More backports

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-14.1/android_frameworks_base/399075-backport.patch

@@ -0,0 +1,147 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 30 Nov 2023 23:12:39 +0000
+Subject: [PATCH] Added throttle when reporting shortcut usage
+
+Bug: 304290201
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:76121eb73d4c40829d5513b073871333520fe0a2)
+Merged-In: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+Change-Id: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+---
+ .../android/server/pm/ShortcutPackage.java    | 35 +++++++++++++++++++
+ .../android/server/pm/ShortcutService.java    | 12 +++----
+ .../server/pm/ShortcutManagerTest2.java       |  2 ++
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index 0a98002feb14..36e775a3a237 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -19,17 +19,20 @@ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.annotation.UserIdInt;
+ import android.content.ComponentName;
++import android.app.usage.UsageStatsManagerInternal;
+ import android.content.Intent;
+ import android.content.pm.PackageInfo;
+ import android.content.pm.ShortcutInfo;
+ import android.content.res.Resources;
+ import android.os.PersistableBundle;
++import android.os.SystemClock;
+ import android.text.format.Formatter;
+ import android.util.ArrayMap;
+ import android.util.ArraySet;
+ import android.util.Log;
+ import android.util.Slog;
+ 
++import com.android.internal.annotations.GuardedBy;
+ import com.android.internal.annotations.VisibleForTesting;
+ import com.android.internal.util.Preconditions;
+ import com.android.internal.util.XmlUtils;
+@@ -103,6 +106,11 @@ class ShortcutPackage extends ShortcutPackageItem {
+     private static final String KEY_BITMAPS = "bitmaps";
+     private static final String KEY_BITMAP_BYTES = "bitmapBytes";
+ 
++    @VisibleForTesting
++    public static final int REPORT_USAGE_BUFFER_SIZE = 3;
++
++    private final Object mLock = new Object();
++
+     /**
+      * All the shortcuts from the package, keyed on IDs.
+      */
+@@ -122,6 +130,9 @@ class ShortcutPackage extends ShortcutPackageItem {
+ 
+     private long mLastKnownForegroundElapsedTime;
+ 
++    @GuardedBy("mLock")
++    private List<Long> mLastReportedTime = new ArrayList<>();
++
+     private ShortcutPackage(ShortcutUser shortcutUser,
+             int packageUserId, String packageName, ShortcutPackageInfo spi) {
+         super(shortcutUser, packageUserId, packageName,
+@@ -1144,6 +1155,30 @@ class ShortcutPackage extends ShortcutPackageItem {
+         return false;
+     }
+ 
++    void reportShortcutUsed(@NonNull final UsageStatsManagerInternal usageStatsManagerInternal,
++            @NonNull final String shortcutId) {
++        synchronized (mLock) {
++            final long currentTS = SystemClock.elapsedRealtime();
++            final ShortcutService s = mShortcutUser.mService;
++            if (mLastReportedTime.isEmpty()
++                    || mLastReportedTime.size() < REPORT_USAGE_BUFFER_SIZE) {
++                mLastReportedTime.add(currentTS);
++            } else if (currentTS - mLastReportedTime.get(0) > s.mSaveDelayMillis) {
++                mLastReportedTime.remove(0);
++                mLastReportedTime.add(currentTS);
++            } else {
++                return;
++            }
++            final long token = s.injectClearCallingIdentity();
++            try {
++                usageStatsManagerInternal.reportShortcutUsage(getPackageName(), shortcutId,
++                        getUser().getUserId());
++            } finally {
++                s.injectRestoreCallingIdentity(token);
++            }
++        }
++    }
++
+     public void dump(@NonNull PrintWriter pw, @NonNull String prefix) {
+         pw.println();
+ 
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index 2cfc3461c697..6d57f7163b87 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -290,7 +290,7 @@ public class ShortcutService extends IShortcutService.Stub {
+     private CompressFormat mIconPersistFormat;
+     private int mIconPersistQuality;
+ 
+-    private int mSaveDelayMillis;
++    int mSaveDelayMillis;
+ 
+     private final IPackageManager mIPackageManager;
+     private final PackageManagerInternal mPackageManagerInternal;
+@@ -2045,10 +2045,11 @@ public class ShortcutService extends IShortcutService.Stub {
+                     shortcutId, packageName, userId));
+         }
+ 
++        final ShortcutPackage ps;
+         synchronized (mLock) {
+             throwIfUserLockedL(userId);
+ 
+-            final ShortcutPackage ps = getPackageShortcutsForPublisherLocked(packageName, userId);
++            ps = getPackageShortcutsForPublisherLocked(packageName, userId);
+ 
+             if (ps.findShortcutById(shortcutId) == null) {
+                 Log.w(TAG, String.format("reportShortcutUsed: package %s doesn't have shortcut %s",
+@@ -2057,12 +2058,7 @@ public class ShortcutService extends IShortcutService.Stub {
+             }
+         }
+ 
+-        final long token = injectClearCallingIdentity();
+-        try {
+-            mUsageStatsManagerInternal.reportShortcutUsage(packageName, shortcutId, userId);
+-        } finally {
+-            injectRestoreCallingIdentity(token);
+-        }
++        ps.reportShortcutUsed(mUsageStatsManagerInternal, shortcutId);
+     }
+ 
+     /**
+diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+index 6b86ef0e0704..579657981ff9 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+@@ -1809,6 +1809,8 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
+ 
+     public void testReportShortcutUsed() {
+         mRunningUsers.put(USER_10, true);
++        mService.updateConfigurationLocked(
++                ShortcutService.ConfigConstants.KEY_SAVE_DELAY_MILLIS + "=1");
+ 
+         runWithCaller(CALLING_PACKAGE_1, USER_10, () -> {
+             reset(mMockUsageStatsManagerInternal);

Patches/LineageOS-15.1/android_frameworks_base/399075-backport.patch

@@ -0,0 +1,147 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 30 Nov 2023 23:12:39 +0000
+Subject: [PATCH] Added throttle when reporting shortcut usage
+
+Bug: 304290201
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:76121eb73d4c40829d5513b073871333520fe0a2)
+Merged-In: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+Change-Id: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+---
+ .../android/server/pm/ShortcutPackage.java    | 35 +++++++++++++++++++
+ .../android/server/pm/ShortcutService.java    | 12 +++----
+ .../server/pm/ShortcutManagerTest2.java       |  2 ++
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index a0fd43640e61..8dc3005ae81a 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -19,17 +19,20 @@ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.annotation.UserIdInt;
+ import android.content.ComponentName;
++import android.app.usage.UsageStatsManagerInternal;
+ import android.content.Intent;
+ import android.content.pm.PackageInfo;
+ import android.content.pm.ShortcutInfo;
+ import android.content.res.Resources;
+ import android.os.PersistableBundle;
++import android.os.SystemClock;
+ import android.text.format.Formatter;
+ import android.util.ArrayMap;
+ import android.util.ArraySet;
+ import android.util.Log;
+ import android.util.Slog;
+ 
++import com.android.internal.annotations.GuardedBy;
+ import com.android.internal.annotations.VisibleForTesting;
+ import com.android.internal.util.Preconditions;
+ import com.android.internal.util.XmlUtils;
+@@ -103,6 +106,11 @@ class ShortcutPackage extends ShortcutPackageItem {
+     private static final String KEY_BITMAPS = "bitmaps";
+     private static final String KEY_BITMAP_BYTES = "bitmapBytes";
+ 
++    @VisibleForTesting
++    public static final int REPORT_USAGE_BUFFER_SIZE = 3;
++
++    private final Object mLock = new Object();
++
+     /**
+      * All the shortcuts from the package, keyed on IDs.
+      */
+@@ -122,6 +130,9 @@ class ShortcutPackage extends ShortcutPackageItem {
+ 
+     private long mLastKnownForegroundElapsedTime;
+ 
++    @GuardedBy("mLock")
++    private List<Long> mLastReportedTime = new ArrayList<>();
++
+     private ShortcutPackage(ShortcutUser shortcutUser,
+             int packageUserId, String packageName, ShortcutPackageInfo spi) {
+         super(shortcutUser, packageUserId, packageName,
+@@ -1145,6 +1156,30 @@ class ShortcutPackage extends ShortcutPackageItem {
+         return false;
+     }
+ 
++    void reportShortcutUsed(@NonNull final UsageStatsManagerInternal usageStatsManagerInternal,
++            @NonNull final String shortcutId) {
++        synchronized (mLock) {
++            final long currentTS = SystemClock.elapsedRealtime();
++            final ShortcutService s = mShortcutUser.mService;
++            if (mLastReportedTime.isEmpty()
++                    || mLastReportedTime.size() < REPORT_USAGE_BUFFER_SIZE) {
++                mLastReportedTime.add(currentTS);
++            } else if (currentTS - mLastReportedTime.get(0) > s.mSaveDelayMillis) {
++                mLastReportedTime.remove(0);
++                mLastReportedTime.add(currentTS);
++            } else {
++                return;
++            }
++            final long token = s.injectClearCallingIdentity();
++            try {
++                usageStatsManagerInternal.reportShortcutUsage(getPackageName(), shortcutId,
++                        getUser().getUserId());
++            } finally {
++                s.injectRestoreCallingIdentity(token);
++            }
++        }
++    }
++
+     public void dump(@NonNull PrintWriter pw, @NonNull String prefix) {
+         pw.println();
+ 
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index 83b817559c2a..d9e80fb1d0ad 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -302,7 +302,7 @@ public class ShortcutService extends IShortcutService.Stub {
+     private CompressFormat mIconPersistFormat;
+     private int mIconPersistQuality;
+ 
+-    private int mSaveDelayMillis;
++    int mSaveDelayMillis;
+ 
+     private final IPackageManager mIPackageManager;
+     private final PackageManagerInternal mPackageManagerInternal;
+@@ -2130,10 +2130,11 @@ public class ShortcutService extends IShortcutService.Stub {
+                     shortcutId, packageName, userId));
+         }
+ 
++        final ShortcutPackage ps;
+         synchronized (mLock) {
+             throwIfUserLockedL(userId);
+ 
+-            final ShortcutPackage ps = getPackageShortcutsForPublisherLocked(packageName, userId);
++            ps = getPackageShortcutsForPublisherLocked(packageName, userId);
+ 
+             if (ps.findShortcutById(shortcutId) == null) {
+                 Log.w(TAG, String.format("reportShortcutUsed: package %s doesn't have shortcut %s",
+@@ -2142,12 +2143,7 @@ public class ShortcutService extends IShortcutService.Stub {
+             }
+         }
+ 
+-        final long token = injectClearCallingIdentity();
+-        try {
+-            mUsageStatsManagerInternal.reportShortcutUsage(packageName, shortcutId, userId);
+-        } finally {
+-            injectRestoreCallingIdentity(token);
+-        }
++        ps.reportShortcutUsed(mUsageStatsManagerInternal, shortcutId);
+     }
+ 
+     @Override
+diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+index 3220ea960f5d..48493df71dce 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+@@ -1867,6 +1867,8 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
+ 
+     public void testReportShortcutUsed() {
+         mRunningUsers.put(USER_10, true);
++        mService.updateConfigurationLocked(
++                ShortcutService.ConfigConstants.KEY_SAVE_DELAY_MILLIS + "=1");
+ 
+         runWithCaller(CALLING_PACKAGE_1, USER_10, () -> {
+             reset(mMockUsageStatsManagerInternal);

Patches/LineageOS-15.1/android_frameworks_base/399076.patch

@@ -0,0 +1,53 @@
+From a8d8d9bb68570d395ddb20449ee466e2b468840c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Tue, 20 Jul 2021 00:01:29 +0000
+Subject: [PATCH] Prevend user spoofing in isRequestPinItemSupported
+
+This CL ensure the caller process is from the same user when calling
+ShortcutService#isRequestPinItemSupported.
+
+Bug: 191772737
+Test: atest ShortcutManagerTest1 ShortcutManagerTest2
+    ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5
+    ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8
+    ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11
+    ShortcutManagerTest12
+Test: atest CtsShortcutManagerTestCases
+Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485
+---
+ .../com/android/server/pm/ShortcutService.java    | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index c18cdcb891409..f4c8127439181 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -1566,6 +1566,19 @@ void injectEnforceCallingPermission(
+         mContext.enforceCallingPermission(permission, message);
+     }
+ 
++    private void verifyCallerUserId(@UserIdInt int userId) {
++        if (isCallerSystem()) {
++            return; // no check
++        }
++
++        final int callingUid = injectBinderCallingUid();
++
++        // Otherwise, make sure the arguments are valid.
++        if (UserHandle.getUserId(callingUid) != userId) {
++            throw new SecurityException("Invalid user-ID");
++        }
++    }
++
+     private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) {
+         Preconditions.checkStringNotEmpty(packageName, "packageName");
+ 
+@@ -2303,6 +2316,8 @@ public void reportShortcutUsed(String packageName, String shortcutId, int userId
+ 
+     @Override
+     public boolean isRequestPinItemSupported(int callingUserId, int requestType) {
++        verifyCallerUserId(callingUserId);
++
+         final long token = injectClearCallingIdentity();
+         try {
+             return mShortcutRequestPinProcessor

Patches/LineageOS-16.0/android_frameworks_base/399075-backport.patch

@@ -0,0 +1,147 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 30 Nov 2023 23:12:39 +0000
+Subject: [PATCH] Added throttle when reporting shortcut usage
+
+Bug: 304290201
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:76121eb73d4c40829d5513b073871333520fe0a2)
+Merged-In: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+Change-Id: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+---
+ .../android/server/pm/ShortcutPackage.java    | 35 +++++++++++++++++++
+ .../android/server/pm/ShortcutService.java    | 12 +++----
+ .../server/pm/ShortcutManagerTest2.java       |  2 ++
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index 92e261a72617..10ca7f8cb6ee 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -19,17 +19,20 @@ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.annotation.UserIdInt;
+ import android.content.ComponentName;
++import android.app.usage.UsageStatsManagerInternal;
+ import android.content.Intent;
+ import android.content.pm.PackageInfo;
+ import android.content.pm.ShortcutInfo;
+ import android.content.res.Resources;
+ import android.os.PersistableBundle;
++import android.os.SystemClock;
+ import android.text.format.Formatter;
+ import android.util.ArrayMap;
+ import android.util.ArraySet;
+ import android.util.Log;
+ import android.util.Slog;
+ 
++import com.android.internal.annotations.GuardedBy;
+ import com.android.internal.annotations.VisibleForTesting;
+ import com.android.internal.util.Preconditions;
+ import com.android.internal.util.XmlUtils;
+@@ -105,6 +108,11 @@ class ShortcutPackage extends ShortcutPackageItem {
+     private static final String KEY_BITMAPS = "bitmaps";
+     private static final String KEY_BITMAP_BYTES = "bitmapBytes";
+ 
++    @VisibleForTesting
++    public static final int REPORT_USAGE_BUFFER_SIZE = 3;
++
++    private final Object mLock = new Object();
++
+     /**
+      * All the shortcuts from the package, keyed on IDs.
+      */
+@@ -124,6 +132,9 @@ class ShortcutPackage extends ShortcutPackageItem {
+ 
+     private long mLastKnownForegroundElapsedTime;
+ 
++    @GuardedBy("mLock")
++    private List<Long> mLastReportedTime = new ArrayList<>();
++
+     private ShortcutPackage(ShortcutUser shortcutUser,
+             int packageUserId, String packageName, ShortcutPackageInfo spi) {
+         super(shortcutUser, packageUserId, packageName,
+@@ -1236,6 +1247,30 @@ class ShortcutPackage extends ShortcutPackageItem {
+         return false;
+     }
+ 
++    void reportShortcutUsed(@NonNull final UsageStatsManagerInternal usageStatsManagerInternal,
++            @NonNull final String shortcutId) {
++        synchronized (mLock) {
++            final long currentTS = SystemClock.elapsedRealtime();
++            final ShortcutService s = mShortcutUser.mService;
++            if (mLastReportedTime.isEmpty()
++                    || mLastReportedTime.size() < REPORT_USAGE_BUFFER_SIZE) {
++                mLastReportedTime.add(currentTS);
++            } else if (currentTS - mLastReportedTime.get(0) > s.mSaveDelayMillis) {
++                mLastReportedTime.remove(0);
++                mLastReportedTime.add(currentTS);
++            } else {
++                return;
++            }
++            final long token = s.injectClearCallingIdentity();
++            try {
++                usageStatsManagerInternal.reportShortcutUsage(getPackageName(), shortcutId,
++                        getUser().getUserId());
++            } finally {
++                s.injectRestoreCallingIdentity(token);
++            }
++        }
++    }
++
+     public void dump(@NonNull PrintWriter pw, @NonNull String prefix, DumpFilter filter) {
+         pw.println();
+ 
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index e30da13d7d16..8d7f9501e34c 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -311,7 +311,7 @@ public class ShortcutService extends IShortcutService.Stub {
+     private CompressFormat mIconPersistFormat;
+     private int mIconPersistQuality;
+ 
+-    private int mSaveDelayMillis;
++    int mSaveDelayMillis;
+ 
+     private final IPackageManager mIPackageManager;
+     private final PackageManagerInternal mPackageManagerInternal;
+@@ -2215,10 +2215,11 @@ public class ShortcutService extends IShortcutService.Stub {
+                     shortcutId, packageName, userId));
+         }
+ 
++        final ShortcutPackage ps;
+         synchronized (mLock) {
+             throwIfUserLockedL(userId);
+ 
+-            final ShortcutPackage ps = getPackageShortcutsForPublisherLocked(packageName, userId);
++            ps = getPackageShortcutsForPublisherLocked(packageName, userId);
+ 
+             if (ps.findShortcutById(shortcutId) == null) {
+                 Log.w(TAG, String.format("reportShortcutUsed: package %s doesn't have shortcut %s",
+@@ -2227,12 +2228,7 @@ public class ShortcutService extends IShortcutService.Stub {
+             }
+         }
+ 
+-        final long token = injectClearCallingIdentity();
+-        try {
+-            mUsageStatsManagerInternal.reportShortcutUsage(packageName, shortcutId, userId);
+-        } finally {
+-            injectRestoreCallingIdentity(token);
+-        }
++        ps.reportShortcutUsed(mUsageStatsManagerInternal, shortcutId);
+     }
+ 
+     @Override
+diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+index fcdadaccd2ac..296265100e09 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+@@ -1869,6 +1869,8 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
+ 
+     public void testReportShortcutUsed() {
+         mRunningUsers.put(USER_10, true);
++        mService.updateConfigurationLocked(
++                ShortcutService.ConfigConstants.KEY_SAVE_DELAY_MILLIS + "=1");
+ 
+         runWithCaller(CALLING_PACKAGE_1, USER_10, () -> {
+             reset(mMockUsageStatsManagerInternal);

Patches/LineageOS-16.0/android_frameworks_base/399076.patch

@@ -0,0 +1,53 @@
+From a8d8d9bb68570d395ddb20449ee466e2b468840c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Tue, 20 Jul 2021 00:01:29 +0000
+Subject: [PATCH] Prevend user spoofing in isRequestPinItemSupported
+
+This CL ensure the caller process is from the same user when calling
+ShortcutService#isRequestPinItemSupported.
+
+Bug: 191772737
+Test: atest ShortcutManagerTest1 ShortcutManagerTest2
+    ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5
+    ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8
+    ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11
+    ShortcutManagerTest12
+Test: atest CtsShortcutManagerTestCases
+Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485
+---
+ .../com/android/server/pm/ShortcutService.java    | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index c18cdcb891409..f4c8127439181 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -1566,6 +1566,19 @@ void injectEnforceCallingPermission(
+         mContext.enforceCallingPermission(permission, message);
+     }
+ 
++    private void verifyCallerUserId(@UserIdInt int userId) {
++        if (isCallerSystem()) {
++            return; // no check
++        }
++
++        final int callingUid = injectBinderCallingUid();
++
++        // Otherwise, make sure the arguments are valid.
++        if (UserHandle.getUserId(callingUid) != userId) {
++            throw new SecurityException("Invalid user-ID");
++        }
++    }
++
+     private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) {
+         Preconditions.checkStringNotEmpty(packageName, "packageName");
+ 
+@@ -2303,6 +2316,8 @@ public void reportShortcutUsed(String packageName, String shortcutId, int userId
+ 
+     @Override
+     public boolean isRequestPinItemSupported(int callingUserId, int requestType) {
++        verifyCallerUserId(callingUserId);
++
+         final long token = injectClearCallingIdentity();
+         try {
+             return mShortcutRequestPinProcessor

Patches/LineageOS-18.1/android_frameworks_base/399075-backport.patch

@@ -0,0 +1,174 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 30 Nov 2023 23:12:39 +0000
+Subject: [PATCH] Added throttle when reporting shortcut usage
+
+Bug: 304290201
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:76121eb73d4c40829d5513b073871333520fe0a2)
+Merged-In: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+Change-Id: I96370cbd4f6a55f894c1a93307e5f82dfd394652
+---
+ .../android/server/pm/ShortcutPackage.java    | 35 +++++++++++++++++++
+ .../server/pm/ShortcutPackage.java.rej        | 16 +++++++++
+ .../android/server/pm/ShortcutService.java    | 12 +++----
+ .../server/pm/ShortcutManagerTest2.java       |  2 ++
+ 4 files changed, 57 insertions(+), 8 deletions(-)
+ create mode 100644 services/core/java/com/android/server/pm/ShortcutPackage.java.rej
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index 4bc3cdb730a3..dabbf375a5e2 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -19,6 +19,7 @@ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.annotation.UserIdInt;
+ import android.app.Person;
++import android.app.usage.UsageStatsManagerInternal;
+ import android.content.ComponentName;
+ import android.content.Intent;
+ import android.content.IntentFilter;
+@@ -29,6 +30,7 @@ import android.content.pm.ShortcutManager;
+ import android.content.res.Resources;
+ import android.graphics.drawable.Icon;
+ import android.os.PersistableBundle;
++import android.os.SystemClock;
+ import android.text.format.Formatter;
+ import android.util.ArrayMap;
+ import android.util.ArraySet;
+@@ -37,6 +39,7 @@ import android.util.Log;
+ import android.util.Slog;
+ import android.util.Xml;
+ 
++import com.android.internal.annotations.GuardedBy;
+ import com.android.internal.annotations.VisibleForTesting;
+ import com.android.internal.util.ArrayUtils;
+ import com.android.internal.util.CollectionUtils;
+@@ -132,6 +135,11 @@ class ShortcutPackage extends ShortcutPackageItem {
+     private static final String KEY_BITMAPS = "bitmaps";
+     private static final String KEY_BITMAP_BYTES = "bitmapBytes";
+ 
++    @VisibleForTesting
++    public static final int REPORT_USAGE_BUFFER_SIZE = 3;
++
++    private final Object mLock = new Object();
++
+     /**
+      * All the shortcuts from the package, keyed on IDs.
+      */
+@@ -156,6 +164,9 @@ class ShortcutPackage extends ShortcutPackageItem {
+ 
+     private long mLastKnownForegroundElapsedTime;
+ 
++    @GuardedBy("mLock")
++    private List<Long> mLastReportedTime = new ArrayList<>();
++
+     private ShortcutPackage(ShortcutUser shortcutUser,
+             int packageUserId, String packageName, ShortcutPackageInfo spi) {
+         super(shortcutUser, packageUserId, packageName,
+@@ -1545,6 +1556,30 @@ class ShortcutPackage extends ShortcutPackageItem {
+         return false;
+     }
+ 
++    void reportShortcutUsed(@NonNull final UsageStatsManagerInternal usageStatsManagerInternal,
++            @NonNull final String shortcutId) {
++        synchronized (mLock) {
++            final long currentTS = SystemClock.elapsedRealtime();
++            final ShortcutService s = mShortcutUser.mService;
++            if (mLastReportedTime.isEmpty()
++                    || mLastReportedTime.size() < REPORT_USAGE_BUFFER_SIZE) {
++                mLastReportedTime.add(currentTS);
++            } else if (currentTS - mLastReportedTime.get(0) > s.mSaveDelayMillis) {
++                mLastReportedTime.remove(0);
++                mLastReportedTime.add(currentTS);
++            } else {
++                return;
++            }
++            final long token = s.injectClearCallingIdentity();
++            try {
++                usageStatsManagerInternal.reportShortcutUsage(getPackageName(), shortcutId,
++                        getUser().getUserId());
++            } finally {
++                s.injectRestoreCallingIdentity(token);
++            }
++        }
++    }
++
+     public void dump(@NonNull PrintWriter pw, @NonNull String prefix, DumpFilter filter) {
+         pw.println();
+ 
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java.rej b/services/core/java/com/android/server/pm/ShortcutPackage.java.rej
+new file mode 100644
+index 000000000000..fee101cb86a7
+--- /dev/null
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java.rej
+@@ -0,0 +1,16 @@
++diff a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java	(rejected hunks)
++@@ -28,12 +29,14 @@
++ import android.content.pm.ShortcutManager;
++ import android.content.res.Resources;
++ import android.os.PersistableBundle;
+++import android.os.SystemClock;
++ import android.text.format.Formatter;
++ import android.util.ArrayMap;
++ import android.util.ArraySet;
++ import android.util.Log;
++ import android.util.Slog;
++ 
+++import com.android.internal.annotations.GuardedBy;
++ import com.android.internal.annotations.VisibleForTesting;
++ import com.android.internal.util.ArrayUtils;
++ import com.android.internal.util.Preconditions;
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index 2b00ab5d6669..3d1fce98307d 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -338,7 +338,7 @@ public class ShortcutService extends IShortcutService.Stub {
+     private CompressFormat mIconPersistFormat;
+     private int mIconPersistQuality;
+ 
+-    private int mSaveDelayMillis;
++    int mSaveDelayMillis;
+ 
+     private final IPackageManager mIPackageManager;
+     private final PackageManagerInternal mPackageManagerInternal;
+@@ -2591,10 +2591,11 @@ public class ShortcutService extends IShortcutService.Stub {
+                     shortcutId, packageName, userId));
+         }
+ 
++        final ShortcutPackage ps;
+         synchronized (mLock) {
+             throwIfUserLockedL(userId);
+ 
+-            final ShortcutPackage ps = getPackageShortcutsForPublisherLocked(packageName, userId);
++            ps = getPackageShortcutsForPublisherLocked(packageName, userId);
+ 
+             if (ps.findShortcutById(shortcutId) == null) {
+                 Log.w(TAG, String.format("reportShortcutUsed: package %s doesn't have shortcut %s",
+@@ -2603,12 +2604,7 @@ public class ShortcutService extends IShortcutService.Stub {
+             }
+         }
+ 
+-        final long token = injectClearCallingIdentity();
+-        try {
+-            mUsageStatsManagerInternal.reportShortcutUsage(packageName, shortcutId, userId);
+-        } finally {
+-            injectRestoreCallingIdentity(token);
+-        }
++        ps.reportShortcutUsed(mUsageStatsManagerInternal, shortcutId);
+     }
+ 
+     @Override
+diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+index 088d693205c2..c509cb8baf0d 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+@@ -2130,6 +2130,8 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
+ 
+     public void testReportShortcutUsed() {
+         mRunningUsers.put(USER_10, true);
++        mService.updateConfigurationLocked(
++                ShortcutService.ConfigConstants.KEY_SAVE_DELAY_MILLIS + "=1");
+ 
+         runWithCaller(CALLING_PACKAGE_1, USER_10, () -> {
+             reset(mMockUsageStatsManagerInternal);

Patches/LineageOS-18.1/android_frameworks_base/399076.patch

@@ -0,0 +1,53 @@
+From a8d8d9bb68570d395ddb20449ee466e2b468840c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Tue, 20 Jul 2021 00:01:29 +0000
+Subject: [PATCH] Prevend user spoofing in isRequestPinItemSupported
+
+This CL ensure the caller process is from the same user when calling
+ShortcutService#isRequestPinItemSupported.
+
+Bug: 191772737
+Test: atest ShortcutManagerTest1 ShortcutManagerTest2
+    ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5
+    ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8
+    ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11
+    ShortcutManagerTest12
+Test: atest CtsShortcutManagerTestCases
+Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485
+---
+ .../com/android/server/pm/ShortcutService.java    | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index c18cdcb891409..f4c8127439181 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -1566,6 +1566,19 @@ void injectEnforceCallingPermission(
+         mContext.enforceCallingPermission(permission, message);
+     }
+ 
++    private void verifyCallerUserId(@UserIdInt int userId) {
++        if (isCallerSystem()) {
++            return; // no check
++        }
++
++        final int callingUid = injectBinderCallingUid();
++
++        // Otherwise, make sure the arguments are valid.
++        if (UserHandle.getUserId(callingUid) != userId) {
++            throw new SecurityException("Invalid user-ID");
++        }
++    }
++
+     private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) {
+         Preconditions.checkStringNotEmpty(packageName, "packageName");
+ 
+@@ -2303,6 +2316,8 @@ public void reportShortcutUsed(String packageName, String shortcutId, int userId
+ 
+     @Override
+     public boolean isRequestPinItemSupported(int callingUserId, int requestType) {
++        verifyCallerUserId(callingUserId);
++
+         final long token = injectClearCallingIdentity();
+         try {
+             return mShortcutRequestPinProcessor

Scripts/LineageOS-14.1/Patch.sh

@@ -282,6 +282,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 F
 applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/388831.patch"; #n-asb-2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/399075-backport.patch"; #Q_asb_2024-06 Added throttle when reporting shortcut usage
 applyPatch "$DOS_PATCHES/android_frameworks_base/393646.patch"; #n-asb-2024-06 Add more checkKeyIntent checks to AccountManagerService.
 applyPatch "$DOS_PATCHES/android_frameworks_base/393647.patch"; #n-asb-2024-06 Adds additional sanitization for Zygote command arguments.
 applyPatch "$DOS_PATCHES/android_frameworks_base/393648.patch"; #n-asb-2024-06 Check hidden API exemptions

Scripts/LineageOS-15.1/Patch.sh

@@ -258,6 +258,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 R
 applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/389014-backport.patch"; #S_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/399075-backport.patch"; #Q_asb_2024-06 Added throttle when reporting shortcut usage
+applyPatch "$DOS_PATCHES/android_frameworks_base/399076.patch"; #Q_asb_2024-06 Prevend user spoofing in isRequestPinItemSupported
 applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
 applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
 applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
@@ -556,6 +558,10 @@ applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
 applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; #(GrapheneOS)
 fi;
 
+if enterAndClear "system/libfmq"; then
+applyPatch "$DOS_PATCHES_COMMON/android_system_libfmq/399071.patch"; #Q_asb_2024-06 Use the values of the ptrs that we check
+fi;
+
 if enterAndClear "system/netd"; then
 applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
 #applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS) #XXX can break apps without relaxed variant backport

Scripts/LineageOS-16.0/Patch.sh

@@ -321,6 +321,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 C
 applyPatch "$DOS_PATCHES/android_frameworks_base/389269.patch"; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
 applyPatch "$DOS_PATCHES/android_frameworks_base/389270.patch"; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
 applyPatch "$DOS_PATCHES/android_frameworks_base/394877.patch"; #P_asb_2024-06 Verify URI permission for channel sound update from NotificationListenerService
+applyPatch "$DOS_PATCHES/android_frameworks_base/399075-backport.patch"; #Q_asb_2024-06 Added throttle when reporting shortcut usage
+applyPatch "$DOS_PATCHES/android_frameworks_base/399076.patch"; #Q_asb_2024-06 Prevend user spoofing in isRequestPinItemSupported
 applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
 applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
 applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
@@ -684,6 +686,10 @@ if enterAndClear "system/extras"; then
 applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
 fi;
 
+if enterAndClear "system/libfmq"; then
+applyPatch "$DOS_PATCHES_COMMON/android_system_libfmq/399071.patch"; #Q_asb_2024-06 Use the values of the ptrs that we check
+fi;
+
 if enterAndClear "system/netd"; then
 applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
 #applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)

Scripts/LineageOS-17.1/Patch.sh

@@ -664,7 +664,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #
 fi;
 
 if enterAndClear "system/libfmq"; then
-applyPatch "$DOS_PATCHES/android_system_libfmq/399071.patch"; #Q_asb_2024-06 Use the values of the ptrs that we check
+applyPatch "$DOS_PATCHES_COMMON/android_system_libfmq/399071.patch"; #Q_asb_2024-06 Use the values of the ptrs that we check
 fi;
 
 if enterAndClear "system/netd"; then

Scripts/LineageOS-18.1/Patch.sh

@@ -148,6 +148,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/392207.patch"; #R_asb_2024-05 P
 applyPatch "$DOS_PATCHES/android_frameworks_base/394553.patch"; #R_asb_2024-06 ActivityManager#killBackgroundProcesses can kill caller's own app only
 applyPatch "$DOS_PATCHES/android_frameworks_base/394554.patch"; #R_asb_2024-06 Fix ActivityManager#killBackgroundProcesses permissions
 applyPatch "$DOS_PATCHES/android_frameworks_base/394555.patch"; #R_asb_2024-06 Verify URI permission for channel sound update from NotificationListenerService
+applyPatch "$DOS_PATCHES/android_frameworks_base/399075-backport.patch"; #Q_asb_2024-06 Added throttle when reporting shortcut usage
+applyPatch "$DOS_PATCHES/android_frameworks_base/399076.patch"; #Q_asb_2024-06 Prevend user spoofing in isRequestPinItemSupported
 applyPatch "$DOS_PATCHES/android_frameworks_base/394556.patch"; #R_asb_2024-06 Check for NLS bind permission when rebinding services
 applyPatch "$DOS_PATCHES/android_frameworks_base/394557.patch"; #R_asb_2024-06 Hide window immediately if itself doesn't run hide animation
 applyPatch "$DOS_PATCHES/android_frameworks_base/394558.patch"; #R_asb_2024-06 Fix error handling for non-dynamic permissions
@@ -451,6 +453,10 @@ if enterAndClear "system/extras"; then
 applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
 fi;
 
+if enterAndClear "system/libfmq"; then
+applyPatch "$DOS_PATCHES_COMMON/android_system_libfmq/399071.patch"; #Q_asb_2024-06 Use the values of the ptrs that we check
+fi;
+
 if enterAndClear "system/netd"; then
 applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)