From ca7312891adcdfc300f2b5c07222120de52030ea Mon Sep 17 00:00:00 2001 From: Jeff Sharkey Date: Wed, 16 Nov 2016 17:22:48 -0700 Subject: DO NOT MERGE: Check provider access for content changes. For an app to either send or receive content change notifications, require that they have some level of access to the underlying provider. Without these checks, a malicious app could sniff sensitive user data from the notifications of otherwise private providers. Test: builds, boots, PoC app now fails Bug: 32555637 Change-Id: If2dcd45cb0a9f1fb3b93e39fc7b8ae9c34c2fdef (cherry picked from commit c813f5dae231bd8f01864227c5dba10d43a89249) (cherry picked from commit db57376d6ccbd4d3e39fc35aa8cfb561bbca4bac) mh0rst: Backport from android-7.1.1_r21
---
 core/java/android/app/ActivityManagerInternal.java | 6 ++++++
 1 file changed, 6 insertions(+) (limited to 'core/java')
diff --git a/core/java/android/app/ActivityManagerInternal.java b/core/java/android/app/ActivityManagerInternal.java
index 40eb799..8e7c607 100644
--- a/core/java/android/app/ActivityManagerInternal.java
+++ b/core/java/android/app/ActivityManagerInternal.java
@@ -25,6 +25,12 @@ import android.content.ComponentName;
 * @hide Only for use within the system server.
 */
 public abstract class ActivityManagerInternal {
+
+ /**
+ * Verify that calling app has access to the given provider.
+ */
+ public abstract String checkContentProviderAccess(String authority, int userId);
+
 // Called by the power manager.
 public abstract void onWakefulnessChanged(int wakefulness);
-- cgit v1.1
From 44b0bdc995fbc21b294e1cdca3a5aa63feeb4951 Mon Sep 17 00:00:00 2001
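Review bot: The Javadoc added for `checkContentProviderAccess` does not say what the `String` return value means, and that is the part a caller must read correctly for the check to fail closed. The signature suggests that `null` means access is allowed and a non-null value carries the denial reason, but nothing in this hunk establishes that, so confirm it against the implementation before adding `@return {@code null} if the caller may access the provider, otherwise a message describing why access was denied`. The comment should also carry `@param authority` and `@param userId`, and state whose identity "calling app" refers to. If the implementation resolves it from the Binder caller (not shown here), the method has to be invoked before any `Binder.clearCallingIdentity()`.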
From: Jeff Sharkey Date: Wed, 30 Nov 2016 16:07:00 -0700 Subject: DO NOT MERGE. Retain DownloadManager Uri grants when clearing. As part of fixing a recent security issue, DownloadManager now needs to issue Uri permission grants for all downloads. However, if an app that requested a download is upgraded or otherwise force-stopped, the required permission grants are removed. We could tell DownloadManager about the app being stopped, but that would be racy (due to background broadcast), and waking it up would degrade system health. Instead, as a special case we now only consider clearing DownloadManager permission grants when app data is being cleared. Bug: 32172542, 30537115 Test: builds, boots, app upgrade doesn't clear grants Change-Id: I7e3d4546fd12bfe5f81b9fb9857ece58d574a6b9 (cherry picked from commit 23ec811266fb728cf159a90ce4882b3c9bac1887) (cherry picked from commit 6eee8e37fd06bd47dd19b8503bc30cc8ccaf72a7) (cherry picked from commit 36772fc2263e06972add737660392afd246da15e)
---
 core/java/android/provider/Downloads.java | 2 ++
 1 file changed, 2 insertions(+) (limited to 'core/java')
diff --git a/core/java/android/provider/Downloads.java b/core/java/android/provider/Downloads.java
index 961eb19..cfdb95d 100644
--- a/core/java/android/provider/Downloads.java
+++ b/core/java/android/provider/Downloads.java
@@ -41,6 +41,8 @@ public final class Downloads {
 public static final class Impl implements BaseColumns {
 private Impl() {}
+ public static final String AUTHORITY = "downloads";
+
 /**
 * The permission to access the download manager
 */
-- cgit v1.1
From 2ffca13ae484c15087ddd14f69d3e593b51fc904 Mon Sep 17 00:00:00 2001
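Review bot: `AUTHORITY` is added without a Javadoc comment, although the permission constant directly below it is documented. According to the commit message, this string identifies DownloadManager's Uri permission grants so that they survive a force-stop or upgrade, which makes the constant security-relevant. I would add something like `/** Authority of the download provider; Uri grants on this authority are only cleared when app data is cleared. */`. The code that performs the match is outside this diff (limited to 'core/java'), so it is worth confirming there that the authority is compared exactly rather than by prefix or substring.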
From: Charles He Date: Thu, 24 Nov 2016 14:05:00 +0000 Subject: Prevent writing to FRP partition during factory reset. Avoid potential race condition between FRP wipe and write operations during factory reset by making the FRP partition unwritable after wipe. Bug: 30352311 Test: manual CVE-2017-0498 Change-Id: If3f024a1611366c0677a996705724458094fcfad (cherry picked from commit a629c772f4a7a5ddf7ff9f78fb19f7ab86c2a9c2) (cherry picked from commit a9437bd1caeeb38780d920a81bde8cc7ca280fe0) (cherry picked from commit 1c4d535d0806dbeb6d2fa5cea0373cbd9ab6d33b)
---
 .../android/service/persistentdata/PersistentDataBlockManager.java | 5 +++++
 1 file changed, 5 insertions(+) (limited to 'core/java')
diff --git a/core/java/android/service/persistentdata/PersistentDataBlockManager.java b/core/java/android/service/persistentdata/PersistentDataBlockManager.java
index 0ffdf68..10ffe84 100644
--- a/core/java/android/service/persistentdata/PersistentDataBlockManager.java
+++ b/core/java/android/service/persistentdata/PersistentDataBlockManager.java
@@ -54,6 +54,9 @@ public class PersistentDataBlockManager {
 * Returns the number of bytes written or -1 on error. If the block is too big
 * to fit on the partition, returns -MAX_BLOCK_SIZE.
 *
+ * {@link #wipe} will block any further {@link #write} operation until reboot,
+ * in which case -1 will be returned.
+ *
 * @param data the data to write
 */
 public int write(byte[] data) {
@@ -108,6 +111,8 @@ public class PersistentDataBlockManager {
 /**
 * Zeroes the previously written block in its entirety. Calling this method
 * will erase all data written to the persistent data partition.
+ * It will also prevent any further {@link #write} operation until reboot,
+ * in order to prevent a potential race condition. See b/30352311.
 */
 public void wipe() {
 try {
-- cgit v1.1
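Review bot: The sentence added to the `write()` Javadoc gives a write blocked by `wipe()` the same -1 result as any other error, so a caller cannot tell a transient failure from one that lasts until reboot and may retry pointlessly. The phrase "in which case" also has no clear referent. I would reword it to `After {@link #wipe} has been called, every call to this method returns -1 until the device reboots; callers must not retry.` The second hunk's addition to `wipe()` reads fine, but it describes behaviour whose enforcement lies outside this diff (limited to 'core/java'), so check that the service side rejects writes from every caller after a wipe. Both method bodies continue beyond the hunks.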