It is possible for sensor handles retrieved using
ASensorManager_getDefaultSensor() to become stale if the underlying
binder connection to the sensor service gets reset. This can be
triggered by ASensorManager_createEventQueue(), so any sensor handle
retrieved prior to this call may become stale, resulting in a use-after-
free when the handle is eventually registered with the queue. To avoid
this, the event queue is created before retrieving or registering the
sensor.
Bug: 150225255
Test: No longer crashes with proof-of-concept on Pixel 2 XL.
Change-Id: I243f6c68c734af3eb5488855d965a894b5fb99e5
Bug: 113028175
Bug: 134157796
Bug: 134430124
Test: Build and flash taimen with the matching bootloader change.
Check serial log regarding the start of vendor.darkboot service.
Also read the value via `dd bs=1 skip=2048 if=/dev/block/sda5
count=32 | xxd` to confirm the change.
Test: Trigger a factory reset via Settings. Check the value in /misc
after the reset.
Change-Id: I87c248e25450f520bdc6f1cab3d7f240e54394d0
See bug for more details. The apk already supports asking for this permission at runtime. Upgrading to this android build does not revoke the permission out from under the app.
Bug: 130440726
Test: Manually tested by upgrading walleye to this build and seeing now playing continue to work.
Change-Id: I599586b93ad786762e151fb798d4e5011f2b0315
/metadata should be synchronous enough to avoid boot failure.
Bug: 134172577
Change-Id: I342b1eab9b3b79024deebe039e07d0aa93209148
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
- Pre-granting runtime permissions. The stub will be installed on Pixel
1's and this matches Pixel 4 setup.
Bug: 133353187
Test: Build/installed images on Pixels and confirm AA setup
Change-Id: I9e964a1ef40284c6777c733f0f7e771109c7c5a6
Most apps already have the permission to act as full producers
(isolated_app, ephemeral_app, priv_app, untrusted_app_all), but
the camera doesn't inherit that as it runs in its own domain.
Granting only the socket (i.e. ipc) permission, as:
* only that is needed at the moment.
* granting the shmem/fd permissions would require a broader change, as traced_tmpfs is declared in private/.
Specific denial:
05-20 13:56:20.303 7751 7751 W trigger_perfett: type=1400 audit(0.0:19): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=7061 scontext=u:r:google_camera_app:s0:c181,c256,c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0 app=com.google.android.GoogleCamera
Bug: 130543265
Tested: extrapolating from the same fix on crosshatch, tested manually on blueline-userdebug.
Merged-In: I53dc08a28d167f566b759d8f91d00a4828f4847f
Change-Id: I53dc08a28d167f566b759d8f91d00a4828f4847f
(cherry picked from commit 12b6414919)
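Added example, not part of the commit above or of the project's own tooling: a small parser that turns AVC denial lines such as the one quoted in that message into the narrowest candidate allow rule, for review before anything broader is granted. The function names are hypothetical, and the second sample line is constructed.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the commit message; line 2 is constructed
# for this example (same denial, later timestamp) to show de-duplication.
SAMPLE_LOG = """\
05-20 13:56:20.303 7751 7751 W trigger_perfett: type=1400 audit(0.0:19): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=7061 scontext=u:r:google_camera_app:s0:c181,c256,c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0 app=com.google.android.GoogleCamera
05-20 13:56:21.000 7751 7751 W trigger_perfett: type=1400 audit(0.0:20): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=7061 scontext=u:r:google_camera_app:s0:c181,c256,c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    # A context is user:role:type:sensitivity[:categories]; the type is field 3.
    fields = context.split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return fields[2]

def parse_denials(log_text):
    # Return one dict per AVC denial found; non-matching lines are skipped.
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "source": context_type(m["scon"]),
                "target": context_type(m["tcon"]),
                "tclass": m["tclass"],
                "perms": set(m["perms"].split()),
                "enforced": m["permissive"] != "1",
            })
    return denials

def candidate_rules(denials):
    # Merge permissions per (source, target, class) so repeats yield one rule.
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

The rule it produces is only what the logged denial implies; it is not a statement of what the commit actually changed.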
The Camera HIDL wrapper needs access to
properties "ro.camera.req.fmq.size" and
"ro.camera.res.fmq.size" which control
the fast message queue size. Cases exist
where the default size is not sufficient.
The precise amount can be controlled by
the respective device configuration which
can set the previously mentioned properties.
Bug: 77865891
Test: Manual using application
Change-Id: I468bde2ee356e0d1d20f781fe6a3af48143cc4b2
Merged-In: I468bde2ee356e0d1d20f781fe6a3af48143cc4b2