Currently SliceManagerService#checkSlicePermission does not verify the
caller's identity. This leads to a security vulnerability because
checkSlicePermission does more than checking the permission as opposed
to simply return a boolean value -- it additionally grants slice access
under a certain condition. A malicious app can spoof the calling package
to acquire slice access.
This CL verifies the caller before granting slice access.
Bug: 208232850, 179699767
Test: manual
Change-Id: I2539c9ff5ea977c91bb58185c95280b4d533a520
Merged-In: I2539c9ff5ea977c91bb58185c95280b4d533a520
(cherry picked from commit 5bd2196c53)
The top-focusable activity resides in the RESUMED state while the app
process is newly created and attached. The behavior may enable UI
hijacking attacks against apps implementing authentication.
This CL disallows the system to resume the activity for the case if it
is not visible or is occluded by other translucent tasks.
Bug: 211481342
Test: atest CtsWindowManagerDeviceTestCases:ActivityLifecycleTests
Change-Id: I7903494cf928b5b5613700262b7c5fff10f3c5a0
setBlocked is a hidden API, so apps should not be calling
the method, but fix up the data in case they do
Test: PreferencesHelperTest; manual with ApiDemos FGS
Bug: 209966086
Change-Id: Icc709a6b0d0a8c5f2d9243959992f1b6764354db
Merged-In: I8a27853c7ed05d9dfd38a3142fbbe185946c3992
setBlocked is a hidden API, so apps should not be calling
the method, but fix up the data in case they do
Test: PreferencesHelperTest; manual with ApiDemos FGS
Bug: 209966086
Change-Id: Icc709a6b0d0a8c5f2d9243959992f1b6764354db
Merged-In: I8a27853c7ed05d9dfd38a3142fbbe185946c3992
Before allowing the group to be deleted, by updating
the current check to the method that populates the channel
list
Test: NotificationManagerServiceTest
Bug: 209965481
Change-Id: I9db781c300e96e9c80bd5d21585b8be9b4db08c8
Merged-In: I9db781c300e96e9c80bd5d21585b8be9b4db08c8
(cherry picked from commit 331b617949)
Currently, when we abandon a staged session we mark it as destroyed and
then immediately clean it up. Cleaning up a staged session immediately
causes racing condition with pre-reboot verification.
In order to avoid the racing condition, we want to delay cleanup of
staged session until it is safe to do so. This means, the system will
be carrying around destroyed staged sessions internally.
Since there is now a gap between when a session is destroyed and when it
is cleaned up, the user can reboot in this window. As such, we need to
persist the mDestroyed field of session so that we know session is
destroyed after reboot and act accordingly.
Also, once a session is destroyed, theoretically it doesn't exist.
Carrying it around internally is an implementation details which
shouldn't be exposed externally. As such, we filter out destroyed
sessions before surfacing them to users.
Bug: 145925842
Bug: 67862680
Test: atest PackageInstallerSessionTest
Test: atest StagedInstallTest
Change-Id: I4ede6b7a4b5d861e5c73f13884c7aa86cf7633a2
Merged-In: I4ede6b7a4b5d861e5c73f13884c7aa86cf7633a2
(cherry picked from commit 731bd965fb)
Before allowing the group to be deleted, by updating
the current check to the method that populates the channel
list
Test: NotificationManagerServiceTest
Bug: 209965481
Change-Id: I9db781c300e96e9c80bd5d21585b8be9b4db08c8
Merged-In: I9db781c300e96e9c80bd5d21585b8be9b4db08c8
It will throw if abandon() is called on a child session.
Bug: 211944991
Bug: 67862680
Test: to be added
Change-Id: Ib0ba9f3786dda2d3174f3ea8c65d1061a3fcb586
Merged-In: Ib0ba9f3786dda2d3174f3ea8c65d1061a3fcb586
(cherry picked from commit 8b67e7db79)
Any malicious application could hijack tasks by
android:relinquishTaskIdentity. This vulnerability can perform UI
spoofing or spy on user’s activities.
This CL limit the usage which only allow system and same app to apply
relinquishTaskIdentity
Bug: 185810717
Test: atest IntentTests
atest ActivityStarterTests
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
migrateExtraStreamToClipData() will only offer to promote Uri values
if a ClipData isn't already defined, so we ensure that a ClipData
value is always defined. This blocks later promotion and granting.
Bug: 200683077
Bug: 123700107
Test: manual
Change-Id: I99c1411e8b4eb01eb27ac4306e3bf6cc88cb4273
(cherry picked from commit 6ebf410b81)
This reverts commit b45ebca772.
Reason for revert: adding the fix for system to abandon sessions
BUG: 67862680
Test: manual
Change-Id: I2b735e4860dce6eb6d5d8ddc158e8b3165910dc7
Merged-In: I91170ba399b3a596320b3bd9c8188912e5c4f1be
This reverts commit b45ebca772.
Reason for revert: adding the fix for system to abandon sessions
BUG: 67862680
Test: manual
Change-Id: Ia798eb776eb1d05347514a238a6dd75e7c89e872
Merged-In: I91170ba399b3a596320b3bd9c8188912e5c4f1be
See comment here for the discussion on solution
https://b.corp.google.com/issues/169762606#comment14
Change-Id: If212df3a3b7be1de0fb26b8e88b2fcbb8077c253
Bug: 169762606
(cherry picked from commit 11053c17b3)
Change-Id: I424e098dd70ae31bbbc7cb2f3eccd1ccc287064b
Merged-In: If212df3a3b7be1de0fb26b8e88b2fcbb8077c253
See comment here for the discussion on solution
https://b.corp.google.com/issues/169762606#comment14
Change-Id: If212df3a3b7be1de0fb26b8e88b2fcbb8077c253
Bug: 169762606
(cherry picked from commit 11053c17b3)
Change-Id: I6494366a5695daedc3f4f0046da9e130a5363f5f
Merged-In: If212df3a3b7be1de0fb26b8e88b2fcbb8077c253
In case the broadcast intents "com.android.server.net.action.SNOOZE_WARNING"
or "com.android.server.net.action.SNOOZE_RAPID" are dispatched to apps,
then add a SafetyNet log.
Bug: 177931370
Test: manual
Change-Id: I65b2e96ff1230b2051dd1e5bd9c21e5ba3e1146a
Merged-In: I65b2e96ff1230b2051dd1e5bd9c21e5ba3e1146a
(cherry picked from commit a22e341ac2)
In case the broadcast intents "com.android.server.net.action.SNOOZE_WARNING"
or "com.android.server.net.action.SNOOZE_RAPID" are dispatched to apps,
then add a SafetyNet log.
Bug: 177931370
Test: manual
Change-Id: I65b2e96ff1230b2051dd1e5bd9c21e5ba3e1146a
Merged-In: I65b2e96ff1230b2051dd1e5bd9c21e5ba3e1146a
(cherry picked from commit a22e341ac2)
