We can no longer return the "my_downloads" paths: if those Uris were
shared beyond the app that requested the download, access would be
denied. Instead, we need to switch to using "all_downloads" Uris so
that permission grants can be issued to third-party viewer apps.
Since an app requesting a download doesn't normally have permission
to "all_downloads" paths, DownloadProvider now issues narrow grants
toward the owner of each download, both at device boot and when new
downloads are started.
Bug: 30537115, 30945409
Change-Id: I533125b36444877f54373d88922f2acc777e250b
setPairingConfirmation was set to only require BLUETOOTH_ADMIN
permission which shouldn't be able to set the confirmation itself.
This is restricted to BLUETOOTH_PRIVILEGED permission.
Bug: 29043989
Change-Id: Iddc935f0b02f5ff56e930914b4b664377e786184
setPairingConfirmation was set to only require BLUETOOTH_ADMIN
permission which shouldn't be able to set the confirmation itself.
This is restricted to BLUETOOTH_PRIVILEGED permission.
Bug: 29043989
Change-Id: Iddc935f0b02f5ff56e930914b4b664377e786184
ExifInterface object can be created with a unsupported file format.
If saveAttribute is called with an unsupported file format, ExifInterface
makes the file corrupted. This CL prevents those cases by throwing
an exception before making any change on the file.
Bug: 30936376
Change-Id: I915f56b00ec9422b53591ac5534e070a1d6798e6
ExifInterface object can be created with a unsupported file format.
If saveAttribute is called with an unsupported file format, ExifInterface
makes the file corrupted. This CL prevents those cases by throwing
an exception before making any change on the file.
Bug: 30936376
Change-Id: I915f56b00ec9422b53591ac5534e070a1d6798e6
This is the backport of the following commits :
Commit c5f27a7cb2ec816f483a65255034a1b57a8aa22:
-----------------------------------------------
Reopen whitelisted zygote file descriptors after a fork.
We don't want these descriptors to be shared post-fork, so we'll
have to close and reopen them when the zygote forks. The set of
open descriptors is checked against a whitelist and it is a fatal
error if a non whitelisted FD is opened. It is also a fatal error
if anything other than a regular file / character device or socket
is opened at the time of forking.
This work is done in two stages :
- An initial list of FDs is constructed and cached prior to the
first zygote fork.
- On each subsequent fork, we check whether the list of open FDs
has changed. We are currently tolerant of changes, but in the
longer term, it should be a fatal error if the set of open file
descriptors in the zygote changes.
- Post fork, we traverse the list of open descriptors and reopen
them if necessary.
bug: 30963384
Commit 3764a260f0c90dcb323caeda14baf903cc108759:
-----------------------------------------------
Add a whitelist of sockets on fork.
Maintain a whitelist of AF_UNIX sockets that are permitted
to exist at the time of forking. If an open socket does not belong
to the whitelist (or is not AF_UNIX), the process will abort. If an
open socket is whitelisted, it will be redirected to /dev/null after
a sucessful fork. This allows us to unify our handling of the special
zygote sockets (/dev/socket/zygote[_secondary]) with the existing
whitelist of non socket file descriptors.
This change also removes non-fatal ALOGW messages since they have the
side effect of reopening the logging socket.
bug: 30963384
Commit 0b76d6a28e6978151bf245a775329cdae5e574d5:
-----------------------------------------------
fd_utils: Fix broken usage of iterators.
There were two separate issues here :
- RestatInternal was using an iterator after a call to erase(). This
will not work because it will be invalidated.
- The "standard" for loop idiom for iterating over a map while making
structural changes to it is broken. Switch to a while loop and treat
cases where elements are erased differently from cases where they
aren't.
bug: 31092930
bug: 30963384
Plus additional changes:
-----------------------------------------------
- change std::unordered_map to std::tr1::unordered_map.
- add /dev/alarm and /dev/__properties__ to the whitelist.
- map.erase(iterator) returns void prior to C++11, so need the kludge
of calling erase(it++).
Change-Id: I694ff66d5f227239b0190ffc2287882b16e336fa
There's two pieces to this fix:
1. Move PAC loading off IoThread which isn't meant for
blocking network fetches. If the fetch takes more than
60s Android reboots when the IoThread is used.
2. Limit PAC fetching to 20MB. Any PAC bigger than that
is likely evil.
MitM of PACs should only be possbile when a non-SSL PAC URL
is used.
Change-Id: Ie1658a1c705615dc85a7fc68053f0dad8d048294
Fixes: 30100884
Don't write partial requests, and don't return (or throw) early after
partially reading a response.
bug: 30143607
(cherry-picked from commit 448be0a62209c977593d81617853a8a428d013df)
Change-Id: I5881fdd5e81023cd21fb4d23a471a5031987a1f1
Don't write partial requests, and don't return (or throw) early after
partially reading a response.
bug: 30143607
(cherry-picked from commit 448be0a62209c977593d81617853a8a428d013df)
Change-Id: I5881fdd5e81023cd21fb4d23a471a5031987a1f1
