Commit Graph

419597 Commits

Author SHA1 Message Date
TreeHugger Robot
9bc1facf00 Merge "[qt] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning." into qt-dev 2022-04-06 20:17:35 +00:00
Jonathan Scott
c5037ec63c [qt] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning.
Test: atest android.devicepolicy.cts.DevicePolicyManagerTest
Bug: 210469972
Change-Id: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
2022-04-06 09:23:04 +00:00
JW Wang
f562aadd77 Fix NPE
NPE happens when there is an orphaned session which we've
tried to prevent in all cases.

Log an error message if this situation happens.

Bug: 227342978
Test: atest CtsRootPackageInstallerHostTestCases
Change-Id: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
(cherry picked from commit 07e31dfb1e)
Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
2022-04-05 19:50:59 +00:00
TreeHugger Robot
6923c0d102 Merge "RESTRICT AUTOMERGE Prevent non-admin users from deleting system apps." into qt-dev 2022-03-30 18:33:40 +00:00
Oli Lan
a7621e0ce0 RESTRICT AUTOMERGE Prevent non-admin users from deleting system apps.
This addresses a security issue where the guest user can remove updates
for system apps.

With this CL, attempts to uninstall/downgrade system apps will fail if
attempted by a non-admin user.

This is a backport of ag/17352264.

Bug: 170646036
Test: manual, try uninstalling system app update as guest
Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
2022-03-30 14:02:19 +00:00
Ayush Sharma
658c53c47c Fix security hole in GateKeeperResponse
GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.

We fixed related issues previously for the GateKeeperResponse class, but
one case was remaining: when the payload is a byte array of size 0.
Fixing this case now.

Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586

(cherry picked from commit 46653a91c3)

Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
2022-03-23 06:39:47 +00:00
TreeHugger Robot
81f051eff4 Merge "DO NOT MERGE Add an OEM configurable limit for zen rules" into qt-dev 2022-03-22 20:12:47 +00:00
Julia Reynolds
3072d98c2d DO NOT MERGE Add an OEM configurable limit for zen rules
Test: ZenModeHelperTest
Bug: 220735360
Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
2022-03-22 14:36:52 +00:00
David Christie
3e1ffdb294 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
Test: manual
Bug: 216631962

Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
2022-03-14 19:55:11 +00:00
TreeHugger Robot
1adea76f46 Merge "Always restart apps if base.apk gets updated." into qt-dev 2022-03-09 06:09:58 +00:00
TreeHugger Robot
3d226b76c1 Merge "Verify caller before auto granting slice permission" into qt-dev 2022-03-09 05:41:31 +00:00
Alex Buynytskyy
a5dd59db6d Always restart apps if base.apk gets updated.
Bug: 219044664
Fixes: 219044664
Test: atest PackageManagerShellCommandTest
Change-Id: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
2022-03-09 00:48:11 +00:00
TreeHugger Robot
88bdf80af8 Merge "[RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task" into qt-dev 2022-03-07 05:40:46 +00:00
Pinyao Ting
3c92d74d7d Verify caller before auto granting slice permission
Currently SliceManagerService#checkSlicePermission does not verify the
caller's identity. This leads to a security vulnerability because
checkSlicePermission does more than checking the permission as opposed
to simply return a boolean value -- it additionally grants slice access
under a certain condition. A malicious app can spoof the calling package
to acquire slice access.

This CL verifies the caller before granting slice access.

Bug: 208232850, 179699767
Test: manual
Change-Id: I2539c9ff5ea977c91bb58185c95280b4d533a520
Merged-In: I2539c9ff5ea977c91bb58185c95280b4d533a520
(cherry picked from commit 5bd2196c53)
2022-03-05 05:02:49 +00:00
Julia Reynolds
4d7ca1dbce Filter notification APIs by user
Specifically getActiveNotifications and
getHistoricalNotifications

Test: atest NotificationManagerServiceTest
Bug: 214999128
Change-Id: I2eba0a592fa33ed25e1ac3919f1b2631e5db4258
Merged-In: I2eba0a592fa33ed25e1ac3919f1b2631e5db4258
2022-02-16 16:46:32 +00:00
TreeHugger Robot
6a4864ee21 [automerger skipped] Merge "[DO NOT MERGE] Keyguard - Treat messages to lock with priority" into pi-dev am: 5e2939bd21 -s ours
am skip reason: subject contains skip directive

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/16371299

Change-Id: I44b5939f05d3d4bb3f7d78e79e32403de64e47f1
2022-02-11 22:12:20 +00:00
TreeHugger Robot
5e2939bd21 Merge "[DO NOT MERGE] Keyguard - Treat messages to lock with priority" into pi-dev 2022-02-11 21:55:06 +00:00
Matt Pietal
563fdf4259 [DO NOT MERGE] Keyguard - Treat messages to lock with priority
When switching users and attempting to lock the device, the sysui main
thread becomes overwhelmed with events, creating a significant lag
between the time a message is posted and processed on the main
thread. This can be dangerous when these events are critical for
security, such as calls coming from PhoneWindowManager#lockNow() that
call KeyguardViewMediator#doKeyguardTimeout(). On older devices with
slower CPUs and less memory, the delay in processing can be
significant (15 - 30s).

The result of not prioritizing these events leads to a window of time
where a guest user can switch back to the owner, and gain access to
the owner's homescreen without needing to unlock the device with the
owner's credentials.

As a mitigation, prioritize two events originating in two specific
methods to make sure the device locks as soon as possible as well as
have the system server preemptively update its local cache.

Bug: 151095871
Test: Very manual race condition - follow steps listed in bug
Change-Id: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
(cherry picked from commit 28c53ab8bc)
2022-02-11 17:04:02 +00:00
Jeff Chang
f2d4787451 [RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task
The top-focusable activity resides in the RESUMED state while the app
process is newly created and attached. The behavior may enable UI
hijacking attacks against apps implementing authentication.

This CL disallows the system to resume the activity for the case if it
is not visible or is occluded by other translucent tasks.

Bug: 211481342
Test: atest CtsWindowManagerDeviceTestCases:ActivityLifecycleTests
Change-Id: I7903494cf928b5b5613700262b7c5fff10f3c5a0
2022-02-08 18:04:03 +08:00
Jeff Chang
53ee9c2472 [RESTRICT AUTOMERGE] Add hide-non-system-overlay flag for HarmfulAppWarningActivity
A malicious application could overlay the activity. The overlay is
able to be tapped through, which can trick the user into starting a
harmful activity.

The CL added the flag SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS for
the activity to prevent the tapjacking/overlay attack.

Bug: 205595291
Test: atest CtsHarmfulAppWarningHostTestCases
Change-Id: Ia1a1ae0dc451e04bf5c31e3cb8cf30a0d8e32991
(cherry picked from commit a04b3666b8)
2022-01-28 04:33:49 +00:00
Julia Reynolds
f1dc5b1ee1 Merge "DO NOT MERGE Prevent apps from creating blocked channel groups" into qt-dev 2022-01-21 02:33:54 +00:00
Julia Reynolds
b993531c0d DO NOT MERGE Prevent apps from creating blocked channel groups
setBlocked is a hidden API, so apps should not be calling
the method, but fix up the data in case they do

Test: PreferencesHelperTest; manual with ApiDemos FGS
Bug: 209966086
Change-Id: Icc709a6b0d0a8c5f2d9243959992f1b6764354db
Merged-In: I8a27853c7ed05d9dfd38a3142fbbe185946c3992
2022-01-20 16:42:59 +00:00
TreeHugger Robot
13ad919ff5 Merge "Revert "DO NOT MERGE: Decode the input of both setStream and setResource calls first"" into qt-dev 2022-01-19 21:27:05 +00:00
Wu Ahan
b6509bdc18 Revert "DO NOT MERGE: Decode the input of both setStream and setResource calls first"
This reverts commit 4d91b5aa0b.

Reason for revert: will deliver a better fix for that, ag/16580245.

Change-Id: I8691f47251157aae83d326eb808dd1c06b13a420
2022-01-13 14:41:40 +00:00
Jeff DeCew
a9828ff519 Merge "Prevent a crash when constructing NSSL." into qt-dev 2022-01-12 14:58:53 +00:00
TreeHugger Robot
768bf858bb Merge "[RESTRICT AUTOMERGE]Only allow system and same app to apply relinquishTaskIdentity" into qt-dev 2022-01-12 10:25:27 +00:00
Songchun Fan
30348d5cdc Merge "Persist destroyed staged sessions until they are cleaned up" into qt-dev 2022-01-11 23:31:01 +00:00
Songchun Fan
5bf4a3f29e Merge "Don't abandon child sessions (1/n)" into qt-dev 2022-01-11 23:31:01 +00:00
Mohammad Samiul Islam
6151941007 Persist destroyed staged sessions until they are cleaned up
Currently, when we abandon a staged session we mark it as destroyed and
then immediately clean it up. Cleaning up a staged session immediately
causes a race condition with pre-reboot verification.

In order to avoid the race condition, we want to delay cleanup of the
staged session until it is safe to do so. This means the system will
be carrying around destroyed staged sessions internally.

Since there is now a gap between when a session is destroyed and when it
is cleaned up, the user can reboot in this window. As such, we need to
persist the mDestroyed field of the session so that we know the session is
destroyed after reboot and act accordingly.

Also, once a session is destroyed, theoretically it doesn't exist.
Carrying it around internally is an implementation detail which
shouldn't be exposed externally. As such, we filter out destroyed
sessions before surfacing them to users.

Bug: 145925842
Bug: 67862680
Test: atest PackageInstallerSessionTest
Test: atest StagedInstallTest
Change-Id: I4ede6b7a4b5d861e5c73f13884c7aa86cf7633a2
Merged-In: I4ede6b7a4b5d861e5c73f13884c7aa86cf7633a2
(cherry picked from commit 731bd965fb)
2022-01-11 22:54:46 +00:00
Jeff DeCew
4ac20f1255 Prevent a crash when constructing NSSL.
The dependent change was validated on qt-dev and rvc-dev, but not explicitly on qt-qpr1-dev.
 - In qt-dev, we didn't have this check that the footer view was initialized, but hasActiveClearableNotifications did not call into the mDynamicPrivacyController (it didn't exist), so there was no initialization-time NPE.
 - In rvc-dev this footer view check existed, so updateFooter never did any work until setFooterView was called, which is strictly after mDynamicPrivacyController is initialized, so there was no crash.
 - In qt-qpr1-dev, mDynamicPrivacyController was added and is checked within updateFooter, but updateFooter didn't have the view check to short circuit before doing that on initialization.

Bug: 193149550
Fixes: 206344625
Test: manually run qt-qpr1-dev with and without fix
Depends-On: I49e2b8bcec7b2ce0a9776ff30a64c07f24949da7
Change-Id: If6e99b5fbe3d2a9d9274223c35d23c30f5524229
2022-01-11 15:27:05 +00:00
Julia Reynolds
331b617949 Check group channels for FGSes
Before allowing the group to be deleted, by updating
the current check to the method that populates the channel
list

Test: NotificationManagerServiceTest
Bug: 209965481
Change-Id: I9db781c300e96e9c80bd5d21585b8be9b4db08c8
Merged-In: I9db781c300e96e9c80bd5d21585b8be9b4db08c8
2022-01-10 21:45:07 +00:00
JW Wang
a4ef9e0e00 Don't abandon child sessions (1/n)
It will throw if abandon() is called on a child session.

Bug: 211944991
Bug: 67862680
Test: to be added
Change-Id: Ib0ba9f3786dda2d3174f3ea8c65d1061a3fcb586
Merged-In: Ib0ba9f3786dda2d3174f3ea8c65d1061a3fcb586
(cherry picked from commit 8b67e7db79)
2022-01-10 20:38:54 +00:00
Jeff Chang
cd1f9e72cf [RESTRICT AUTOMERGE]Only allow system and same app to apply relinquishTaskIdentity
Any malicious application could hijack tasks by
android:relinquishTaskIdentity. This vulnerability can be used to perform UI
spoofing or spy on the user's activities.

This CL limits the usage so that only the system and the same app can apply
relinquishTaskIdentity.

Bug: 185810717
Test: atest IntentTests
      atest ActivityStarterTests
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
2022-01-06 17:46:33 +08:00
Wu Ahan
5e154e8d5b [automerger skipped] DO NOT MERGE: Decode the input of both setStream and setResource calls first am: c2188d60ee -s ours
am skip reason: subject contains skip directive

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/16375907

Change-Id: I1c6e013a08bd36dd068fbea081c8d2c675b1499b
2021-12-09 01:44:37 +00:00
Wu Ahan
c2188d60ee DO NOT MERGE: Decode the input of both setStream and setResource calls first
The size of the input of both setStream and setResource may be very big,
so that the system server got OOM while handling it, so we try to decode it
first before copying it to the wallpaper path; if the decoding fails, we
treat the input as an invalid input.

Bug: 204087139
Test: Manually set wallpaper, no PDoS observed.
Change-Id: I014cf461954992782b3dfa0dde67c98a572cc770
2021-12-06 03:17:59 +00:00
Wu Ahan
4d91b5aa0b DO NOT MERGE: Decode the input of both setStream and setResource calls first
The size of the input of both setStream and setResource may be very big,
so that the system server got OOM while handling it, so we try to decode it
first before copying it to the wallpaper path; if the decoding fails, we
treat the input as an invalid input.

Bug: 204087139
Test: Manually set wallpaper, no PDoS observed.
Change-Id: I014cf461954992782b3dfa0dde67c98a572cc770
2021-12-06 03:16:20 +00:00
Dave Mankoff
d7097b817b RESTRICT AUTOMERGE Remove line of code that was mistakenly left in.
This line was removed in O, S, & P, but somehow survived in the Q and R branches.

Bug: 193444889
Merged-In: I56589865427b10e2eab68e1ed2e7c290572a9edc
Change-Id: I56589865427b10e2eab68e1ed2e7c290572a9edc
2021-11-17 19:21:07 +00:00
Dmitry Dementyev
8e8fbc8927 Merge "Force-set a ClipData to prevent later migration." into pi-dev am: d5c2fb380a
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/16094504

Change-Id: I0d01e8325beae6a69b88a38887863b222be01b95
2021-11-09 14:52:24 +00:00
Dmitry Dementyev
d5c2fb380a Merge "Force-set a ClipData to prevent later migration." into pi-dev 2021-11-09 14:24:20 +00:00
TreeHugger Robot
7efe303e96 Merge "Allow forcing status bar state changes and do so when the screen turns off." into qt-dev 2021-11-04 02:51:52 +00:00
TreeHugger Robot
1023ace074 Merge "Revert "Revert "[pm] remove old stage dirs on low storage""" into qt-dev 2021-11-04 01:09:30 +00:00
Songchun Fan
40ef8ac08d [automerger skipped] Revert "Revert "[pm] remove old stage dirs on low storage"" am: bd25f70623 -s ours
am skip reason: skipped by user schfan

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/16058207

Change-Id: I284ba2ba12f8533a890e757189edb36399582c1d
2021-11-04 00:03:00 +00:00
Jeff Sharkey
3cf2b04986 Force-set a ClipData to prevent later migration.
migrateExtraStreamToClipData() will only offer to promote Uri values
if a ClipData isn't already defined, so we ensure that a ClipData
value is always defined.  This blocks later promotion and granting.

Bug: 200683077
Bug: 123700107
Test: manual
Change-Id: I99c1411e8b4eb01eb27ac4306e3bf6cc88cb4273
(cherry picked from commit 6ebf410b81)
2021-11-03 19:53:42 +00:00
Jeff DeCew
921d955822 Allow forcing status bar state changes and do so when the screen turns off.
This adds a force flag, which we will use when turning the screen off to make sure that all UI components are reset to the SHADE state regardless.

Bug: 189575031
Test: make a call; lock screen; pull down shade
Merged-In: I79baeb71ac5d1ed45602ac55cdca996b3bed0ac3
Change-Id: I79baeb71ac5d1ed45602ac55cdca996b3bed0ac3
2021-10-21 19:48:19 +00:00
Songchun Fan
bd25f70623 Revert "Revert "[pm] remove old stage dirs on low storage""
This reverts commit b45ebca772.

Reason for revert: adding the fix for system to abandon sessions

BUG: 67862680
Test: manual
Change-Id: I2b735e4860dce6eb6d5d8ddc158e8b3165910dc7
Merged-In: I91170ba399b3a596320b3bd9c8188912e5c4f1be
2021-10-14 10:40:29 -07:00
Songchun Fan
3e28df68fa Revert "Revert "[pm] remove old stage dirs on low storage""
This reverts commit b45ebca772.

Reason for revert: adding the fix for system to abandon sessions

BUG: 67862680
Test: manual
Change-Id: Ia798eb776eb1d05347514a238a6dd75e7c89e872
Merged-In: I91170ba399b3a596320b3bd9c8188912e5c4f1be
2021-10-14 09:26:28 -07:00
TreeHugger Robot
f3661fc780 Merge "Disallow overlays for ResolverActivity" into qt-dev 2021-10-06 21:36:18 +00:00
Jeff DeCew
3bc24e3826 Merge "Do not show the notification footer until the user is set up." into qt-dev 2021-10-05 17:21:10 +00:00
Collin Fijalkovich
9bd0b2f9d0 Disallow overlays for ResolverActivity
Prevents non-system apps from placing a window over the app selection
screen.

Bug: 143559931
Test: Installed test app and attempted to overlay
Change-Id: Ied05088a5007e0f10cd3e1abd8d7da8ffeb3b674
Merged-In: Ied05088a5007e0f10cd3e1abd8d7da8ffeb3b674
(cherry picked from commit 34534e1fd2)
2021-10-01 19:20:03 +00:00
Quang Luong
afee5a7219 Merge "Fix NPE on getTitle()" into qt-dev 2021-09-30 15:13:05 +00:00