17: November 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-17.1/android_external_skia/408442.patch

@@ -0,0 +1,48 @@
+From cfb96168e5e753a0bdcca4874b012c25a7f7737a Mon Sep 17 00:00:00 2001
+From: Brian Osman <brianosman@google.com>
+Date: Tue, 27 Aug 2024 14:22:52 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Avoid potential overflow when allocating
+ 3D mask from emboss filter
+
+Note: the original fix landed after
+Iac8b937e516dbfbbcefef54360dd5b7300bacb67 introduced SkMaskBuilder, so
+this cherry-pick had to be tweaked to avoid conflicts. Unfortuantely
+that means we need RESTRICT AUTOMERGE to prevent this modified version
+from flowing through API boundaries into VIC, and we need to manually
+cherry-pick it to each API level.
+
+Bug: 344620577
+Test: N/A -- unclear if even reachable
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/893738
+Commit-Queue: Brian Osman <brianosman@google.com>
+Reviewed-by: Ben Wagner <bungeman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2bc38734eec777bf2574d4b38a7fd4fc05f0ecde)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:69fc79acf3f05f269c55069ba5e2fbd00e1a76b6)
+Merged-In: Ia35860371d45120baca63238e77faa5c0eb25d51
+Change-Id: Ia35860371d45120baca63238e77faa5c0eb25d51
+---
+ src/effects/SkEmbossMaskFilter.cpp | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/effects/SkEmbossMaskFilter.cpp b/src/effects/SkEmbossMaskFilter.cpp
+index 2dcce2b9102..8ea8c08039b 100644
+--- a/src/effects/SkEmbossMaskFilter.cpp
++++ b/src/effects/SkEmbossMaskFilter.cpp
+@@ -95,11 +95,13 @@ bool SkEmbossMaskFilter::filterMask(SkMask* dst, const SkMask& src,
+ 
+     {
+         uint8_t* alphaPlane = dst->fImage;
+-        size_t   planeSize = dst->computeImageSize();
+-        if (0 == planeSize) {
+-            return false;   // too big to allocate, abort
++        size_t totalSize = dst->computeTotalImageSize();
++        if (totalSize == 0) {
++            return false;  // too big to allocate, abort
+         }
+-        dst->fImage = SkMask::AllocImage(planeSize * 3);
++        size_t planeSize = dst->computeImageSize();
++        SkASSERT(planeSize != 0);  // if totalSize didn't overflow, this can't either
++        dst->fImage = SkMask::AllocImage(totalSize);
+         memcpy(dst->fImage, alphaPlane, planeSize);
+         SkMask::FreeImage(alphaPlane);
+     }

Patches/LineageOS-17.1/android_frameworks_base/408443.patch

@@ -0,0 +1,31 @@
+From 3651d27fdb579b51ea8a9b12fc18ca6e495566da Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 2 Jul 2024 11:02:07 -0700
+Subject: [PATCH] Remove authenticator data if it was disabled.
+
+Test: manual
+Bug: 343440463
+Flag: EXEMPT bugfix
+(cherry picked from commit ddfc078af7e89641360b896f99af23a6b371b847)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c2660dcf7fca3f652528d219767f65858bbbe622)
+Merged-In: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6
+Change-Id: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6
+---
+ .../com/android/server/accounts/AccountManagerService.java    | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index fb79904a5b3a8..5718071c2bc4e 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -1165,6 +1165,10 @@ private void validateAccountsInternal(
+                             obsoleteAuthType.add(type);
+                             // And delete it from the TABLE_META
+                             accountsDb.deleteMetaByAuthTypeAndUid(type, uid);
++                        } else if (knownUid != null && knownUid != uid) {
++                            Slog.w(TAG, "authenticator no longer exist for type " + type);
++                            obsoleteAuthType.add(type);
++                            accountsDb.deleteMetaByAuthTypeAndUid(type, uid);
+                         }
+                     }
+                 }

Patches/LineageOS-17.1/android_frameworks_base/408444.patch

@@ -0,0 +1,76 @@
+From 3f5562449aad196198d0d36c312e6461920cebce Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <jmtrivi@google.com>
+Date: Mon, 24 Jun 2024 17:29:14 -0700
+Subject: [PATCH] RingtoneManager: allow video ringtone URI
+
+When checking the MIME type for the default ringtone, also
+allow it to refer to video content.
+
+Bug: 205837340
+Test: see POC + atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a8d2785d69314086dc3b5b2531386fefff079ce7)
+Merged-In: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+Change-Id: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+---
+ media/java/android/media/RingtoneManager.java         |  8 ++++++--
+ .../android/providers/settings/SettingsProvider.java  | 11 +++++++----
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 918a9d8943dde..1e1142387d149 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -833,9 +833,13 @@ public static void setActualDefaultRingtoneUri(Context context, int type, Uri ri
+                         + " ignored: failure to find mimeType (no access from this context?)");
+                 return;
+             }
+-            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+-                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type:" + mimeType
++                        + " is not a recognized audio or video type");
+                 return;
+             }
+         }
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+index d3c10574ea134..f58016acd290f 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+@@ -1781,7 +1781,7 @@ private boolean mutateSystemSetting(String name, String value, int runAsUserId,
+             cacheName = Settings.System.ALARM_ALERT_CACHE;
+         }
+         if (cacheName != null) {
+-            if (!isValidAudioUri(name, value)) {
++            if (!isValidMediaUri(name, value)) {
+                 return false;
+             }
+             final File cacheFile = new File(
+@@ -1816,7 +1816,7 @@ owningUserId, name, value, null, false, getCallingPackage(),
+         }
+     }
+ 
+-    private boolean isValidAudioUri(String name, String uri) {
++    private boolean isValidMediaUri(String name, String uri) {
+         if (uri != null) {
+             Uri audioUri = Uri.parse(uri);
+             if (Settings.AUTHORITY.equals(
+@@ -1834,10 +1834,13 @@ private boolean isValidAudioUri(String name, String uri) {
+                 return false;
+             }
+             if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+-                    || mimeType.equals("application/x-flac"))) {
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Slog.e(LOG_TAG,
+                         "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+-                        + " ignored: associated mimeType: " + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type: " + mimeType
++                        + " is not a recognized audio or video type");
+                 return false;
+             }
+         }

Patches/LineageOS-17.1/android_frameworks_base/408446-backport.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: lpeter <lpeter@google.com>
+Date: Tue, 6 Aug 2024 09:22:12 +0000
+Subject: [PATCH] Disallow device admin package and protected packages to be
+ reinstalled as instant.
+
+We should prevent the following types of apps from being reinstalled with
+--install-existing as an instant.
+(1)device admin package
+(2)protected packages
+
+Flag: EXEMPT bugfix
+
+Bug: 341256043
+Test: Manual test
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77c5ebbd2a83e060577dd584aed7802452339ca5)
+Merged-In: I4e913a12477fd4a64990033eaae533e30863e2a2
+Change-Id: I4e913a12477fd4a64990033eaae533e30863e2a2
+---
+ .../java/com/android/server/pm/PackageManagerService.java   | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index d27b5ad0d646..d304f29ec195 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -13666,6 +13666,9 @@ public class PackageManagerService extends IPackageManager.Stub
+                     (installFlags & PackageManager.INSTALL_INSTANT_APP) != 0;
+             final boolean fullApp =
+                     (installFlags & PackageManager.INSTALL_FULL_APP) != 0;
++            final boolean isPackageDeviceAdmin = isPackageDeviceAdmin(packageName, userId);
++            final boolean isProtectedPackage = mProtectedPackages != null
++                    && mProtectedPackages.isPackageStateProtected(userId, packageName);
+ 
+             // writer
+             synchronized (mPackages) {
+@@ -13673,7 +13676,8 @@ public class PackageManagerService extends IPackageManager.Stub
+                 if (pkgSetting == null) {
+                     return PackageManager.INSTALL_FAILED_INVALID_URI;
+                 }
+-                if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) {
++                if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting)
++                        || isPackageDeviceAdmin || isProtectedPackage)) {
+                     return PackageManager.INSTALL_FAILED_INVALID_URI;
+                 }
+                 if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) {

Patches/LineageOS-17.1/android_frameworks_base/408447.patch

@@ -0,0 +1,82 @@
+From 527ea3afca9a6ae7d330e5f982f9d22011adab7d Mon Sep 17 00:00:00 2001
+From: Ben Murdoch <benm@google.com>
+Date: Fri, 30 Aug 2024 17:22:59 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Clear app-provided shortcut icons
+
+When displaying keyboard shortcuts provided by an app, clear
+any icon that may have been set (this is only possible via
+reflection, and is not a intended for usage outside of the system).
+
+Bug: 331180422
+Test: Verify on device
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a031e9f221cf87657c42d3ed0ddbe93fc6d7a9c3)
+Merged-In: If7e291eb2254c3cbec23673c65e7477e6ad45b09
+Change-Id: If7e291eb2254c3cbec23673c65e7477e6ad45b09
+---
+ core/java/android/view/KeyboardShortcutInfo.java    | 13 +++++++++++--
+ .../systemui/statusbar/KeyboardShortcuts.java       |  9 +++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/view/KeyboardShortcutInfo.java b/core/java/android/view/KeyboardShortcutInfo.java
+index 2660e74dcb205..2075d77a9871e 100644
+--- a/core/java/android/view/KeyboardShortcutInfo.java
++++ b/core/java/android/view/KeyboardShortcutInfo.java
+@@ -29,7 +29,7 @@
+  */
+ public final class KeyboardShortcutInfo implements Parcelable {
+     private final CharSequence mLabel;
+-    private final Icon mIcon;
++    private Icon mIcon;
+     private final char mBaseCharacter;
+     private final int mKeycode;
+     private final int mModifiers;
+@@ -115,6 +115,15 @@ public Icon getIcon() {
+         return mIcon;
+     }
+ 
++    /**
++     * Removes an icon that was previously set.
++     *
++     * @hide
++     */
++    public void clearIcon() {
++        mIcon = null;
++    }
++
+     /**
+      * Returns the base keycode that, combined with the modifiers, triggers this shortcut. If the
+      * base character was set instead, returns {@link KeyEvent#KEYCODE_UNKNOWN}. Valid keycodes are
+@@ -165,4 +174,4 @@ public KeyboardShortcutInfo[] newArray(int size) {
+             return new KeyboardShortcutInfo[size];
+         }
+     };
+-}
+\ No newline at end of file
++}
+diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java
+index 7e6ddcfea7620..cc373d3c8b0f1 100644
+--- a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java
++++ b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java
+@@ -378,6 +378,7 @@ private void showKeyboardShortcuts(int deviceId) {
+             @Override
+             public void onKeyboardShortcutsReceived(
+                     final List<KeyboardShortcutGroup> result) {
++                sanitiseShortcuts(result);
+                 result.add(getSystemShortcuts());
+                 final KeyboardShortcutGroup appShortcuts = getDefaultApplicationShortcuts();
+                 if (appShortcuts != null) {
+@@ -388,6 +389,14 @@ public void onKeyboardShortcutsReceived(
+         }, deviceId);
+     }
+ 
++    static void sanitiseShortcuts(List<KeyboardShortcutGroup> shortcutGroups) {
++        for (KeyboardShortcutGroup group : shortcutGroups) {
++            for (KeyboardShortcutInfo info : group.getItems()) {
++                info.clearIcon();
++            }
++        }
++    }
++
+     private void dismissKeyboardShortcuts() {
+         if (mKeyboardShortcutsDialog != null) {
+             mKeyboardShortcutsDialog.dismiss();

Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/408452-backport.patch

@@ -0,0 +1,122 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nate Jiang <qiangjiang@google.com>
+Date: Thu, 8 Aug 2024 18:13:39 +0000
+Subject: [PATCH] Fix security issue by change the field in WifiConfig
+
+Flag: EXEMPT bugfix
+Bug: 347912017
+Bug: 348352288
+Bug: 346289032
+Test: atest com.android.server.wifi
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:eca3f190d2a5b6b634224863f5ee5f584babd0dc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0597dc97b34e1d1609c1e33f9b6e524474a94144)
+Merged-In: I8998340ae557660036895dd906808d682b83c6f0
+Change-Id: I8998340ae557660036895dd906808d682b83c6f0
+---
+ .../server/wifi/WifiConfigurationUtil.java    | 72 ++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/service/java/com/android/server/wifi/WifiConfigurationUtil.java b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
+index b8992a011..98d2cb31a 100644
+--- a/service/java/com/android/server/wifi/WifiConfigurationUtil.java
++++ b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
+@@ -82,6 +82,11 @@ public class WifiConfigurationUtil {
+     private static final int SAE_ASCII_MIN_LEN = 1 + ENCLOSING_QUOTES_LEN;
+     private static final int PSK_SAE_ASCII_MAX_LEN = 63 + ENCLOSING_QUOTES_LEN;
+     private static final int PSK_SAE_HEX_LEN = 64;
++    private static final int MAX_STRING_LENGTH = 512;
++
++    // BACKPORT
++    private static final int MAX_NUMBER_OF_OI = 36;
++    private static final long MAX_OI_VALUE = ((long) 1 << 40)  - 1;
+     @VisibleForTesting
+     public static final String PASSWORD_MASK = "*";
+     private static final String MATCH_EMPTY_SSID_PATTERN_PATH = "";
+@@ -688,7 +693,8 @@ public class WifiConfigurationUtil {
+         if (!validateSsid(config.SSID, isAdd)) {
+             return false;
+         }
+-        if (!validateBssid(config.BSSID)) {
++        if (!validateBssid(config.BSSID) || !validateBssid(config.dhcpServer)
++                || !validateBssid(config.defaultGwMacAddress)) {
+             return false;
+         }
+         if (!validateBitSets(config)) {
+@@ -697,6 +703,12 @@ public class WifiConfigurationUtil {
+         if (!validateKeyMgmt(config.allowedKeyManagement)) {
+             return false;
+         }
++        if (!validatePasspoint(config)) {
++            return false;
++        }
++        if (!validateNetworkSelectionStatus(config.getNetworkSelectionStatus())) {
++            return false;
++        }
+         if (config.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_PSK)
+                 && !validatePassword(config.preSharedKey, isAdd, false)) {
+             return false;
+@@ -732,6 +744,64 @@ public class WifiConfigurationUtil {
+         return true;
+     }
+ 
++    private static boolean validateStringField(String field, int maxLength) {
++        return field == null || field.length() <= maxLength;
++    }
++
++    private static boolean validatePasspoint(WifiConfiguration config) {
++        if (!validateStringField(config.FQDN, 255)) {
++            return false;
++        }
++        if (!validateStringField(config.providerFriendlyName, 255)) {
++            return false;
++        }
++        if (!validateRoamingConsortiumIds(config.roamingConsortiumIds)) {
++            return false;
++        }
++        if (!validateUpdateIdentifier(config.updateIdentifier)) {
++            return false;
++        }
++        return true;
++    }
++
++    private static boolean validateUpdateIdentifier(String updateIdentifier) {
++        if (TextUtils.isEmpty(updateIdentifier)) {
++            return true;
++        }
++        try {
++            Integer.valueOf(updateIdentifier);
++        } catch (NumberFormatException e) {
++            return false;
++        }
++        return true;
++    }
++
++    private static boolean validateNetworkSelectionStatus(
++            WifiConfiguration.NetworkSelectionStatus status) {
++        if (status == null) {
++            return false;
++        }
++        return validateStringField(status.getConnectChoice(), MAX_STRING_LENGTH)
++                    && validateBssid(status.getNetworkSelectionBSSID());
++    }
++
++    private static boolean validateRoamingConsortiumIds(long[] roamingConsortiumIds) {
++        if (roamingConsortiumIds != null) {
++            if (roamingConsortiumIds.length > MAX_NUMBER_OF_OI) {
++                Log.d(TAG, "too many Roaming Consortium Organization Identifiers in the "
++                        + "profile");
++                return false;
++            }
++            for (long oi : roamingConsortiumIds) {
++                if (oi < 0 || oi > MAX_OI_VALUE) {
++                    Log.d(TAG, "Organization Identifiers is out of range");
++                    return false;
++                }
++            }
++        }
++        return true;
++    }
++
+     private static boolean validateBssidPattern(
+             Pair<MacAddress, MacAddress> bssidPatternMatcher) {
+         if (bssidPatternMatcher == null) return true;

Patches/LineageOS-17.1/android_packages_apps_Settings/408450.patch

@@ -0,0 +1,33 @@
+From 57ac15dfd212fd91ef2501248ac6fab1ec3f6bc6 Mon Sep 17 00:00:00 2001
+From: Adam Bookatz <bookatz@google.com>
+Date: Mon, 22 Jul 2024 17:03:12 -0700
+Subject: [PATCH] startActivityForResult with new Intent
+
+Rather than use the raw Intent, we make a copy of it. See bug.
+
+Bug: 330722900
+Flag: EXEMPT bugfix
+Test: manual
+Test: atest com.android.settings.users.UserSettingsTest
+            com.android.settings.users.UserDetailsSettingsTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1189e24e47571eae86634aeaa7dc60b8fe7f4820)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fdb148b6efb16af018a39511001b48286f401512)
+Merged-In: Id74e4b7ae261f2916eedaef04a679f83409a4b67
+Change-Id: Id74e4b7ae261f2916eedaef04a679f83409a4b67
+---
+ src/com/android/settings/users/AppRestrictionsFragment.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
+index 51624ca63b4..e9e60fb319e 100644
+--- a/src/com/android/settings/users/AppRestrictionsFragment.java
++++ b/src/com/android/settings/users/AppRestrictionsFragment.java
+@@ -655,7 +655,7 @@ public void onReceive(Context context, Intent intent) {
+                     int requestCode = generateCustomActivityRequestCode(
+                             RestrictionsResultReceiver.this.preference);
+                     AppRestrictionsFragment.this.startActivityForResult(
+-                            restrictionsIntent, requestCode);
++                            new Intent(restrictionsIntent), requestCode);
+                 }
+             }
+         }

Patches/LineageOS-17.1/android_packages_apps_Settings/408451.patch

@@ -0,0 +1,90 @@
+From e02728d51e013033f3cc168e8630d0322ccfd803 Mon Sep 17 00:00:00 2001
+From: Fan Wu <cechkahn@google.com>
+Date: Mon, 22 Jul 2024 16:12:46 +0800
+Subject: [PATCH] [BACKPORT] Checks cross user permission before handling
+ intent
+
+Bug: 326057017
+
+Test: atest
+
+Flag: EXEMPT bug fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3b3edd45167515579ab156533754e56ac813f35)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0f67d233c1cd653c113df5956f1ed29a42e1d32f)
+Merged-In: I3444e55b22b7487f96b0e3e9deb3f844c4c4723a
+Change-Id: I3444e55b22b7487f96b0e3e9deb3f844c4c4723a
+---
+ .../settings/applications/AppInfoBase.java    | 38 ++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/settings/applications/AppInfoBase.java b/src/com/android/settings/applications/AppInfoBase.java
+index 71043400ff8..ef5297acaec 100644
+--- a/src/com/android/settings/applications/AppInfoBase.java
++++ b/src/com/android/settings/applications/AppInfoBase.java
+@@ -18,7 +18,9 @@
+ 
+ import static com.android.settingslib.RestrictedLockUtils.EnforcedAdmin;
+ 
++import android.Manifest;
+ import android.app.Activity;
++import android.app.ActivityManager;
+ import android.app.Dialog;
+ import android.app.admin.DevicePolicyManager;
+ import android.app.settings.SettingsEnums;
+@@ -38,6 +40,7 @@
+ import android.text.TextUtils;
+ import android.util.Log;
+ 
++import androidx.annotation.VisibleForTesting;
+ import androidx.appcompat.app.AlertDialog;
+ import androidx.fragment.app.DialogFragment;
+ import androidx.fragment.app.Fragment;
+@@ -134,8 +137,13 @@ protected String retrieveAppEntry() {
+             }
+         }
+         if (intent != null && intent.hasExtra(Intent.EXTRA_USER_HANDLE)) {
+-            mUserId = ((UserHandle) intent.getParcelableExtra(
+-                    Intent.EXTRA_USER_HANDLE)).getIdentifier();
++            mUserId = ((UserHandle) intent.getParcelableExtra(Intent.EXTRA_USER_HANDLE))
++                    .getIdentifier();
++            if (mUserId != UserHandle.myUserId() && !hasInteractAcrossUsersPerm()) {
++                Log.w(TAG, "Intent not valid.");
++                finish();
++                return "";
++            }
+         } else {
+             mUserId = UserHandle.myUserId();
+         }
+@@ -158,6 +166,32 @@ protected String retrieveAppEntry() {
+         return mPackageName;
+     }
+ 
++    @VisibleForTesting
++    protected boolean hasInteractAcrossUsersPerm() {
++        Activity activity = getActivity();
++        if (activity == null) {
++            return false;
++        }
++        String callingPackageName = null;
++        try {
++            callingPackageName = ActivityManager.getService()
++                .getLaunchedFromPackage(activity.getActivityToken());
++        } catch (Exception e) {
++            return false;
++        }
++        if (TextUtils.isEmpty(callingPackageName)) {
++            Log.w(TAG, "Not able to get calling package name for permission check");
++            return false;
++        }
++        if (mPm.checkPermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL, callingPackageName)
++                != PackageManager.PERMISSION_GRANTED) {
++            Log.w(TAG, "Package " + callingPackageName + " does not have required permission "
++                    + Manifest.permission.INTERACT_ACROSS_USERS_FULL);
++            return false;
++        }
++        return true;
++    }
++
+     protected void setIntentAndFinish(boolean appChanged) {
+         Log.i(TAG, "appChanged=" + appChanged);
+         Intent intent = new Intent();

Patches/LineageOS-17.1/android_packages_providers_MediaProvider/408453-backport.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Omar Eissa <oeissa@google.com>
+Date: Tue, 27 Aug 2024 13:24:21 +0000
+Subject: [PATCH] Prevent apps from renaming files they don't own
+
+Malicious apps could rename files in lower file system using
+MediaProvider.update even if they don't have access to such files. They
+weren't able to update the DB of MediaProvider, but by renaming such
+files they could create fake records in MediaProvider DB and then rename
+the file to have the same name as their created record, which would
+allow them to access these files.
+
+IMAGES_MEDIA_ID, AUDIO_MEDIA_ID and VIDEO_MEDIA_ID URIs were already
+guaraded against this vulnerability and the aim of this fix to fix it
+for all other Media URIs.
+
+Bug: 304280682
+Flag: EXEMPT bug fix
+Test: Manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:191ae46fed057cb96f78d8f140f90f0cec50a797)
+Merged-In: I91e9966c012fe292cebc0b544f77032613516fac
+Change-Id: I91e9966c012fe292cebc0b544f77032613516fac
+---
+ src/com/android/providers/media/MediaProvider.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
+index 4cd4452d0..6e9845fc6 100644
+--- a/src/com/android/providers/media/MediaProvider.java
++++ b/src/com/android/providers/media/MediaProvider.java
+@@ -4713,6 +4713,8 @@ public class MediaProvider extends ContentProvider {
+                 case VIDEO_MEDIA_ID:
+                 case IMAGES_MEDIA_ID:
+                 case DOWNLOADS_ID:
++                    // Check if the caller has the required permissions to do placement
++                    enforceCallingPermission(uri, extras, true);
+                     break;
+                 default:
+                     throw new IllegalArgumentException("Movement of " + uri

Scripts/LineageOS-17.1/Patch.sh

@@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
-sed -i 's/2023-02-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-10
+sed -i 's/2023-02-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-11
 fi;
 
 if enterAndClear "build/soong"; then
@@ -173,6 +173,10 @@ git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/14/3
 git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/15/378315/1 && git cherry-pick FETCH_HEAD;
 fi;
 
+if enterAndClear "external/skia"; then
+applyPatch "$DOS_PATCHES_COMMON/android_external_skia/408442.patch"; #R_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter
+fi;
+
 if enterAndClear "external/sonivox"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_sonivox/391896.patch"; #n-asb-2024-05 Fix buffer overrun in eas_wtengine
 fi;
@@ -331,6 +335,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/403301.patch"; #Q_asb_2024-09 S
 applyPatch "$DOS_PATCHES/android_frameworks_base/405515.patch"; #R_asb_2024-10 Update AccountManagerService checkKeyIntent.
 applyPatch "$DOS_PATCHES/android_frameworks_base/405516.patch"; #R_asb_2024-10 Fail parseUri if end is missing
 applyPatch "$DOS_PATCHES/android_frameworks_base/405518.patch"; #R_asb_2024-10 Check whether installerPackageName contains only valid characters
+applyPatch "$DOS_PATCHES/android_frameworks_base/408443.patch"; #R_asb_2024-11 Remove authenticator data if it was disabled.
+applyPatch "$DOS_PATCHES/android_frameworks_base/408444.patch"; #R_asb_2024-11 RingtoneManager: allow video ringtone URI
+applyPatch "$DOS_PATCHES/android_frameworks_base/408446-backport.patch"; #R_asb_2024-11 Disallow device admin package and protected packages to be reinstalled as instant.
+applyPatch "$DOS_PATCHES/android_frameworks_base/408447.patch"; #R_asb_2024-11 Clear app-provided shortcut icons
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@@ -407,6 +415,7 @@ if enterAndClear "frameworks/opt/net/wifi"; then
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/352562.patch"; #Q_asb_2023-03 Revert "wifi: remove certificates for network factory reset"
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/355360.patch"; #Q_asb_2023-04 Revert "Revert "wifi: remove certificates for network factory reset""
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/378139.patch"; #Q_asb_2023-07 Limit the number of Passpoint per App
+applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/408452-backport.patch"; #Q_asb_2024-11 Fix security issue by change the field in WifiConfig
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
@@ -534,6 +543,8 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403303.patch"; #Q_asb_20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403304.patch"; #Q_asb_2024-09 Ignore fragment attr from ext authenticator resource
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403305.patch"; #Q_asb_2024-09 Restrict Settings Homepage prior to provisioning
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405534.patch"; #R_asb_2024-10 FRP bypass defense in App battery usage page
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408450.patch"; #R_asb_2024-11 startActivityForResult with new Intent
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408451.patch"; #R_asb_2024-11 Checks cross user permission before handling intent
 git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@@ -601,6 +612,7 @@ applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/355362.patch";
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/378137.patch"; #Q_asb_2023-09 Canonicalize file path for insertion by legacy apps
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/378138.patch"; #Q_asb_2023-10 Fix path traversal vulnerabilities in MediaProvider
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/399090.patch"; #Q_asb_2024-07 Prevent insertion in other users storage volumes
+applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/408453-backport.patch"; #Q_asb_2024-11
 fi;
 
 if enterAndClear "packages/providers/TelephonyProvider"; then