From a4fbc40b23442d002d4a28fb2114fc468ba1c1e4 Mon Sep 17 00:00:00 2001 From: Tavi Date: Sun, 13 Oct 2024 15:41:31 -0400 Subject: [PATCH] 18.1: October 2024 ASB work Signed-off-by: Tavi --- .../android_frameworks_base/405358.patch | 30 ++ .../android_frameworks_base/405359.patch | 32 ++ .../405360-backport.patch | 39 ++ .../405361-backport.patch | 39 ++ .../android_libcore/405362.patch | 53 +++ .../405364-backport.patch | 84 ++++ .../405363-backport.patch | 50 +++ .../android_system_bt/405364-backport.patch | 361 ++++++++++++++++++ Scripts/LineageOS-18.1/Patch.sh | 9 +- 9 files changed, 696 insertions(+), 1 deletion(-) create mode 100644 Patches/LineageOS-18.1/android_frameworks_base/405358.patch create mode 100644 Patches/LineageOS-18.1/android_frameworks_base/405359.patch create mode 100644 Patches/LineageOS-18.1/android_frameworks_base/405360-backport.patch create mode 100644 Patches/LineageOS-18.1/android_frameworks_base/405361-backport.patch create mode 100644 Patches/LineageOS-18.1/android_libcore/405362.patch create mode 100644 Patches/LineageOS-18.1/android_packages_apps_Bluetooth/405364-backport.patch create mode 100644 Patches/LineageOS-18.1/android_packages_apps_Settings/405363-backport.patch create mode 100644 Patches/LineageOS-18.1/android_system_bt/405364-backport.patch diff --git a/Patches/LineageOS-18.1/android_frameworks_base/405358.patch b/Patches/LineageOS-18.1/android_frameworks_base/405358.patch new file mode 100644 index 00000000..357e22ac --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_base/405358.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: William Loh +Date: Mon, 3 Jun 2024 12:56:47 -0700 +Subject: [PATCH] Fail parseUri if end is missing + +Bug: 318683126 +Test: atest IntentTest +Flag: EXEMPT bugfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77c140c674ec1cec011989f4a2c2666949771370) +Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea +Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea +--- + core/java/android/content/Intent.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java +index 6224758ce71a..ec67c7239df2 100644 +--- a/core/java/android/content/Intent.java ++++ b/core/java/android/content/Intent.java +@@ -7322,6 +7322,9 @@ public class Intent implements Parcelable, Cloneable { + int eq = uri.indexOf('=', i); + if (eq < 0) eq = i-1; + int semi = uri.indexOf(';', i); ++ if (semi < 0) { ++ throw new URISyntaxException(uri, "uri end not found"); ++ } + String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : ""; + + // action diff --git a/Patches/LineageOS-18.1/android_frameworks_base/405359.patch b/Patches/LineageOS-18.1/android_frameworks_base/405359.patch new file mode 100644 index 00000000..06938b45 --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_base/405359.patch @@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Thu, 11 Jul 2024 12:39:22 -0700 +Subject: [PATCH] Update AccountManagerService checkKeyIntent. + +Block intents with "content" data scheme. + +Bug: 349780950 +Test: manual +Flag: EXEMPT bugfix +(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1bcf4f36c171a73990b47136930af1930ccd3ece) +Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c +Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c +--- + .../com/android/server/accounts/AccountManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 43944b050de4..d55be44f62cd 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4895,6 +4895,9 @@ public class AccountManagerService + if (resolveInfo == null) { + return false; + } ++ if ("content".equals(intent.getScheme())) { ++ return false; ++ } + ActivityInfo targetActivityInfo = resolveInfo.activityInfo; + int targetUid = targetActivityInfo.applicationInfo.uid; + PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class); diff --git a/Patches/LineageOS-18.1/android_frameworks_base/405360-backport.patch b/Patches/LineageOS-18.1/android_frameworks_base/405360-backport.patch new file mode 100644 index 00000000..b077f1e3 --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_base/405360-backport.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Mark Renouf +Date: Thu, 20 Jun 2024 16:37:42 -0400 +Subject: [PATCH] Prevent Sharing when FRP enforcement is in effect + +ADB command to trigger sharing: + +``` +adb shell 'am start -a android.intent.action.CHOOSER --eu android.intent.extra.INTENT "intent:#Intent;action=android.intent.action.SEND;type=text/plain;S.android.intent.extra.TEXT=Shared%20text;end"' +``` + +Bug: 327645387 +Test: manual; trigger FRP; attempt to open share sheet using adb +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1c7101154d42f804d52d65643a7e79dfee22295a) +Merged-In: I1db78ab74babe71b516f601be35cf476b5e43271 +Change-Id: I1db78ab74babe71b516f601be35cf476b5e43271 +--- + core/java/com/android/internal/app/ChooserActivity.java | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java +index 9d95a6b346b3..c741029143ec 100644 +--- a/core/java/com/android/internal/app/ChooserActivity.java ++++ b/core/java/com/android/internal/app/ChooserActivity.java +@@ -600,6 +600,14 @@ public class ChooserActivity extends ResolverActivity implements + + @Override + protected void onCreate(Bundle savedInstanceState) { ++ if (Settings.Secure.getIntForUser(getContentResolver(), ++ Settings.Secure.SECURE_FRP_MODE, 0, ++ getUserId()) == 1) { ++ Log.e(TAG, "Sharing disabled due to active FRP lock."); ++ super.onCreate(savedInstanceState); ++ finish(); ++ return; ++ } + final long intentReceivedTime = System.currentTimeMillis(); + getChooserActivityLogger().logSharesheetTriggered(); + // This is the only place this value is being set. Effectively final. diff --git a/Patches/LineageOS-18.1/android_frameworks_base/405361-backport.patch b/Patches/LineageOS-18.1/android_frameworks_base/405361-backport.patch new file mode 100644 index 00000000..a8afe636 --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_base/405361-backport.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sumedh Sen +Date: Wed, 17 Jul 2024 17:42:43 +0000 +Subject: [PATCH] Check whether installerPackageName contains only valid + characters + +Bug: 341256391 +Bug: 307532206 +Test: sts-tradefed run sts-dynamic-develop -m CtsSecurityTestCases -t android.security.cts.CVE_2024_0044 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7aa86be3077b0ffa3de2345788c7c711fcfb4fe7) +Merged-In: I74a172c617d6f5b13f0708092156b657b73b5891 +Change-Id: I74a172c617d6f5b13f0708092156b657b73b5891 +--- + .../com/android/server/pm/PackageInstallerService.java | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java +index 02515cfdc16a..310c56ef1260 100644 +--- a/services/core/java/com/android/server/pm/PackageInstallerService.java ++++ b/services/core/java/com/android/server/pm/PackageInstallerService.java +@@ -609,12 +609,17 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements + params.appLabel = TextUtils.trimToSize(params.appLabel, + PackageItemInfo.MAX_SAFE_LABEL_LENGTH); + +- // Validate installer package name. ++ // Validate requested installer package name. + if (params.installerPackageName != null && !isValidPackageName( + params.installerPackageName)) { + params.installerPackageName = null; + } + ++ // Validate installer package name. ++ if (installerPackageName != null && !isValidPackageName(installerPackageName)) { ++ installerPackageName = null; ++ } ++ + String requestedInstallerPackageName = + params.installerPackageName != null ? params.installerPackageName + : installerPackageName; diff --git a/Patches/LineageOS-18.1/android_libcore/405362.patch b/Patches/LineageOS-18.1/android_libcore/405362.patch new file mode 100644 index 00000000..4118bb1f --- /dev/null +++ b/Patches/LineageOS-18.1/android_libcore/405362.patch @@ -0,0 +1,53 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Almaz Mingaleev +Date: Wed, 10 Jul 2024 13:38:35 +0100 +Subject: [PATCH] Do not accept zip files with invalid headers. + +According to Section 4.3.6 in [1] non-empty zip file starts with +local file header. 4.3.1 allows empty files, and in such case +file starts with "end of central directory record". + +This aligns ZipFile with libziparchive modulo empty zip files - +libziparchive rejects them. + +Tests are skipped because sc-dev branch uses ART module +prebuilts, but builds tests from sources which leads to presubmit +failures. + +Ignore-AOSP-First: b/309938635#comment1 + +[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt + +Bug: 309938635 +Test: CtsLibcoreTestCases +Test: CtsLibcoreOjTestCases +(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5a6809400627ab1c8dbb76f92dfb89daae6b2f65) +Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b +Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b +--- + ojluni/src/main/native/zip_util.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c +index aa9c5cede9..16951a78ed 100644 +--- a/ojluni/src/main/native/zip_util.c ++++ b/ojluni/src/main/native/zip_util.c +@@ -878,6 +878,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified, + zip->locsig = JNI_TRUE; + else + zip->locsig = JNI_FALSE; ++ ++ // BEGIN Android-changed: do not accept files with invalid header. ++ if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) { ++ if (pmsg) { ++ *pmsg = strdup("Entry at offset zero has invalid LFH signature."); ++ } ++ ZFILE_Close(zfd); ++ freeZip(zip); ++ return NULL; ++ } ++ // END Android-changed: do not accept files with invalid header. + } + + // This lseek is safe because it happens during construction of the ZipFile diff --git a/Patches/LineageOS-18.1/android_packages_apps_Bluetooth/405364-backport.patch b/Patches/LineageOS-18.1/android_packages_apps_Bluetooth/405364-backport.patch new file mode 100644 index 00000000..8494df55 --- /dev/null +++ b/Patches/LineageOS-18.1/android_packages_apps_Bluetooth/405364-backport.patch @@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Himanshu Rawat +Date: Mon, 8 Apr 2024 19:44:45 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID + connections 2/2 + +HID profile accepted any new incoming HID connection. Even when the +connection policy disabled HID connection, remote devices could initiate +HID connection. +This change ensures that incoming HID connection are accepted only if +application was interested in that HID connection. +This vulnerarbility no longer exists on the main because of feature +request b/324093729. + +Test: Manual | Pair and connect a HID device, disable HID connection +from Bluetooth device setting, attempt to connect from the HID device. +Bug: 308429049 +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96) +Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777 +Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777 +--- + jni/com_android_bluetooth_hid_host.cpp | 8 +++++--- + src/com/android/bluetooth/hid/HidHostService.java | 7 +++++-- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp +index cab5e3361..22c7dcfe8 100644 +--- a/jni/com_android_bluetooth_hid_host.cpp ++++ b/jni/com_android_bluetooth_hid_host.cpp +@@ -284,7 +284,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object, + } + + static jboolean disconnectHidNative(JNIEnv* env, jobject object, +- jbyteArray address) { ++ jbyteArray address, ++ jboolean reconnect_allowed) { + jbyte* addr; + jboolean ret = JNI_TRUE; + if (!sBluetoothHidInterface) return JNI_FALSE; +@@ -295,7 +296,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object, + return JNI_FALSE; + } + +- bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr); ++ bt_status_t status = ++ sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed); + if (status != BT_STATUS_SUCCESS) { + ALOGE("Failed disconnect hid channel, status: %d", status); + ret = JNI_FALSE; +@@ -511,7 +513,7 @@ static JNINativeMethod sMethods[] = { + {"initializeNative", "()V", (void*)initializeNative}, + {"cleanupNative", "()V", (void*)cleanupNative}, + {"connectHidNative", "([B)Z", (void*)connectHidNative}, +- {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative}, ++ {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative}, + {"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative}, + {"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative}, + {"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative}, +diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java +index 10d414d46..ed35c2908 100644 +--- a/src/com/android/bluetooth/hid/HidHostService.java ++++ b/src/com/android/bluetooth/hid/HidHostService.java +@@ -161,7 +161,10 @@ public class HidHostService extends ProfileService { + break; + case MESSAGE_DISCONNECT: { + BluetoothDevice device = (BluetoothDevice) msg.obj; +- if (!disconnectHidNative(Utils.getByteAddress(device))) { ++ int connectionPolicy = getConnectionPolicy(device); ++ boolean reconnectAllowed = ++ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED; ++ if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) { + broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING); + broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED); + break; +@@ -934,7 +937,7 @@ public class HidHostService extends ProfileService { + + private native boolean connectHidNative(byte[] btAddress); + +- private native boolean disconnectHidNative(byte[] btAddress); ++ private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed); + + private native boolean getProtocolModeNative(byte[] btAddress); + diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/405363-backport.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/405363-backport.patch new file mode 100644 index 00000000..b9f18fbc --- /dev/null +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/405363-backport.patch @@ -0,0 +1,50 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yiling Chuang +Date: Mon, 8 Jul 2024 03:09:50 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage + page + +Before the setup flow completion, don't allow the app info page in App battery usage to be launched. + +Bug: 327748846 +Test: atest SettingsRoboTests + manual test +- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes +Flag : EXEMPT bugfix + +(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5d21702863284479af7561e3c833bc2cab2a7d3) +Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0 +Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0 +--- + .../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++ + .../settings/fuelgauge/AdvancedPowerUsageDetailTest.java | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java +index e8d5f3330f2..4feac32d030 100644 +--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java ++++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java +@@ -311,4 +311,9 @@ public class AdvancedPowerUsageDetail extends DashboardFragment implements + mBackgroundActivityPreferenceController.updateSummary( + findPreference(mBackgroundActivityPreferenceController.getPreferenceKey())); + } ++ ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } + } +diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java +index 8eeac8d26b0..37fa511beeb 100644 +--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java ++++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java +@@ -395,4 +395,9 @@ public class AdvancedPowerUsageDetailTest { + assertThat(mForegroundPreference.getSummary().toString()).isEqualTo("Used for 0 min"); + assertThat(mBackgroundPreference.getSummary().toString()).isEqualTo("Active for 0 min"); + } ++ ++ @Test ++ public void shouldSkipForInitialSUW_returnTrue() { ++ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue(); ++ } + } diff --git a/Patches/LineageOS-18.1/android_system_bt/405364-backport.patch b/Patches/LineageOS-18.1/android_system_bt/405364-backport.patch new file mode 100644 index 00000000..ae1f6af9 --- /dev/null +++ b/Patches/LineageOS-18.1/android_system_bt/405364-backport.patch @@ -0,0 +1,361 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Himanshu Rawat +Date: Mon, 8 Apr 2024 19:42:21 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID + connections 1/2 + +HID profile accepted any new incoming HID connection. Even when the +connection policy disabled HID connection, remote devices could initiate +HID connection. +This change ensures that incoming HID connection are accepted only if +application was interested in that HID connection. +This vulnerarbility no longer exists on the main because of feature +request b/324093729. + +Test: Manual | Pair and connect a HID device, disable HID connection +from Bluetooth device setting, attempt to connect from the HID device. +Bug: 308429049 +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b) +Merged-In: I6e9db983e752dd498625078c13b736cd4c668806 +Change-Id: I6e9db983e752dd498625078c13b736cd4c668806 +--- + btif/include/btif_hh.h | 4 +- + btif/include/btif_storage.h | 23 ++++++++++ + btif/src/btif_hh.cc | 86 ++++++++++++++++++++++++++++++++++--- + btif/src/btif_storage.cc | 52 +++++++++++++++++++++- + include/hardware/bt_hh.h | 2 +- + 5 files changed, 159 insertions(+), 8 deletions(-) + +diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h +index b71d347c1..ba51aec98 100644 +--- a/btif/include/btif_hh.h ++++ b/btif/include/btif_hh.h +@@ -78,6 +78,7 @@ typedef struct { + uint8_t dev_handle; + RawAddress bd_addr; + tBTA_HH_ATTR_MASK attr_mask; ++ bool reconnect_allowed; + } btif_hh_added_device_t; + + /** +@@ -103,7 +104,8 @@ extern btif_hh_cb_t btif_hh_cb; + extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle); + extern void btif_hh_remove_device(RawAddress bd_addr); + extern bool btif_hh_add_added_dev(const RawAddress& bda, +- tBTA_HH_ATTR_MASK attr_mask); ++ tBTA_HH_ATTR_MASK attr_mask, ++ bool reconnect_allowed); + extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr); + extern void btif_hh_disconnect(RawAddress* bd_addr); + extern void btif_hh_setreport(btif_hh_device_t* p_dev, +diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h +index 1c1163d14..362ffdc21 100644 +--- a/btif/include/btif_storage.h ++++ b/btif/include/btif_storage.h +@@ -178,6 +178,29 @@ bt_status_t btif_storage_remove_bonded_device(const RawAddress* remote_bd_addr); + ******************************************************************************/ + bt_status_t btif_storage_load_bonded_devices(void); + ++/******************************************************************************* ++ * ++ * Function btif_storage_set_hid_connection_policy ++ * ++ * Description Stores connection policy info in nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr, ++ bool reconnect_allowed); ++/******************************************************************************* ++ * ++ * Function btif_storage_get_hid_connection_policy ++ * ++ * Description get connection policy info from nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr, ++ bool* reconnect_allowed); ++ + /******************************************************************************* + * + * Function btif_storage_add_hid_device_info +diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc +index 97479e040..41636d368 100644 +--- a/btif/src/btif_hh.cc ++++ b/btif/src/btif_hh.cc +@@ -334,6 +334,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) { + return NULL; + } + ++/******************************************************************************* ++ * ++ * Function btif_hh_find_added_dev ++ * ++ * Description Return the added device pointer of the specified address ++ * ++ * Returns Added device entry ++ ******************************************************************************/ ++btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) { ++ for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) { ++ btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i]; ++ if (added_dev->bd_addr == addr) { ++ return added_dev; ++ } ++ } ++ return nullptr; ++} ++ + /******************************************************************************* + * + * Function btif_hh_find_dev_by_bda +@@ -419,7 +437,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) { + * + * Returns true if add successfully, otherwise false. + ******************************************************************************/ +-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) { ++bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask, ++ bool reconnect_allowed) { + int i; + for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) { + if (btif_hh_cb.added_devices[i].bd_addr == bda) { +@@ -433,6 +452,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) { + btif_hh_cb.added_devices[i].bd_addr = bda; + btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE; + btif_hh_cb.added_devices[i].attr_mask = attr_mask; ++ btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed; + return true; + } + } +@@ -712,6 +732,23 @@ void btif_hh_getreport(btif_hh_device_t* p_dev, bthh_report_type_t r_type, + * + ****************************************************************************/ + ++static bool btif_hh_connection_allowed(const RawAddress& bda) { ++ /* Accept connection only if reconnection is allowed for the known device, or ++ * outgoing connection was requested */ ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda); ++ if (added_dev != nullptr && added_dev->reconnect_allowed) { ++ LOG_VERBOSE("Connection allowed %s", PRIVATE_ADDRESS(bda)); ++ return true; ++ } else if (btif_hh_cb.pending_conn_address == bda) { ++ LOG_VERBOSE("Device connection was pending for: %s, status: %s", ++ PRIVATE_ADDRESS(bda), ++ btif_hh_status_text(btif_hh_cb.status).c_str()); ++ return true; ++ } ++ ++ return false; ++} ++ + /******************************************************************************* + * + * Function btif_hh_upstreams_evt +@@ -770,9 +807,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->status); + break; + +- case BTA_HH_OPEN_EVT: ++ case BTA_HH_OPEN_EVT: { + BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__, + p_data->conn.handle, p_data->conn.status); ++ ++ if (!btif_hh_connection_allowed(p_data->conn.bda)) { ++ LOG_WARN("Reject Incoming HID Connection, device: %s", ++ PRIVATE_ADDRESS(p_data->conn.bda)); ++ btif_hh_device_t* p_dev = ++ btif_hh_find_connected_dev_by_handle(p_data->conn.handle); ++ if (p_dev != nullptr) { ++ p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED; ++ } ++ ++ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED; ++ BTA_HhClose(p_data->conn.handle); ++ HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda, ++ BTHH_CONN_STATE_DISCONNECTED); ++ return; ++ } ++ + btif_hh_cb.pending_conn_address = RawAddress::kEmpty; + if (p_data->conn.status == BTA_HH_OK) { + p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle); +@@ -831,6 +885,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED; + } + break; ++ } + + case BTA_HH_CLOSE_EVT: + BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d", +@@ -983,7 +1038,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->dscp_info.version, + p_data->dscp_info.ctry_code, len, + p_data->dscp_info.descriptor.dsc_list); +- if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) { ++ if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) { + tBTA_HH_DEV_DSCP_INFO dscp_info; + bt_status_t ret; + btif_hh_copy_hid_info(&dscp_info, &p_data->dscp_info); +@@ -999,6 +1054,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->dscp_info.ssr_min_tout, len, + p_data->dscp_info.descriptor.dsc_list); + ++ btif_storage_set_hid_connection_policy(p_dev->bd_addr, true); ++ + ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret); + BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device"); + +@@ -1280,6 +1337,13 @@ static bt_status_t init(bthh_callbacks_t* callbacks) { + ******************************************************************************/ + static bt_status_t connect(RawAddress* bd_addr) { + if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) { ++ /* If the device was already added, ensure that reconnections are allowed */ ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr); ++ if (added_dev != nullptr && !added_dev->reconnect_allowed) { ++ added_dev->reconnect_allowed = true; ++ btif_storage_set_hid_connection_policy(*bd_addr, true); ++ } ++ + btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT, + (char*)bd_addr, sizeof(RawAddress), NULL); + return BT_STATUS_SUCCESS; +@@ -1296,7 +1360,7 @@ static bt_status_t connect(RawAddress* bd_addr) { + * Returns bt_status_t + * + ******************************************************************************/ +-static bt_status_t disconnect(RawAddress* bd_addr) { ++static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) { + CHECK_BTHH_INIT(); + BTIF_TRACE_EVENT("BTHH: %s", __func__); + btif_hh_device_t* p_dev; +@@ -1306,6 +1370,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) { + btif_hh_cb.status); + return BT_STATUS_FAIL; + } ++ ++ if (!reconnect_allowed) { ++ LOG_INFO("Incoming reconnections disabled for device %s", ++ PRIVATE_ADDRESS((*bd_addr))); ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr); ++ if (added_dev != nullptr && added_dev->reconnect_allowed) { ++ added_dev->reconnect_allowed = false; ++ btif_storage_set_hid_connection_policy(added_dev->bd_addr, false); ++ } ++ } ++ + p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr); + if (p_dev != NULL) { + return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT, +@@ -1437,9 +1512,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) { + (uint8_t*)osi_malloc(dscp_info.descriptor.dl_len); + memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len); + +- if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) { ++ if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) { + BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class, + hid_info.app_id, dscp_info); ++ btif_storage_set_hid_connection_policy(*bd_addr, true); + } + + osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list); +diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc +index 95e4ef071..c8205da09 100644 +--- a/btif/src/btif_storage.cc ++++ b/btif/src/btif_storage.cc +@@ -83,6 +83,8 @@ using bluetooth::Uuid; + #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE" + #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout" + ++#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed" ++ + /* This is a local property to add a device found */ + #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF + +@@ -1323,6 +1325,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr, + btif_config_get_int(remote_bd_addr->ToString(), "AddrType", addr_type); + return ret ? BT_STATUS_SUCCESS : BT_STATUS_FAIL; + } ++ ++/******************************************************************************* ++ * ++ * Function btif_storage_set_hid_connection_policy ++ * ++ * Description Stores connection policy info in nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr, ++ bool reconnect_allowed) { ++ std::string bdstr = addr.ToString(); ++ ++ if (btif_config_set_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, ++ reconnect_allowed)) { ++ return BT_STATUS_SUCCESS; ++ } else { ++ return BT_STATUS_FAIL; ++ } ++} ++ ++/******************************************************************************* ++ * ++ * Function btif_storage_get_hid_connection_policy ++ * ++ * Description get connection policy info from nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr, ++ bool* reconnect_allowed) { ++ std::string bdstr = addr.ToString(); ++ ++ // For backward compatibility, assume that the reconnection is allowed in the ++ // absence of the key ++ int value = 1; ++ btif_config_get_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value); ++ *reconnect_allowed = (value != 0); ++ ++ return BT_STATUS_SUCCESS; ++} ++ + /******************************************************************************* + * + * Function btif_storage_add_hid_device_info +@@ -1425,8 +1471,11 @@ bt_status_t btif_storage_load_bonded_hid_info(void) { + + RawAddress bd_addr; + RawAddress::FromString(name, bd_addr); ++ ++ bool reconnect_allowed = false; ++ btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed); + // add extracted information to BTA HH +- if (btif_hh_add_added_dev(bd_addr, attr_mask)) { ++ if (btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) { + BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info); + } + } +@@ -1458,6 +1507,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) { + btif_config_remove(bdstr, "HidSSRMaxLatency"); + btif_config_remove(bdstr, "HidSSRMinTimeout"); + btif_config_remove(bdstr, "HidDescriptor"); ++ btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED); + btif_config_save(); + return BT_STATUS_SUCCESS; + } +diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h +index b87b129bb..923c62792 100644 +--- a/include/hardware/bt_hh.h ++++ b/include/hardware/bt_hh.h +@@ -154,7 +154,7 @@ typedef struct { + bt_status_t (*connect)(RawAddress* bd_addr); + + /** dis-connect from hid device */ +- bt_status_t (*disconnect)(RawAddress* bd_addr); ++ bt_status_t (*disconnect)(RawAddress* bd_addr, bool reconnect_allowed); + + /** Virtual UnPlug (VUP) the specified HID device */ + bt_status_t (*virtual_unplug)(RawAddress* bd_addr); diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh index 0f194b46..f8ba4dc8 100644 --- a/Scripts/LineageOS-18.1/Patch.sh +++ b/Scripts/LineageOS-18.1/Patch.sh @@ -93,7 +93,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) -sed -i 's/2024-02-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-09 +sed -i 's/2024-02-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-10 fi; if enterAndClear "build/soong"; then @@ -174,6 +174,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/399738.patch"; #R_asb_2024-08 B applyPatch "$DOS_PATCHES/android_frameworks_base/399739.patch"; #R_asb_2024-08 Restrict USB poups while setup is in progress applyPatch "$DOS_PATCHES/android_frameworks_base/399740.patch"; #R_asb_2024-08 Hide SAW subwindows applyPatch "$DOS_PATCHES/android_frameworks_base/403218.patch"; #R_asb_2024-09 Sanitized uri scheme by removing scheme delimiter +applyPatch "$DOS_PATCHES/android_frameworks_base/405358.patch"; #T_asb_2024-10 Fail parseUri if end is missing +applyPatch "$DOS_PATCHES/android_frameworks_base/405359.patch"; #T_asb_2024-10 Update AccountManagerService checkKeyIntent. +applyPatch "$DOS_PATCHES/android_frameworks_base/405360-backport.patch"; #T_asb_2024-10 Prevent Sharing when FRP enforcement is in effect +applyPatch "$DOS_PATCHES/android_frameworks_base/405361-backport.patch"; #T_asb_2024-10 Check whether installerPackageName contains only valid characters git revert --no-edit 438d9feacfcad73d3ee918541574132928a93644; #Reverts "Allow signature spoofing for microG Companion/Services" in favor of below patch applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) @@ -307,6 +311,7 @@ applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch"; fi; if enterAndClear "libcore"; then +applyPatch "$DOS_PATCHES/android_libcore/405362.patch"; #T_asb_2024-10 Do not accept zip files with invalid headers. applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS) @@ -319,6 +324,7 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud fi; if enterAndClear "packages/apps/Bluetooth"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/405364-backport.patch"; #T_asb_2024-10 Disallow unexpected incoming HID connections applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -372,6 +378,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403219.patch"; #R_asb_20 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403220.patch"; #R_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage() applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403221.patch"; #R_asb_2024-09 Ignore fragment attr from ext authenticator resource applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403222.patch"; #R_asb_2024-09 Restrict Settings Homepage prior to provisioning +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405363-backport.patch"; #T_asb_2024-10 FRP bypass defense in App battery usage page #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)