* NotificationAccessConfirmationActivity (triggered through CompanionDeviceManager) -> Don't show the dialog, bail out early similarly to other invalid inputs.
* NotificationAccessSettings (from Special App Access) -> No changes, but use the canonical constant now.
* ApprovalPreferenceController (used in NotificationAccessDetails) -> Disable the toggle, unless the NLS was previously approved (in which case it can still be removed).
Fixes: 260570119
Fixes: 286043036
Test: atest + manually
Change-Id: Ifc048311746c027e3683cdcf65f1079d04cf7c56
Merged-In: Ifc048311746c027e3683cdcf65f1079d04cf7c56
Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to
activate itself as device admin and cause various DoS attacks.
This CL ensures KeyEvent on "Activate" button can only come from system
apps.
Bug: 280793427
Test: atest DeviceAdminActivationTest
Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
(cherry picked from commit 70a501d02e)
Note that an NLS that shouldn't be approvable (because its name is too long) but was already approved (either before the max length check was introduced, or through other means) will disappear from the list if the user revokes its access. This might be somewhat confusing, but since this is a very-edge case already it's fine.
Bug: 282932362
Test: manual
Change-Id: I4c9faea68e6d16b1a4ec7f472b5433cac1704c06
When DISALLOW_CONFIG_LOCATION is set, make location service's
MainSwitchPreference pages for wifi scanning and bluetooth scanning
unavailable too, so that intent direct access is disabled.
screenshot: http://shortn/_kkK3BMTSh1
Bug: 277333746
Bug: 277333781
Test: atest SettingsRoboTests, on device
Change-Id: I52f9a11b1dd78a5e5dbb1bbde3cda7381c87ae39
Test: install test app with long CN
Test: ServiceListingTest
Bug: 260570119
Change-Id: I3ffd02f6cf6bf282e7fc264fd070ed3add4d8571
Merged-In: I3ffd02f6cf6bf282e7fc264fd070ed3add4d8571
When using EXTRA_USER_HANDLE, check for INTERACT_ACROSS_USERS_FULL permission on calling package.
Bug: 259385017
Test: 1. Build a test app that creates and starts an intent to NOTIFICATION_LISTENER_DETAIL_SETTINGS while setting the intent extra android.intent.extra.user_handle to UserHandle(secondaryUserId).
2. Create and switch to a secondary user
Settings > System > Multiple users > Allow multiple users > Add user > Switch to New user
3. Open Settings > Notifications > Device & app notifications and choose an app from the list (uses android.permission.BIND_NOTIFICATION_LISTENER_SERVICE). Enable Device & app notifications for selected app and disable all attributed permissions.
4. Switch back to the Owner user.
5. Get the userId of the secondary user: adb shell pm list users.
6. Open the test app and enter the userId for the secondary user and the component name that uses android.permission.BIND_NOTIFICATION_LISTENER_SERVICE.
8. In the settings window that open, enable all 4 sub-options.
9. Switch to the secondary user and note that the all sub-options for the app are disabled.
Change-Id: I875b9f2fc32c252acdcf8374a14067836e0f1ac6
Merged-In: I875b9f2fc32c252acdcf8374a14067836e0f1ac6
When using EXTRA_USER_HANDLE, check for INTERACT_ACROSS_USERS_FULL permission on calling package.
Bug: 259385017
Test: 1. Build a test app that creates and starts an intent to NOTIFICATION_LISTENER_DETAIL_SETTINGS while setting the intent extra android.intent.extra.user_handle to UserHandle(secondaryUserId).
2. Create and switch to a secondary user
Settings > System > Multiple users > Allow multiple users > Add user > Switch to New user
3. Open Settings > Notifications > Device & app notifications and choose an app from the list (uses android.permission.BIND_NOTIFICATION_LISTENER_SERVICE). Enable Device & app notifications for selected app and disable all attributed permissions.
4. Switch back to the Owner user.
5. Get the userId of the secondary user: adb shell pm list users.
6. Open the test app and enter the userId for the secondary user and the component name that uses android.permission.BIND_NOTIFICATION_LISTENER_SERVICE.
8. In the settings window that open, enable all 4 sub-options.
9. Switch to the secondary user and note that the all sub-options for the app are disabled.
Change-Id: I875b9f2fc32c252acdcf8374a14067836e0f1ac6
Settings App info page supports a "Uninstall for all users" function
when multiple users are enabled. It bypasses the restriction of
DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
restriction to provide the "Uninstall for all users" function.
Bug: 258653813
Test: manual & robotests
Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Settings App info page supports a "Uninstall for all users" function
when multiple users are enabled. It bypasses the restriction of
DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
restriction to provide the "Uninstall for all users" function.
Bug: 258653813
Test: manual & robotests
Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Settings App info page supports a "Uninstall for all users" function
when multiple users are enabled. It bypasses the restriction of
DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
restriction to provide the "Uninstall for all users" function.
Bug: 258653813
Test: manual & robotests
Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Settings App info page supports a "Uninstall for all users" function
when multiple users are enabled. It bypasses the restriction of
DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
restriction to provide the "Uninstall for all users" function.
Bug: 258653813
Test: manual & robotests
Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
Over the last few years, there have been a number of
Factory Reset Protection bypass bugs in the SUW flow.
It's unlikely to defense all points from individual apps.
Therefore, we decide to block some critical pages when
user doesn't complete the SUW flow.
Test: Can't open the certain pages in the suw flow.
Bug: 258422561
Fix: 200746457
Bug: 202975040
Fix: 213091525
Fix: 213090835
Fix: 201561699
Fix: 213090827
Fix: 213090875
Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
Over the last few years, there have been a number of
Factory Reset Protection bypass bugs in the SUW flow.
It's unlikely to defense all points from individual apps.
Therefore, we decide to block some critical pages when
user doesn't complete the SUW flow.
Test: Can't open the certain pages in the suw flow.
Bug: 258422561
Fix: 200746457
Bug: 202975040
Fix: 213091525
Fix: 213090835
Fix: 201561699
Fix: 213090827
Fix: 213090875
Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
Over the last few years, there have been a number of
Factory Reset Protection bypass bugs in the SUW flow.
It's unlikely to defense all points from individual apps.
Therefore, we decide to block some critical pages when
user doesn't complete the SUW flow.
Test: Can't open the certain pages in the suw flow.
Bug: 258422561
Fix: 200746457
Bug: 202975040
Fix: 213091525
Fix: 213090835
Fix: 201561699
Fix: 213090827
Fix: 213090875
Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
Over the last few years, there have been a number of
Factory Reset Protection bypass bugs in the SUW flow.
It's unlikely to defense all points from individual apps.
Therefore, we decide to block some critical pages when
user doesn't complete the SUW flow.
Test: Can't open the certain pages in the suw flow.
Bug: 258422561
Fix: 200746457
Bug: 202975040
Fix: 213091525
Fix: 213090835
Fix: 201561699
Fix: 213090827
Fix: 213090875
Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
Bug: 244423101
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothSwitchPreferenceControllerTest
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothDashboardFragmentTest
Test: manual test by test apk
Change-Id: I13562d227e06627fac33239a9d21fd405a18d012
Bug: 244423101
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothSwitchPreferenceControllerTest
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothDashboardFragmentTest
Test: manual test by test apk
Change-Id: I13562d227e06627fac33239a9d21fd405a18d012
Bug: 244423101
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothSwitchPreferenceControllerTest
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothDashboardFragmentTest
Test: manual test by test apk
Change-Id: I13562d227e06627fac33239a9d21fd405a18d012
Bug: 244423101
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothSwitchPreferenceControllerTest
Test: make RunSettingsRoboTests ROBOTEST_FILTER=BluetoothDashboardFragmentTest
Test: manual test by test apk
Change-Id: I13562d227e06627fac33239a9d21fd405a18d012
Prevent ChooseLockPassword and ChooseLockPatten being projected to
remote views, add FLAG_SECURE for these screens.
Bug: 179725730
Test: Check these 2 screens not projected to chromecast
Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest
SetupChooseLockPasswordTest ChooseLockPasswordTest
Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
Merged-In: I7449a24427c966c1aa4280a7b7e7e70b60997cca
(cherry picked from commit 98239c0da6)
Prevent ChooseLockPassword and ChooseLockPatten being projected to
remote views, add FLAG_SECURE for these screens.
Bug: 179725730
Test: Check these 2 screens not projected to chromecast
Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest
SetupChooseLockPasswordTest ChooseLockPasswordTest
Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
Merged-In: I7449a24427c966c1aa4280a7b7e7e70b60997cca
(cherry picked from commit 98239c0da6)
This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.
The mitigations are:
1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.
2) Only allow a system handler to respond to the CROP intent.
This is a fixed version of ag/17003629, to address b/239513606.
Bug: 187702830
Test: build and check functionality
Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
Change-Id: I98eea867f926c508456ec9bc654e24eeeffa0e54
This reverts commit 8950a90024.
Reason for revert: regression if multiple crop system crop handlers are present
Change-Id: Ib83dbb2f1109d26b7e85192379291bffef187e77
Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
