Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-01-24 06:11:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

16.0 October ASB work

Browse Source 
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-10-09 20:45:09 -04:00
parent 27066c202f
commit 5d53945c3c
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
12 changed files with 704 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
Patches/LineageOS-16.0/android_external_libxml2/368053.patch Normal file
View File

@ -0,0 +1,123 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 17 Feb 2023 15:53:07 +0100
Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter
Found with libFuzzer, see #344.
(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)
I also copied the error label from
e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.
Bug: http://b/274231102
Test: TreeHugger
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:381160fc2a293d50a627c9e35bb34485bf97b6e7)
Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
---
xmlregexp.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/xmlregexp.c b/xmlregexp.c
index d255fbf0..6234a879 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -1641,6 +1641,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
return(-1);
inter = ctxt->state;
counter = xmlRegGetCounter(ctxt);
+ if (counter < 0)
+ return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@@ -1659,6 +1661,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
* epsilon transition.
*/
counter = xmlRegGetCounter(ctxt);
+ if (counter < 0)
+ return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@@ -5924,6 +5928,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;
@@ -5943,6 +5949,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
if (min == 0)
xmlFAGenerateEpsilonTransition(am, from, to);
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
/**
@@ -5990,6 +6000,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;
@@ -6009,6 +6021,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
if (min == 0)
xmlFAGenerateEpsilonTransition(am, from, to);
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
/**
@@ -6076,6 +6092,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;
@@ -6088,6 +6106,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
xmlRegAtomPush(am, atom);
am->state = to;
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
@@ -6135,6 +6157,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;
@@ -6147,6 +6171,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
xmlRegAtomPush(am, atom);
am->state = to;
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
/**

60
Patches/LineageOS-16.0/android_frameworks_base/368055.patch Normal file
View File

@ -0,0 +1,60 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jean-Michel Trivi <jmtrivi@google.com>
Date: Wed, 7 Dec 2022 04:36:46 +0000
Subject: [PATCH] RingtoneManager: verify default ringtone is audio
When a ringtone picker tries to set a ringtone through
RingtoneManager.setActualDefaultRingtoneUri (also
called by com.android.settings.DefaultRingtonePreference),
verify the mimeType can be obtained (not found when caller
doesn't have access to it) and it is an audio resource.
Bug: 205837340
Test: atest android.media.audio.cts.RingtoneManagerTest
(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377144b64325dadad102f5233ecb50a4446b205b)
Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
---
media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
index fefa1ede849e..0e03bfb2502a 100644
--- a/media/java/android/media/RingtoneManager.java
+++ b/media/java/android/media/RingtoneManager.java
@@ -819,10 +819,10 @@ public class RingtoneManager {
return ringtoneUri;
}
-
+
/**
* Sets the {@link Uri} of the default sound for a given sound type.
- *
+ *
* @param context A context used for querying.
* @param type The type whose default sound should be set. One of
* {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or
@@ -843,6 +843,21 @@ public class RingtoneManager {
if(!isInternalRingtoneUri(ringtoneUri)) {
ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId());
}
+
+ if (ringtoneUri != null) {
+ final String mimeType = resolver.getType(ringtoneUri);
+ if (mimeType == null) {
+ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+ + " ignored: failure to find mimeType (no access from this context?)");
+ return;
+ }
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
+ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+ + " ignored: associated mimeType:" + mimeType + " is not an audio type");
+ return;
+ }
+ }
+
Settings.System.putStringForUser(resolver, setting,
ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId());

52
Patches/LineageOS-16.0/android_frameworks_base/368059.patch Normal file
View File

@ -0,0 +1,52 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Josep del Rio <joseprio@google.com>
Date: Mon, 26 Jun 2023 11:16:37 +0000
Subject: [PATCH] Do not share key mappings with JNI object
The key mapping information between the native key mappings and
the KeyCharacterMap object available in Java is currently shared,
which means that a read can be attempted while it's being modified.
Because the code changed between R and S, this CL fixes it just
for R; the patch for versions S+ is ag/23785419
Bug: 274058082
Test: Presubmit
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4b3c4620166071561ec44961fb08a56676b4fd6c)
Merged-In: I3be94534dcda365da473f82347ae2e3f57bb1b42
Change-Id: I3be94534dcda365da473f82347ae2e3f57bb1b42
---
core/jni/android_view_InputDevice.cpp | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp
index 494fad7900ef..806a88f8f50e 100644
--- a/core/jni/android_view_InputDevice.cpp
+++ b/core/jni/android_view_InputDevice.cpp
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#include <binder/Parcel.h>
#include <input/Input.h>
#include <android_runtime/AndroidRuntime.h>
@@ -48,9 +49,16 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi
return NULL;
}
+ sp<KeyCharacterMap> map = deviceInfo.getKeyCharacterMap();
+ if (map != nullptr) {
+ Parcel parcel;
+ map->writeToParcel(&parcel);
+ map = map->readFromParcel(&parcel);
+ }
+
ScopedLocalRef<jobject> kcmObj(env,
- android_view_KeyCharacterMap_create(env, deviceInfo.getId(),
- deviceInfo.getKeyCharacterMap()));
+ android_view_KeyCharacterMap_create(env, deviceInfo.getId(),
+ map));
if (!kcmObj.get()) {
return NULL;
}

150
Patches/LineageOS-16.0/android_frameworks_base/368060-backport.patch Normal file
View File

@ -0,0 +1,150 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tim Yu <yunicorn@google.com>
Date: Tue, 20 Jun 2023 21:24:36 +0000
Subject: [PATCH] Verify URI Permissions in Autofill RemoteViews
Check permissions of URI inside of FillResponse's RemoteViews. If the
current user does not have the required permissions to view the URI, the
RemoteView is dropped from displaying.
This fixes a security spill in which a user can view content of another
user through a malicious Autofill provider.
Bug: 283137865
Fixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566
b/281534749 b/283101289
Test: Verified by POC app attached in bugs
Test: atest CtsAutoFillServiceTestCases (added new tests)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26beceb9a252a50374d056b162fa7e8ea55051b3)
Merged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a
Change-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a
---
.../com/android/server/autofill/Helper.java | 43 +++++++++++++++++++
.../android/server/autofill/ui/FillUi.java | 11 +++--
.../android/server/autofill/ui/SaveUi.java | 2 +-
3 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/services/autofill/java/com/android/server/autofill/Helper.java b/services/autofill/java/com/android/server/autofill/Helper.java
index f14c8f1aa7f6..a50d87ac81e4 100644
--- a/services/autofill/java/com/android/server/autofill/Helper.java
+++ b/services/autofill/java/com/android/server/autofill/Helper.java
@@ -18,6 +18,8 @@ package com.android.server.autofill;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.annotation.UserIdInt;
+import android.app.ActivityManager;
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.content.ComponentName;
@@ -29,13 +31,16 @@ import android.util.Slog;
import android.view.WindowManager;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
+import android.widget.RemoteViews;
import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
import com.android.internal.util.ArrayUtils;
import java.io.PrintWriter;
+import java.util.Arrays;
import java.util.ArrayList;
import java.util.LinkedList;
+import java.util.concurrent.atomic.AtomicBoolean;
public final class Helper {
@@ -79,6 +84,44 @@ public final class Helper {
throw new UnsupportedOperationException("contains static members only");
}
+ private static boolean checkRemoteViewUriPermissions(
+ @UserIdInt int userId, @NonNull RemoteViews rView) {
+ final AtomicBoolean permissionsOk = new AtomicBoolean(true);
+
+ rView.visitUris(uri -> {
+ int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri);
+ boolean allowed = uriOwnerId == userId;
+ permissionsOk.set(allowed && permissionsOk.get());
+ });
+
+ return permissionsOk.get();
+ }
+
+ /**
+ * Checks the URI permissions of the remote view,
+ * to see if the current userId is able to access it.
+ *
+ * Returns the RemoteView that is passed if user is able, null otherwise.
+ *
+ * TODO: instead of returning a null remoteview when
+ * the current userId cannot access an URI,
+ * return a new RemoteView with the URI removed.
+ */
+ public static @Nullable RemoteViews sanitizeRemoteView(RemoteViews rView) {
+ if (rView == null) return null;
+
+ int userId = ActivityManager.getCurrentUser();
+
+ boolean ok = checkRemoteViewUriPermissions(userId, rView);
+ if (!ok) {
+ Slog.w(TAG,
+ "sanitizeRemoteView() user: " + userId
+ + " tried accessing resource that does not belong to them");
+ }
+ return (ok ? rView : null);
+ }
+
+
@Nullable
static AutofillId[] toArray(@Nullable ArraySet<AutofillId> set) {
if (set == null) return null;
diff --git a/services/autofill/java/com/android/server/autofill/ui/FillUi.java b/services/autofill/java/com/android/server/autofill/ui/FillUi.java
index 8119054f4196..cacfcdff686f 100644
--- a/services/autofill/java/com/android/server/autofill/ui/FillUi.java
+++ b/services/autofill/java/com/android/server/autofill/ui/FillUi.java
@@ -137,8 +137,9 @@ final class FillUi {
mContext = new ContextThemeWrapper(context, THEME_ID);
final LayoutInflater inflater = LayoutInflater.from(mContext);
- final RemoteViews headerPresentation = response.getHeader();
- final RemoteViews footerPresentation = response.getFooter();
+ final RemoteViews headerPresentation = Helper.sanitizeRemoteView(response.getHeader());
+ final RemoteViews footerPresentation = Helper.sanitizeRemoteView(response.getFooter());
+
final ViewGroup decor;
if (mFullScreen) {
decor = (ViewGroup) inflater.inflate(R.layout.autofill_dataset_picker_fullscreen, null);
@@ -219,6 +220,9 @@ final class FillUi {
ViewGroup container = decor.findViewById(R.id.autofill_dataset_picker);
final View content;
try {
+ if (Helper.sanitizeRemoteView(response.getPresentation()) == null) {
+ throw new RuntimeException("Permission error accessing RemoteView");
+ }
response.getPresentation().setApplyTheme(THEME_ID);
content = response.getPresentation().apply(mContext, decor, interceptionHandler);
container.addView(content);
@@ -296,7 +300,8 @@ final class FillUi {
final Dataset dataset = response.getDatasets().get(i);
final int index = dataset.getFieldIds().indexOf(focusedViewId);
if (index >= 0) {
- final RemoteViews presentation = dataset.getFieldPresentation(index);
+ final RemoteViews presentation = Helper.sanitizeRemoteView(
+ dataset.getFieldPresentation(index));
if (presentation == null) {
Slog.w(TAG, "not displaying UI on field " + focusedViewId + " because "
+ "service didn't provide a presentation for it on " + dataset);
diff --git a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
index 58823036212d..695171e82773 100644
--- a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
+++ b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
@@ -269,7 +269,7 @@ final class SaveUi {
final int type = info.getType();
writeLog(MetricsEvent.AUTOFILL_SAVE_CUSTOM_DESCRIPTION, type);
- final RemoteViews template = customDescription.getPresentation();
+ final RemoteViews template = Helper.sanitizeRemoteView(customDescription.getPresentation());
if (template == null) {
Slog.w(TAG, "No remote view on custom description");
return false;

29
Patches/LineageOS-16.0/android_frameworks_base/368061.patch Normal file
View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Josep del Rio <joseprio@google.com>
Date: Wed, 12 Jul 2023 16:32:05 +0000
Subject: [PATCH] Fix KCM key mapping cloning
ag/23792288 tried to fix a security issue by cloning the key
mappings, but unfortunately the parcel was not being rewinded.
Bug: 274058082
Test: Confirmed change works in newer Android versions
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aaaba6cf190d976efdc5db6c78997dbdc9214c15)
Merged-In: I6f75b9202e20d82ebf81a35a2916e653ee1b8372
Change-Id: I6f75b9202e20d82ebf81a35a2916e653ee1b8372
---
core/jni/android_view_InputDevice.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp
index 806a88f8f50e..f36300ada64e 100644
--- a/core/jni/android_view_InputDevice.cpp
+++ b/core/jni/android_view_InputDevice.cpp
@@ -53,6 +53,7 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi
if (map != nullptr) {
Parcel parcel;
map->writeToParcel(&parcel);
+ parcel.setDataPosition(0);
map = map->readFromParcel(&parcel);
}

49
Patches/LineageOS-16.0/android_frameworks_base/368062-backport.patch Normal file
View File

@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hongwei Wang <hwwang@google.com>
Date: Wed, 24 May 2023 19:35:44 -0700
Subject: [PATCH] Disallow loading icon from content URI to PipMenu
Bug: 278246904
Test: manually, with the PoC app attached to the bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f5a87d8a0dc9190327ba0e6113d5b80ee96abae)
Merged-In: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d
Change-Id: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d
---
.../systemui/pip/phone/PipMenuActivity.java | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java
index 615b29f93269..214c58a80727 100644
--- a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java
+++ b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java
@@ -51,6 +51,7 @@ import android.graphics.PointF;
import android.graphics.Rect;
import android.graphics.drawable.ColorDrawable;
import android.graphics.drawable.Drawable;
+import android.graphics.drawable.Icon;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
@@ -508,11 +509,17 @@ public class PipMenuActivity extends Activity {
final RemoteAction action = mActions.get(i);
final ImageView actionView = (ImageView) mActionsGroup.getChildAt(i);
- // TODO: Check if the action drawable has changed before we reload it
- action.getIcon().loadDrawableAsync(this, d -> {
- d.setTint(Color.WHITE);
- actionView.setImageDrawable(d);
- }, mHandler);
+ final int iconType = action.getIcon().getType();
+ if (iconType == Icon.TYPE_URI /* || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP*/) {
+ // Disallow loading icon from content URI
+ actionView.setImageDrawable(null);
+ } else {
+ // TODO: Check if the action drawable has changed before we reload it
+ action.getIcon().loadDrawableAsync(this, d -> {
+ d.setTint(Color.WHITE);
+ actionView.setImageDrawable(d);
+ }, mHandler);
+ }
actionView.setContentDescription(action.getContentDescription());
if (action.isEnabled()) {
actionView.setOnClickListener(v -> {

59
Patches/LineageOS-16.0/android_frameworks_base/368063.patch Normal file
View File

@ -0,0 +1,59 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kunal Malhotra <malhk@google.com>
Date: Fri, 2 Jun 2023 23:32:02 +0000
Subject: [PATCH] Fixing DatabaseUtils to detect malformed UTF-16 strings
Test: tested with POC in bug, also using atest
Bug: 224771621
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12)
Merged-In: Ide65205b83063801971c5778af3154bcf3f0e530
Change-Id: Ide65205b83063801971c5778af3154bcf3f0e530
---
core/java/android/database/DatabaseUtils.java | 32 +++++++++++++------
1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/core/java/android/database/DatabaseUtils.java b/core/java/android/database/DatabaseUtils.java
index 3d019f07cb84..d3ebfea947db 100644
--- a/core/java/android/database/DatabaseUtils.java
+++ b/core/java/android/database/DatabaseUtils.java
@@ -337,17 +337,31 @@ public class DatabaseUtils {
*/
public static void appendEscapedSQLString(StringBuilder sb, String sqlString) {
sb.append('\'');
- if (sqlString.indexOf('\'') != -1) {
- int length = sqlString.length();
- for (int i = 0; i < length; i++) {
- char c = sqlString.charAt(i);
- if (c == '\'') {
- sb.append('\'');
+ int length = sqlString.length();
+ for (int i = 0; i < length; i++) {
+ char c = sqlString.charAt(i);
+ if (Character.isHighSurrogate(c)) {
+ if (i == length - 1) {
+ continue;
+ }
+ if (Character.isLowSurrogate(sqlString.charAt(i + 1))) {
+ // add them both
+ sb.append(c);
+ sb.append(sqlString.charAt(i + 1));
+ continue;
+ } else {
+ // this is a lone surrogate, skip it
+ continue;
}
- sb.append(c);
}
- } else
- sb.append(sqlString);
+ if (Character.isLowSurrogate(c)) {
+ continue;
+ }
+ if (c == '\'') {
+ sb.append('\'');
+ }
+ sb.append(c);
+ }
sb.append('\'');
}

24
Patches/LineageOS-16.0/android_frameworks_base/368067-backport.patch Normal file
View File

@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Mon, 9 Oct 2023 20:41:21 -0400
Subject: [PATCH] Revert "DO NOT MERGE Dismiss keyguard when simpin auth'd
and..."
This reverts commit 9137c0f90ae0fc93afa873e8bf6e1565ac46b9ba.
---
.../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
index bb205956e932..6a71cf84759c 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
case SimPuk:
// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+ if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
KeyguardUpdateMonitor.getCurrentUser())) {
finish = true;
} else {

16
Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
View File

@ -26,7 +26,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java
diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
index e78bbea120..54e2864c9a 100644
index e78bbea1202..54e2864c9aa 100644
--- a/res/values-de/cm_strings.xml
+++ b/res/values-de/cm_strings.xml
@@ -308,4 +308,7 @@
@ -38,7 +38,7 @@ index e78bbea120..54e2864c9a 100644
+ <string name="captive_portal_switch_warning">Nach dem Ausschalten der Captive-Portal-Erkennung empfangen Sie keine Verbindungs-Rückmeldung mehr. Wirklich fortfahren?</string>
</resources>
diff --git a/res/values/cm_strings.xml b/res/values/cm_strings.xml
index 7d0b80d3c0..c4a0aaa915 100644
index 7d0b80d3c05..c4a0aaa9157 100644
--- a/res/values/cm_strings.xml
+++ b/res/values/cm_strings.xml
@@ -398,4 +398,9 @@
@ -52,7 +52,7 @@ index 7d0b80d3c0..c4a0aaa915 100644
+ <string name="captive_portal_switch_warning">If you switch off the captive portal, you will not receive connectivity informations any longer. Really switch off?</string>
</resources>
diff --git a/res/xml/network_and_internet.xml b/res/xml/network_and_internet.xml
index 6eda0b0966..899bc41dd2 100644
index 6eda0b09669..899bc41dd22 100644
--- a/res/xml/network_and_internet.xml
+++ b/res/xml/network_and_internet.xml
@@ -101,4 +101,10 @@
@ -67,7 +67,7 @@ index 6eda0b0966..899bc41dd2 100644
+
</PreferenceScreen>
diff --git a/src/com/android/settings/ResetNetworkConfirm.java b/src/com/android/settings/ResetNetworkConfirm.java
index 4bdd8e1dba..2c9f04ca3e 100644
index 4bdd8e1dba8..2c9f04ca3e2 100644
--- a/src/com/android/settings/ResetNetworkConfirm.java
+++ b/src/com/android/settings/ResetNetworkConfirm.java
@@ -32,6 +32,7 @@ import android.os.Bundle;
@ -91,7 +91,7 @@ index 4bdd8e1dba..2c9f04ca3e 100644
// fragments. They lead to garbled message when new fragments come
diff --git a/src/com/android/settings/network/CaptivePortalModePreferenceController.java b/src/com/android/settings/network/CaptivePortalModePreferenceController.java
new file mode 100644
index 0000000000..0fd2d094a1
index 00000000000..0fd2d094a1b
--- /dev/null
+++ b/src/com/android/settings/network/CaptivePortalModePreferenceController.java
@@ -0,0 +1,81 @@
@ -178,7 +178,7 @@ index 0000000000..0fd2d094a1
+}
diff --git a/src/com/android/settings/network/CaptivePortalWarningDialog.java b/src/com/android/settings/network/CaptivePortalWarningDialog.java
new file mode 100644
index 0000000000..8240c2756e
index 00000000000..8240c2756e4
--- /dev/null
+++ b/src/com/android/settings/network/CaptivePortalWarningDialog.java
@@ -0,0 +1,73 @@
@ -257,7 +257,7 @@ index 0000000000..8240c2756e
+}
diff --git a/src/com/android/settings/network/CaptivePortalWarningDialogHost.java b/src/com/android/settings/network/CaptivePortalWarningDialogHost.java
new file mode 100644
index 0000000000..7a04d1f831
index 00000000000..7a04d1f8311
--- /dev/null
+++ b/src/com/android/settings/network/CaptivePortalWarningDialogHost.java
@@ -0,0 +1,32 @@
@ -294,7 +294,7 @@ index 0000000000..7a04d1f831
+ void onCaptivePortalSwitchOffDialogDismissed();
+}
diff --git a/src/com/android/settings/network/NetworkDashboardFragment.java b/src/com/android/settings/network/NetworkDashboardFragment.java
index 89bf5f4dec..4af55e2b50 100644
index 89bf5f4dec2..4af55e2b507 100644
--- a/src/com/android/settings/network/NetworkDashboardFragment.java
+++ b/src/com/android/settings/network/NetworkDashboardFragment.java
@@ -44,7 +44,7 @@ import java.util.Arrays;

136
Patches/LineageOS-16.0/android_packages_apps_Settings/368069-backport.patch Normal file
View File

@ -0,0 +1,136 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Weng Su <wengsu@google.com>
Date: Fri, 7 Jul 2023 19:52:04 +0800
Subject: [PATCH] Restrict ApnEditor settings
- Finish ApnEditor settings if user is not an admin
- Finish ApnEditor settings if user has DISALLOW_CONFIG_MOBILE_NETWORKS restriction
Bug: 279902472
Test: manual test
make RunSettingsRoboTests ROBOTEST_FILTER=ApnEditorTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c2d727b8f9198bf758a4896eda7c9e5385435ff)
Merged-In: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
Change-Id: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
---
.../android/settings/network/ApnEditor.java | 23 ++++++++++++++
.../settings/network/ApnEditorTest.java | 31 ++++++++++++++++++-
2 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/src/com/android/settings/network/ApnEditor.java b/src/com/android/settings/network/ApnEditor.java
index cceb31d29e7..74a7fed07fc 100644
--- a/src/com/android/settings/network/ApnEditor.java
+++ b/src/com/android/settings/network/ApnEditor.java
@@ -27,6 +27,7 @@ import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.os.PersistableBundle;
+import android.os.UserManager;
import android.provider.Telephony;
import android.support.annotation.VisibleForTesting;
import android.support.v14.preference.MultiSelectListPreference;
@@ -203,6 +204,11 @@ public class ApnEditor extends SettingsPreferenceFragment
@Override
public void onCreate(Bundle icicle) {
super.onCreate(icicle);
+ if (isUserRestricted()) {
+ Log.e(TAG, "This setting isn't available due to user restriction.");
+ finish();
+ return;
+ }
addPreferencesFromResource(R.xml.apn_editor);
@@ -1166,6 +1172,23 @@ public class ApnEditor extends SettingsPreferenceFragment
return userEnteredApnType;
}
+ @VisibleForTesting
+ boolean isUserRestricted() {
+ UserManager userManager = getContext().getSystemService(UserManager.class);
+ if (userManager == null) {
+ return false;
+ }
+ if (!userManager.isAdminUser()) {
+ Log.e(TAG, "User is not an admin");
+ return true;
+ }
+ if (userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) {
+ Log.e(TAG, "User is not allowed to configure mobile network");
+ return true;
+ }
+ return false;
+ }
+
public static class ErrorDialog extends InstrumentedDialogFragment {
public static void showError(ApnEditor editor) {
diff --git a/tests/robotests/src/com/android/settings/network/ApnEditorTest.java b/tests/robotests/src/com/android/settings/network/ApnEditorTest.java
index 35f68a06698..ed82b59be5b 100644
--- a/tests/robotests/src/com/android/settings/network/ApnEditorTest.java
+++ b/tests/robotests/src/com/android/settings/network/ApnEditorTest.java
@@ -32,6 +32,7 @@ import android.content.Context;
import android.content.res.Resources;
import android.database.Cursor;
import android.net.Uri;
+import android.os.UserManager;
import android.support.v14.preference.MultiSelectListPreference;
import android.support.v14.preference.SwitchPreference;
import android.support.v7.preference.EditTextPreference;
@@ -97,6 +98,8 @@ public class ApnEditorTest {
private ApnEditor mApnEditorUT;
private Activity mActivity;
+ @Mock
+ private UserManager mUserManager;
private Resources mResources;
@Before
@@ -111,6 +114,11 @@ public class ApnEditorTest {
doNothing().when(mApnEditorUT).finish();
doNothing().when(mApnEditorUT).showError();
+ doReturn(mUserManager).when(mContext).getSystemService(UserManager.class);
+ doReturn(true).when(mUserManager).isAdminUser();
+ doReturn(false).when(mUserManager)
+ .hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS);
+
setMockPreference(mActivity);
mApnEditorUT.mApnData = new FakeApnData(APN_DATA);
mApnEditorUT.sNotSet = "Not Set";
@@ -447,6 +455,27 @@ public class ApnEditorTest {
assertThat(ApnEditor.formatInteger("not an int")).isEqualTo("not an int");
}
+ @Test
+ @Config(shadows = ShadowFragment.class)
+ public void onCreate_notAdminUser_shouldFinish() {
+ doReturn(false).when(mUserManager).isAdminUser();
+
+ mApnEditorUT.onCreate(null);
+
+ verify(mApnEditorUT).finish();
+ }
+
+ @Test
+ @Config(shadows = ShadowFragment.class)
+ public void onCreate_hasUserRestriction_shouldFinish() {
+ doReturn(true).when(mUserManager)
+ .hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS);
+
+ mApnEditorUT.onCreate(null);
+
+ verify(mApnEditorUT).finish();
+ }
+
private void initCursor() {
doReturn(2).when(mCursor).getColumnCount();
doReturn(Integer.valueOf(2)).when(mCursor).getInt(CURSOR_INTEGER_INDEX);
@@ -489,4 +518,4 @@ public class ApnEditorTest {
mUri = uri;
}
}
-}
\ No newline at end of file
+}

2
Scripts/LineageOS-16.0/Functions.sh
View File

@ -91,7 +91,7 @@ patchWorkspaceReal() {
repopick -fit P_asb_2023-05;
repopick -fit P_asb_2023-06;
repopick -fit P_asb_2023-07 -e 361282;
repopick -fit P_asb_2023-08 -e 365327;
repopick -fit P_asb_2023-08 -e 365327,365328,364605;
repopick -fit P_asb_2023-09;
sh "$DOS_SCRIPTS/Patch.sh";

14
Scripts/LineageOS-16.0/Patch.sh
View File

@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2022-01-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-09 #XXX
sed -i 's/2022-01-05/2023-10-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-10 #XXX
fi;
if enterAndClear "build/soong"; then
@ -149,6 +149,10 @@ if enterAndClear "external/libvpx"; then
applyPatch "$DOS_PATCHES_COMMON/android_external_libvpx/CVE-2023-5217.patch"; #VP8: disallow thread count changes
fi;
if enterAndClear "external/libxml2"; then
applyPatch "$DOS_PATCHES/android_external_libxml2/368053.patch"; #R_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
fi;
if enterAndClear "external/svox"; then
git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie
@ -161,6 +165,13 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/368055.patch"; #R_asb_2023-10 RingtoneManager: verify default ringtone is audio
applyPatch "$DOS_PATCHES/android_frameworks_base/368059.patch"; #R_asb_2023-10 Do not share key mappings with JNI object
applyPatch "$DOS_PATCHES/android_frameworks_base/368060-backport.patch"; #R_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
applyPatch "$DOS_PATCHES/android_frameworks_base/368061.patch"; #R_asb_2023-10 Fix KCM key mapping cloning
applyPatch "$DOS_PATCHES/android_frameworks_base/368062-backport.patch"; #R_asb_2023-10 Disallow loading icon from content URI to PipMenu
applyPatch "$DOS_PATCHES/android_frameworks_base/368063.patch"; #R_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
applyPatch "$DOS_PATCHES/android_frameworks_base/368067-backport.patch"; #R_asb_2023-10 Revert "DO NOT MERGE Dismiss keyguard when simpin auth'd and..."
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -311,6 +322,7 @@ fi;
if enterAndClear "packages/apps/Settings"; then
git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/368069-backport.patch"; #R_asb_2023-10 Restrict ApnEditor settings
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)