Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 646dde0ace455447b772443f7965ff0101fb5834
commit646dde0ace455447b772443f7965ff0101fb5834[log] [tgz]
authorJeff Sharkey <jsharkey@android.com>Mon Nov 21 10:33:54 2016 -0700
committerJeff Sharkey <jsharkey@android.com>Mon Mar 13 12:46:49 2017 -0600
tree6bb2c5848950b616442f017c93f371352e89c68b
parenta5af24cd02f9dadbea7d23c59ce5f04ce045080d [diff]
No direct Uri grants from system.

The system should never be extending Uri permission grants from
itself, since it automatically holds all the permissions.  Instead,
the system should always be a mediator between two specific apps, and
it should be using startActivityAsCaller() if it needs to extend
permissions.

Blocking at this level fixes an entire class of confused deputy
security issues.

There is a small exemption for the "com.android.settings.files"
authority which is used for photo cropping in the Settings app.

Test: builds, normal intent resolution UI works
Bug: 33019296, 35158271
Change-Id: I3f0de58facedab8767541291b5dfa022fa2e4414
1 file changed
tree: 6bb2c5848950b616442f017c93f371352e89c68b
  1. apct-tests/
  2. api/
  3. cmds/
  4. core/
  5. data/
  6. docs/
  7. drm/
  8. graphics/
  9. keystore/
  10. legacy-test/
  11. libs/
  12. location/
  13. media/
  14. native/
  15. nfc-extras/
  16. obex/
  17. opengl/
  18. packages/
  19. proto/
  20. rs/
  21. samples/
  22. sax/
  23. services/
  24. telecomm/
  25. telephony/
  26. test-runner/
  27. tests/
  28. tools/
  29. wifi/
  30. Android.bp
  31. Android.mk
  32. CleanSpec.mk
  33. compiled-classes-phone
  34. MODULE_LICENSE_APACHE2
  35. NOTICE
  36. pathmap.mk
  37. preloaded-classes
  38. PREUPLOAD.cfg