setPairingConfirmation was set to only require BLUETOOTH_ADMIN
permission which shouldn't be able to set the confirmation itself.
This is restricted to BLUETOOTH_PRIVILEGED permission.
Bug: 29043989
Change-Id: Iddc935f0b02f5ff56e930914b4b664377e786184
We can no longer return the "my_downloads" paths: if those Uris were
shared beyond the app that requested the download, access would be
denied. Instead, we need to switch to using "all_downloads" Uris so
that permission grants can be issued to third-party viewer apps.
Since an app requesting a download doesn't normally have permission
to "all_downloads" paths, DownloadProvider now issues narrow grants
toward the owner of each download, both at device boot and when new
downloads are started.
Bug: 30537115, 30945409
Change-Id: I533125b36444877f54373d88922f2acc777e250b
This is the backport of the following commits :
Commit c5f27a7cb2:
-----------------------------------------------
Reopen whitelisted zygote file descriptors after a fork.
We don't want these descriptors to be shared post-fork, so we'll
have to close and reopen them when the zygote forks. The set of
open descriptors is checked against a whitelist and it is a fatal
error if a non whitelisted FD is opened. It is also a fatal error
if anything other than a regular file / character device or socket
is opened at the time of forking.
This work is done in two stages :
- An initial list of FDs is constructed and cached prior to the
first zygote fork.
- On each subsequent fork, we check whether the list of open FDs
has changed. We are currently tolerant of changes, but in the
longer term, it should be a fatal error if the set of open file
descriptors in the zygote changes.
- Post fork, we traverse the list of open descriptors and reopen
them if necessary.
bug: 30963384
Commit 3764a260f0:
-----------------------------------------------
Add a whitelist of sockets on fork.
Maintain a whitelist of AF_UNIX sockets that are permitted
to exist at the time of forking. If an open socket does not belong
to the whitelist (or is not AF_UNIX), the process will abort. If an
open socket is whitelisted, it will be redirected to /dev/null after
a sucessful fork. This allows us to unify our handling of the special
zygote sockets (/dev/socket/zygote[_secondary]) with the existing
whitelist of non socket file descriptors.
This change also removes non-fatal ALOGW messages since they have the
side effect of reopening the logging socket.
bug: 30963384
Commit 0b76d6a28e:
-----------------------------------------------
fd_utils: Fix broken usage of iterators.
There were two separate issues here :
- RestatInternal was using an iterator after a call to erase(). This
will not work because it will be invalidated.
- The "standard" for loop idiom for iterating over a map while making
structural changes to it is broken. Switch to a while loop and treat
cases where elements are erased differently from cases where they
aren't.
bug: 31092930
bug: 30963384
Plus additional changes:
-----------------------------------------------
- change std::unordered_map to std::tr1::unordered_map.
- add /dev/alarm and /dev/__properties__ to the whitelist.
- map.erase(iterator) returns void prior to C++11, so need the kludge
of calling erase(it++).
Change-Id: I694ff66d5f227239b0190ffc2287882b16e336fa
Don't write partial requests, and don't return (or throw) early after
partially reading a response.
bug: 30143607
(cherry-picked from commit 448be0a622)
Change-Id: I5881fdd5e81023cd21fb4d23a471a5031987a1f1
Remove MANAGE_USERS permission from shell and whitelist it for
some specific functionality.
Bug: 29189712
Change-Id: Ifb37448c091af91991964511e3efb1bb4dea1ff3
Remove MANAGE_USERS permission from shell and whitelist it for
some specific functionality.
Bug: 29189712
Change-Id: Ifb37448c091af91991964511e3efb1bb4dea1ff3
Get the canonical identity and metadata about the package from the
Package Manager at time of usage rather than rely on the caller to
have gotten things right, even when the caller has the system uid.
Bug 28795098
Change-Id: I215786bc894dedf7ca28e9c80cefabd0e40ca877
The URL path could contain credentials that apps don't want exposed
to a potentially malicious PAC script.
Bug: 27593919
Change-Id: I4bb0362fc91f70ad47c4c7453d77d6f9a1e8eeed
Since this is a backport, there is only one rule that guards intent
filter priorities:
1) Updates will NOT be granted a priority greater than the priority
defined on the system image.
NOTE: I had to bring in pieces of ag/526831 so intent filters could
be collected and matched
Bug: 27450489
Change-Id: Ifcec4d7a59e684331399abc41eea1bd6876155a4
Since this is a backport, there is only one rule that guards intent
filter priorities:
1) Updates will NOT be granted a priority greater than the priority
defined on the system image.
Bug: 27450489
Change-Id: Ifcec4d7a59e684331399abc41eea1bd6876155a4
BUG:26094635
If the caller to ContentResolver#getCurrentSyncs does not hold the
GET_ACCOUNTS permission, return a SyncInfo object that does not
contain any Account information.
Change-Id: I5628ebe1f56c8e3f784aaf1b3281e6b829d19314
(cherry picked from commit b63057e698)
BUG:26094635
If the caller to ContentResolver#getCurrentSyncs does not hold the
GET_ACCOUNTS permission, return a SyncInfo object that does not
contain any Account information.
Change-Id: I5628ebe1f56c8e3f784aaf1b3281e6b829d19314
(cherry picked from commit b63057e698)
DEFAULT_*_SUBSCRIPTION_CHANGED broadcasts were added but not protected,
allowing 3rd parties to potentially spoof the bcasts feeding misinformation
to system listeners.
bug:25778215
Change-Id: Ie5fc68a7d2224ce3f6beeca91667fe9b7654f0d5
