frameworks-base

Fork

Android 7.1.2 Release 39 (5787804)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXZfNqQAKCRDorT+BmrEO
eNp2AKCSTHz3GAfcnkBg8I8QqGFbfJiekwCfYxX1o1VPcaqUh5H3nd9+luEKWkY=
=kyPa
-----END PGP SIGNATURE-----

Merge tag 'android-7.1.2_r39' into nougat-x86

Android 7.1.2 Release 39 (5787804)

Conflicts:
services/core/java/com/android/server/clipboard/ClipboardService.java
services/core/java/com/android/server/wm/WindowManagerService.java

[RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() from startActivityInPackage

Previously startActivity would assume that the system was the calling user when
startActivityInPackage was called. Now the uid of the calling application is
forwarded by the system.

Test: manual; we added logging statements to check the value of realCallingUid
in startActivitiesMayWait when launching the calendar app from the calendar widget
and verified that it was the calendar uid rather than the system uid.

Bug: 123013720
Change-Id: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
Merged-In: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
(cherry picked from commit 216f65bf60a9fb6f3a495d083e5fbb54ae2a9f66)

Fix Layout.primaryIsTrailingPreviousAllLineOffsets

The CL fixes a crash in Layout.primaryIsTrailingPreviousAllLineOffsets.
The crash was happening when the method was called for a line beginning
with an empty bidi run. This could happen, for example, for empty text -
I was unable to find any other case. The CL improves the existing test
for the method with this case, which was previously crashing.

The CL also fixes a potential crash in getLineHorizontals. However, this
bug could never happen as in the current code path clamped is always
false (and kept as parameter for parity with getHorizontal).

Bug: 135444178
Bug: 78464361
Test: atest FrameworksCoreTests:android.text.LayoutTest\#testPrimaryIsTrailingPrevious
Change-Id: I47157abe1d74675884734e3810628a566e40c1b4
(cherry picked from commit 7ad499d00716f45fffdf7331493ed21d1b8d9b77)
(cherry picked from commit d3e81cd63f91533915feb159e0b4241729592963)

HidProfile: sync isPreferred() with HidHostService

HidHostService allow to connect when priority is PRIORITY_UNDEFINED.
HidProfile should return ture when priority is PRIORITY_UNDEFINED.
Otherwise, the "Input device" toggle in off state when HID device
connected.

Bug: 132456322
Test: manual
Change-Id: Id7bae694c57aec17e019d591c0a677e3cb64f845
(cherry picked from commit 830217f277e31e63d9ab8acd21ee2a8f81ee1c8f)

Clear the Parcel before writing an exception during a transaction

This prevents any object data from being accidentally overwritten by the
exception, which could cause unexpected malformed objects to be sent
across the transaction.

Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
Bug: 34175893
Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
(cherry picked from commit f8ef5bcf21c87d8617f5e11810cc94350298d114)

Protect VPN dialogs against overlay.

Bug: 130568701
Test: manual. After this, can't display on top of it
Change-Id: Ib032f800edb0416cc15f01a34954340d0d0ffa78
Merged-In: Ib032f800edb0416cc15f01a34954340d0d0ffa78
(cherry picked from commit 4e80dc2861614d25a1f957f50040a8cf04812d11)
(cherry picked from commit 016c72c8abfbae08eda269afb8923e8fc8a4ce44)

[RESTRICT AUTOMERGE] Make Lock task default behaviour consistent with Settings.

Bug: 127605586
Test: Manual
Change-Id: I5b5b0f9184220a4ed3080ca27792f66d1f5d41aa
(cherry picked from commit fe9f143d2c713475ed2e354e893ea26f5c2f7afa)

SUPL ES Extension - June 2019 rollup

Bug: 112159033
ASB: 2019-06
Change-Id: Iaf4b0295e726658852272de1cf857d9d55b63276

Limit IsSeparateProfileChallengeAllowed to system callers

Fixes: 128599668
Test: build, set up separate challenge
Merged-In: I2fef9ab13614627c0f1bcca04759d0974fc6181a
Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a
(cherry picked from commit 9061fcc46bb1ac5ffc16d036b632dd80963b7b52)

[RESTRICT AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage

Test: atest
Fixes: 128599467
Change-Id: I13a0ca7590f8c4b44379730e0ee2088aba400c2a
(cherry picked from commit 657d164136199126ae241848887de0230699cea0)
(cherry picked from commit a2b2e377a0a63cbe9c8bfdfcab1167e55f36a59b)

[RESTRICT AUTOMERGE] Added missing permission check to isPackageDeviceAdminOnAnyUser.

Added a check for the MANAGE_USERS permission to
PackageManagerService#isPackageDeviceAdminOnAnyUser.

Test: Modify the settings app to log the call attempt and follow the
steps below

In order to work around the limitations of N builds we needed to modify
the settings app to log the call attempt. This is described in detail at
b/128599183#comment15

Bug: 128599183
Change-Id: Ie96c8e174983f61574f12d5d4b210d06377054e5
(cherry picked from commit 7b5a576965696747041c93306a41ed656404ed20)

Permission Check For DPM.getPermittedAccessibilityServices

Bug: 128599660
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest
Change-Id: I8be915bd6a4ff99884d23005a4c6f0100806dbe8
Merged-In: I8ee3f876fcaffa63636645f0f59709cd147254ef
(cherry picked from commit 4fd13eefcf99d9b9b0d5f5ea99fdc7c799c83d23)

DO NOT MERGE - SUPL ES Extension - Safer Init and Not After Boot

Safe order of pointer setting and background thread start
Verifying mCallEndElapsedRealtimeMillis is not the initial value

Bug: 112159033
Bug: 115361555
Bug: 125124724
Test: Verified not-after-boot with test code b/115361555#comment14
Test: Reproed NPE on Nexus 5x with test thread sleep and verify fix
Change-Id: I596f913bc79873274c2743132c93ef2381d9f3c7
(cherry picked from commit b5e7bbe5b8e1d120d3f13f6d15b7be16d4f2e132)

Revert "Adding SUPL NI Emergency Extension Time"

This reverts commit 1f6d71f856ee770ecc24df446bd3693e0de0fbe0.

Select only preinstalled Spell Checker Services

When we are setting a new spell checker as the default one in
Secure.Settings, TSMS#findAvailSpellCheckerLocked can pick up
any available spell checker service. This violates the principle
that user should be warned whenever we are setting an untrusted
spell checker service as the default service, since the warning
dialog is never shown.

Fixes: 64764051
Bug: 118694079
Test: Manually as follows:
1. Open 'packages/inputmethods/LatinIME/java/AndroidManifest.xml'
and remove 'AndroidSpellCheckerService'
2. lunch aosp_buillhead-userdebug && make -j
3. Flash the image
4. adb shell dumpsys textservices
-> no spell checker is recognized
5. adb shell settings get secure selected_spell_checker
-> null
6. tapas SampleSpellCheckerService
7. make -j
8. adb install -r $OUT/system/app/SampleSpellCheckerService/SampleSpellCheckerService.apk
9. adb shell dumpsys textservices
-> SampleSpellCheckerService is recognized
10. adb shell settings get secure selected_spell_checker
-> null

Change-Id: I16f12293d15258c9148677c7ee09fe6dcf81e81d
Merged-In: Idab3ecc246fe9344a09e6907a0ba39f8ea6506f9
(cherry picked from commit ed5973b8a8a2c0f0fc1f39c59c33f81882f41405)

RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.

Also don't show smart actions for selections in text with unsupported
characters.

Bug: 116321860
Test: runtest -x cts/tests/tests/text/src/android/text/util/cts/LinkifyTest.java

Change-Id: Id271cab8aef6b9b13ef17f1a8654c7616f75cf13
(cherry picked from commit 73f398d306a8acf2dbb1dcff4042ecbaec5506a3)

Adding SUPL NI Emergency Extension Time

Configurable by carrier config.xml resource

Bug: 118839234
Bug: 115361555
Bug: 112159033
Test: On device, see b/115361555#comment14
Change-Id: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
Merged-In: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
(cherry picked from commit 64306e1e7b6a0b2257ac05d811be6df9329c9fba)

RESTRICT AUTOMERGE: Recover shady content:// paths.

The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.

This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:

<path-permission android:pathPrefix="/private" ... />

uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);

content://com.example//private

The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.

Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.

Bug: 112555574
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
(cherry picked from commit 301d17e4dd0420463b4201731366c1a64572940b)

RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.

1: Cherry-pick ag/4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow

2: Cherry-pick ag/3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded

3: Add permissions to SystemUI to allow it to hide non-system overlays

Bug: 34170870
Test: manual (see bug for poc)
Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
(cherry picked from commit 295af3600912691ed737714462e64db43198d448)

Verify number of Map entries written to Parcel

Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.

Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest

Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit 057a01d1f38e9b46d3faa4059fdd7c8717681ea0)

Fix crash during cursor moving on BiDi text

The crash was introduced by Ib66ef392c19c937718e7101f6d48fac3abe51ad0
The root cause of the crashing is requesting out-of-line access for the
horizontal width. This invalid access is silently ignored by
TextLine#measure() method but new implementation end up with out of
bounds access.

To makes behavior as old implementation, calling getHorizontal instead
of accessing measured result array.

Bug: 78464361, 111580019
Test: Manually done
Change-Id: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
(cherry picked from commit 960647d582911ae7ab8b9491097898e6c313aaf1)
Merged-In: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
(cherry picked from commit 82c84d5fbb692f5ed56175c55031e30566c18ee2)

DO NOT MERGE. Extend SQLiteQueryBuilder for update and delete.

Developers often accept selection clauses from untrusted code, and
SQLiteQueryBuilder already supports a "strict" mode to help catch
SQL injection attacks. This change extends the builder to support
update() and delete() calls, so that we can help secure those
selection clauses too.

Bug: 111085900
Test: atest packages/providers/DownloadProvider/tests/
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Change-Id: Ib4fc8400f184755ee7e971ab5f2095186341730c
Merged-In: Ib4fc8400f184755ee7e971ab5f2095186341730c
(cherry picked from commit 8e95967f092b4ffa593861452e55621b4e528acf)

DO NOT MERGE. Execute "strict" queries with extra parentheses.

SQLiteQueryBuilder has a setStrict() mode which can be used to
detect SQL attacks from untrusted sources, which it does by running
each query twice: once with an extra set of parentheses, and if that
succeeds, it runs the original query verbatim.

This sadly doesn't catch inputs of the type "1=1) OR (1=1", which
creates valid statements for both tests above, but the final executed
query ends up leaking data due to SQLite operator precedence.

Instead, we need to continue compiling both variants, but we need
to execute the query with the additional parentheses to ensure
data won't be leaked.

Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Bug: 111085900
Change-Id: I6e8746fa48f9de13adae37d2990de11c9c585381
Merged-In: I6e8746fa48f9de13adae37d2990de11c9c585381
(cherry picked from commit 286fd5652a9804bfd185980dc07ad239e1169929)

[automerger] Optimise the hit test algorithm am: 71ecf5bd5c am: 42eaa8f932 am: a72cb45f89 am: f5d69aa775

Change-Id: Ic2d4d3ead4926ff0f8021725e28aee4ebfc369f3
Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
(cherry picked from commit 94bc67f03c3a32dbf8d29a1c983d11ceb1042b2e)

Fix TrackInfo parcel write

Bug: 77600398
Change-Id: Ia316f1c5dc4879f6851fdb78fe8b9039579be7bc
(cherry picked from commit 0d2dc943dcaa3d7c8479e22ae62be9753ea2643c)

Resolve inconsistent parcel read in NanoAppFilter

Bug: 77599679
Test: Compile only
Change-Id: Ib417a5cb4d51744442d2fb14437cabbe5fd1c266
(cherry picked from commit abe5a73a4a81e312a1690fbc10a6b99ce98b699a)

RESTRICT AUTOMERGE: Prevent shortcut info package name spoofing

Test: cts-tradefed run cts -m CtsShortcutManagerTestCases -t android.content.pm.cts.shortcutmanager.ShortcutManagerFakingPublisherTest
Bug: 109824443
Change-Id: I80b2680d9c7e067f1a36fc8ad1aac1d315022a71
(cherry picked from commit 2f7d50058aeb8c5e0a411d50e5bdc4b25b84de70)

Revert "Optimise the hit test algorithm"

This reverts commit 9dceb027701a1f638484bfeee3749d8399d38918.

Fix DynamicRefTable::load security bug

DynamicRefTables parsed from apks are missing bounds checks that prevent
buffer overflows. This changes verifies the bounds of the header before
attempting to preform operations on the chunk.

Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests

Change-Id: I02c8ad957da244fce777ac68a482e4e8fa70f846
Merged-In: I02c8ad957da244fce777ac68a482e4e8fa70f846
(cherry picked from commit 8cf0f988b0c64bcf2c199bb76439c51c257dd162)

ResStringPool: Prevenet boot loop from se fix

Changes the logs adding in a previous security fix to warnings so
devices with malformed APKs currently on them will not undergo DOS when
they are upgraded to P.

Bug: 79724567
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests

Change-Id: Ied54e4bb14abdaf79da562022c7ea6075187c1f8
(cherry picked from commit f05f47b2c1838529e682ad8f931d3da72244b1a1)
(cherry picked from commit c31cf80008fdb06ea8e1eab9764096653e7854b1)