autoVerify at install for new hosts" into oc-mr1-dev 2020-06-25 23:41:35 +00:00
Chris Tate
239ab1c9d6 Merge "More fixes towards the race conditions in AMS" into oc-mr1-dev 2020-06-03 22:09:12 +00:00
Winson
0ce3ba0c26 DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package am: fc8bfed553
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11384837

Change-Id: I42a87fe06a2634d5fd40119ef46d71a99e147f50
2020-06-03 18:49:15 +00:00
Winson Chiu
a567c14f22 Merge "DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package" into oc-mr1-dev 2020-06-03 18:34:31 +00:00
Winson Chiu
c842acc15a Merge "DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package" into oc-dev 2020-06-03 18:34:30 +00:00
Christopher Tate
90b716a442 DO NOT MERGE - Only autoVerify at install for new hosts
Re-run app link verification at update time only when the set of hosts
has expanded.  Intentionally revoke verify history when an app stops
using autoVerify, as a one-time measure to place it back into the
non-autoverify model for tracking the user's launch preferences.  If the
app starts using autoVerify again later, it behaves identically to an
app that has never done so before.

Bug: 151475497
Bug: 146204120
Test: described on master CL

Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
Merged-In: Ibaf087946966ad82d60c7b255e3ee75990716b63
Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63
2020-06-03 17:48:30 +00:00
Linus Tufvesson
c2a8913cf0 RESTRICT AUTOMERGE am: 78fe3b0aa2
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11375232

Change-Id: I38516ab9216169c555e702947a5448c142648c90
2020-06-03 11:35:02 +00:00
TreeHugger Robot
2688770c06 Merge "RESTRICT AUTOMERGE" into oc-dev 2020-06-03 11:15:08 +00:00
TreeHugger Robot
b539388631 Merge "RESTRICT AUTOMERGE" into oc-mr1-dev 2020-06-03 11:09:39 +00:00
Christopher Tate
153de338c1 Only autoVerify at install for new hosts
Re-run app link verification at update time only when the set of hosts
has expanded.  Intentionally revoke verify history when an app stops
using autoVerify, as a one-time measure to place it back into the
non-autoverify model for tracking the user's launch preferences.  If the
app starts using autoVerify again later, it behaves identically to an
app that has never done so before.

Bug: 151475497
Bug: 146204120
Test: described on master CL

Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63
2020-06-02 04:12:00 +00:00
Jing Ji
9450069de9 More fixes towards the race conditions in AMS
Bug: 142986887
Bug: 140108616
Test: Manual
Change-Id: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
Merged-In: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
(cherry picked from commit b2e84f0406)
2020-05-26 22:04:59 +00:00
Winson
40ca8b51fa DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package
Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.

Bug: 150857253

Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest

Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
2020-05-21 17:17:53 +00:00
Winson
fc8bfed553 DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package
Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.

Bug: 150857253

Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest

Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
2020-05-21 17:15:11 +00:00
lumark
748bcb047c [RESTRICT AUTOMERGE] Restrict app transition maximum duration am: 36bcc77337 am: dcc38988ee
Change-Id: Ied1793dbc8d7b58170e22729aa351c582c894ffa
2020-05-05 21:32:53 +00:00
lumark
dcc38988ee [RESTRICT AUTOMERGE] Restrict app transition maximum duration am: 36bcc77337
Change-Id: Ia049c055935fdc0ceb0369cf131e7d166e5522f6
2020-05-05 21:04:59 +00:00
Bryan Ferris
6255311d39 Merge "[RESTRICT AUTOMERGE] Restrict app transition maximum duration" into oc-dev 2020-05-05 20:49:41 +00:00
Linus Tufvesson
2bf126d042 RESTRICT AUTOMERGE
This change is the union of
I2aaab1903dee54190338f7b6e49888aa51437108 and I58834636e092f992e403342e36b475dc60e8f20a

Original CL descriptions:

*** I2aaab1903dee54190338f7b6e49888aa51437108
Block TYPE_PRESENTATION windows on default display

... and any other display that isn't considered a public presentation
display, as per Display.isPublicPresentation()

*** I58834636e092f992e403342e36b475dc60e8f20a
Use TYPE_PRIVATE_PRESENTATION for private presentations
Detect if the Presentation is targeting a private virtual display, and if they
are, use the windowType TYPE_PRIVATE_PRESENTATION.
***

Bug: 141745510
Test: cts-tradefed run cts -m CtsDisplayTestCases -t android.display.cts.VirtualDisplayTest
Test: Manually verified that presentations are blocked on main display
Change-Id: I67c79c84ec2adfcdaf3b0f7bc7f0f41d30618e85
2020-05-05 18:55:09 +01:00