17.1 April ASB work

Signed-off-by: Tad <tad@spotco.us>
2024-06-25 22:22:19 +00:00 · 2023-04-28 14:42:05 -04:00 · 2023-04-28 14:42:05 -04:00 · ab4eceb830
commit ab4eceb830
parent 18f72663e8
22 changed files with 1603 additions and 6 deletions
--- a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch
@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission.
 1 file changed, 1 insertion(+), 6 deletions(-)

 diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
-index bb78408617b8..9148a09271f4 100644
+index efbccb3b8f94..8d0498c0ca7f 100644
 --- a/services/core/java/com/android/server/am/ActivityManagerService.java
 +++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -4981,12 +4981,7 @@ public class ActivityManagerService extends IActivityManager.Stub
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch
@ -11,10 +11,10 @@ need to be granted by default for all apps to maintain compatibility.
 2 files changed, 20 insertions(+), 6 deletions(-)

 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
-index 1bd1396c6d45..a3e1b685a3be 100644
+index ef97d61d26d7..6592c574c027 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
-@@ -20185,7 +20185,8 @@ public class PackageManagerService extends IPackageManager.Stub
+@@ -20191,7 +20191,8 @@ public class PackageManagerService extends IPackageManager.Stub
             }
 
             // If this permission was granted by default, make sure it is.
--- a/Patches/LineageOS-17.1/android_frameworks_base/353944.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353944.patch
@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jing Ji <jji@google.com>
+Date: Thu, 4 Aug 2022 11:36:26 -0700
+Subject: [PATCH] DO NOT MERGE: Context#startInstrumentation could be started
+ from SHELL only now.
+
+Or, if an instrumentation starts another instrumentation and so on,
+and the original instrumentation is started from SHELL, allow all
+Context#startInstrumentation calls in this chain.
+
+Otherwise, it'll throw a SecurityException.
+
+Bug: 237766679
+Test: atest CtsAppTestCases:InstrumentationTest
+Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c
+Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c
+Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892
+Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
+(cherry picked from commit 8c90891a38ecb5047e115e13baf700a8b486a5d1)
+Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
+---
+ .../server/am/ActivityManagerService.java     | 34 +++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index bb78408617b8..efbccb3b8f94 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -15761,6 +15761,17 @@ public class ActivityManagerService extends IActivityManager.Stub
+                 reportStartInstrumentationFailureLocked(watcher, className, msg);
+                 throw new SecurityException(msg);
+             }
+            if (!Build.IS_DEBUGGABLE && callingUid != ROOT_UID && callingUid != SHELL_UID
+                    && callingUid != SYSTEM_UID && !hasActiveInstrumentationLocked(callingPid)) {
+                // If it's not debug build and not called from root/shell/system uid, reject it.
+                final String msg = "Permission Denial: instrumentation test "
+                        + className + " from pid=" + callingPid + ", uid=" + callingUid
+                        + ", pkgName=" + getPackageNameByPid(callingPid)
+                        + " not allowed because it's not started from SHELL";
+                Slog.wtfQuiet(TAG, msg);
+                reportStartInstrumentationFailureLocked(watcher, className, msg);
+                throw new SecurityException(msg);
+            }
+ 
+             ActiveInstrumentation activeInstr = new ActiveInstrumentation(this);
+             activeInstr.mClass = className;
+@@ -15817,6 +15828,29 @@ public class ActivityManagerService extends IActivityManager.Stub
+         return true;
+     }
+ 
+    @GuardedBy("this")
+    private boolean hasActiveInstrumentationLocked(int pid) {
+        if (pid == 0) {
+            return false;
+        }
+        synchronized (mPidsSelfLocked) {
+            ProcessRecord process = mPidsSelfLocked.get(pid);
+            return process != null && process.getActiveInstrumentation() != null;
+        }
+    }
+
+    private String getPackageNameByPid(int pid) {
+        synchronized (mPidsSelfLocked) {
+            final ProcessRecord app = mPidsSelfLocked.get(pid);
+
+            if (app != null && app.info != null) {
+                return app.info.packageName;
+            }
+
+            return null;
+        }
+    }
+
+     private boolean isCallerShell() {
+         final int callingUid = Binder.getCallingUid();
+         return callingUid == SHELL_UID || callingUid == ROOT_UID;
--- a/Patches/LineageOS-17.1/android_frameworks_base/353945.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353945.patch
@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra <malhk@google.com>
+Date: Mon, 7 Nov 2022 23:33:55 +0000
+Subject: [PATCH] Checking if package belongs to UID before registering
+ broadcast receiver
+
+Test: manual testing done on device by installing test APK and checking if receiver can register
+Bug: 242040055
+Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0)
+(cherry picked from commit 4f0dc37b896e06086391e71ce471e413215e1130)
+Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+---
+ services/core/java/com/android/server/am/ActiveServices.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
+index 84702ddfe231..c6d94eb3b408 100644
+--- a/services/core/java/com/android/server/am/ActiveServices.java
+++ b/services/core/java/com/android/server/am/ActiveServices.java
+@@ -2186,6 +2186,11 @@ public final class ActiveServices {
+                             throw new SecurityException("BIND_EXTERNAL_SERVICE failed, "
+                                     + className + " is not an isolatedProcess");
+                         }
+                        if (AppGlobals.getPackageManager().getPackageUid(callingPackage,
+                                0, userId) != callingUid) {
+                            throw new SecurityException("BIND_EXTERNAL_SERVICE failed, "
+                                    + "calling package not owned by calling UID ");
+                        }
+                         // Run the service under the calling package's application.
+                         ApplicationInfo aInfo = AppGlobals.getPackageManager().getApplicationInfo(
+                                 callingPackage, ActivityManagerService.STOCK_PM_FLAGS, userId);
--- a/Patches/LineageOS-17.1/android_frameworks_base/353946.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353946.patch
@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hao Ke <haok@google.com>
+Date: Mon, 12 Dec 2022 15:49:16 +0000
+Subject: [PATCH] Fix checkKeyIntentParceledCorrectly's bypass
+
+The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly  only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call.
+
+This CL did the following:
+
+- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null.
+
+Bug: 260567867
+Bug: 262230405
+Test: local test, see b/262230405
+Test: atest CtsAccountManagerTestCases
+Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
+Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477
+(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981)
+Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
+---
+ .../server/accounts/AccountManagerService.java    | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 58978a55a32a..b4edf94927b2 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3434,8 +3434,7 @@ public class AccountManagerService
+             Bundle.setDefusable(result, true);
+             mNumResults++;
+             Intent intent = null;
+-            if (result != null
+-                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+            if (result != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+                         result)) {
+@@ -4800,8 +4799,10 @@ public class AccountManagerService
+             	EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
+                 return false;
+             }
+-
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+            if (intent == null) {
+                return true;
+            }
+             // Explicitly set an empty ClipData to ensure that we don't offer to
+             // promote any Uris contained inside for granting purposes
+             if (intent.getClipData() == null) {
+@@ -4854,7 +4855,10 @@ public class AccountManagerService
+             p.recycle();
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+             Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+-            return (intent.filterEquals(simulateIntent));
+            if (intent == null) {
+                return (simulateIntent == null);
+            }
+            return intent.filterEquals(simulateIntent);
+         }
+ 
+         private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
+@@ -4999,8 +5003,7 @@ public class AccountManagerService
+                     }
+                 }
+             }
+-            if (result != null
+-                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+            if (result != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+                         result)) {
--- a/Patches/LineageOS-17.1/android_frameworks_base/353947.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353947.patch
@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Winson Chiu <chiuwinson@google.com>
+Date: Fri, 6 Jan 2023 21:26:24 +0000
+Subject: [PATCH] Encode Intent scheme when serializing to URI string RESTRICT
+ AUTOMERGE
+
+Avoids deserialization error when the scheme contains a
+reserved character.
+
+Bug: 261858325
+
+Test: atest android.content.cts.IntentTest#testEncoding
+
+Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+(cherry picked from commit 43437b4ee6424933d4e403f0375ef8c1f07986f4)
+Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+---
+ core/java/android/content/Intent.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index d7898776965e..72e0fa615b09 100644
+--- a/core/java/android/content/Intent.java
+++ b/core/java/android/content/Intent.java
+@@ -10393,7 +10393,7 @@ public class Intent implements Parcelable, Cloneable {
+     private void toUriInner(StringBuilder uri, String scheme, String defAction,
+             String defPackage, int flags) {
+         if (scheme != null) {
+-            uri.append("scheme=").append(scheme).append(';');
+            uri.append("scheme=").append(Uri.encode(scheme)).append(';');
+         }
+         if (mAction != null && !mAction.equals(defAction)) {
+             uri.append("action=").append(Uri.encode(mAction)).append(';');
--- a/Patches/LineageOS-17.1/android_frameworks_base/353948-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353948-backport.patch
@ -0,0 +1,430 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christophe Pinelli <cpinelli@google.com>
+Date: Tue, 27 Dec 2022 20:29:33 +0000
+Subject: [PATCH] Backport BAL restrictions from S to R, this blocks apps from
+ using Alarm Manager to bypass BAL restrictions.
+
+Test: atest BackgroundActivityLaunchTest
+Bug: 195756028
+Change-Id: Ifa3f79bc74c10d0ac8322079f2e6e3e0ba476b0f
+(cherry picked from commit 1d737c2fbdc71570bbcaca0f44da4ee132fa545f)
+Merged-In: Ifa3f79bc74c10d0ac8322079f2e6e3e0ba476b0f
+---
+ core/java/android/app/ActivityOptions.java    | 10 +--
+ core/java/android/app/BroadcastOptions.java   | 25 +++++-
+ core/java/android/app/ComponentOptions.java   | 84 +++++++++++++++++++
+ .../android/server/AlarmManagerService.java   | 21 ++++-
+ .../server/am/PendingIntentRecord.java        | 23 ++++-
+ .../android/server/wm/ActivityStarter.java    | 22 +++--
+ .../server/wm/ActivityTaskManagerService.java |  2 +-
+ .../com/android/server/wm/AppTaskImpl.java    |  2 +-
+ 8 files changed, 169 insertions(+), 20 deletions(-)
+ create mode 100644 core/java/android/app/ComponentOptions.java
+
+diff --git a/core/java/android/app/ActivityOptions.java b/core/java/android/app/ActivityOptions.java
+index 926044bffdd0..36ab62aedc09 100644
+--- a/core/java/android/app/ActivityOptions.java
+++ b/core/java/android/app/ActivityOptions.java
+@@ -59,7 +59,7 @@ import java.util.ArrayList;
+  * {@link android.content.Context#startActivity(android.content.Intent, android.os.Bundle)
+  * Context.startActivity(Intent, Bundle)} and related methods.
+  */
+-public class ActivityOptions {
+public class ActivityOptions extends ComponentOptions {
+     private static final String TAG = "ActivityOptions";
+ 
+     /**
+@@ -881,13 +881,12 @@ public class ActivityOptions {
+     }
+ 
+     private ActivityOptions() {
+        super();
+     }
+ 
+     /** @hide */
+     public ActivityOptions(Bundle opts) {
+-        // If the remote side sent us bad parcelables, they won't get the
+-        // results they want, which is their loss.
+-        opts.setDefusable(true);
+        super(opts);
+ 
+         mPackageName = opts.getString(KEY_PACKAGE_NAME);
+         try {
+@@ -1439,8 +1438,9 @@ public class ActivityOptions {
+      * object; you must not modify it, but can supply it to the startActivity
+      * methods that take an options Bundle.
+      */
+    @Override
+     public Bundle toBundle() {
+-        Bundle b = new Bundle();
+        Bundle b = super.toBundle();
+         if (mPackageName != null) {
+             b.putString(KEY_PACKAGE_NAME, mPackageName);
+         }
+diff --git a/core/java/android/app/BroadcastOptions.java b/core/java/android/app/BroadcastOptions.java
+index 161e2ad06ec0..8947fb44b07b 100644
+--- a/core/java/android/app/BroadcastOptions.java
+++ b/core/java/android/app/BroadcastOptions.java
+@@ -28,7 +28,7 @@ import android.os.Bundle;
+  * {@hide}
+  */
+ @SystemApi
+-public class BroadcastOptions {
+public class BroadcastOptions extends ComponentOptions {
+     private long mTemporaryAppWhitelistDuration;
+     private int mMinManifestReceiverApiLevel = 0;
+     private int mMaxManifestReceiverApiLevel = Build.VERSION_CODES.CUR_DEVELOPMENT;
+@@ -72,10 +72,12 @@ public class BroadcastOptions {
+     }
+ 
+     private BroadcastOptions() {
+        super();
+     }
+ 
+     /** @hide */
+     public BroadcastOptions(Bundle opts) {
+        super(opts);
+         mTemporaryAppWhitelistDuration = opts.getLong(KEY_TEMPORARY_APP_WHITELIST_DURATION);
+         mMinManifestReceiverApiLevel = opts.getInt(KEY_MIN_MANIFEST_RECEIVER_API_LEVEL, 0);
+         mMaxManifestReceiverApiLevel = opts.getInt(KEY_MAX_MANIFEST_RECEIVER_API_LEVEL,
+@@ -173,6 +175,24 @@ public class BroadcastOptions {
+         return mAllowBackgroundActivityStarts;
+     }
+ 
+    /**
+     * Set PendingIntent activity is allowed to be started in the background if the caller
+     * can start background activities.
+     * @hide
+     */
+    public void setPendingIntentBackgroundActivityLaunchAllowed(boolean allowed) {
+        super.setPendingIntentBackgroundActivityLaunchAllowed(allowed);
+    }
+
+    /**
+     * Get PendingIntent activity is allowed to be started in the background if the caller
+     * can start background activities.
+     * @hide
+     */
+    public boolean isPendingIntentBackgroundActivityLaunchAllowed() {
+        return super.isPendingIntentBackgroundActivityLaunchAllowed();
+    }
+
+     /**
+      * Returns the created options as a Bundle, which can be passed to
+      * {@link android.content.Context#sendBroadcast(android.content.Intent)
+@@ -181,8 +201,9 @@ public class BroadcastOptions {
+      * object; you must not modify it, but can supply it to the sendBroadcast
+      * methods that take an options Bundle.
+      */
+    @Override
+     public Bundle toBundle() {
+-        Bundle b = new Bundle();
+        Bundle b = super.toBundle();
+         if (mTemporaryAppWhitelistDuration > 0) {
+             b.putLong(KEY_TEMPORARY_APP_WHITELIST_DURATION, mTemporaryAppWhitelistDuration);
+         }
+diff --git a/core/java/android/app/ComponentOptions.java b/core/java/android/app/ComponentOptions.java
+new file mode 100644
+index 000000000000..34ee9138a364
+--- /dev/null
+++ b/core/java/android/app/ComponentOptions.java
+@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.app;
+
+import android.os.Bundle;
+
+/**
+ * @hide
+ */
+public class ComponentOptions {
+
+    /**
+     * Default value for KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED.
+     * @hide
+     **/
+    public static final boolean PENDING_INTENT_BAL_ALLOWED_DEFAULT = true;
+
+    /**
+     * PendingIntent caller allows activity start even if PendingIntent creator is in background.
+     * This only works if the PendingIntent caller is allowed to start background activities,
+     * for example if it's in the foreground, or has BAL permission.
+     * @hide
+     */
+    public static final String KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED =
+            "android.pendingIntent.backgroundActivityAllowed";
+
+    private boolean mPendingIntentBalAllowed = PENDING_INTENT_BAL_ALLOWED_DEFAULT;
+
+    ComponentOptions() {
+    }
+
+    ComponentOptions(Bundle opts) {
+        // If the remote side sent us bad parcelables, they won't get the
+        // results they want, which is their loss.
+        opts.setDefusable(true);
+        setPendingIntentBackgroundActivityLaunchAllowed(
+                opts.getBoolean(KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED,
+                        PENDING_INTENT_BAL_ALLOWED_DEFAULT));
+    }
+
+    /**
+     * Set PendingIntent activity is allowed to be started in the background if the caller
+     * can start background activities.
+     *
+     * @hide
+     */
+    public void setPendingIntentBackgroundActivityLaunchAllowed(boolean allowed) {
+        mPendingIntentBalAllowed = allowed;
+    }
+
+    /**
+     * Get PendingIntent activity is allowed to be started in the background if the caller
+     * can start background activities.
+     *
+     * @hide
+     */
+    public boolean isPendingIntentBackgroundActivityLaunchAllowed() {
+        return mPendingIntentBalAllowed;
+    }
+
+    /**
+     * @hide
+     */
+    public Bundle toBundle() {
+        Bundle bundle = new Bundle();
+        bundle.putBoolean(KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED,
+                mPendingIntentBalAllowed);
+        return bundle;
+    }
+}
+diff --git a/services/core/java/com/android/server/AlarmManagerService.java b/services/core/java/com/android/server/AlarmManagerService.java
+index a65603cb4020..d82b435b4612 100644
+--- a/services/core/java/com/android/server/AlarmManagerService.java
+++ b/services/core/java/com/android/server/AlarmManagerService.java
+@@ -26,6 +26,7 @@ import static android.app.AlarmManager.RTC_WAKEUP;
+ import android.annotation.UserIdInt;
+ import android.app.Activity;
+ import android.app.ActivityManager;
+import android.app.ActivityOptions;
+ import android.app.AlarmManager;
+ import android.app.AppOpsManager;
+ import android.app.BroadcastOptions;
+@@ -272,6 +273,8 @@ class AlarmManagerService extends SystemService {
+      * Broadcast options to use for FLAG_ALLOW_WHILE_IDLE.
+      */
+     Bundle mIdleOptions;
+    ActivityOptions mActivityOptsRestrictBal = ActivityOptions.makeBasic();
+    BroadcastOptions mBroadcastOptsRestrictBal = BroadcastOptions.makeBasic();
+ 
+     private final SparseArray<AlarmManager.AlarmClockInfo> mNextAlarmClockForUser =
+             new SparseArray<>();
+@@ -497,6 +500,7 @@ class AlarmManagerService extends SystemService {
+                 mLastAllowWhileIdleWhitelistDuration = ALLOW_WHILE_IDLE_WHITELIST_DURATION;
+                 BroadcastOptions opts = BroadcastOptions.makeBasic();
+                 opts.setTemporaryAppWhitelistDuration(ALLOW_WHILE_IDLE_WHITELIST_DURATION);
+                opts.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                 mIdleOptions = opts.toBundle();
+             }
+         }
+@@ -1495,6 +1499,8 @@ class AlarmManagerService extends SystemService {
+     @Override
+     public void onStart() {
+         mInjector.init();
+        mActivityOptsRestrictBal.setPendingIntentBackgroundActivityLaunchAllowed(false);
+        mBroadcastOptsRestrictBal.setPendingIntentBackgroundActivityLaunchAllowed(false);
+ 
+         synchronized (mLock) {
+             mHandler = new AlarmHandler();
+@@ -4143,6 +4149,13 @@ class AlarmManagerService extends SystemService {
+         return alarm.creatorUid;
+     }
+ 
+    private Bundle getAlarmOperationBundle(Alarm alarm) {
+        if (alarm.operation.isActivity()) {
+            return mActivityOptsRestrictBal.toBundle();
+        }
+        return mBroadcastOptsRestrictBal.toBundle();
+    }
+
+     @VisibleForTesting
+     class AlarmHandler extends Handler {
+         public static final int ALARM_EVENT = 1;
+@@ -4181,7 +4194,11 @@ class AlarmManagerService extends SystemService {
+                     for (int i=0; i<triggerList.size(); i++) {
+                         Alarm alarm = triggerList.get(i);
+                         try {
+-                            alarm.operation.send();
+                            // Disallow AlarmManager to start random background activity.
+                            final Bundle bundle = getAlarmOperationBundle(alarm);
+                            alarm.operation.send(/* context */ null, /* code */0, /* intent */
+                                    null, /* onFinished */null, /* handler */
+                                    null, /* requiredPermission */ null, bundle);
+                         } catch (PendingIntent.CanceledException e) {
+                             if (alarm.repeatInterval > 0) {
+                                 // This IntentSender is no longer valid, but this
+@@ -4696,7 +4713,7 @@ class AlarmManagerService extends SystemService {
+                                 mBackgroundIntent.putExtra(
+                                         Intent.EXTRA_ALARM_COUNT, alarm.count),
+                                 mDeliveryTracker, mHandler, null,
+-                                allowWhileIdle ? mIdleOptions : null);
+                                allowWhileIdle ? mIdleOptions : getAlarmOperationBundle(alarm));
+                     } catch (PendingIntent.CanceledException e) {
+                         if (alarm.repeatInterval > 0) {
+                             // This IntentSender is no longer valid, but this
+diff --git a/services/core/java/com/android/server/am/PendingIntentRecord.java b/services/core/java/com/android/server/am/PendingIntentRecord.java
+index 54504c3c1e24..20d87e6882ac 100644
+--- a/services/core/java/com/android/server/am/PendingIntentRecord.java
+++ b/services/core/java/com/android/server/am/PendingIntentRecord.java
+@@ -20,6 +20,7 @@ import static android.app.ActivityManager.START_SUCCESS;
+ import static com.android.server.am.ActivityManagerDebugConfig.TAG_AM;
+ import static com.android.server.am.ActivityManagerDebugConfig.TAG_WITH_CLASS_NAME;
+ 
+import android.annotation.Nullable;
+ import android.app.ActivityManager;
+ import android.app.ActivityOptions;
+ import android.content.IIntentSender;
+@@ -277,6 +278,25 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
+                 requiredPermission, null, null, 0, 0, 0, options);
+     }
+ 
+    /**
+     * Return true if the activity options allows PendingIntent to use caller's BAL permission.
+     */
+    public static boolean isPendingIntentBalAllowedByCaller(
+            @Nullable ActivityOptions activityOptions) {
+        if (activityOptions == null) {
+            return ActivityOptions.PENDING_INTENT_BAL_ALLOWED_DEFAULT;
+        }
+        return isPendingIntentBalAllowedByCaller(activityOptions.toBundle());
+    }
+
+    private static boolean isPendingIntentBalAllowedByCaller(@Nullable Bundle options) {
+        if (options == null) {
+            return ActivityOptions.PENDING_INTENT_BAL_ALLOWED_DEFAULT;
+        }
+        return options.getBoolean(ActivityOptions.KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED,
+                ActivityOptions.PENDING_INTENT_BAL_ALLOWED_DEFAULT);
+    }
+
+     public int sendInner(int code, Intent intent, String resolvedType, IBinder whitelistToken,
+             IIntentReceiver finishedReceiver, String requiredPermission, IBinder resultTo,
+             String resultWho, int requestCode, int flagsMask, int flagsValues, Bundle options) {
+@@ -389,7 +409,8 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
+             // temporarily allow receivers and services to open activities from background if the
+             // PendingIntent.send() caller was foreground at the time of sendInner() call
+             final boolean allowTrampoline = uid != callingUid
+-                    && controller.mAtmInternal.isUidForeground(callingUid);
+                    && controller.mAtmInternal.isUidForeground(callingUid)
+                    && isPendingIntentBalAllowedByCaller(options);
+ 
+             // note: we on purpose don't pass in the information about the PendingIntent's creator,
+             // like pid or ProcessRecord, to the ActivityTaskManagerInternal calls below, because
+diff --git a/services/core/java/com/android/server/wm/ActivityStarter.java b/services/core/java/com/android/server/wm/ActivityStarter.java
+index f37698de34d5..44fef5427cc3 100644
+--- a/services/core/java/com/android/server/wm/ActivityStarter.java
+++ b/services/core/java/com/android/server/wm/ActivityStarter.java
+@@ -767,6 +767,10 @@ class ActivityStarter {
+         abort |= !mService.getPermissionPolicyInternal().checkStartActivity(intent, callingUid,
+                 callingPackage);
+ 
+        // Merge the two options bundles, while realCallerOptions takes precedence.
+        ActivityOptions checkedOptions = options != null
+                ? options.getOptions(intent, aInfo, callerApp, mSupervisor) : null;
+
+         boolean restrictedBgActivity = false;
+         if (!abort) {
+             try {
+@@ -774,15 +778,12 @@ class ActivityStarter {
+                         "shouldAbortBackgroundActivityStart");
+                 restrictedBgActivity = shouldAbortBackgroundActivityStart(callingUid,
+                         callingPid, callingPackage, realCallingUid, realCallingPid, callerApp,
+-                        originatingPendingIntent, allowBackgroundActivityStart, intent);
+                        originatingPendingIntent, allowBackgroundActivityStart, intent, checkedOptions);
+             } finally {
+                 Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
+             }
+         }
+ 
+-        // Merge the two options bundles, while realCallerOptions takes precedence.
+-        ActivityOptions checkedOptions = options != null
+-                ? options.getOptions(intent, aInfo, callerApp, mSupervisor) : null;
+         if (allowPendingRemoteAnimationRegistryLookup) {
+             checkedOptions = mService.getActivityStartController()
+                     .getPendingRemoteAnimationRegistry()
+@@ -941,7 +942,7 @@ class ActivityStarter {
+     boolean shouldAbortBackgroundActivityStart(int callingUid, int callingPid,
+             final String callingPackage, int realCallingUid, int realCallingPid,
+             WindowProcessController callerApp, PendingIntentRecord originatingPendingIntent,
+-            boolean allowBackgroundActivityStart, Intent intent) {
+            boolean allowBackgroundActivityStart, Intent intent, ActivityOptions checkedOptions) {
+         // don't abort for the most important UIDs
+         final int callingAppId = UserHandle.getAppId(callingUid);
+         if (callingUid == Process.ROOT_UID || callingAppId == Process.SYSTEM_UID
+@@ -976,7 +977,11 @@ class ActivityStarter {
+                 ? isCallingUidPersistentSystemProcess
+                 : (realCallingAppId == Process.SYSTEM_UID)
+                         || realCallingUidProcState <= ActivityManager.PROCESS_STATE_PERSISTENT_UI;
+-        if (realCallingUid != callingUid) {
+        // Legacy behavior allows to use caller foreground state to bypass BAL restriction.
+        final boolean balAllowedByPiSender =
+                PendingIntentRecord.isPendingIntentBalAllowedByCaller(checkedOptions);
+
+        if (balAllowedByPiSender && realCallingUid != callingUid) {
+             // don't abort if the realCallingUid has a visible window
+             if (realCallingUidHasAnyVisibleWindow) {
+                 return false;
+@@ -1013,9 +1018,10 @@ class ActivityStarter {
+         // If we don't have callerApp at this point, no caller was provided to startActivity().
+         // That's the case for PendingIntent-based starts, since the creator's process might not be
+         // up and alive. If that's the case, we retrieve the WindowProcessController for the send()
+-        // caller, so that we can make the decision based on its foreground/whitelisted state.
+        // caller if caller allows, so that we can make the decision
+        // based on its foreground/whitelisted state.
+         int callerAppUid = callingUid;
+-        if (callerApp == null) {
+        if (callerApp == null && balAllowedByPiSender) {
+             callerApp = mService.getProcessController(realCallingPid, realCallingUid);
+             callerAppUid = realCallingUid;
+         }
+diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
+index 5e2626b9a7dd..d0dad0a23729 100644
+--- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
+++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
+@@ -2398,7 +2398,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
+         final ActivityStarter starter = getActivityStartController().obtainStarter(
+                 null /* intent */, "moveTaskToFront");
+         if (starter.shouldAbortBackgroundActivityStart(callingUid, callingPid, callingPackage, -1,
+-                -1, callerApp, null, false, null)) {
+                -1, callerApp, null, false, null, null)) {
+             if (!isBackgroundActivityStartsEnabled()) {
+                 return;
+             }
+diff --git a/services/core/java/com/android/server/wm/AppTaskImpl.java b/services/core/java/com/android/server/wm/AppTaskImpl.java
+index 1eb7455135c7..f221c3a4573f 100644
+--- a/services/core/java/com/android/server/wm/AppTaskImpl.java
+++ b/services/core/java/com/android/server/wm/AppTaskImpl.java
+@@ -117,7 +117,7 @@ class AppTaskImpl extends IAppTask.Stub {
+                 final ActivityStarter starter = mService.getActivityStartController().obtainStarter(
+                         null /* intent */, "moveToFront");
+                 if (starter.shouldAbortBackgroundActivityStart(callingUid, callingPid,
+-                        callingPackage, -1, -1, callerApp, null, false, null)) {
+                        callingPackage, -1, -1, callerApp, null, false, null, null)) {
+                     if (!mService.isBackgroundActivityStartsEnabled()) {
+                         return;
+                     }
--- a/Patches/LineageOS-17.1/android_frameworks_base/353950-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353950-backport.patch
@ -0,0 +1,134 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Tue, 18 Jan 2022 11:59:54 -0500
+Subject: [PATCH] Add a limit on channel group creation
+
+Same as exists for channels
+
+This is a backport of the fix in ag/16659457, including the adjustment from ag/20920023 (changed the max value from 50000 to 6000).
+
+Test: PreferencesHelperTest
+Bug: 210114537
+Bug: 261723753
+Change-Id: Ic27efba4c54e22eebca16fc948879e652df4467b
+(cherry picked from commit 37b3549807d15452ac334fae316e615c3b9b8e8b & I3f3a99765c161369e1b026686a0e5f0c83ed839e)
+Merged-In: I3f3a99765c161369e1b026686a0e5f0c83ed839e
+Merged-In: Ic27efba4c54e22eebca16fc948879e652df4467b
+(cherry picked from commit 0f29716ab6fbf236e5d8f688bcdfdadf32429545)
+Merged-In: Ic27efba4c54e22eebca16fc948879e652df4467b
+---
+ .../notification/PreferencesHelper.java       | 16 ++++++-
+ .../notification/PreferencesHelperTest.java   | 47 +++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/notification/PreferencesHelper.java b/services/core/java/com/android/server/notification/PreferencesHelper.java
+index d4ba51cc3146..1a3779f7c607 100644
+--- a/services/core/java/com/android/server/notification/PreferencesHelper.java
+++ b/services/core/java/com/android/server/notification/PreferencesHelper.java
+@@ -73,7 +73,9 @@ public class PreferencesHelper implements RankingConfig {
+     private static final String NON_BLOCKABLE_CHANNEL_DELIM = ":";
+ 
+     @VisibleForTesting
+-    static final int NOTIFICATION_CHANNEL_COUNT_LIMIT = 50000;
+    static final int NOTIFICATION_CHANNEL_COUNT_LIMIT = 5000;
+    @VisibleForTesting
+    static final int NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT = 6000;
+ 
+     @VisibleForTesting
+     static final String TAG_RANKING = "ranking";
+@@ -184,6 +186,7 @@ public class PreferencesHelper implements RankingConfig {
+                                 }
+                             }
+                             boolean skipWarningLogged = false;
+                            boolean skipGroupWarningLogged = false;
+ 
+                             PackagePreferences r = getOrCreatePackagePreferencesLocked(name, uid,
+                                     XmlUtils.readIntAttribute(
+@@ -220,6 +223,14 @@ public class PreferencesHelper implements RankingConfig {
+                                 String tagName = parser.getName();
+                                 // Channel groups
+                                 if (TAG_GROUP.equals(tagName)) {
+                                    if (r.groups.size() >= NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT) {
+                                        if (!skipGroupWarningLogged) {
+                                            Slog.w(TAG, "Skipping further groups for " + r.pkg
+                                                    + "; app has too many");
+                                            skipGroupWarningLogged = true;
+                                        }
+                                        continue;
+                                    }
+                                     String id = parser.getAttributeValue(null, ATT_ID);
+                                     CharSequence groupName = parser.getAttributeValue(null,
+                                             ATT_NAME);
+@@ -610,6 +621,9 @@ public class PreferencesHelper implements RankingConfig {
+             }
+             if (fromTargetApp) {
+                 group.setBlocked(false);
+                if (r.groups.size() >= NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT) {
+                    throw new IllegalStateException("Limit exceed; cannot create more groups");
+                }
+             }
+             final NotificationChannelGroup oldGroup = r.groups.get(group.getId());
+             if (!group.equals(oldGroup)) {
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java
+index 2cede07de257..dfb62999be5f 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java
+@@ -23,6 +23,7 @@ import static android.app.NotificationManager.IMPORTANCE_NONE;
+ import static android.app.NotificationManager.IMPORTANCE_UNSPECIFIED;
+ 
+ import static com.android.server.notification.PreferencesHelper.NOTIFICATION_CHANNEL_COUNT_LIMIT;
+import static com.android.server.notification.PreferencesHelper.NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT;
+ 
+ import static junit.framework.Assert.assertNull;
+ import static junit.framework.Assert.fail;
+@@ -2729,4 +2730,50 @@ public class PreferencesHelperTest extends UiServiceTestCase {
+         assertNull(mHelper.getNotificationChannel(PKG_O, UID_O, extraChannel, true));
+         assertNull(mHelper.getNotificationChannel(PKG_O, UID_O, extraChannel1, true));
+     }
+
+    @Test
+    public void testTooManyGroups() {
+        for (int i = 0; i < NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT; i++) {
+            NotificationChannelGroup group = new NotificationChannelGroup(String.valueOf(i),
+                    String.valueOf(i));
+            mHelper.createNotificationChannelGroup(PKG_O, UID_O, group, true);
+        }
+        try {
+            NotificationChannelGroup group = new NotificationChannelGroup(
+                    String.valueOf(NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT),
+                    String.valueOf(NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT));
+            mHelper.createNotificationChannelGroup(PKG_O, UID_O, group, true);
+            fail("Allowed to create too many notification channel groups");
+        } catch (IllegalStateException e) {
+            // great
+        }
+    }
+
+    @Test
+    public void testTooManyGroups_xml() throws Exception {
+        String extraGroup = "EXTRA";
+        String extraGroup1 = "EXTRA1";
+
+        // create first... many... directly so we don't need a big xml blob in this test
+        for (int i = 0; i < NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT; i++) {
+            NotificationChannelGroup group = new NotificationChannelGroup(String.valueOf(i),
+                    String.valueOf(i));
+            mHelper.createNotificationChannelGroup(PKG_O, UID_O, group, true);
+        }
+
+        final String xml = "<ranking version=\"1\">\n"
+                + "<package name=\"" + PKG_O + "\" uid=\"" + UID_O + "\" >\n"
+                + "<channelGroup id=\"" + extraGroup + "\" name=\"hi\"/>"
+                + "<channelGroup id=\"" + extraGroup1 + "\" name=\"hi2\"/>"
+                + "</package>"
+                + "</ranking>";
+        XmlPullParser parser = Xml.newPullParser();
+        parser.setInput(new BufferedInputStream(new ByteArrayInputStream(xml.getBytes())),
+                null);
+        parser.nextTag();
+        mHelper.readXml(parser, false, UserHandle.USER_ALL);
+
+        assertNull(mHelper.getNotificationChannelGroup(extraGroup, PKG_O, UID_O));
+        assertNull(mHelper.getNotificationChannelGroup(extraGroup1, PKG_O, UID_O));
+    }
+ }
--- a/Patches/LineageOS-17.1/android_frameworks_base/353951-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/353951-backport.patch
@ -0,0 +1,217 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhed Jao <rhedjao@google.com>
+Date: Wed, 11 Jan 2023 16:02:27 +0800
+Subject: [PATCH] Fix bypass BG-FGS and BAL via package manager APIs
+
+Opt-in for BAL of PendingIntent for following APIs:
+
+* PackageInstaller.uninstall()
+* PackageInstaller.installExistingPackage()
+* PackageInstaller.uninstallExistingPackage()
+* PackageInstaller.Session.commit()
+* PackageInstaller.Session.commitTransferred()
+* PackageManager.freeStorage()
+
+Bug: 230492955
+Bug: 243377226
+Test: atest android.security.cts.PackageInstallerTest
+Test: atest CtsStagedInstallHostTestCases
+Change-Id: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf
+(cherry picked from commit b0b1ddb4b4ba5db27f5616b02ae2cdca8b63496f)
+Merged-In: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf
+---
+ core/java/android/content/IntentSender.java   | 42 ++++++++++++++++++-
+ .../server/pm/PackageInstallerService.java    | 11 ++++-
+ .../server/pm/PackageInstallerSession.java    | 19 +++++++--
+ .../server/pm/PackageManagerService.java      | 10 ++++-
+ 4 files changed, 73 insertions(+), 9 deletions(-)
+
+diff --git a/core/java/android/content/IntentSender.java b/core/java/android/content/IntentSender.java
+index ec0bac486c65..0ef0a71fffe0 100644
+--- a/core/java/android/content/IntentSender.java
+++ b/core/java/android/content/IntentSender.java
+@@ -16,8 +16,10 @@
+ 
+ package android.content;
+ 
+import android.annotation.Nullable;
+ import android.annotation.UnsupportedAppUsage;
+ import android.app.ActivityManager;
+import android.app.ActivityOptions;
+ import android.os.Bundle;
+ import android.os.RemoteException;
+ import android.os.Handler;
+@@ -154,7 +156,7 @@ public class IntentSender implements Parcelable {
+      */
+     public void sendIntent(Context context, int code, Intent intent,
+             OnFinished onFinished, Handler handler) throws SendIntentException {
+-        sendIntent(context, code, intent, onFinished, handler, null);
+        sendIntent(context, code, intent, onFinished, handler, null, null /* options */);
+     }
+ 
+     /**
+@@ -186,6 +188,42 @@ public class IntentSender implements Parcelable {
+     public void sendIntent(Context context, int code, Intent intent,
+             OnFinished onFinished, Handler handler, String requiredPermission)
+             throws SendIntentException {
+        sendIntent(context, code, intent, onFinished, handler, requiredPermission,
+                null /* options */);
+    }
+
+    /**
+     * Perform the operation associated with this IntentSender, allowing the
+     * caller to specify information about the Intent to use and be notified
+     * when the send has completed.
+     *
+     * @param context The Context of the caller.  This may be null if
+     * <var>intent</var> is also null.
+     * @param code Result code to supply back to the IntentSender's target.
+     * @param intent Additional Intent data.  See {@link Intent#fillIn
+     * Intent.fillIn()} for information on how this is applied to the
+     * original Intent.  Use null to not modify the original Intent.
+     * @param onFinished The object to call back on when the send has
+     * completed, or null for no callback.
+     * @param handler Handler identifying the thread on which the callback
+     * should happen.  If null, the callback will happen from the thread
+     * pool of the process.
+     * @param requiredPermission Name of permission that a recipient of the PendingIntent
+     * is required to hold.  This is only valid for broadcast intents, and
+     * corresponds to the permission argument in
+     * {@link Context#sendBroadcast(Intent, String) Context.sendOrderedBroadcast(Intent, String)}.
+     * If null, no permission is required.
+     * @param options Additional options the caller would like to provide to modify the sending
+     * behavior.  May be built from an {@link ActivityOptions} to apply to an activity start.
+     *
+     * @throws SendIntentException Throws CanceledIntentException if the IntentSender
+     * is no longer allowing more intents to be sent through it.
+     * @hide
+     */
+    public void sendIntent(Context context, int code, Intent intent,
+            OnFinished onFinished, Handler handler, String requiredPermission,
+            @Nullable Bundle options)
+            throws SendIntentException {
+         try {
+             String resolvedType = intent != null ?
+                     intent.resolveTypeIfNeeded(context.getContentResolver())
+@@ -195,7 +233,7 @@ public class IntentSender implements Parcelable {
+                     onFinished != null
+                             ? new FinishedDispatcher(this, onFinished, handler)
+                             : null,
+-                    requiredPermission, null);
+                    requiredPermission, options);
+             if (res < 0) {
+                 throw new SendIntentException();
+             }
+diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
+index c73f489cb143..ee0cd1f2ea23 100644
+--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
+@@ -23,6 +23,7 @@ import android.Manifest;
+ import android.app.ActivityManager;
+ import android.app.AppGlobals;
+ import android.app.AppOpsManager;
+import android.app.BroadcastOptions;
+ import android.app.Notification;
+ import android.app.NotificationManager;
+ import android.app.PackageDeleteObserver;
+@@ -1046,7 +1047,10 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
+                     PackageManager.deleteStatusToString(returnCode, msg));
+             fillIn.putExtra(PackageInstaller.EXTRA_LEGACY_STATUS, returnCode);
+             try {
+-                mTarget.sendIntent(mContext, 0, fillIn, null, null);
+                final BroadcastOptions options = BroadcastOptions.makeBasic();
+                options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                mTarget.sendIntent(mContext, 0, fillIn, null /* onFinished*/,
+                        null /* handler */, null /* requiredPermission */, options.toBundle());
+             } catch (SendIntentException ignored) {
+             }
+         }
+@@ -1076,7 +1080,10 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
+                     PackageInstaller.STATUS_PENDING_USER_ACTION);
+             fillIn.putExtra(Intent.EXTRA_INTENT, intent);
+             try {
+-                mTarget.sendIntent(mContext, 0, fillIn, null, null);
+                final BroadcastOptions options = BroadcastOptions.makeBasic();
+                options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                mTarget.sendIntent(mContext, 0, fillIn, null /* onFinished*/,
+                        null /* handler */, null /* requiredPermission */, options.toBundle());
+             } catch (SendIntentException ignored) {
+             }
+         }
+diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java
+index 5a880cb5fa52..b03f06ffd859 100644
+--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java
+@@ -46,6 +46,7 @@ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.admin.DevicePolicyEventLogger;
+ import android.app.admin.DevicePolicyManagerInternal;
+import android.app.BroadcastOptions;
+ import android.content.Context;
+ import android.content.IIntentReceiver;
+ import android.content.IIntentSender;
+@@ -960,13 +961,21 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
+                         try {
+                             intent.putExtra(PackageInstaller.EXTRA_SESSION_ID,
+                                     PackageInstallerSession.this.sessionId);
+-                            mStatusReceiver.sendIntent(mContext, 0, intent, null, null);
+                            final BroadcastOptions options = BroadcastOptions.makeBasic();
+                            options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                            mStatusReceiver.sendIntent(mContext, 0, intent,
+                                    null /* onFinished*/, null /* handler */,
+                                    null /* requiredPermission */, options.toBundle());
+                         } catch (IntentSender.SendIntentException ignore) {
+                         }
+                     }
+                 } else if (PackageInstaller.STATUS_PENDING_USER_ACTION == status) {
+                     try {
+-                        mStatusReceiver.sendIntent(mContext, 0, intent, null, null);
+                        final BroadcastOptions options = BroadcastOptions.makeBasic();
+                        options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                        mStatusReceiver.sendIntent(mContext, 0, intent,
+                                null /* onFinished*/, null /* handler */,
+                                null /* requiredPermission */, options.toBundle());
+                     } catch (IntentSender.SendIntentException ignore) {
+                     }
+                 } else {
+@@ -974,7 +983,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
+                             PackageInstallerSession.this.sessionId);
+                     mChildSessionsRemaining.clear(); // we're done. Don't send any more.
+                     try {
+-                        mStatusReceiver.sendIntent(mContext, 0, intent, null, null);
+                        final BroadcastOptions options = BroadcastOptions.makeBasic();
+                        options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                        mStatusReceiver.sendIntent(mContext, 0, intent,
+                                null /* onFinished*/, null /* handler */,
+                                null /* requiredPermission */, options.toBundle());
+                     } catch (IntentSender.SendIntentException ignore) {
+                     }
+                 }
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 1bd1396c6d45..ef97d61d26d7 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -4893,7 +4893,10 @@ public class PackageManagerService extends IPackageManager.Stub
+             }
+             if (pi != null) {
+                 try {
+-                    pi.sendIntent(null, success ? 1 : 0, null, null, null);
+                    final BroadcastOptions options = BroadcastOptions.makeBasic();
+                    options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+                    pi.sendIntent(null, success ? 1 : 0, null /* intent */, null /* onFinished*/,
+                            null /* handler */, null /* requiredPermission */, options.toBundle());
+                 } catch (SendIntentException e) {
+                     Slog.w(TAG, e);
+                 }
+@@ -13738,7 +13741,10 @@ public class PackageManagerService extends IPackageManager.Stub
+         fillIn.putExtra(PackageInstaller.EXTRA_STATUS,
+                 PackageManager.installStatusToPublicStatus(returnCode));
+         try {
+-            target.sendIntent(context, 0, fillIn, null, null);
+            final BroadcastOptions options = BroadcastOptions.makeBasic();
+            options.setPendingIntentBackgroundActivityLaunchAllowed(false);
+            target.sendIntent(context, 0, fillIn, null /* onFinished*/,
+                    null /* handler */, null /* requiredPermission */, options.toBundle());
+         } catch (SendIntentException ignored) {
+         }
+     }
--- a/Patches/LineageOS-17.1/android_frameworks_native/353953-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_native/353953-backport.patch
@ -0,0 +1,138 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sally Qi <sallyqi@google.com>
+Date: Wed, 5 Oct 2022 11:42:30 -0700
+Subject: [PATCH] Mitigate the security vulnerability by sanitizing the
+ transaction flags.
+
+- This is part of fix of commit
+  Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df for backporting.
+- Part of commit Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df which
+  sanitizes the transaction flags from DisplayState instead.
+- In rvc, we only have ACCESS_SURFACE_FLINGER permission check passed as
+  `privileged` argument in SF::applyTransactionState. We can directly
+  utilize it for sanitization in DiaplyState.
+- In rvc code base, SF::setTransactionState pass a const array of
+  displayState objects and then call SF::applyTransactionState. To
+  successfully sanitize the flags for each displayState object, we
+  convert this const array into non-const one before calling
+  SF::applyTransactionState.
+
+Bug: 248031255
+Test: test using displaytoken app manually on the phone, test shell
+screenrecord during using displaytoken; atest
+android.hardware.camera2.cts.FastBasicsTest
+
+Change-Id: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
+Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
+(cherry picked from commit 03d4458ea0cb00c28f695d99aae5e4c6b15fc237)
+Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
+---
+ libs/gui/LayerState.cpp                    | 21 +++++++++++++++++++++
+ libs/gui/include/gui/LayerState.h          |  1 +
+ services/surfaceflinger/SurfaceFlinger.cpp | 14 ++++++++++----
+ services/surfaceflinger/SurfaceFlinger.h   |  5 ++---
+ 4 files changed, 34 insertions(+), 7 deletions(-)
+
+diff --git a/libs/gui/LayerState.cpp b/libs/gui/LayerState.cpp
+index 6066421faf..293f042de2 100644
+--- a/libs/gui/LayerState.cpp
+++ b/libs/gui/LayerState.cpp
+@@ -237,6 +237,27 @@ void DisplayState::merge(const DisplayState& other) {
+     }
+ }
+ 
+void DisplayState::sanitize(bool privileged) {
+    if (what & DisplayState::eLayerStackChanged) {
+        if (!privileged) {
+            what &= ~DisplayState::eLayerStackChanged;
+            ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
+        }
+    }
+    if (what & DisplayState::eDisplayProjectionChanged) {
+        if (!privileged) {
+            what &= ~DisplayState::eDisplayProjectionChanged;
+            ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
+        }
+    }
+    if (what & DisplayState::eSurfaceChanged) {
+        if (!privileged) {
+            what &= ~DisplayState::eSurfaceChanged;
+            ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
+        }
+    }
+}
+
+ void layer_state_t::merge(const layer_state_t& other) {
+     if (other.what & ePositionChanged) {
+         what |= ePositionChanged;
+diff --git a/libs/gui/include/gui/LayerState.h b/libs/gui/include/gui/LayerState.h
+index f438eb3d01..8a07602e41 100644
+--- a/libs/gui/include/gui/LayerState.h
+++ b/libs/gui/include/gui/LayerState.h
+@@ -231,6 +231,7 @@ struct DisplayState {
+ 
+     DisplayState();
+     void merge(const DisplayState& other);
+    void sanitize(bool privileged);
+ 
+     uint32_t what;
+     sp<IBinder> token;
+diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
+index db26808cc2..21e9e8eb96 100644
+--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
+@@ -3675,7 +3675,7 @@ bool SurfaceFlinger::flushTransactionQueues() {
+             auto& [applyToken, transactionQueue] = *it;
+ 
+             while (!transactionQueue.empty()) {
+-                const auto& transaction = transactionQueue.front();
+                auto& transaction = transactionQueue.front();
+                 if (!transactionIsReadyToBeApplied(transaction.desiredPresentTime,
+                                                    transaction.states)) {
+                     setTransactionFlags(eTransactionFlushNeeded);
+@@ -3794,12 +3794,17 @@ void SurfaceFlinger::setTransactionState(const Vector<ComposerState>& states,
+         return;
+     }
+ 
+-    applyTransactionState(states, displays, flags, inputWindowCommands, desiredPresentTime,
+    Vector<DisplayState> displaysList;
+    for (auto& d : displays) {
+        displaysList.add(d);
+    }
+
+    applyTransactionState(states, displaysList, flags, inputWindowCommands, desiredPresentTime,
+                           uncacheBuffer, listenerCallbacks, postTime, privileged);
+ }
+ 
+ void SurfaceFlinger::applyTransactionState(const Vector<ComposerState>& states,
+-                                           const Vector<DisplayState>& displays, uint32_t flags,
+                                           Vector<DisplayState>& displays, uint32_t flags,
+                                            const InputWindowCommands& inputWindowCommands,
+                                            const int64_t desiredPresentTime,
+                                            const client_cache_t& uncacheBuffer,
+@@ -3824,7 +3829,8 @@ void SurfaceFlinger::applyTransactionState(const Vector<ComposerState>& states,
+         }
+     }
+ 
+-    for (const DisplayState& display : displays) {
+    for (DisplayState& display : displays) {
+        display.sanitize(privileged);
+         transactionFlags |= setDisplayStateLocked(display);
+     }
+ 
+diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
+index e58caa63b3..c4578d0dbb 100644
+--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h
+@@ -568,9 +568,8 @@ private:
+     /* ------------------------------------------------------------------------
+      * Transactions
+      */
+-    void applyTransactionState(const Vector<ComposerState>& state,
+-                               const Vector<DisplayState>& displays, uint32_t flags,
+-                               const InputWindowCommands& inputWindowCommands,
+    void applyTransactionState(const Vector<ComposerState>& state, Vector<DisplayState>& displays,
+                               uint32_t flags, const InputWindowCommands& inputWindowCommands,
+                                const int64_t desiredPresentTime,
+                                const client_cache_t& uncacheBuffer,
+                                const std::vector<ListenerCallbacks>& listenerCallbacks,
--- a/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/0002-Random_MAC.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/0002-Random_MAC.patch
@ -41,7 +41,7 @@ index d91b7f8b8..befc92fb4 100644
                         configureRandomizedMacAddress(config);
                     } else {
 diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java
-index 393a5c395..cb44fb4ab 100644
+index fce5758e1..817fb2958 100644
 --- a/service/java/com/android/server/wifi/WifiConfigManager.java
 +++ b/service/java/com/android/server/wifi/WifiConfigManager.java
@@ -1113,7 +1113,13 @@ public class WifiConfigManager {
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/353956.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/353956.patch
@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jack Yu <jackcwyu@google.com>
+Date: Thu, 28 Jul 2022 19:42:27 +0800
+Subject: [PATCH] Only primary user is allowed to control secure nfc
+
+Bug: 238298970
+Test: manual
+Merged-In: I945490ef1e62af479a732c9a260ed94bdd8bc313
+Change-Id: I945490ef1e62af479a732c9a260ed94bdd8bc313
+(cherry picked from commit 0e57ff90cdae3575c243d21d490e2b6384d33397)
+Merged-In: I945490ef1e62af479a732c9a260ed94bdd8bc313
+---
+ src/com/android/settings/nfc/SecureNfcEnabler.java              | 2 +-
+ src/com/android/settings/nfc/SecureNfcPreferenceController.java | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/settings/nfc/SecureNfcEnabler.java b/src/com/android/settings/nfc/SecureNfcEnabler.java
+index f31a382a57..ad5c4ab7e8 100644
+--- a/src/com/android/settings/nfc/SecureNfcEnabler.java
+++ b/src/com/android/settings/nfc/SecureNfcEnabler.java
+@@ -61,7 +61,7 @@ public class SecureNfcEnabler extends BaseNfcEnabler {
+     }
+ 
+     private boolean isToggleable() {
+-        if (mUserManager.isGuestUser()) {
+        if (!mUserManager.isPrimaryUser()) {
+             return false;
+         }
+         return true;
+diff --git a/src/com/android/settings/nfc/SecureNfcPreferenceController.java b/src/com/android/settings/nfc/SecureNfcPreferenceController.java
+index 2ff685e5a0..ab87ddba34 100644
+--- a/src/com/android/settings/nfc/SecureNfcPreferenceController.java
+++ b/src/com/android/settings/nfc/SecureNfcPreferenceController.java
+@@ -104,7 +104,7 @@ public class SecureNfcPreferenceController extends TogglePreferenceController
+     }
+ 
+     private boolean isToggleable() {
+-        if (mUserManager.isGuestUser()) {
+        if (!mUserManager.isPrimaryUser()) {
+             return false;
+         }
+         return true;
--- a/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/353957-backport.patch
+++ b/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/353957-backport.patch
@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Abhijeet Kaur <abkaur@google.com>
+Date: Wed, 23 Nov 2022 08:47:27 +0000
+Subject: [PATCH] Canonicalise path before extracting relative path
+
+This helps us make accurate access checks on the given path.
+
+Bug: 228833816
+Bug: 228450832
+Test: atest FileUtilsTest
+Test: atest LegacyStorageHostTest
+Change-Id: Id620644ffdfe20e9281773e2e23851c56732dd11
+Merged-In: Id620644ffdfe20e9281773e2e23851c56732dd11
+(cherry picked from commit 93f5186e4b4a044e00a168c55e05fd3835033221)
+(cherry picked from commit 0f59f42685f186fd207355c01c580038436713ba)
+Merged-In: Id620644ffdfe20e9281773e2e23851c56732dd11
+---
+ src/com/android/providers/media/MediaProvider.java | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
+index 9032644e7..f9ea135fd 100644
+--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
+@@ -2308,8 +2308,22 @@ public class MediaProvider extends ContentProvider {
+         }
+     }
+ 
+    @Nullable
+    private static String getCanonicalPath(@Nullable String path) {
+        if (path == null) return null;
+
+        try {
+            return new File(path).getCanonicalPath();
+        } catch (IOException e) {
+            Log.d(TAG, "Unable to get canonical path from invalid data path: " + path, e);
+            return null;
+        }
+    }
+
+     private static @Nullable String extractRelativePath(@Nullable String data) {
+        data = getCanonicalPath(data);
+         if (data == null) return null;
+
+         final Matcher matcher = PATTERN_RELATIVE_PATH.matcher(data);
+         if (matcher.find()) {
+             final int lastSlash = data.lastIndexOf('/');
--- a/Patches/LineageOS-17.1/android_packages_services_Telecomm/353959.patch
+++ b/Patches/LineageOS-17.1/android_packages_services_Telecomm/353959.patch
@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chinmay Dhodapkar <chinmayd@google.com>
+Date: Sun, 4 Dec 2022 09:46:34 -0800
+Subject: [PATCH] DO NOT MERGE do not process content uri in call Intents
+
+Add checks in Telecom so content uris are not processed
+
+Bug: 257030107
+Test: atest NewOutgoingCallIntentBroadcasterTest
+Test: adb shell am start -a android.intent.action.CALL -d tel:xxx
+Change-Id: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414
+Merged-In: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414
+(cherry picked from commit 9636518478fb887dd1834c0433eb3a71eb72faaf)
+Merged-In: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414
+---
+ .../telecom/NewOutgoingCallIntentBroadcaster.java  | 14 ++++++++++++--
+ .../NewOutgoingCallIntentBroadcasterTest.java      | 13 +++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java b/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java
+index 7a641af3c..960be80a3 100644
+--- a/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java
+++ b/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java
+@@ -313,8 +313,18 @@ public class NewOutgoingCallIntentBroadcaster {
+     }
+ 
+     private String getNumberFromCallIntent(Intent intent) {
+-        String number;
+-        number = mPhoneNumberUtilsAdapter.getNumberFromIntent(intent, mContext);
+        String number = null;
+
+        Uri uri = intent.getData();
+        if (uri != null) {
+            String scheme = uri.getScheme();
+            if (scheme != null) {
+                if (scheme.equals("tel") || scheme.equals("sip")) {
+                    number = uri.getSchemeSpecificPart();
+                }
+            }
+        }
+
+         if (TextUtils.isEmpty(number)) {
+             Log.w(this, "Empty number obtained from the call intent.");
+             return null;
+diff --git a/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java b/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java
+index 81b43265f..b618bba1e 100644
+--- a/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java
+++ b/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java
+@@ -186,6 +186,19 @@ public class NewOutgoingCallIntentBroadcasterTest extends TelecomTestCase {
+         verifyNoCallPlaced();
+     }
+ 
+    @Test
+    public void testNoCallsPlacedWithContentUri() {
+        Uri handle = Uri.parse("content://com.android.contacts/data/1");
+        Intent intent = new Intent(Intent.ACTION_CALL, handle);
+
+        int result = processIntent(intent, true).disconnectCause;
+
+        assertEquals(DisconnectCause.NO_PHONE_NUMBER_SUPPLIED, result);
+        verify(mContext, never()).getContentResolver();
+        verifyNoBroadcastSent();
+        verifyNoCallPlaced();
+    }
+
+     @SmallTest
+     @Test
+     public void testEmergencyCallWithNonDefaultDialer() {
--- a/Patches/LineageOS-17.1/android_system_bt/353960.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/353960.patch
@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Thu, 8 Dec 2022 01:08:11 +0000
+Subject: [PATCH] Fix OOB access in avdt_scb_hdl_pkt_no_frag
+
+This is a back port of the following 2 CLs:
+- Id13b1ebde8f603123c8b7a49922b2f1378ab788f
+- If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
+
+Regression test: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54
+
+Bug: 142546355 258057241
+Test: atest net_test_stack_avdtp
+Ignore-AOSP-First: security
+Change-Id: Ie1707385d6452ece47915c153f4faaa1c8a287c9
+(cherry picked from commit b0b968e8c6214e20a5dc3617d66567225df0884f)
+Merged-In: Ie1707385d6452ece47915c153f4faaa1c8a287c9
+---
+ stack/avdt/avdt_scb_act.cc | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
+index ce53c45eb..f2de4ba35 100644
+--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
+@@ -255,19 +255,24 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
+     if (offset > len) goto length_error;
+     p += 2;
+     BE_STREAM_TO_UINT16(ex_len, p);
+-    offset += ex_len * 4;
+     p += ex_len * 4;
+   }
+ 
+  if ((p - p_start) >= len) {
+    AVDT_TRACE_WARNING("%s: handling malformatted packet: ex_len too large", __func__);
+    osi_free_and_reset((void**)&p_data->p_pkt);
+    return;
+  }
+  offset = p - p_start;
+
+   /* adjust length for any padding at end of packet */
+   if (o_p) {
+     /* padding length in last byte of packet */
+-    pad_len = *(p_start + p_data->p_pkt->len);
+    pad_len = *(p_start + len - 1);
+   }
+ 
+   /* do sanity check */
+-  if ((offset > p_data->p_pkt->len) ||
+-      ((pad_len + offset) > p_data->p_pkt->len)) {
+  if (pad_len >= (len - offset)) {
+     AVDT_TRACE_WARNING("Got bad media packet");
+     osi_free_and_reset((void**)&p_data->p_pkt);
+   }
--- a/Patches/LineageOS-17.1/android_system_bt/353961.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/353961.patch
@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Fri, 20 Jan 2023 19:39:30 +0000
+Subject: [PATCH] Fix an OOB bug in register_notification_rsp
+
+This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f
+to rvc-dev.
+
+Bug: 245916076
+Test: manual
+Ignore-AOSP-First: security
+Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765
+(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf)
+Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765
+---
+ btif/src/btif_rc.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
+index 575d83e37..be29e559b 100644
+--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc
+@@ -1892,6 +1892,11 @@ static bt_status_t register_notification_rsp(
+                    dump_rc_notification_event_id(event_id));
+   std::unique_lock<std::mutex> lock(btif_rc_cb.lock);
+ 
+  if (event_id > MAX_RC_NOTIFICATIONS) {
+    BTIF_TRACE_ERROR("Invalid event id");
+    return BT_STATUS_PARM_INVALID;
+  }
+
+   memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP));
+ 
+   avrc_rsp.reg_notif.event_id = event_id;
--- a/Patches/LineageOS-17.1/android_system_nfc/353962.patch
+++ b/Patches/LineageOS-17.1/android_system_nfc/353962.patch
@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 31 Jan 2023 19:04:09 -0800
+Subject: [PATCH] OOBW in nci_snd_set_routing_cmd()
+
+Bug: 264879662
+Test: read a tag, nfc on/off
+Change-Id: I408cf611fb35e9467d7484165ce48759970b158a
+(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78)
+Merged-In: I408cf611fb35e9467d7484165ce48759970b158a
+---
+ src/nfc/nci/nci_hmsgs.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/nfc/nci/nci_hmsgs.cc b/src/nfc/nci/nci_hmsgs.cc
+index 885ebaa..c191c26 100644
+--- a/src/nfc/nci/nci_hmsgs.cc
+++ b/src/nfc/nci/nci_hmsgs.cc
+@@ -630,6 +630,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size,
+   uint8_t* pp;
+   uint8_t size = tlv_size + 2;
+ 
+  if (size < tlv_size) {
+    return (NCI_STATUS_FAILED);
+  }
+
+   if (tlv_size == 0) {
+     /* just to terminate routing table
+      * 2 bytes (more=FALSE and num routing entries=0) */
--- a/Patches/LineageOS-17.1/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch
+++ b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch
@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 31 Jan 2023 19:04:09 -0800
+Subject: [PATCH] OOBW in nci_snd_set_routing_cmd()
+
+Bug: 264879662
+Test: read a tag, nfc on/off
+Change-Id: I408cf611fb35e9467d7484165ce48759970b158a
+(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78)
+Merged-In: I408cf611fb35e9467d7484165ce48759970b158a
+---
+ SN100x/src/nfc/nci/nci_hmsgs.cc | 4 ++++
+ src/nfc/nci/nci_hmsgs.cc        | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/SN100x/src/nfc/nci/nci_hmsgs.cc b/SN100x/src/nfc/nci/nci_hmsgs.cc
+index 99a40a1f..e37a82b6 100755
+--- a/SN100x/src/nfc/nci/nci_hmsgs.cc
+++ b/SN100x/src/nfc/nci/nci_hmsgs.cc
+@@ -673,6 +673,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size,
+   uint8_t* pp;
+   uint8_t size = tlv_size + 2;
+ 
+  if (size < tlv_size) {
+    return (NCI_STATUS_FAILED);
+  }
+
+   if (tlv_size == 0) {
+     /* just to terminate routing table
+      * 2 bytes (more=FALSE and num routing entries=0) */
+diff --git a/src/nfc/nci/nci_hmsgs.cc b/src/nfc/nci/nci_hmsgs.cc
+index eedfc084..898d1446 100755
+--- a/src/nfc/nci/nci_hmsgs.cc
+++ b/src/nfc/nci/nci_hmsgs.cc
+@@ -727,6 +727,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size,
+   uint8_t* pp;
+   uint8_t size = tlv_size + 2;
+ 
+  if (size < tlv_size) {
+    return (NCI_STATUS_FAILED);
+  }
+
+   if (tlv_size == 0) {
+     /* just to terminate routing table
+      * 2 bytes (more=false and num routing entries=0) */
--- a/Patches/LineageOS-17.1/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch
+++ b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch
@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 31 Jan 2023 19:04:09 -0800
+Subject: [PATCH] OOBW in nci_snd_set_routing_cmd()
+
+Bug: 264879662
+Test: read a tag, nfc on/off
+Change-Id: I408cf611fb35e9467d7484165ce48759970b158a
+(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78)
+Merged-In: I408cf611fb35e9467d7484165ce48759970b158a
+---
+ halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc b/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc
+index a76ba5a..34d1d07 100755
+--- a/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc
+++ b/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc
+@@ -672,6 +672,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size,
+   uint8_t *pp;
+   uint8_t size = tlv_size + 2;
+ 
+  if (size < tlv_size) {
+    return (NCI_STATUS_FAILED);
+  }
+
+   if (tlv_size == 0) {
+     /* just to terminate routing table
+      * 2 bytes (more=false and num routing entries=0) */
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353967.patch
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353967.patch
@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Fri, 20 Jan 2023 19:39:30 +0000
+Subject: [PATCH] Fix an OOB bug in register_notification_rsp
+
+This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f
+to rvc-dev.
+
+Bug: 245916076
+Test: manual
+Ignore-AOSP-First: security
+Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765
+(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf)
+Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765
+---
+ btif/src/btif_rc.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
+index a0e38998f..41fd73485 100644
+--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc
+@@ -3137,6 +3137,11 @@ static bt_status_t register_notification_rsp(
+                    dump_rc_notification_event_id(event_id));
+   std::unique_lock<std::mutex> lock(btif_rc_cb.lock);
+ 
+  if (event_id > MAX_RC_NOTIFICATIONS) {
+    BTIF_TRACE_ERROR("Invalid event id");
+    return BT_STATUS_PARM_INVALID;
+  }
+
+   memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP));
+ 
+   avrc_rsp.reg_notif.event_id = event_id;
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353968.patch
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353968.patch
@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mayank Madhukar <quic_mmadhuka@quicinc.com>
+Date: Thu, 14 Jul 2022 15:33:53 +0530
+Subject: [PATCH] AVDTP: Fix a potential overflow about the media payload
+ offset
+
+This variable is uint16, and is possible to overflow when the length of
+header extension is larger. Here we compare with the data length to
+prevent any exceptions.
+
+Change-Id: If55d77132e893d6856c9f4ccc42d24a6e7cafe29
+CRs-Fixed: 3237187
+---
+ stack/avdt/avdt_scb_act.cc | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
+index 130f44ab1..568575458 100644
+--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
+@@ -277,19 +277,24 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
+     if (offset > len) goto length_error;
+     p += 2;
+     BE_STREAM_TO_UINT16(ex_len, p);
+-    offset += ex_len * 4;
+     p += ex_len * 4;
+   }
+ 
+  if ((p - p_start) > len) {
+    android_errorWriteLog(0x534e4554, "142546355");
+    osi_free_and_reset((void**)&p_data->p_pkt);
+    return;
+  }
+  offset = p - p_start;
+
+   /* adjust length for any padding at end of packet */
+   if (o_p) {
+     /* padding length in last byte of packet */
+-    pad_len = *(p_start + p_data->p_pkt->len);
+    pad_len = *(p_start + len);
+   }
+ 
+   /* do sanity check */
+-  if ((offset > p_data->p_pkt->len) ||
+-      ((pad_len + offset) > p_data->p_pkt->len)) {
+  if (pad_len > (len - offset)) {
+     AVDT_TRACE_WARNING("Got bad media packet");
+     osi_free_and_reset((void**)&p_data->p_pkt);
+   }
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
-sed -i 's/2023-02-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-03 #XXX
+sed -i 's/2023-02-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-04 #XXX
 fi;

 if enterAndClear "build/soong"; then
@ -145,6 +145,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/351415.patch"; #R_asb_2023-03 R
 applyPatch "$DOS_PATCHES/android_frameworks_base/351436.patch"; #R_asb_2023-03 Revert "Ensure that only SysUI can override pending intent launch flags"
 applyPatch "$DOS_PATCHES/android_frameworks_base/352555.patch"; #Q_asb_2023-03 Revert "[RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege"
 applyPatch "$DOS_PATCHES/android_frameworks_base/353117.patch"; #Q_asb_2023-03 Fix sharing to another profile where an app has multiple targets
+applyPatch "$DOS_PATCHES/android_frameworks_base/353944.patch"; #R_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+applyPatch "$DOS_PATCHES/android_frameworks_base/353945.patch"; #R_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+applyPatch "$DOS_PATCHES/android_frameworks_base/353946.patch"; #R_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+applyPatch "$DOS_PATCHES/android_frameworks_base/353947.patch"; #R_asb_2023-04 Encode Intent scheme when serializing to URI string
+applyPatch "$DOS_PATCHES/android_frameworks_base/353948-backport.patch"; #R_asb_2023-04 Backport BAL restrictions from S to R, this blocks apps from using AlarmManager to bypass BAL restrictions.
+applyPatch "$DOS_PATCHES/android_frameworks_base/353950-backport.patch"; #R_asb_2023-04 Add a limit on channel group creation
+applyPatch "$DOS_PATCHES/android_frameworks_base/353951-backport.patch"; #R_asb_2023-04 Fix bypass BG-FGS and BAL via package manager APIs #XXX
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -204,6 +211,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
 fi;

 if enterAndClear "frameworks/native"; then
+applyPatch "$DOS_PATCHES/android_frameworks_native/353953-backport.patch"; #R_asb_2023-04 Mitigate the security vulnerability by sanitizing the transaction flags.
 applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
 fi;

@ -214,7 +222,7 @@ fi;
 fi;

 if enterAndClear "frameworks/opt/net/wifi"; then
-applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/351437-backport.patch"; #R_asb_2023-03 Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset"
+#applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/351437-backport.patch"; #R_asb_2023-03 Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset" #XXX: reverted in R_asb_2023-04
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
@ -319,6 +327,7 @@ if enterAndClear "packages/apps/Settings"; then
 git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351440-backport.patch"; #R_asb_2023-03 FRP bypass defense in the settings app
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351441.patch"; #R_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/353956.patch"; #R_asb_2023-04 Only primary user is allowed to control secure nfc
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work
@ -366,10 +375,18 @@ if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
 fi;

+if enterAndClear "packages/providers/MediaProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/353957-backport.patch"; #R_asb_2023-04 Canonicalise path before extracting relative path
+fi;
+
 #if enterAndClear "packages/providers/TelephonyProvider"; then
 #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/;
 #fi;

+if enterAndClear "packages/services/Telecomm"; then
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353959.patch"; #R_asb_2023-04 Do not process content uri in call Intents
+fi;
+
 if enterAndClear "prebuilts/abi-dumps/vndk"; then
 applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patch"; #Work around ABI changes from compiler hardening (GrapheneOS)
 fi;
@ -378,6 +395,8 @@ if enterAndClear "system/bt"; then
 applyPatch "$DOS_PATCHES/android_system_bt/351443.patch"; #R_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
 applyPatch "$DOS_PATCHES/android_system_bt/351444.patch"; #R_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
 applyPatch "$DOS_PATCHES/android_system_bt/351445.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+applyPatch "$DOS_PATCHES/android_system_bt/353960.patch"; #R_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+applyPatch "$DOS_PATCHES/android_system_bt/353961.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -403,6 +422,18 @@ applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Ex
 applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
 fi;

+if enterAndClear "system/nfc"; then
+applyPatch "$DOS_PATCHES/android_system_nfc/353962.patch"; #R_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+fi;
+
+if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch"; #R_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+fi;
+
+if enterAndClear "vendor/nxp/opensource/pn5xx/halimpl"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch"; #R_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+fi;
+
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
@ -448,6 +479,8 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351448.patch";
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351449.patch"; #R_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351450.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351451.patch"; #R_asb_2023-03 AVRCP: Fix potential buffer overflow
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353967.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353968.patch"; #R_asb_2023-04 AVDTP: Fix a potential overflow about the media payload offset
 fi;
 #
 #END OF ROM CHANGES