18.1: July ASB work

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-07-15 14:10:41 -04:00
parent 30b658da98
commit 837cfbbf48
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
13 changed files with 279 additions and 11 deletions


@ -23,7 +23,7 @@ index eb64db7493cc..31b960716b4b 100644
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 0320c4b20c93..374fa4ea084e 100644
index 64a1b5b6bb6a..e2eb882cb14e 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2650,7 +2650,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -128,7 +128,7 @@ index 189544f98594..9badc8c4d9c0 100644
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 374fa4ea084e..182679b779e9 100644
index e2eb882cb14e..cb6caf9e2577 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2650,7 +2650,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -17,7 +17,7 @@ As a result, PackageManagerService is no longer modified.
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index eb27a13523ba..0320c4b20c93 100644
index 53164c7424d5..64a1b5b6bb6a 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1462,7 +1462,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -145,7 +145,7 @@ index 790d7f7ab694..4f7fd039ccd7 100644
OsConstants._LINUX_CAPABILITY_VERSION_3, 0);
StructCapUserData[] data;
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index e6a3029c5b2b..5e4518cffb9f 100644
index b2c0a6b98273..2c0acd3b2498 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -29,6 +29,7 @@ import android.net.Credentials;
@ -156,7 +156,7 @@ index e6a3029c5b2b..5e4518cffb9f 100644
import android.os.Trace;
import android.system.ErrnoException;
import android.system.Os;
@@ -501,6 +502,13 @@ class ZygoteConnection {
@@ -504,6 +505,13 @@ class ZygoteConnection {
throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
} else {
if (!isZygote) {


@ -78,10 +78,10 @@ index a7d9827855a2..aa874ad98a78 100644
+ public static native void nativeHandleRuntimeFlags(int runtimeFlags);
}
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index f31616fc88fb..f5044f9ecbb0 100644
index b2f65145358a..9fb4ae12922e 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -505,7 +505,7 @@ class ZygoteConnection {
@@ -508,7 +508,7 @@ class ZygoteConnection {
if (SystemProperties.getBoolean("sys.spawn.exec", false) &&
(parsedArgs.mRuntimeFlags & ApplicationInfo.FLAG_DEBUGGABLE) == 0) {
ExecInit.execApplication(parsedArgs.mNiceName, parsedArgs.mTargetSdkVersion,


@ -10,10 +10,10 @@ spawning when doing debugging.
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 5e4518cffb9f..f31616fc88fb 100644
index 2c0acd3b2498..b2f65145358a 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -502,7 +502,8 @@ class ZygoteConnection {
@@ -505,7 +505,8 @@ class ZygoteConnection {
throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
} else {
if (!isZygote) {


@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Thu, 29 Feb 2024 12:03:05 +0000
Subject: [PATCH] Verify UID of incoming Zygote connections.
Only the system UID should be allowed to connect to the Zygote. While
for generic Zygotes this is also covered by SELinux policy, this is not
true for App Zygotes: the preload code running in an app zygote could
connect to another app zygote socket, if it had access to its (random)
socket address.
On the Java layer, simply check the UID when the connection is made. In
the native layer, this check was already present, but it actually didn't
work in the case where we receive a new incoming connection on the
socket, and receive a 'non-fork' command: in that case, we will simply
exit the native loop, and let the Java layer handle the command, without
any further UID checking.
Modified the native logic to drop new connections with a mismatching
UID, and to keep serving the existing connection (if it was still
there).
Bug: 319081336
Test: manual
(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
---
core/java/com/android/internal/os/ZygoteConnection.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index e6a3029c5b2b..b2c0a6b98273 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -98,6 +98,9 @@ class ZygoteConnection {
throw ex;
}
+ if (peer.getUid() != Process.SYSTEM_UID) {
+ throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
+ }
isEof = false;
}
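Review bot: The native half of the fix that the patch header describes (`Modified the native logic to drop new connections with a mismatching UID`) is not in this backport — the diffstat lists only ZygoteConnection.java with 3 insertions — so on 18.1 the only enforcement is the Java check added here. That may be enough if the Java constructor is the first thing to touch every accepted socket on this branch, but it is not visible here whether 18.1's ZygoteServer has the native accept path the message is worried about, so the omission should be stated in the patch header rather than left to look like a complete cherry-pick. The added `peer.getUid() != Process.SYSTEM_UID` also assumes `android.os.Process` is already imported in this file, since no import hunk is included; confirm that on the 18.1 tree. The constructor this lands in starts outside the hunk.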


@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yi-an Chen <theianchen@google.com>
Date: Tue, 23 Apr 2024 21:53:02 +0000
Subject: [PATCH] Fix security vulnerability of non-dynamic permission removal
The original removePermission() code in PermissionManagerService
missed a logical negation operator when handling non-dynamic
permissions, causing both
testPermissionPermission_nonDynamicPermission_permissionUnchanged and
testRemovePermission_dynamicPermission_permissionRemoved tests in
DynamicPermissionsTest to fail.
The corresponding test DynamicPermissionsTest is also updated in the
other CL: ag/27073864
Bug: 321711213
Test: DynamicPermissionsTest on sc-dev and tm-dev locally
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35d77a77feef62dc108f6478cb9228cc6044f70d)
Merged-In: Id573b75cdcfce3a1df5731ffb00c4228c513e686
Change-Id: Id573b75cdcfce3a1df5731ffb00c4228c513e686
---
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index eb27a13523ba..53164c7424d5 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -641,7 +641,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
if (bp == null) {
return;
}
- if (bp.isDynamic()) {
+ if (!bp.isDynamic()) {
// TODO: switch this back to SecurityException
Slog.wtf(TAG, "Not allowed to modify non-dynamic permission "
+ permName);
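Review bot: With the negation fixed, the non-dynamic branch at the bottom of the hunk still only logs through `Slog.wtf` under a `// TODO: switch this back to SecurityException`, so a caller that tries to remove a built-in permission is refused silently rather than with an error — assuming the `return` that should follow the log, which is outside the hunk, is present on this branch. For a hardened build the TODO is worth acting on, `throw new SecurityException("Not allowed to modify non-dynamic permission " + permName);`, since any caller reaching this branch is already misbehaving; if compatibility argues against it, at least note in the patch header that the fix turns the branch into a logged no-op. removePermission's body continues outside the hunk.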


@ -17,7 +17,7 @@ Signed-off-by: Tad <tad@spotco.us>
create mode 100644 src/com/android/settings/security/CarrierConfig2PreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 3d2b61cc580..e07fd234aa0 100644
index 3d2b61cc580..5a51dd12f10 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11981,6 +11981,9 @@


@ -0,0 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Omar Eissa <oeissa@google.com>
Date: Mon, 15 Apr 2024 12:04:56 +0000
Subject: [PATCH] Prevent insertion in other users storage volumes
Don't allow file insertion in other users storage volumes.
This was already handled if DATA was explicitly set in content values,
but was allowed if DATA was generated based on other values like RELATIVE_PATH and DISPLAY_NAME.
Insertion of files in other users storage volumes can be used by malicious apps
to get access to other users files, since the same file would exist in both users MP databases
which would lead to MP falsely assuming that the user has access to this file.
Bug: 294406604
Test: atest MediaProviderTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df39f8486b25473d0bdbeed896ad917e3c793bf9)
Merged-In: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
Change-Id: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
---
src/com/android/providers/media/MediaProvider.java | 1 +
tests/src/com/android/providers/media/MediaProviderTest.java | 5 ++---
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index 5b3a8c41e..3b040f9d1 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
@@ -2652,6 +2652,7 @@ public class MediaProvider extends ContentProvider {
FileUtils.sanitizeValues(values, /*rewriteHiddenFileName*/ !isFuseThread());
FileUtils.computeDataFromValues(values, volumePath, isFuseThread());
+ assertFileColumnsConsistent(match, uri, values);
// Create result file
File res = new File(values.getAsString(MediaColumns.DATA));
diff --git a/tests/src/com/android/providers/media/MediaProviderTest.java b/tests/src/com/android/providers/media/MediaProviderTest.java
index 83b722e07..b865f28e2 100644
--- a/tests/src/com/android/providers/media/MediaProviderTest.java
+++ b/tests/src/com/android/providers/media/MediaProviderTest.java
@@ -316,9 +316,8 @@ public class MediaProviderTest {
@Test
public void testInsertionWithInvalidFilePath_throwsIllegalArgumentException() {
final ContentValues values = new ContentValues();
- values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example");
- values.put(MediaStore.Images.Media.DISPLAY_NAME,
- "./../../../../../../../../../../../data/media/test.txt");
+ values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example/");
+ values.put(MediaStore.Images.Media.DISPLAY_NAME, "data/media/test.txt");
assertThrows(
IllegalArgumentException.class, () -> sIsolatedResolver.insert(
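Review bot: The added `assertFileColumnsConsistent(match, uri, values)` call has no definition in this backport — the diffstat touches only the insert path and the test — so it builds only if that helper already exists in the 18.1 MediaProvider, and the build script in this same commit leaves the patch commented out with `#XXX`, which suggests it does not. Until the helper is ported, bug 294406604 stays open on 18.1; the patch header or the script comment should say that explicitly instead of a bare `#XXX`. Note also that the rewritten test drops the `../` traversal form of DISPLAY_NAME the old test exercised; if that path is still expected to be rejected, keeping one traversal case next to the new cross-volume case preserves that coverage. The insert method this lands in starts and ends outside the hunk.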


@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 21:14:56 +0000
Subject: [PATCH] Fix an authentication bypass bug in SMP
When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.
Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
---
stack/smp/smp_act.cc | 12 ++++++++++++
stack/smp/smp_int.h | 1 +
2 files changed, 13 insertions(+)
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index c1f143e92..7edd7bd60 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -284,6 +284,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
+ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
}
/*******************************************************************************
@@ -665,6 +666,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
return;
}
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
+ // in legacy pairing, the peer should send its rand after
+ // we send our confirm
+ tSMP_INT_DATA smp_int_data{};
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
/* save the SRand for comparison */
STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
}
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index 72fdf55a9..e3063c57d 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -241,6 +241,7 @@ typedef union {
(1 << 7) /* used to resolve race condition */
#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
(1 << 8) /* used on slave to resolve race condition */
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
/* check if authentication requirement need MITM protection */
#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)
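Review bot: `SMP_PAIR_FLAGS_CMD_CONFIRM_SENT` is set in smp_send_confirm but nothing in this patch clears it, so the new guard in smp_proc_rand only holds across pairings if `p_cb->flags` is reset between them (presumably in the control-block reset path, outside this hunk) — worth confirming on the 18.1 tree, because a stale bit from a previous pairing on the same control block would let a remote-initiated legacy pairing deliver its rand before our confirm again. The guard itself reads correctly for both roles: in legacy pairing each side's rand follows the other side's confirm, so a peer rand arriving before our confirm has no legitimate ordering. The enclosing function starts outside the hunk.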


@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 21:14:56 +0000
Subject: [PATCH] Fix an authentication bypass bug in SMP
When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.
Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
---
stack/smp/smp_act.cc | 12 ++++++++++++
stack/smp/smp_int.h | 1 +
2 files changed, 13 insertions(+)
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index c2023e421..546024aef 100755
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -300,6 +300,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
+ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
}
/*******************************************************************************
@@ -661,6 +662,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
return;
}
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
+ // in legacy pairing, the peer should send its rand after
+ // we send our confirm
+ tSMP_INT_DATA smp_int_data{};
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
/* save the SRand for comparison */
STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
}
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index 34267ecf7..3cf2a96b4 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -248,6 +248,7 @@ enum {
(1 << 7) /* used to resolve race condition */
#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
(1 << 8) /* used on slave to resolve race condition */
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
/* check if authentication requirement need MITM protection */
#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)
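Review bot: The new flag definition at the end of smp_int.h is the only entry in that list without a trailing comment saying what it guards, and its plural `FLAGS_` prefix differs from the neighbouring `SMP_PAIR_FLAG_` names; keep the upstream identifier for cherry-pick fidelity, but add the comment, e.g. `#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9) /* our CONFIRM is out; legacy-pairing rand accepted only after this */`. Only bits 7 and 8 are visible as context, so confirm the vendor tree defines no other bit 9 in this flag set. The `smp_proc_init` context in the hunk header appears to be git's nearest-function heuristic — the lines shown (`save the SRand for comparison`) match the rand handler in the system/bt copy — so it does not indicate a different landing spot, but the enclosing function starts outside the hunk either way.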


@ -93,7 +93,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
sed -i 's/2024-02-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-06
sed -i 's/2024-02-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #X_asb_2024-07
fi;
if enterAndClear "build/soong"; then
@ -156,6 +156,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/394560.patch"; #R_asb_2024-06 A
applyPatch "$DOS_PATCHES/android_frameworks_base/394561.patch"; #R_asb_2024-06 Check hidden API exemptions
applyPatch "$DOS_PATCHES/android_frameworks_base/394562.patch"; #R_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
applyPatch "$DOS_PATCHES/android_frameworks_base/394563.patch"; #R_asb_2024-06 Check permissions for CDM shell commands
applyPatch "$DOS_PATCHES/android_frameworks_base/397450-backport.patch"; #S_asb_2024-07 Verify UID of incoming Zygote connections.
applyPatch "$DOS_PATCHES/android_frameworks_base/397451.patch"; #S_asb_2024-07 Fix security vulnerability of non-dynamic permission removal
git revert --no-edit 438d9feacfcad73d3ee918541574132928a93644; #Reverts "Allow signature spoofing for microG Companion/Services" in favor of below patch
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
@ -408,6 +410,10 @@ if enterAndClear "packages/providers/DownloadProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
#if enterAndClear "packages/providers/MediaProvider"; then
#applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/397453-backport.patch"; #S_asb_2024-07 Prevent insertion in other users storage volumes #XXX
#fi;
if enterAndClear "packages/providers/TelephonyProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/304614.patch"; #mcc/mnc fix (Sony)
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/312102.patch"; #mnc fix (Sony)
@ -421,6 +427,7 @@ if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/385557.patch"; #R_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
applyPatch "$DOS_PATCHES/android_system_bt/385558.patch"; #R_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/385559.patch"; #R_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
applyPatch "$DOS_PATCHES/android_system_bt/397454-backport.patch"; #S_asb_2024-07 Fix an authentication bypass bug in SMP
git am "$DOS_PATCHES/android_system_bt/a2dp-master-fixes.patch"; #topic (AOSP)
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi;
@ -473,6 +480,7 @@ if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385591.patch"; #R_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385592.patch"; #R_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385593.patch"; #R_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/397455.patch"; #S_asb_2024-07 Fix an authentication bypass bug in SMP
fi;
if enterAndClear "vendor/lineage"; then
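Review bot: In the packages/providers/MediaProvider hunk the July patch is added commented out with a bare `#XXX`, so the fix for bug 294406604 (file insertion into other users' storage volumes) is silently skipped on 18.1 while the security string a few hunks earlier is bumped to 2024-07-05. If the patch does not build here — its added `assertFileColumnsConsistent` call has no definition in the backport — say so in the comment and track it, e.g. `#XXX: needs assertFileColumnsConsistent() ported before this can be enabled`, so the gap is not lost. The new Zygote, permission and SMP lines follow the existing `applyPatch` convention and look fine.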