From 807a08210a965dd2a88f47e33a69069193d07e16 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Mon, 7 Nov 2022 19:18:13 -0500
Subject: [PATCH] Tweaks

- 20.0: pick fixes for the deny usb toggle
- 20.0: pull in a patch from GrapheneOS removing a package list leak

Signed-off-by: Tad <tad@spotco.us>
---
 Misc/Features/GrapheneOS.txt                  |  3 ++
 .../0028-Remove_Legacy_Package_Query.patch    | 52 +++++++++++++++++++
 PrebuiltApps                                  |  2 +-
 Scripts/LineageOS-20.0/Functions.sh           |  6 +--
 Scripts/LineageOS-20.0/Patch.sh               |  1 +
 fix_permissions.sh                            |  3 ++
 6 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 Patches/LineageOS-20.0/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch

diff --git a/Misc/Features/GrapheneOS.txt b/Misc/Features/GrapheneOS.txt
index 00145bd9..28341557 100644
--- a/Misc/Features/GrapheneOS.txt
+++ b/Misc/Features/GrapheneOS.txt
@@ -59,6 +59,9 @@ nojit
 9  https://github.com/GrapheneOS/platform_build/commit/5b9927197e63593b9220d1a9280021252ef205e9
 9  https://github.com/GrapheneOS/platform_build/commit/e36c7aefaa78a1ed5b94c7f51d29277008eea232
 
+[implemented] package leak
+13 https://github.com/GrapheneOS/platform_frameworks_base/commit/28761ffa183eb719dc991a3ce9afa422fb43c16e
+
 [implemented] auto-var-init
 10 https://github.com/GrapheneOS/platform_build_soong/commit/e1b0c965952c47663d4266293b5d0e3f95121260
 10 https://github.com/GrapheneOS-Archive/platform_prebuilts_abi-dumps_vndk/commit/f2bd5eaae6a72a07c6be92cbaf2f9defa30fcf38
diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch b/Patches/LineageOS-20.0/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch
new file mode 100644
index 00000000..57c90468
--- /dev/null
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch
@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Sat, 5 Nov 2022 12:54:52 +0200
+Subject: [PATCH] don't leak device-wide package list to apps when work profile
+ is present
+
+If the primary user had a work profile, then apps installed in primary user could see packages that
+were installed only in secondary user(s). They couldn't see which secondary user had which apps,
+only presence of such packages was revealed.
+
+This special handling of MATCH_UNINSTALLED_PACKAGES flag was added in October 2016 for compatibility
+with legacy launchers. It is not needed anymore, at least for popular third party launchers.
+
+Note that apps in owner user can still see apps in work profile of owner user, it's part of a public
+API. Also, apps that are not installed in primary user are visible in Settings -> Apps, with
+"Not installed for this user" subtitle.
+
+See commit 0d1fd8d09163566d2c7eb72037f63b6404ada642 and issue report
+https://github.com/GrapheneOS/os-issue-tracker/issues/1634 for more details.
+---
+ .../java/com/android/server/pm/ComputerEngine.java   | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java
+index 259ca655d2b9..1845d7b1cbcf 100644
+--- a/services/core/java/com/android/server/pm/ComputerEngine.java
++++ b/services/core/java/com/android/server/pm/ComputerEngine.java
+@@ -2845,24 +2845,12 @@ public class ComputerEngine implements Computer {
+      * Update given flags when being used to request {@link PackageInfo}.
+      */
+     public final long updateFlagsForPackage(long flags, int userId) {
+-        final boolean isCallerSystemUser = UserHandle.getCallingUserId()
+-                == UserHandle.USER_SYSTEM;
+         if ((flags & PackageManager.MATCH_ANY_USER) != 0) {
+             // require the permission to be held; the calling uid and given user id referring
+             // to the same user is not sufficient
+             enforceCrossUserPermission(Binder.getCallingUid(), userId, false, false,
+                     !isRecentsAccessingChildProfiles(Binder.getCallingUid(), userId),
+                     "MATCH_ANY_USER flag requires INTERACT_ACROSS_USERS permission");
+-        } else if ((flags & PackageManager.MATCH_UNINSTALLED_PACKAGES) != 0
+-                && isCallerSystemUser
+-                && mUserManager.hasProfile(UserHandle.USER_SYSTEM)) {
+-            // If the caller wants all packages and has a profile associated with it,
+-            // then match all users. This is to make sure that launchers that need to access
+-            //work
+-            // profile apps don't start breaking. TODO: Remove this hack when launchers stop
+-            //using
+-            // MATCH_UNINSTALLED_PACKAGES to query apps in other profiles. b/31000380
+-            flags |= PackageManager.MATCH_ANY_USER;
+         }
+         return updateFlags(flags, userId);
+     }
diff --git a/PrebuiltApps b/PrebuiltApps
index 073a081f..f754766d 160000
--- a/PrebuiltApps
+++ b/PrebuiltApps
@@ -1 +1 @@
-Subproject commit 073a081f055e3ef0e5a9153417b3bf0fd35d7105
+Subproject commit f754766d7c1715518507f5502462a0197a01a2ab
diff --git a/Scripts/LineageOS-20.0/Functions.sh b/Scripts/LineageOS-20.0/Functions.sh
index 66e02174..96873401 100644
--- a/Scripts/LineageOS-20.0/Functions.sh
+++ b/Scripts/LineageOS-20.0/Functions.sh
@@ -102,9 +102,9 @@ patchWorkspace() {
 	gpgVerifyGitTag "$DOS_BUILD_BASE/external/SecureCamera";
 	gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
 
-	#source build/envsetup.sh;
-	#repopick -i 343790; #usb: have enableUsbDataSignal() call queryPortStatus() if successful
-	#repopick -i 343791; #UsbManager: enableUsbDataSignal: return early if HAL version is too old
+	source build/envsetup.sh;
+	repopick -i 343790; #usb: have enableUsbDataSignal() call queryPortStatus() if successful
+	repopick -i 343791; #UsbManager: enableUsbDataSignal: return early if HAL version is too old
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-20.0/Patch.sh b/Scripts/LineageOS-20.0/Patch.sh
index e6526ace..0ea15f25 100644
--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@@ -176,6 +176,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0023-Skip_Screen_Animation.patc
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0025-Monet_Toggle.patch"; #Make monet based theming user configurable (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
diff --git a/fix_permissions.sh b/fix_permissions.sh
index dcce14b4..4e514060 100755
--- a/fix_permissions.sh
+++ b/fix_permissions.sh
@@ -31,3 +31,6 @@ chmod -v 700 Patches/Linux/*.sh;
 #PrebuiltApps has its own fix_permissions.sh
 #Patches/Wallpapers has its own fix_permissions.sh
 setStrict Scripts;
+setRelaxed Repos/firmware;
+setRelaxed Repos/firmware-empty;
+setRelaxed Repos/firmware-19.1;