17.1 March ASB work

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-03-21 11:57:39 -04:00
parent b4dbe27f23
commit 44fa294eca
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
23 changed files with 2023 additions and 8 deletions

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Tue, 22 Nov 2022 22:00:13 +0000
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
Bug: http://b/242299736
Test: TreeHugger
Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
---
src/inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/inflate.c b/src/inflate.c
index ac333e8..cd01857 100644
--- a/src/inflate.c
+++ b/src/inflate.c
@@ -759,8 +759,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);

View File

@ -22,7 +22,7 @@ index 586d9a819d1e..85e86237adf6 100644
<!-- Allows applications to access information about networks. <!-- Allows applications to access information about networks.
<p>Protection level: normal <p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 011e19586ed2..245ea111996c 100644 index 4c6c1842d93e..8c0729b3506f 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1024,7 +1024,7 @@ public class PermissionManagerService { @@ -1024,7 +1024,7 @@ public class PermissionManagerService {

View File

@ -100,7 +100,7 @@ index 2cf2b923ef90..ae206c1f5872 100644
<string name="permlab_readCalendar">Read calendar events and details</string> <string name="permlab_readCalendar">Read calendar events and details</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. --> <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 245ea111996c..4a940dbb7744 100644 index 8c0729b3506f..8edb487294e6 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1024,7 +1024,7 @@ public class PermissionManagerService { @@ -1024,7 +1024,7 @@ public class PermissionManagerService {

View File

@ -25,7 +25,7 @@ index 1bd1396c6d45..a3e1b685a3be 100644
Process.SYSTEM_UID, userId, delayingPermCallback); Process.SYSTEM_UID, userId, delayingPermCallback);
// Allow app op later as we are holding mPackages // Allow app op later as we are holding mPackages
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 23af4e6c1c3e..011e19586ed2 100644 index ae10b28cd8bb..4c6c1842d93e 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1023,6 +1023,10 @@ public class PermissionManagerService { @@ -1023,6 +1023,10 @@ public class PermissionManagerService {
@ -63,7 +63,7 @@ index 23af4e6c1c3e..011e19586ed2 100644
if (!permissionsState.hasRuntimePermission(bp.name, userId) if (!permissionsState.hasRuntimePermission(bp.name, userId)
&& permissionsState.grantRuntimePermission(bp, && permissionsState.grantRuntimePermission(bp,
userId) != PERMISSION_OPERATION_FAILURE) { userId) != PERMISSION_OPERATION_FAILURE) {
@@ -2228,7 +2240,7 @@ public class PermissionManagerService { @@ -2233,7 +2245,7 @@ public class PermissionManagerService {
&& (grantedPermissions == null && (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) { || ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId); final int flags = permissionsState.getPermissionFlags(permission, userId);
@ -72,7 +72,7 @@ index 23af4e6c1c3e..011e19586ed2 100644
// Installer cannot change immutable permissions. // Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) { if ((flags & immutableFlags) == 0) {
grantRuntimePermission(permission, pkg.packageName, false, callingUid, grantRuntimePermission(permission, pkg.packageName, false, callingUid,
@@ -2287,7 +2299,7 @@ public class PermissionManagerService { @@ -2292,7 +2304,7 @@ public class PermissionManagerService {
// to keep the review required permission flag per user while an // to keep the review required permission flag per user while an
// install permission's state is shared across all users. // install permission's state is shared across all users.
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
@ -81,7 +81,7 @@ index 23af4e6c1c3e..011e19586ed2 100644
return; return;
} }
@@ -2339,7 +2351,8 @@ public class PermissionManagerService { @@ -2344,7 +2356,8 @@ public class PermissionManagerService {
+ permName + " for package " + packageName); + permName + " for package " + packageName);
} }
@ -91,7 +91,7 @@ index 23af4e6c1c3e..011e19586ed2 100644
Slog.w(TAG, "Cannot grant runtime permission to a legacy app"); Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return; return;
} }
@@ -2426,7 +2439,7 @@ public class PermissionManagerService { @@ -2431,7 +2444,7 @@ public class PermissionManagerService {
// to keep the review required permission flag per user while an // to keep the review required permission flag per user while an
// install permission's state is shared across all users. // install permission's state is shared across all users.
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M

View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julia Reynolds <juliacr@google.com>
Date: Mon, 16 May 2022 15:28:24 -0400
Subject: [PATCH] Move service initialization
Occasionally ILockSettings can fail to be initialized otherwise
Fixes: 232714129
Test: boot (and eventually bootstress/reboot-long)
Change-Id: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
(cherry picked from commit 8e278543bd290d4b6c417758554d6dee93a4fe74)
(cherry picked from commit caa5a22ea0c401c4eef548fb8161820beda3ff13)
Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
---
.../server/notification/NotificationManagerService.java | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 347811d82862..c9831781b543 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -1567,7 +1567,6 @@ public class NotificationManagerService extends SystemService {
}
}
- private LockPatternUtils mLockPatternUtils;
private StrongAuthTracker mStrongAuthTracker;
public NotificationManagerService(Context context) {
@@ -1761,7 +1760,6 @@ public class NotificationManagerService extends SystemService {
mHandler = new WorkerHandler(looper);
mRankingThread.start();
- mLockPatternUtils = new LockPatternUtils(getContext());
mStrongAuthTracker = new StrongAuthTracker(getContext());
String[] extractorNames;
try {
@@ -2059,7 +2057,7 @@ public class NotificationManagerService extends SystemService {
mRoleObserver = new RoleObserver(getContext().getSystemService(RoleManager.class),
mPackageManager, getContext().getMainExecutor());
mRoleObserver.init();
- mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker);
+ new LockPatternUtils(getContext()).registerStrongAuthTracker(mStrongAuthTracker);
} else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) {
// This observer will force an update when observe is called, causing us to
// bind to listener services.

View File

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Johnston <acjohnston@google.com>
Date: Tue, 5 Oct 2021 11:44:37 +0000
Subject: [PATCH] Stop managed profile owner granting READ_SMS
Reason: There is only one telephony stack shared
between the personal and work profile.
Bug: 194382185
Bug: 189942529
Test: build
Change-Id: If0d27a317a7c0ee46af371b30208327e5636c7cf
(cherry picked from commit 87f37319bf7ee22c6e7c29432b6c9bbce0fdb591)
Merged-In: If0d27a317a7c0ee46af371b30208327e5636c7cf
---
core/java/android/app/admin/DevicePolicyManager.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 08e6ff318fbc..5e263b0d05b6 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -8836,6 +8836,15 @@ public class DevicePolicyManager {
* {@link android.os.Build.VERSION_CODES#M} the app-op matching the permission is set to
* {@link android.app.AppOpsManager#MODE_IGNORED}, but the permission stays granted.
*
+ * Control over the following permissions are restricted for managed profile owners:
+ * <ul>
+ * <li>Manifest.permission.READ_SMS</li>
+ * </ul>
+ * <p>
+ * A managed profile owner may not grant these permissions (i.e. call this method with any of
+ * the permissions listed above and {@code grantState} of
+ * {@code #PERMISSION_GRANT_STATE_GRANTED}), but may deny them.
+ *
* @param admin Which profile or device owner this request is associated with.
* @param packageName The application to grant or revoke a permission to.
* @param permission The permission to grant or revoke.

View File

@ -0,0 +1,528 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wenhao Wang <wenhaowang@google.com>
Date: Tue, 30 Aug 2022 11:09:46 -0700
Subject: [PATCH] Enable user graularity for lockdown mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The NotificationManagerService registers a LockPatternUtils.StrongAuthTracker
to observe the StrongAuth changes of every user.
More specifically, its the STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN flag.
Via this flag, NotificationManagerService can perform the following operations
when the user enter or exit lockdown mode:
Enter lockdown:
1. Remove all the notifications belonging to the user.
2. Set the local flag to indicate the lockdown is on for the user.
The local flag will suppress the user's notifications on the
post, remove and update functions.
Exit lockdown:
1. Clear the local flag to indicate the lockdown is off for the user.
2. Repost the users notifications (suppressed during lockdown mode).
The CL also updates corresponding tests.
Bug: 173721373
Bug: 250743174
Test: atest NotificationManagerServiceTest
Test: atest NotificationListenersTest
Ignore-AOSP-First: pending fix for a security issue.
Change-Id: I4f30e56550729db7d673a92d2a1250509713f36d
Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
(cherry picked from commit de3b12fca23178d8c821058261572449b67d5967)
(cherry picked from commit 5e40f39f5bd4ae769d79ce022a64f1345512b65d)
Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
---
.../NotificationManagerService.java | 75 ++++++----
.../NotificationListenersTest.java | 132 +++++++++++-------
.../NotificationManagerServiceTest.java | 72 ++++++++--
3 files changed, 191 insertions(+), 88 deletions(-)
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index c9831781b543..7ae80d927aaa 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -1535,34 +1535,39 @@ public class NotificationManagerService extends SystemService {
return (haystack & needle) != 0;
}
- public boolean isInLockDownMode() {
- return mIsInLockDownMode;
+ // Return whether the user is in lockdown mode.
+ // If the flag is not set, we assume the user is not in lockdown.
+ public boolean isInLockDownMode(int userId) {
+ return mUserInLockDownMode.get(userId, false);
}
@Override
public synchronized void onStrongAuthRequiredChanged(int userId) {
boolean userInLockDownModeNext = containsFlag(getStrongAuthForUser(userId),
STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
- mUserInLockDownMode.put(userId, userInLockDownModeNext);
- boolean isInLockDownModeNext = mUserInLockDownMode.indexOfValue(true) != -1;
- if (mIsInLockDownMode == isInLockDownModeNext) {
+ // Nothing happens if the lockdown mode of userId keeps the same.
+ if (userInLockDownModeNext == isInLockDownMode(userId)) {
return;
}
- if (isInLockDownModeNext) {
- cancelNotificationsWhenEnterLockDownMode();
+ // When the lockdown mode is changed, we perform the following steps.
+ // If the userInLockDownModeNext is true, all the function calls to
+ // notifyPostedLocked and notifyRemovedLocked will not be executed.
+ // The cancelNotificationsWhenEnterLockDownMode calls notifyRemovedLocked
+ // and postNotificationsWhenExitLockDownMode calls notifyPostedLocked.
+ // So we shall call cancelNotificationsWhenEnterLockDownMode before
+ // we set mUserInLockDownMode as true.
+ // On the other hand, if the userInLockDownModeNext is false, we shall call
+ // postNotificationsWhenExitLockDownMode after we put false into mUserInLockDownMode
+ if (userInLockDownModeNext) {
+ cancelNotificationsWhenEnterLockDownMode(userId);
}
- // When the mIsInLockDownMode is true, both notifyPostedLocked and
- // notifyRemovedLocked will be dismissed. So we shall call
- // cancelNotificationsWhenEnterLockDownMode before we set mIsInLockDownMode
- // as true and call postNotificationsWhenExitLockDownMode after we set
- // mIsInLockDownMode as false.
- mIsInLockDownMode = isInLockDownModeNext;
+ mUserInLockDownMode.put(userId, userInLockDownModeNext);
- if (!isInLockDownModeNext) {
- postNotificationsWhenExitLockDownMode();
+ if (!userInLockDownModeNext) {
+ postNotificationsWhenExitLockDownMode(userId);
}
}
}
@@ -7579,11 +7584,14 @@ public class NotificationManagerService extends SystemService {
}
}
- private void cancelNotificationsWhenEnterLockDownMode() {
+ private void cancelNotificationsWhenEnterLockDownMode(int userId) {
synchronized (mNotificationLock) {
int numNotifications = mNotificationList.size();
for (int i = 0; i < numNotifications; i++) {
NotificationRecord rec = mNotificationList.get(i);
+ if (rec.getUser().getIdentifier() != userId) {
+ continue;
+ }
mListeners.notifyRemovedLocked(rec, REASON_CANCEL_ALL,
rec.getStats());
}
@@ -7591,14 +7599,23 @@ public class NotificationManagerService extends SystemService {
}
}
- private void postNotificationsWhenExitLockDownMode() {
+ private void postNotificationsWhenExitLockDownMode(int userId) {
synchronized (mNotificationLock) {
int numNotifications = mNotificationList.size();
+ // Set the delay to spread out the burst of notifications.
+ long delay = 0;
for (int i = 0; i < numNotifications; i++) {
NotificationRecord rec = mNotificationList.get(i);
- mListeners.notifyPostedLocked(rec, rec);
+ if (rec.getUser().getIdentifier() != userId) {
+ continue;
+ }
+ mHandler.postDelayed(() -> {
+ synchronized (mNotificationLock) {
+ mListeners.notifyPostedLocked(rec, rec);
+ }
+ }, delay);
+ delay += 20;
}
-
}
}
@@ -7777,12 +7794,15 @@ public class NotificationManagerService extends SystemService {
* notifications visible to the given listener.
*/
@GuardedBy("mNotificationLock")
- private NotificationRankingUpdate makeRankingUpdateLocked(ManagedServiceInfo info) {
+ NotificationRankingUpdate makeRankingUpdateLocked(ManagedServiceInfo info) {
final int N = mNotificationList.size();
final ArrayList<NotificationListenerService.Ranking> rankings = new ArrayList<>();
for (int i = 0; i < N; i++) {
NotificationRecord record = mNotificationList.get(i);
+ if (isInLockDownMode(record.getUser().getIdentifier())) {
+ continue;
+ }
if (!isVisibleToListener(record.sbn, info)) {
continue;
}
@@ -7818,8 +7838,8 @@ public class NotificationManagerService extends SystemService {
rankings.toArray(new NotificationListenerService.Ranking[0]));
}
- boolean isInLockDownMode() {
- return mStrongAuthTracker.isInLockDownMode();
+ boolean isInLockDownMode(int userId) {
+ return mStrongAuthTracker.isInLockDownMode(userId);
}
boolean hasCompanionDevice(ManagedServiceInfo info) {
@@ -7854,7 +7874,8 @@ public class NotificationManagerService extends SystemService {
ServiceManager.getService(Context.COMPANION_DEVICE_SERVICE));
}
- private boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) {
+ @VisibleForTesting
+ boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) {
if (!listener.enabledAndUserMatches(sbn.getUserId())) {
return false;
}
@@ -8454,7 +8475,7 @@ public class NotificationManagerService extends SystemService {
@GuardedBy("mNotificationLock")
void notifyPostedLocked(NotificationRecord r, NotificationRecord old,
boolean notifyAllListeners) {
- if (isInLockDownMode()) {
+ if (isInLockDownMode(r.getUser().getIdentifier())) {
return;
}
@@ -8520,7 +8541,7 @@ public class NotificationManagerService extends SystemService {
@GuardedBy("mNotificationLock")
public void notifyRemovedLocked(NotificationRecord r, int reason,
NotificationStats notificationStats) {
- if (isInLockDownMode()) {
+ if (isInLockDownMode(r.getUser().getIdentifier())) {
return;
}
@@ -8575,10 +8596,6 @@ public class NotificationManagerService extends SystemService {
*/
@GuardedBy("mNotificationLock")
public void notifyRankingUpdateLocked(List<NotificationRecord> changedHiddenNotifications) {
- if (isInLockDownMode()) {
- return;
- }
-
boolean isHiddenRankingUpdate = changedHiddenNotifications != null
&& changedHiddenNotifications.size() > 0;
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java
index 793739bfe8f5..e04339fe5ee9 100644
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java
@@ -28,6 +28,7 @@ import static org.mockito.Mockito.when;
import android.app.INotificationManager;
import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
+import android.os.UserHandle;
import android.service.notification.NotificationStats;
import android.service.notification.StatusBarNotification;
import android.testing.TestableContext;
@@ -40,8 +41,6 @@ import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.mockito.internal.util.reflection.FieldSetter;
-import java.util.List;
-
public class NotificationListenersTest extends UiServiceTestCase {
@Mock
@@ -70,46 +69,65 @@ public class NotificationListenersTest extends UiServiceTestCase {
@Test
public void testNotifyPostedLockedInLockdownMode() {
- NotificationRecord r = mock(NotificationRecord.class);
- NotificationRecord old = mock(NotificationRecord.class);
-
- // before the lockdown mode
- when(mNm.isInLockDownMode()).thenReturn(false);
- mListeners.notifyPostedLocked(r, old, true);
- mListeners.notifyPostedLocked(r, old, false);
- verify(mListeners, times(2)).getServices();
-
- // in the lockdown mode
- reset(r);
- reset(old);
- reset(mListeners);
- when(mNm.isInLockDownMode()).thenReturn(true);
- mListeners.notifyPostedLocked(r, old, true);
- mListeners.notifyPostedLocked(r, old, false);
- verify(mListeners, never()).getServices();
- }
-
- @Test
- public void testnotifyRankingUpdateLockedInLockdownMode() {
- List chn = mock(List.class);
-
- // before the lockdown mode
- when(mNm.isInLockDownMode()).thenReturn(false);
- mListeners.notifyRankingUpdateLocked(chn);
- verify(chn, times(1)).size();
-
- // in the lockdown mode
- reset(chn);
- when(mNm.isInLockDownMode()).thenReturn(true);
- mListeners.notifyRankingUpdateLocked(chn);
- verify(chn, never()).size();
+ NotificationRecord r0 = mock(NotificationRecord.class);
+ NotificationRecord old0 = mock(NotificationRecord.class);
+ UserHandle uh0 = mock(UserHandle.class);
+
+ NotificationRecord r1 = mock(NotificationRecord.class);
+ NotificationRecord old1 = mock(NotificationRecord.class);
+ UserHandle uh1 = mock(UserHandle.class);
+
+ // Neither user0 and user1 is in the lockdown mode
+ when(r0.getUser()).thenReturn(uh0);
+ when(uh0.getIdentifier()).thenReturn(0);
+ when(mNm.isInLockDownMode(0)).thenReturn(false);
+
+ when(r1.getUser()).thenReturn(uh1);
+ when(uh1.getIdentifier()).thenReturn(1);
+ when(mNm.isInLockDownMode(1)).thenReturn(false);
+
+ mListeners.notifyPostedLocked(r0, old0, true);
+ mListeners.notifyPostedLocked(r0, old0, false);
+ verify(r0, atLeast(2)).getSbn();
+
+ mListeners.notifyPostedLocked(r1, old1, true);
+ mListeners.notifyPostedLocked(r1, old1, false);
+ verify(r1, atLeast(2)).getSbn();
+
+ // Reset
+ reset(r0);
+ reset(old0);
+ reset(r1);
+ reset(old1);
+
+ // Only user 0 is in the lockdown mode
+ when(r0.getUser()).thenReturn(uh0);
+ when(uh0.getIdentifier()).thenReturn(0);
+ when(mNm.isInLockDownMode(0)).thenReturn(true);
+
+ when(r1.getUser()).thenReturn(uh1);
+ when(uh1.getIdentifier()).thenReturn(1);
+ when(mNm.isInLockDownMode(1)).thenReturn(false);
+
+ mListeners.notifyPostedLocked(r0, old0, true);
+ mListeners.notifyPostedLocked(r0, old0, false);
+ verify(r0, never()).getSbn();
+
+ mListeners.notifyPostedLocked(r1, old1, true);
+ mListeners.notifyPostedLocked(r1, old1, false);
+ verify(r1, atLeast(2)).getSbn();
}
@Test
public void testNotifyRemovedLockedInLockdownMode() throws NoSuchFieldException {
StatusBarNotification sbn = mock(StatusBarNotification.class);
- NotificationRecord r = mock(NotificationRecord.class);
- NotificationStats rs = mock(NotificationStats.class);
+ NotificationRecord r0 = mock(NotificationRecord.class);
+ NotificationStats rs0 = mock(NotificationStats.class);
+ UserHandle uh0 = mock(UserHandle.class);
+
+ NotificationRecord r1 = mock(NotificationRecord.class);
+ NotificationStats rs1 = mock(NotificationStats.class);
+ UserHandle uh1 = mock(UserHandle.class);
FieldSetter.setField(r,
NotificationRecord.class.getDeclaredField("sbn"),
sbn);
@@ -117,19 +135,31 @@ public class NotificationListenersTest extends UiServiceTestCase {
NotificationManagerService.class.getDeclaredField("mHandler"),
mock(NotificationManagerService.WorkerHandler.class));
- // before the lockdown mode
- when(mNm.isInLockDownMode()).thenReturn(false);
- mListeners.notifyRemovedLocked(r, 0, rs);
- mListeners.notifyRemovedLocked(r, 0, rs);
- verify(sbn, times(2)).cloneLight();
-
- // in the lockdown mode
- reset(sbn);
- reset(r);
- reset(rs);
- when(mNm.isInLockDownMode()).thenReturn(true);
- mListeners.notifyRemovedLocked(r, 0, rs);
- mListeners.notifyRemovedLocked(r, 0, rs);
- verify(sbn, never()).cloneLight();
+ // Neither user0 and user1 is in the lockdown mode
+ when(r0.getUser()).thenReturn(uh0);
+ when(uh0.getIdentifier()).thenReturn(0);
+ when(mNm.isInLockDownMode(0)).thenReturn(false);
+ when(r0.getSbn()).thenReturn(sbn);
+
+ when(r1.getUser()).thenReturn(uh1);
+ when(uh1.getIdentifier()).thenReturn(1);
+ when(mNm.isInLockDownMode(1)).thenReturn(false);
+ when(r1.getSbn()).thenReturn(sbn);
+
+ mListeners.notifyRemovedLocked(r0, 0, rs0);
+ mListeners.notifyRemovedLocked(r0, 0, rs0);
+ verify(r0, atLeast(2)).getSbn();
+
+ mListeners.notifyRemovedLocked(r1, 0, rs1);
+ mListeners.notifyRemovedLocked(r1, 0, rs1);
+ verify(r1, atLeast(2)).getSbn();
+
+ // Reset
+ reset(r0);
+ reset(rs0);
+ reset(r1);
+ reset(rs1);
+
+ // Only user 0 is in the lockdown mode
}
}
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
index 5030e124e4ce..7018b55b278d 100755
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
@@ -124,6 +124,7 @@ import android.provider.MediaStore;
import android.provider.Settings;
import android.service.notification.Adjustment;
import android.service.notification.NotificationListenerService;
+import android.service.notification.NotificationRankingUpdate;
import android.service.notification.NotificationStats;
import android.service.notification.StatusBarNotification;
import android.service.notification.ZenPolicy;
@@ -149,6 +150,7 @@ import com.android.server.SystemService;
import com.android.server.UiServiceTestCase;
import com.android.server.lights.Light;
import com.android.server.lights.LightsManager;
+import com.android.server.notification.ManagedServices.ManagedServiceInfo;
import com.android.server.notification.NotificationManagerService.NotificationAssistants;
import com.android.server.notification.NotificationManagerService.NotificationListeners;
import com.android.server.pm.PackageManagerService;
@@ -255,6 +257,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
@Mock
AlarmManager mAlarmManager;
+ private NotificationManagerService.WorkerHandler mWorkerHandler;
+
// Use a Testable subclass so we can simulate calls from the system without failing.
private static class TestableNotificationManagerService extends NotificationManagerService {
int countSystemChecks = 0;
@@ -264,6 +268,9 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
@Nullable
NotificationAssistantAccessGrantedCallback mNotificationAssistantAccessGrantedCallback;
+ @Nullable
+ Boolean mIsVisibleToListenerReturnValue = null;
+
TestableNotificationManagerService(Context context) {
super(context);
}
@@ -326,6 +333,18 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
void onGranted(ComponentName assistant, int userId, boolean granted);
}
+ protected void setIsVisibleToListenerReturnValue(boolean value) {
+ mIsVisibleToListenerReturnValue = value;
+ }
+
+ @Override
+ boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) {
+ if (mIsVisibleToListenerReturnValue != null) {
+ return mIsVisibleToListenerReturnValue;
+ }
+ return super.isVisibleToListener(sbn, listener);
+ }
+
@Override
protected boolean canLaunchInActivityView(Context context, PendingIntent pendingIntent,
String packageName) {
@@ -429,7 +448,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
when(mAssistants.isAdjustmentAllowed(anyString())).thenReturn(true);
- mService.init(mTestableLooper.getLooper(),
+ mWorkerHandler = spy(mService.new WorkerHandler(mTestableLooper.getLooper()));
+ mService.init(mWorkerHandler,
mPackageManager, mPackageManagerClient, mockLightsManager,
mListeners, mAssistants, mConditionProviders,
mCompanionMgr, mSnoozeHelper, mUsageStats, mPolicyFile, mActivityManager,
@@ -459,6 +479,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
clearDeviceConfig();
InstrumentationRegistry.getInstrumentation()
.getUiAutomation().dropShellPermissionIdentity();
+ mWorkerHandler.removeCallbacksAndMessages(null);
}
public void waitForIdle() {
@@ -5607,10 +5628,10 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
mStrongAuthTracker.setGetStrongAuthForUserReturnValue(
STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
- assertTrue(mStrongAuthTracker.isInLockDownMode());
- mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0);
+ assertTrue(mStrongAuthTracker.isInLockDownMode(mContext.getUserId()));
+ mStrongAuthTracker.setGetStrongAuthForUserReturnValue(mContext.getUserId());
mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
- assertFalse(mStrongAuthTracker.isInLockDownMode());
+ assertFalse(mStrongAuthTracker.isInLockDownMode(mContext.getUserId()));
}
@Test
@@ -5626,8 +5647,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
// when entering the lockdown mode, cancel the 2 notifications.
mStrongAuthTracker.setGetStrongAuthForUserReturnValue(
STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
- mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
- assertTrue(mStrongAuthTracker.isInLockDownMode());
+ mStrongAuthTracker.onStrongAuthRequiredChanged(0);
+ assertTrue(mStrongAuthTracker.isInLockDownMode(0));
// the notifyRemovedLocked function is called twice due to REASON_LOCKDOWN.
ArgumentCaptor<Integer> captor = ArgumentCaptor.forClass(Integer.class);
@@ -5636,9 +5657,44 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
// exit lockdown mode.
mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0);
- mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
+ mStrongAuthTracker.onStrongAuthRequiredChanged(0);
+ assertFalse(mStrongAuthTracker.isInLockDownMode(0));
// the notifyPostedLocked function is called twice.
- verify(mListeners, times(2)).notifyPostedLocked(any(), any());
+ verify(mWorkerHandler, times(2)).postDelayed(any(Runnable.class), anyLong());
+ }
+
+ @Test
+ public void testMakeRankingUpdateLockedInLockDownMode() {
+ // post 2 notifications from a same package
+ NotificationRecord pkgA = new NotificationRecord(mContext,
+ generateSbn("a", 1000, 9, 0), mTestNotificationChannel);
+ mService.addNotification(pkgA);
+ NotificationRecord pkgB = new NotificationRecord(mContext,
+ generateSbn("a", 1000, 9, 1), mTestNotificationChannel);
+ mService.addNotification(pkgB);
+
+ mService.setIsVisibleToListenerReturnValue(true);
+ NotificationRankingUpdate nru = mService.makeRankingUpdateLocked(null);
+ assertEquals(2, nru.getRankingMap().getOrderedKeys().length);
+
+ // when only user 0 entering the lockdown mode, its notification will be suppressed.
+ mStrongAuthTracker.setGetStrongAuthForUserReturnValue(
+ STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
+ mStrongAuthTracker.onStrongAuthRequiredChanged(0);
+ assertTrue(mStrongAuthTracker.isInLockDownMode(0));
+ assertFalse(mStrongAuthTracker.isInLockDownMode(1));
+
+ nru = mService.makeRankingUpdateLocked(null);
+ assertEquals(1, nru.getRankingMap().getOrderedKeys().length);
+
+ // User 0 exits lockdown mode. Its notification will be resumed.
+ mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0);
+ mStrongAuthTracker.onStrongAuthRequiredChanged(0);
+ assertFalse(mStrongAuthTracker.isInLockDownMode(0));
+ assertFalse(mStrongAuthTracker.isInLockDownMode(1));
+
+ nru = mService.makeRankingUpdateLocked(null);
+ assertEquals(2, nru.getRankingMap().getOrderedKeys().length);
}
}

View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nate Myren <ntmyren@google.com>
Date: Fri, 2 Dec 2022 09:44:31 -0800
Subject: [PATCH] RESTRICT AUTOMERGE Revoke dev perm if app is upgrading to
post 23 and perm has pre23 flag
If a permission has the "pre23" flag, and an app is upgrading past api
23, then we should not assume that a "development" permission remains
granted
Fixes: 259458532
Test: atest RevokeSawPermissionTest
Change-Id: I214396f455c5ed9e8bac2e50b1525b86475c81c7
(cherry picked from commit 2f30a63b11e59f9daf42f51eb85aa91c86f4baf4)
Merged-In: I214396f455c5ed9e8bac2e50b1525b86475c81c7
---
.../server/pm/permission/PermissionManagerService.java | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 23af4e6c1c3e..ae10b28cd8bb 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -671,7 +671,7 @@ public class PermissionManagerService {
}
final PackageSetting ps = (PackageSetting) newPackage.mExtras;
if (grantSignaturePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, newPackage, saw,
- ps.getPermissionsState())) {
+ ps.getPermissionsState(), true)) {
return;
}
for (int userId: mUserManagerInt.getUserIds()) {
@@ -1836,6 +1836,11 @@ public class PermissionManagerService {
private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
BasePermission bp, PermissionsState origPermissions) {
+ return grantSignaturePermission(perm, pkg, bp, origPermissions, false);
+ }
+
+ private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
+ BasePermission bp, PermissionsState origPermissions, boolean isApi23Upgrade) {
boolean oemPermission = bp.isOEM();
boolean vendorPrivilegedPermission = bp.isVendorPrivileged();
boolean privilegedPermission = bp.isPrivileged() || bp.isVendorPrivileged();
@@ -2022,7 +2027,7 @@ public class PermissionManagerService {
// Any pre-installed system app is allowed to get this permission.
allowed = true;
}
- if (!allowed && bp.isDevelopment()) {
+ if (!allowed && bp.isDevelopment() && !(bp.isPre23() && isApi23Upgrade)) {
// For development permissions, a development permission
// is granted only if it was already granted.
allowed = origPermissions.hasInstallPermission(perm);

View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Michael Wright <michaelwr@google.com>
Date: Mon, 26 Sep 2022 20:37:33 +0100
Subject: [PATCH] Reconcile WorkSource parcel and unparcel code.
Prior to this CL, WorkSources would Parcel their list of WorkChains as
-1 if null, or the size of the list followed by the list itself if
non-null. When reading it back in, on the other hand, they would check
if the size was positive, and only then read the list from the Parcel.
This works for all cases except when the WorkSource has an empty but
non-null list of WorkChains as the list would get written to the parcel,
but then never read on the other side.
If parceling a list was a no-op when empty this wouldn't be an issue,
but it must write at least its size into the parcel to know how many
elements to extract. In the empty list case, this single element is left
unread as the size is not positive which essentially corrupts any future
items read from that same parcelable.
Bug: 220302519
Test: atest android.security.cts.WorkSourceTest#testWorkChainParceling
Change-Id: I2fec40dfced420ca38e717059b0e95ee8ef9946a
(cherry picked from commit 266b3bddcf14d448c0972db64b42950f76c759e3)
Merged-In: I2fec40dfced420ca38e717059b0e95ee8ef9946a
---
core/java/android/os/WorkSource.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/java/android/os/WorkSource.java b/core/java/android/os/WorkSource.java
index 0b4a56121038..4e7a280aa2c1 100644
--- a/core/java/android/os/WorkSource.java
+++ b/core/java/android/os/WorkSource.java
@@ -114,7 +114,7 @@ public class WorkSource implements Parcelable {
mNames = in.createStringArray();
int numChains = in.readInt();
- if (numChains > 0) {
+ if (numChains >= 0) {
mChains = new ArrayList<>(numChains);
in.readParcelableList(mChains, WorkChain.class.getClassLoader());
} else {

View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Winson Chung <winsonc@google.com>
Date: Wed, 11 Jan 2023 18:58:41 +0000
Subject: [PATCH] Revert "Ensure that only SysUI can override pending intent
launch flags"
This reverts commit c4d3106e347922610f8c554de3ae238175ed393e.
Reason for revert: b/264884187, b/264885689
Change-Id: I9fb0d66327f3f872a92e6b9d682d58489e81e6ba
(cherry picked from commit 7bb933f48ff15d8f08d2185005b7b3e212915276)
Merged-In: I9fb0d66327f3f872a92e6b9d682d58489e81e6ba
---
.../com/android/server/am/PendingIntentRecord.java | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/services/core/java/com/android/server/am/PendingIntentRecord.java b/services/core/java/com/android/server/am/PendingIntentRecord.java
index 44d67ed0d642..54504c3c1e24 100644
--- a/services/core/java/com/android/server/am/PendingIntentRecord.java
+++ b/services/core/java/com/android/server/am/PendingIntentRecord.java
@@ -317,16 +317,11 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
resolvedType = key.requestResolvedType;
}
- // Apply any launch flags from the ActivityOptions. This is used only by SystemUI
- // to ensure that we can launch the pending intent with a consistent launch mode even
- // if the provided PendingIntent is immutable (ie. to force an activity to launch into
- // a new task, or to launch multiple instances if supported by the app)
+ // Apply any launch flags from the ActivityOptions. This is to ensure that the caller
+ // can specify a consistent launch mode even if the PendingIntent is immutable
final ActivityOptions opts = ActivityOptions.fromBundle(options);
if (opts != null) {
- // TODO(b/254490217): Move this check into SafeActivityOptions
- if (controller.mAtmInternal.isCallerRecents(Binder.getCallingUid())) {
- finalIntent.addFlags(opts.getPendingIntentLaunchFlags());
- }
+ finalIntent.addFlags(opts.getPendingIntentLaunchFlags());
}
// Extract options before clearing calling identity

View File

@ -41,7 +41,7 @@ index d91b7f8b8..befc92fb4 100644
configureRandomizedMacAddress(config); configureRandomizedMacAddress(config);
} else { } else {
diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java
index fce5758e1..817fb2958 100644 index 393a5c395..cb44fb4ab 100644
--- a/service/java/com/android/server/wifi/WifiConfigManager.java --- a/service/java/com/android/server/wifi/WifiConfigManager.java
+++ b/service/java/com/android/server/wifi/WifiConfigManager.java +++ b/service/java/com/android/server/wifi/WifiConfigManager.java
@@ -1113,7 +1113,13 @@ public class WifiConfigManager { @@ -1113,7 +1113,13 @@ public class WifiConfigManager {

View File

@ -0,0 +1,250 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Tue, 21 Mar 2023 13:01:30 -0400
Subject: [PATCH] Revert "[DO NOT MERGE] wifi: remove certificates for network
factory reset"
This reverts commit 5aa2d76b9d820ebe175a5f4c416a873352000c71.
Change-Id: I3ae8d2ae65006560bd2b5b44a6075ba207707e1b
---
.../server/wifi/WifiConfigManager.java | 2 +-
.../com/android/server/wifi/WifiKeyStore.java | 7 ++---
.../wifi/WifiNetworkSuggestionsManager.java | 2 +-
.../android/server/wifi/WifiServiceImpl.java | 6 ----
.../server/wifi/WifiConfigManagerTest.java | 6 ++--
.../android/server/wifi/WifiKeyStoreTest.java | 28 +++----------------
.../WifiNetworkSuggestionsManagerTest.java | 2 +-
.../server/wifi/WifiServiceImplTest.java | 16 ++++-------
8 files changed, 18 insertions(+), 51 deletions(-)
diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java
index fce5758e1..393a5c395 100644
--- a/service/java/com/android/server/wifi/WifiConfigManager.java
+++ b/service/java/com/android/server/wifi/WifiConfigManager.java
@@ -1359,7 +1359,7 @@ public class WifiConfigManager {
// will remove the enterprise keys when provider is uninstalled. Suggestion enterprise
// networks will remove the enterprise keys when suggestion is removed.
if (!config.isPasspoint() && !config.fromWifiNetworkSuggestion && config.isEnterprise()) {
- mWifiKeyStore.removeKeys(config.enterpriseConfig, false);
+ mWifiKeyStore.removeKeys(config.enterpriseConfig);
}
removeConnectChoiceFromAllNetworks(config.configKey());
diff --git a/service/java/com/android/server/wifi/WifiKeyStore.java b/service/java/com/android/server/wifi/WifiKeyStore.java
index 8e82f4720..c1706a20d 100644
--- a/service/java/com/android/server/wifi/WifiKeyStore.java
+++ b/service/java/com/android/server/wifi/WifiKeyStore.java
@@ -221,11 +221,10 @@ public class WifiKeyStore {
* Remove enterprise keys from the network config.
*
* @param config Config corresponding to the network.
- * @param forceRemove remove keys regardless of the key installer.
*/
- public void removeKeys(WifiEnterpriseConfig config, boolean forceRemove) {
+ public void removeKeys(WifiEnterpriseConfig config) {
// Do not remove keys that were manually installed by the user
- if (forceRemove || config.isAppInstalledDeviceKeyAndCert()) {
+ if (config.isAppInstalledDeviceKeyAndCert()) {
String client = config.getClientCertificateAlias();
// a valid client certificate is configured
if (!TextUtils.isEmpty(client)) {
@@ -238,7 +237,7 @@ public class WifiKeyStore {
}
// Do not remove CA certs that were manually installed by the user
- if (forceRemove || config.isAppInstalledCaCert()) {
+ if (config.isAppInstalledCaCert()) {
String[] aliases = config.getCaCertificateAliases();
// a valid ca certificate is configured
if (aliases != null) {
diff --git a/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java b/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java
index ae7892cd2..031aec603 100644
--- a/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java
+++ b/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java
@@ -668,7 +668,7 @@ public class WifiNetworkSuggestionsManager {
if (!config.isEnterprise()) {
continue;
}
- mWifiKeyStore.removeKeys(config.enterpriseConfig, false);
+ mWifiKeyStore.removeKeys(config.enterpriseConfig);
}
// Clear the scan cache.
removeFromScanResultMatchInfoMap(removingSuggestions);
diff --git a/service/java/com/android/server/wifi/WifiServiceImpl.java b/service/java/com/android/server/wifi/WifiServiceImpl.java
index 0d6732dd7..d375ba4c8 100644
--- a/service/java/com/android/server/wifi/WifiServiceImpl.java
+++ b/service/java/com/android/server/wifi/WifiServiceImpl.java
@@ -3002,13 +3002,7 @@ public class WifiServiceImpl extends BaseWifiService {
List<WifiConfiguration> networks = mClientModeImpl.syncGetConfiguredNetworks(
Binder.getCallingUid(), mClientModeImplChannel, Process.WIFI_UID);
if (networks != null) {
- EventLog.writeEvent(0x534e4554, "231985227", -1,
- "Remove certs for factory reset");
for (WifiConfiguration config : networks) {
- if (config.isEnterprise()) {
- mWifiInjector.getWifiKeyStore().removeKeys(
- config.enterpriseConfig, true);
- }
removeNetwork(config.networkId, packageName);
}
}
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
index 71d06fb7e..f5ad049dd 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
@@ -703,7 +703,7 @@ public class WifiConfigManagerTest {
verify(mWcmListener, never()).onSavedNetworkAdded(suggestionNetwork.networkId);
assertTrue(mWifiConfigManager
.removeNetwork(suggestionNetwork.networkId, TEST_CREATOR_UID));
- verify(mWifiKeyStore, never()).removeKeys(any(), eq(false));
+ verify(mWifiKeyStore, never()).removeKeys(any());
}
/**
@@ -947,7 +947,7 @@ public class WifiConfigManagerTest {
assertTrue(mWifiConfigManager.removeNetwork(passpointNetwork.networkId, Process.WIFI_UID));
// Verify keys are not being removed.
- verify(mWifiKeyStore, never()).removeKeys(any(WifiEnterpriseConfig.class), eq(false));
+ verify(mWifiKeyStore, never()).removeKeys(any(WifiEnterpriseConfig.class));
verifyNetworkRemoveBroadcast(passpointNetwork);
// Ensure that the write was not invoked for Passpoint network remove.
mContextConfigStoreMockOrder.verify(mWifiConfigStore, never()).write(anyBoolean());
@@ -5169,7 +5169,7 @@ public class WifiConfigManagerTest {
assertTrue(mWifiConfigManager.removeNetwork(configuration.networkId, TEST_CREATOR_UID));
// Verify keys are not being removed.
- verify(mWifiKeyStore, never()).removeKeys(any(WifiEnterpriseConfig.class), eq(false));
+ verify(mWifiKeyStore, never()).removeKeys(any(WifiEnterpriseConfig.class));
verifyNetworkRemoveBroadcast(configuration);
// Ensure that the write was not invoked for Passpoint network remove.
mContextConfigStoreMockOrder.verify(mWifiConfigStore, never()).write(anyBoolean());
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java b/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java
index 3f54c3f85..7649d1ba4 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java
@@ -96,7 +96,7 @@ public class WifiKeyStoreTest {
public void testRemoveKeysForAppInstalledCerts() {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true);
- mWifiKeyStore.removeKeys(mWifiEnterpriseConfig, false);
+ mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
// Method calls the KeyStore#delete method 4 times, user key, user cert, and 2 CA cert
verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID);
@@ -115,7 +115,7 @@ public class WifiKeyStoreTest {
public void testRemoveKeysForMixedInstalledCerts1() {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false);
- mWifiKeyStore.removeKeys(mWifiEnterpriseConfig, false);
+ mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
// Method calls the KeyStore#delete method 2 times: user key and user cert
verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID);
@@ -131,7 +131,7 @@ public class WifiKeyStoreTest {
public void testRemoveKeysForMixedInstalledCerts2() {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true);
- mWifiKeyStore.removeKeys(mWifiEnterpriseConfig, false);
+ mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
// Method calls the KeyStore#delete method 2 times: 2 CA certs
verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[0],
@@ -148,27 +148,7 @@ public class WifiKeyStoreTest {
public void testRemoveKeysForUserInstalledCerts() {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false);
- mWifiKeyStore.removeKeys(mWifiEnterpriseConfig, false);
- verifyNoMoreInteractions(mKeyStore);
- }
-
- /**
- * Verifies that keys and certs are removed when they were not installed by the user
- * when forceRemove is true.
- */
- @Test
- public void testForceRemoveKeysForUserInstalledCerts() throws Exception {
- when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false);
- when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false);
- mWifiKeyStore.removeKeys(mWifiEnterpriseConfig, true);
-
- // KeyStore#delete() is called three time for user cert, user key, and 2 CA cert.
- verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID);
- verify(mKeyStore).delete(Credentials.USER_CERTIFICATE + USER_CERT_ALIAS, Process.WIFI_UID);
- verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[0],
- Process.WIFI_UID);
- verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[1],
- Process.WIFI_UID);
+ mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
verifyNoMoreInteractions(mKeyStore);
}
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
index 60dcf153c..ed5bb39ab 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
@@ -344,7 +344,7 @@ public class WifiNetworkSuggestionsManagerTest {
assertEquals(WifiManager.STATUS_NETWORK_SUGGESTIONS_SUCCESS,
mWifiNetworkSuggestionsManager.remove(new ArrayList<>(),
TEST_UID_1, TEST_PACKAGE_1));
- verify(mWifiKeyStore).removeKeys(any(), eq(false));
+ verify(mWifiKeyStore).removeKeys(any());
}
/**
* Verify successful replace (add,remove, add) of network suggestions.
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java b/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
index 53d6d7815..fab326858 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
@@ -260,7 +260,6 @@ public class WifiServiceImplTest {
@Mock WifiScoreCard mWifiScoreCard;
@Mock PasspointManager mPasspointManager;
@Mock IDppCallback mDppCallback;
- @Mock WifiKeyStore mWifiKeyStore;
@Spy FakeWifiLog mLog;
@@ -402,7 +401,6 @@ public class WifiServiceImplTest {
when(mContext.checkPermission(eq(android.Manifest.permission.NETWORK_MANAGED_PROVISIONING),
anyInt(), anyInt())).thenReturn(PackageManager.PERMISSION_DENIED);
when(mScanRequestProxy.startScan(anyInt(), anyString())).thenReturn(true);
- when(mWifiInjector.getWifiKeyStore()).thenReturn(mWifiKeyStore);
ArgumentCaptor<SoftApCallback> softApCallbackCaptor =
ArgumentCaptor.forClass(SoftApCallback.class);
@@ -3643,11 +3641,7 @@ public class WifiServiceImplTest {
anyInt(), anyInt())).thenReturn(PackageManager.PERMISSION_GRANTED);
when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(true);
final String fqdn = "example.com";
- WifiConfiguration openNetwork = WifiConfigurationTestUtil.createOpenNetwork();
- openNetwork.networkId = TEST_NETWORK_ID;
- WifiConfiguration eapNetwork = WifiConfigurationTestUtil.createEapNetwork(
- WifiEnterpriseConfig.Eap.TLS, WifiEnterpriseConfig.Phase2.NONE);
- eapNetwork.networkId = TEST_NETWORK_ID + 1;
+ WifiConfiguration network = WifiConfigurationTestUtil.createOpenNetwork();
PasspointConfiguration config = new PasspointConfiguration();
HomeSp homeSp = new HomeSp();
homeSp.setFqdn(fqdn);
@@ -3655,17 +3649,17 @@ public class WifiServiceImplTest {
mWifiServiceImpl.mClientModeImplChannel = mAsyncChannel;
when(mClientModeImpl.syncGetConfiguredNetworks(anyInt(), any(), anyInt()))
- .thenReturn(Arrays.asList(openNetwork, eapNetwork));
+ .thenReturn(Arrays.asList(network));
when(mClientModeImpl.syncGetPasspointConfigs(any(), anyBoolean()))
.thenReturn(Arrays.asList(config));
+ when(mClientModeImpl.syncGetPasspointConfigs(any())).thenReturn(Arrays.asList(config));
+
mWifiServiceImpl.factoryReset(TEST_PACKAGE_NAME);
mLooper.dispatchAll();
verify(mWifiApConfigStore).setApConfiguration(null);
- verify(mClientModeImpl).syncRemoveNetwork(mAsyncChannel, openNetwork.networkId);
- verify(mClientModeImpl).syncRemoveNetwork(mAsyncChannel, eapNetwork.networkId);
- verify(mWifiKeyStore).removeKeys(eapNetwork.enterpriseConfig, true);
+ verify(mClientModeImpl).syncRemoveNetwork(mAsyncChannel, network.networkId);
verify(mClientModeImpl).syncRemovePasspointConfig(mAsyncChannel, true, fqdn);
verify(mWifiConfigManager).clearDeletedEphemeralNetworks();
verify(mClientModeImpl).clearNetworkRequestUserApprovedAccessPoints();

View File

@ -0,0 +1,120 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Johnston <acjohnston@google.com>
Date: Wed, 14 Sep 2022 08:02:27 +0000
Subject: [PATCH] DO NOT MERGE Stop managed profile owner granting READ_SMS
Reason: There is only one telephony stack shared
between the personal and work profile.
This change is a partial cherry-pick of ag/15371816.
DPM.canAdminGrantSensorsPermissions did not exist pre-S. Pre-S,
the admin was always able to grant permissions incl sensor permissions. The change here will continue to allow granting of permissions unless the admin is on a managed profile and the permission is READ_SMS.
Bug: 194382185
Bug: 189942529
Test: manual testing with TestDPC
Change-Id: Icc1e59a18c4786635cbc651aefc2561fbbddfdb1
(cherry picked from commit 7cd8e7f00cf2d921a2d9b2999cfc85a148c781b9)
Merged-In: Icc1e59a18c4786635cbc651aefc2561fbbddfdb1
---
.../PermissionControllerServiceImpl.java | 14 +++++-
.../AdminRestrictedPermissionsUtils.java | 44 +++++++++++++++++++
2 files changed, 56 insertions(+), 2 deletions(-)
create mode 100644 src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
diff --git a/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java b/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
index 57f399275..2121d6e5d 100644
--- a/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
+++ b/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
@@ -35,6 +35,7 @@ import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.AsyncTask;
import android.os.UserHandle;
+import android.os.UserManager;
import android.permission.PermissionControllerService;
import android.permission.PermissionManager;
import android.permission.RuntimePermissionPresentationInfo;
@@ -52,6 +53,7 @@ import com.android.packageinstaller.permission.model.AppPermissionUsage.GroupUsa
import com.android.packageinstaller.permission.model.AppPermissions;
import com.android.packageinstaller.permission.model.Permission;
import com.android.packageinstaller.permission.model.PermissionUsages;
+import com.android.packageinstaller.permission.utils.AdminRestrictedPermissionsUtils;
import com.android.packageinstaller.permission.utils.Utils;
import org.xmlpull.v1.XmlPullParser;
@@ -576,6 +578,8 @@ public final class PermissionControllerServiceImpl extends PermissionControllerS
AppPermissions app = new AppPermissions(this, pkgInfo, false, true, null);
+ final boolean isManagedProfile = getSystemService(UserManager.class).isManagedProfile();
+
int numPerms = expandedPermissions.size();
for (int i = 0; i < numPerms; i++) {
String permName = expandedPermissions.get(i);
@@ -591,8 +595,14 @@ public final class PermissionControllerServiceImpl extends PermissionControllerS
switch (grantState) {
case PERMISSION_GRANT_STATE_GRANTED:
- perm.setPolicyFixed(true);
- group.grantRuntimePermissions(false, new String[]{permName});
+ if (AdminRestrictedPermissionsUtils.mayAdminGrantPermission(perm.getName(),
+ isManagedProfile)) {
+ perm.setPolicyFixed(true);
+ group.grantRuntimePermissions(false, new String[]{permName});
+ } else {
+ // similar to PERMISSION_GRANT_STATE_DEFAULT
+ perm.setPolicyFixed(false);
+ }
break;
case PERMISSION_GRANT_STATE_DENIED:
perm.setPolicyFixed(true);
diff --git a/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java b/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
new file mode 100644
index 000000000..5bbb37837
--- /dev/null
+++ b/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.packageinstaller.permission.utils;
+
+import android.Manifest;
+import android.util.ArraySet;
+
+/**
+ * A class for dealing with permissions that the admin may not grant in certain configurations.
+ */
+public final class AdminRestrictedPermissionsUtils {
+
+ /**
+ * A set of permissions that the managed Profile Owner cannot grant.
+ */
+ private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
+ new ArraySet<>();
+
+ static {
+ MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS);
+ }
+
+ /**
+ * Returns true if the admin may grant this permission, false otherwise.
+ */
+ public static boolean mayAdminGrantPermission(String permission, boolean isManagedProfile) {
+ return !isManagedProfile
+ || !MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
+ }
+}

View File

@ -0,0 +1,378 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tsung-Mao Fang <tmfang@google.com>
Date: Mon, 3 Jan 2022 18:25:04 +0800
Subject: [PATCH] FRP bypass defense in the settings app
Over the last few years, there have been a number of
Factory Reset Protection bypass bugs in the SUW flow.
It's unlikely to defense all points from individual apps.
Therefore, we decide to block some critical pages when
user doesn't complete the SUW flow.
Test: Can't open the certain pages in the suw flow.
Bug: 258422561
Fix: 200746457
Bug: 202975040
Fix: 213091525
Fix: 213090835
Fix: 201561699
Fix: 213090827
Fix: 213090875
Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
(cherry picked from commit ff5bfb40c8b09ab477efaae6a0199911a0d703dd)
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
---
.../settings/SettingsPreferenceFragment.java | 23 +++++-
.../accounts/AccountDashboardFragment.java | 5 ++
.../appinfo/AppInfoDashboardFragment.java | 5 ++
.../DevelopmentSettingsDashboardFragment.java | 5 ++
.../system/ResetDashboardFragment.java | 5 ++
.../SettingsPreferenceFragmentTest.java | 74 +++++++++++++++++++
.../AccountDashboardFragmentTest.java | 5 ++
.../appinfo/AppInfoDashboardFragmentTest.java | 5 ++
...elopmentSettingsDashboardFragmentTest.java | 5 ++
.../system/ResetDashboardFragmentTest.java | 40 ++++++++++
10 files changed, 171 insertions(+), 1 deletion(-)
create mode 100644 tests/robotests/src/com/android/settings/system/ResetDashboardFragmentTest.java
diff --git a/src/com/android/settings/SettingsPreferenceFragment.java b/src/com/android/settings/SettingsPreferenceFragment.java
index 6b29b2e1e4..0c537534df 100644
--- a/src/com/android/settings/SettingsPreferenceFragment.java
+++ b/src/com/android/settings/SettingsPreferenceFragment.java
@@ -56,6 +56,8 @@ import com.android.settingslib.core.instrumentation.Instrumentable;
import com.android.settingslib.widget.FooterPreferenceMixinCompat;
import com.android.settingslib.widget.LayoutPreference;
+import com.google.android.setupcompat.util.WizardManagerHelper;
+
import java.util.UUID;
/**
@@ -64,7 +66,7 @@ import java.util.UUID;
public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceFragment
implements DialogCreatable, HelpResourceProvider, Indexable {
- private static final String TAG = "SettingsPreference";
+ private static final String TAG = "SettingsPreferenceFragment";
private static final String SAVE_HIGHLIGHTED_KEY = "android:preference_highlighted";
@@ -128,6 +130,15 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
@VisibleForTesting
public boolean mPreferenceHighlighted = false;
+ @Override
+ public void onAttach(Context context) {
+ if (shouldSkipForInitialSUW() && !WizardManagerHelper.isDeviceProvisioned(getContext())) {
+ Log.w(TAG, "Skip " + getClass().getSimpleName() + " before SUW completed.");
+ finish();
+ }
+ super.onAttach(context);
+ }
+
@Override
public void onCreate(Bundle icicle) {
super.onCreate(icicle);
@@ -264,6 +275,16 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
return 0;
}
+ /**
+ * Whether UI should be skipped in the initial SUW flow.
+ *
+ * @return {@code true} when UI should be skipped in the initial SUW flow.
+ * {@code false} when UI should not be skipped in the initial SUW flow.
+ */
+ protected boolean shouldSkipForInitialSUW() {
+ return false;
+ }
+
protected void onDataSetChanged() {
highlightPreferenceIfNeeded();
updateEmptyView();
diff --git a/src/com/android/settings/accounts/AccountDashboardFragment.java b/src/com/android/settings/accounts/AccountDashboardFragment.java
index 515008af59..627a3177d2 100644
--- a/src/com/android/settings/accounts/AccountDashboardFragment.java
+++ b/src/com/android/settings/accounts/AccountDashboardFragment.java
@@ -67,6 +67,11 @@ public class AccountDashboardFragment extends DashboardFragment {
return buildPreferenceControllers(context, this /* parent */, authorities);
}
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return true;
+ }
+
private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
SettingsPreferenceFragment parent, String[] authorities) {
final List<AbstractPreferenceController> controllers = new ArrayList<>();
diff --git a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
index 9917d352e8..b757380c5d 100755
--- a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
+++ b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
@@ -473,6 +473,11 @@ public class AppInfoDashboardFragment extends DashboardFragment
return true;
}
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return true;
+ }
+
private void uninstallPkg(String packageName, boolean allUsers, boolean andDisable) {
stopListeningToPackageRemove();
// Create new intent to launch Uninstaller activity
diff --git a/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java b/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java
index f18225e8fb..ca46b24a31 100644
--- a/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java
+++ b/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java
@@ -181,6 +181,11 @@ public class DevelopmentSettingsDashboardFragment extends RestrictedDashboardFra
}
}
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return true;
+ }
+
@Override
public View onCreateView(LayoutInflater inflater, ViewGroup container,
Bundle savedInstanceState) {
diff --git a/src/com/android/settings/system/ResetDashboardFragment.java b/src/com/android/settings/system/ResetDashboardFragment.java
index 5243d6a393..aa06691d67 100644
--- a/src/com/android/settings/system/ResetDashboardFragment.java
+++ b/src/com/android/settings/system/ResetDashboardFragment.java
@@ -58,6 +58,11 @@ public class ResetDashboardFragment extends DashboardFragment {
return buildPreferenceControllers(context, getSettingsLifecycle());
}
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return true;
+ }
+
private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
Lifecycle lifecycle) {
final List<AbstractPreferenceController> controllers = new ArrayList<>();
diff --git a/tests/robotests/src/com/android/settings/SettingsPreferenceFragmentTest.java b/tests/robotests/src/com/android/settings/SettingsPreferenceFragmentTest.java
index cce01550a7..71c531a4c9 100644
--- a/tests/robotests/src/com/android/settings/SettingsPreferenceFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/SettingsPreferenceFragmentTest.java
@@ -23,11 +23,13 @@ import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import android.content.Context;
import android.os.Bundle;
+import android.provider.Settings;
import android.view.View;
import androidx.fragment.app.FragmentActivity;
@@ -39,6 +41,7 @@ import androidx.preference.PreferenceScreen;
import com.android.settings.testutils.FakeFeatureFactory;
import com.android.settings.widget.WorkOnlyCategory;
+import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -61,7 +64,9 @@ public class SettingsPreferenceFragmentTest {
private PreferenceScreen mPreferenceScreen;
private Context mContext;
private TestFragment mFragment;
+ private TestFragment2 mFragment2;
private View mEmptyView;
+ private int mInitDeviceProvisionedValue;
@Before
public void setUp() {
@@ -69,13 +74,24 @@ public class SettingsPreferenceFragmentTest {
FakeFeatureFactory.setupForTest();
mContext = RuntimeEnvironment.application;
mFragment = spy(new TestFragment());
+ mFragment2 = spy(new TestFragment2());
doReturn(mActivity).when(mFragment).getActivity();
when(mFragment.getContext()).thenReturn(mContext);
+ when(mFragment2.getContext()).thenReturn(mContext);
mEmptyView = new View(mContext);
ReflectionHelpers.setField(mFragment, "mEmptyView", mEmptyView);
doReturn(ITEM_COUNT).when(mPreferenceScreen).getPreferenceCount();
+
+ mInitDeviceProvisionedValue = Settings.Global.getInt(mContext.getContentResolver(),
+ Settings.Global.DEVICE_PROVISIONED, 0);
+ }
+
+ @After
+ public void tearDown() {
+ Settings.Global.putInt(mContext.getContentResolver(),
+ Settings.Global.DEVICE_PROVISIONED, mInitDeviceProvisionedValue);
}
@Test
@@ -187,8 +203,66 @@ public class SettingsPreferenceFragmentTest {
verify(workOnlyCategory).setVisible(false);
}
+ @Test
+ public void onAttach_shouldNotSkipForSUWAndDeviceIsProvisioned_notCallFinish() {
+ Settings.Global.putInt(mContext.getContentResolver(),
+ Settings.Global.DEVICE_PROVISIONED, 1);
+
+ mFragment.onAttach(mContext);
+
+ verify(mFragment, never()).finish();
+ }
+
+ @Test
+ public void onAttach_shouldNotSkipForSUWAndDeviceIsNotProvisioned_notCallFinish() {
+ Settings.Global.putInt(mContext.getContentResolver(),
+ Settings.Global.DEVICE_PROVISIONED, 0);
+
+ mFragment.onAttach(mContext);
+
+ verify(mFragment, never()).finish();
+ }
+
+ @Test
+ public void onAttach_shouldSkipForSUWAndDeviceIsDeviceProvisioned_notCallFinish() {
+ Settings.Global.putInt(mContext.getContentResolver(),
+ Settings.Global.DEVICE_PROVISIONED, 1);
+
+ mFragment2.onAttach(mContext);
+
+ verify(mFragment2, never()).finish();
+ }
+
+ @Test
+ public void onAttach_shouldSkipForSUWAndDeviceProvisioned_notCallFinish() {
+ Settings.Global.putInt(mContext.getContentResolver(),
+ Settings.Global.DEVICE_PROVISIONED, 0);
+
+ mFragment2.onAttach(mContext);
+
+ verify(mFragment2, times(1)).finish();
+ }
+
public static class TestFragment extends SettingsPreferenceFragment {
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return false;
+ }
+
+ @Override
+ public int getMetricsCategory() {
+ return 0;
+ }
+ }
+
+ public static class TestFragment2 extends SettingsPreferenceFragment {
+
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return true;
+ }
+
@Override
public int getMetricsCategory() {
return 0;
diff --git a/tests/robotests/src/com/android/settings/accounts/AccountDashboardFragmentTest.java b/tests/robotests/src/com/android/settings/accounts/AccountDashboardFragmentTest.java
index 006087516c..b04d5c7637 100644
--- a/tests/robotests/src/com/android/settings/accounts/AccountDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/accounts/AccountDashboardFragmentTest.java
@@ -53,4 +53,9 @@ public class AccountDashboardFragmentTest {
assertThat(indexRes).isNotNull();
assertThat(indexRes.get(0).xmlResId).isEqualTo(mFragment.getPreferenceScreenResId());
}
+
+ @Test
+ public void shouldSkipForInitialSUW_returnTrue() {
+ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+ }
}
diff --git a/tests/robotests/src/com/android/settings/applications/appinfo/AppInfoDashboardFragmentTest.java b/tests/robotests/src/com/android/settings/applications/appinfo/AppInfoDashboardFragmentTest.java
index e46cd06afe..5292c60f86 100644
--- a/tests/robotests/src/com/android/settings/applications/appinfo/AppInfoDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/applications/appinfo/AppInfoDashboardFragmentTest.java
@@ -384,6 +384,11 @@ public final class AppInfoDashboardFragmentTest {
.isTrue();
}
+ @Test
+ public void shouldSkipForInitialSUW_returnTrue() {
+ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+ }
+
@Implements(AppUtils.class)
public static class ShadowAppUtils {
diff --git a/tests/robotests/src/com/android/settings/development/DevelopmentSettingsDashboardFragmentTest.java b/tests/robotests/src/com/android/settings/development/DevelopmentSettingsDashboardFragmentTest.java
index 83a4880968..d460d13e9e 100644
--- a/tests/robotests/src/com/android/settings/development/DevelopmentSettingsDashboardFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/development/DevelopmentSettingsDashboardFragmentTest.java
@@ -275,6 +275,11 @@ public class DevelopmentSettingsDashboardFragmentTest {
verify(controller).onDisableLogPersistDialogRejected();
}
+ @Test
+ public void shouldSkipForInitialSUW_returnTrue() {
+ assertThat(mDashboard.shouldSkipForInitialSUW()).isTrue();
+ }
+
@Implements(EnableDevelopmentSettingWarningDialog.class)
public static class ShadowEnableDevelopmentSettingWarningDialog {
diff --git a/tests/robotests/src/com/android/settings/system/ResetDashboardFragmentTest.java b/tests/robotests/src/com/android/settings/system/ResetDashboardFragmentTest.java
new file mode 100644
index 0000000000..c1d47887a7
--- /dev/null
+++ b/tests/robotests/src/com/android/settings/system/ResetDashboardFragmentTest.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.system;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.robolectric.RobolectricTestRunner;
+
+@RunWith(RobolectricTestRunner.class)
+public class ResetDashboardFragmentTest {
+
+ private ResetDashboardFragment mFragment;
+
+ @Before
+ public void setup() {
+ mFragment = new ResetDashboardFragment();
+ }
+
+ @Test
+ public void shouldSkipForInitialSUW_returnTrue() {
+ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+ }
+}

View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yanting Yang <yantingyang@google.com>
Date: Wed, 4 Jan 2023 09:40:38 +0000
Subject: [PATCH] Add DISALLOW_APPS_CONTROL check into uninstall app for all
users
Settings App info page supports a "Uninstall for all users" function
when multiple users are enabled. It bypasses the restriction of
DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
restriction to provide the "Uninstall for all users" function.
Bug: 258653813
Test: manual & robotests
Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
(cherry picked from commit 86914bedc84474c152e4536fb3cfa2fb488030b8)
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
---
.../applications/appinfo/AppInfoDashboardFragment.java | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
mode change 100755 => 100644 src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
diff --git a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
old mode 100755
new mode 100644
index b757380c5d..bbbb7113d5
--- a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
+++ b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java
@@ -355,7 +355,13 @@ public class AppInfoDashboardFragment extends DashboardFragment
return;
}
super.onPrepareOptionsMenu(menu);
- menu.findItem(UNINSTALL_ALL_USERS_MENU).setVisible(shouldShowUninstallForAll(mAppEntry));
+ final MenuItem uninstallAllUsersItem = menu.findItem(UNINSTALL_ALL_USERS_MENU);
+ uninstallAllUsersItem.setVisible(
+ shouldShowUninstallForAll(mAppEntry) && !mAppsControlDisallowedBySystem);
+ if (uninstallAllUsersItem.isVisible()) {
+ RestrictedLockUtilsInternal.setMenuItemAsDisabledByAdmin(getActivity(),
+ uninstallAllUsersItem, mAppsControlDisallowedAdmin);
+ }
mUpdatedSysApp = (mAppEntry.info.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0;
final MenuItem uninstallUpdatesItem = menu.findItem(UNINSTALL_UPDATES);
final boolean uninstallUpdateDisabled = getContext().getResources().getBoolean(

View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 28 Dec 2022 00:32:37 +0000
Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
Bug: 258652631
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
---
stack/gatt/gatt_cl.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 3115317da..db41c5f9f 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -572,7 +572,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
gatt_dbg_op_name(op_code), len);
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
LOG(ERROR) << "illegal prepare write response length, discard";
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
return;
@@ -581,7 +582,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
STREAM_TO_UINT16(value.handle, p);
STREAM_TO_UINT16(value.offset, p);
- value.len = len - 4;
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
memcpy(value.value, p, value.len);

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Mon, 2 Jan 2023 22:05:45 +0000
Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
`-=` operation on it may result in integer underflow and
OOB write with the computed pointer passed to
A2DP_BuildMediaPayloadHeaderSbc.
This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Tag:#security
Bug: 186803518
Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec
(cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7)
Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
---
stack/a2dp/a2dp_sbc.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index 4c48993c4..5036eec2e 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
@@ -704,6 +704,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
BT_HDR* p_buf, uint16_t frames_per_packet) {
uint8_t* p;
+ // there is a timestamp right following p_buf
+ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+ return false;
+ }
+
p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
p_buf->len += A2DP_SBC_MPL_HDR_LEN;

View File

@ -0,0 +1,75 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 4 Jan 2023 22:45:13 +0000
Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
When the `attr_pad` becomes full, it is possible
that un index of `-1` is computed write
a zero byte to `p_val`, rusulting OOB write.
```
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
```
This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b
Bug: 261867748
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)
Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
---
stack/sdp/sdp_db.cc | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
index ea5b84d23..4130ae71a 100644
--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc
@@ -362,6 +362,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
uint16_t xx, yy, zz;
tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ if (p_val == nullptr) {
+ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+ return (false);
+ }
+
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
if ((attr_type == UINT_DESC_TYPE) ||
(attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -398,6 +403,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
if (p_rec->record_handle == handle) {
tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+ // error out early, no need to look up
+ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+ "full, skip adding the attribute", handle);
+ return (false);
+ }
+
/* Found the record. Now, see if the attribute already exists */
for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
/* The attribute exists. replace it */
@@ -437,15 +449,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
attr_len = 0;
}
- if ((attr_len > 0) && (p_val != 0)) {
+ if (attr_len > 0) {
p_attr->len = attr_len;
memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
p_rec->free_pad_ptr += attr_len;
- } else if ((attr_len == 0 &&
- p_attr->len !=
- 0) || /* if truncate to 0 length, simply don't add */
- p_val == 0) {
+ } else if (attr_len == 0 && p_attr->len != 0) {
+ /* if truncate to 0 length, simply don't add */
SDP_TRACE_ERROR(
"SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
attr_id, attr_len);

View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 28 Dec 2022 00:32:37 +0000
Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
Bug: 258652631
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
---
stack/gatt/gatt_cl.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 73a338b6d..98186daed 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -578,7 +578,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
gatt_dbg_op_name(op_code), len);
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
LOG(ERROR) << "illegal prepare write response length, discard";
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
return;
@@ -587,7 +588,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
STREAM_TO_UINT16(value.handle, p);
STREAM_TO_UINT16(value.offset, p);
- value.len = len - 4;
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
memcpy(value.value, p, value.len);

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Mon, 2 Jan 2023 22:05:45 +0000
Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
`-=` operation on it may result in integer underflow and
OOB write with the computed pointer passed to
A2DP_BuildMediaPayloadHeaderSbc.
This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Tag:#security
Bug: 186803518
Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec
(cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7)
Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
---
stack/a2dp/a2dp_sbc.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index 623ecfac1..393a17ee5 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
@@ -881,6 +881,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
BT_HDR* p_buf, uint16_t frames_per_packet) {
uint8_t* p;
+ // there is a timestamp right following p_buf
+ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+ return false;
+ }
+
p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
p_buf->len += A2DP_SBC_MPL_HDR_LEN;

View File

@ -0,0 +1,78 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 4 Jan 2023 22:45:13 +0000
Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
When the `attr_pad` becomes full, it is possible
that un index of `-1` is computed write
a zero byte to `p_val`, rusulting OOB write.
```
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
```
This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b
Bug: 261867748
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)
Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
---
stack/sdp/sdp_db.cc | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
index 65ed52fd9..23e5b53ff 100644
--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc
@@ -399,6 +399,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
uint16_t xx;
tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ if (p_val == nullptr) {
+ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+ return (false);
+ }
+
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
if ((attr_type == UINT_DESC_TYPE) ||
(attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -433,7 +438,15 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
/* Find the record in the database */
for (xx = 0; xx < sdp_cb.server_db.num_records; xx++, p_rec++) {
if (p_rec->record_handle == handle) {
- return SDP_AddAttributeToRecord (p_rec, attr_id, attr_type, attr_len, p_val);
+
+ // error out early, no need to look up
+ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+ "full, skip adding the attribute", handle);
+ return (false);
+ } else {
+ return SDP_AddAttributeToRecord (p_rec, attr_id, attr_type, attr_len, p_val);
+ }
}
}
#endif
@@ -500,15 +513,13 @@ bool SDP_AddAttributeToRecord (tSDP_RECORD *p_rec, uint16_t attr_id,
attr_len = 0;
}
- if ((attr_len > 0) && (p_val != 0)) {
+ if (attr_len > 0) {
p_attr->len = attr_len;
memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
p_rec->free_pad_ptr += attr_len;
- } else if ((attr_len == 0 &&
- p_attr->len !=
- 0) || /* if truncate to 0 length, simply don't add */
- p_val == 0) {
+ } else if (attr_len == 0 && p_attr->len != 0) {
+ /* if truncate to 0 length, simply don't add */
SDP_TRACE_ERROR(
"SDP_AddAttributeToRecord fail, length exceed maximum: ID %d: attr_len:%d ",
attr_id, attr_len);

View File

@ -0,0 +1,100 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rocky Liao <quic_rjliao@quicinc.com>
Date: Mon, 19 Sep 2022 17:39:42 +0800
Subject: [PATCH] AVRCP: Fix potential buffer overflow
There will be buffer overflow if remote response exceeds
AVRC_MAX_APP_ATTR_SIZE, add array index check to avoid
buffer overflow issue.
CRs-fixed: 3278869
Change-Id: Ia93690e0dc4b28fd01af3a406678d43d426d3be8
---
btif/src/btif_rc.cc | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
index 0b34f7c36..a0e38998f 100644
--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc
@@ -5067,13 +5067,13 @@ static void handle_app_attr_txt_response(tBTA_AV_META_MSG* pmeta_msg,
* for standard attributes.
*/
p_app_settings->num_ext_attrs = 0;
- for (xx = 0; xx < p_app_settings->ext_attr_index; xx++) {
+ for (xx = 0; xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE; xx++) {
osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);
}
p_app_settings->ext_attr_index = 0;
if (p_dev) {
- for (xx = 0; xx < p_app_settings->num_attrs; xx++) {
+ for (xx = 0; xx < p_app_settings->num_attrs && xx < AVRC_MAX_APP_ATTR_SIZE; xx++) {
attrs[xx] = p_app_settings->attrs[xx].attr_id;
}
@@ -5086,7 +5086,7 @@ static void handle_app_attr_txt_response(tBTA_AV_META_MSG* pmeta_msg,
for (xx = 0; xx < p_rsp->num_attr; xx++) {
uint8_t x;
- for (x = 0; x < p_app_settings->num_ext_attrs; x++) {
+ for (x = 0; x < p_app_settings->num_ext_attrs && x < AVRC_MAX_APP_ATTR_SIZE; x++) {
if (p_app_settings->ext_attrs[x].attr_id == p_rsp->p_attrs[xx].attr_id) {
p_app_settings->ext_attrs[x].charset_id = p_rsp->p_attrs[xx].charset_id;
p_app_settings->ext_attrs[x].str_len = p_rsp->p_attrs[xx].str_len;
@@ -5096,7 +5096,7 @@ static void handle_app_attr_txt_response(tBTA_AV_META_MSG* pmeta_msg,
}
}
- for (xx = 0; xx < p_app_settings->ext_attrs[0].num_val; xx++) {
+ for (xx = 0; xx < p_app_settings->ext_attrs[0].num_val && xx < BTRC_MAX_APP_ATTR_SIZE; xx++) {
vals[xx] = p_app_settings->ext_attrs[0].ext_attr_val[xx].val;
}
get_player_app_setting_value_text_cmd(vals, xx, p_dev);
@@ -5141,11 +5141,11 @@ static void handle_app_attr_val_txt_response(
* for standard attributes.
*/
p_app_settings->num_ext_attrs = 0;
- for (xx = 0; xx < p_app_settings->ext_attr_index; xx++) {
+ for (xx = 0; xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE; xx++) {
int x;
btrc_player_app_ext_attr_t* p_ext_attr = &p_app_settings->ext_attrs[xx];
- for (x = 0; x < p_ext_attr->num_val; x++)
+ for (x = 0; x < p_ext_attr->num_val && x < BTRC_MAX_APP_ATTR_SIZE; x++)
osi_free_and_reset((void**)&p_ext_attr->ext_attr_val[x].p_str);
p_ext_attr->num_val = 0;
osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);
@@ -5162,11 +5162,17 @@ static void handle_app_attr_val_txt_response(
return;
}
+ if (p_app_settings->ext_val_index >= AVRC_MAX_APP_ATTR_SIZE) {
+ BTIF_TRACE_ERROR("%s: ext_val_index is 0x%02x, overflow!",
+ __func__, p_app_settings->ext_val_index);
+ return;
+ }
+
for (xx = 0; xx < p_rsp->num_attr; xx++) {
uint8_t x;
btrc_player_app_ext_attr_t* p_ext_attr;
p_ext_attr = &p_app_settings->ext_attrs[p_app_settings->ext_val_index];
- for (x = 0; x < p_rsp->num_attr; x++) {
+ for (x = 0; x < p_rsp->num_attr && x < BTRC_MAX_APP_ATTR_SIZE; x++) {
if (p_ext_attr->ext_attr_val[x].val == p_rsp->p_attrs[xx].attr_id) {
p_ext_attr->ext_attr_val[x].charset_id = p_rsp->p_attrs[xx].charset_id;
p_ext_attr->ext_attr_val[x].str_len = p_rsp->p_attrs[xx].str_len;
@@ -5204,11 +5210,11 @@ static void handle_app_attr_val_txt_response(
/* Free the application settings information after sending to
* application.
*/
- for (xx = 0; xx < p_app_settings->ext_attr_index; xx++) {
+ for (xx = 0; xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE; xx++) {
int x;
btrc_player_app_ext_attr_t* p_ext_attr = &p_app_settings->ext_attrs[xx];
- for (x = 0; x < p_ext_attr->num_val; x++)
+ for (x = 0; x < p_ext_attr->num_val && x < BTRC_MAX_APP_ATTR_SIZE; x++)
osi_free_and_reset((void**)&p_ext_attr->ext_attr_val[x].p_str);
p_ext_attr->num_val = 0;
osi_free_and_reset((void**)&p_app_settings->ext_attrs[xx].p_str);

View File

@ -97,6 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
sed -i 's/2023-02-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-03 #XXX
fi; fi;
if enterAndClear "build/soong"; then if enterAndClear "build/soong"; then
@ -131,7 +132,17 @@ sed -i 's/about to delete/unable to delete/' pico/src/com/svox/pico/LangPackUnin
awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.java; awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.java;
fi; fi;
if enterAndClear "external/zlib"; then
applyPatch "$DOS_PATCHES/android_external_zlib/351107.patch"; #n-asb-2023-03 Fix a bug when getting a gzip header extra field with inflate().
fi;
if enterAndClear "frameworks/base"; then if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/351411-backport.patch"; #R_asb_2023-03 Move service initialization
applyPatch "$DOS_PATCHES/android_frameworks_base/351412.patch"; #R_asb_2023-03 Stop managed profile owner granting READ_SMS
applyPatch "$DOS_PATCHES/android_frameworks_base/351413-backport.patch"; #R_asb_2023-03 Enable user graularity for lockdown mode #XXX
applyPatch "$DOS_PATCHES/android_frameworks_base/351414-backport.patch"; #R_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag #XXX
applyPatch "$DOS_PATCHES/android_frameworks_base/351415.patch"; #R_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
applyPatch "$DOS_PATCHES/android_frameworks_base/351436.patch"; #R_asb_2023-03 Revert "Ensure that only SysUI can override pending intent launch flags"
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -200,6 +211,7 @@ fi;
fi; fi;
if enterAndClear "frameworks/opt/net/wifi"; then if enterAndClear "frameworks/opt/net/wifi"; then
applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/351437-backport.patch"; #R_asb_2023-03 Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset"
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
fi; fi;
@ -292,6 +304,7 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa
fi; fi;
if enterAndClear "packages/apps/PermissionController"; then if enterAndClear "packages/apps/PermissionController"; then
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/351439-backport.patch"; #R_asb_2023-03 Stop managed profile owner granting READ_SMS
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch"; #Add INTERNET permission toggle (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch"; #Add INTERNET permission toggle (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS)
@ -300,6 +313,8 @@ fi;
if enterAndClear "packages/apps/Settings"; then if enterAndClear "packages/apps/Settings"; then
git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351440-backport.patch"; #R_asb_2023-03 FRP bypass defense in the settings app
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351441.patch"; #R_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work
@ -356,6 +371,9 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc
fi; fi;
if enterAndClear "system/bt"; then if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/351443.patch"; #R_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
applyPatch "$DOS_PATCHES/android_system_bt/351444.patch"; #R_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
applyPatch "$DOS_PATCHES/android_system_bt/351445.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -420,6 +438,13 @@ if enter "vendor/divested"; then
echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch
awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
fi; fi;
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351448.patch"; #R_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351449.patch"; #R_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351450.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351451.patch"; #R_asb_2023-03 AVRCP: Fix potential buffer overflow
fi;
# #
#END OF ROM CHANGES #END OF ROM CHANGES
# #