Security Patches :D #4

Open
wants to merge 35 commits into
base: eleven

Meghthedev

No description provided.

Alex Johnston and others added 30 commits May 29, 2023 14:29
* Only the Settings app can reset credentials
  via com.android.credentials.RESET.
* com.android.credentials.INSTALL should still be
  callable by CertInstaller.

Manual testing steps:
* Install certificate via Settings
* Verify unable to reset certificates via test app
  provided in the bug (app-debug.apk)
* Verify able to reset certificates via Settings
* Verify com.android.credentials.INSTALL isn't changed

Bug: 200164168
Test: manual
Change-Id: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 4c1272a)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit f8a1a56)
Merged-In:I9dfde586616d004befbee529f2ae842d22795065
Bug: 209446496
Test: manual
Merged-In: I7253f7f08fde04e30400a30d9a0d24f1ceff04b0
Change-Id: I7253f7f08fde04e30400a30d9a0d24f1ceff04b0
(cherry picked from commit d9e3e6e)
(cherry picked from commit a579ca7)
Merged-In:I7253f7f08fde04e30400a30d9a0d24f1ceff04b0
Hide private DNS settings UI in Guest mode to prevent guest
users modifying global private DNS settings.

Bug: 206987762
Test: 1. make RunSettingsRoboTests \
         ROBOTEST_FILTER=PrivateDnsPreferenceControllerTest
      2. Switch to Guest user and check if the private DNS UI is
         hidden or not.
Change-Id: Iebfb8684da3be32110decd9e8447dd07b1c40387
(cherry picked from commit 52e863b)
Merged-In: Iebfb8684da3be32110decd9e8447dd07b1c40387
This is a backport of ag/17005706.

This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.

The mitigations are:

1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.

2) Only allow a system handler to respond to the CROP intent.

Bug: 187702830
Test: build and check functionality
Change-Id: Ia6314b6810afb5efa0329f3eeaee9ccfff791966
Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
(cherry picked from commit 8950a90)
(cherry picked from commit 3c63dd20ebdbead1ea92d16ee94a9397238895d5)
Merged-In: Ia6314b6810afb5efa0329f3eeaee9ccfff791966
To improve privacy.

Bug: 221041256
Test: atest com.android.settings.DefaultRingtonePreferenceTest
Change-Id: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
(cherry picked from commit e4c2258)
(cherry picked from commit 1682354)
Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
Do not let guest user switch the secure nfc preference setting.

Bug: 228314987
Test: manual
Change-Id: I60a832e32d83bb57d968af2f8b92d94e2ac7c6a2
(cherry picked from commit 2290b0a)
Merged-In: I60a832e32d83bb57d968af2f8b92d94e2ac7c6a2
Make DISALLOW_CONFIG_LOCATION effectively disallow wifi scanning and
bluetooth scanning settings for location services.

screenshots: https://screenshot.googleplex.com/AqvEW2kTrQT2Ufp

Bug: 228315522
Bug: 228315529
Test: manually on sunfish flashed with rvc.
Change-Id: I6ef64a34764e52de7b461e87ea0af40a6d050587
(cherry picked from commit 78799a5)
Merged-In: I6ef64a34764e52de7b461e87ea0af40a6d050587
Ringtone picker may callback a null ringtone Uri
if users select None.

This change passes null ringtone Uri to RingtoneManager
and returns.

Bug: 232502532
Bug: 221041256
Test: manual
      Settings - Sound & Vibration -> Phone ringtone
      -> My Sounds -> None
Change-Id: I044b680871472a3c272f6264c4ef272df542112e
Merged-In: I044b680871472a3c272f6264c4ef272df542112e
(cherry picked from commit 973a461)
Merged-In: I044b680871472a3c272f6264c4ef272df542112e
Use correct user id context to query the type,
so we won't get empty result unexpectedly.

If we get the null result, then we won't set sound successfully.

Bug: 233580016
Bug: 221041256
Test: Manual test and set work profile sound works.
Change-Id: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
(cherry picked from commit 32145cc)
Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
…tion UI

Bug: 228178437
Test: Manually tested on POC
Change-Id: I8613d9b87a53d4641c0689bca9c961c66a2e9415
Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415
(cherry picked from commit 8d749c5)
Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415
Test: RoboTests
Bug: 189332346
Bug: 235823407
Change-Id: Iee1b1caca4d6eb2729feb872c3e4954b6c16519c
Merged-In: Iee1b1caca4d6eb2729feb872c3e4954b6c16519c
(cherry picked from commit b161a3b)
Merged-In: Iee1b1caca4d6eb2729feb872c3e4954b6c16519c
This reverts commit 8950a90.

Reason for revert: regression if multiple crop system crop handlers are present

Change-Id: Ib83dbb2f1109d26b7e85192379291bffef187e77
Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
(cherry picked from commit c0742e7)
Merged-In: Ib83dbb2f1109d26b7e85192379291bffef187e77
This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.

The mitigations are:

1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.

2) Only allow a system handler to respond to the CROP intent.

This is a fixed version of ag/17003629, to address b/239513606.

Bug: 187702830
Test: build and check functionality
Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
Change-Id: I98eea867f926c508456ec9bc654e24eeeffa0e54
(cherry picked from commit f70e351)
Merged-In: I98eea867f926c508456ec9bc654e24eeeffa0e54
Prevent ChooseLockPassword and ChooseLockPattern being projected to
remote views, add FLAG_SECURE for these screens.

Bug: 179725730
Test: Check these 2 screens not projected to chromecast
Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest
      SetupChooseLockPasswordTest ChooseLockPasswordTest
Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
Bug: 193890833
Test: visual
Change-Id: I8f0b066de710169ee8b922c44b6519ca21b9c7ef
(cherry picked from commit 0c359da)
(cherry picked from commit 6024ea5)
Merged-In:I8f0b066de710169ee8b922c44b6519ca21b9c7ef
Auto-generated-cl: translation import

Merged-In: I5b0f9ac74627cc5ab75cc34e47a4292e6a9543b0
Change-Id: I64fda49900da659363eb4e792cf5b87a9c68202d
(cherry picked from commit 6cd4838)
Merged-In:I64fda49900da659363eb4e792cf5b87a9c68202d
Bug: 196969991
Test: Manual testing with Settings
Change-Id: Ia9dc251c853526b2ce66c9f8ff595d496b7f1bc4
Merged-In: Ia9dc251c853526b2ce66c9f8ff595d496b7f1bc4
(cherry picked from commit 2f193c8)
(cherry picked from commit fca5cb3)
Merged-In:Ia9dc251c853526b2ce66c9f8ff595d496b7f1bc4
…epLinkTrampoline

Bug: 244423101
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothSwitchPreferenceControllerTest
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothDashboardFragmentTest
Test: manual test by test apk

Change-Id: I13562d227e06627fac33239a9d21fd405a18d012
(cherry picked from commit 3cc8db3)
Merged-In: I13562d227e06627fac33239a9d21fd405a18d012
Over the last few years, there have been a number of
Factory Reset Protection bypass bugs in the SUW flow.
It's unlikely to defend all points from individual apps.

Therefore, we decide to block some critical pages when
user doesn't complete the SUW flow.

Test: Can't open the certain pages in the suw flow.
Bug: 258422561
Fix: 200746457
Bug: 202975040
Fix: 213091525
Fix: 213090835
Fix: 201561699
Fix: 213090827
Fix: 213090875
Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
(cherry picked from commit ff5bfb4)
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
Settings App info page supports a "Uninstall for all users" function
when multiple users are enabled. It bypasses the restriction of
DISALLOW_APPS_CONTROL which breaks the user isolation guideline.

To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
restriction to provide the "Uninstall for all users" function.

Bug: 258653813
Test: manual & robotests
Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
(cherry picked from commit 86914be)
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Bug: 238298970
Test: manual
Merged-In: I945490ef1e62af479a732c9a260ed94bdd8bc313
Change-Id: I945490ef1e62af479a732c9a260ed94bdd8bc313
(cherry picked from commit 0e57ff9)
Merged-In: I945490ef1e62af479a732c9a260ed94bdd8bc313
…icationAccessDetails

 When using EXTRA_USER_HANDLE, check for INTERACT_ACROSS_USERS_FULL permission on calling package.

Bug: 259385017
Test: 1. Build a test app that creates and starts an intent to NOTIFICATION_LISTENER_DETAIL_SETTINGS while setting the intent extra  android.intent.extra.user_handle to UserHandle(secondaryUserId).
 2. Create and switch to a secondary user
Settings > System > Multiple users > Allow multiple users > Add user > Switch to New user
 3. Open Settings > Notifications > Device & app notifications and choose an app from the list (uses android.permission.BIND_NOTIFICATION_LISTENER_SERVICE). Enable Device & app notifications for selected app and disable all attributed permissions.
 4. Switch back to the Owner user.
 5. Get the userId of the secondary user: adb shell pm list users.
 6. Open the test app and enter the userId for the secondary user and the component name that uses android.permission.BIND_NOTIFICATION_LISTENER_SERVICE.
 8. In the settings window that opens, enable all 4 sub-options.
 9. Switch to the secondary user and note that all the sub-options for the app are disabled.

Change-Id: I875b9f2fc32c252acdcf8374a14067836e0f1ac6
Merged-In: I875b9f2fc32c252acdcf8374a14067836e0f1ac6
(cherry picked from commit on googleplex-android-review.googlesource.com host: 5fb0705)
Merged-In: I875b9f2fc32c252acdcf8374a14067836e0f1ac6
… permission

- Only allow the device to be discoverable when the user launches
  "Connected Devices settings" through settings and systemui

Bug: 194695497
Test: make -j42 RunSettingsRoboTests and use test apk to manually test
to verify the device is not discoverable when opening "Connected settings"
through test apk.

Change-Id: Ia04ab759b737acf30b782f5c5831dd59f25fb257
(cherry picked from commit d3abbb9)
(cherry picked from commit 528d40e)
Merged-In:Ia04ab759b737acf30b782f5c5831dd59f25fb257
…rampoline

- Don't let device be discovered when the user launches "Connected Devices
  settings" through SliceDeepLinkTrampoline.

Bug: 228450811
Test: make -j42 RunSettingsRoboTests and use test apk to manually test
to verify the device is not discoverable when opening "Connected settings"
through test apk.

Change-Id: I5490b58675b1fd9fc36305766867f65caa6ccb6c
(cherry picked from commit 205752d)
(cherry picked from commit c44b6fe)
Merged-In: I5490b58675b1fd9fc36305766867f65caa6ccb6c
In onReceive of AppRestrictionsFragment.java, there is a possible way to
start a phone call without permissions due to a confused deputy.
This could lead to local escalation of privilege with no additional
execution privileges needed.

We should not allow the restrictionsIntent to startActivity simply
because it resolves to multiple activities.
Instead, we should call resolveActivity and check the result's package
name is the same as current package name, then it is safe to startActivity.

Bug: 200688991
Test: manual verify
Change-Id: Iaa2d3a9497c3266babe0789961befc9776a4db7a
Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
(cherry picked from commit 359512c)
(cherry picked from commit dc44d01)
Merged-In:Iaa2d3a9497c3266babe0789961befc9776a4db7a
If the intent's package equals the app's package, this intent
will be allowed to startActivityForResult.
But this check is unsafe, because if the component of this intent
is set, the package field will just be ignored. So if we set the
component to any activity we like and set package to the app's
package, it will pass the assertSafeToStartCustomActivity check
and now we can launch anywhere.

Bug: 223578534
Test: robotest and manual verify
Change-Id: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
(cherry picked from commit 90e095d)
(cherry picked from commit aeb36e5)
Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
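
The two commit messages above both come down to validating what an intent resolves to rather than what its package field claims. The following is an added example, not code from these commits or from Settings: the `Intent` and `Component` records are simplified stand-ins for the Android classes, `resolve()` only models the rule that an explicit component overrides the package field, and every package, class and action name is constructed.

```java
import java.util.List;
import java.util.Map;

public class IntentTargetCheck {
    // Stand-in for android.content.ComponentName (assumption: package + class only).
    record Component(String pkg, String cls) {}

    // Stand-in for android.content.Intent with just the fields the check looks at.
    record Intent(String action, String pkg, Component component) {}

    // Constructed registry of activities that handle each action.
    static final Map<String, List<Component>> HANDLERS = Map.of(
        "example.action.RESTRICTIONS",
        List.of(new Component("com.example.restricted", ".RestrictionsActivity")));

    // Models resolution: an explicit component wins and the package field is
    // ignored; otherwise the package field filters the handlers of the action.
    static Component resolve(Intent i) {
        if (i.component() != null) return i.component();
        return HANDLERS.getOrDefault(i.action(), List.of()).stream()
            .filter(c -> i.pkg() == null || c.pkg().equals(i.pkg()))
            .findFirst().orElse(null);
    }

    // The check the commit message calls unsafe: it trusts the package field.
    static boolean packageFieldCheck(Intent i, String expectedPkg) {
        return expectedPkg.equals(i.pkg());
    }

    // Hardened check: resolve first, then compare the resolved target's package.
    static boolean resolvedTargetCheck(Intent i, String expectedPkg) {
        Component target = resolve(i);
        return target != null && expectedPkg.equals(target.pkg());
    }

    public static void main(String[] args) {
        String app = "com.example.restricted";
        String action = "example.action.RESTRICTIONS";
        // Package field and resolved target agree.
        Intent consistent = new Intent(action, app, null);
        // Package field names the app, but the component points elsewhere.
        Intent mismatched = new Intent(action, app,
            new Component("com.example.other", ".PrivilegedActivity"));
        for (Intent i : List.of(consistent, mismatched)) {
            System.out.printf("target=%s packageFieldCheck=%b resolvedTargetCheck=%b%n",
                resolve(i), packageFieldCheck(i, app), resolvedTargetCheck(i, app));
        }
    }
}
```

Only the resolved-target check rejects the mismatched intent; the package-field check accepts both.
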
Move the display of version text within VPN into summary part of the
display, and limit the height of summary area.

Bug: 205460459
Test: install apk from b/205460459#comment3 and verify
(cherry picked from commit 144f295)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dddd74a491a206178feb10d5ef983d5cd273504d)
Merged-In: I666b9db356feeebf04e3be688897c2d9110a5275
Change-Id: I666b9db356feeebf04e3be688897c2d9110a5275
BUG:205460459

Auto-generated-cl: translation import
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ac6b0bdef68e99e0a34656a2148483d7cb77159e)
Merged-In: I669099ad00ba7d90013836e3d456d530ae725b2f
Change-Id: I669099ad00ba7d90013836e3d456d530ae725b2f
Bug: 265798353
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da)
Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
Test: install test app with long CN
Test: ServiceListingTest
Bug: 260570119
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:11ac41d9b6eddc4733e782984c312fd482a616f3)
Merged-In: I3ffd02f6cf6bf282e7fc264fd070ed3add4d8571
Change-Id: I3ffd02f6cf6bf282e7fc264fd070ed3add4d8571
nullptr03 pushed a commit to CipherOS-Reviveds/android_packages_apps_Settings that referenced this pull request Aug 23, 2023
…n other a11y preferences

Fix: 269717670
Test: 1. Go to Settings > Accessibility shortcuts > accessibility button & gesture.
2. Observe The Gesture's picture.
3. Go to any other accessibility's shortcut.
4. Observe the picture of the Use accessibility gesture. CipherOS#2 should look like CipherOS#4

Change-Id: I11f64648412c9795383d356e80d9dd499095f53b
Matías Hernández and others added 5 commits October 9, 2023 22:01
Note that an NLS that shouldn't be approvable (because its name is too long) but was already approved (either before the max length check was introduced, or through other means) will disappear from the list if the user revokes its access. This might be somewhat confusing, but since this is a very-edge case already it's fine.

Bug: 282932362
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:173cc267e0fb854cc7247e9f1e3acff0a325c4af)
Merged-In: Iccfe7b53d643d6c9f9516f91d3cee3309b11551e
Change-Id: Iccfe7b53d643d6c9f9516f91d3cee3309b11551e
* NotificationAccessConfirmationActivity (triggered through CompanionDeviceManager) -> Don't show the dialog, bail out early similarly to other invalid inputs.
* NotificationAccessSettings (from Special App Access) -> No changes, but use the canonical constant now.
* NotificationAccessDetails -> Disable the toggle, unless the NLS was previously approved (in which case it can still be removed).

Fixes: 260570119
Fixes: 286043036
Test: atest + manually
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f1af8c529295c60e516b2cc1d1ac812b8d6047ac)
Merged-In: Ifc048311746c027e3683cdcf65f1079d04cf7c56
Change-Id: Ifc048311746c027e3683cdcf65f1079d04cf7c56
Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to
activate itself as device admin and cause various DoS attacks.

This CL ensures KeyEvent on "Activate" button can only come from system
apps.

Bug: 280793427
Test: atest DeviceAdminActivationTest
(cherry picked from commit 70a501d)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b)
Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
- Finish ApnEditor settings if user is not an admin

- Finish ApnEditor settings if user has DISALLOW_CONFIG_MOBILE_NETWORKS restriction

Bug: 279902472
Test: manual test
make RunSettingsRoboTests ROBOTEST_FILTER=ApnEditorTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c2d727b8f9198bf758a4896eda7c9e5385435ff)
Merged-In: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
Change-Id: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
When LockPatternUtils#setLockCredential() fails, it can either return
false or throw an exception.  Catch the exception and treat it the same
way as a false return value, to prevent crashing com.android.settings.

Bug: 253043065
Test: Tried setting lockscreen credential while in secure FRP mode using
      smartlock setup activity launched by intent via adb.  Verified
      that com.android.settings no longer crashes due to the exception
      from LockPatternUtils#setLockCredential().
(cherry picked from commit 05f1eff)
(moved change into ChooseLockPassword.java and ChooseLockPattern.java,
 which are merged into SaveAndFinishWorker.java on udc-qpr-dev and main)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f07aba15008e2681d5a10435dc5e1485863f21f)
Merged-In: I48b9119c19fb6378b1f88d36433ee4f4c8501d76
Change-Id: I48b9119c19fb6378b1f88d36433ee4f4c8501d76
3 participants