Commit Graph

9 Commits

Author SHA1 Message Date
Pranav Madapurmath
48223d6034 Resolve StatusHints image exploit across user.
Because of the INTERACT_ACROSS_USERS permission, an app that implements
a ConnectionService can upload an image icon belonging to another user
by setting it in the StatusHints. Validating the construction of the
StatusHints on the calling user would prevent a malicious app from
registering a connection service with the embedded image icon from a
different user.

From additional feedback, this CL also addresses potential
vulnerabilities in an app being able to directly invoke the binder for a
means to manipulate the contents of the bundle that are passed with it.
The targeted points of entry are in ConnectionServiceWrapper for the
following APIs: handleCreateConnectionComplete, setStatusHints,
addConferenceCall, and addExistingConnection.

Fixes: 280797684
Test: Manual (verified that original exploit is no longer an issue).
Test: Unit test for validating image in StatusHints constructor.
Test: Unit tests to address vulnerabilities via the binder.
Change-Id: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2
Merged-In: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2
2023-05-26 17:40:28 +00:00
Jeff Sharkey
9e8f83db6d All Parcelable CREATOR fields are @NonNull.
If they were null, then the Parcelable would fail to work.

Bug: 126726802
Test: manual
Change-Id: I7929ffa2f20e5de1c8e68e8263cca99496e9d014
Exempt-From-Owner-Approval: Trivial API annotations
2019-02-28 23:29:04 -07:00
Sailesh Nepal
d9be9cfe5e Fix in-call UI crash on Nova devices (framework/base)
If a status hint icon wasn't set we'd crash.
Fix was to set StatusHints.mIcon to null if the icon resource ID
was 0.

BUG: 21168985
Change-Id: I33c06169f9e184b063e6fd10f77408bc262ea3c8
2015-05-14 18:28:10 -07:00
Ihab Awad
a7684ed638 Refactor StatusHints (1/3)
Refactor StatusHints to use the new Icon class.

Bug: 21040387
Change-Id: I3e7aae38127294b46859efb6a2aec71cf90e0e2a
2015-05-13 16:16:11 -07:00
Jay Shrauner
55b97525f0 Make Telecom/InCallUI APIs public
Bug:20260870
Change-Id: Ie3a2db0685664f2f1ceea8f40b1249d01e9385b8
2015-04-15 12:03:48 -07:00
Evan Charlton
0e094d926c Apply @hide / @SystemApi to android.telecom.*
Move the android.telecom.* namespace back to @hide, and also mark it
with @SystemApi so that system-privileged apps can use them.

Bug: 18302450
Change-Id: I33ae1b9b0dfdb1c5eff51ca3c829196bcfc9411c
2014-11-10 11:52:31 -08:00
Evan Charlton
8635c578f0 Revert "@hide ConnectionService APIs."
This reverts commit 86935c406e4a8bb0e2ad871b51009f3603df9e87.
2014-09-24 14:06:12 -07:00
Tyler Gunn
711d876fd1 @hide ConnectionService APIs.
Bug: 17569532
Change-Id: I68f7237191bd6d7a1a00ba7bb4fd2f8e3d669e8f
2014-09-23 10:00:38 -07:00
Tyler Gunn
ef9f6f957d Renaming Telecomm to Telecom.
- Changing package from android.telecomm to android.telecom
- Changing package from com.android.telecomm to
com.android.server.telecomm.
- Renaming TelecommManager to TelecomManager.

Bug: 17364651
Change-Id: I192cb5d189f55db012ea72ee82ccc5aedbc21638
2014-09-12 22:16:17 -07:00