Security Patches :D #3
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…666af6 Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/native/+/15720346 Bug: 197336441 Change-Id: I703760ecbfa007d27caf76556ed21bbf0558df80 (cherry picked from commit 62eaabc)
Another bug due to a huge amount of complexity in the Parcel implementation. Bug: 203847542 Test: added testcase fails on device w/o Parcel.cpp fix, and it passes on a device with the fix Merged-In: I34411675687cb3d18bffa082984ebdf308e1c1a6 Change-Id: I34411675687cb3d18bffa082984ebdf308e1c1a6 (cherry picked from commit 0439037) (cherry picked from commit d668098) Merged-In:I34411675687cb3d18bffa082984ebdf308e1c1a6
Currently, we only check whether a window is partially obscured during the initial tap down. However, there is another use case: slippery enter. During a slippery enter, the touch down is generated into the slipped-into window, and touch cancel is generated for the slipped-from window. The window receiving the slippery enter does not need to have any flags. Until we figure out whether we can restrict the usage of this flag to system components, add this check as an intermediate fix. Bug: 157929241 Test: atest FlagSlipperyTest Test: atest inputflinger_tests Change-Id: I93d9681479f41244ffed4b1f88cceb69be71adf2 Merged-In: I93d9681479f41244ffed4b1f88cceb69be71adf2 (cherry picked from commit d8c6ef2) Merged-In:I93d9681479f41244ffed4b1f88cceb69be71adf2
…stealReceiveChannel Add a mutex to prevent a potential race condition. Bug: 232541124 Test: See bug for details Change-Id: Ia338f124c786bf12d6adba10a67b9048fe9c34a5 (cherry picked from commit a820057) Merged-In: Ia338f124c786bf12d6adba10a67b9048fe9c34a5
* Retrieve and store PRODUCT_SHIPPING_API_LEVEL using property_get_int32
This fixes error: frameworks/native/libs/renderengine/gl/filters/BlurFilter.cpp:40:44: error: use of undeclared identifier 'PRODUCT_SHIPPING_API_LEVEL'
ALOGI("PRODUCT_SHIPPING_API_LEVEL=%d", PRODUCT_SHIPPING_API_LEVEL);
1 error generated.
…based. Add private flag to WindowManager.LayoutParams. If the flag is set, check if caller has INTERNAL_SYSTEM_WINDOW permission. Bug: 155781676 Bug: 196389741 Test: atest WindowManagerServiceTests Change-Id: I58cf9f38c496e0ae8b2193dca45c0805e831bc9e Merged-In: I58cf9f38c496e0ae8b2193dca45c0805e831bc9e (cherry picked from commit 39bc611) Merged-In: I58cf9f38c496e0ae8b2193dca45c0805e831bc9e
- Add a layer state to indicate that this layer and its children in the hierarchy are trusted. This can only be set by callers holding ACCESS_SURFACE_FLINGER, and will be used for the PIP task layer to indicate that activities in PIP are trusted (as they are controlled only by the user and SystemUI) Bug: 191529039 Bug: 196389741 Test: TBD Change-Id: Id92ccb087bd0d8dbaeeef3ba50b67fe015e53db8 Merged-In: Id92ccb087bd0d8dbaeeef3ba50b67fe015e53db8 (cherry picked from commit 7605fb4) Merged-In: Id92ccb087bd0d8dbaeeef3ba50b67fe015e53db8
…tructor To avoid it being initialised to true randomly. Bug: 199483370 Bug: 196389741 Change-Id: I75be2b1d305e22f8a71532b9f5b8ea6c469baaaa Merged-In: I75be2b1d305e22f8a71532b9f5b8ea6c469baaaa (cherry picked from commit 41f48c7) Merged-In: I75be2b1d305e22f8a71532b9f5b8ea6c469baaaa
Introduces an API to drop input events on this SurfaceControl. This policy will be inherited by its children. The caller must hold the ACCESS_SURFACE_FLINGER permission. Options include: ALL: SurfaceControl and its children will not receive any input regardless of whether it has a valid input channel. These policies are used to enable features that allow for a less trusted interaction model between apps. See the bug for more details. Note: this backport does not include the OBSCURED option since its not needed for the security fix. Test: atest libgui_test InputDispatcherDropInputFeatureTest Bug: 197296414 Merged-In: I443741d5ab51a45d37fb865f11c433c436d96c1e Change-Id: I443741d5ab51a45d37fb865f11c433c436d96c1e (cherry picked from commit 122c4d2) Merged-In: I443741d5ab51a45d37fb865f11c433c436d96c1e
If a window has the feature DROP_INPUT set, then all touch and key events directed to the window will be dropped. For touch events, the events will not go to the window behind it. The flags are used to enable features that allow for a less trusted interaction model between apps. See the bug for more details. Test: atest libgui_test InputDispatcherDropInputFeatureTest Bug: 197296414 Merged-In: I71d7cf5064c8ce4626cff09b92e15ca38b39cbbe Change-Id: I71d7cf5064c8ce4626cff09b92e15ca38b39cbbe (cherry picked from commit 0f13fe5) Merged-In: I71d7cf5064c8ce4626cff09b92e15ca38b39cbbe
ALL: If this mode is set on a layer, set the DROP_INPUT feature flag on the layer and its children if it has a valid input channel. This will ensure these layers will not be able to receive any input. Note: this backport does not include the OBSCURED option since its not needed for the security fix. Test: atest libgui_test InputDispatcherDropInputFeatureTest Bug: 197296414 Merged-In: Ibce11ee7df5b5c8c226ebfab29574a99cd656f6d Change-Id: Ibce11ee7df5b5c8c226ebfab29574a99cd656f6d (cherry picked from commit cbe9c10) Merged-In: Ibce11ee7df5b5c8c226ebfab29574a99cd656f6d
This allows container surfaces to be considered visible in InputDispatcher and prevent touches from passing through them. In particular this is used by ActivityRecordInputSink to block touches that would otherwise pass through the area available to the activity. Bug: 194480991 Bug: 222292477 Test: Manually tested that blocking still works Test: atest InputSurfacesTest Change-Id: Iacfc952139311363b914b1d6bffc2b4190133d02 (cherry picked from commit a185882) (cherry picked from commit c7df484a6f4265d20418fc64c46ead350f794a0c) Merged-In: Iacfc952139311363b914b1d6bffc2b4190133d02
- This is part of fix of commit Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df for backporting. - Part of commit Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df which sanitizes the transaction flags from DisplayState instead. - In rvc, we only have ACCESS_SURFACE_FLINGER permission check passed as `privileged` argument in SF::applyTransactionState. We can directly utilize it for sanitization in DiaplyState. - In rvc code base, SF::setTransactionState pass a const array of displayState objects and then call SF::applyTransactionState. To successfully sanitize the flags for each displayState object, we convert this const array into non-const one before calling SF::applyTransactionState. Bug: 248031255 Test: test using displaytoken app manually on the phone, test shell screenrecord during using displaytoken; atest android.hardware.camera2.cts.FastBasicsTest Change-Id: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df (cherry picked from commit 03d4458ea0cb00c28f695d99aae5e4c6b15fc237) Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
Test: libsensorserviceaidl_fuzzer with testcase from bug Bug: 269014004 Merged-In: I0e255c64243c38876fb657cbf942fc1613363216 Change-Id: I0e255c64243c38876fb657cbf942fc1613363216 (cherry picked from commit aeec1802f7befc8fbb18313ad3ac0969c3811870) Merged-In: I0e255c64243c38876fb657cbf942fc1613363216 (cherry picked from commit on googleplex-android-review.googlesource.com host: f1aa5fb53437ec2fabc9be00099af836da5f07f2) Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
After catching an error in Sensor::unflatten, there are memory leaks caught by the fuzzer in the same test case. Test: libsensorserviceaidl_fuzzer with testcase from bug Bug: 269014004 Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582 Change-Id: I509cceb41f56ca117d9475f6f6674244560fe582 (cherry picked from commit c95fa0f0e7c7b73746ff850b85a79fc5f92b784e) Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582 (cherry picked from commit on googleplex-android-review.googlesource.com host: ceb0d52273256c6a5c5622bf81b0ac4ba106faa1) Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
In order to ensure that clients don't leak their sensor manager instance that we currently store in a static map, they need to be able to remove their instance. Otherwise, this instance is never removed from the list and will hang around until our SensorManage instance is destroyed. Bug: 269014004 Test: Run ./libsensorserviceaidl_fuzzer Change-Id: I52185f74ae8d28b379440235ca6f03c5089081f5 (cherry picked from commit 9532f7c682fdd4b1e6e553cd6f61fc0cf2555902) Merged-In: I52185f74ae8d28b379440235ca6f03c5089081f5 (cherry picked from commit on googleplex-android-review.googlesource.com host: 4521fbf8095439a1c1681b5c709b306a5dc1d1e3) Merged-In: I52185f74ae8d28b379440235ca6f03c5089081f5
Test: atest VtsHalSensorManagerV1_0TargetTest Bug: 278013275 Bug: 269014004 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9) Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624 Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.