I've merged the following patches to the Replicant sources and
successfully recompiled/flashed Replicant after that for/on my device:
# https://android.googlesource.com/platform/frameworks/base/+/68b13ba
#
https://android.googlesource.com/platform/packages/apps/Phone/+/fff2f9b
Secure broadcasts, which prevents 3rd party spoofing.
Bug: 7622253
Patch-file #1: Bugfix-7622253.patch
Patch-file #2: Bugfix-7622253-Phone.patch
# https://android.googlesource.com/platform/frameworks/base/+/a2bdffe
Prevent SecurityException from crashing Recents
Bug: 6787477
Patch-file: Bugfix-6787477.patch
# https://android.googlesource.com/platform/libcore/+/67ff477
Fix Security2Test counting
The test was counting the wrong thing. The alias code path is only
triggered by X509 and X.509. This worked when there was only 2 providers
that pointed at the opposites. When there were three the problem showed
up since it wasn't incrementing the right one.
Patch-file: Fix-Security2Test-counting.patch
# https://android.googlesource.com/platform/cts/+/1b08aab
Add character devices to the insecure devices test.
Patch-file: Add-char-dvc2insec-dvc-test.patch
# https://android.googlesource.com/platform/cts/+/96bc825
BannedFilesTest: Detect devices vulnerable to the cmdclient privilege
escalation bug.
Patch-file: Fix-cmdclient-BannedFilesTest.patch
# https://android.googlesource.com/platform/packages/apps/Email/+/54c88ff
Show an error on security exception for attachments.
This uses an existing notification for bad forwarding. The text is a
bit odd ("Attachment not forwarded") but avoids adding new text right
now, and at least conveys the error.
Bug: 8417004
Patch-file: Bugfix-8417004.patch
# https://android.googlesource.com/platform/packages/apps/Email/+/5ab92ca
Ensure security policy notifications are shown
Bug: 8510828
Patch-file: Bugfix-8510828.patch
Finally I've tested this productive device several weeks without any
misbehavior.
Replicant ticket reference: http://redmine.replicant.us/issues/1263
Please review the patches attached [one by one or all together] and
apply them, if you like.From 3afa7c6860d1c885b4e840e4e92c4de4776d18ae Mon Sep 17 00:00:00 2001
From: repo sync <[email protected]>
Date: Mon, 8 Apr 2013 16:16:42 -0700
Subject: [PATCH] Add character devices to the insecure devices test.
Change-Id: Iff6fd33fcc9da408a5f30a1685fc9d0a01d11ffd
Signed-off-by: repo sync <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
.../permission/cts/FileSystemPermissionTest.java | 33 +++++++++++++++-------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
index 7ba6133..da6b614 100644
--- a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
@@ -582,14 +582,30 @@ public class FileSystemPermissionTest extends AndroidTestCase {
return retval;
}
- public void testAllBlockDevicesAreSecure() throws Exception {
- Set<File> insecure = getAllInsecureBlockDevicesInDirAndSubdir(new File("/dev"));
+ private static final Set<File> DEV_EXCEPTIONS = new HashSet<File>(
+ Arrays.asList(
+ // Known good devices- should be present everywhere
+ new File("/dev/ashmem"),
+ new File("/dev/binder"),
+ new File("/dev/full"),
+ new File("/dev/ion"),
+ new File("/dev/null"),
+ new File("/dev/random"),
+ new File("/dev/tty"),
+ new File("/dev/urandom"),
+ new File("/dev/zero")
+ // Other exceptions go below here, along with a bug #
+ ));
+
+ public void testAllDevicesAreSecure() throws Exception {
+ Set<File> insecure = getAllInsecureDevicesInDirAndSubdir(new File("/dev"));
+ insecure.removeAll(DEV_EXCEPTIONS);
assertTrue("Found insecure: " + insecure.toString(),
insecure.isEmpty());
}
private static Set<File>
- getAllInsecureBlockDevicesInDirAndSubdir(File dir) throws Exception {
+ getAllInsecureDevicesInDirAndSubdir(File dir) throws Exception {
assertTrue(dir.isDirectory());
Set<File> retval = new HashSet<File>();
File[] subDirectories = dir.listFiles(new FileFilter() {
@@ -602,7 +618,7 @@ public class FileSystemPermissionTest extends AndroidTestCase {
/* recurse into subdirectories */
if (subDirectories != null) {
for (File f : subDirectories) {
- retval.addAll(getAllInsecureBlockDevicesInDirAndSubdir(f));
+ retval.addAll(getAllInsecureDevicesInDirAndSubdir(f));
}
}
@@ -614,16 +630,16 @@ public class FileSystemPermissionTest extends AndroidTestCase {
for (File f: filesInThisDirectory) {
FileUtils.FileStatus status = new FileUtils.FileStatus();
FileUtils.getFileStatus(f.getAbsolutePath(), status, false);
- if (status.hasModeFlag(FileUtils.S_IFBLK)) {
+ if (status.hasModeFlag(FileUtils.S_IFBLK) || status.hasModeFlag(FileUtils.S_IFCHR)) {
if (f.canRead() || f.canWrite() || f.canExecute()) {
retval.add(f);
}
if (status.uid == 2000) {
- // The shell user should not own any block devices
+ // The shell user should not own any devices
retval.add(f);
}
- // Don't allow block devices owned by GIDs
+ // Don't allow devices owned by GIDs
// accessible to non-privileged applications.
if ((status.gid == 1007) // AID_LOG
|| (status.gid == 1015) // AID_SDCARD_RW
@@ -635,9 +651,6 @@ public class FileSystemPermissionTest extends AndroidTestCase {
|| status.hasModeFlag(FileUtils.S_IWGRP)
|| status.hasModeFlag(FileUtils.S_IXGRP))
{
-
- // non-privileged GIDs should not be able to access
- // any block device.
retval.add(f);
}
}
--
1.9.1
From ce2a1f8ed106956bd69104a06eb47411241b452f Mon Sep 17 00:00:00 2001
From: Michael Jurka <[email protected]>
Date: Fri, 8 Feb 2013 15:41:56 +0100
Subject: [PATCH] Prevent SecurityException from crashing Recents
Bug: 6787477
Signed-off-by: Michael Jurka <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
.../src/com/android/systemui/recent/RecentsPanelView.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/recent/RecentsPanelView.java b/packages/SystemUI/src/com/android/systemui/recent/RecentsPanelView.java
index 3b4155c..c30b4a0 100644
--- a/packages/SystemUI/src/com/android/systemui/recent/RecentsPanelView.java
+++ b/packages/SystemUI/src/com/android/systemui/recent/RecentsPanelView.java
@@ -693,8 +693,12 @@ public class RecentsPanelView extends FrameLayout implements OnItemClickListener
| Intent.FLAG_ACTIVITY_TASK_ON_HOME
| Intent.FLAG_ACTIVITY_NEW_TASK);
if (DEBUG) Log.v(TAG, "Starting activity " + intent);
- context.startActivityAsUser(intent, opts,
- new UserHandle(UserHandle.USER_CURRENT));
+ try {
+ context.startActivityAsUser(intent, opts,
+ new UserHandle(UserHandle.USER_CURRENT));
+ } catch (SecurityException e) {
+ Log.e(TAG, "Recents does not have the permission to launch " + intent, e);
+ }
}
if (usingDrawingCache) {
holder.thumbnailViewImage.setDrawingCacheEnabled(false);
--
1.9.1
From 570da6c97b8f7df2809174633f2beb681eee2c31 Mon Sep 17 00:00:00 2001
From: Robert Greenwalt <[email protected]>
Date: Thu, 18 Apr 2013 10:29:29 -0700
Subject: [PATCH] Secure broadcasts.
Prevents 3rd party spoofing.
Bug: 7622253
Change-Id: I1e1a9887afe009d060205e349c31e3aefba2ea5b
Signed-off-by: Robert Greenwalt <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
core/res/AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 1da99ad..bd2b315 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -130,6 +130,7 @@
<protected-broadcast android:name="android.net.conn.CONNECTIVITY_CHANGE" />
<protected-broadcast android:name="android.net.conn.CONNECTIVITY_CHANGE_IMMEDIATE" />
<protected-broadcast android:name="android.net.conn.DATA_ACTIVITY_CHANGE" />
+ <protected-broadcast android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<protected-broadcast android:name="android.nfc.action.LLCP_LINK_STATE_CHANGED" />
<protected-broadcast android:name="com.android.nfc_extras.action.RF_FIELD_ON_DETECTED" />
--
1.9.1
From 004f7d6aabd27863c4ba6e61356eee8de3224d31 Mon Sep 17 00:00:00 2001
From: Robert Greenwalt <[email protected]>
Date: Tue, 16 Apr 2013 11:56:23 -0700
Subject: [PATCH] Secure some telephony broadcasts.
Prevents 3rd party spoofing.
bug:7622253
Change-Id: I1e1a9887afe009d060205e349c31e3aefba2ea5b
Signed-off-by: Robert Greenwalt <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
AndroidManifest.xml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index fd14366..f1d213d 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -36,6 +36,9 @@
<protected-broadcast android:name="android.intent.action.ACTION_SHOW_NOTICE_ECM_BLOCK_OTHERS" />
<protected-broadcast android:name="android.intent.action.ACTION_MDN_STATE_CHANGED" />
<protected-broadcast android:name="android.provider.Telephony.SPN_STRINGS_UPDATED" />
+ <protected-broadcast android:name="android.provider.Telephony.SIM_FULL" />
+ <protected-broadcast android:name="com.android.internal.telephony.data-restart-trysetup" />
+ <protected-broadcast android:name="com.android.internal.telephony.data-stall" />
<uses-permission android:name="android.permission.BROADCAST_STICKY" />
<uses-permission android:name="android.permission.CALL_PHONE" />
--
1.9.1
From 0aabd058bd70180aac75a2eba1671d917a08dade Mon Sep 17 00:00:00 2001
From: Yu Ping Hu <[email protected]>
Date: Tue, 23 Apr 2013 10:23:01 -0700
Subject: [PATCH] Show an error on security exception for attachments.
This uses an existing notification for bad forwarding. The
text is a bit odd ("Attachment not forwarded") but avoids
adding new text right now, and at least conveys the error.
Bug: 8417004
Change-Id: Id3629a39b2afb583bac2ea6a3ef1303694f1100c
Signed-off-by: Yu Ping Hu <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
.../src/com/android/emailcommon/internet/Rfc822Output.java | 10 ++++++----
src/com/android/email/MessagingController.java | 6 ++++++
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/emailcommon/src/com/android/emailcommon/internet/Rfc822Output.java b/emailcommon/src/com/android/emailcommon/internet/Rfc822Output.java
index 51a62fd..f8bc9cc 100644
--- a/emailcommon/src/com/android/emailcommon/internet/Rfc822Output.java
+++ b/emailcommon/src/com/android/emailcommon/internet/Rfc822Output.java
@@ -260,6 +260,7 @@ public class Rfc822Output {
writeBoundary(writer, multipartBoundary, false);
Attachment attachment =
Attachment.getContent(attachmentsCursor, Attachment.class);
+ attachment.mAccountKey = message.mAccountKey;
writeOneAttachment(context, writer, stream, attachment);
writer.write("\r\n");
} while (attachmentsCursor.moveToNext());
@@ -321,12 +322,13 @@ public class Rfc822Output {
out.write('\r');
out.write('\n');
out.flush();
- }
- catch (FileNotFoundException fnfe) {
+ } catch (final FileNotFoundException fnfe) {
// Ignore this - empty file is OK
- }
- catch (IOException ioe) {
+ } catch (final IOException ioe) {
throw new MessagingException("Invalid attachment.", ioe);
+ } catch (final SecurityException se) {
+ throw new MessagingException(MessagingException.GENERAL_SECURITY,
+ "No permissions for attachment", attachment);
}
}
diff --git a/src/com/android/email/MessagingController.java b/src/com/android/email/MessagingController.java
index 6a0f1e1..21d9e59 100644
--- a/src/com/android/email/MessagingController.java
+++ b/src/com/android/email/MessagingController.java
@@ -2070,6 +2070,12 @@ public class MessagingController implements Runnable {
nc.showLoginFailedNotification(account.mId);
}
mListeners.sendPendingMessagesFailed(account.mId, messageId, me);
+ if (me.getExceptionType() == MessagingException.GENERAL_SECURITY) {
+ final Object exceptionData = me.getExceptionData();
+ if (exceptionData != null && exceptionData instanceof Attachment) {
+ nc.showDownloadForwardFailedNotification((Attachment) exceptionData);
+ }
+ }
continue;
}
// 5. move to sent, or delete
--
1.9.1
From 8cf4d9d64e28e05bd603b05c382925eff5a367f1 Mon Sep 17 00:00:00 2001
From: Paul Westbrook <[email protected]>
Date: Sat, 13 Apr 2013 00:48:15 -0700
Subject: [PATCH] Ensure security policy notifications are shown
Cherry-pick of https://googleplex-android-review.googlesource.com/218352
Bug: 8510828
Change-Id: I29e5abe265adc29ae3e291155b14a8cfc7c7f250
Signed-off-by: Paul Westbrook <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
src/com/android/email/SecurityPolicy.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/com/android/email/SecurityPolicy.java b/src/com/android/email/SecurityPolicy.java
index 391ddeb..8082adc 100644
--- a/src/com/android/email/SecurityPolicy.java
+++ b/src/com/android/email/SecurityPolicy.java
@@ -498,10 +498,14 @@ public class SecurityPolicy {
/**
* Convenience method; see javadoc below
*/
- public static void setAccountHoldFlag(Context context, long accountId, boolean newState) {
+ public static void setAccountHoldFlag(Context context, long accountId, boolean holdEnabled) {
Account account = Account.restoreAccountWithId(context, accountId);
if (account != null) {
- setAccountHoldFlag(context, account, newState);
+ setAccountHoldFlag(context, account, holdEnabled);
+ if (holdEnabled) {
+ // Make sure there's a notification up
+ NotificationController.getInstance(context).showSecurityNeededNotification(account);
+ }
}
}
--
1.9.1
From 9eb144009db2e55e88cfb9f59a199069988dbba5 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <[email protected]>
Date: Fri, 26 Oct 2012 13:14:45 -0700
Subject: [PATCH] BannedFilesTest: Detect devices vulnerable to the cmdclient privilege escalation bug.
Change-Id: I76ad31829b48c84b8d02d0f76b78477eace5eaa1
Signed-off-by: Nick Kralevich <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
.../security/src/android/security/cts/BannedFilesTest.java | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/tests/tests/security/src/android/security/cts/BannedFilesTest.java b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
index b4deed5..ada9aaf 100644
--- a/tests/tests/security/src/android/security/cts/BannedFilesTest.java
+++ b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
@@ -22,6 +22,18 @@ import junit.framework.TestCase;
public class BannedFilesTest extends TestCase {
+ /**
+ * Detect devices vulnerable to the cmdclient privilege escalation bug.
+ *
+ * References:
+ *
+ * http://vulnfactory.org/blog/2012/02/18/xoom-fe-stupid-bugs-and-more-plagiarism/
+ * http://forum.xda-developers.com/showthread.php?t=1213014
+ */
+ public void testNoCmdClient() {
+ assertNotSetugid("/system/bin/cmdclient");
+ }
+
public void testNoSyncAgent() {
assertNotSetugid("/system/bin/sync_agent");
}
--
1.9.1
From bef6ad0192f7060945f4973693de81e748657854 Mon Sep 17 00:00:00 2001
From: Kenny Root <[email protected]>
Date: Tue, 12 Mar 2013 14:26:58 -0700
Subject: [PATCH] Fix Security2Test counting
The test was counting the wrong thing. The alias code path is only
triggered by X509 and X.509. This worked when there was only 2 providers
that pointed at the opposites. When there were three the problem showed
up since it wasn't incrementing the right one.
Change-Id: Id4d01a1981658521a36c42c5d3aea13110069583
Signed-off-by: Kenny Root <[email protected]> Signed-off-by: Moritz Bandemer <[email protected]>
---
.../security/tests/java/security/Security2Test.java | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/luni/src/test/java/org/apache/harmony/security/tests/java/security/Security2Test.java b/luni/src/test/java/org/apache/harmony/security/tests/java/security/Security2Test.java
index 68e7cbc..4dfffda 100644
--- a/luni/src/test/java/org/apache/harmony/security/tests/java/security/Security2Test.java
+++ b/luni/src/test/java/org/apache/harmony/security/tests/java/security/Security2Test.java
@@ -57,17 +57,15 @@ public class Security2Test extends TestCase {
for (Map.Entry entry : provider.entrySet()) {
String key = (String) entry.getKey();
if (isAlias(key)) {
- String aliasVal = key.substring("ALG.ALIAS.".length());
- String aliasKey = aliasVal.substring(0, aliasVal.indexOf(".") + 1)
- + entry.getValue();
+ String aliasName = key.substring("ALG.ALIAS.".length()).toUpperCase();
+ String realName = aliasName.substring(0, aliasName.indexOf(".") + 1) + entry.getValue();
// Skip over nonsense alias declarations where alias and
// aliased are identical. Such entries can occur.
- if (!aliasVal.equalsIgnoreCase(aliasKey)) {
- // Has a real entry been added for aliasValue ?
- if (allSupported.containsKey(aliasVal.toUpperCase())) {
- // Add 1 to the provider count of the thing being
- // aliased
- addOrIncrementTable(allSupported, aliasKey);
+ if (!aliasName.equalsIgnoreCase(realName)) {
+ // Has a real entry been added for aliasName ?
+ if (allSupported.containsKey(aliasName)) {
+ // Add 1 to the provider count of the thing being aliased
+ addOrIncrementTable(allSupported, aliasName);
}
}
}
--
1.9.1
_______________________________________________
Replicant mailing list
[email protected]
http://lists.osuosl.org/mailman/listinfo/replicant
