From 12faa352eea358df503f05ea1109497ef1b0aff9 Mon Sep 17 00:00:00 2001 From: Tavi Date: Thu, 14 Nov 2024 07:37:58 -0500 Subject: [PATCH] 17: November 2024 ASB work Signed-off-by: Tavi --- .../android_external_skia/408442.patch | 48 +++++++ .../android_frameworks_base/408443.patch | 31 +++++ .../android_frameworks_base/408444.patch | 76 +++++++++++ .../408446-backport.patch | 46 +++++++ .../android_frameworks_base/408447.patch | 82 ++++++++++++ .../408452-backport.patch | 122 ++++++++++++++++++ .../408450.patch | 33 +++++ .../408451.patch | 90 +++++++++++++ .../408453-backport.patch | 39 ++++++ Scripts/LineageOS-17.1/Patch.sh | 14 +- 10 files changed, 580 insertions(+), 1 deletion(-) create mode 100644 Patches/LineageOS-17.1/android_external_skia/408442.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/408443.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/408444.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/408446-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/408447.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/408452-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Settings/408450.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Settings/408451.patch create mode 100644 Patches/LineageOS-17.1/android_packages_providers_MediaProvider/408453-backport.patch diff --git a/Patches/LineageOS-17.1/android_external_skia/408442.patch b/Patches/LineageOS-17.1/android_external_skia/408442.patch new file mode 100644 index 00000000..0be252b3 --- /dev/null +++ b/Patches/LineageOS-17.1/android_external_skia/408442.patch @@ -0,0 +1,48 @@ +From cfb96168e5e753a0bdcca4874b012c25a7f7737a Mon Sep 17 00:00:00 2001 +From: Brian Osman +Date: Tue, 27 Aug 2024 14:22:52 -0400 +Subject: [PATCH] RESTRICT AUTOMERGE: Avoid potential overflow when allocating + 3D mask from emboss filter + +Note: the original fix landed after +Iac8b937e516dbfbbcefef54360dd5b7300bacb67 introduced SkMaskBuilder, so +this cherry-pick had to be tweaked to avoid conflicts. Unfortuantely +that means we need RESTRICT AUTOMERGE to prevent this modified version +from flowing through API boundaries into VIC, and we need to manually +cherry-pick it to each API level. + +Bug: 344620577 +Test: N/A -- unclear if even reachable +Reviewed-on: https://skia-review.googlesource.com/c/skia/+/893738 +Commit-Queue: Brian Osman +Reviewed-by: Ben Wagner +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2bc38734eec777bf2574d4b38a7fd4fc05f0ecde) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:69fc79acf3f05f269c55069ba5e2fbd00e1a76b6) +Merged-In: Ia35860371d45120baca63238e77faa5c0eb25d51 +Change-Id: Ia35860371d45120baca63238e77faa5c0eb25d51 +--- + src/effects/SkEmbossMaskFilter.cpp | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/effects/SkEmbossMaskFilter.cpp b/src/effects/SkEmbossMaskFilter.cpp +index 2dcce2b9102..8ea8c08039b 100644 +--- a/src/effects/SkEmbossMaskFilter.cpp ++++ b/src/effects/SkEmbossMaskFilter.cpp +@@ -95,11 +95,13 @@ bool SkEmbossMaskFilter::filterMask(SkMask* dst, const SkMask& src, + + { + uint8_t* alphaPlane = dst->fImage; +- size_t planeSize = dst->computeImageSize(); +- if (0 == planeSize) { +- return false; // too big to allocate, abort ++ size_t totalSize = dst->computeTotalImageSize(); ++ if (totalSize == 0) { ++ return false; // too big to allocate, abort + } +- dst->fImage = SkMask::AllocImage(planeSize * 3); ++ size_t planeSize = dst->computeImageSize(); ++ SkASSERT(planeSize != 0); // if totalSize didn't overflow, this can't either ++ dst->fImage = SkMask::AllocImage(totalSize); + memcpy(dst->fImage, alphaPlane, planeSize); + SkMask::FreeImage(alphaPlane); + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/408443.patch b/Patches/LineageOS-17.1/android_frameworks_base/408443.patch new file mode 100644 index 00000000..4d4bbaf3 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/408443.patch @@ -0,0 +1,31 @@ +From 3651d27fdb579b51ea8a9b12fc18ca6e495566da Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Tue, 2 Jul 2024 11:02:07 -0700 +Subject: [PATCH] Remove authenticator data if it was disabled. + +Test: manual +Bug: 343440463 +Flag: EXEMPT bugfix +(cherry picked from commit ddfc078af7e89641360b896f99af23a6b371b847) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c2660dcf7fca3f652528d219767f65858bbbe622) +Merged-In: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6 +Change-Id: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6 +--- + .../com/android/server/accounts/AccountManagerService.java | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index fb79904a5b3a8..5718071c2bc4e 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -1165,6 +1165,10 @@ private void validateAccountsInternal( + obsoleteAuthType.add(type); + // And delete it from the TABLE_META + accountsDb.deleteMetaByAuthTypeAndUid(type, uid); ++ } else if (knownUid != null && knownUid != uid) { ++ Slog.w(TAG, "authenticator no longer exist for type " + type); ++ obsoleteAuthType.add(type); ++ accountsDb.deleteMetaByAuthTypeAndUid(type, uid); + } + } + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/408444.patch b/Patches/LineageOS-17.1/android_frameworks_base/408444.patch new file mode 100644 index 00000000..ac370c57 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/408444.patch @@ -0,0 +1,76 @@ +From 3f5562449aad196198d0d36c312e6461920cebce Mon Sep 17 00:00:00 2001 +From: Jean-Michel Trivi +Date: Mon, 24 Jun 2024 17:29:14 -0700 +Subject: [PATCH] RingtoneManager: allow video ringtone URI + +When checking the MIME type for the default ringtone, also +allow it to refer to video content. + +Bug: 205837340 +Test: see POC + atest android.media.audio.cts.RingtoneManagerTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a8d2785d69314086dc3b5b2531386fefff079ce7) +Merged-In: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7 +Change-Id: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7 +--- + media/java/android/media/RingtoneManager.java | 8 ++++++-- + .../android/providers/settings/SettingsProvider.java | 11 +++++++---- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java +index 918a9d8943dde..1e1142387d149 100644 +--- a/media/java/android/media/RingtoneManager.java ++++ b/media/java/android/media/RingtoneManager.java +@@ -833,9 +833,13 @@ public static void setActualDefaultRingtoneUri(Context context, int type, Uri ri + + " ignored: failure to find mimeType (no access from this context?)"); + return; + } +- if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") ++ || mimeType.equals("application/x-flac") ++ // also check for video ringtones ++ || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) { + Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri +- + " ignored: associated mimeType:" + mimeType + " is not an audio type"); ++ + " ignored: associated MIME type:" + mimeType ++ + " is not a recognized audio or video type"); + return; + } + } +diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +index d3c10574ea134..f58016acd290f 100644 +--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java ++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +@@ -1781,7 +1781,7 @@ private boolean mutateSystemSetting(String name, String value, int runAsUserId, + cacheName = Settings.System.ALARM_ALERT_CACHE; + } + if (cacheName != null) { +- if (!isValidAudioUri(name, value)) { ++ if (!isValidMediaUri(name, value)) { + return false; + } + final File cacheFile = new File( +@@ -1816,7 +1816,7 @@ owningUserId, name, value, null, false, getCallingPackage(), + } + } + +- private boolean isValidAudioUri(String name, String uri) { ++ private boolean isValidMediaUri(String name, String uri) { + if (uri != null) { + Uri audioUri = Uri.parse(uri); + if (Settings.AUTHORITY.equals( +@@ -1834,10 +1834,13 @@ private boolean isValidAudioUri(String name, String uri) { + return false; + } + if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") +- || mimeType.equals("application/x-flac"))) { ++ || mimeType.equals("application/x-flac") ++ // also check for video ringtones ++ || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) { + Slog.e(LOG_TAG, + "mutateSystemSetting for setting: " + name + " URI: " + audioUri +- + " ignored: associated mimeType: " + mimeType + " is not an audio type"); ++ + " ignored: associated MIME type: " + mimeType ++ + " is not a recognized audio or video type"); + return false; + } + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/408446-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/408446-backport.patch new file mode 100644 index 00000000..64d31eba --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/408446-backport.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: lpeter +Date: Tue, 6 Aug 2024 09:22:12 +0000 +Subject: [PATCH] Disallow device admin package and protected packages to be + reinstalled as instant. + +We should prevent the following types of apps from being reinstalled with +--install-existing as an instant. +(1)device admin package +(2)protected packages + +Flag: EXEMPT bugfix + +Bug: 341256043 +Test: Manual test +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77c5ebbd2a83e060577dd584aed7802452339ca5) +Merged-In: I4e913a12477fd4a64990033eaae533e30863e2a2 +Change-Id: I4e913a12477fd4a64990033eaae533e30863e2a2 +--- + .../java/com/android/server/pm/PackageManagerService.java | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index d27b5ad0d646..d304f29ec195 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -13666,6 +13666,9 @@ public class PackageManagerService extends IPackageManager.Stub + (installFlags & PackageManager.INSTALL_INSTANT_APP) != 0; + final boolean fullApp = + (installFlags & PackageManager.INSTALL_FULL_APP) != 0; ++ final boolean isPackageDeviceAdmin = isPackageDeviceAdmin(packageName, userId); ++ final boolean isProtectedPackage = mProtectedPackages != null ++ && mProtectedPackages.isPackageStateProtected(userId, packageName); + + // writer + synchronized (mPackages) { +@@ -13673,7 +13676,8 @@ public class PackageManagerService extends IPackageManager.Stub + if (pkgSetting == null) { + return PackageManager.INSTALL_FAILED_INVALID_URI; + } +- if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) { ++ if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting) ++ || isPackageDeviceAdmin || isProtectedPackage)) { + return PackageManager.INSTALL_FAILED_INVALID_URI; + } + if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/408447.patch b/Patches/LineageOS-17.1/android_frameworks_base/408447.patch new file mode 100644 index 00000000..5eedee06 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/408447.patch @@ -0,0 +1,82 @@ +From 527ea3afca9a6ae7d330e5f982f9d22011adab7d Mon Sep 17 00:00:00 2001 +From: Ben Murdoch +Date: Fri, 30 Aug 2024 17:22:59 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Clear app-provided shortcut icons + +When displaying keyboard shortcuts provided by an app, clear +any icon that may have been set (this is only possible via +reflection, and is not a intended for usage outside of the system). + +Bug: 331180422 +Test: Verify on device +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a031e9f221cf87657c42d3ed0ddbe93fc6d7a9c3) +Merged-In: If7e291eb2254c3cbec23673c65e7477e6ad45b09 +Change-Id: If7e291eb2254c3cbec23673c65e7477e6ad45b09 +--- + core/java/android/view/KeyboardShortcutInfo.java | 13 +++++++++++-- + .../systemui/statusbar/KeyboardShortcuts.java | 9 +++++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/core/java/android/view/KeyboardShortcutInfo.java b/core/java/android/view/KeyboardShortcutInfo.java +index 2660e74dcb205..2075d77a9871e 100644 +--- a/core/java/android/view/KeyboardShortcutInfo.java ++++ b/core/java/android/view/KeyboardShortcutInfo.java +@@ -29,7 +29,7 @@ + */ + public final class KeyboardShortcutInfo implements Parcelable { + private final CharSequence mLabel; +- private final Icon mIcon; ++ private Icon mIcon; + private final char mBaseCharacter; + private final int mKeycode; + private final int mModifiers; +@@ -115,6 +115,15 @@ public Icon getIcon() { + return mIcon; + } + ++ /** ++ * Removes an icon that was previously set. ++ * ++ * @hide ++ */ ++ public void clearIcon() { ++ mIcon = null; ++ } ++ + /** + * Returns the base keycode that, combined with the modifiers, triggers this shortcut. If the + * base character was set instead, returns {@link KeyEvent#KEYCODE_UNKNOWN}. Valid keycodes are +@@ -165,4 +174,4 @@ public KeyboardShortcutInfo[] newArray(int size) { + return new KeyboardShortcutInfo[size]; + } + }; +-} +\ No newline at end of file ++} +diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java +index 7e6ddcfea7620..cc373d3c8b0f1 100644 +--- a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java ++++ b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java +@@ -378,6 +378,7 @@ private void showKeyboardShortcuts(int deviceId) { + @Override + public void onKeyboardShortcutsReceived( + final List result) { ++ sanitiseShortcuts(result); + result.add(getSystemShortcuts()); + final KeyboardShortcutGroup appShortcuts = getDefaultApplicationShortcuts(); + if (appShortcuts != null) { +@@ -388,6 +389,14 @@ public void onKeyboardShortcutsReceived( + }, deviceId); + } + ++ static void sanitiseShortcuts(List shortcutGroups) { ++ for (KeyboardShortcutGroup group : shortcutGroups) { ++ for (KeyboardShortcutInfo info : group.getItems()) { ++ info.clearIcon(); ++ } ++ } ++ } ++ + private void dismissKeyboardShortcuts() { + if (mKeyboardShortcutsDialog != null) { + mKeyboardShortcutsDialog.dismiss(); diff --git a/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/408452-backport.patch b/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/408452-backport.patch new file mode 100644 index 00000000..209af552 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/408452-backport.patch @@ -0,0 +1,122 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nate Jiang +Date: Thu, 8 Aug 2024 18:13:39 +0000 +Subject: [PATCH] Fix security issue by change the field in WifiConfig + +Flag: EXEMPT bugfix +Bug: 347912017 +Bug: 348352288 +Bug: 346289032 +Test: atest com.android.server.wifi +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:eca3f190d2a5b6b634224863f5ee5f584babd0dc) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0597dc97b34e1d1609c1e33f9b6e524474a94144) +Merged-In: I8998340ae557660036895dd906808d682b83c6f0 +Change-Id: I8998340ae557660036895dd906808d682b83c6f0 +--- + .../server/wifi/WifiConfigurationUtil.java | 72 ++++++++++++++++++- + 1 file changed, 71 insertions(+), 1 deletion(-) + +diff --git a/service/java/com/android/server/wifi/WifiConfigurationUtil.java b/service/java/com/android/server/wifi/WifiConfigurationUtil.java +index b8992a011..98d2cb31a 100644 +--- a/service/java/com/android/server/wifi/WifiConfigurationUtil.java ++++ b/service/java/com/android/server/wifi/WifiConfigurationUtil.java +@@ -82,6 +82,11 @@ public class WifiConfigurationUtil { + private static final int SAE_ASCII_MIN_LEN = 1 + ENCLOSING_QUOTES_LEN; + private static final int PSK_SAE_ASCII_MAX_LEN = 63 + ENCLOSING_QUOTES_LEN; + private static final int PSK_SAE_HEX_LEN = 64; ++ private static final int MAX_STRING_LENGTH = 512; ++ ++ // BACKPORT ++ private static final int MAX_NUMBER_OF_OI = 36; ++ private static final long MAX_OI_VALUE = ((long) 1 << 40) - 1; + @VisibleForTesting + public static final String PASSWORD_MASK = "*"; + private static final String MATCH_EMPTY_SSID_PATTERN_PATH = ""; +@@ -688,7 +693,8 @@ public class WifiConfigurationUtil { + if (!validateSsid(config.SSID, isAdd)) { + return false; + } +- if (!validateBssid(config.BSSID)) { ++ if (!validateBssid(config.BSSID) || !validateBssid(config.dhcpServer) ++ || !validateBssid(config.defaultGwMacAddress)) { + return false; + } + if (!validateBitSets(config)) { +@@ -697,6 +703,12 @@ public class WifiConfigurationUtil { + if (!validateKeyMgmt(config.allowedKeyManagement)) { + return false; + } ++ if (!validatePasspoint(config)) { ++ return false; ++ } ++ if (!validateNetworkSelectionStatus(config.getNetworkSelectionStatus())) { ++ return false; ++ } + if (config.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_PSK) + && !validatePassword(config.preSharedKey, isAdd, false)) { + return false; +@@ -732,6 +744,64 @@ public class WifiConfigurationUtil { + return true; + } + ++ private static boolean validateStringField(String field, int maxLength) { ++ return field == null || field.length() <= maxLength; ++ } ++ ++ private static boolean validatePasspoint(WifiConfiguration config) { ++ if (!validateStringField(config.FQDN, 255)) { ++ return false; ++ } ++ if (!validateStringField(config.providerFriendlyName, 255)) { ++ return false; ++ } ++ if (!validateRoamingConsortiumIds(config.roamingConsortiumIds)) { ++ return false; ++ } ++ if (!validateUpdateIdentifier(config.updateIdentifier)) { ++ return false; ++ } ++ return true; ++ } ++ ++ private static boolean validateUpdateIdentifier(String updateIdentifier) { ++ if (TextUtils.isEmpty(updateIdentifier)) { ++ return true; ++ } ++ try { ++ Integer.valueOf(updateIdentifier); ++ } catch (NumberFormatException e) { ++ return false; ++ } ++ return true; ++ } ++ ++ private static boolean validateNetworkSelectionStatus( ++ WifiConfiguration.NetworkSelectionStatus status) { ++ if (status == null) { ++ return false; ++ } ++ return validateStringField(status.getConnectChoice(), MAX_STRING_LENGTH) ++ && validateBssid(status.getNetworkSelectionBSSID()); ++ } ++ ++ private static boolean validateRoamingConsortiumIds(long[] roamingConsortiumIds) { ++ if (roamingConsortiumIds != null) { ++ if (roamingConsortiumIds.length > MAX_NUMBER_OF_OI) { ++ Log.d(TAG, "too many Roaming Consortium Organization Identifiers in the " ++ + "profile"); ++ return false; ++ } ++ for (long oi : roamingConsortiumIds) { ++ if (oi < 0 || oi > MAX_OI_VALUE) { ++ Log.d(TAG, "Organization Identifiers is out of range"); ++ return false; ++ } ++ } ++ } ++ return true; ++ } ++ + private static boolean validateBssidPattern( + Pair bssidPatternMatcher) { + if (bssidPatternMatcher == null) return true; diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/408450.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/408450.patch new file mode 100644 index 00000000..ad514809 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/408450.patch @@ -0,0 +1,33 @@ +From 57ac15dfd212fd91ef2501248ac6fab1ec3f6bc6 Mon Sep 17 00:00:00 2001 +From: Adam Bookatz +Date: Mon, 22 Jul 2024 17:03:12 -0700 +Subject: [PATCH] startActivityForResult with new Intent + +Rather than use the raw Intent, we make a copy of it. See bug. + +Bug: 330722900 +Flag: EXEMPT bugfix +Test: manual +Test: atest com.android.settings.users.UserSettingsTest + com.android.settings.users.UserDetailsSettingsTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1189e24e47571eae86634aeaa7dc60b8fe7f4820) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fdb148b6efb16af018a39511001b48286f401512) +Merged-In: Id74e4b7ae261f2916eedaef04a679f83409a4b67 +Change-Id: Id74e4b7ae261f2916eedaef04a679f83409a4b67 +--- + src/com/android/settings/users/AppRestrictionsFragment.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java +index 51624ca63b4..e9e60fb319e 100644 +--- a/src/com/android/settings/users/AppRestrictionsFragment.java ++++ b/src/com/android/settings/users/AppRestrictionsFragment.java +@@ -655,7 +655,7 @@ public void onReceive(Context context, Intent intent) { + int requestCode = generateCustomActivityRequestCode( + RestrictionsResultReceiver.this.preference); + AppRestrictionsFragment.this.startActivityForResult( +- restrictionsIntent, requestCode); ++ new Intent(restrictionsIntent), requestCode); + } + } + } diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/408451.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/408451.patch new file mode 100644 index 00000000..c1dd3269 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/408451.patch @@ -0,0 +1,90 @@ +From e02728d51e013033f3cc168e8630d0322ccfd803 Mon Sep 17 00:00:00 2001 +From: Fan Wu +Date: Mon, 22 Jul 2024 16:12:46 +0800 +Subject: [PATCH] [BACKPORT] Checks cross user permission before handling + intent + +Bug: 326057017 + +Test: atest + +Flag: EXEMPT bug fix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3b3edd45167515579ab156533754e56ac813f35) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0f67d233c1cd653c113df5956f1ed29a42e1d32f) +Merged-In: I3444e55b22b7487f96b0e3e9deb3f844c4c4723a +Change-Id: I3444e55b22b7487f96b0e3e9deb3f844c4c4723a +--- + .../settings/applications/AppInfoBase.java | 38 ++++++++++++++++++- + 1 file changed, 36 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/settings/applications/AppInfoBase.java b/src/com/android/settings/applications/AppInfoBase.java +index 71043400ff8..ef5297acaec 100644 +--- a/src/com/android/settings/applications/AppInfoBase.java ++++ b/src/com/android/settings/applications/AppInfoBase.java +@@ -18,7 +18,9 @@ + + import static com.android.settingslib.RestrictedLockUtils.EnforcedAdmin; + ++import android.Manifest; + import android.app.Activity; ++import android.app.ActivityManager; + import android.app.Dialog; + import android.app.admin.DevicePolicyManager; + import android.app.settings.SettingsEnums; +@@ -38,6 +40,7 @@ + import android.text.TextUtils; + import android.util.Log; + ++import androidx.annotation.VisibleForTesting; + import androidx.appcompat.app.AlertDialog; + import androidx.fragment.app.DialogFragment; + import androidx.fragment.app.Fragment; +@@ -134,8 +137,13 @@ protected String retrieveAppEntry() { + } + } + if (intent != null && intent.hasExtra(Intent.EXTRA_USER_HANDLE)) { +- mUserId = ((UserHandle) intent.getParcelableExtra( +- Intent.EXTRA_USER_HANDLE)).getIdentifier(); ++ mUserId = ((UserHandle) intent.getParcelableExtra(Intent.EXTRA_USER_HANDLE)) ++ .getIdentifier(); ++ if (mUserId != UserHandle.myUserId() && !hasInteractAcrossUsersPerm()) { ++ Log.w(TAG, "Intent not valid."); ++ finish(); ++ return ""; ++ } + } else { + mUserId = UserHandle.myUserId(); + } +@@ -158,6 +166,32 @@ protected String retrieveAppEntry() { + return mPackageName; + } + ++ @VisibleForTesting ++ protected boolean hasInteractAcrossUsersPerm() { ++ Activity activity = getActivity(); ++ if (activity == null) { ++ return false; ++ } ++ String callingPackageName = null; ++ try { ++ callingPackageName = ActivityManager.getService() ++ .getLaunchedFromPackage(activity.getActivityToken()); ++ } catch (Exception e) { ++ return false; ++ } ++ if (TextUtils.isEmpty(callingPackageName)) { ++ Log.w(TAG, "Not able to get calling package name for permission check"); ++ return false; ++ } ++ if (mPm.checkPermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL, callingPackageName) ++ != PackageManager.PERMISSION_GRANTED) { ++ Log.w(TAG, "Package " + callingPackageName + " does not have required permission " ++ + Manifest.permission.INTERACT_ACROSS_USERS_FULL); ++ return false; ++ } ++ return true; ++ } ++ + protected void setIntentAndFinish(boolean appChanged) { + Log.i(TAG, "appChanged=" + appChanged); + Intent intent = new Intent(); diff --git a/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/408453-backport.patch b/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/408453-backport.patch new file mode 100644 index 00000000..48868219 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/408453-backport.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Omar Eissa +Date: Tue, 27 Aug 2024 13:24:21 +0000 +Subject: [PATCH] Prevent apps from renaming files they don't own + +Malicious apps could rename files in lower file system using +MediaProvider.update even if they don't have access to such files. They +weren't able to update the DB of MediaProvider, but by renaming such +files they could create fake records in MediaProvider DB and then rename +the file to have the same name as their created record, which would +allow them to access these files. + +IMAGES_MEDIA_ID, AUDIO_MEDIA_ID and VIDEO_MEDIA_ID URIs were already +guaraded against this vulnerability and the aim of this fix to fix it +for all other Media URIs. + +Bug: 304280682 +Flag: EXEMPT bug fix +Test: Manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:191ae46fed057cb96f78d8f140f90f0cec50a797) +Merged-In: I91e9966c012fe292cebc0b544f77032613516fac +Change-Id: I91e9966c012fe292cebc0b544f77032613516fac +--- + src/com/android/providers/media/MediaProvider.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java +index 4cd4452d0..6e9845fc6 100644 +--- a/src/com/android/providers/media/MediaProvider.java ++++ b/src/com/android/providers/media/MediaProvider.java +@@ -4713,6 +4713,8 @@ public class MediaProvider extends ContentProvider { + case VIDEO_MEDIA_ID: + case IMAGES_MEDIA_ID: + case DOWNLOADS_ID: ++ // Check if the caller has the required permissions to do placement ++ enforceCallingPermission(uri, extras, true); + break; + default: + throw new IllegalArgumentException("Movement of " + uri diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 6b36d4b7..8141e695 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh @@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) -sed -i 's/2023-02-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-10 +sed -i 's/2023-02-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-11 fi; if enterAndClear "build/soong"; then @@ -173,6 +173,10 @@ git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/14/3 git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/15/378315/1 && git cherry-pick FETCH_HEAD; fi; +if enterAndClear "external/skia"; then +applyPatch "$DOS_PATCHES_COMMON/android_external_skia/408442.patch"; #R_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter +fi; + if enterAndClear "external/sonivox"; then applyPatch "$DOS_PATCHES_COMMON/android_external_sonivox/391896.patch"; #n-asb-2024-05 Fix buffer overrun in eas_wtengine fi; @@ -331,6 +335,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/403301.patch"; #Q_asb_2024-09 S applyPatch "$DOS_PATCHES/android_frameworks_base/405515.patch"; #R_asb_2024-10 Update AccountManagerService checkKeyIntent. applyPatch "$DOS_PATCHES/android_frameworks_base/405516.patch"; #R_asb_2024-10 Fail parseUri if end is missing applyPatch "$DOS_PATCHES/android_frameworks_base/405518.patch"; #R_asb_2024-10 Check whether installerPackageName contains only valid characters +applyPatch "$DOS_PATCHES/android_frameworks_base/408443.patch"; #R_asb_2024-11 Remove authenticator data if it was disabled. +applyPatch "$DOS_PATCHES/android_frameworks_base/408444.patch"; #R_asb_2024-11 RingtoneManager: allow video ringtone URI +applyPatch "$DOS_PATCHES/android_frameworks_base/408446-backport.patch"; #R_asb_2024-11 Disallow device admin package and protected packages to be reinstalled as instant. +applyPatch "$DOS_PATCHES/android_frameworks_base/408447.patch"; #R_asb_2024-11 Clear app-provided shortcut icons #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) @@ -407,6 +415,7 @@ if enterAndClear "frameworks/opt/net/wifi"; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/352562.patch"; #Q_asb_2023-03 Revert "wifi: remove certificates for network factory reset" applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/355360.patch"; #Q_asb_2023-04 Revert "Revert "wifi: remove certificates for network factory reset"" applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/378139.patch"; #Q_asb_2023-07 Limit the number of Passpoint per App +applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/408452-backport.patch"; #Q_asb_2024-11 Fix security issue by change the field in WifiConfig applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS) fi; @@ -534,6 +543,8 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403303.patch"; #Q_asb_20 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403304.patch"; #Q_asb_2024-09 Ignore fragment attr from ext authenticator resource applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403305.patch"; #Q_asb_2024-09 Restrict Settings Homepage prior to provisioning applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405534.patch"; #R_asb_2024-10 FRP bypass defense in App battery usage page +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408450.patch"; #R_asb_2024-11 startActivityForResult with new Intent +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408451.patch"; #R_asb_2024-11 Checks cross user permission before handling intent git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) @@ -601,6 +612,7 @@ applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/355362.patch"; applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/378137.patch"; #Q_asb_2023-09 Canonicalize file path for insertion by legacy apps applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/378138.patch"; #Q_asb_2023-10 Fix path traversal vulnerabilities in MediaProvider applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/399090.patch"; #Q_asb_2024-07 Prevent insertion in other users storage volumes +applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/408453-backport.patch"; #Q_asb_2024-11 fi; if enterAndClear "packages/providers/TelephonyProvider"; then