18: November 2024 ASB Picks

Signed-off-by: Tavi <tavi@divested.dev>

Container/Dockerfile

@@ -7,7 +7,7 @@ ARG username
 RUN  dnf -y update \
 #  && dnf -y install bash coreutils bzip2 curl java-1.8.0-openjdk java-1.8.0-openjdk-devel unzip zip zlib \
 #  && dnf -y install @development-tools tini android-tools automake bc bison  bzip2-libs ccache
-   && dnf -y install @development-tools android-tools automake bc bison bzip2 bzip2-libs ccache curl dpkg-dev flex gcc gcc-c++ git git-lfs glibc-devel.{x86_64,i686} gnupg gperf ImageMagick ImageMagick-c++-devel ImageMagick-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel libgcc.{x86_64,i686} libstdc++.{x86_64,i686} libX11-devel.{x86_64,i686} libxml2-devel libXrandr.{x86_64,i686} libXrender.{x86_64,i686} libxslt lz4-libs lzop make maven mesa-libGL-devel.{x86_64,i686} ncurses ncurses-compat-libs ncurses-devel.{x86_64,i686} ninja-build openssl-devel optipng jpegoptim perl perl-Digest-MD5-File perl-Switch pngcrush python python2 python3-virtualenv python3 python3-mako python-mako python-markdown python-networkx readline-devel.{x86_64,i686} rsync schedtool SDL squashfs-tools syslinux-devel unzip wxGTK xml2 xz-lzma-compat zip zlib zlib-devel vim-common vboot-utils mozilla-fira-mono-fonts mozilla-fira-sans-fonts openssl nano htop wget libxcrypt-compat.x86_64 golang \
+   && dnf -y install @development-tools android-tools automake bc bison bzip2 bzip2-libs ccache curl dpkg-dev flex gcc gcc-c++ git git-lfs glibc-devel.{x86_64,i686} gnupg gperf ImageMagick ImageMagick-c++-devel ImageMagick-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel libgcc.{x86_64,i686} libstdc++.{x86_64,i686} libX11-devel.{x86_64,i686} libxml2-devel libXrandr.{x86_64,i686} libXrender.{x86_64,i686} libxslt lz4-libs lzop make maven mesa-libGL-devel.{x86_64,i686} ncurses ncurses-compat-libs ncurses-devel.{x86_64,i686} ninja-build openssl-devel optipng jpegoptim perl perl-Digest-MD5-File perl-Switch pngcrush python python2 python3-virtualenv python3 python3-mako python-mako python-markdown python-networkx readline-devel.{x86_64,i686} rsync schedtool SDL squashfs-tools syslinux-devel unzip wxGTK xml2 xz-lzma-compat zip zlib zlib-devel vim-common vboot-utils mozilla-fira-mono-fonts mozilla-fira-sans-fonts openssl nano htop wget libxcrypt-compat.x86_64 golang openssl-devel-engine \
   && dnf clean all \
   && curl -o /usr/local/bin/repo https://storage.googleapis.com/git-repo-downloads/repo \
   && chmod a+x /usr/local/bin/repo   \

Patches/LineageOS-18.1/android_external_skia/408442.patch

@@ -0,0 +1,48 @@
+From cfb96168e5e753a0bdcca4874b012c25a7f7737a Mon Sep 17 00:00:00 2001
+From: Brian Osman <brianosman@google.com>
+Date: Tue, 27 Aug 2024 14:22:52 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Avoid potential overflow when allocating
+ 3D mask from emboss filter
+
+Note: the original fix landed after
+Iac8b937e516dbfbbcefef54360dd5b7300bacb67 introduced SkMaskBuilder, so
+this cherry-pick had to be tweaked to avoid conflicts. Unfortuantely
+that means we need RESTRICT AUTOMERGE to prevent this modified version
+from flowing through API boundaries into VIC, and we need to manually
+cherry-pick it to each API level.
+
+Bug: 344620577
+Test: N/A -- unclear if even reachable
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/893738
+Commit-Queue: Brian Osman <brianosman@google.com>
+Reviewed-by: Ben Wagner <bungeman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2bc38734eec777bf2574d4b38a7fd4fc05f0ecde)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:69fc79acf3f05f269c55069ba5e2fbd00e1a76b6)
+Merged-In: Ia35860371d45120baca63238e77faa5c0eb25d51
+Change-Id: Ia35860371d45120baca63238e77faa5c0eb25d51
+---
+ src/effects/SkEmbossMaskFilter.cpp | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/effects/SkEmbossMaskFilter.cpp b/src/effects/SkEmbossMaskFilter.cpp
+index 2dcce2b9102..8ea8c08039b 100644
+--- a/src/effects/SkEmbossMaskFilter.cpp
++++ b/src/effects/SkEmbossMaskFilter.cpp
+@@ -95,11 +95,13 @@ bool SkEmbossMaskFilter::filterMask(SkMask* dst, const SkMask& src,
+ 
+     {
+         uint8_t* alphaPlane = dst->fImage;
+-        size_t   planeSize = dst->computeImageSize();
+-        if (0 == planeSize) {
+-            return false;   // too big to allocate, abort
++        size_t totalSize = dst->computeTotalImageSize();
++        if (totalSize == 0) {
++            return false;  // too big to allocate, abort
+         }
+-        dst->fImage = SkMask::AllocImage(planeSize * 3);
++        size_t planeSize = dst->computeImageSize();
++        SkASSERT(planeSize != 0);  // if totalSize didn't overflow, this can't either
++        dst->fImage = SkMask::AllocImage(totalSize);
+         memcpy(dst->fImage, alphaPlane, planeSize);
+         SkMask::FreeImage(alphaPlane);
+     }

Patches/LineageOS-18.1/android_frameworks_base/408443.patch

@@ -0,0 +1,31 @@
+From 3651d27fdb579b51ea8a9b12fc18ca6e495566da Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 2 Jul 2024 11:02:07 -0700
+Subject: [PATCH] Remove authenticator data if it was disabled.
+
+Test: manual
+Bug: 343440463
+Flag: EXEMPT bugfix
+(cherry picked from commit ddfc078af7e89641360b896f99af23a6b371b847)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c2660dcf7fca3f652528d219767f65858bbbe622)
+Merged-In: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6
+Change-Id: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6
+---
+ .../com/android/server/accounts/AccountManagerService.java    | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index fb79904a5b3a8..5718071c2bc4e 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -1165,6 +1165,10 @@ private void validateAccountsInternal(
+                             obsoleteAuthType.add(type);
+                             // And delete it from the TABLE_META
+                             accountsDb.deleteMetaByAuthTypeAndUid(type, uid);
++                        } else if (knownUid != null && knownUid != uid) {
++                            Slog.w(TAG, "authenticator no longer exist for type " + type);
++                            obsoleteAuthType.add(type);
++                            accountsDb.deleteMetaByAuthTypeAndUid(type, uid);
+                         }
+                     }
+                 }

Patches/LineageOS-18.1/android_frameworks_base/408444.patch

@@ -0,0 +1,76 @@
+From 3f5562449aad196198d0d36c312e6461920cebce Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <jmtrivi@google.com>
+Date: Mon, 24 Jun 2024 17:29:14 -0700
+Subject: [PATCH] RingtoneManager: allow video ringtone URI
+
+When checking the MIME type for the default ringtone, also
+allow it to refer to video content.
+
+Bug: 205837340
+Test: see POC + atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a8d2785d69314086dc3b5b2531386fefff079ce7)
+Merged-In: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+Change-Id: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+---
+ media/java/android/media/RingtoneManager.java         |  8 ++++++--
+ .../android/providers/settings/SettingsProvider.java  | 11 +++++++----
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 918a9d8943dde..1e1142387d149 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -833,9 +833,13 @@ public static void setActualDefaultRingtoneUri(Context context, int type, Uri ri
+                         + " ignored: failure to find mimeType (no access from this context?)");
+                 return;
+             }
+-            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+-                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type:" + mimeType
++                        + " is not a recognized audio or video type");
+                 return;
+             }
+         }
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+index d3c10574ea134..f58016acd290f 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+@@ -1781,7 +1781,7 @@ private boolean mutateSystemSetting(String name, String value, int runAsUserId,
+             cacheName = Settings.System.ALARM_ALERT_CACHE;
+         }
+         if (cacheName != null) {
+-            if (!isValidAudioUri(name, value)) {
++            if (!isValidMediaUri(name, value)) {
+                 return false;
+             }
+             final File cacheFile = new File(
+@@ -1816,7 +1816,7 @@ owningUserId, name, value, null, false, getCallingPackage(),
+         }
+     }
+ 
+-    private boolean isValidAudioUri(String name, String uri) {
++    private boolean isValidMediaUri(String name, String uri) {
+         if (uri != null) {
+             Uri audioUri = Uri.parse(uri);
+             if (Settings.AUTHORITY.equals(
+@@ -1834,10 +1834,13 @@ private boolean isValidAudioUri(String name, String uri) {
+                 return false;
+             }
+             if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+-                    || mimeType.equals("application/x-flac"))) {
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Slog.e(LOG_TAG,
+                         "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+-                        + " ignored: associated mimeType: " + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type: " + mimeType
++                        + " is not a recognized audio or video type");
+                 return false;
+             }
+         }

Patches/LineageOS-18.1/android_frameworks_base/408445.patch

@@ -0,0 +1,53 @@
+From 12f53fb98530441d6612b06f07db77db9de2eaf9 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Gupta <kumarashishg@google.com>
+Date: Wed, 31 Jul 2024 16:02:29 +0000
+Subject: [PATCH] Set no data transfer on function switch timeout for accessory
+ mode
+
+In case of function switch times out, we will check whether
+the last function set was accessory. If this is the case, it is
+recommended to set the function to NONE(No data transfer) rather than
+setting it to the default USB function.
+
+Bug: 353712853
+Test: Build the code, flash the device and test it.
+Test: atest CtsUsbManagerTestCases
+Test: run CtsVerifier tool
+Test: atest CtsUsbTests
+(cherry picked from commit 7c6ec68537ba8abf798afd9ab7c3e5889841171f)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b032a602cdad00687e1fe089d66a6c4fa6925d79)
+Merged-In: I698e9df0333cbb51dd9bd5917a94d81273a2784a
+Change-Id: I698e9df0333cbb51dd9bd5917a94d81273a2784a
+---
+ .../java/com/android/server/usb/UsbDeviceManager.java | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/services/usb/java/com/android/server/usb/UsbDeviceManager.java b/services/usb/java/com/android/server/usb/UsbDeviceManager.java
+index a7a51a151b973..8a6731e2e5ee6 100644
+--- a/services/usb/java/com/android/server/usb/UsbDeviceManager.java
++++ b/services/usb/java/com/android/server/usb/UsbDeviceManager.java
+@@ -659,7 +659,7 @@ private void updateCurrentAccessory() {
+             }
+         }
+ 
+-        private void notifyAccessoryModeExit() {
++        protected void notifyAccessoryModeExit() {
+             // make sure accessory mode is off
+             // and restore default functions
+             Slog.d(TAG, "exited USB accessory mode");
+@@ -1791,8 +1791,13 @@ public void handleMessage(Message msg) {
+                      * Dont force to default when the configuration is already set to default.
+                      */
+                     if (msg.arg1 != 1) {
+-                        // Set this since default function may be selected from Developer options
+-                        setEnabledFunctions(mScreenUnlockedFunctions, false);
++                        if (mCurrentFunctions == UsbManager.FUNCTION_ACCESSORY) {
++                            notifyAccessoryModeExit();
++                        } else {
++                            // Set this since default function may be selected from Developer
++                            // options
++                            setEnabledFunctions(mScreenUnlockedFunctions, false);
++                        }
+                     }
+                     break;
+                 case MSG_GADGET_HAL_REGISTERED:

Patches/LineageOS-18.1/android_frameworks_base/408446.patch

@@ -0,0 +1,46 @@
+From 67f7515c79ea18e50bb87f8fbe083493a0aac0d6 Mon Sep 17 00:00:00 2001
+From: lpeter <lpeter@google.com>
+Date: Tue, 6 Aug 2024 09:22:12 +0000
+Subject: [PATCH] Disallow device admin package and protected packages to be
+ reinstalled as instant.
+
+We should prevent the following types of apps from being reinstalled with
+--install-existing as an instant.
+(1)device admin package
+(2)protected packages
+
+Flag: EXEMPT bugfix
+
+Bug: 341256043
+Test: Manual test
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77c5ebbd2a83e060577dd584aed7802452339ca5)
+Merged-In: I4e913a12477fd4a64990033eaae533e30863e2a2
+Change-Id: I4e913a12477fd4a64990033eaae533e30863e2a2
+---
+ .../java/com/android/server/pm/PackageManagerService.java   | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 819a1437a4f1f..c0dd1f1e02f5b 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -13390,6 +13390,9 @@ int installExistingPackageAsUser(@Nullable String packageName, @UserIdInt int us
+                     (installFlags & PackageManager.INSTALL_INSTANT_APP) != 0;
+             final boolean fullApp =
+                     (installFlags & PackageManager.INSTALL_FULL_APP) != 0;
++            final boolean isPackageDeviceAdmin = isPackageDeviceAdmin(packageName, userId);
++            final boolean isProtectedPackage = mProtectedPackages != null
++                    && mProtectedPackages.isPackageStateProtected(userId, packageName);
+ 
+             // writer
+             synchronized (mLock) {
+@@ -13397,7 +13400,8 @@ int installExistingPackageAsUser(@Nullable String packageName, @UserIdInt int us
+                 if (pkgSetting == null) {
+                     return PackageManager.INSTALL_FAILED_INVALID_URI;
+                 }
+-                if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) {
++                if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting)
++                        || isPackageDeviceAdmin || isProtectedPackage)) {
+                     return PackageManager.INSTALL_FAILED_INVALID_URI;
+                 }
+                 if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) {

Patches/LineageOS-18.1/android_frameworks_base/408447.patch

@@ -0,0 +1,82 @@
+From 527ea3afca9a6ae7d330e5f982f9d22011adab7d Mon Sep 17 00:00:00 2001
+From: Ben Murdoch <benm@google.com>
+Date: Fri, 30 Aug 2024 17:22:59 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Clear app-provided shortcut icons
+
+When displaying keyboard shortcuts provided by an app, clear
+any icon that may have been set (this is only possible via
+reflection, and is not a intended for usage outside of the system).
+
+Bug: 331180422
+Test: Verify on device
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a031e9f221cf87657c42d3ed0ddbe93fc6d7a9c3)
+Merged-In: If7e291eb2254c3cbec23673c65e7477e6ad45b09
+Change-Id: If7e291eb2254c3cbec23673c65e7477e6ad45b09
+---
+ core/java/android/view/KeyboardShortcutInfo.java    | 13 +++++++++++--
+ .../systemui/statusbar/KeyboardShortcuts.java       |  9 +++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/view/KeyboardShortcutInfo.java b/core/java/android/view/KeyboardShortcutInfo.java
+index 2660e74dcb205..2075d77a9871e 100644
+--- a/core/java/android/view/KeyboardShortcutInfo.java
++++ b/core/java/android/view/KeyboardShortcutInfo.java
+@@ -29,7 +29,7 @@
+  */
+ public final class KeyboardShortcutInfo implements Parcelable {
+     private final CharSequence mLabel;
+-    private final Icon mIcon;
++    private Icon mIcon;
+     private final char mBaseCharacter;
+     private final int mKeycode;
+     private final int mModifiers;
+@@ -115,6 +115,15 @@ public Icon getIcon() {
+         return mIcon;
+     }
+ 
++    /**
++     * Removes an icon that was previously set.
++     *
++     * @hide
++     */
++    public void clearIcon() {
++        mIcon = null;
++    }
++
+     /**
+      * Returns the base keycode that, combined with the modifiers, triggers this shortcut. If the
+      * base character was set instead, returns {@link KeyEvent#KEYCODE_UNKNOWN}. Valid keycodes are
+@@ -165,4 +174,4 @@ public KeyboardShortcutInfo[] newArray(int size) {
+             return new KeyboardShortcutInfo[size];
+         }
+     };
+-}
+\ No newline at end of file
++}
+diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java
+index 7e6ddcfea7620..cc373d3c8b0f1 100644
+--- a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java
++++ b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java
+@@ -378,6 +378,7 @@ private void showKeyboardShortcuts(int deviceId) {
+             @Override
+             public void onKeyboardShortcutsReceived(
+                     final List<KeyboardShortcutGroup> result) {
++                sanitiseShortcuts(result);
+                 result.add(getSystemShortcuts());
+                 final KeyboardShortcutGroup appShortcuts = getDefaultApplicationShortcuts();
+                 if (appShortcuts != null) {
+@@ -388,6 +389,14 @@ public void onKeyboardShortcutsReceived(
+         }, deviceId);
+     }
+ 
++    static void sanitiseShortcuts(List<KeyboardShortcutGroup> shortcutGroups) {
++        for (KeyboardShortcutGroup group : shortcutGroups) {
++            for (KeyboardShortcutInfo info : group.getItems()) {
++                info.clearIcon();
++            }
++        }
++    }
++
+     private void dismissKeyboardShortcuts() {
+         if (mKeyboardShortcutsDialog != null) {
+             mKeyboardShortcutsDialog.dismiss();

Patches/LineageOS-18.1/android_frameworks_base/408448.patch

@@ -0,0 +1,137 @@
+From e1c64096a439b5d54a5cb6de77242217b1516ca1 Mon Sep 17 00:00:00 2001
+From: Dipankar Bhardwaj <dipankarb@google.com>
+Date: Wed, 21 Aug 2024 14:26:50 +0000
+Subject: [PATCH] Restrict access to directories
+
+Restricted access to Android/data, Android/obb and Android/sandbox
+directories and its sub-directories. Replacing path's pattern match
+check with file equality check.
+
+Test: atest DocumentsClientTest
+Bug: 341680936
+Flag: EXEMPT bug fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:22ea85377ad49594e46c57b398fb477d3d12c668)
+Merged-In: I8879900e57e1702d11797b81e86d0cc3f55bac22
+Change-Id: I8879900e57e1702d11797b81e86d0cc3f55bac22
+---
+ .../ExternalStorageProvider.java              | 79 ++++++++++++++++---
+ 1 file changed, 68 insertions(+), 11 deletions(-)
+
+diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+index 53e17e35953d1..a722c08605083 100644
+--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
++++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+@@ -16,8 +16,6 @@
+ 
+ package com.android.externalstorage;
+ 
+-import static java.util.regex.Pattern.CASE_INSENSITIVE;
+-
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.usage.StorageStatsManager;
+@@ -61,12 +59,15 @@
+ import java.io.FileNotFoundException;
+ import java.io.IOException;
+ import java.io.PrintWriter;
++import java.nio.file.Files;
++import java.nio.file.Paths;
++import java.util.Arrays;
+ import java.util.Collections;
+ import java.util.List;
+ import java.util.Locale;
+ import java.util.Objects;
+ import java.util.UUID;
+-import java.util.regex.Pattern;
++import java.util.stream.Collectors;
+ 
+ /**
+  * Presents content of the shared (a.k.a. "external") storage.
+@@ -89,12 +90,9 @@ public class ExternalStorageProvider extends FileSystemProvider {
+     private static final Uri BASE_URI =
+             new Uri.Builder().scheme(ContentResolver.SCHEME_CONTENT).authority(AUTHORITY).build();
+ 
+-    /**
+-     * Regex for detecting {@code /Android/data/}, {@code /Android/obb/} and
+-     * {@code /Android/sandbox/} along with all their subdirectories and content.
+-     */
+-    private static final Pattern PATTERN_RESTRICTED_ANDROID_SUBTREES =
+-            Pattern.compile("^Android/(?:data|obb|sandbox)(?:/.+)?", CASE_INSENSITIVE);
++    private static final String PRIMARY_EMULATED_STORAGE_PATH = "/storage/emulated/";
++
++    private static final String STORAGE_PATH = "/storage/";
+ 
+     private static final String[] DEFAULT_ROOT_PROJECTION = new String[] {
+             Root.COLUMN_ROOT_ID, Root.COLUMN_FLAGS, Root.COLUMN_ICON, Root.COLUMN_TITLE,
+@@ -308,10 +306,69 @@ protected boolean shouldHideDocument(@NonNull String documentId) {
+             return false;
+         }
+ 
+-        final String path = getPathFromDocId(documentId);
+-        return PATTERN_RESTRICTED_ANDROID_SUBTREES.matcher(path).matches();
++        try {
++            final RootInfo root = getRootFromDocId(documentId);
++            final String canonicalPath = getPathFromDocId(documentId);
++            return isRestrictedPath(root.rootId, canonicalPath);
++        } catch (Exception e) {
++            return true;
++        }
+     }
+ 
++    /**
++     * Based on the given root id and path, we restrict path access if file is Android/data or
++     * Android/obb or Android/sandbox or one of their subdirectories.
++     *
++     * @param canonicalPath of the file
++     * @return true if path is restricted
++     */
++    private boolean isRestrictedPath(String rootId, String canonicalPath) {
++        if (rootId == null || canonicalPath == null) {
++            return true;
++        }
++
++        final String rootPath;
++        if (rootId.equalsIgnoreCase(ROOT_ID_PRIMARY_EMULATED)) {
++            // Creates "/storage/emulated/<user-id>"
++            rootPath = PRIMARY_EMULATED_STORAGE_PATH + UserHandle.myUserId();
++        } else {
++            // Creates "/storage/<volume-uuid>"
++            rootPath = STORAGE_PATH + rootId;
++        }
++        List<java.nio.file.Path> restrictedPathList = Arrays.asList(
++                Paths.get(rootPath, "Android", "data"),
++                Paths.get(rootPath, "Android", "obb"),
++                Paths.get(rootPath, "Android", "sandbox"));
++        // We need to identify restricted parent paths which actually exist on the device
++        List<java.nio.file.Path> validRestrictedPathsToCheck = restrictedPathList.stream().filter(
++                Files::exists).collect(Collectors.toList());
++
++        boolean isRestricted = false;
++        java.nio.file.Path filePathToCheck = Paths.get(rootPath, canonicalPath);
++        try {
++            while (filePathToCheck != null) {
++                for (java.nio.file.Path restrictedPath : validRestrictedPathsToCheck) {
++                    if (Files.isSameFile(restrictedPath, filePathToCheck)) {
++                        isRestricted = true;
++                        Log.v(TAG, "Restricting access for path: " + filePathToCheck);
++                        break;
++                    }
++                }
++                if (isRestricted) {
++                    break;
++                }
++
++                filePathToCheck = filePathToCheck.getParent();
++            }
++        } catch (Exception e) {
++            Log.w(TAG, "Error in checking file equality check.", e);
++            isRestricted = true;
++        }
++
++        return isRestricted;
++    }
++
++
+     /**
+      * Check that the directory is the root of storage or blocked file from tree.
+      * <p>

Patches/LineageOS-18.1/android_frameworks_opt_net_wifi/408452.patch

@@ -0,0 +1,123 @@
+From 77dbe1a766a8207f7039b9b55643599e2210b0da Mon Sep 17 00:00:00 2001
+From: Nate Jiang <qiangjiang@google.com>
+Date: Thu, 8 Aug 2024 18:13:39 +0000
+Subject: [PATCH] [BACKPORT] Fix security issue by change the field in
+ WifiConfig
+
+Flag: EXEMPT bugfix
+Bug: 347912017
+Bug: 348352288
+Bug: 346289032
+Test: atest com.android.server.wifi
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:eca3f190d2a5b6b634224863f5ee5f584babd0dc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0597dc97b34e1d1609c1e33f9b6e524474a94144)
+Merged-In: I8998340ae557660036895dd906808d682b83c6f0
+Change-Id: I8998340ae557660036895dd906808d682b83c6f0
+---
+ .../server/wifi/WifiConfigurationUtil.java    | 72 ++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/service/java/com/android/server/wifi/WifiConfigurationUtil.java b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
+index ffa9facf55..6b942735b5 100644
+--- a/service/java/com/android/server/wifi/WifiConfigurationUtil.java
++++ b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
+@@ -63,6 +63,11 @@ public class WifiConfigurationUtil {
+     private static final int SAE_ASCII_MIN_LEN = 1 + ENCLOSING_QUOTES_LEN;
+     private static final int PSK_SAE_ASCII_MAX_LEN = 63 + ENCLOSING_QUOTES_LEN;
+     private static final int PSK_SAE_HEX_LEN = 64;
++    private static final int MAX_STRING_LENGTH = 512;
++
++    // BACKPORT
++    private static final int MAX_NUMBER_OF_OI = 36;
++    private static final long MAX_OI_VALUE = ((long) 1 << 40)  - 1;
+ 
+     @VisibleForTesting
+     public static final String PASSWORD_MASK = "*";
+@@ -597,7 +602,8 @@ public static boolean validate(WifiConfiguration config, boolean isAdd) {
+         if (!validateSsid(config.SSID, isAdd)) {
+             return false;
+         }
+-        if (!validateBssid(config.BSSID)) {
++        if (!validateBssid(config.BSSID) || !validateBssid(config.dhcpServer)
++                || !validateBssid(config.defaultGwMacAddress)) {
+             return false;
+         }
+         if (!validateBitSets(config)) {
+@@ -606,6 +612,12 @@ public static boolean validate(WifiConfiguration config, boolean isAdd) {
+         if (!validateKeyMgmt(config.allowedKeyManagement)) {
+             return false;
+         }
++        if (!validatePasspoint(config)) {
++            return false;
++        }
++        if (!validateNetworkSelectionStatus(config.getNetworkSelectionStatus())) {
++            return false;
++        }
+         if (config.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_PSK)
+                 && !validatePassword(config.preSharedKey, isAdd, false, false)) {
+             return false;
+@@ -651,6 +663,64 @@ public static boolean validate(WifiConfiguration config, boolean isAdd) {
+         return true;
+     }
+ 
++    private static boolean validateStringField(String field, int maxLength) {
++        return field == null || field.length() <= maxLength;
++    }
++
++    private static boolean validatePasspoint(WifiConfiguration config) {
++        if (!validateStringField(config.FQDN, 255)) {
++            return false;
++        }
++        if (!validateStringField(config.providerFriendlyName, 255)) {
++            return false;
++        }
++        if (!validateRoamingConsortiumIds(config.roamingConsortiumIds)) {
++            return false;
++        }
++        if (!validateUpdateIdentifier(config.updateIdentifier)) {
++            return false;
++        }
++        return true;
++    }
++
++    private static boolean validateUpdateIdentifier(String updateIdentifier) {
++        if (TextUtils.isEmpty(updateIdentifier)) {
++            return true;
++        }
++        try {
++            Integer.valueOf(updateIdentifier);
++        } catch (NumberFormatException e) {
++            return false;
++        }
++        return true;
++    }
++
++    private static boolean validateNetworkSelectionStatus(
++            WifiConfiguration.NetworkSelectionStatus status) {
++        if (status == null) {
++            return false;
++        }
++        return validateStringField(status.getConnectChoice(), MAX_STRING_LENGTH)
++                    && validateBssid(status.getNetworkSelectionBSSID());
++    }
++
++    private static boolean validateRoamingConsortiumIds(long[] roamingConsortiumIds) {
++        if (roamingConsortiumIds != null) {
++            if (roamingConsortiumIds.length > MAX_NUMBER_OF_OI) {
++                Log.d(TAG, "too many Roaming Consortium Organization Identifiers in the "
++                        + "profile");
++                return false;
++            }
++            for (long oi : roamingConsortiumIds) {
++                if (oi < 0 || oi > MAX_OI_VALUE) {
++                    Log.d(TAG, "Organization Identifiers is out of range");
++                    return false;
++                }
++            }
++        }
++        return true;
++    }
++
+     private static boolean validateBssidPattern(
+             Pair<MacAddress, MacAddress> bssidPatternMatcher) {
+         if (bssidPatternMatcher == null) return true;

Patches/LineageOS-18.1/android_packages_apps_Settings/408449.patch

@@ -0,0 +1,72 @@
+From 9411c079df368653f34617e2e07487c00b5da4bc Mon Sep 17 00:00:00 2001
+From: Daniel Norman <danielnorman@google.com>
+Date: Wed, 14 Aug 2024 21:15:42 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Stops hiding a11y services with the same
+ package+label as an activity.
+
+Bug: 353700779
+Test: Install poc APKs from the bug, observe issue not reproducible
+Test: (automated tests on 'main' branch)
+Flag: NONE security fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fecb99475e019614d6eba07a79ddc7f46b335892)
+Merged-In: Ia8d43229d277dd4442173166ae0402f05096da4b
+Change-Id: Ia8d43229d277dd4442173166ae0402f05096da4b
+---
+ .../accessibility/AccessibilitySettings.java  | 25 -------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/src/com/android/settings/accessibility/AccessibilitySettings.java b/src/com/android/settings/accessibility/AccessibilitySettings.java
+index f918046bc37..b2f37c026ff 100644
+--- a/src/com/android/settings/accessibility/AccessibilitySettings.java
++++ b/src/com/android/settings/accessibility/AccessibilitySettings.java
+@@ -27,7 +27,6 @@
+ import android.content.pm.ActivityInfo;
+ import android.content.pm.PackageManager;
+ import android.content.pm.ResolveInfo;
+-import android.content.pm.ServiceInfo;
+ import android.graphics.drawable.Drawable;
+ import android.hardware.display.ColorDisplayManager;
+ import android.net.Uri;
+@@ -407,17 +406,11 @@ private List<RestrictedPreference> getInstalledAccessibilityList(Context context
+         final List<AccessibilityShortcutInfo> installedShortcutList =
+                 a11yManager.getInstalledAccessibilityShortcutListAsUser(context,
+                         UserHandle.myUserId());
+-
+-        // Remove duplicate item here, new a ArrayList to copy unmodifiable list result
+-        // (getInstalledAccessibilityServiceList).
+         final List<AccessibilityServiceInfo> installedServiceList = new ArrayList<>(
+                 a11yManager.getInstalledAccessibilityServiceList());
+-        installedServiceList.removeIf(
+-                target -> containsTargetNameInList(installedShortcutList, target));
+ 
+         final List<RestrictedPreference> activityList =
+                 preferenceHelper.createAccessibilityActivityPreferenceList(installedShortcutList);
+-
+         final List<RestrictedPreference> serviceList =
+                 preferenceHelper.createAccessibilityServicePreferenceList(installedServiceList);
+ 
+@@ -428,24 +421,6 @@ private List<RestrictedPreference> getInstalledAccessibilityList(Context context
+         return preferenceList;
+     }
+ 
+-    private boolean containsTargetNameInList(List<AccessibilityShortcutInfo> shortcutInfos,
+-            AccessibilityServiceInfo targetServiceInfo) {
+-        final ServiceInfo serviceInfo = targetServiceInfo.getResolveInfo().serviceInfo;
+-        final String servicePackageName = serviceInfo.packageName;
+-        final CharSequence serviceLabel = serviceInfo.loadLabel(getPackageManager());
+-
+-        for (int i = 0, count = shortcutInfos.size(); i < count; ++i) {
+-            final ActivityInfo activityInfo = shortcutInfos.get(i).getActivityInfo();
+-            final String activityPackageName = activityInfo.packageName;
+-            final CharSequence activityLabel = activityInfo.loadLabel(getPackageManager());
+-            if (servicePackageName.equals(activityPackageName)
+-                    && serviceLabel.equals(activityLabel)) {
+-                return true;
+-            }
+-        }
+-        return false;
+-    }
+-
+     private void initializePreBundledServicesMapFromArray(String categoryKey, int key) {
+         String[] services = getResources().getStringArray(key);
+         PreferenceCategory category = mCategoryToPrefCategoryMap.get(categoryKey);

Patches/LineageOS-18.1/android_packages_apps_Settings/408450.patch

@@ -0,0 +1,33 @@
+From 57ac15dfd212fd91ef2501248ac6fab1ec3f6bc6 Mon Sep 17 00:00:00 2001
+From: Adam Bookatz <bookatz@google.com>
+Date: Mon, 22 Jul 2024 17:03:12 -0700
+Subject: [PATCH] startActivityForResult with new Intent
+
+Rather than use the raw Intent, we make a copy of it. See bug.
+
+Bug: 330722900
+Flag: EXEMPT bugfix
+Test: manual
+Test: atest com.android.settings.users.UserSettingsTest
+            com.android.settings.users.UserDetailsSettingsTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1189e24e47571eae86634aeaa7dc60b8fe7f4820)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fdb148b6efb16af018a39511001b48286f401512)
+Merged-In: Id74e4b7ae261f2916eedaef04a679f83409a4b67
+Change-Id: Id74e4b7ae261f2916eedaef04a679f83409a4b67
+---
+ src/com/android/settings/users/AppRestrictionsFragment.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
+index 51624ca63b4..e9e60fb319e 100644
+--- a/src/com/android/settings/users/AppRestrictionsFragment.java
++++ b/src/com/android/settings/users/AppRestrictionsFragment.java
+@@ -655,7 +655,7 @@ public void onReceive(Context context, Intent intent) {
+                     int requestCode = generateCustomActivityRequestCode(
+                             RestrictionsResultReceiver.this.preference);
+                     AppRestrictionsFragment.this.startActivityForResult(
+-                            restrictionsIntent, requestCode);
++                            new Intent(restrictionsIntent), requestCode);
+                 }
+             }
+         }

Patches/LineageOS-18.1/android_packages_apps_Settings/408451.patch

@@ -0,0 +1,90 @@
+From e02728d51e013033f3cc168e8630d0322ccfd803 Mon Sep 17 00:00:00 2001
+From: Fan Wu <cechkahn@google.com>
+Date: Mon, 22 Jul 2024 16:12:46 +0800
+Subject: [PATCH] [BACKPORT] Checks cross user permission before handling
+ intent
+
+Bug: 326057017
+
+Test: atest
+
+Flag: EXEMPT bug fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3b3edd45167515579ab156533754e56ac813f35)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0f67d233c1cd653c113df5956f1ed29a42e1d32f)
+Merged-In: I3444e55b22b7487f96b0e3e9deb3f844c4c4723a
+Change-Id: I3444e55b22b7487f96b0e3e9deb3f844c4c4723a
+---
+ .../settings/applications/AppInfoBase.java    | 38 ++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/settings/applications/AppInfoBase.java b/src/com/android/settings/applications/AppInfoBase.java
+index 71043400ff8..ef5297acaec 100644
+--- a/src/com/android/settings/applications/AppInfoBase.java
++++ b/src/com/android/settings/applications/AppInfoBase.java
+@@ -18,7 +18,9 @@
+ 
+ import static com.android.settingslib.RestrictedLockUtils.EnforcedAdmin;
+ 
++import android.Manifest;
+ import android.app.Activity;
++import android.app.ActivityManager;
+ import android.app.Dialog;
+ import android.app.admin.DevicePolicyManager;
+ import android.app.settings.SettingsEnums;
+@@ -38,6 +40,7 @@
+ import android.text.TextUtils;
+ import android.util.Log;
+ 
++import androidx.annotation.VisibleForTesting;
+ import androidx.appcompat.app.AlertDialog;
+ import androidx.fragment.app.DialogFragment;
+ import androidx.fragment.app.Fragment;
+@@ -134,8 +137,13 @@ protected String retrieveAppEntry() {
+             }
+         }
+         if (intent != null && intent.hasExtra(Intent.EXTRA_USER_HANDLE)) {
+-            mUserId = ((UserHandle) intent.getParcelableExtra(
+-                    Intent.EXTRA_USER_HANDLE)).getIdentifier();
++            mUserId = ((UserHandle) intent.getParcelableExtra(Intent.EXTRA_USER_HANDLE))
++                    .getIdentifier();
++            if (mUserId != UserHandle.myUserId() && !hasInteractAcrossUsersPerm()) {
++                Log.w(TAG, "Intent not valid.");
++                finish();
++                return "";
++            }
+         } else {
+             mUserId = UserHandle.myUserId();
+         }
+@@ -158,6 +166,32 @@ protected String retrieveAppEntry() {
+         return mPackageName;
+     }
+ 
++    @VisibleForTesting
++    protected boolean hasInteractAcrossUsersPerm() {
++        Activity activity = getActivity();
++        if (activity == null) {
++            return false;
++        }
++        String callingPackageName = null;
++        try {
++            callingPackageName = ActivityManager.getService()
++                .getLaunchedFromPackage(activity.getActivityToken());
++        } catch (Exception e) {
++            return false;
++        }
++        if (TextUtils.isEmpty(callingPackageName)) {
++            Log.w(TAG, "Not able to get calling package name for permission check");
++            return false;
++        }
++        if (mPm.checkPermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL, callingPackageName)
++                != PackageManager.PERMISSION_GRANTED) {
++            Log.w(TAG, "Package " + callingPackageName + " does not have required permission "
++                    + Manifest.permission.INTERACT_ACROSS_USERS_FULL);
++            return false;
++        }
++        return true;
++    }
++
+     protected void setIntentAndFinish(boolean appChanged) {
+         Log.i(TAG, "appChanged=" + appChanged);
+         Intent intent = new Intent();

Patches/LineageOS-18.1/android_packages_providers_MediaProvider/408453.patch

@@ -0,0 +1,39 @@
+From a062609478ba61d2b015ea4eaee550f7c4a31c9f Mon Sep 17 00:00:00 2001
+From: Omar Eissa <oeissa@google.com>
+Date: Tue, 27 Aug 2024 13:24:21 +0000
+Subject: [PATCH] Prevent apps from renaming files they don't own
+
+Malicious apps could rename files in lower file system using
+MediaProvider.update even if they don't have access to such files. They
+weren't able to update the DB of MediaProvider, but by renaming such
+files they could create fake records in MediaProvider DB and then rename
+the file to have the same name as their created record, which would
+allow them to access these files.
+
+IMAGES_MEDIA_ID, AUDIO_MEDIA_ID and VIDEO_MEDIA_ID URIs were already
+guaraded against this vulnerability and the aim of this fix to fix it
+for all other Media URIs.
+
+Bug: 304280682
+Flag: EXEMPT bug fix
+Test: Manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:191ae46fed057cb96f78d8f140f90f0cec50a797)
+Merged-In: I91e9966c012fe292cebc0b544f77032613516fac
+Change-Id: I91e9966c012fe292cebc0b544f77032613516fac
+---
+ src/com/android/providers/media/MediaProvider.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
+index a01ba34c6..c15193414 100644
+--- a/src/com/android/providers/media/MediaProvider.java
++++ b/src/com/android/providers/media/MediaProvider.java
+@@ -5351,6 +5351,8 @@ && getCallingPackageTargetSdkVersion() <= Build.VERSION_CODES.Q) {
+                 case IMAGES_MEDIA_ID:
+                 case DOWNLOADS_ID:
+                 case FILES_ID:
++                    // Check if the caller has the required permissions to do placement
++                    enforceCallingPermission(uri, extras, true);
+                     break;
+                 default:
+                     throw new IllegalArgumentException("Movement of " + uri

Scripts/LineageOS-18.1/Patch.sh

@@ -93,7 +93,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
-sed -i 's/2024-02-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-10
+sed -i 's/2024-02-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-11
 fi;
 
 if enterAndClear "build/soong"; then
@@ -132,6 +132,10 @@ awk -i inplace '!/vendor_ramdisk_available/' Android.bp; #fix compile under A11
 rm -rfv androidtest; #fix compile under A11
 fi;
 
+if enterAndClear "external/skia"; then
+applyPatch "$DOS_PATCHES/android_external_skia/408442.patch"; #R_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter
+fi;
+
 if enterAndClear "external/sonivox"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_sonivox/391896.patch"; #n-asb-2024-05 Fix buffer overrun in eas_wtengine
 fi;
@@ -178,6 +182,12 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/405515.patch"; #R_asb_2024-10 U
 applyPatch "$DOS_PATCHES/android_frameworks_base/405516.patch"; #R_asb_2024-10 Fail parseUri if end is missing
 applyPatch "$DOS_PATCHES/android_frameworks_base/405517.patch"; #R_asb_2024-10 Prevent Sharing when FRP enforcement is in effect
 applyPatch "$DOS_PATCHES/android_frameworks_base/405518.patch"; #R_asb_2024-10 Check whether installerPackageName contains only valid characters
+applyPatch "$DOS_PATCHES/android_frameworks_base/408443.patch"; #R_asb_2024-11 Remove authenticator data if it was disabled.
+applyPatch "$DOS_PATCHES/android_frameworks_base/408444.patch"; #R_asb_2024-11 RingtoneManager: allow video ringtone URI
+applyPatch "$DOS_PATCHES/android_frameworks_base/408445.patch"; #R_asb_2024-11 Set no data transfer on function switch timeout for accessory mode
+applyPatch "$DOS_PATCHES/android_frameworks_base/408446.patch"; #R_asb_2024-11 Disallow device admin package and protected packages to be reinstalled as instant.
+applyPatch "$DOS_PATCHES/android_frameworks_base/408447.patch"; #R_asb_2024-11 Clear app-provided shortcut icons
+applyPatch "$DOS_PATCHES/android_frameworks_base/408448.patch"; #R_asb_2024-11 Restrict access to directories
 git revert --no-edit 438d9feacfcad73d3ee918541574132928a93644; #Reverts "Allow signature spoofing for microG Companion/Services" in favor of below patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
@@ -254,6 +264,7 @@ fi;
 fi;
 
 if enterAndClear "frameworks/opt/net/wifi"; then
+applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/408452.patch"; #R_asb_2024-11 Fix security issue by change the field in WifiConfig
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
 
@@ -379,6 +390,9 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403220.patch"; #R_asb_20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403221.patch"; #R_asb_2024-09 Ignore fragment attr from ext authenticator resource
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403222.patch"; #R_asb_2024-09 Restrict Settings Homepage prior to provisioning
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405534.patch"; #R_asb_2024-10 FRP bypass defense in App battery usage page
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408449.patch"; #R_asb_2024-11 Stops hiding a11y services with the same package+label as an activity.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408450.patch"; #R_asb_2024-11 startActivityForResult with new Intent
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408451.patch"; #R_asb_2024-11 Checks cross user permission before handling intent
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)
@@ -438,6 +452,7 @@ fi;
 
 if enterAndClear "packages/providers/MediaProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/397544.patch"; #R_asb_2024-07 Prevent insertion in other users storage volumes
+applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/408453.patch"; #R_asb_2024-11 Prevent apps from renaming files they don't own
 fi;
 
 if enterAndClear "packages/providers/TelephonyProvider"; then