This repository was archived by the owner on Jan 4, 2025. It is now read-only.

@omansh-krishn

No description provided.

199ashish and others added 26 commits August 4, 2024 19:07
Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation.

Bug: 281525042
Test: Build and flash the code. Try to reproduce the issue with
mentioned steps in the bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e0693ca9cb408d0dc82f6c6b3feb453fc8ddd83)
Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
To mitigate a boot loop with reading a massive
install_sessions.xml file, this restricts the amount of
data that can be written by limiting the size of
unbounded parameters like package name and app label.

This introduces a lowered max session count. 50 for general
applications without the INSTALL_PACKAGES permission, and
the same 1024 for those with the permission.

Also truncates labels read from PackageItemInfo to 1000
characters, which is probably enough.

These changes restrict a malicious third party app to ~0.15 MB
written to disk, and a valid installer to ~3.6 MB, as opposed to
the >1000 MB previously allowed.

These numbers assume no install granted runtime permissions.
Those were not restricted since there's no good way to do so,
but it's assumed that any installer with that permission is
highly privileged and doesn't need to be limited.

Along the same lines, DataLoaderParams are also not restricted.
This will have to be added if that API is ever made public.

However, installer package was restricted, even though the API is
hidden. It was an easy add and may have some effect since the value
is derived from other data and passed through by other system
components.

It's still possible to inflate the file size if a lot of
different apps attempt to install a large number of packages,
but that would require thousands of malicious apps to be installed.

Bug: 157224146

Test: atest android.content.pm.PackageSessionTests

Change-Id: Iec42bee08d19d4ac53b361a92be6bc1401d9efc8
Bug: 308989388
Bug: 307532206
Test: atest android.content.pm.cts.PackageManagerTest
(cherry picked from commit 1f445474cd1b902b2e7292a0d24e58f020fd51e7)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a7e48c8d7e00962d335b0076266a5df98d41a21c)
Merged-In: I840c9c9af5752b3901d4719a13e7908faa43ab04
Change-Id: I840c9c9af5752b3901d4719a13e7908faa43ab04
Bug: 299441833
Test: atest android.content.pm.cts.PackageManagerTest
(cherry picked from commit 496e78a1951f2ed69290f03c5625c0f8382f4d31)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d0f185c0d526c1dac0a8894b2c2f2e378328d73)
Merged-In: Idd89a6dd72f0e68259095f677185f0494391025c
Change-Id: Idd89a6dd72f0e68259095f677185f0494391025c
Bug: 303905130
Bug: 316893159
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb53f192e0ceaa026a083da156ef0cb0140f0c09)
Merged-In: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
Change-Id: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
…ments

Bug: 315206668
Bug: 218495634
Flag: None
Test: manual, atest LockPatternUtilsTest
(cherry picked from commit d341f1ecdb011d24b17358f115391b3f997cb179)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba8dfc68aada76127abafdb17d0f0896cc14447a)
Merged-In: I5e979a7822dd7254b4579ab28ecf96df1db44179
Change-Id: I5e979a7822dd7254b4579ab28ecf96df1db44179
…n accountOptions are too long.

Bug: 293602970
Test: atest UserManagerTest#testAddUserAccountData_validStringValuesAreSaved_validBundleIsSaved && atest UserManagerTest#testAddUserAccountData_invalidStringValuesAreTruncated_invalidBundleIsDropped
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8dc6feaee7c0a5cea093b5280acaad862921cf3e)
Merged-In: I23c971f671546ac085060add89485cfac6691ca3
Change-Id: I23c971f671546ac085060add89485cfac6691ca3
 Insert toasts from system packages at the front of the queue
  to ensure that apps can't spam with toast to delay system toasts from showing.

Test: atest NotificationManagerServiceTest
Bug: 293301736
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67721fcfb3198f220c90c976f870407a0bb8d6c6)
Merged-In: I13547f853476bc88d12026c545aba9f857ce8724
Change-Id: I13547f853476bc88d12026c545aba9f857ce8724
By doing this we avoid a few bad things:
 - mechanism that hides the current toast by trying to show it again
 - delaying the call to hide and remove the current toast from the queue
   when its duration expires (which in the case of repeated calls can
   delay this indefinitely)

Test: atest NotificationManagerServiceTest
Test: atest android.widget.cts.ToastTest
Bug: 167672740
Change-Id: Ie4953109314113efae49fa0c5e0c236e6e0dbb23
…'s own app only

unless it's a system app.

Bug: 239423414
Bug: 223376078
Test: atest CtsAppTestCases:ActivityManagerTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d1c95670b248df945784b0f2830acf83b5682de3)
Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
AOSP-Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02

Change-Id: I3a39b5e2b2ff0c314972ddeccb012894de704de8
In the previous CL, we incorrectly added the permission check in the
killBackgroundProcessesExcept. Now fix this issue.

Bug: 239423414
Bug: 223376078
Test: atest CtsAppTestCases:ActivityManagerTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
AOSP-Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b

Change-Id: I1b1e683b6a92b0fa2a844a99bedcccac8c980e58
…nerService

 Check that a privileged NotificationListenerService (CDM) has the permission to access the sound URI
  when updating a notification channel.

Test: atest com.android.server.notification.NotificationManagerServiceTest#testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission
Bug: 317357401
(cherry picked from commit 9b7bbbf5ad542ecf9ecbf8cd819b468791b443c0)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f090c0538a27d8658d8a860046d5c5e931302341)
Merged-In: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
Change-Id: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
Bug: 304290201
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:76121eb73d4c40829d5513b073871333520fe0a2)
Merged-In: I96370cbd4f6a55f894c1a93307e5f82dfd394652
Change-Id: I96370cbd4f6a55f894c1a93307e5f82dfd394652
This CL ensures the caller process is from the same user when calling
ShortcutService#isRequestPinItemSupported.

Bug: 191772737
Test: atest ShortcutManagerTest1 ShortcutManagerTest2
    ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5
    ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8
    ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11
    ShortcutManagerTest12
Test: atest CtsShortcutManagerTestCases
Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485
 Also, after updating packages with NLS components, check
 the approved services and remove from approved list if missing permissions.

Test: atest ManagedServicesTest
Bug: 321707289

(cherry picked from commit 24b13a64f9f5e5aa7f45a2132806d6c74e2c62dc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c15cdfdd4720efb72c3244a044bb27e2c286c4b)
Merged-In: I11901755ec430c6e3145def9d67e4e63cda00806
Change-Id: I11901755ec430c6e3145def9d67e4e63cda00806
We only allow removing dynamic permissions. When removePermission() is
called for a non-dynamic permission, in addition to logging it, we
should also return early to avoid the removePermission() call.

Test: manual
Bug: 321555066
Fixes: 321711213
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2b5d63b64b2b8208ccc4f62eac3d8962f981dbf8)
Merged-In: I7336f2fc78804f26e4b2a329870ecdea776595d8
Change-Id: I7336f2fc78804f26e4b2a329870ecdea776595d8
Another verification is needed after Bundle modification.
Bug: 321941232
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
setting/updating service

For test, I registered two tests around on ABTD. CtsAutoFillServiceTestCases module is passing except three known failures:

Test run link:
- https://android-build.corp.google.com/builds/abtd/run/L33300030002610600
- https://android-build.corp.google.com/builds/abtd/run/L58100030002616607


Bug: b/324874908
Test: atest CtsAutoFillServiceTestCases
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:141d9d050346bfc4673c429382deb1b3d210f6ad)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:51d64705ab70788a536c26d4df5e63f0952ec98f)
Merged-In: I51c2e3788ac29ff4d6b86aa2a735ff2ea1463a77
Change-Id: I51c2e3788ac29ff4d6b86aa2a735ff2ea1463a77
Refuse to deal with newlines and null characters in
HiddenApiSettings.update(). Also disallow nulls in process start
arguments.

Bug: 316153291
Test: Treehugger for now
(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
Required for ASB 2024-06

Cherry-picked from I9b2ae1ecd1cc8b42ab715ee033879f295949a9ba

Change-Id: Ife602cee53c303dd3f841004d8ffc84b38c7677b
Without it, apps (mainline modules) will need to use createPackageContext...,
which is a bit painful.

Bug: 142472686
Test: atest android.content.cts.ContextTest#testCreateContextAsUser
Change-Id: Id640e03862462724df1a4a3101f0b08faafba22f
Bug: 142472686
Test: atest android.content.cts.ContextTest#testCreateContextAsUser
Change-Id: Id2e3d5ffe5887a4916e0872a7e85d62cbb439744
Bug: 317503801
Test: atest ExpandableNotificationRowTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3b913c4237993525d2435a2d1082c6af8997168d)
Merged-In: I11c5b39f2d9d8f0788acab43640a6d4abcd5a179
Change-Id: I11c5b39f2d9d8f0788acab43640a6d4abcd5a179
…services from enabled list after service update.

Bug: 326485767
Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
Only the system UID should be allowed to connect to the Zygote. While
for generic Zygotes this is also covered by SELinux policy, this is not
true for App Zygotes: the preload code running in an app zygote could
connect to another app zygote socket, if it had access to its (random)
socket address.

On the Java layer, simply check the UID when the connection is made. In
the native layer, this check was already present, but it actually didn't
work in the case where we receive a new incoming connection on the
socket, and receive a 'non-fork' command: in that case, we will simply
exit the native loop, and let the Java layer handle the command, without
any further UID checking.

Modified the native logic to drop new connections with a mismatching
UID, and to keep serving the existing connection (if it was still
there).

 [Backport: No native layer for ZygoteCommandBuffer present]

Bug: 319081336
Test: manual
(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
The original removePermission() code in PermissionManagerService
missed a logical negation operator when handling non-dynamic
permissions, causing both
testPermissionPermission_nonDynamicPermission_permissionUnchanged and
testRemovePermission_dynamicPermission_permissionRemoved tests in
DynamicPermissionsTest to fail.

The corresponding test DynamicPermissionsTest is also updated in the
other CL: ag/27073864

Bug: 321711213
Test: DynamicPermissionsTest on sc-dev and tm-dev locally
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35d77a77feef62dc108f6478cb9228cc6044f70d)
Merged-In: Id573b75cdcfce3a1df5731ffb00c4228c513e686
Change-Id: Id573b75cdcfce3a1df5731ffb00c4228c513e686
@omansh-krishn omansh-krishn changed the title Q_asb_2024-03 Q_asb_2024-07 Aug 6, 2024
8 participants