15.1: June ASB work

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-15.1/android_frameworks_base/394878.patch

@@ -0,0 +1,43 @@
+From 2d2a31353a07daf096aa9e2ca09e18ad2773b1ba Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 26 Mar 2024 10:31:44 -0700
+Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
+
+Another verification is needed after Bundle modification.
+Bug: 321941232
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
+Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
+Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 4e4c261d0cc46..19e1a4c55120a 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3453,6 +3453,11 @@ public void onResult(Bundle result) {
+ 
+             // Strip auth token from result.
+             result.remove(AccountManager.KEY_AUTHTOKEN);
++            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                        "invalid intent in bundle returned");
++                return;
++            }
+ 
+             if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                 Log.v(TAG,
+@@ -5039,6 +5044,11 @@ public void onResult(Bundle result) {
+                     } else {
+                         if (mStripAuthTokenFromResult) {
+                             result.remove(AccountManager.KEY_AUTHTOKEN);
++                            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++                                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                                        "invalid intent in bundle returned");
++                                return;
++                            }
+                         }
+                         if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                             Log.v(TAG, getClass().getSimpleName()

Patches/LineageOS-15.1/android_frameworks_base/394879.patch

@@ -0,0 +1,53 @@
+From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001
+From: Chris Wailes <chriswailes@google.com>
+Date: Thu, 18 Apr 2019 18:25:57 -0700
+Subject: [PATCH] Adds additional sanitization for Zygote command arguments.
+
+Previously we were only insuring that the arguments provided to the
+Zygote didn't contain any newlines.  This adds additional checks for
+carriage returns and standalone integer arguments to protect against
+malicious argument and packet injection respectively.
+
+Bug: 130164289
+Test: m & flash & boot & check logs
+Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
+Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
+(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
+---
+ core/java/android/os/ZygoteProcess.java | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 6994033a963a8..904ec46859fa4 100644
+--- a/core/java/android/os/ZygoteProcess.java
++++ b/core/java/android/os/ZygoteProcess.java
+@@ -16,6 +16,7 @@
+ 
+ package android.os;
+ 
++import android.annotation.NonNull;
+ import android.net.LocalSocket;
+ import android.net.LocalSocketAddress;
+ import android.util.Log;
+@@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
+      */
+     @GuardedBy("mLock")
+     private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+-            ZygoteState zygoteState, ArrayList<String> args)
++            ZygoteState zygoteState, @NonNull ArrayList<String> args)
+             throws ZygoteStartFailedEx {
+         try {
+             // Throw early if any of the arguments are malformed. This means we can
+             // avoid writing a partial response to the zygote.
+             int sz = args.size();
+             for (int i = 0; i < sz; i++) {
++                // Making two indexOf calls here is faster than running a manually fused loop due
++                // to the fact that indexOf is a optimized intrinsic.
+                 if (args.get(i).indexOf('\n') >= 0) {
+-                    throw new ZygoteStartFailedEx("embedded newlines not allowed");
++                    throw new ZygoteStartFailedEx("Embedded newlines not allowed");
++                } else if (args.get(i).indexOf('\r') >= 0) {
++                    throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+                 }
+             }
+ 

Patches/LineageOS-15.1/android_frameworks_base/394880.patch

@@ -0,0 +1,32 @@
+From 00ff56bb646c525192f06cbeed96c3dc78d45795 Mon Sep 17 00:00:00 2001
+From: Hans Boehm <hboehm@google.com>
+Date: Tue, 2 Jan 2024 16:53:13 -0800
+Subject: [PATCH] Check hidden API exemptions
+
+Refuse to deal with newlines and null characters in
+HiddenApiSettings.update(). Also disallow nulls in process start
+arguments.
+
+Bug: 316153291
+Test: Treehugger for now
+(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
+Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+---
+ core/java/android/os/ZygoteProcess.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 904ec46859fa4..aab1d9d578031 100644
+--- a/core/java/android/os/ZygoteProcess.java
++++ b/core/java/android/os/ZygoteProcess.java
+@@ -292,6 +292,8 @@ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+                     throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+                 } else if (args.get(i).indexOf('\r') >= 0) {
+                     throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
++                } else if (args.get(i).indexOf('\u0000') >= 0) {
++                    throw new ZygoteStartFailedEx("Embedded nulls not allowed");
+                 }
+             }
+ 

Patches/LineageOS-15.1/android_frameworks_base/394881-backport.patch

@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ameer Armaly <aarmaly@google.com>
+Date: Fri, 8 Mar 2024 19:41:06 +0000
+Subject: [PATCH] AccessibilityManagerService: remove uninstalled services from
+ enabled list after service update.
+
+Bug: 326485767
+Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
+Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+---
+ .../AccessibilityManagerService.java          | 23 +++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 1e07aa5d4376..99f997220c40 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1548,10 +1548,13 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
+         boolean isUnlockingOrUnlocked = LocalServices.getService(UserManagerInternal.class)
+                     .isUserUnlockingOrUnlocked(userState.mUserId);
+ 
++        // Store the list of installed services.
++        mTempComponentNameSet.clear();
+         for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
+             AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
+             ComponentName componentName = ComponentName.unflattenFromString(
+                     installedService.getId());
++            mTempComponentNameSet.add(componentName);
+ 
+             Service service = componentNameToServiceMap.get(componentName);
+ 
+@@ -1594,6 +1597,26 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
+         if (audioManager != null) {
+             audioManager.setAccessibilityServiceUids(mTempIntArray);
+         }
++
++        // If any services have been removed, remove them from the enabled list and the touch
++        // exploration granted list.
++        boolean anyServiceRemoved =
++                userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
++                        || userState.mTouchExplorationGrantedServices.removeIf(
++                                (comp) -> !mTempComponentNameSet.contains(comp));
++        if (anyServiceRemoved) {
++            // Update the enabled services setting.
++            persistComponentNamesToSettingLocked(
++                    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
++                    userState.mEnabledServices,
++                    userState.mUserId);
++            // Update the touch exploration granted services setting.
++            persistComponentNamesToSettingLocked(
++                    Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
++                    userState.mTouchExplorationGrantedServices,
++                    userState.mUserId);
++        }
++        mTempComponentNameSet.clear();
+         updateAccessibilityEnabledSetting(userState);
+     }
+ 

Patches/LineageOS-15.1/android_frameworks_base/394882.patch

@@ -0,0 +1,40 @@
+From 538cc6c384985f272dc7ab6c7cc7222a59b4c341 Mon Sep 17 00:00:00 2001
+From: Guojing Yuan <guojing@google.com>
+Date: Thu, 14 Dec 2023 19:30:04 +0000
+Subject: [PATCH] [BACKPORT] Check permissions for CDM shell commands
+
+Override handleShellCommand instead of onShellCommand because
+Binder.onShellCommand checks the necessary permissions of the caller.
+
+Backport by mse1969@posteo.de:
+In Pie, method handleShellCommand does not exist, only Binder.onShellCommand, in which
+the caller uid check isn't yet implemented. Backport: Take over the uid check from A11
+and implement it in the method override.
+
+Bug: 313428840
+
+Test: manually tested CDM shell commands
+(cherry picked from commit 1761a0fee9c2cd9787bbb7fbdbe30b4c2b03396e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d008c61451dba86aa9f14c6bcd661db2cea4856)
+Merged-In: I5539b3594feb5544c458c0fd1061b51a0a808900
+Change-Id: I5539b3594feb5544c458c0fd1061b51a0a808900
+---
+ .../server/companion/CompanionDeviceManagerService.java      | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index 087fe8560fc80..8ffb53f8a3b9d 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -345,6 +345,11 @@ private void checkUsesFeature(String pkg, int userId) {
+         public void onShellCommand(FileDescriptor in, FileDescriptor out, FileDescriptor err,
+                 String[] args, ShellCallback callback, ResultReceiver resultReceiver)
+                 throws RemoteException {
++            final int callingUid = Binder.getCallingUid();
++            if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
++                resultReceiver.send(-1, null);
++                throw new RemoteException("Shell commands are only callable by ADB");
++            }
+             new ShellCmd().exec(this, in, out, err, args, callback, resultReceiver);
+         }
+     }

Scripts/LineageOS-15.1/Patch.sh

@@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -258,6 +258,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 R
 applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/389014-backport.patch"; #S_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
+applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)