16.0: Import and verify picks

https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
2025-09-27 19:50:52 -04:00 · 2024-05-07 19:13:31 -04:00 · 2024-05-07 19:13:31 -04:00 · 082bc48c32
commit 082bc48c32
parent 7162b237d3
271 changed files with 25987 additions and 42 deletions
--- a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/342101.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/342101.patch
@ -0,0 +1,122 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 25 Feb 2022 15:48:29 +0000
+Subject: [PATCH] Prevent exfiltration of system files via user image settings.
+
+This adds mitigations to prevent system files being exfiltrated
+via the settings content provider when a content URI is provided
+as a chosen user image.
+
+The mitigations are:
+
+1) Copy the image to a new URI rather than the existing takePictureUri
+prior to cropping.
+
+2) Only allow a system handler to respond to the CROP intent.
+
+A similar change is made in ag/17003629 which uses the same
+mechanism.
+
+Bug: 187702830
+Test: builds
+Change-Id: Iba9e08b3cf9e31c162354f09aaf6b4f9afb6bd27
+(cherry picked from commit fac28abbe64a1c3e430414f35139988ef96edb7c)
+Merged-In: Iba9e08b3cf9e31c162354f09aaf6b4f9afb6bd27
+---
+ .../preferences/EditUserPhotoController.java  | 33 ++++++++++++++-----
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java
+index 77bed01..8aeb8b0 100644
+--- a/src/com/android/emergency/preferences/EditUserPhotoController.java
+++ b/src/com/android/emergency/preferences/EditUserPhotoController.java
+@@ -22,6 +22,7 @@ import android.content.ClipData;
+ import android.content.ContentResolver;
+ import android.content.Context;
+ import android.content.Intent;
+import android.content.pm.ActivityInfo;
+ import android.content.pm.PackageManager;
+ import android.database.Cursor;
+ import android.graphics.Bitmap;
+@@ -73,6 +74,7 @@ public class EditUserPhotoController {
+     private static final int REQUEST_CODE_TAKE_PHOTO = 10002;
+     private static final int REQUEST_CODE_CROP_PHOTO = 10003;
+ 
+    private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
+     private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
+     private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
+     private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
+@@ -85,6 +87,7 @@ public class EditUserPhotoController {
+     private final Fragment mFragment;
+     private final ImageView mImageView;
+ 
+    private final Uri mPreCropPictureUri;
+     private final Uri mCropPictureUri;
+     private final Uri mTakePictureUri;
+ 
+@@ -96,6 +99,7 @@ public class EditUserPhotoController {
+         mContext = view.getContext();
+         mFragment = fragment;
+         mImageView = view;
+        mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
+         mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
+         mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
+         mPhotoSize = getPhotoSize(mContext);
+@@ -122,7 +126,7 @@ public class EditUserPhotoController {
+             case REQUEST_CODE_TAKE_PHOTO:
+             case REQUEST_CODE_CHOOSE_PHOTO:
+                 if (mTakePictureUri.equals(pictureUri)) {
+-                    cropPhoto();
+                    cropPhoto(pictureUri);
+                 } else {
+                     copyAndCropPhoto(pictureUri);
+                 }
+@@ -231,7 +235,7 @@ public class EditUserPhotoController {
+             protected Void doInBackground(Void... params) {
+                 final ContentResolver cr = mContext.getContentResolver();
+                 try (InputStream in = cr.openInputStream(pictureUri);
+-                        OutputStream out = cr.openOutputStream(mTakePictureUri)) {
+                        OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
+                     Streams.copy(in, out);
+                 } catch (IOException e) {
+                     Log.w(TAG, "Failed to copy photo", e);
+@@ -242,21 +246,32 @@ public class EditUserPhotoController {
+             @Override
+             protected void onPostExecute(Void result) {
+                 if (!mFragment.isAdded()) return;
+-                cropPhoto();
+                cropPhoto(mPreCropPictureUri);
+             }
+         }.execute();
+     }
+ 
+-    private void cropPhoto() {
+    private void cropPhoto(final Uri pictureUri) {
+         Intent intent = new Intent(ACTION_CROP);
+-        intent.setDataAndType(mTakePictureUri, "image/*");
+        intent.setDataAndType(pictureUri, "image/*");
+         appendOutputExtra(intent, mCropPictureUri);
+         appendCropExtras(intent);
+-        if (intent.resolveActivity(mContext.getPackageManager()) != null) {
+-            mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
+-        } else {
+-            onPhotoCropped(mTakePictureUri, false);
+        if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
+            return;
+        }
+        onPhotoCropped(mTakePictureUri, false);
+    }
+
+    private boolean startSystemActivityForResult(Intent intent, int code) {
+        ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(),
+                PackageManager.MATCH_SYSTEM_ONLY);
+        if (info == null) {
+            Log.w(TAG, "No system package activity could be found for code " + code);
+            return false;
+         }
+        intent.setPackage(info.packageName);
+        mFragment.startActivityForResult(intent, code);
+        return true;
+     }
+ 
+     private void appendOutputExtra(Intent intent, Uri pictureUri) {
--- a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345908.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345908.patch
@ -0,0 +1,113 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Wed, 27 Jul 2022 17:18:23 +0000
+Subject: [PATCH] Revert "Prevent exfiltration of system files via user image
+ settings."
+
+This reverts commit fac28abbe64a1c3e430414f35139988ef96edb7c.
+
+Reason for revert: regression if multiple crop system crop handlers are present
+
+Bug: 239914925
+
+Change-Id: I1784eec7ffa2af0b48fa0d0d075e015ebfb7fa47
+(cherry picked from commit 889b93dd4ec351889db69b528d81cdc3f63968fc)
+Merged-In: I1784eec7ffa2af0b48fa0d0d075e015ebfb7fa47
+---
+ .../preferences/EditUserPhotoController.java  | 33 +++++--------------
+ 1 file changed, 9 insertions(+), 24 deletions(-)
+
+diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java
+index 8aeb8b0..77bed01 100644
+--- a/src/com/android/emergency/preferences/EditUserPhotoController.java
+++ b/src/com/android/emergency/preferences/EditUserPhotoController.java
+@@ -22,7 +22,6 @@ import android.content.ClipData;
+ import android.content.ContentResolver;
+ import android.content.Context;
+ import android.content.Intent;
+-import android.content.pm.ActivityInfo;
+ import android.content.pm.PackageManager;
+ import android.database.Cursor;
+ import android.graphics.Bitmap;
+@@ -74,7 +73,6 @@ public class EditUserPhotoController {
+     private static final int REQUEST_CODE_TAKE_PHOTO = 10002;
+     private static final int REQUEST_CODE_CROP_PHOTO = 10003;
+ 
+-    private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
+     private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
+     private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
+     private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
+@@ -87,7 +85,6 @@ public class EditUserPhotoController {
+     private final Fragment mFragment;
+     private final ImageView mImageView;
+ 
+-    private final Uri mPreCropPictureUri;
+     private final Uri mCropPictureUri;
+     private final Uri mTakePictureUri;
+ 
+@@ -99,7 +96,6 @@ public class EditUserPhotoController {
+         mContext = view.getContext();
+         mFragment = fragment;
+         mImageView = view;
+-        mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
+         mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
+         mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
+         mPhotoSize = getPhotoSize(mContext);
+@@ -126,7 +122,7 @@ public class EditUserPhotoController {
+             case REQUEST_CODE_TAKE_PHOTO:
+             case REQUEST_CODE_CHOOSE_PHOTO:
+                 if (mTakePictureUri.equals(pictureUri)) {
+-                    cropPhoto(pictureUri);
+                    cropPhoto();
+                 } else {
+                     copyAndCropPhoto(pictureUri);
+                 }
+@@ -235,7 +231,7 @@ public class EditUserPhotoController {
+             protected Void doInBackground(Void... params) {
+                 final ContentResolver cr = mContext.getContentResolver();
+                 try (InputStream in = cr.openInputStream(pictureUri);
+-                        OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
+                        OutputStream out = cr.openOutputStream(mTakePictureUri)) {
+                     Streams.copy(in, out);
+                 } catch (IOException e) {
+                     Log.w(TAG, "Failed to copy photo", e);
+@@ -246,32 +242,21 @@ public class EditUserPhotoController {
+             @Override
+             protected void onPostExecute(Void result) {
+                 if (!mFragment.isAdded()) return;
+-                cropPhoto(mPreCropPictureUri);
+                cropPhoto();
+             }
+         }.execute();
+     }
+ 
+-    private void cropPhoto(final Uri pictureUri) {
+    private void cropPhoto() {
+         Intent intent = new Intent(ACTION_CROP);
+-        intent.setDataAndType(pictureUri, "image/*");
+        intent.setDataAndType(mTakePictureUri, "image/*");
+         appendOutputExtra(intent, mCropPictureUri);
+         appendCropExtras(intent);
+-        if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
+-            return;
+-        }
+-        onPhotoCropped(mTakePictureUri, false);
+-    }
+-
+-    private boolean startSystemActivityForResult(Intent intent, int code) {
+-        ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(),
+-                PackageManager.MATCH_SYSTEM_ONLY);
+-        if (info == null) {
+-            Log.w(TAG, "No system package activity could be found for code " + code);
+-            return false;
+        if (intent.resolveActivity(mContext.getPackageManager()) != null) {
+            mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
+        } else {
+            onPhotoCropped(mTakePictureUri, false);
+         }
+-        intent.setPackage(info.packageName);
+-        mFragment.startActivityForResult(intent, code);
+-        return true;
+     }
+ 
+     private void appendOutputExtra(Intent intent, Uri pictureUri) {
--- a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345909.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345909.patch
@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 26 Aug 2022 18:33:53 +0100
+Subject: [PATCH] Prevent exfiltration of system files via avatar picker.
+
+This adds mitigations to prevent system files being exfiltrated
+via the settings content provider when a content URI is provided
+as a chosen user image.
+
+The mitigations are:
+
+1) Copy the image to a new URI rather than the existing takePictureUri
+prior to cropping.
+
+2) Only allow a system handler to respond to the CROP intent.
+
+This is a fixed version of ag/17004678, to address b/239513606.
+
+Bug: 187702830
+Test: build and check functionality
+Change-Id: I07bb987b930b851a28871a13032b8fcfcd96d6d1
+(cherry picked from commit 5981e18eb50c54088dc29f8a1e1dc8efdd4bb887)
+Merged-In: I07bb987b930b851a28871a13032b8fcfcd96d6d1
+---
+ .../preferences/EditUserPhotoController.java  | 34 ++++++++++++++-----
+ 1 file changed, 25 insertions(+), 9 deletions(-)
+
+diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java
+index 77bed01..7265187 100644
+--- a/src/com/android/emergency/preferences/EditUserPhotoController.java
+++ b/src/com/android/emergency/preferences/EditUserPhotoController.java
+@@ -22,7 +22,9 @@ import android.content.ClipData;
+ import android.content.ContentResolver;
+ import android.content.Context;
+ import android.content.Intent;
+import android.content.pm.ActivityInfo;
+ import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+ import android.database.Cursor;
+ import android.graphics.Bitmap;
+ import android.graphics.Bitmap.Config;
+@@ -73,6 +75,7 @@ public class EditUserPhotoController {
+     private static final int REQUEST_CODE_TAKE_PHOTO = 10002;
+     private static final int REQUEST_CODE_CROP_PHOTO = 10003;
+ 
+    private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
+     private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
+     private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
+     private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
+@@ -85,6 +88,7 @@ public class EditUserPhotoController {
+     private final Fragment mFragment;
+     private final ImageView mImageView;
+ 
+    private final Uri mPreCropPictureUri;
+     private final Uri mCropPictureUri;
+     private final Uri mTakePictureUri;
+ 
+@@ -96,6 +100,7 @@ public class EditUserPhotoController {
+         mContext = view.getContext();
+         mFragment = fragment;
+         mImageView = view;
+        mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
+         mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
+         mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
+         mPhotoSize = getPhotoSize(mContext);
+@@ -122,7 +127,7 @@ public class EditUserPhotoController {
+             case REQUEST_CODE_TAKE_PHOTO:
+             case REQUEST_CODE_CHOOSE_PHOTO:
+                 if (mTakePictureUri.equals(pictureUri)) {
+-                    cropPhoto();
+                    cropPhoto(pictureUri);
+                 } else {
+                     copyAndCropPhoto(pictureUri);
+                 }
+@@ -231,7 +236,7 @@ public class EditUserPhotoController {
+             protected Void doInBackground(Void... params) {
+                 final ContentResolver cr = mContext.getContentResolver();
+                 try (InputStream in = cr.openInputStream(pictureUri);
+-                        OutputStream out = cr.openOutputStream(mTakePictureUri)) {
+                        OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
+                     Streams.copy(in, out);
+                 } catch (IOException e) {
+                     Log.w(TAG, "Failed to copy photo", e);
+@@ -242,21 +247,32 @@ public class EditUserPhotoController {
+             @Override
+             protected void onPostExecute(Void result) {
+                 if (!mFragment.isAdded()) return;
+-                cropPhoto();
+                cropPhoto(mPreCropPictureUri);
+             }
+         }.execute();
+     }
+ 
+-    private void cropPhoto() {
+    private void cropPhoto(final Uri pictureUri) {
+         Intent intent = new Intent(ACTION_CROP);
+-        intent.setDataAndType(mTakePictureUri, "image/*");
+        intent.setDataAndType(pictureUri, "image/*");
+         appendOutputExtra(intent, mCropPictureUri);
+         appendCropExtras(intent);
+-        if (intent.resolveActivity(mContext.getPackageManager()) != null) {
+-            mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
+-        } else {
+-            onPhotoCropped(mTakePictureUri, false);
+        if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
+            return;
+        }
+        onPhotoCropped(mTakePictureUri, false);
+    }
+
+    private boolean startSystemActivityForResult(Intent intent, int code) {
+        List<ResolveInfo> resolveInfos = mContext.getPackageManager()
+                .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY);
+        if (resolveInfos.isEmpty()) {
+            Log.w(TAG, "No system package activity could be found for code " + code);
+            return false;
+         }
+        intent.setPackage(resolveInfos.get(0).activityInfo.packageName);
+        mFragment.startActivityForResult(intent, code);
+        return true;
+     }
+ 
+     private void appendOutputExtra(Intent intent, Uri pictureUri) {
--- a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/349333.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/349333.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: James Smith <jpdsmith@google.com>
+Date: Tue, 29 Nov 2022 16:00:55 +0000
+Subject: [PATCH] Removes unnecessary permission from the EmergencyInfo app.
+
+Test: Manually tested EmergencyInfo with multiple users. Adding
+contacts, medical info, editing user name and photo and eSos all still
+work.
+
+Bug: 248251018
+Bug: 252995513
+Change-Id: If0da54507db7341c97ff67fedc14a44a67b92289
+Merged-In: I1cdef8dd9a1a0432bbafdfe9e98756dd11cfd092
+(cherry picked from commit 73120eb678baf8285cc69587fbc6da23bab4016a)
+Merged-In: If0da54507db7341c97ff67fedc14a44a67b92289
+---
+ AndroidManifest.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/AndroidManifest.xml b/AndroidManifest.xml
+index e5ce533..650cf73 100644
+--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
+@@ -21,7 +21,6 @@
+     <uses-permission android:name="android.permission.CALL_PRIVILEGED" />
+     <uses-permission android:name="android.permission.READ_CONTACTS" />
+     <uses-permission android:name="android.permission.MANAGE_USERS" />
+-    <uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" />
+ 
+     <application
+         android:defaultToDeviceProtectedStorage="true"