mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-18 12:24:21 -05:00
16.0 August ASB work
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
f52adb2bc5
commit
4b2160cf56
38
Patches/LineageOS-16.0/android_external_aac/364027.patch
Normal file
38
Patches/LineageOS-16.0/android_external_aac/364027.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
|
||||
Date: Tue, 30 May 2023 16:39:32 +0200
|
||||
Subject: [PATCH] Increase patchParam array size by one and fix out-of-bounce
|
||||
write in resetLppTransposer().
|
||||
|
||||
Bug: 279766766
|
||||
Test: see POC
|
||||
(cherry picked from commit f682b8787eb312b9f8997dac4c2c18bb779cf0df)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:451762ca48e7fb30a0ce77a8962813a3419ec420)
|
||||
Merged-In: I206973e0bb21140865efffd930e39f920f477359
|
||||
Change-Id: I206973e0bb21140865efffd930e39f920f477359
|
||||
---
|
||||
libSBRdec/src/lpp_tran.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libSBRdec/src/lpp_tran.h b/libSBRdec/src/lpp_tran.h
|
||||
index 51b4395..21c4101 100644
|
||||
--- a/libSBRdec/src/lpp_tran.h
|
||||
+++ b/libSBRdec/src/lpp_tran.h
|
||||
@@ -1,7 +1,7 @@
|
||||
/* -----------------------------------------------------------------------------
|
||||
Software License for The Fraunhofer FDK AAC Codec Library for Android
|
||||
|
||||
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
|
||||
+© Copyright 1995 - 2023 Fraunhofer-Gesellschaft zur Förderung der angewandten
|
||||
Forschung e.V. All rights reserved.
|
||||
|
||||
1. INTRODUCTION
|
||||
@@ -207,7 +207,7 @@ typedef struct {
|
||||
inverse filtering levels */
|
||||
|
||||
PATCH_PARAM
|
||||
- patchParam[MAX_NUM_PATCHES]; /*!< new parameter set for patching */
|
||||
+ patchParam[MAX_NUM_PATCHES + 1]; /*!< new parameter set for patching */
|
||||
WHITENING_FACTORS
|
||||
whFactors; /*!< the pole moving factors for certain
|
||||
whitening levels as indicated in the bitstream
|
@ -0,0 +1,382 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Seigo Nonaka <nona@google.com>
|
||||
Date: Tue, 2 May 2023 10:01:38 +0900
|
||||
Subject: [PATCH] Cherrypick following three changes
|
||||
|
||||
[cherrypick 545bf3a27] [sfnt, truetype] Add `size_reset` to `MetricsVariations`.
|
||||
[cherrypick daad10810] [truetype] tt_size_reset_height to take FT_Size
|
||||
[cherrypick 51ad7b243] [services] FT_Size_Reset_Func to return FT_Error
|
||||
|
||||
Bug: 278221085
|
||||
Test: TreeHugger
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9fe9411db4b7e715a39c0ccf48d1e0328f1d8e7c)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d63b0bfcbaba361543fd9394b8d86907f52c97d)
|
||||
Merged-In: I7e839b2a36e35c27974a82cc76e853996a7c7688
|
||||
Change-Id: I7e839b2a36e35c27974a82cc76e853996a7c7688
|
||||
---
|
||||
include/freetype/internal/services/svmetric.h | 8 ++-
|
||||
include/freetype/internal/tttypes.h | 10 ++-
|
||||
src/cff/cffdrivr.c | 9 ++-
|
||||
src/cff/cffobjs.c | 6 +-
|
||||
src/sfnt/sfobjs.c | 14 ++--
|
||||
src/sfnt/ttmtx.c | 2 +-
|
||||
src/truetype/ttdriver.c | 7 +-
|
||||
src/truetype/ttgxvar.c | 23 ++++---
|
||||
src/truetype/ttobjs.c | 68 +++++++++++--------
|
||||
src/truetype/ttobjs.h | 6 +-
|
||||
10 files changed, 98 insertions(+), 55 deletions(-)
|
||||
|
||||
diff --git a/include/freetype/internal/services/svmetric.h b/include/freetype/internal/services/svmetric.h
|
||||
index abaacddbb..2e8a2e6b3 100644
|
||||
--- a/include/freetype/internal/services/svmetric.h
|
||||
+++ b/include/freetype/internal/services/svmetric.h
|
||||
@@ -77,6 +77,9 @@ FT_BEGIN_HEADER
|
||||
typedef void
|
||||
(*FT_Metrics_Adjust_Func)( FT_Face face );
|
||||
|
||||
+ typedef FT_Error
|
||||
+ (*FT_Size_Reset_Func)( FT_Size size );
|
||||
+
|
||||
|
||||
FT_DEFINE_SERVICE( MetricsVariations )
|
||||
{
|
||||
@@ -90,6 +93,7 @@ FT_BEGIN_HEADER
|
||||
FT_VOrg_Adjust_Func vorg_adjust;
|
||||
|
||||
FT_Metrics_Adjust_Func metrics_adjust;
|
||||
+ FT_Size_Reset_Func size_reset;
|
||||
};
|
||||
|
||||
|
||||
@@ -103,7 +107,8 @@ FT_BEGIN_HEADER
|
||||
tsb_adjust_, \
|
||||
bsb_adjust_, \
|
||||
vorg_adjust_, \
|
||||
- metrics_adjust_ ) \
|
||||
+ metrics_adjust_, \
|
||||
+ size_reset_ ) \
|
||||
static const FT_Service_MetricsVariationsRec class_ = \
|
||||
{ \
|
||||
hadvance_adjust_, \
|
||||
@@ -114,6 +119,7 @@ FT_BEGIN_HEADER
|
||||
bsb_adjust_, \
|
||||
vorg_adjust_, \
|
||||
metrics_adjust_ \
|
||||
+ size_reset_ \
|
||||
};
|
||||
|
||||
#else /* FT_CONFIG_OPTION_PIC */
|
||||
diff --git a/include/freetype/internal/tttypes.h b/include/freetype/internal/tttypes.h
|
||||
index 10dd336a8..422a680de 100644
|
||||
--- a/include/freetype/internal/tttypes.h
|
||||
+++ b/include/freetype/internal/tttypes.h
|
||||
@@ -1437,8 +1437,14 @@ FT_BEGIN_HEADER
|
||||
void* mm;
|
||||
|
||||
/* a typeless pointer to the FT_Service_MetricsVariationsRec table */
|
||||
- /* used to handle the HVAR, VVAR, and MVAR OpenType tables */
|
||||
- void* var;
|
||||
+ /* used to handle the HVAR, VVAR, and MVAR OpenType tables by the */
|
||||
+ /* "truetype" driver */
|
||||
+ void* tt_var;
|
||||
+
|
||||
+ /* a typeless pointer to the FT_Service_MetricsVariationsRec table */
|
||||
+ /* used to handle the HVAR, VVAR, and MVAR OpenType tables by this */
|
||||
+ /* TT_Face's driver */
|
||||
+ void* face_var;
|
||||
#endif
|
||||
|
||||
/* a typeless pointer to the PostScript Aux service */
|
||||
diff --git a/src/cff/cffdrivr.c b/src/cff/cffdrivr.c
|
||||
index df896848d..7f809bf88 100644
|
||||
--- a/src/cff/cffdrivr.c
|
||||
+++ b/src/cff/cffdrivr.c
|
||||
@@ -933,7 +933,8 @@
|
||||
FT_UInt gindex,
|
||||
FT_Int *avalue )
|
||||
{
|
||||
- FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)face->var;
|
||||
+ FT_Service_MetricsVariations
|
||||
+ var = (FT_Service_MetricsVariations)face->tt_var;
|
||||
|
||||
|
||||
return var->hadvance_adjust( FT_FACE( face ), gindex, avalue );
|
||||
@@ -943,7 +944,8 @@
|
||||
static void
|
||||
cff_metrics_adjust( CFF_Face face )
|
||||
{
|
||||
- FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)face->var;
|
||||
+ FT_Service_MetricsVariations
|
||||
+ var = (FT_Service_MetricsVariations)face->tt_var;
|
||||
|
||||
|
||||
var->metrics_adjust( FT_FACE( face ) );
|
||||
@@ -962,7 +964,8 @@
|
||||
(FT_BSB_Adjust_Func) NULL, /* bsb_adjust */
|
||||
(FT_VOrg_Adjust_Func) NULL, /* vorg_adjust */
|
||||
|
||||
- (FT_Metrics_Adjust_Func) cff_metrics_adjust /* metrics_adjust */
|
||||
+ (FT_Metrics_Adjust_Func) cff_metrics_adjust, /* metrics_adjust */
|
||||
+ (FT_Size_Reset_Func) NULL /* size_reset */
|
||||
)
|
||||
#endif
|
||||
|
||||
diff --git a/src/cff/cffobjs.c b/src/cff/cffobjs.c
|
||||
index a2d7aec65..30e68a104 100644
|
||||
--- a/src/cff/cffobjs.c
|
||||
+++ b/src/cff/cffobjs.c
|
||||
@@ -710,8 +710,10 @@
|
||||
|
||||
#ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
|
||||
{
|
||||
- FT_Service_MultiMasters mm = (FT_Service_MultiMasters)face->mm;
|
||||
- FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)face->var;
|
||||
+ FT_Service_MultiMasters
|
||||
+ mm = (FT_Service_MultiMasters)face->mm;
|
||||
+ FT_Service_MetricsVariations
|
||||
+ var = (FT_Service_MetricsVariations)face->face_var;
|
||||
|
||||
FT_UInt instance_index = (FT_UInt)face_index >> 16;
|
||||
|
||||
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
|
||||
index 0c917030f..b0547ea70 100644
|
||||
--- a/src/sfnt/sfobjs.c
|
||||
+++ b/src/sfnt/sfobjs.c
|
||||
@@ -896,17 +896,23 @@
|
||||
0 );
|
||||
}
|
||||
|
||||
- if ( !face->var )
|
||||
+ if ( !face->tt_var )
|
||||
{
|
||||
/* we want the metrics variations interface */
|
||||
/* from the `truetype' module only */
|
||||
FT_Module tt_module = FT_Get_Module( library, "truetype" );
|
||||
|
||||
|
||||
- face->var = ft_module_get_service( tt_module,
|
||||
- FT_SERVICE_ID_METRICS_VARIATIONS,
|
||||
- 0 );
|
||||
+ face->tt_var = ft_module_get_service( tt_module,
|
||||
+ FT_SERVICE_ID_METRICS_VARIATIONS,
|
||||
+ 0 );
|
||||
}
|
||||
+
|
||||
+ if ( !face->face_var )
|
||||
+ face->face_var = ft_module_get_service(
|
||||
+ &face->root.driver->root,
|
||||
+ FT_SERVICE_ID_METRICS_VARIATIONS,
|
||||
+ 0 );
|
||||
#endif
|
||||
|
||||
FT_TRACE2(( "SFNT driver\n" ));
|
||||
diff --git a/src/sfnt/ttmtx.c b/src/sfnt/ttmtx.c
|
||||
index 6ddda95b5..0215ac8b2 100644
|
||||
--- a/src/sfnt/ttmtx.c
|
||||
+++ b/src/sfnt/ttmtx.c
|
||||
@@ -229,7 +229,7 @@
|
||||
|
||||
#ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
|
||||
FT_Service_MetricsVariations var =
|
||||
- (FT_Service_MetricsVariations)face->var;
|
||||
+ (FT_Service_MetricsVariations)face->tt_var;
|
||||
#endif
|
||||
|
||||
|
||||
diff --git a/src/truetype/ttdriver.c b/src/truetype/ttdriver.c
|
||||
index 820cafbb8..757f3d205 100644
|
||||
--- a/src/truetype/ttdriver.c
|
||||
+++ b/src/truetype/ttdriver.c
|
||||
@@ -304,7 +304,7 @@
|
||||
/* use the scaled metrics, even when tt_size_reset fails */
|
||||
FT_Select_Metrics( size->face, strike_index );
|
||||
|
||||
- tt_size_reset( ttsize, 0 ); /* ignore return value */
|
||||
+ tt_size_reset( ttsize ); /* ignore return value */
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -356,7 +356,7 @@
|
||||
|
||||
if ( FT_IS_SCALABLE( size->face ) )
|
||||
{
|
||||
- error = tt_size_reset( ttsize, 0 );
|
||||
+ error = tt_size_reset( ttsize );
|
||||
|
||||
#ifdef TT_USE_BYTECODE_INTERPRETER
|
||||
/* for the `MPS' bytecode instruction we need the point size */
|
||||
@@ -516,7 +516,8 @@
|
||||
(FT_BSB_Adjust_Func) NULL, /* bsb_adjust */
|
||||
(FT_VOrg_Adjust_Func) NULL, /* vorg_adjust */
|
||||
|
||||
- (FT_Metrics_Adjust_Func) tt_apply_mvar /* metrics_adjust */
|
||||
+ (FT_Metrics_Adjust_Func) tt_apply_mvar, /* metrics_adjust */
|
||||
+ (FT_Size_Reset_Func) tt_size_reset_height /* size_reset */
|
||||
)
|
||||
|
||||
#endif /* TT_CONFIG_OPTION_GX_VAR_SUPPORT */
|
||||
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
|
||||
index b3e9ec7d9..fc22229de 100644
|
||||
--- a/src/truetype/ttgxvar.c
|
||||
+++ b/src/truetype/ttgxvar.c
|
||||
@@ -1283,15 +1283,14 @@
|
||||
|
||||
|
||||
static FT_Error
|
||||
- tt_size_reset_iterator( FT_ListNode node,
|
||||
+ ft_size_reset_iterator( FT_ListNode node,
|
||||
void* user )
|
||||
{
|
||||
- TT_Size size = (TT_Size)node->data;
|
||||
+ FT_Size size = (FT_Size)node->data;
|
||||
+ FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)user;
|
||||
|
||||
- FT_UNUSED( user );
|
||||
|
||||
-
|
||||
- tt_size_reset( size, 1 );
|
||||
+ var->size_reset( size );
|
||||
|
||||
return FT_Err_Ok;
|
||||
}
|
||||
@@ -1352,6 +1351,9 @@
|
||||
|
||||
/* adjust all derived values */
|
||||
{
|
||||
+ FT_Service_MetricsVariations var =
|
||||
+ (FT_Service_MetricsVariations)face->face_var;
|
||||
+
|
||||
FT_Face root = &face->root;
|
||||
|
||||
|
||||
@@ -1378,11 +1380,12 @@
|
||||
face->postscript.underlineThickness / 2;
|
||||
root->underline_thickness = face->postscript.underlineThickness;
|
||||
|
||||
- /* iterate over all FT_Size objects and call `tt_size_reset' */
|
||||
- /* to propagate the metrics changes */
|
||||
- FT_List_Iterate( &root->sizes_list,
|
||||
- tt_size_reset_iterator,
|
||||
- NULL );
|
||||
+ /* iterate over all FT_Size objects and call `var->size_reset' */
|
||||
+ /* to propagate the metrics changes */
|
||||
+ if ( var && var->size_reset )
|
||||
+ FT_List_Iterate( &root->sizes_list,
|
||||
+ ft_size_reset_iterator,
|
||||
+ (void*)var );
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/truetype/ttobjs.c b/src/truetype/ttobjs.c
|
||||
index bc8086f25..f7f9b2527 100644
|
||||
--- a/src/truetype/ttobjs.c
|
||||
+++ b/src/truetype/ttobjs.c
|
||||
@@ -1234,37 +1234,29 @@
|
||||
/*************************************************************************/
|
||||
/* */
|
||||
/* <Function> */
|
||||
- /* tt_size_reset */
|
||||
+ /* tt_size_reset_height */
|
||||
/* */
|
||||
/* <Description> */
|
||||
- /* Reset a TrueType size when resolutions and character dimensions */
|
||||
- /* have been changed. */
|
||||
+ /* Recompute a TrueType size's ascender, descender, and height */
|
||||
+ /* when resolutions and character dimensions have been changed. */
|
||||
+ /* Used for variation fonts as an iterator function. */
|
||||
/* */
|
||||
/* <Input> */
|
||||
- /* size :: A handle to the target size object. */
|
||||
- /* */
|
||||
- /* only_height :: Only recompute ascender, descender, and height; */
|
||||
- /* this flag is used for variation fonts where */
|
||||
- /* `tt_size_reset' is used as an iterator function. */
|
||||
+ /* ft_size :: */
|
||||
+ /* A handle to the target TT_Size object. This function will be called*/
|
||||
+ /* through a `FT_Size_Reset_Func` pointer which takes `FT_Size`. This*/
|
||||
+ /* function must take `FT_Size` as a result. The passed `FT_Size` is */
|
||||
+ /* expected to point to a `TT_Size`. */
|
||||
/* */
|
||||
FT_LOCAL_DEF( FT_Error )
|
||||
- tt_size_reset( TT_Size size,
|
||||
- FT_Bool only_height )
|
||||
+ tt_size_reset_height( FT_Size ft_size )
|
||||
{
|
||||
- TT_Face face;
|
||||
- FT_Size_Metrics* size_metrics;
|
||||
-
|
||||
-
|
||||
- face = (TT_Face)size->root.face;
|
||||
-
|
||||
- /* nothing to do for CFF2 */
|
||||
- if ( face->is_cff2 )
|
||||
- return FT_Err_Ok;
|
||||
+ TT_Size size = (TT_Size)ft_size;
|
||||
+ TT_Face face = (TT_Face)size->root.face;
|
||||
+ FT_Size_Metrics* size_metrics = &size->hinted_metrics;
|
||||
|
||||
size->ttmetrics.valid = FALSE;
|
||||
|
||||
- size_metrics = &size->hinted_metrics;
|
||||
-
|
||||
/* copy the result from base layer */
|
||||
*size_metrics = size->root.metrics;
|
||||
|
||||
@@ -1291,12 +1283,34 @@
|
||||
|
||||
size->ttmetrics.valid = TRUE;
|
||||
|
||||
- if ( only_height )
|
||||
- {
|
||||
- /* we must not recompute the scaling values here since */
|
||||
- /* `tt_size_reset' was already called (with only_height = 0) */
|
||||
- return FT_Err_Ok;
|
||||
- }
|
||||
+ return FT_Err_Ok;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ /**************************************************************************
|
||||
+ *
|
||||
+ * @Function:
|
||||
+ * tt_size_reset
|
||||
+ *
|
||||
+ * @Description:
|
||||
+ * Reset a TrueType size when resolutions and character dimensions
|
||||
+ * have been changed.
|
||||
+ *
|
||||
+ * @Input:
|
||||
+ * size ::
|
||||
+ * A handle to the target size object.
|
||||
+ */
|
||||
+ FT_LOCAL_DEF( FT_Error )
|
||||
+ tt_size_reset( TT_Size size )
|
||||
+ {
|
||||
+ FT_Error error;
|
||||
+ TT_Face face = (TT_Face)size->root.face;
|
||||
+ FT_Size_Metrics* size_metrics = &size->hinted_metrics;
|
||||
+
|
||||
+
|
||||
+ error = tt_size_reset_height( (FT_Size)size );
|
||||
+ if ( error )
|
||||
+ return error;
|
||||
|
||||
if ( face->header.Flags & 8 )
|
||||
{
|
||||
diff --git a/src/truetype/ttobjs.h b/src/truetype/ttobjs.h
|
||||
index 38fa30e4e..703328167 100644
|
||||
--- a/src/truetype/ttobjs.h
|
||||
+++ b/src/truetype/ttobjs.h
|
||||
@@ -390,8 +390,10 @@ FT_BEGIN_HEADER
|
||||
#endif /* TT_USE_BYTECODE_INTERPRETER */
|
||||
|
||||
FT_LOCAL( FT_Error )
|
||||
- tt_size_reset( TT_Size size,
|
||||
- FT_Bool only_height );
|
||||
+ tt_size_reset_height( FT_Size size );
|
||||
+
|
||||
+ FT_LOCAL( FT_Error )
|
||||
+ tt_size_reset( TT_Size size );
|
||||
|
||||
|
||||
/*************************************************************************/
|
@ -10,10 +10,10 @@ requiring the READ_PHONE_STATE permission.
|
||||
1 file changed, 1 insertion(+), 7 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
index f522b20f7ccd..8380e5059b5f 100644
|
||||
index 44761a523abb..c680053d3259 100644
|
||||
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
@@ -7908,13 +7908,7 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
@@ -7936,13 +7936,7 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -9,7 +9,7 @@ Subject: [PATCH] make INTERNET into a special runtime permission
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index 0aafab66dabd..c66b55feff34 100644
|
||||
index d23501a86b79..b0c7b69215b3 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1362,7 +1362,7 @@
|
||||
|
@ -9,7 +9,7 @@ Subject: [PATCH] add a NETWORK permission group for INTERNET
|
||||
2 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index c66b55feff34..a98b3bf710f3 100644
|
||||
index b0c7b69215b3..9bef69cea332 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1356,10 +1356,20 @@
|
||||
|
@ -26,7 +26,7 @@ index d99302d6696f..30f873d70400 100644
|
||||
android.os.Build.VERSION_CODES.DONUT, 0),
|
||||
new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE,
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index a98b3bf710f3..96ad65d1b04f 100644
|
||||
index 9bef69cea332..1aab9b0efa83 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1149,6 +1149,20 @@
|
||||
|
109
Patches/LineageOS-16.0/android_frameworks_base/364029.patch
Normal file
109
Patches/LineageOS-16.0/android_frameworks_base/364029.patch
Normal file
@ -0,0 +1,109 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Jing Ji <jji@google.com>
|
||||
Date: Tue, 25 Oct 2022 22:39:52 -0700
|
||||
Subject: [PATCH] DO NOT MERGE: ActivityManager#killBackgroundProcesses can
|
||||
kill caller's own app only
|
||||
|
||||
unless it's a system app.
|
||||
|
||||
Bug: 239423414
|
||||
Bug: 223376078
|
||||
Test: atest CtsAppTestCases:ActivityManagerTest
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8b382775b258220466a977453905797521e159de)
|
||||
Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
|
||||
Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
|
||||
---
|
||||
core/java/android/app/ActivityManager.java | 3 ++
|
||||
core/res/AndroidManifest.xml | 6 +++-
|
||||
.../server/am/ActivityManagerService.java | 32 +++++++++++++++++--
|
||||
3 files changed, 38 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/app/ActivityManager.java b/core/java/android/app/ActivityManager.java
|
||||
index 83630f4c3693..51411c9e208e 100644
|
||||
--- a/core/java/android/app/ActivityManager.java
|
||||
+++ b/core/java/android/app/ActivityManager.java
|
||||
@@ -3615,6 +3615,9 @@ public class ActivityManager {
|
||||
* processes to reclaim memory; the system will take care of restarting
|
||||
* these processes in the future as needed.
|
||||
*
|
||||
+ * <p class="note">Third party applications can only use this API to kill their own processes.
|
||||
+ * </p>
|
||||
+ *
|
||||
* @param packageName The name of the package whose processes are to
|
||||
* be killed.
|
||||
*/
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index 0aafab66dabd..d23501a86b79 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -2092,7 +2092,11 @@
|
||||
android:protectionLevel="normal" />
|
||||
|
||||
<!-- Allows an application to call
|
||||
- {@link android.app.ActivityManager#killBackgroundProcesses}.
|
||||
+ {@link android.app.ActivityManager#killBackgroundProcesses}.
|
||||
+
|
||||
+ <p class="note">Third party applications can only use this API to kill their own
|
||||
+ processes.</p>
|
||||
+
|
||||
<p>Protection level: normal
|
||||
-->
|
||||
<permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"
|
||||
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
index f522b20f7ccd..44761a523abb 100644
|
||||
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
@@ -6810,8 +6810,20 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
Slog.w(TAG, msg);
|
||||
throw new SecurityException(msg);
|
||||
}
|
||||
+ final int callingUid = Binder.getCallingUid();
|
||||
+ final int callingPid = Binder.getCallingPid();
|
||||
+ final int callingAppId = UserHandle.getAppId(callingUid);
|
||||
|
||||
- userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
|
||||
+ ProcessRecord proc;
|
||||
+ synchronized (mPidsSelfLocked) {
|
||||
+ proc = mPidsSelfLocked.get(callingPid);
|
||||
+ }
|
||||
+ final boolean hasKillAllPermission = PERMISSION_GRANTED == checkPermission(
|
||||
+ android.Manifest.permission.FORCE_STOP_PACKAGES, callingPid, callingUid)
|
||||
+ || UserHandle.isCore(callingUid)
|
||||
+ || (proc != null && proc.info.isSystemApp());
|
||||
+
|
||||
+ userId = mUserController.handleIncomingUser(callingPid, callingUid,
|
||||
userId, true, ALLOW_FULL_ONLY, "killBackgroundProcesses", null);
|
||||
final int[] userIds = mUserController.expandUserId(userId);
|
||||
|
||||
@@ -6826,7 +6838,7 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
targetUserId));
|
||||
} catch (RemoteException e) {
|
||||
}
|
||||
- if (appId == -1) {
|
||||
+ if (appId == -1 || (!hasKillAllPermission && appId != callingAppId)) {
|
||||
Slog.w(TAG, "Invalid packageName: " + packageName);
|
||||
return;
|
||||
}
|
||||
@@ -6851,6 +6863,22 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
throw new SecurityException(msg);
|
||||
}
|
||||
|
||||
+ final int callingUid = Binder.getCallingUid();
|
||||
+ final int callingPid = Binder.getCallingPid();
|
||||
+
|
||||
+ ProcessRecord proc;
|
||||
+ synchronized (mPidsSelfLocked) {
|
||||
+ proc = mPidsSelfLocked.get(callingPid);
|
||||
+ }
|
||||
+ if (callingUid >= FIRST_APPLICATION_UID
|
||||
+ && (proc == null || !proc.info.isSystemApp())) {
|
||||
+ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
|
||||
+ + callingPid + ", uid=" + callingUid + " is not allowed";
|
||||
+ Slog.w(TAG, msg);
|
||||
+ // Silently return to avoid existing apps from crashing.
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
final long callingId = Binder.clearCallingIdentity();
|
||||
try {
|
||||
synchronized (this) {
|
@ -0,0 +1,60 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ioana Alexandru <aioana@google.com>
|
||||
Date: Thu, 27 Apr 2023 14:55:28 +0000
|
||||
Subject: [PATCH] Verify URI permissions for notification shortcutIcon.
|
||||
|
||||
Bug: 277593270
|
||||
Test: atest NotificationManagerServiceTest
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:47e661cbf37e1dedf676f482ac07ffc433c92d0b)
|
||||
Merged-In: I1efaa1301bca36895ad4322a919d7421156a60df
|
||||
Change-Id: I1efaa1301bca36895ad4322a919d7421156a60df
|
||||
---
|
||||
core/java/android/app/Notification.java | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
|
||||
index 21bc17172b1f..d8e7d0199615 100644
|
||||
--- a/core/java/android/app/Notification.java
|
||||
+++ b/core/java/android/app/Notification.java
|
||||
@@ -17,6 +17,7 @@
|
||||
package android.app;
|
||||
|
||||
import static com.android.internal.util.NotificationColorUtil.satisfiesTextContrast;
|
||||
+import static android.graphics.drawable.Icon.TYPE_URI;
|
||||
|
||||
import android.annotation.ColorInt;
|
||||
import android.annotation.DrawableRes;
|
||||
@@ -2329,6 +2330,14 @@ public class Notification implements Parcelable
|
||||
}
|
||||
}
|
||||
|
||||
+ private static void visitIconUri(@NonNull Consumer<Uri> visitor, @Nullable Icon icon) {
|
||||
+ if (icon == null) return;
|
||||
+ final int iconType = icon.getType();
|
||||
+ if (iconType == TYPE_URI /*|| iconType == TYPE_URI_ADAPTIVE_BITMAP*/) {
|
||||
+ visitor.accept(icon.getUri());
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Note all {@link Uri} that are referenced internally, with the expectation
|
||||
* that Uri permission grants will need to be issued to ensure the recipient
|
||||
@@ -2344,7 +2353,18 @@ public class Notification implements Parcelable
|
||||
if (bigContentView != null) bigContentView.visitUris(visitor);
|
||||
if (headsUpContentView != null) headsUpContentView.visitUris(visitor);
|
||||
|
||||
+ visitIconUri(visitor, mSmallIcon);
|
||||
+ visitIconUri(visitor, mLargeIcon);
|
||||
+
|
||||
+ if (actions != null) {
|
||||
+ for (Action action : actions) {
|
||||
+ visitIconUri(visitor, action.getIcon());
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (extras != null) {
|
||||
+ visitIconUri(visitor, extras.getParcelable(EXTRA_LARGE_ICON_BIG));
|
||||
+
|
||||
visitor.accept(extras.getParcelable(EXTRA_AUDIO_CONTENTS_URI));
|
||||
visitor.accept(extras.getParcelable(EXTRA_BACKGROUND_IMAGE_URI));
|
||||
}
|
@ -0,0 +1,51 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Beverly <beverlyt@google.com>
|
||||
Date: Mon, 8 May 2023 16:33:12 +0000
|
||||
Subject: [PATCH] On device lockdown, always show the keyguard
|
||||
|
||||
Manual test steps:
|
||||
1. Enable app pinning and disable "Ask for PIN before unpinning" setting
|
||||
2. Pin an app (ie: Settings)
|
||||
3. Lockdown from the power menu
|
||||
Observe: user is brought to the keyguard, primary auth is required
|
||||
to enter the device. After entering credential, the device is still in
|
||||
app pinning mode.
|
||||
|
||||
Test: atest KeyguardViewMediatorTest
|
||||
Test: manual steps outlined above
|
||||
Bug: 218495634
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94)
|
||||
Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2
|
||||
Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2
|
||||
---
|
||||
.../systemui/keyguard/KeyguardViewMediator.java | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
index bac481c8e478..f0d389c15228 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
@@ -586,6 +586,13 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper);
|
||||
}
|
||||
}
|
||||
+
|
||||
+ @Override
|
||||
+ public void onStrongAuthStateChanged(int userId) {
|
||||
+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
+ doKeyguardLocked(null);
|
||||
+ }
|
||||
+ }
|
||||
};
|
||||
|
||||
ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() {
|
||||
@@ -1341,7 +1348,8 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
}
|
||||
|
||||
// if another app is disabling us, don't show
|
||||
- if (!mExternallyEnabled) {
|
||||
+ if (!mExternallyEnabled
|
||||
+ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
|
||||
|
||||
// note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes
|
@ -0,0 +1,242 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Grafov <pgrafov@google.com>
|
||||
Date: Wed, 5 Apr 2023 15:15:41 +0000
|
||||
Subject: [PATCH] Ensure policy has no absurdly long strings
|
||||
|
||||
The following APIs now enforce limits and throw IllegalArgumentException
|
||||
when limits are violated:
|
||||
* DPM.setTrustAgentConfiguration() limits agent packgage name,
|
||||
component name, and strings within configuration bundle.
|
||||
* DPM.setPermittedAccessibilityServices() limits package names.
|
||||
* DPM.setPermittedInputMethods() limits package names.
|
||||
* DPM.setAccountManagementDisabled() limits account name.
|
||||
* DPM.setLockTaskPackages() limits package names.
|
||||
* DPM.setAffiliationIds() limits id.
|
||||
* DPM.transferOwnership() limits strings inside the bundle.
|
||||
|
||||
Package names are limited at 223, because they become directory names
|
||||
and it is a filesystem restriction, see FrameworkParsingPackageUtils.
|
||||
|
||||
All other strings are limited at 65535, because longer ones break binary
|
||||
XML serializer.
|
||||
|
||||
The following APIs silently truncate strings that are long beyond reason:
|
||||
* DPM.setShortSupportMessage() truncates message at 200.
|
||||
* DPM.setLongSupportMessage() truncates message at 20000.
|
||||
* DPM.setOrganizationName() truncates org name at 200.
|
||||
|
||||
Bug: 260729089
|
||||
Test: atest com.android.server.devicepolicy
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb7e82ceaa6d16267e7b0e14563161b506d26be8)
|
||||
Merged-In: Idcf54e408722f164d16bf2f24a00cd1f5b626d23
|
||||
Change-Id: Idcf54e408722f164d16bf2f24a00cd1f5b626d23
|
||||
---
|
||||
.../app/admin/DevicePolicyManager.java | 3 +-
|
||||
.../DevicePolicyManagerService.java | 91 ++++++++++++++++++-
|
||||
2 files changed, 90 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
|
||||
index 485ce78c3320..28b7ccb7b946 100644
|
||||
--- a/core/java/android/app/admin/DevicePolicyManager.java
|
||||
+++ b/core/java/android/app/admin/DevicePolicyManager.java
|
||||
@@ -8100,7 +8100,8 @@ public class DevicePolicyManager {
|
||||
|
||||
/**
|
||||
* Called by a device admin to set the long support message. This will be displayed to the user
|
||||
- * in the device administators settings screen.
|
||||
+ * in the device administrators settings screen. If the message is longer than 20000 characters
|
||||
+ * it may be truncated.
|
||||
* <p>
|
||||
* If the long support message needs to be localized, it is the responsibility of the
|
||||
* {@link DeviceAdminReceiver} to listen to the {@link Intent#ACTION_LOCALE_CHANGED} broadcast
|
||||
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
|
||||
index d7539e11bea9..2fd54b4981af 100644
|
||||
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
|
||||
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
|
||||
@@ -250,6 +250,7 @@ import java.lang.reflect.Constructor;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.text.DateFormat;
|
||||
import java.time.LocalDate;
|
||||
+import java.util.ArrayDeque;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
@@ -260,6 +261,7 @@ import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Objects;
|
||||
+import java.util.Queue;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.CountDownLatch;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
@@ -325,6 +327,15 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
|
||||
private static final int REQUEST_EXPIRE_PASSWORD = 5571;
|
||||
|
||||
+ // Binary XML serializer doesn't support longer strings
|
||||
+ private static final int MAX_POLICY_STRING_LENGTH = 65535;
|
||||
+ // FrameworkParsingPackageUtils#MAX_FILE_NAME_SIZE, Android packages are used in dir names.
|
||||
+ private static final int MAX_PACKAGE_NAME_LENGTH = 223;
|
||||
+
|
||||
+ private static final int MAX_LONG_SUPPORT_MESSAGE_LENGTH = 20000;
|
||||
+ private static final int MAX_SHORT_SUPPORT_MESSAGE_LENGTH = 200;
|
||||
+ private static final int MAX_ORG_NAME_LENGTH = 200;
|
||||
+
|
||||
private static final long MS_PER_DAY = TimeUnit.DAYS.toMillis(1);
|
||||
|
||||
private static final long EXPIRATION_GRACE_PERIOD_MS = 5 * MS_PER_DAY; // 5 days, in ms
|
||||
@@ -8284,6 +8295,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
}
|
||||
Preconditions.checkNotNull(admin, "admin is null");
|
||||
Preconditions.checkNotNull(agent, "agent is null");
|
||||
+ enforceMaxPackageNameLength(agent.getPackageName());
|
||||
+ final String agentAsString = agent.flattenToString();
|
||||
+ enforceMaxStringLength(agentAsString, "agent name");
|
||||
+ if (args != null) {
|
||||
+ enforceMaxStringLength(args, "args");
|
||||
+ }
|
||||
final int userHandle = UserHandle.getCallingUserId();
|
||||
synchronized (getLockObject()) {
|
||||
ActiveAdmin ap = getActiveAdminForCallerLocked(admin,
|
||||
@@ -8486,6 +8503,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
Preconditions.checkNotNull(who, "ComponentName is null");
|
||||
|
||||
if (packageList != null) {
|
||||
+ for (String pkg : (List<String>) packageList) {
|
||||
+ enforceMaxPackageNameLength(pkg);
|
||||
+ }
|
||||
+
|
||||
int userId = UserHandle.getCallingUserId();
|
||||
List<AccessibilityServiceInfo> enabledServices = null;
|
||||
long id = mInjector.binderClearCallingIdentity();
|
||||
@@ -8668,6 +8689,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
|
||||
final int callingUserId = mInjector.userHandleGetCallingUserId();
|
||||
if (packageList != null) {
|
||||
+ for (String pkg : (List<String>) packageList) {
|
||||
+ enforceMaxPackageNameLength(pkg);
|
||||
+ }
|
||||
+
|
||||
// InputMethodManager fetches input methods for current user.
|
||||
// So this can only be set when calling user is the current user
|
||||
// or parent is current user in case of managed profiles.
|
||||
@@ -9608,6 +9633,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
return;
|
||||
}
|
||||
Preconditions.checkNotNull(who, "ComponentName is null");
|
||||
+ enforceMaxStringLength(accountType, "account type");
|
||||
synchronized (getLockObject()) {
|
||||
ActiveAdmin ap = getActiveAdminForCallerLocked(who,
|
||||
DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
|
||||
@@ -9871,6 +9897,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
throws SecurityException {
|
||||
Preconditions.checkNotNull(who, "ComponentName is null");
|
||||
Preconditions.checkNotNull(packages, "packages is null");
|
||||
+ for (String pkg : packages) {
|
||||
+ enforceMaxPackageNameLength(pkg);
|
||||
+ }
|
||||
|
||||
synchronized (getLockObject()) {
|
||||
enforceCanCallLockTaskLocked(who);
|
||||
@@ -11249,6 +11278,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
if (!mHasFeature) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
+ message = truncateIfLonger(message, MAX_LONG_SUPPORT_MESSAGE_LENGTH);
|
||||
+
|
||||
Preconditions.checkNotNull(who, "ComponentName is null");
|
||||
final int userHandle = mInjector.userHandleGetCallingUserId();
|
||||
synchronized (getLockObject()) {
|
||||
@@ -11280,6 +11312,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
return;
|
||||
}
|
||||
Preconditions.checkNotNull(who, "ComponentName is null");
|
||||
+ message = truncateIfLonger(message, MAX_SHORT_SUPPORT_MESSAGE_LENGTH);
|
||||
+
|
||||
final int userHandle = mInjector.userHandleGetCallingUserId();
|
||||
synchronized (getLockObject()) {
|
||||
ActiveAdmin admin = getActiveAdminForUidLocked(who,
|
||||
@@ -11408,6 +11442,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
Preconditions.checkNotNull(who, "ComponentName is null");
|
||||
final int userHandle = mInjector.userHandleGetCallingUserId();
|
||||
|
||||
+ text = truncateIfLonger(text, MAX_ORG_NAME_LENGTH);
|
||||
+
|
||||
synchronized (getLockObject()) {
|
||||
ActiveAdmin admin = getActiveAdminForCallerLocked(who,
|
||||
DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
|
||||
@@ -11572,9 +11608,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
throw new IllegalArgumentException("ids must not be null");
|
||||
}
|
||||
for (String id : ids) {
|
||||
- if (TextUtils.isEmpty(id)) {
|
||||
- throw new IllegalArgumentException("ids must not contain empty string");
|
||||
- }
|
||||
+ Preconditions.checkArgument(!TextUtils.isEmpty(id), "ids must not have empty string");
|
||||
+ enforceMaxStringLength(id, "affiliation id");
|
||||
}
|
||||
|
||||
final Set<String> affiliationIds = new ArraySet<>(ids);
|
||||
@@ -12740,6 +12775,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
|
||||
Preconditions.checkNotNull(admin, "Admin cannot be null.");
|
||||
Preconditions.checkNotNull(target, "Target cannot be null.");
|
||||
+ if (bundle != null) {
|
||||
+ enforceMaxStringLength(bundle, "bundle");
|
||||
+ }
|
||||
|
||||
enforceProfileOrDeviceOwner(admin);
|
||||
|
||||
@@ -13194,4 +13232,51 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
|
||||
private static String getManagedProvisioningPackage(Context context) {
|
||||
return context.getResources().getString(R.string.config_managed_provisioning_package);
|
||||
}
|
||||
+
|
||||
+ /**
|
||||
+ * Truncates char sequence to maximum length, nulls are ignored.
|
||||
+ */
|
||||
+ private static CharSequence truncateIfLonger(CharSequence input, int maxLength) {
|
||||
+ return input == null || input.length() <= maxLength
|
||||
+ ? input
|
||||
+ : input.subSequence(0, maxLength);
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Throw if string argument is too long to be serialized.
|
||||
+ */
|
||||
+ private static void enforceMaxStringLength(String str, String argName) {
|
||||
+ Preconditions.checkArgument(
|
||||
+ str.length() <= MAX_POLICY_STRING_LENGTH, argName + " loo long");
|
||||
+ }
|
||||
+
|
||||
+ private static void enforceMaxPackageNameLength(String pkg) {
|
||||
+ Preconditions.checkArgument(
|
||||
+ pkg.length() <= MAX_PACKAGE_NAME_LENGTH, "Package name too long");
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Throw if persistable bundle contains any string that we can't serialize.
|
||||
+ */
|
||||
+ private static void enforceMaxStringLength(PersistableBundle bundle, String argName) {
|
||||
+ // Persistable bundles can have other persistable bundles as values, traverse with a queue.
|
||||
+ Queue<PersistableBundle> queue = new ArrayDeque<>();
|
||||
+ queue.add(bundle);
|
||||
+ while (!queue.isEmpty()) {
|
||||
+ PersistableBundle current = queue.remove();
|
||||
+ for (String key : current.keySet()) {
|
||||
+ enforceMaxStringLength(key, "key in " + argName);
|
||||
+ Object value = current.get(key);
|
||||
+ if (value instanceof String) {
|
||||
+ enforceMaxStringLength((String) value, "string value in " + argName);
|
||||
+ } else if (value instanceof String[]) {
|
||||
+ for (String str : (String[]) value) {
|
||||
+ enforceMaxStringLength(str, "string value in " + argName);
|
||||
+ }
|
||||
+ } else if (value instanceof PersistableBundle) {
|
||||
+ queue.add((PersistableBundle) value);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
70
Patches/LineageOS-16.0/android_frameworks_base/364034.patch
Normal file
70
Patches/LineageOS-16.0/android_frameworks_base/364034.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ioana Alexandru <aioana@google.com>
|
||||
Date: Fri, 12 May 2023 15:41:09 +0000
|
||||
Subject: [PATCH] Implement visitUris for RemoteViews ViewGroupActionAdd.
|
||||
|
||||
This is to prevent a vulnerability where notifications can show
|
||||
resources belonging to other users, since the URI in the nested views
|
||||
was not being checked.
|
||||
|
||||
Bug: 277740082
|
||||
Test: atest RemoteViewsTest NotificationVisitUrisTest
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:850fd984e5f346645b5a941ed7307387c7e4c4de)
|
||||
Merged-In: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8
|
||||
Change-Id: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8
|
||||
---
|
||||
core/java/android/widget/RemoteViews.java | 5 ++++
|
||||
.../src/android/widget/RemoteViewsTest.java | 24 +++++++++++++++++++
|
||||
2 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
|
||||
index 10053dddb0fb..b36d27fc3b3b 100644
|
||||
--- a/core/java/android/widget/RemoteViews.java
|
||||
+++ b/core/java/android/widget/RemoteViews.java
|
||||
@@ -1672,6 +1672,11 @@ public class RemoteViews implements Parcelable, Filter {
|
||||
public int getActionTag() {
|
||||
return VIEW_GROUP_ACTION_ADD_TAG;
|
||||
}
|
||||
+
|
||||
+ @Override
|
||||
+ public final void visitUris(@NonNull Consumer<Uri> visitor) {
|
||||
+ mNestedViews.visitUris(visitor);
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
|
||||
index 7d2e07ecbd71..1123988e9512 100644
|
||||
--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java
|
||||
+++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
|
||||
@@ -474,6 +474,30 @@ public class RemoteViewsTest {
|
||||
verify(visitor, times(1)).accept(eq(icon4.getUri()));
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void visitUris_nestedViews() {
|
||||
+ final RemoteViews outer = new RemoteViews(mPackage, R.layout.remote_views_test);
|
||||
+
|
||||
+ final RemoteViews inner = new RemoteViews(mPackage, 33);
|
||||
+ final Uri imageUriI = Uri.parse("content://inner/image");
|
||||
+ final Icon icon1 = Icon.createWithContentUri("content://inner/icon1");
|
||||
+ final Icon icon2 = Icon.createWithContentUri("content://inner/icon2");
|
||||
+ final Icon icon3 = Icon.createWithContentUri("content://inner/icon3");
|
||||
+ final Icon icon4 = Icon.createWithContentUri("content://inner/icon4");
|
||||
+ inner.setImageViewUri(R.id.image, imageUriI);
|
||||
+ inner.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4);
|
||||
+
|
||||
+ outer.addView(R.id.layout, inner);
|
||||
+
|
||||
+ Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
|
||||
+ outer.visitUris(visitor);
|
||||
+ verify(visitor, times(1)).accept(eq(imageUriI));
|
||||
+ verify(visitor, times(1)).accept(eq(icon1.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon2.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon3.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon4.getUri()));
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void visitUris_separateOrientation() {
|
||||
final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test);
|
@ -0,0 +1,29 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ioana Alexandru <aioana@google.com>
|
||||
Date: Mon, 15 May 2023 16:15:55 +0000
|
||||
Subject: [PATCH] Check URIs in notification public version.
|
||||
|
||||
Bug: 276294099
|
||||
Test: atest NotificationManagerServiceTest NotificationVisitUrisTest
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9663d493142b59c65311bc09d48427d3bdde0222)
|
||||
Merged-In: I670198b213abb2cb29a9865eb9d1e897700508b4
|
||||
Change-Id: I670198b213abb2cb29a9865eb9d1e897700508b4
|
||||
---
|
||||
core/java/android/app/Notification.java | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
|
||||
index d8e7d0199615..b2daecc659cc 100644
|
||||
--- a/core/java/android/app/Notification.java
|
||||
+++ b/core/java/android/app/Notification.java
|
||||
@@ -2346,6 +2346,10 @@ public class Notification implements Parcelable
|
||||
* @hide
|
||||
*/
|
||||
public void visitUris(@NonNull Consumer<Uri> visitor) {
|
||||
+ if (publicVersion != null) {
|
||||
+ publicVersion.visitUris(visitor);
|
||||
+ }
|
||||
+
|
||||
visitor.accept(sound);
|
||||
|
||||
if (tickerView != null) tickerView.visitUris(visitor);
|
@ -0,0 +1,125 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Mikhail <michaelmikhil@google.com>
|
||||
Date: Fri, 28 Apr 2023 16:17:16 +0000
|
||||
Subject: [PATCH] Verify URI permissions in MediaMetadata
|
||||
|
||||
Add a check for URI permission to make sure that user can access the URI
|
||||
set in MediaMetadata. If permission is denied, clear the URI string set
|
||||
in metadata.
|
||||
|
||||
Bug: 271851153
|
||||
Test: atest MediaSessionTest
|
||||
Test: Verified by POC app attached in bug, image of second user is not
|
||||
the UMO background of the first user.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f95b7fc61d6b3bf49420ded0357bec031f8cbdcf)
|
||||
Merged-In: I384f8e230c909d8fc8e5f147e2fd3558fec44626
|
||||
Change-Id: I384f8e230c909d8fc8e5f147e2fd3558fec44626
|
||||
---
|
||||
.../server/media/MediaSessionRecord.java | 54 +++++++++++++++----
|
||||
1 file changed, 45 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
|
||||
index 442354bbb6b9..01d09178f7dd 100644
|
||||
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
|
||||
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
|
||||
@@ -16,7 +16,11 @@
|
||||
|
||||
package com.android.server.media;
|
||||
|
||||
+import android.app.ActivityManager;
|
||||
+import android.app.IActivityManager;
|
||||
import android.app.PendingIntent;
|
||||
+import android.content.ContentProvider;
|
||||
+import android.content.ContentResolver;
|
||||
import android.content.Context;
|
||||
import android.content.Intent;
|
||||
import android.content.pm.ParceledListSlice;
|
||||
@@ -49,6 +53,7 @@ import android.os.Process;
|
||||
import android.os.RemoteException;
|
||||
import android.os.ResultReceiver;
|
||||
import android.os.SystemClock;
|
||||
+import android.text.TextUtils;
|
||||
import android.util.Log;
|
||||
import android.util.Slog;
|
||||
import android.view.KeyEvent;
|
||||
@@ -64,6 +69,10 @@ import java.util.ArrayList;
|
||||
*/
|
||||
public class MediaSessionRecord implements IBinder.DeathRecipient {
|
||||
private static final String TAG = "MediaSessionRecord";
|
||||
+ private static final String[] ART_URIS = new String[] {
|
||||
+ MediaMetadata.METADATA_KEY_ALBUM_ART_URI,
|
||||
+ MediaMetadata.METADATA_KEY_ART_URI,
|
||||
+ MediaMetadata.METADATA_KEY_DISPLAY_ICON_URI};
|
||||
private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
|
||||
|
||||
/**
|
||||
@@ -83,6 +92,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient {
|
||||
private final SessionStub mSession;
|
||||
private final SessionCb mSessionCb;
|
||||
private final MediaSessionService mService;
|
||||
+ final IActivityManager mAm;
|
||||
private final Context mContext;
|
||||
|
||||
private final Object mLock = new Object();
|
||||
@@ -133,6 +143,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient {
|
||||
mAudioManager = (AudioManager) mContext.getSystemService(Context.AUDIO_SERVICE);
|
||||
mAudioManagerInternal = LocalServices.getService(AudioManagerInternal.class);
|
||||
mAudioAttrs = new AudioAttributes.Builder().setUsage(AudioAttributes.USAGE_MEDIA).build();
|
||||
+ mAm = ActivityManager.getService();
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -792,19 +803,44 @@ public class MediaSessionRecord implements IBinder.DeathRecipient {
|
||||
@Override
|
||||
public void setMetadata(MediaMetadata metadata) {
|
||||
synchronized (mLock) {
|
||||
- MediaMetadata temp = metadata == null ? null : new MediaMetadata.Builder(metadata)
|
||||
- .build();
|
||||
- // This is to guarantee that the underlying bundle is unparceled
|
||||
- // before we set it to prevent concurrent reads from throwing an
|
||||
- // exception
|
||||
- if (temp != null) {
|
||||
- temp.size();
|
||||
- }
|
||||
- mMetadata = temp;
|
||||
+ mMetadata = sanitizeMediaMetadata(metadata);
|
||||
}
|
||||
mHandler.post(MessageHandler.MSG_UPDATE_METADATA);
|
||||
}
|
||||
|
||||
+
|
||||
+ private MediaMetadata sanitizeMediaMetadata(MediaMetadata metadata) {
|
||||
+ if (metadata == null) {
|
||||
+ return null;
|
||||
+ }
|
||||
+ MediaMetadata.Builder metadataBuilder = new MediaMetadata.Builder(metadata);
|
||||
+ for (String key: ART_URIS) {
|
||||
+ String uriString = metadata.getString(key);
|
||||
+ if (TextUtils.isEmpty(uriString)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ Uri uri = Uri.parse(uriString);
|
||||
+ if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ try {
|
||||
+ mAm.checkGrantUriPermission(getUid(),
|
||||
+ getPackageName(),
|
||||
+ ContentProvider.getUriWithoutUserId(uri),
|
||||
+ Intent.FLAG_GRANT_READ_URI_PERMISSION,
|
||||
+ ContentProvider.getUserIdFromUri(uri, getUserId()));
|
||||
+ } catch (RemoteException | SecurityException e) {
|
||||
+ metadataBuilder.putString(key, null);
|
||||
+ }
|
||||
+ }
|
||||
+ MediaMetadata sanitizedMetadata = metadataBuilder.build();
|
||||
+ // sanitizedMetadata.size() guarantees that the underlying bundle is unparceled
|
||||
+ // before we set it to prevent concurrent reads from throwing an
|
||||
+ // exception
|
||||
+ sanitizedMetadata.size();
|
||||
+ return sanitizedMetadata;
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void setPlaybackState(PlaybackState state) {
|
||||
int oldState = mPlaybackState == null
|
55
Patches/LineageOS-16.0/android_frameworks_base/364037.patch
Normal file
55
Patches/LineageOS-16.0/android_frameworks_base/364037.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Chandru S <chandruis@google.com>
|
||||
Date: Tue, 16 May 2023 10:41:07 -0700
|
||||
Subject: [PATCH] Use Settings.System.getIntForUser instead of getInt to make
|
||||
sure user specific settings are used
|
||||
|
||||
Bug: 265431505
|
||||
Test: atest KeyguardViewMediatorTest
|
||||
(cherry picked from commit 625e009fc195ba5d658ca2d78ebb23d2770cc6c4)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ce6510deba06bcb72a0e468294b483fc4ac4be17)
|
||||
Merged-In: I66a660c091c90a957a0fd1e144c013840db3f47e
|
||||
Change-Id: I66a660c091c90a957a0fd1e144c013840db3f47e
|
||||
---
|
||||
.../systemui/keyguard/KeyguardViewMediator.java | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
index f0d389c15228..820c7eac715a 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
@@ -935,9 +935,9 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
final ContentResolver cr = mContext.getContentResolver();
|
||||
|
||||
// From SecuritySettings
|
||||
- final long lockAfterTimeout = Settings.Secure.getInt(cr,
|
||||
+ final long lockAfterTimeout = Settings.Secure.getIntForUser(cr,
|
||||
Settings.Secure.LOCK_SCREEN_LOCK_AFTER_TIMEOUT,
|
||||
- KEYGUARD_LOCK_AFTER_DELAY_DEFAULT);
|
||||
+ KEYGUARD_LOCK_AFTER_DELAY_DEFAULT, userId);
|
||||
|
||||
// From DevicePolicyAdmin
|
||||
final long policyTimeout = mLockPatternUtils.getDevicePolicyManager()
|
||||
@@ -949,8 +949,8 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
timeout = lockAfterTimeout;
|
||||
} else {
|
||||
// From DisplaySettings
|
||||
- long displayTimeout = Settings.System.getInt(cr, SCREEN_OFF_TIMEOUT,
|
||||
- KEYGUARD_DISPLAY_TIMEOUT_DELAY_DEFAULT);
|
||||
+ long displayTimeout = Settings.System.getIntForUser(cr, SCREEN_OFF_TIMEOUT,
|
||||
+ KEYGUARD_DISPLAY_TIMEOUT_DELAY_DEFAULT, userId);
|
||||
|
||||
// policy in effect. Make sure we don't go beyond policy limit.
|
||||
displayTimeout = Math.max(displayTimeout, 0); // ignore negative values
|
||||
@@ -1792,7 +1792,10 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
private void playSound(int soundId) {
|
||||
if (soundId == 0) return;
|
||||
final ContentResolver cr = mContext.getContentResolver();
|
||||
- if (Settings.System.getInt(cr, Settings.System.LOCKSCREEN_SOUNDS_ENABLED, 1) == 1) {
|
||||
+ int lockscreenSoundsEnabled = Settings.System.getIntForUser(cr,
|
||||
+ Settings.System.LOCKSCREEN_SOUNDS_ENABLED, 1,
|
||||
+ KeyguardUpdateMonitor.getCurrentUser());
|
||||
+ if (lockscreenSoundsEnabled == 1) {
|
||||
|
||||
mLockSounds.stop(mLockSoundStreamId);
|
||||
// Init mAudioManager
|
@ -0,0 +1,126 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pranav Madapurmath <pmadapurmath@google.com>
|
||||
Date: Thu, 25 May 2023 21:58:19 +0000
|
||||
Subject: [PATCH] Resolve StatusHints image exploit across user.
|
||||
|
||||
Because of the INTERACT_ACROSS_USERS permission, an app that implements
|
||||
a ConnectionService can upload an image icon belonging to another user
|
||||
by setting it in the StatusHints. Validating the construction of the
|
||||
StatusHints on the calling user would prevent a malicious app from
|
||||
registering a connection service with the embedded image icon from a
|
||||
different user.
|
||||
|
||||
From additional feedback, this CL also addresses potential
|
||||
vulnerabilities in an app being able to directly invoke the binder for a
|
||||
means to manipulate the contents of the bundle that are passed with it.
|
||||
The targeted points of entry are in ConnectionServiceWrapper for the
|
||||
following APIs: handleCreateConnectionComplete, setStatusHints,
|
||||
addConferenceCall, and addExistingConnection.
|
||||
|
||||
Fixes: 280797684
|
||||
Test: Manual (verified that original exploit is no longer an issue).
|
||||
Test: Unit test for validating image in StatusHints constructor.
|
||||
Test: Unit tests to address vulnerabilities via the binder.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48223d6034907349c6a3fab3018c1b37d86367af)
|
||||
Merged-In: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2
|
||||
Change-Id: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2
|
||||
---
|
||||
.../java/android/telecom/StatusHints.java | 53 ++++++++++++++++++-
|
||||
1 file changed, 51 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/telecomm/java/android/telecom/StatusHints.java b/telecomm/java/android/telecom/StatusHints.java
|
||||
index 453f408bedba..c75bd2781f9f 100644
|
||||
--- a/telecomm/java/android/telecom/StatusHints.java
|
||||
+++ b/telecomm/java/android/telecom/StatusHints.java
|
||||
@@ -16,14 +16,19 @@
|
||||
|
||||
package android.telecom;
|
||||
|
||||
+import android.annotation.Nullable;
|
||||
import android.annotation.SystemApi;
|
||||
import android.content.ComponentName;
|
||||
import android.content.Context;
|
||||
import android.graphics.drawable.Drawable;
|
||||
import android.graphics.drawable.Icon;
|
||||
+import android.os.Binder;
|
||||
import android.os.Bundle;
|
||||
import android.os.Parcel;
|
||||
import android.os.Parcelable;
|
||||
+import android.os.UserHandle;
|
||||
+
|
||||
+import com.android.internal.annotations.VisibleForTesting;
|
||||
|
||||
import java.util.Objects;
|
||||
|
||||
@@ -33,7 +38,7 @@ import java.util.Objects;
|
||||
public final class StatusHints implements Parcelable {
|
||||
|
||||
private final CharSequence mLabel;
|
||||
- private final Icon mIcon;
|
||||
+ private Icon mIcon;
|
||||
private final Bundle mExtras;
|
||||
|
||||
/**
|
||||
@@ -48,10 +53,30 @@ public final class StatusHints implements Parcelable {
|
||||
|
||||
public StatusHints(CharSequence label, Icon icon, Bundle extras) {
|
||||
mLabel = label;
|
||||
- mIcon = icon;
|
||||
+ mIcon = validateAccountIconUserBoundary(icon, Binder.getCallingUserHandle());
|
||||
mExtras = extras;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * @param icon
|
||||
+ * @hide
|
||||
+ */
|
||||
+ @VisibleForTesting
|
||||
+ public StatusHints(@Nullable Icon icon) {
|
||||
+ mLabel = null;
|
||||
+ mExtras = null;
|
||||
+ mIcon = icon;
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ *
|
||||
+ * @param icon
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public void setIcon(@Nullable Icon icon) {
|
||||
+ mIcon = icon;
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* @return A package used to load the icon.
|
||||
*
|
||||
@@ -112,6 +137,30 @@ public final class StatusHints implements Parcelable {
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Validates the StatusHints image icon to see if it's not in the calling user space.
|
||||
+ * Invalidates the icon if so, otherwise returns back the original icon.
|
||||
+ *
|
||||
+ * @param icon
|
||||
+ * @return icon (validated)
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static Icon validateAccountIconUserBoundary(Icon icon, UserHandle callingUserHandle) {
|
||||
+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
|
||||
+ // incompatible types.
|
||||
+ if (icon != null && (icon.getType() == Icon.TYPE_URI
|
||||
+ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) {
|
||||
+ String encodedUser = icon.getUri().getEncodedUserInfo();
|
||||
+ // If there is no encoded user, the URI is calling into the calling user space
|
||||
+ if (encodedUser != null) {
|
||||
+ int userId = Integer.parseInt(encodedUser);
|
||||
+ // Do not try to save the icon if the user id isn't in the calling user space.
|
||||
+ if (userId != callingUserHandle.getIdentifier()) return null;
|
||||
+ }
|
||||
+ }
|
||||
+ return icon;
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void writeToParcel(Parcel out, int flags) {
|
||||
out.writeCharSequence(mLabel);
|
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Aishwarya Mallampati <amallampati@google.com>
|
||||
Date: Wed, 10 May 2023 21:54:43 +0000
|
||||
Subject: [PATCH] Update file permissions using canonical path
|
||||
|
||||
Bug: 264880895
|
||||
Bug: 264880689
|
||||
Test: atest android.telephonyprovider.cts.MmsPartTest
|
||||
atest CtsTelephonyTestCases
|
||||
Sanity check - sending and receiving sms and mms manually
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6743638a096c32627f398efd2ea78f08b8a2db8c)
|
||||
Merged-In: I8dd888ea31ec07c9f0de38eb8e8170d3ed255686
|
||||
Change-Id: I8dd888ea31ec07c9f0de38eb8e8170d3ed255686
|
||||
---
|
||||
src/com/android/providers/telephony/MmsProvider.java | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java
|
||||
index 6ba775ba..7546c246 100644
|
||||
--- a/src/com/android/providers/telephony/MmsProvider.java
|
||||
+++ b/src/com/android/providers/telephony/MmsProvider.java
|
||||
@@ -819,15 +819,16 @@ public class MmsProvider extends ContentProvider {
|
||||
String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' +
|
||||
uri.getPathSegments().get(1);
|
||||
try {
|
||||
+ File canonicalFile = new File(path).getCanonicalFile();
|
||||
String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath();
|
||||
- if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) {
|
||||
+ if (!canonicalFile.getPath().startsWith(partsDirPath + '/')) {
|
||||
EventLog.writeEvent(0x534e4554, "240685104",
|
||||
Binder.getCallingUid(), (TAG + " update: path " + path +
|
||||
" does not start with " + partsDirPath));
|
||||
return 0;
|
||||
}
|
||||
// Reset the file permission back to read for everyone but me.
|
||||
- Os.chmod(path, 0644);
|
||||
+ Os.chmod(canonicalFile.getPath(), 0644);
|
||||
if (LOCAL_LOGV) {
|
||||
Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path);
|
||||
}
|
@ -0,0 +1,706 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pranav Madapurmath <pmadapurmath@google.com>
|
||||
Date: Thu, 25 May 2023 20:49:21 +0000
|
||||
Subject: [PATCH] Resolve StatusHints image exploit across user.
|
||||
|
||||
Because of the INTERACT_ACROSS_USERS permission, an app that implements
|
||||
a ConnectionService can upload an image icon belonging to another user
|
||||
by setting it in the StatusHints. Validating the construction of the
|
||||
StatusHints on the calling user would prevent a malicious app from
|
||||
registering a connection service with the embedded image icon from a
|
||||
different user.
|
||||
|
||||
From additional feedback, this CL also addresses potential
|
||||
vulnerabilities in an app being able to directly invoke the binder for a
|
||||
means to manipulate the contents of the bundle that are passed with it.
|
||||
The targeted points of entry are in ConnectionServiceWrapper for the
|
||||
following APIs: handleCreateConnectionComplete, setStatusHints,
|
||||
addConferenceCall, and addExistingConnection.
|
||||
|
||||
Fixes: 280797684
|
||||
Test: Manual (verified that original exploit is no longer an issue).
|
||||
Test: Unit test for validating image in StatusHints constructor.
|
||||
Test: Unit tests to address vulnerabilities via the binder.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49d19dd265bee669b230efa29bf98c83650efea6)
|
||||
Merged-In: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c
|
||||
Change-Id: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c
|
||||
---
|
||||
.../telecom/ConnectionServiceWrapper.java | 32 ++++
|
||||
.../server/telecom/tests/BasicCallTests.java | 165 +++++++++++++++++-
|
||||
.../server/telecom/tests/CallExtrasTest.java | 6 +-
|
||||
.../tests/ConnectionServiceFixture.java | 21 ++-
|
||||
.../telecom/tests/TelecomSystemTest.java | 63 +++++--
|
||||
.../server/telecom/tests/VideoCallTests.java | 16 +-
|
||||
6 files changed, 264 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
|
||||
index 6dd9a3a08..1b86842af 100644
|
||||
--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
|
||||
+++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
|
||||
@@ -19,6 +19,7 @@ package com.android.server.telecom;
|
||||
import android.app.AppOpsManager;
|
||||
import android.content.ComponentName;
|
||||
import android.content.Context;
|
||||
+import android.graphics.drawable.Icon;
|
||||
import android.net.Uri;
|
||||
import android.os.Binder;
|
||||
import android.os.Bundle;
|
||||
@@ -73,10 +74,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
|
||||
public void handleCreateConnectionComplete(String callId, ConnectionRequest request,
|
||||
ParcelableConnection connection, Session.Info sessionInfo) {
|
||||
Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE);
|
||||
+ UserHandle callingUserHandle = Binder.getCallingUserHandle();
|
||||
long token = Binder.clearCallingIdentity();
|
||||
try {
|
||||
synchronized (mLock) {
|
||||
logIncoming("handleCreateConnectionComplete %s", callId);
|
||||
+ // Check status hints image for cross user access
|
||||
+ if (connection.getStatusHints() != null) {
|
||||
+ Icon icon = connection.getStatusHints().getIcon();
|
||||
+ connection.getStatusHints().setIcon(StatusHints.
|
||||
+ validateAccountIconUserBoundary(icon, callingUserHandle));
|
||||
+ }
|
||||
ConnectionServiceWrapper.this
|
||||
.handleCreateConnectionComplete(callId, request, connection);
|
||||
|
||||
@@ -415,6 +423,15 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
|
||||
public void addConferenceCall(String callId, ParcelableConference parcelableConference,
|
||||
Session.Info sessionInfo) {
|
||||
Log.startSession(sessionInfo, LogUtils.Sessions.CSW_ADD_CONFERENCE_CALL);
|
||||
+
|
||||
+ UserHandle callingUserHandle = Binder.getCallingUserHandle();
|
||||
+ // Check status hints image for cross user access
|
||||
+ if (parcelableConference.getStatusHints() != null) {
|
||||
+ Icon icon = parcelableConference.getStatusHints().getIcon();
|
||||
+ parcelableConference.getStatusHints().setIcon(StatusHints.
|
||||
+ validateAccountIconUserBoundary(icon, callingUserHandle));
|
||||
+ }
|
||||
+
|
||||
long token = Binder.clearCallingIdentity();
|
||||
try {
|
||||
synchronized (mLock) {
|
||||
@@ -637,10 +654,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
|
||||
public void setStatusHints(String callId, StatusHints statusHints,
|
||||
Session.Info sessionInfo) {
|
||||
Log.startSession(sessionInfo, "CSW.sSH");
|
||||
+ UserHandle callingUserHandle = Binder.getCallingUserHandle();
|
||||
long token = Binder.clearCallingIdentity();
|
||||
try {
|
||||
synchronized (mLock) {
|
||||
logIncoming("setStatusHints %s %s", callId, statusHints);
|
||||
+ // Check status hints image for cross user access
|
||||
+ if (statusHints != null) {
|
||||
+ Icon icon = statusHints.getIcon();
|
||||
+ statusHints.setIcon(StatusHints.validateAccountIconUserBoundary(
|
||||
+ icon, callingUserHandle));
|
||||
+ }
|
||||
Call call = mCallIdMapper.getCall(callId);
|
||||
if (call != null) {
|
||||
call.setStatusHints(statusHints);
|
||||
@@ -819,6 +843,14 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
|
||||
} else {
|
||||
connectIdToCheck = callId;
|
||||
}
|
||||
+
|
||||
+ // Check status hints image for cross user access
|
||||
+ if (connection.getStatusHints() != null) {
|
||||
+ Icon icon = connection.getStatusHints().getIcon();
|
||||
+ connection.getStatusHints().setIcon(StatusHints.
|
||||
+ validateAccountIconUserBoundary(icon, userHandle));
|
||||
+ }
|
||||
+
|
||||
// Check to see if this Connection has already been added.
|
||||
Call alreadyAddedConnection = mCallsManager
|
||||
.getAlreadyAddedConnection(connectIdToCheck);
|
||||
diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
|
||||
index e304d3416..190604a75 100644
|
||||
--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java
|
||||
+++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
|
||||
@@ -16,9 +16,12 @@
|
||||
|
||||
package com.android.server.telecom.tests;
|
||||
|
||||
+import static com.android.server.telecom.tests.ConnectionServiceFixture.STATUS_HINTS_EXTRA;
|
||||
+
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertNull;
|
||||
+import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.mockito.Matchers.any;
|
||||
import static org.mockito.Matchers.anyInt;
|
||||
@@ -34,6 +37,8 @@ import static org.mockito.Mockito.when;
|
||||
|
||||
import android.content.Context;
|
||||
import android.content.IContentProvider;
|
||||
+import android.content.Intent;
|
||||
+import android.graphics.drawable.Icon;
|
||||
import android.media.AudioManager;
|
||||
import android.net.Uri;
|
||||
import android.os.Bundle;
|
||||
@@ -50,12 +55,15 @@ import android.telecom.Log;
|
||||
import android.telecom.ParcelableCall;
|
||||
import android.telecom.PhoneAccount;
|
||||
import android.telecom.PhoneAccountHandle;
|
||||
+import android.telecom.StatusHints;
|
||||
import android.telecom.TelecomManager;
|
||||
import android.telecom.VideoProfile;
|
||||
import android.support.test.filters.FlakyTest;
|
||||
import android.test.suitebuilder.annotation.LargeTest;
|
||||
import android.test.suitebuilder.annotation.MediumTest;
|
||||
|
||||
+import androidx.test.filters.SmallTest;
|
||||
+
|
||||
import com.android.internal.telecom.IInCallAdapter;
|
||||
import com.android.internal.telephony.CallerInfo;
|
||||
|
||||
@@ -179,7 +187,7 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
@Test
|
||||
public void testTelecomManagerAcceptRingingVideoCall() throws Exception {
|
||||
IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null);
|
||||
|
||||
assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState());
|
||||
assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState());
|
||||
@@ -208,7 +216,7 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
@Test
|
||||
public void testTelecomManagerAcceptRingingVideoCallAsAudio() throws Exception {
|
||||
IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null);
|
||||
|
||||
assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState());
|
||||
assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState());
|
||||
@@ -236,7 +244,7 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
@Test
|
||||
public void testTelecomManagerAcceptRingingInvalidVideoState() throws Exception {
|
||||
IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null);
|
||||
|
||||
assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState());
|
||||
assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState());
|
||||
@@ -629,13 +637,13 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
@MediumTest
|
||||
@Test
|
||||
public void testBasicConferenceCall() throws Exception {
|
||||
- makeConferenceCall();
|
||||
+ makeConferenceCall(null, null);
|
||||
}
|
||||
|
||||
@MediumTest
|
||||
@Test
|
||||
public void testAddCallToConference1() throws Exception {
|
||||
- ParcelableCall conferenceCall = makeConferenceCall();
|
||||
+ ParcelableCall conferenceCall = makeConferenceCall(null, null);
|
||||
IdPair callId3 = startAndMakeActiveOutgoingCall("650-555-1214",
|
||||
mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA);
|
||||
// testAddCallToConference{1,2} differ in the order of arguments to InCallAdapter#conference
|
||||
@@ -653,7 +661,7 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
@MediumTest
|
||||
@Test
|
||||
public void testAddCallToConference2() throws Exception {
|
||||
- ParcelableCall conferenceCall = makeConferenceCall();
|
||||
+ ParcelableCall conferenceCall = makeConferenceCall(null, null);
|
||||
IdPair callId3 = startAndMakeActiveOutgoingCall("650-555-1214",
|
||||
mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA);
|
||||
mInCallServiceFixtureX.getInCallAdapter()
|
||||
@@ -909,7 +917,7 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
public void testOutgoingCallSelectPhoneAccountVideo() throws Exception {
|
||||
startOutgoingPhoneCallPendingCreateConnection("650-555-1212",
|
||||
null, mConnectionServiceFixtureA,
|
||||
- Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL);
|
||||
+ Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
assert(call.isVideoCallingSupported());
|
||||
@@ -932,7 +940,7 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
public void testOutgoingCallSelectPhoneAccountNoVideo() throws Exception {
|
||||
startOutgoingPhoneCallPendingCreateConnection("650-555-1212",
|
||||
null, mConnectionServiceFixtureA,
|
||||
- Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL);
|
||||
+ Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
assert(call.isVideoCallingSupported());
|
||||
@@ -1134,4 +1142,145 @@ public class BasicCallTests extends TelecomSystemTest {
|
||||
assertTrue(muteValues.get(0));
|
||||
assertFalse(muteValues.get(1));
|
||||
}
|
||||
+
|
||||
+ /**
|
||||
+ * Verifies that StatusHints image is validated in ConnectionServiceWrapper#addConferenceCall
|
||||
+ * when the image doesn't belong to the calling user. Simulates a scenario where an app
|
||||
+ * could manipulate the contents of the bundle and send it via the binder to upload an image
|
||||
+ * from another user.
|
||||
+ *
|
||||
+ * @throws Exception
|
||||
+ */
|
||||
+ @SmallTest
|
||||
+ @Test
|
||||
+ public void testValidateStatusHintsImage_addConferenceCall() throws Exception {
|
||||
+ Intent callIntent1 = new Intent();
|
||||
+ // Stub intent for call2
|
||||
+ Intent callIntent2 = new Intent();
|
||||
+ Bundle callExtras1 = new Bundle();
|
||||
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
|
||||
+ // Load StatusHints extra into TelecomManager.EXTRA_OUTGOING_CALL_EXTRAS to be processed
|
||||
+ // as the call extras. This will be leveraged in ConnectionServiceFixture to set the
|
||||
+ // StatusHints for the given connection.
|
||||
+ StatusHints statusHints = new StatusHints(icon);
|
||||
+ assertNotNull(statusHints.getIcon());
|
||||
+ callExtras1.putParcelable(STATUS_HINTS_EXTRA, statusHints);
|
||||
+ callIntent1.putExtra(TelecomManager.EXTRA_OUTGOING_CALL_EXTRAS, callExtras1);
|
||||
+
|
||||
+ // Start conference call to invoke ConnectionServiceWrapper#addConferenceCall.
|
||||
+ // Note that the calling user would be User 0.
|
||||
+ ParcelableCall conferenceCall = makeConferenceCall(callIntent1, callIntent2);
|
||||
+
|
||||
+ // Ensure that StatusHints was set.
|
||||
+ assertNotNull(mInCallServiceFixtureX.getCall(mInCallServiceFixtureX.mLatestCallId)
|
||||
+ .getStatusHints());
|
||||
+ // Ensure that the StatusHints image icon was disregarded.
|
||||
+ assertNull(mInCallServiceFixtureX.getCall(mInCallServiceFixtureX.mLatestCallId)
|
||||
+ .getStatusHints().getIcon());
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Verifies that StatusHints image is validated in
|
||||
+ * ConnectionServiceWrapper#handleCreateConnectionComplete when the image doesn't belong to the
|
||||
+ * calling user. Simulates a scenario where an app could manipulate the contents of the
|
||||
+ * bundle and send it via the binder to upload an image from another user.
|
||||
+ *
|
||||
+ * @throws Exception
|
||||
+ */
|
||||
+ @SmallTest
|
||||
+ @Test
|
||||
+ public void testValidateStatusHintsImage_handleCreateConnectionComplete() throws Exception {
|
||||
+ Bundle extras = new Bundle();
|
||||
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
|
||||
+ // Load the bundle with the test extra in order to simulate an app directly invoking the
|
||||
+ // binder on ConnectionServiceWrapper#handleCreateConnectionComplete.
|
||||
+ StatusHints statusHints = new StatusHints(icon);
|
||||
+ assertNotNull(statusHints.getIcon());
|
||||
+ extras.putParcelable(STATUS_HINTS_EXTRA, statusHints);
|
||||
+
|
||||
+ // Start incoming call with StatusHints extras
|
||||
+ // Note that the calling user in ConnectionServiceWrapper#handleCreateConnectionComplete
|
||||
+ // would be User 0.
|
||||
+ IdPair ids = startIncomingPhoneCallWithExtras("650-555-1212",
|
||||
+ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, extras);
|
||||
+
|
||||
+ // Ensure that StatusHints was set.
|
||||
+ assertNotNull(mInCallServiceFixtureX.getCall(ids.mCallId).getStatusHints());
|
||||
+ // Ensure that the StatusHints image icon was disregarded.
|
||||
+ assertNull(mInCallServiceFixtureX.getCall(ids.mCallId).getStatusHints().getIcon());
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Verifies that StatusHints image is validated in ConnectionServiceWrapper#setStatusHints
|
||||
+ * when the image doesn't belong to the calling user. Simulates a scenario where an app
|
||||
+ * could manipulate the contents of the bundle and send it via the binder to upload an image
|
||||
+ * from another user.
|
||||
+ *
|
||||
+ * @throws Exception
|
||||
+ */
|
||||
+ @SmallTest
|
||||
+ @Test
|
||||
+ public void testValidateStatusHintsImage_setStatusHints() throws Exception {
|
||||
+ IdPair outgoing = startAndMakeActiveOutgoingCall("650-555-1214",
|
||||
+ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA);
|
||||
+
|
||||
+ // Modify existing connection with StatusHints image exploit
|
||||
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
|
||||
+ StatusHints statusHints = new StatusHints(icon);
|
||||
+ assertNotNull(statusHints.getIcon());
|
||||
+ ConnectionServiceFixture.ConnectionInfo connectionInfo = mConnectionServiceFixtureA
|
||||
+ .mConnectionById.get(outgoing.mConnectionId);
|
||||
+ connectionInfo.statusHints = statusHints;
|
||||
+
|
||||
+ // Invoke ConnectionServiceWrapper#setStatusHints.
|
||||
+ // Note that the calling user would be User 0.
|
||||
+ mConnectionServiceFixtureA.sendSetStatusHints(outgoing.mConnectionId);
|
||||
+ waitForHandlerAction(mConnectionServiceFixtureA.mConnectionServiceDelegate.getHandler(),
|
||||
+ TEST_TIMEOUT);
|
||||
+
|
||||
+ // Ensure that StatusHints was set.
|
||||
+ assertNotNull(mInCallServiceFixtureX.getCall(outgoing.mCallId).getStatusHints());
|
||||
+ // Ensure that the StatusHints image icon was disregarded.
|
||||
+ assertNull(mInCallServiceFixtureX.getCall(outgoing.mCallId)
|
||||
+ .getStatusHints().getIcon());
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Verifies that StatusHints image is validated in
|
||||
+ * ConnectionServiceWrapper#addExistingConnection when the image doesn't belong to the calling
|
||||
+ * user. Simulates a scenario where an app could manipulate the contents of the bundle and
|
||||
+ * send it via the binder to upload an image from another user.
|
||||
+ *
|
||||
+ * @throws Exception
|
||||
+ */
|
||||
+ @SmallTest
|
||||
+ @Test
|
||||
+ public void testValidateStatusHintsImage_addExistingConnection() throws Exception {
|
||||
+ IdPair outgoing = startAndMakeActiveOutgoingCall("650-555-1214",
|
||||
+ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA);
|
||||
+ Connection existingConnection = mConnectionServiceFixtureA.mLatestConnection;
|
||||
+
|
||||
+ // Modify existing connection with StatusHints image exploit
|
||||
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
|
||||
+ StatusHints modifiedStatusHints = new StatusHints(icon);
|
||||
+ assertNotNull(modifiedStatusHints.getIcon());
|
||||
+ ConnectionServiceFixture.ConnectionInfo connectionInfo = mConnectionServiceFixtureA
|
||||
+ .mConnectionById.get(outgoing.mConnectionId);
|
||||
+ connectionInfo.statusHints = modifiedStatusHints;
|
||||
+
|
||||
+ // Invoke ConnectionServiceWrapper#addExistingConnection.
|
||||
+ // Note that the calling user would be User 0.
|
||||
+ mConnectionServiceFixtureA.sendAddExistingConnection(outgoing.mConnectionId);
|
||||
+ waitForHandlerAction(mConnectionServiceFixtureA.mConnectionServiceDelegate.getHandler(),
|
||||
+ TEST_TIMEOUT);
|
||||
+
|
||||
+ // Ensure that StatusHints was set. Due to test setup, the ParcelableConnection object that
|
||||
+ // is passed into sendAddExistingConnection is instantiated on invocation. The call's
|
||||
+ // StatusHints are not updated at the time of completion, so instead, we can verify that
|
||||
+ // the ParcelableConnection object was modified.
|
||||
+ assertNotNull(mConnectionServiceFixtureA.mLatestParcelableConnection.getStatusHints());
|
||||
+ // Ensure that the StatusHints image icon was disregarded.
|
||||
+ assertNull(mConnectionServiceFixtureA.mLatestParcelableConnection
|
||||
+ .getStatusHints().getIcon());
|
||||
+ }
|
||||
}
|
||||
diff --git a/tests/src/com/android/server/telecom/tests/CallExtrasTest.java b/tests/src/com/android/server/telecom/tests/CallExtrasTest.java
|
||||
index 44578c519..219a81e63 100644
|
||||
--- a/tests/src/com/android/server/telecom/tests/CallExtrasTest.java
|
||||
+++ b/tests/src/com/android/server/telecom/tests/CallExtrasTest.java
|
||||
@@ -357,7 +357,7 @@ public class CallExtrasTest extends TelecomSystemTest {
|
||||
@LargeTest
|
||||
@Test
|
||||
public void testConferenceSetExtras() throws Exception {
|
||||
- ParcelableCall call = makeConferenceCall();
|
||||
+ ParcelableCall call = makeConferenceCall(null, null);
|
||||
String conferenceId = call.getId();
|
||||
|
||||
Conference conference = mConnectionServiceFixtureA.mLatestConference;
|
||||
@@ -400,7 +400,7 @@ public class CallExtrasTest extends TelecomSystemTest {
|
||||
@LargeTest
|
||||
@Test
|
||||
public void testConferenceExtraOperations() throws Exception {
|
||||
- ParcelableCall call = makeConferenceCall();
|
||||
+ ParcelableCall call = makeConferenceCall(null, null);
|
||||
String conferenceId = call.getId();
|
||||
Conference conference = mConnectionServiceFixtureA.mLatestConference;
|
||||
assertNotNull(conference);
|
||||
@@ -436,7 +436,7 @@ public class CallExtrasTest extends TelecomSystemTest {
|
||||
@LargeTest
|
||||
@Test
|
||||
public void testConferenceICS() throws Exception {
|
||||
- ParcelableCall call = makeConferenceCall();
|
||||
+ ParcelableCall call = makeConferenceCall(null, null);
|
||||
String conferenceId = call.getId();
|
||||
Conference conference = mConnectionServiceFixtureA.mLatestConference;
|
||||
|
||||
diff --git a/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java b/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java
|
||||
index 3154b7d0d..f91863fbe 100644
|
||||
--- a/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java
|
||||
+++ b/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java
|
||||
@@ -67,6 +67,7 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
static int INVALID_VIDEO_STATE = -1;
|
||||
public CountDownLatch mExtrasLock = new CountDownLatch(1);
|
||||
static int NOT_SPECIFIED = 0;
|
||||
+ public static final String STATUS_HINTS_EXTRA = "updateStatusHints";
|
||||
|
||||
/**
|
||||
* Implementation of ConnectionService that performs no-ops for tasks normally meant for
|
||||
@@ -101,6 +102,11 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
if (mProperties != NOT_SPECIFIED) {
|
||||
fakeConnection.setConnectionProperties(mProperties);
|
||||
}
|
||||
+ // Testing for StatusHints image icon cross user access
|
||||
+ if (request.getExtras() != null) {
|
||||
+ fakeConnection.setStatusHints(
|
||||
+ request.getExtras().getParcelable(STATUS_HINTS_EXTRA));
|
||||
+ }
|
||||
|
||||
return fakeConnection;
|
||||
}
|
||||
@@ -117,6 +123,11 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
if (mProperties != NOT_SPECIFIED) {
|
||||
fakeConnection.setConnectionProperties(mProperties);
|
||||
}
|
||||
+ // Testing for StatusHints image icon cross user access
|
||||
+ if (request.getExtras() != null) {
|
||||
+ fakeConnection.setStatusHints(
|
||||
+ request.getExtras().getParcelable(STATUS_HINTS_EXTRA));
|
||||
+ }
|
||||
return fakeConnection;
|
||||
}
|
||||
|
||||
@@ -133,6 +144,12 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
Conference fakeConference = new FakeConference();
|
||||
fakeConference.addConnection(cxn1);
|
||||
fakeConference.addConnection(cxn2);
|
||||
+ if (cxn1.getStatusHints() != null || cxn2.getStatusHints() != null) {
|
||||
+ // For testing purposes, pick one of the status hints that isn't null.
|
||||
+ StatusHints statusHints = cxn1.getStatusHints() != null
|
||||
+ ? cxn1.getStatusHints() : cxn2.getStatusHints();
|
||||
+ fakeConference.setStatusHints(statusHints);
|
||||
+ }
|
||||
mLatestConference = fakeConference;
|
||||
addConference(fakeConference);
|
||||
} else {
|
||||
@@ -438,6 +455,7 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
|
||||
public String mLatestConnectionId;
|
||||
public Connection mLatestConnection;
|
||||
+ public ParcelableConnection mLatestParcelableConnection;
|
||||
public Conference mLatestConference;
|
||||
public final Set<IConnectionServiceAdapter> mConnectionServiceAdapters = new HashSet<>();
|
||||
public final Map<String, ConnectionInfo> mConnectionById = new HashMap<>();
|
||||
@@ -672,7 +690,7 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
}
|
||||
|
||||
private ParcelableConnection parcelable(ConnectionInfo c) {
|
||||
- return new ParcelableConnection(
|
||||
+ mLatestParcelableConnection = new ParcelableConnection(
|
||||
c.request.getAccountHandle(),
|
||||
c.state,
|
||||
c.capabilities,
|
||||
@@ -692,5 +710,6 @@ public class ConnectionServiceFixture implements TestFixture<IConnectionService>
|
||||
c.disconnectCause,
|
||||
c.conferenceableConnectionIds,
|
||||
c.extras);
|
||||
+ return mLatestParcelableConnection;
|
||||
}
|
||||
}
|
||||
diff --git a/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java b/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java
|
||||
index 4cf76444a..c98b7e699 100644
|
||||
--- a/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java
|
||||
+++ b/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java
|
||||
@@ -374,12 +374,13 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
super.tearDown();
|
||||
}
|
||||
|
||||
- protected ParcelableCall makeConferenceCall() throws Exception {
|
||||
- IdPair callId1 = startAndMakeActiveOutgoingCall("650-555-1212",
|
||||
- mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA);
|
||||
+ protected ParcelableCall makeConferenceCall(
|
||||
+ Intent callIntentExtras1, Intent callIntentExtras2) throws Exception {
|
||||
+ IdPair callId1 = startAndMakeActiveOutgoingCallWithExtras("650-555-1212",
|
||||
+ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, callIntentExtras1);
|
||||
|
||||
- IdPair callId2 = startAndMakeActiveOutgoingCall("650-555-1213",
|
||||
- mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA);
|
||||
+ IdPair callId2 = startAndMakeActiveOutgoingCallWithExtras("650-555-1213",
|
||||
+ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, callIntentExtras2);
|
||||
|
||||
IInCallAdapter inCallAdapter = mInCallServiceFixtureX.getInCallAdapter();
|
||||
inCallAdapter.conference(callId1.mCallId, callId2.mCallId);
|
||||
@@ -582,17 +583,17 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
throws Exception {
|
||||
|
||||
return startOutgoingPhoneCall(number, phoneAccountHandle, connectionServiceFixture,
|
||||
- initiatingUser, VideoProfile.STATE_AUDIO_ONLY);
|
||||
+ initiatingUser, VideoProfile.STATE_AUDIO_ONLY, null);
|
||||
}
|
||||
|
||||
protected IdPair startOutgoingPhoneCall(String number, PhoneAccountHandle phoneAccountHandle,
|
||||
ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser,
|
||||
- int videoState) throws Exception {
|
||||
+ int videoState, Intent callIntentExtras) throws Exception {
|
||||
int startingNumConnections = connectionServiceFixture.mConnectionById.size();
|
||||
int startingNumCalls = mInCallServiceFixtureX.mCallById.size();
|
||||
|
||||
startOutgoingPhoneCallPendingCreateConnection(number, phoneAccountHandle,
|
||||
- connectionServiceFixture, initiatingUser, videoState);
|
||||
+ connectionServiceFixture, initiatingUser, videoState, callIntentExtras);
|
||||
|
||||
verify(connectionServiceFixture.getTestDouble(), timeout(TEST_TIMEOUT))
|
||||
.createConnectionComplete(anyString(), any());
|
||||
@@ -631,7 +632,7 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
mIsEmergencyCall = true;
|
||||
// Call will not use the ordered broadcaster, since it is an Emergency Call
|
||||
startOutgoingPhoneCallWaitForBroadcaster(number, phoneAccountHandle,
|
||||
- connectionServiceFixture, initiatingUser, videoState, true /*isEmergency*/);
|
||||
+ connectionServiceFixture, initiatingUser, videoState, true /*isEmergency*/, null);
|
||||
|
||||
return outgoingCallCreateConnectionComplete(startingNumConnections, startingNumCalls,
|
||||
phoneAccountHandle, connectionServiceFixture);
|
||||
@@ -640,7 +641,7 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
protected void startOutgoingPhoneCallWaitForBroadcaster(String number,
|
||||
PhoneAccountHandle phoneAccountHandle,
|
||||
ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser,
|
||||
- int videoState, boolean isEmergency) throws Exception {
|
||||
+ int videoState, boolean isEmergency, Intent actionCallIntent) throws Exception {
|
||||
reset(connectionServiceFixture.getTestDouble(), mInCallServiceFixtureX.getTestDouble(),
|
||||
mInCallServiceFixtureY.getTestDouble());
|
||||
|
||||
@@ -653,7 +654,9 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
|
||||
boolean hasInCallAdapter = mInCallServiceFixtureX.mInCallAdapter != null;
|
||||
|
||||
- Intent actionCallIntent = new Intent();
|
||||
+ if (actionCallIntent == null) {
|
||||
+ actionCallIntent = new Intent();
|
||||
+ }
|
||||
actionCallIntent.setData(Uri.parse("tel:" + number));
|
||||
actionCallIntent.putExtra(Intent.EXTRA_PHONE_NUMBER, number);
|
||||
if(isEmergency) {
|
||||
@@ -699,9 +702,9 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
protected String startOutgoingPhoneCallPendingCreateConnection(String number,
|
||||
PhoneAccountHandle phoneAccountHandle,
|
||||
ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser,
|
||||
- int videoState) throws Exception {
|
||||
+ int videoState, Intent callIntentExtras) throws Exception {
|
||||
startOutgoingPhoneCallWaitForBroadcaster(number,phoneAccountHandle,
|
||||
- connectionServiceFixture, initiatingUser, videoState, false /*isEmergency*/);
|
||||
+ connectionServiceFixture, initiatingUser, videoState, false /*isEmergency*/, callIntentExtras);
|
||||
|
||||
ArgumentCaptor<Intent> newOutgoingCallIntent =
|
||||
ArgumentCaptor.forClass(Intent.class);
|
||||
@@ -798,14 +801,24 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
PhoneAccountHandle phoneAccountHandle,
|
||||
final ConnectionServiceFixture connectionServiceFixture) throws Exception {
|
||||
return startIncomingPhoneCall(number, phoneAccountHandle, VideoProfile.STATE_AUDIO_ONLY,
|
||||
- connectionServiceFixture);
|
||||
+ connectionServiceFixture, null);
|
||||
+ }
|
||||
+
|
||||
+ protected IdPair startIncomingPhoneCallWithExtras(
|
||||
+ String number,
|
||||
+ PhoneAccountHandle phoneAccountHandle,
|
||||
+ final ConnectionServiceFixture connectionServiceFixture,
|
||||
+ Bundle extras) throws Exception {
|
||||
+ return startIncomingPhoneCall(number, phoneAccountHandle, VideoProfile.STATE_AUDIO_ONLY,
|
||||
+ connectionServiceFixture, extras);
|
||||
}
|
||||
|
||||
protected IdPair startIncomingPhoneCall(
|
||||
String number,
|
||||
PhoneAccountHandle phoneAccountHandle,
|
||||
int videoState,
|
||||
- final ConnectionServiceFixture connectionServiceFixture) throws Exception {
|
||||
+ final ConnectionServiceFixture connectionServiceFixture,
|
||||
+ Bundle extras) throws Exception {
|
||||
reset(connectionServiceFixture.getTestDouble(), mInCallServiceFixtureX.getTestDouble(),
|
||||
mInCallServiceFixtureY.getTestDouble());
|
||||
|
||||
@@ -822,7 +835,9 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
new IncomingCallAddedListener(incomingCallAddedLatch);
|
||||
mTelecomSystem.getCallsManager().addListener(callAddedListener);
|
||||
|
||||
- Bundle extras = new Bundle();
|
||||
+ if (extras == null) {
|
||||
+ extras = new Bundle();
|
||||
+ }
|
||||
extras.putParcelable(
|
||||
TelecomManager.EXTRA_INCOMING_CALL_ADDRESS,
|
||||
Uri.fromParts(PhoneAccount.SCHEME_TEL, number, null));
|
||||
@@ -916,7 +931,16 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
PhoneAccountHandle phoneAccountHandle,
|
||||
ConnectionServiceFixture connectionServiceFixture) throws Exception {
|
||||
return startAndMakeActiveOutgoingCall(number, phoneAccountHandle, connectionServiceFixture,
|
||||
- VideoProfile.STATE_AUDIO_ONLY);
|
||||
+ VideoProfile.STATE_AUDIO_ONLY, null);
|
||||
+ }
|
||||
+
|
||||
+ protected IdPair startAndMakeActiveOutgoingCallWithExtras(
|
||||
+ String number,
|
||||
+ PhoneAccountHandle phoneAccountHandle,
|
||||
+ ConnectionServiceFixture connectionServiceFixture,
|
||||
+ Intent callIntentExtras) throws Exception {
|
||||
+ return startAndMakeActiveOutgoingCall(number, phoneAccountHandle, connectionServiceFixture,
|
||||
+ VideoProfile.STATE_AUDIO_ONLY, callIntentExtras);
|
||||
}
|
||||
|
||||
// A simple outgoing call, verifying that the appropriate connection service is contacted,
|
||||
@@ -924,9 +948,10 @@ public class TelecomSystemTest extends TelecomTestCase {
|
||||
protected IdPair startAndMakeActiveOutgoingCall(
|
||||
String number,
|
||||
PhoneAccountHandle phoneAccountHandle,
|
||||
- ConnectionServiceFixture connectionServiceFixture, int videoState) throws Exception {
|
||||
+ ConnectionServiceFixture connectionServiceFixture, int videoState,
|
||||
+ Intent callIntentExtras) throws Exception {
|
||||
IdPair ids = startOutgoingPhoneCall(number, phoneAccountHandle, connectionServiceFixture,
|
||||
- Process.myUserHandle(), videoState);
|
||||
+ Process.myUserHandle(), videoState, callIntentExtras);
|
||||
|
||||
connectionServiceFixture.sendSetDialing(ids.mConnectionId);
|
||||
if (phoneAccountHandle != mPhoneAccountSelfManaged.getAccountHandle()) {
|
||||
diff --git a/tests/src/com/android/server/telecom/tests/VideoCallTests.java b/tests/src/com/android/server/telecom/tests/VideoCallTests.java
|
||||
index 97e71d18b..84beedc0f 100644
|
||||
--- a/tests/src/com/android/server/telecom/tests/VideoCallTests.java
|
||||
+++ b/tests/src/com/android/server/telecom/tests/VideoCallTests.java
|
||||
@@ -105,7 +105,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
// Start an incoming video call.
|
||||
IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212",
|
||||
mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA,
|
||||
- VideoProfile.STATE_BIDIRECTIONAL);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, null);
|
||||
|
||||
verifyAudioRoute(CallAudioState.ROUTE_SPEAKER);
|
||||
}
|
||||
@@ -121,7 +121,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
// Start an incoming video call.
|
||||
IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212",
|
||||
mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA,
|
||||
- VideoProfile.STATE_TX_ENABLED);
|
||||
+ VideoProfile.STATE_TX_ENABLED, null);
|
||||
|
||||
verifyAudioRoute(CallAudioState.ROUTE_SPEAKER);
|
||||
}
|
||||
@@ -137,7 +137,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
// Start an incoming video call.
|
||||
IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212",
|
||||
mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA,
|
||||
- VideoProfile.STATE_AUDIO_ONLY);
|
||||
+ VideoProfile.STATE_AUDIO_ONLY, null);
|
||||
|
||||
verifyAudioRoute(CallAudioState.ROUTE_EARPIECE);
|
||||
}
|
||||
@@ -165,7 +165,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
@Test
|
||||
public void testIncomingVideoCallMissedCheckVideoHistory() throws Exception {
|
||||
IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
|
||||
@@ -182,7 +182,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
@Test
|
||||
public void testIncomingVideoCallRejectedCheckVideoHistory() throws Exception {
|
||||
IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
|
||||
@@ -201,7 +201,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
public void testOutgoingVideoCallCanceledCheckVideoHistory() throws Exception {
|
||||
IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
mConnectionServiceFixtureA, Process.myUserHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
|
||||
@@ -219,7 +219,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
public void testOutgoingVideoCallRejectedCheckVideoHistory() throws Exception {
|
||||
IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
mConnectionServiceFixtureA, Process.myUserHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
|
||||
@@ -237,7 +237,7 @@ public class VideoCallTests extends TelecomSystemTest {
|
||||
public void testOutgoingVideoCallAnsweredAsAudio() throws Exception {
|
||||
IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(),
|
||||
mConnectionServiceFixtureA, Process.myUserHandle(),
|
||||
- VideoProfile.STATE_BIDIRECTIONAL);
|
||||
+ VideoProfile.STATE_BIDIRECTIONAL, null);
|
||||
com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls()
|
||||
.iterator().next();
|
||||
|
@ -9,15 +9,23 @@ Test: atest NotificationManagerServiceTest
|
||||
Merged-In: I1efaa1301bca36895ad4322a919d7421156a60df
|
||||
Change-Id: I1efaa1301bca36895ad4322a919d7421156a60df
|
||||
---
|
||||
core/java/android/app/Notification.java | 19 +++++++++++++++++++
|
||||
core/java/android/app/Notification.java | 20 +++++++++++++++++++
|
||||
.../NotificationManagerServiceTest.java | 7 ++++++-
|
||||
2 files changed, 25 insertions(+), 1 deletion(-)
|
||||
2 files changed, 26 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
|
||||
index 3e75c52bf893..107becdfbcff 100644
|
||||
index 3e75c52bf893..8f0b36cf2a87 100644
|
||||
--- a/core/java/android/app/Notification.java
|
||||
+++ b/core/java/android/app/Notification.java
|
||||
@@ -2434,6 +2434,14 @@ public class Notification implements Parcelable
|
||||
@@ -18,6 +18,7 @@ package android.app;
|
||||
|
||||
import static android.annotation.Dimension.DP;
|
||||
import static android.graphics.drawable.Icon.TYPE_BITMAP;
|
||||
+import static android.graphics.drawable.Icon.TYPE_URI;
|
||||
|
||||
import static com.android.internal.util.ContrastColorUtil.satisfiesTextContrast;
|
||||
|
||||
@@ -2434,6 +2435,14 @@ public class Notification implements Parcelable
|
||||
}
|
||||
}
|
||||
|
||||
@ -32,7 +40,7 @@ index 3e75c52bf893..107becdfbcff 100644
|
||||
/**
|
||||
* Note all {@link Uri} that are referenced internally, with the expectation
|
||||
* that Uri permission grants will need to be issued to ensure the recipient
|
||||
@@ -2449,7 +2457,18 @@ public class Notification implements Parcelable
|
||||
@@ -2449,7 +2458,18 @@ public class Notification implements Parcelable
|
||||
if (bigContentView != null) bigContentView.visitUris(visitor);
|
||||
if (headsUpContentView != null) headsUpContentView.visitUris(visitor);
|
||||
|
||||
|
@ -98,7 +98,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
|
||||
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
sed -i 's/2022-01-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-07 #XXX
|
||||
sed -i 's/2022-01-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-08 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -110,6 +110,10 @@ applyPatch "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.pat
|
||||
echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #Ignore neverallow violations XXX: necessary for -user builds of legacy devices
|
||||
fi;
|
||||
|
||||
if enterAndClear "external/aac"; then
|
||||
applyPatch "$DOS_PATCHES/android_external_aac/364027.patch"; #R_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
|
||||
fi;
|
||||
|
||||
if enterAndClear "external/chromium-webview"; then
|
||||
if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPICK; fi; #Update the WebView to latest if available
|
||||
if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available
|
||||
@ -135,6 +139,7 @@ fi;
|
||||
|
||||
if enterAndClear "external/freetype"; then
|
||||
applyPatch "$DOS_PATCHES/android_external_freetype/360951.patch"; #R_asb_2023-07 Cherry-pick two upstream changes
|
||||
#applyPatch "$DOS_PATCHES/android_external_freetype/364028-backport.patch"; #R_asb_2023-08 Cherrypick following three changes #XXX: needs fix
|
||||
fi;
|
||||
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
|
||||
@ -162,6 +167,15 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/360955-backport.patch"; #R_asb_
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360959-backport.patch"; #R_asb_2023-07 Dismiss keyguard when simpin auth'd and security method is none.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360962-backport.patch"; #R_asb_2023-07 Truncate ShortcutInfo Id
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360963-backport.patch"; #R_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364029.patch"; #R_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364031-backport.patch"; #R_asb_2023-08 Verify URI permissions for notification shortcutIcon.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364032-backport.patch"; #R_asb_2023-08 On device lockdown, always show the keyguard
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364033-backport.patch"; #R_asb_2023-08 Ensure policy has no absurdly long strings
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364034.patch"; #R_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364035-backport.patch"; #R_asb_2023-08 Check URIs in notification public version.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
|
||||
@ -344,9 +358,14 @@ if enterAndClear "packages/providers/DownloadProvider"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
#if enterAndClear "packages/providers/TelephonyProvider"; then
|
||||
if enterAndClear "packages/providers/TelephonyProvider"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/364040-backport.patch"; #R_asb_2023-08 Update file permissions using canonical path
|
||||
#cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/;
|
||||
#fi;
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/services/Telecomm"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/services/Telephony"; then
|
||||
git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
|
||||
|
Loading…
Reference in New Issue
Block a user