Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-06-17 18:33:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

15.1 ASB work

Browse Source 
Compile tested

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-08-12 16:37:51 -04:00
parent 8b67d5c41e
commit ebdf629cbc
49 changed files with 2550 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
Patches/LineageOS-15.1/android_frameworks_base/330961-backport.patch Normal file
View File

@ -0,0 +1,157 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matt Pietal <mpietal@google.com>
Date: Fri, 1 Oct 2021 11:03:16 -0400
Subject: [PATCH] Keyguard - Treat messsages to lock with priority
When switching users and attempting to lock the device, the sysui main
thread becomes overwhelmed with events, creating a significant lag
between the time a message is posted and processed on the main
thread. This can be dangerous when these events are critical for
security, such as calls coming from PhoneWindowManager#lockNow() that
call KeyguardViewMediator#doKeyguardTimeout(). On older devices with
slower CPUs and less memory, the delay in processing can be
significant (15 - 30s).
The result of not prioritizing these events leads to a window of time
where a guest user can switch back to the owner, and gain access to
the owner's homescreen without needing to unlock the device with the
owner's credentials.
As a mitigation, prioritize two events originating in two specific
methods to make sure the device locks as soon as possible as well as
have the system server preemptively update its local cache.
Bug: 151095871
Test: Very manual race condition - follow steps listed in bug
Change-Id: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
(cherry picked from commit 28c53ab8bca26af58b45625c1ebba8b9051c107d)
(cherry picked from commit 563fdf4259d0e28fd960acbb63431e146707d11b)
Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
---
.../internal/policy/IKeyguardStateCallback.aidl | 2 +-
.../systemui/keyguard/KeyguardViewMediator.java | 16 +++++++++++-----
.../policy/keyguard/KeyguardServiceWrapper.java | 6 ++++++
.../policy/keyguard/KeyguardStateMonitor.java | 8 +++++---
4 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl
index 8e454db4cb04..a8003a1169e9 100644
--- a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl
+++ b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl
@@ -16,7 +16,7 @@
package com.android.internal.policy;
interface IKeyguardStateCallback {
- void onShowingStateChanged(boolean showing);
+ void onShowingStateChanged(boolean showing, int userId);
void onSimSecureStateChanged(boolean simSecure);
void onInputRestrictedStateChanged(boolean inputRestricted);
void onTrustedChanged(boolean trusted);
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index 83141f135c90..55db01aca600 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -1226,7 +1226,9 @@ public class KeyguardViewMediator extends SystemUI {
public void doKeyguardTimeout(Bundle options) {
mHandler.removeMessages(KEYGUARD_TIMEOUT);
Message msg = mHandler.obtainMessage(KEYGUARD_TIMEOUT, options);
- mHandler.sendMessage(msg);
+ // Treat these messages with priority - A call to timeout means the device should lock
+ // as soon as possible and not wait for other messages on the thread to process first.
+ mHandler.sendMessageAtFrontOfQueue(msg);
}
/**
@@ -1421,12 +1423,15 @@ public class KeyguardViewMediator extends SystemUI {
* @see #handleShow
*/
private void showLocked(Bundle options) {
- Trace.beginSection("KeyguardViewMediator#showLocked aqcuiring mShowKeyguardWakeLock");
+ Trace.beginSection("KeyguardViewMediator#showLocked acquiring mShowKeyguardWakeLock");
if (DEBUG) Log.d(TAG, "showLocked");
// ensure we stay awake until we are finished displaying the keyguard
mShowKeyguardWakeLock.acquire();
Message msg = mHandler.obtainMessage(SHOW, options);
- mHandler.sendMessage(msg);
+ // Treat these messages with priority - This call can originate from #doKeyguardTimeout,
+ // meaning the device should lock as soon as possible and not wait for other messages on
+ // the thread to process first.
+ mHandler.sendMessageAtFrontOfQueue(msg);
Trace.endSection();
}
@@ -1579,6 +1584,7 @@ public class KeyguardViewMediator extends SystemUI {
case KEYGUARD_TIMEOUT:
synchronized (KeyguardViewMediator.this) {
doKeyguardLocked((Bundle) msg.obj);
+ notifyDefaultDisplayCallbacks(mShowing);
}
break;
case DISMISS:
@@ -2122,7 +2128,7 @@ public class KeyguardViewMediator extends SystemUI {
for (int i = size - 1; i >= 0; i--) {
IKeyguardStateCallback callback = mKeyguardStateCallbacks.get(i);
try {
- callback.onShowingStateChanged(showing);
+ callback.onShowingStateChanged(showing, KeyguardUpdateMonitor.getCurrentUser());
} catch (RemoteException e) {
Slog.w(TAG, "Failed to call onShowingStateChanged", e);
if (e instanceof DeadObjectException) {
@@ -2170,7 +2176,7 @@ public class KeyguardViewMediator extends SystemUI {
mKeyguardStateCallbacks.add(callback);
try {
callback.onSimSecureStateChanged(mUpdateMonitor.isSimPinSecure());
- callback.onShowingStateChanged(mShowing);
+ callback.onShowingStateChanged(mShowing, KeyguardUpdateMonitor.getCurrentUser());
callback.onInputRestrictedStateChanged(mInputRestricted);
callback.onTrustedChanged(mUpdateMonitor.getUserHasTrust(
KeyguardUpdateMonitor.getCurrentUser()));
diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java
index 952e0b017041..6bbc20338b02 100644
--- a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java
+++ b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java
@@ -192,6 +192,12 @@ public class KeyguardServiceWrapper implements IKeyguardService {
@Override // Binder interface
public void doKeyguardTimeout(Bundle options) {
+ int userId = mKeyguardStateMonitor.getCurrentUser();
+ if (mKeyguardStateMonitor.isSecure(userId)) {
+ // Preemptively inform the cache that the keyguard will soon be showing, as calls to
+ // doKeyguardTimeout are a signal to lock the device as soon as possible.
+ mKeyguardStateMonitor.onShowingStateChanged(true, userId);
+ }
try {
mService.doKeyguardTimeout(options);
} catch (RemoteException e) {
diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
index fd34c510d98d..d454f26a4317 100644
--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
@@ -84,7 +84,9 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
}
@Override // Binder interface
- public void onShowingStateChanged(boolean showing) {
+ public void onShowingStateChanged(boolean showing, int userId) {
+ if (userId != mCurrentUserId) return;
+
mIsShowing = showing;
mCallback.onShowingChanged();
@@ -99,7 +101,7 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
mCurrentUserId = userId;
}
- private synchronized int getCurrentUser() {
+ public synchronized int getCurrentUser() {
return mCurrentUserId;
}
@@ -133,4 +135,4 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
pw.println(prefix + "mTrusted=" + mTrusted);
pw.println(prefix + "mCurrentUserId=" + mCurrentUserId);
}
-}
\ No newline at end of file
+}

87
Patches/LineageOS-15.1/android_frameworks_base/331108.patch Normal file
View File

@ -0,0 +1,87 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Buynytskyy <alexbuy@google.com>
Date: Thu, 24 Feb 2022 21:40:13 -0800
Subject: [PATCH] Always restart apps if base.apk gets updated.
Bug: 219044664
Fixes: 219044664
Test: atest PackageManagerShellCommandTest
Change-Id: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
(cherry picked from commit a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2)
Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
---
.../android/content/pm/IPackageInstallerSession.aidl | 2 ++
core/java/android/content/pm/PackageInstaller.java | 12 ++++++++++++
.../android/server/pm/PackageInstallerSession.java | 10 ++++++++++
3 files changed, 24 insertions(+)
diff --git a/core/java/android/content/pm/IPackageInstallerSession.aidl b/core/java/android/content/pm/IPackageInstallerSession.aidl
index 0b16852246f8..7e395ba13c49 100644
--- a/core/java/android/content/pm/IPackageInstallerSession.aidl
+++ b/core/java/android/content/pm/IPackageInstallerSession.aidl
@@ -35,4 +35,6 @@ interface IPackageInstallerSession {
void commit(in IntentSender statusReceiver, boolean forTransferred);
void transfer(in String packageName);
void abandon();
+
+ int getInstallFlags();
}
diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java
index 8fdbf64c2759..81f04b7450bc 100644
--- a/core/java/android/content/pm/PackageInstaller.java
+++ b/core/java/android/content/pm/PackageInstaller.java
@@ -1012,6 +1012,18 @@ public class PackageInstaller {
throw e.rethrowFromSystemServer();
}
}
+
+ /**
+ * @return Session's {@link SessionParams#installFlags}.
+ * @hide
+ */
+ public int getInstallFlags() {
+ try {
+ return mSession.getInstallFlags();
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
}
/**
diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java
index ab1079c8da4d..2d3ddf19cf3a 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java
@@ -81,6 +81,7 @@ import android.system.OsConstants;
import android.system.StructStat;
import android.text.TextUtils;
import android.util.ArraySet;
+import android.util.EventLog;
import android.util.ExceptionUtils;
import android.util.MathUtils;
import android.util.Slog;
@@ -1147,6 +1148,10 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
if (mResolvedBaseFile == null) {
mResolvedBaseFile = new File(appInfo.getBaseCodePath());
mResolvedInheritedFiles.add(mResolvedBaseFile);
+ } else if ((params.installFlags & PackageManager.INSTALL_DONT_KILL_APP) != 0) {
+ EventLog.writeEvent(0x534e4554, "219044664");
+ // Installing base.apk. Make sure the app is restarted.
+ params.setDontKillApp(false);
}
// Inherit splits if not overridden
@@ -1514,6 +1519,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
dispatchSessionFinished(INSTALL_FAILED_ABORTED, "Session was abandoned", null);
}
+ @Override
+ public int getInstallFlags() {
+ return params.installFlags;
+ }
+
private void dispatchSessionFinished(int returnCode, String msg, Bundle extras) {
final IPackageInstallObserver2 observer;
final String packageName;

40
Patches/LineageOS-15.1/android_frameworks_base/332449.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julia Reynolds <juliacr@google.com>
Date: Tue, 1 Mar 2022 10:30:27 -0500
Subject: [PATCH] DO NOT MERGE Add an OEM configurable limit for zen rules
Test: ZenModeHelperTest
Bug: 220735360
Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
(cherry picked from commit 3072d98c2dc2b709bd8ffc343c101557a53dd188)
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
---
.../com/android/server/notification/ZenModeHelper.java | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/notification/ZenModeHelper.java b/services/core/java/com/android/server/notification/ZenModeHelper.java
index ffdafc562673..6b72ae63c463 100644
--- a/services/core/java/com/android/server/notification/ZenModeHelper.java
+++ b/services/core/java/com/android/server/notification/ZenModeHelper.java
@@ -83,6 +83,7 @@ public class ZenModeHelper {
// The amount of time rules instances can exist without their owning app being installed.
private static final int RULE_INSTANCE_GRACE_PERIOD = 1000 * 60 * 60 * 72;
+ static final int RULE_LIMIT_PER_PACKAGE = 100;
private final Context mContext;
private final H mHandler;
@@ -305,8 +306,10 @@ public class ZenModeHelper {
ruleInstanceLimit = owner.metaData.getInt(
ConditionProviderService.META_DATA_RULE_INSTANCE_LIMIT, -1);
}
- if (ruleInstanceLimit > 0 && ruleInstanceLimit
- < (getCurrentInstanceCount(automaticZenRule.getOwner()) + 1)) {
+ int newRuleInstanceCount = getCurrentInstanceCount(automaticZenRule.getOwner())
+ + 1;
+ if (newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE
+ || (ruleInstanceLimit > 0 && ruleInstanceLimit < newRuleInstanceCount)) {
throw new IllegalArgumentException("Rule instance limit exceeded");
}
}

36
Patches/LineageOS-15.1/android_frameworks_base/332757.patch Normal file
View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Mon, 31 Jan 2022 20:31:42 +0000
Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10; api doc
update
bug: 209814693
Bug: 217934478
Test: CTS
Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
(cherry picked from commit f0f67b5a319efedbf8693b436a641fa65bc2d8be)
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
---
telecomm/java/android/telecom/TelecomManager.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java
index 53ebbe47d23a..6dc3f917533a 100644
--- a/telecomm/java/android/telecom/TelecomManager.java
+++ b/telecomm/java/android/telecom/TelecomManager.java
@@ -960,9 +960,14 @@ public class TelecomManager {
* when placing calls. The user may still need to enable the {@link PhoneAccount} within
* the phone app settings before the account is usable.
* <p>
+ * Note: Each package is limited to 10 {@link PhoneAccount} registrations.
+ * <p>
* A {@link SecurityException} will be thrown if an app tries to register a
* {@link PhoneAccountHandle} where the package name specified within
* {@link PhoneAccountHandle#getComponentName()} does not match the package name of the app.
+ * <p>
+ * A {@link IllegalArgumentException} will be thrown if an app tries to register a
+ * {@link PhoneAccount} when the upper bound limit, 10, has already been reached.
*
* @param account The complete {@link PhoneAccount}.
*/

45
Patches/LineageOS-15.1/android_frameworks_base/332776.patch Normal file
View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Christie <dnchrist@google.com>
Date: Fri, 11 Mar 2022 01:13:31 +0000
Subject: [PATCH] Update GeofenceHardwareRequestParcelable to match
parcel/unparcel format.
Test: manual
Bug: 216631962
Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
(cherry picked from commit 3e1ffdb29417f4fb994587a013fa56c83e157f6f)
Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
---
.../location/GeofenceHardwareRequestParcelable.java | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
index d3311f5c8c5e..fc27d1de6372 100644
--- a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
+++ b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
@@ -16,9 +16,9 @@
package android.hardware.location;
+import android.os.BadParcelableException;
import android.os.Parcel;
import android.os.Parcelable;
-import android.util.Log;
/**
* Geofence Hardware Request used for internal location services communication.
@@ -139,11 +139,8 @@ public final class GeofenceHardwareRequestParcelable implements Parcelable {
@Override
public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) {
int geofenceType = parcel.readInt();
- if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
- Log.e(
- "GeofenceHardwareRequest",
- String.format("Invalid Geofence type: %d", geofenceType));
- return null;
+ if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
+ throw new BadParcelableException("Invalid Geofence type: " + geofenceType);
}
GeofenceHardwareRequest request = GeofenceHardwareRequest.createCircularGeofence(

41
Patches/LineageOS-15.1/android_frameworks_base/332778.patch Normal file
View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ayush Sharma <ayushsha@google.com>
Date: Wed, 16 Mar 2022 10:32:23 +0000
Subject: [PATCH] Fix security hole in GateKeeperResponse
GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.
We fixed related issues previously for GateKeeperResponse class, but
one of the case was remaining when payload is byte array of size 0,
Fixing this case now.
Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)
Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
(cherry picked from commit 658c53c47c0d1b6a74d3c0a72372aaaba16c2516)
Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
---
core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index 9b529345851b..4502c0ef2898 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -103,7 +103,7 @@ public final class GateKeeperResponse implements Parcelable {
dest.writeInt(mTimeout);
} else if (mResponseCode == RESPONSE_OK) {
dest.writeInt(mShouldReEnroll ? 1 : 0);
- if (mPayload != null) {
+ if (mPayload != null && mPayload.length > 0) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
} else {

45
Patches/LineageOS-15.1/android_frameworks_base/332779.patch Normal file
View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Oli Lan <olilan@google.com>
Date: Fri, 25 Mar 2022 10:02:41 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting
system apps.
This addresses a security issue where the guest user can remove updates
for system apps.
With this CL, attempts to uninstall/downgrade system apps will fail if
attempted by a non-admin user.
This is a backport of ag/17352264.
Bug: 170646036
Test: manual, try uninstalling system app update as guest
Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
(cherry picked from commit a7621e0ce00f1d140b375518e26cf75693314203)
Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
---
.../com/android/server/pm/PackageManagerService.java | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c0845d07d753..235e7d19d8f1 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -19837,6 +19837,16 @@ public class PackageManagerService extends IPackageManager.Stub
return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
}
+ if (isSystemApp(uninstalledPs)) {
+ UserInfo userInfo = sUserManager.getUserInfo(userId);
+ if (userInfo == null || !userInfo.isAdmin()) {
+ Slog.w(TAG, "Not removing package " + packageName
+ + " as only admin user may downgrade system apps");
+ EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
+ return PackageManager.DELETE_FAILED_USER_RESTRICTED;
+ }
+ }
+
// Static shared libs can be declared by any package, so let us not
// allow removing a package if it provides a lib others depend on.
pkg = mPackages.get(packageName);

55
Patches/LineageOS-15.1/android_frameworks_base/334257-backport.patch Normal file
View File

@ -0,0 +1,55 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 24 Jan 2022 20:33:11 +0000
Subject: [PATCH] UserDataPreparer: reboot to recovery if preparing user
storage fails
StorageManager.prepareUserStorage() can throw an exception if a
directory cannot be encrypted, for example due to already being
nonempty. In this case, usage of the directory must not be allowed to
proceed. UserDataPreparer currently handles this by deleting the user's
directories, but the error is still ultimately suppressed and starting
the user is still allowed to proceed.
The correct behavior in this case is to reboot into recovery to ask the
user to factory reset the device. This is already what happens when
'init' fails to encrypt a directory with the system DE policy. However,
this was overlooked for the user directories. Start doing this.
Bug: 164488924
Bug: 224585613
Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
(cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254)
Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
(cherry picked from commit ea010f3dd213bb6b5f3ed28b89988754ed26aac6)
Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
---
.../core/java/com/android/server/pm/UserDataPreparer.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java
index b8b00af448eb..aaba1800949b 100644
--- a/services/core/java/com/android/server/pm/UserDataPreparer.java
+++ b/services/core/java/com/android/server/pm/UserDataPreparer.java
@@ -20,6 +20,7 @@ import android.content.Context;
import android.content.pm.UserInfo;
import android.os.Environment;
import android.os.FileUtils;
+import android.os.RecoverySystem;
import android.os.storage.StorageManager;
import android.os.storage.VolumeInfo;
import android.system.ErrnoException;
@@ -104,6 +105,13 @@ class UserDataPreparer {
if (allowRecover) {
// Try one last time; if we fail again we're really in trouble
prepareUserDataLI(volumeUuid, userId, userSerial, flags, false);
+ } else {
+ try {
+ Log.e(TAG, "prepareUserData failed", e);
+ RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed");
+ } catch (IOException e2) {
+ throw new RuntimeException("error rebooting into recovery", e2);
+ }
}
}
}

53
Patches/LineageOS-15.1/android_frameworks_base/334258-backport.patch Normal file
View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Fri, 4 Mar 2022 00:07:29 +0000
Subject: [PATCH] UserDataPreparer: reboot to recovery for system user only
With the next CL, old devices might contain a combination of old users
with prepareUserStorage error checking disabled and new users with
prepareUserStorage error checking enabled. Factory resetting the whole
device when any user fails to prepare may be too aggressive. Also,
UserDataPreparer already destroys the affected user's storage when it
fails to prepare, which seems to be fairly effective at breaking things
for that user (absent proper error handling by upper layers).
Therefore, let's only factory reset the device if the failing user is
the system user.
Bug: 164488924
Bug: 224585613
Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
(cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7)
Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
(cherry picked from commit a296a2b724f3b7233952740231a49d432949276b)
Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
---
.../core/java/com/android/server/pm/UserDataPreparer.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java
index aaba1800949b..965e6096e103 100644
--- a/services/core/java/com/android/server/pm/UserDataPreparer.java
+++ b/services/core/java/com/android/server/pm/UserDataPreparer.java
@@ -21,6 +21,7 @@ import android.content.pm.UserInfo;
import android.os.Environment;
import android.os.FileUtils;
import android.os.RecoverySystem;
+import android.os.UserHandle;
import android.os.storage.StorageManager;
import android.os.storage.VolumeInfo;
import android.system.ErrnoException;
@@ -107,8 +108,11 @@ class UserDataPreparer {
prepareUserDataLI(volumeUuid, userId, userSerial, flags, false);
} else {
try {
- Log.e(TAG, "prepareUserData failed", e);
- RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed");
+ Log.wtf(TAG, "prepareUserData failed for user " + userId, e);
+ if (userId == UserHandle.USER_SYSTEM) {
+ RecoverySystem.rebootPromptAndWipeUserData(mContext,
+ "prepareUserData failed for system user");
+ }
} catch (IOException e2) {
throw new RuntimeException("error rebooting into recovery", e2);
}

56
Patches/LineageOS-15.1/android_frameworks_base/334262.patch Normal file
View File

@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julia Reynolds <juliacr@google.com>
Date: Wed, 7 Jul 2021 16:19:44 -0400
Subject: [PATCH] DO NOT MERGE Crash invalid FGS notifications
Test: CTS, ActivityManagerProcessStateTest
Fixes: 191981182
Change-Id: I13a0202b25c8118db47edba11a93c1939c94b392
Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392
(cherry picked from commit 6f657f8f5b7d41af426d6cd8d60bfda6e12057c0)
(cherry picked from commit b6b2906ea6472d182e6ae03c581a63802cd84f08)
Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392
Backport to P:
Make method Notification.isForegroundService() public, as it is the case
in Android 10 and later, see Ia13c1aac0cf91c400594df96ce267e768133f8d1
Change-Id: I214b6ab4f6ecab332fb8b3293fbc3b2212790b38
---
core/java/android/app/Notification.java | 3 ++-
.../server/notification/NotificationManagerService.java | 7 +++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
index eda12623cf65..b7d265c26f22 100644
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java
@@ -5208,8 +5208,9 @@ public class Notification implements Parcelable
/**
* @return whether this notification is a foreground service notification
+ * @hide
*/
- private boolean isForegroundService() {
+ public boolean isForegroundService() {
return (flags & Notification.FLAG_FOREGROUND_SERVICE) != 0;
}
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 54f13956e6b7..9e63265e4e93 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -3535,8 +3535,11 @@ public class NotificationManagerService extends SystemService {
notification.flags &= ~Notification.FLAG_CAN_COLORIZE;
}
- } catch (NameNotFoundException e) {
- Slog.e(TAG, "Cannot create a context for sending app", e);
+ } catch (Exception e) {
+ if (notification.isForegroundService()) {
+ throw new SecurityException("Invalid FGS notification", e);
+ }
+ Slog.e(TAG, "Cannot fix notification", e);
return;
}

136
Patches/LineageOS-15.1/android_frameworks_base/335117-backport.patch Normal file
View File

@ -0,0 +1,136 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeff Chang <chengjeff@google.com>
Date: Wed, 29 Sep 2021 16:49:00 +0800
Subject: [PATCH] Only allow system and same app to apply
relinquishTaskIdentity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Any malicious application could hijack tasks by
android:relinquishTaskIdentity. This vulnerability can perform UI
spoofing or spy on users activities.
This CL limit the usage which only allow system and same app to apply
relinquishTaskIdentity
Bug: 185810717
Test: atest IntentTests
atest ActivityStarterTests
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
(cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec)
Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
---
.../com/android/server/am/TaskRecord.java | 51 ++++++++++++++-----
1 file changed, 39 insertions(+), 12 deletions(-)
diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java
index f83310954c3d..d44f4e3eacbb 100644
--- a/services/core/java/com/android/server/am/TaskRecord.java
+++ b/services/core/java/com/android/server/am/TaskRecord.java
@@ -40,6 +40,7 @@ import android.graphics.Point;
import android.graphics.Rect;
import android.os.Debug;
import android.os.ParcelFileDescriptor;
+import android.os.Process;
import android.os.RemoteException;
import android.os.Trace;
import android.os.UserHandle;
@@ -190,6 +191,11 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
// Do not move the stack as a part of reparenting
public static final int REPARENT_LEAVE_STACK_IN_PLACE = 2;
+ /**
+ * Used to identify if the activity that is installed from device's system image.
+ */
+ boolean mIsEffectivelySystemApp;
+
final int taskId; // Unique identifier for this task.
String affinity; // The affinity name for this task, or null; may change identity.
String rootAffinity; // Initial base affinity, or null; does not change from initial root.
@@ -791,16 +797,24 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
/** Sets the original intent, and the calling uid and package. */
void setIntent(ActivityRecord r) {
- mCallingUid = r.launchedFromUid;
- mCallingPackage = r.launchedFromPackage;
- setIntent(r.intent, r.info);
+ boolean updateIdentity = false;
+ if (this.intent == null) {
+ updateIdentity = true;
+ } else if (!mNeverRelinquishIdentity) {
+ updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp
+ || effectiveUid == r.info.applicationInfo.uid);
+ }
+ if (updateIdentity) {
+ mCallingUid = r.launchedFromUid;
+ mCallingPackage = r.launchedFromPackage;
+ setIntent(r.intent, r.info);
+ }
}
/** Sets the original intent, _without_ updating the calling uid or package. */
private void setIntent(Intent _intent, ActivityInfo info) {
if (intent == null) {
- mNeverRelinquishIdentity =
- (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0;
+ mNeverRelinquishIdentity = (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0;
} else if (mNeverRelinquishIdentity) {
return;
}
@@ -813,6 +827,7 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
rootAffinity = affinity;
}
effectiveUid = info.applicationInfo.uid;
+ mIsEffectivelySystemApp = info.applicationInfo.isSystemApp();
stringName = null;
if (info.targetActivity == null) {
@@ -1648,12 +1663,12 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
// utility activities.
int activityNdx;
final int numActivities = mActivities.size();
- final boolean relinquish = numActivities != 0 &&
- (mActivities.get(0).info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0;
- for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities;
- ++activityNdx) {
+ for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) {
final ActivityRecord r = mActivities.get(activityNdx);
- if (relinquish && (r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
+ if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0
+ || (r.info.applicationInfo.uid != Process.SYSTEM_UID
+ && !r.info.applicationInfo.isSystemApp()
+ && r.info.applicationInfo.uid != effectiveUid)) {
// This will be the top activity for determining taskDescription. Pre-inc to
// overcome initial decrement below.
++activityNdx;
@@ -1711,15 +1726,27 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
int findEffectiveRootIndex() {
int effectiveNdx = 0;
final int topActivityNdx = mActivities.size() - 1;
+ ActivityRecord root = null;
for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) {
final ActivityRecord r = mActivities.get(activityNdx);
if (r.finishing) {
continue;
}
- effectiveNdx = activityNdx;
- if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
+
+ if (root == null) {
+ // Set this as the candidate root since it isn't finishing.
+ root = r;
+ effectiveNdx = activityNdx;
+ }
+ final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid;
+ if ((root.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0
+ || (root.info.applicationInfo.uid != Process.SYSTEM_UID
+ && !root.info.applicationInfo.isSystemApp()
+ && root.info.applicationInfo.uid != uid)) {
break;
}
+ effectiveNdx = activityNdx;
+ root = r;
}
return effectiveNdx;
}

72
Patches/LineageOS-15.1/android_frameworks_base/335119.patch Normal file
View File

@ -0,0 +1,72 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Raphael Kim <raphk@google.com>
Date: Fri, 22 Apr 2022 00:32:08 +0000
Subject: [PATCH] Remove package title from notification access confirmation
intent
Bug: 228178437
Test: Manually confirmed on an application
Change-Id: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
(cherry picked from commit 51d47ec7c875cf964f46965a27a5d36343ea999d)
Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
---
...NotificationAccessConfirmationActivityContract.java | 10 ++++++----
.../companion/CompanionDeviceManagerService.java | 9 ++-------
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java
index 4ce6f609ef73..fdf0e9046eef 100644
--- a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java
+++ b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java
@@ -17,6 +17,7 @@
package com.android.internal.notification;
import android.content.ComponentName;
+import android.content.Context;
import android.content.Intent;
public final class NotificationAccessConfirmationActivityContract {
@@ -25,13 +26,14 @@ public final class NotificationAccessConfirmationActivityContract {
"com.android.settings.notification.NotificationAccessConfirmationActivity");
public static final String EXTRA_USER_ID = "user_id";
public static final String EXTRA_COMPONENT_NAME = "component_name";
- public static final String EXTRA_PACKAGE_TITLE = "package_title";
- public static Intent launcherIntent(int userId, ComponentName component, String packageTitle) {
+ /**
+ * Creates a launcher intent for NotificationAccessConfirmationActivity.
+ */
+ public static Intent launcherIntent(Context context, int userId, ComponentName component) {
return new Intent()
.setComponent(COMPONENT_NAME)
.putExtra(EXTRA_USER_ID, userId)
- .putExtra(EXTRA_COMPONENT_NAME, component)
- .putExtra(EXTRA_PACKAGE_TITLE, packageTitle);
+ .putExtra(EXTRA_COMPONENT_NAME, component);
}
}
diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
index 6dce7eed5eba..727631a346cb 100644
--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
@@ -288,17 +288,12 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
String callingPackage = component.getPackageName();
checkCanCallNotificationApi(callingPackage);
int userId = getCallingUserId();
- String packageTitle = BidiFormatter.getInstance().unicodeWrap(
- getPackageInfo(callingPackage, userId)
- .applicationInfo
- .loadSafeLabel(getContext().getPackageManager())
- .toString());
- long identity = Binder.clearCallingIdentity();
+ final long identity = Binder.clearCallingIdentity();
try {
return PendingIntent.getActivity(getContext(),
0 /* request code */,
NotificationAccessConfirmationActivityContract.launcherIntent(
- userId, component, packageTitle),
+ getContext(), userId, component),
PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_ONE_SHOT
| PendingIntent.FLAG_CANCEL_CURRENT);
} finally {

70
Patches/LineageOS-15.1/android_frameworks_base/335120.patch Normal file
View File

@ -0,0 +1,70 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: chiachangwang <chiachangwang@google.com>
Date: Thu, 2 Jun 2022 10:22:20 +0000
Subject: [PATCH] Stop using invalid URL to prevent unexpected crash
Verify the input PAC Uri before performing follow-up actions.
Check if the URL is a valid URL to filter some invalid URLs since
these invalid URLs could not fall into any subclass of existing
URLConnections. When the PAC Uri is other invalid URL scheme, it
will cause an UnsupportedOperationException if there is no proper
subclass that implements the openConnection() method.
A malformed URL may crash the system.
Even it's a valid URL, some subclasses(e.g. JarURLConnection)
may not have openConnection() implemented. It will also hit the
problem, so convert the possbile exception from openConnection()
to re-throw it to IOException which is handled in the existing
code.
Bug: 219498290
Test: atest FrameworksNetTests CtsNetTestCases
Test: Test with malformed URL
Merged-In: I22903414380b62051f514e43b93af992f45740b4
Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076
Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
(cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f)
(cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4)
Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
---
.../server/connectivity/PacManager.java | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PacManager.java b/services/core/java/com/android/server/connectivity/PacManager.java
index d56fb1ab09f9..7593553f7e68 100644
--- a/services/core/java/com/android/server/connectivity/PacManager.java
+++ b/services/core/java/com/android/server/connectivity/PacManager.java
@@ -37,6 +37,7 @@ import android.os.SystemClock;
import android.os.SystemProperties;
import android.provider.Settings;
import android.util.Log;
+import android.webkit.URLUtil;
import com.android.internal.annotations.GuardedBy;
import com.android.net.IProxyCallback;
@@ -213,8 +214,22 @@ public class PacManager {
* @throws IOException
*/
private static String get(Uri pacUri) throws IOException {
- URL url = new URL(pacUri.toString());
- URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
+ if (!URLUtil.isValidUrl(pacUri.toString())) {
+ throw new IOException("Malformed URL:" + pacUri);
+ }
+
+ final URL url = new URL(pacUri.toString());
+ URLConnection urlConnection;
+ try {
+ urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
+ // Catch the possible exceptions and rethrow as IOException to not to crash the system
+ // for illegal input.
+ } catch (IllegalArgumentException e) {
+ throw new IOException("Incorrect proxy type for " + pacUri);
+ } catch (UnsupportedOperationException e) {
+ throw new IOException("Unsupported URL connection type for " + pacUri);
+ }
+
long contentLength = -1;
try {
contentLength = Long.parseLong(urlConnection.getHeaderField("Content-Length"));

66
Patches/LineageOS-15.1/android_frameworks_base/335121-backport.patch Normal file
View File

@ -0,0 +1,66 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Makoto Onuki <omakoto@google.com>
Date: Tue, 19 Apr 2022 10:54:18 -0700
Subject: [PATCH] Only allow the system server to connect to sync adapters
Bug: 203229608
Test: Manual test with changing the check logic + debug log
Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f
(cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee)
(cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff)
Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f
---
.../content/AbstractThreadedSyncAdapter.java | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/core/java/android/content/AbstractThreadedSyncAdapter.java b/core/java/android/content/AbstractThreadedSyncAdapter.java
index 2629929e91ce..be78f4047ab1 100644
--- a/core/java/android/content/AbstractThreadedSyncAdapter.java
+++ b/core/java/android/content/AbstractThreadedSyncAdapter.java
@@ -17,6 +17,7 @@
package android.content;
import android.accounts.Account;
+import android.os.Binder;
import android.os.Build;
import android.os.Bundle;
import android.os.IBinder;
@@ -165,15 +166,28 @@ public abstract class AbstractThreadedSyncAdapter {
}
private class ISyncAdapterImpl extends ISyncAdapter.Stub {
+ private boolean isCallerSystem() {
+ final long callingUid = Binder.getCallingUid();
+ if (callingUid != Process.SYSTEM_UID) {
+ android.util.EventLog.writeEvent(0x534e4554, "203229608", -1, "");
+ return false;
+ }
+ return true;
+ }
+
@Override
public void startSync(ISyncContext syncContext, String authority, Account account,
Bundle extras) {
+ if (!isCallerSystem()) {
+ return;
+ }
if (ENABLE_LOG) {
if (extras != null) {
extras.size(); // Unparcel so its toString() will show the contents.
}
Log.d(TAG, "startSync() start " + authority + " " + account + " " + extras);
}
+
try {
final SyncContext syncContextClient = new SyncContext(syncContext);
@@ -229,6 +243,9 @@ public abstract class AbstractThreadedSyncAdapter {
@Override
public void cancelSync(ISyncContext syncContext) {
+ if (!isCallerSystem()) {
+ return;
+ }
try {
// synchronize to make sure that mSyncThreads doesn't change between when we
// check it and when we use it

42
Patches/LineageOS-15.1/android_frameworks_native/326752.patch Normal file
View File

@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou <svv@google.com>
Date: Wed, 9 Dec 2020 08:07:46 -1000
Subject: [PATCH] Check if the window is partially obscured for slippery enters
Currently, we only check whether a window is partially obscured during
the initial tap down. However, there is another use case: slippery
enter.
During a slippery enter, the touch down is generated into the
slipped-into window, and touch cancel is generated for the slipped-from
window. The window receiving the slippery enter does not need to have
any flags.
Until we figure out whether we can restrict the usage of this flag to
system components, add this check as an intermediate fix.
Bug: 157929241
Test: atest FlagSlipperyTest
Test: atest inputflinger_tests
Change-Id: I93d9681479f41244ffed4b1f88cceb69be71adf2
Merged-In: I93d9681479f41244ffed4b1f88cceb69be71adf2
(cherry picked from commit 870ececa8d5dfb293e671c716f98ccddae24147f)
(cherry picked from commit 6e689ffe3fad4b190629e11222936fb7cda041c2)
Merged-In:I93d9681479f41244ffed4b1f88cceb69be71adf2
---
services/inputflinger/InputDispatcher.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/services/inputflinger/InputDispatcher.cpp b/services/inputflinger/InputDispatcher.cpp
index aed16bff29..dadce23d9c 100644
--- a/services/inputflinger/InputDispatcher.cpp
+++ b/services/inputflinger/InputDispatcher.cpp
@@ -1329,6 +1329,8 @@ int32_t InputDispatcher::findTouchedWindowTargetsLocked(nsecs_t currentTime,
}
if (isWindowObscuredAtPointLocked(newTouchedWindowHandle, x, y)) {
targetFlags |= InputTarget::FLAG_WINDOW_IS_OBSCURED;
+ } else if (isWindowObscuredLocked(newTouchedWindowHandle)) {
+ targetFlags |= InputTarget::FLAG_WINDOW_IS_PARTIALLY_OBSCURED;
}
BitSet32 pointerIds;

30
Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332758-backport.patch Normal file
View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rahul Sabnis <rahulsabnis@google.com>
Date: Wed, 6 Apr 2022 18:08:18 +0000
Subject: [PATCH] Removes app access to BluetoothAdapter#setScanMode by
requiring BLUETOOTH_PRIVILEGED permission.
Bug: 203431023
Test: Manual
Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
Change-Id: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
(cherry picked from commit 95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0)
Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
---
src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
index 8da1baf1c..763718c01 100644
--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
@@ -1483,7 +1483,8 @@ public class AdapterService extends Service {
}
boolean setScanMode(int mode, int duration) {
- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
+ enforceCallingOrSelfPermission(
+ BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
setDiscoverableTimeout(duration);

30
Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332759-backport.patch Normal file
View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rahul Sabnis <rahulsabnis@google.com>
Date: Wed, 6 Apr 2022 22:44:01 +0000
Subject: [PATCH] Removes app access to BluetoothAdapter#setDiscoverableTimeout
by requiring BLUETOOTH_PRIVILEGED permission.
Bug: 206807679
Test: Manual
Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
Change-Id: I73288f495d35280a5724d070248db54e2fe537fd
(cherry picked from commit 528ea846133dc7dc4ce843e5b649abd50b58d527)
Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
---
src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
index 763718c01..64c28029e 100644
--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
@@ -1499,7 +1499,8 @@ public class AdapterService extends Service {
}
boolean setDiscoverableTimeout(int timeout) {
- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
+ enforceCallingOrSelfPermission(
+ BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
return mAdapterProperties.setDiscoverableTimeout(timeout);
}

31
Patches/LineageOS-15.1/android_packages_apps_Contacts/332760.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: John Shao <johnshao@google.com>
Date: Thu, 24 Feb 2022 22:20:11 +0000
Subject: [PATCH] No longer export CallSubjectDialog
This is most likely not used outside of the app and can be potentially
exploited
Bug: 218341397
Test: Manual
Change-Id: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455
Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455
(cherry picked from commit eadb0b1cc94deaa238bfdf225a504119a8a24388)
(cherry picked from commit 1f6d68c79699a9790e6cf0ab82bdc15c64eb7f5a)
Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455
---
AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 87491c80d..b399cc343 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -565,6 +565,7 @@
<activity
android:name="com.android.contacts.dialog.CallSubjectDialog"
android:theme="@style/Theme.CallSubjectDialogTheme"
+ android:exported="false"
android:windowSoftInputMode="stateVisible|adjustResize">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>

27
Patches/LineageOS-15.1/android_packages_apps_Dialer/332761.patch Normal file
View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tatsuaki Machida <tmachida@google.com>
Date: Mon, 28 Feb 2022 10:36:08 +0000
Subject: [PATCH] No longer export CallSubjectDialog
Bug: 221802256
Change-Id: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48
Test: N/A
(cherry picked from commit d96b98bbb21118356726588d0ff3707246369fdb)
(cherry picked from commit 1ab4eeb65ed117745b9576769b069cf0b38eafb0)
Merged-In: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48
---
java/com/android/contacts/common/AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/java/com/android/contacts/common/AndroidManifest.xml b/java/com/android/contacts/common/AndroidManifest.xml
index e97221549..84ac96fdb 100644
--- a/java/com/android/contacts/common/AndroidManifest.xml
+++ b/java/com/android/contacts/common/AndroidManifest.xml
@@ -21,6 +21,7 @@
<activity
android:name="com.android.contacts.common.dialog.CallSubjectDialog"
android:theme="@style/Theme.CallSubjectDialogTheme"
+ android:exported="false"
android:windowSoftInputMode="stateVisible|adjustResize">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>

33
Patches/LineageOS-15.1/android_packages_apps_KeyChain/334264.patch Normal file
View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ayush Sharma <ayushsha@google.com>
Date: Tue, 10 May 2022 14:09:40 +0000
Subject: [PATCH] Encode authority part of uri before showing in UI
As per rfc2396, allowing only characters that are reserved|unreserved|@
to be in non escaped form, all the other characters will be escaped.
This would cover all the possible characters there can be in valid
authority as per the rfc2396. android.net.Uri conforms to RFC 2396.
Bug: 221859869
Test: Manual
Change-Id: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
(cherry picked from commit 8550c37c186099926ce364b65b61ffbf6ed7958d)
Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
---
src/com/android/keychain/KeyChainActivity.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/com/android/keychain/KeyChainActivity.java b/src/com/android/keychain/KeyChainActivity.java
index 99a6568..6b0b35c 100644
--- a/src/com/android/keychain/KeyChainActivity.java
+++ b/src/com/android/keychain/KeyChainActivity.java
@@ -301,7 +301,7 @@ public class KeyChainActivity extends Activity {
Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI);
if (uri != null) {
String hostMessage = String.format(res.getString(R.string.requesting_server),
- uri.getAuthority());
+ Uri.encode(uri.getAuthority(), "$,;:@&=+"));
if (contextMessage == null) {
contextMessage = hostMessage;
} else {

59
Patches/LineageOS-15.1/android_packages_apps_Nfc/328346.patch Normal file
View File

@ -0,0 +1,59 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jack Yu <jackcwyu@google.com>
Date: Thu, 13 Jan 2022 16:27:22 +0800
Subject: [PATCH] Do not set default contactless application without user
interaction
Keep the default contactless apllication "not set" if user does not
select one from the Settings page.
Bug: 212610736
Test: Manual
Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981
Change-Id: I8e1d67528eca037f4f88380a96f8c542965a1981
(cherry picked from commit 4177b086cf2f1ae9c1831cb1a7ed88233c7a6aca)
Merged-In:I8e1d67528eca037f4f88380a96f8c542965a1981
---
.../cardemulation/CardEmulationManager.java | 27 +++----------------
1 file changed, 4 insertions(+), 23 deletions(-)
diff --git a/src/com/android/nfc/cardemulation/CardEmulationManager.java b/src/com/android/nfc/cardemulation/CardEmulationManager.java
index 3fc58fd0..05b5825c 100644
--- a/src/com/android/nfc/cardemulation/CardEmulationManager.java
+++ b/src/com/android/nfc/cardemulation/CardEmulationManager.java
@@ -206,31 +206,12 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback,
void verifyDefaults(int userId, List<ApduServiceInfo> services) {
ComponentName defaultPaymentService =
- getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, false);
+ getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, true);
if (DBG) Log.d(TAG, "Current default: " + defaultPaymentService);
if (defaultPaymentService == null) {
- // A payment service may have been removed, leaving only one;
- // in that case, automatically set that app as default.
- int numPaymentServices = 0;
- ComponentName lastFoundPaymentService = null;
- for (ApduServiceInfo service : services) {
- if (service.hasCategory(CardEmulation.CATEGORY_PAYMENT)) {
- numPaymentServices++;
- lastFoundPaymentService = service.getComponent();
- }
- }
- if (numPaymentServices > 1) {
- // More than one service left, leave default unset
- if (DBG) Log.d(TAG, "No default set, more than one service left.");
- } else if (numPaymentServices == 1) {
- // Make single found payment service the default
- if (DBG) Log.d(TAG, "No default set, making single service default.");
- setDefaultServiceForCategoryChecked(userId, lastFoundPaymentService,
- CardEmulation.CATEGORY_PAYMENT);
- } else {
- // No payment services left, leave default at null
- if (DBG) Log.d(TAG, "No default set, last payment service removed.");
- }
+ // A payment service may have been removed, set default payment selection to "not set".
+ if (DBG) Log.d(TAG, "No default set, last payment service removed.");
+ setDefaultServiceForCategoryChecked(userId, null, CardEmulation.CATEGORY_PAYMENT);
}
}

43
Patches/LineageOS-15.1/android_packages_apps_Nfc/332455-backport.patch Normal file
View File

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Fri, 18 Mar 2022 17:13:05 -0700
Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()
The size of RspBuff for Mifare shall be at least 2 bytes:
Mifare Req/Rsp Id + Status
Bug: 221852424
Test: build ok
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
---
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index 01d83f59..86657d53 100755
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1231,7 +1231,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
}
else
{
- if((0 == (RspBuffInfo->wLen))
+ if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
|| (PH_NCINFC_STATUS_OK != wStatus)
|| (NULL == (RspBuffInfo->pBuff))
)
@@ -1271,12 +1271,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
status = NFCSTATUS_SUCCESS;
uint16_t wRecvDataSz = 0;
- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
- RspBuffInfo->wLen)
- {
- android_errorWriteLog(0x534e4554, "181346550");
- return NFCSTATUS_FAILED;
- }
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
wPldDataSize = ((RspBuffInfo->wLen) -
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));

85
Patches/LineageOS-15.1/android_packages_apps_Settings/326758.patch Normal file
View File

@ -0,0 +1,85 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Edgar Wang <edgarwang@google.com>
Date: Thu, 6 Jan 2022 20:53:48 +0800
Subject: [PATCH] Fix bypass CALL_PRIVILEGED permission in
AppRestrictionsFragment
In onReceive of AppRestrictionsFragment.java, there is a possible way to
start a phone call without permissions due to a confused deputy.
This could lead to local escalation of privilege with no additional
execution privileges needed.
We should not allow the restrictionsIntent to startActivity simply
because it resolves to multiple activities.
Instead, we should call resolveActivity and check the result's package
name is same as current package name, then it is safe to startActivity.
Bug: 200688991
Test: manual verify
Change-Id: Iaa2d3a9497c3266babe0789961befc9776a4db7a
Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
(cherry picked from commit 359512cd9553c940af3c9045b856647b7529731a)
(cherry picked from commit f57d75f127fe96e91250585208a339763f1a2253)
Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
---
.../users/AppRestrictionsFragment.java | 24 +++++++++++++------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
index d487c70c66..10d714401e 100644
--- a/src/com/android/settings/users/AppRestrictionsFragment.java
+++ b/src/com/android/settings/users/AppRestrictionsFragment.java
@@ -17,6 +17,7 @@
package com.android.settings.users;
import android.app.Activity;
+import android.content.ActivityNotFoundException;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
@@ -44,6 +45,7 @@ import android.support.v7.preference.Preference.OnPreferenceChangeListener;
import android.support.v7.preference.Preference.OnPreferenceClickListener;
import android.support.v7.preference.PreferenceGroup;
import android.support.v7.preference.PreferenceViewHolder;
+import android.util.EventLog;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
@@ -634,7 +636,15 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
} else if (restrictionsIntent != null) {
preference.setRestrictions(restrictions);
if (invokeIfCustom && AppRestrictionsFragment.this.isResumed()) {
- assertSafeToStartCustomActivity(restrictionsIntent);
+ try {
+ assertSafeToStartCustomActivity(restrictionsIntent);
+ } catch (ActivityNotFoundException | SecurityException e) {
+ // return without startActivity
+ Log.e(TAG, "Cannot start restrictionsIntent " + e);
+ EventLog.writeEvent(0x534e4554, "200688991", -1 /* UID */, "");
+ return;
+ }
+
int requestCode = generateCustomActivityRequestCode(
RestrictionsResultReceiver.this.preference);
AppRestrictionsFragment.this.startActivityForResult(
@@ -648,14 +658,14 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
return;
}
- // Activity can be started if intent resolves to multiple activities
- List<ResolveInfo> resolveInfos = AppRestrictionsFragment.this.mPackageManager
- .queryIntentActivities(intent, 0 /* no flags */);
- if (resolveInfos.size() != 1) {
- return;
+ ResolveInfo resolveInfo = mPackageManager.resolveActivity(
+ intent, PackageManager.MATCH_DEFAULT_ONLY);
+
+ if (resolveInfo == null) {
+ throw new ActivityNotFoundException("No result for resolving " + intent);
}
// Prevent potential privilege escalation
- ActivityInfo activityInfo = resolveInfos.get(0).activityInfo;
+ ActivityInfo activityInfo = resolveInfo.activityInfo;
if (!packageName.equals(activityInfo.packageName)) {
throw new SecurityException("Application " + packageName
+ " is not allowed to start activity " + intent);

61
Patches/LineageOS-15.1/android_packages_apps_Settings/326759.patch Normal file
View File

@ -0,0 +1,61 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Johnston <acjohnston@google.com>
Date: Wed, 5 Jan 2022 22:19:29 +0000
Subject: [PATCH] Add caller check to com.android.credentials.RESET
* Only the Settings app can reset credentials
via com.android.credentials.RESET.
* com.android.credentials.INSTALL should still be
callable by CertInstaller.
Manual testing steps:
* Install certificate via Settings
* Verify unable to reset certificates via test app
provided in the bug (app-debug.apk)
* Verify able to reset certificates via Settings
* Verify com.android.credentials.INSTALL isn't changed
Bug: 200164168
Test: manual
Change-Id: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 4c1272a921bb9037e17a01e1e5a0692f7f704c3d)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 35e3d0c1b0598b2032fc6c134c657255f1907594)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
---
src/com/android/settings/CredentialStorage.java | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
index e5d40b7add..c0726719e0 100644
--- a/src/com/android/settings/CredentialStorage.java
+++ b/src/com/android/settings/CredentialStorage.java
@@ -131,7 +131,7 @@ public final class CredentialStorage extends Activity {
String action = intent.getAction();
UserManager userManager = (UserManager) getSystemService(Context.USER_SERVICE);
if (!userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) {
- if (ACTION_RESET.equals(action)) {
+ if (ACTION_RESET.equals(action) && checkCallerIsSelf()) {
new ResetDialog();
} else {
if (ACTION_INSTALL.equals(action) && checkCallerIsCertInstallerOrSelfInProfile()) {
@@ -390,6 +390,19 @@ public final class CredentialStorage extends Activity {
}
}
+ /**
+ * Check that the caller is Settings.
+ */
+ private boolean checkCallerIsSelf() {
+ try {
+ return Process.myUid() == android.app.ActivityManager.getService()
+ .getLaunchedFromUid(getActivityToken());
+ } catch (RemoteException re) {
+ // Error talking to ActivityManager, just give up
+ return false;
+ }
+ }
+
/**
* Check that the caller is either certinstaller or Settings running in a profile of this user.
*/

79
Patches/LineageOS-15.1/android_packages_apps_Settings/327099.patch Normal file
View File

@ -0,0 +1,79 @@
From fef5461b2b30113364e7c6336de0ddebf7889156 Mon Sep 17 00:00:00 2001
From: Alex Johnston <acjohnston@google.com>
Date: Wed, 5 Jan 2022 22:19:29 +0000
Subject: [PATCH] Add caller check to com.android.credentials.RESET [Backport]
* Only the Settings app can reset credentials
via com.android.credentials.RESET.
* com.android.credentials.INSTALL should still be
callable by CertInstaller.
Manual testing steps:
* Install certificate via Settings
* Verify unable to reset certificates via test app
provided in the bug (app-debug.apk)
* Verify able to reset certificates via Settings
* Verify com.android.credentials.INSTALL isn't changed
Bug: 200164168
Test: manual
Change-Id: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 4c1272a921bb9037e17a01e1e5a0692f7f704c3d)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 35e3d0c1b0598b2032fc6c134c657255f1907594)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
---
.../android/settings/CredentialStorage.java | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
index eed380bae4f..1c82bff713f 100644
--- a/src/com/android/settings/CredentialStorage.java
+++ b/src/com/android/settings/CredentialStorage.java
@@ -17,6 +17,7 @@
package com.android.settings;
import android.app.Activity;
+import android.app.ActivityManagerNative;
import android.app.AlertDialog;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
@@ -27,6 +28,7 @@
import android.content.res.Resources;
import android.os.AsyncTask;
import android.os.Bundle;
+import android.os.IBinder;
import android.os.Process;
import android.os.RemoteException;
import android.os.UserHandle;
@@ -128,7 +130,7 @@ protected void onResume() {
String action = intent.getAction();
UserManager userManager = (UserManager) getSystemService(Context.USER_SERVICE);
if (!userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) {
- if (ACTION_RESET.equals(action)) {
+ if (ACTION_RESET.equals(action) && checkCallerIsSelf()) {
new ResetDialog();
} else {
if (ACTION_INSTALL.equals(action) && checkCallerIsCertInstallerOrSelfInProfile()) {
@@ -405,6 +407,20 @@ private ConfigureKeyGuardDialog() {
}
}
+ /**
+ * Check that the caller is Settings.
+ */
+ private boolean checkCallerIsSelf() {
+ try {
+ IBinder activityToken = getActivityToken();
+ return Process.myUid() == ActivityManagerNative.getDefault()
+ .getLaunchedFromUid(activityToken);
+ } catch (RemoteException re) {
+ // Error talking to ActivityManager, just give up
+ return false;
+ }
+ }
+
/**
* Check that the caller is either certinstaller or Settings running in a profile of this user.
*/

133
Patches/LineageOS-15.1/android_packages_apps_Settings/332763.patch Normal file
View File

@ -0,0 +1,133 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Oli Lan <olilan@google.com>
Date: Fri, 25 Feb 2022 15:22:27 +0000
Subject: [PATCH] Prevent exfiltration of system files via user image settings.
This is a backport of ag/17005706.
This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.
The mitigations are:
1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.
2) Only allow a system handler to respond to the CROP intent.
Bug: 187702830
Test: build and check functionality
Change-Id: Ia6314b6810afb5efa0329f3eeaee9ccfff791966
Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
(cherry picked from commit 8950a9002402de6e1218bab3da52868a51104a95)
Merged-In: Ia6314b6810afb5efa0329f3eeaee9ccfff791966
---
.../users/EditUserPhotoController.java | 42 +++++++++++++------
1 file changed, 29 insertions(+), 13 deletions(-)
diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java
index 0f67b181de..cdf392b9df 100644
--- a/src/com/android/settings/users/EditUserPhotoController.java
+++ b/src/com/android/settings/users/EditUserPhotoController.java
@@ -22,6 +22,7 @@ import android.content.ClipData;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.graphics.Bitmap;
@@ -75,6 +76,7 @@ public class EditUserPhotoController {
private static final int REQUEST_CODE_TAKE_PHOTO = 1002;
private static final int REQUEST_CODE_CROP_PHOTO = 1003;
+ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
@@ -85,6 +87,7 @@ public class EditUserPhotoController {
private final Fragment mFragment;
private final ImageView mImageView;
+ private final Uri mPreCropPictureUri;
private final Uri mCropPictureUri;
private final Uri mTakePictureUri;
@@ -96,6 +99,8 @@ public class EditUserPhotoController {
mContext = view.getContext();
mFragment = fragment;
mImageView = view;
+
+ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
mPhotoSize = getPhotoSize(mContext);
@@ -130,7 +135,7 @@ public class EditUserPhotoController {
case REQUEST_CODE_TAKE_PHOTO:
case REQUEST_CODE_CHOOSE_PHOTO:
if (mTakePictureUri.equals(pictureUri)) {
- cropPhoto();
+ cropPhoto(pictureUri);
} else {
copyAndCropPhoto(pictureUri);
}
@@ -239,7 +244,7 @@ public class EditUserPhotoController {
protected Void doInBackground(Void... params) {
final ContentResolver cr = mContext.getContentResolver();
try (InputStream in = cr.openInputStream(pictureUri);
- OutputStream out = cr.openOutputStream(mTakePictureUri)) {
+ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
Streams.copy(in, out);
} catch (IOException e) {
Log.w(TAG, "Failed to copy photo", e);
@@ -250,27 +255,38 @@ public class EditUserPhotoController {
@Override
protected void onPostExecute(Void result) {
if (!mFragment.isAdded()) return;
- cropPhoto();
+ cropPhoto(mPreCropPictureUri);
}
}.execute();
}
- private void cropPhoto() {
+ private void cropPhoto(final Uri pictureUri) {
// TODO: Use a public intent, when there is one.
Intent intent = new Intent("com.android.camera.action.CROP");
- intent.setDataAndType(mTakePictureUri, "image/*");
+ intent.setDataAndType(pictureUri, "image/*");
appendOutputExtra(intent, mCropPictureUri);
appendCropExtras(intent);
- if (intent.resolveActivity(mContext.getPackageManager()) != null) {
- try {
- StrictMode.disableDeathOnFileUriExposure();
- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
- } finally {
- StrictMode.enableDeathOnFileUriExposure();
+ try {
+ StrictMode.disableDeathOnFileUriExposure();
+ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
+ return;
}
- } else {
- onPhotoCropped(mTakePictureUri, false);
+ } finally {
+ StrictMode.enableDeathOnFileUriExposure();
+ }
+ onPhotoCropped(mTakePictureUri, false);
+ }
+
+ private boolean startSystemActivityForResult(Intent intent, int code) {
+ ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(),
+ PackageManager.MATCH_SYSTEM_ONLY);
+ if (info == null) {
+ Log.w(TAG, "No system package activity could be found for code " + code);
+ return false;
}
+ intent.setPackage(info.packageName);
+ mFragment.startActivityForResult(intent, code);
+ return true;
}
private void appendOutputExtra(Intent intent, Uri pictureUri) {

39
Patches/LineageOS-15.1/android_packages_apps_Settings/334265.patch Normal file
View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Edgar Wang <edgarwang@google.com>
Date: Wed, 6 Apr 2022 17:30:27 +0800
Subject: [PATCH] Fix LaunchAnyWhere in AppRestrictionsFragment
If the intent's package equals to the app's package, this intent
will be allowed to startActivityForResult.
But this check is unsafe, because if the component of this intent
is set, the package field will just be ignored. So if we set the
component to any activity we like and set package to the app's
package, it will pass the assertSafeToStartCustomActivity check
and now we can launch anywhere.
Bug: 223578534
Test: robotest and manual verify
Change-Id: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
(cherry picked from commit 90e095dbe372f29823ad4788c0cc2d781ae3bb24)
(cherry picked from commit b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad)
Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
---
src/com/android/settings/users/AppRestrictionsFragment.java | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
index 10d714401e..bf0f3da8d0 100644
--- a/src/com/android/settings/users/AppRestrictionsFragment.java
+++ b/src/com/android/settings/users/AppRestrictionsFragment.java
@@ -654,10 +654,7 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
}
private void assertSafeToStartCustomActivity(Intent intent) {
- // Activity can be started if it belongs to the same app
- if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
- return;
- }
+ EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");
ResolveInfo resolveInfo = mPackageManager.resolveActivity(
intent, PackageManager.MATCH_DEFAULT_ONLY);

54
Patches/LineageOS-15.1/android_packages_apps_Settings/335111.patch Normal file
View File

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Arc Wang <arcwang@google.com>
Date: Fri, 6 May 2022 17:42:30 +0800
Subject: [PATCH] Verify ringtone from ringtone picker is audio
To improve privacy.
Bug: 221041256
Test: atest com.android.settings.DefaultRingtonePreferenceTest
Change-Id: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
(cherry picked from commit e4c22580c9a66a3d5523782c2daa707531210227)
(cherry picked from commit 640eab60f2baa9052d395fccd4a0324103ad6c7a)
Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
---
.../settings/DefaultRingtonePreference.java | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
index 9f9f832b10..751eb8c8e7 100644
--- a/src/com/android/settings/DefaultRingtonePreference.java
+++ b/src/com/android/settings/DefaultRingtonePreference.java
@@ -22,6 +22,7 @@ import android.content.Intent;
import android.media.RingtoneManager;
import android.net.Uri;
import android.util.AttributeSet;
+import android.util.Log;
public class DefaultRingtonePreference extends RingtonePreference {
private static final String TAG = "DefaultRingtonePreference";
@@ -43,6 +44,23 @@ public class DefaultRingtonePreference extends RingtonePreference {
@Override
protected void onSaveRingtone(Uri ringtoneUri) {
+ String mimeType = getContext().getContentResolver().getType(ringtoneUri);
+ if (mimeType == null) {
+ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
+ + " ignored: failure to find mimeType (no access from this context?)");
+ return;
+ }
+
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
+ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
+ + " ignored: associated mimeType:" + mimeType + " is not an audio type");
+ return;
+ }
+
+ setActualDefaultRingtoneUri(ringtoneUri);
+ }
+
+ void setActualDefaultRingtoneUri(Uri ringtoneUri) {
RingtoneManager.setActualDefaultRingtoneUri(mUserContext, getRingtoneType(), ringtoneUri);
}

40
Patches/LineageOS-15.1/android_packages_apps_Settings/335114.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Arc Wang <arcwang@google.com>
Date: Mon, 16 May 2022 14:36:19 +0800
Subject: [PATCH] Fix Settings crash when setting a null ringtone
Ringtone picker may callback a null ringtone Uri
if users select None.
This change pass null ringtone Uri to RingtoneManager
and return.
Bug: 232502532
Bug: 221041256
Test: maunal
Settings - Sound & Vibration -> Phone ringtone
-> My Sounds -> None
Change-Id: I044b680871472a3c272f6264c4ef272df542112e
Merged-In: I044b680871472a3c272f6264c4ef272df542112e
(cherry picked from commit d94b73b3041614a5ff57c7745f50f235bf6c7783)
Merged-In: I044b680871472a3c272f6264c4ef272df542112e
---
src/com/android/settings/DefaultRingtonePreference.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
index 751eb8c8e7..226cde693b 100644
--- a/src/com/android/settings/DefaultRingtonePreference.java
+++ b/src/com/android/settings/DefaultRingtonePreference.java
@@ -44,6 +44,11 @@ public class DefaultRingtonePreference extends RingtonePreference {
@Override
protected void onSaveRingtone(Uri ringtoneUri) {
+ if (ringtoneUri == null) {
+ setActualDefaultRingtoneUri(ringtoneUri);
+ return;
+ }
+
String mimeType = getContext().getContentResolver().getType(ringtoneUri);
if (mimeType == null) {
Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri

34
Patches/LineageOS-15.1/android_packages_apps_Settings/335115.patch Normal file
View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tsung-Mao Fang <tmfang@google.com>
Date: Fri, 27 May 2022 15:52:30 +0800
Subject: [PATCH] Fix can't change notification sound for work profile.
Use correct user id context to query the type,
so we won't get empty result unexpectedly.
If we get the null result, then we won't set sound sucessfully.
Bug: 233580016
Bug: 221041256
Test: Manual test and set work profile sound works.
Change-Id: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
(cherry picked from commit edf44161770a8d3aa5105b51d701c3abdae1776e)
Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
---
src/com/android/settings/DefaultRingtonePreference.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
index 226cde693b..f3eeff9df2 100644
--- a/src/com/android/settings/DefaultRingtonePreference.java
+++ b/src/com/android/settings/DefaultRingtonePreference.java
@@ -49,7 +49,7 @@ public class DefaultRingtonePreference extends RingtonePreference {
return;
}
- String mimeType = getContext().getContentResolver().getType(ringtoneUri);
+ String mimeType = mUserContext.getContentResolver().getType(ringtoneUri);
if (mimeType == null) {
Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
+ " ignored: failure to find mimeType (no access from this context?)");

94
Patches/LineageOS-15.1/android_packages_apps_Settings/335116.patch Normal file
View File

@ -0,0 +1,94 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Raphael Kim <raphk@google.com>
Date: Fri, 22 Apr 2022 00:40:06 +0000
Subject: [PATCH] Extract app label from component name in notification access
confirmation UI
Bug: 228178437
Test: Manually tested on POC
Change-Id: I8613d9b87a53d4641c0689bca9c961c66a2e9415
Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415
(cherry picked from commit 8d749c55f4efd6b2e514d90204667ffa804eb0f9)
Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415
---
...otificationAccessConfirmationActivity.java | 36 ++++++++++++++++---
1 file changed, 31 insertions(+), 5 deletions(-)
diff --git a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
index db75f62fb5..664465f799 100644
--- a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
+++ b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
@@ -21,8 +21,6 @@ import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYST
import static com.android.internal.notification.NotificationAccessConfirmationActivityContract
.EXTRA_COMPONENT_NAME;
-import static com.android.internal.notification.NotificationAccessConfirmationActivityContract
- .EXTRA_PACKAGE_TITLE;
import static com.android.internal.notification.NotificationAccessConfirmationActivityContract
.EXTRA_USER_ID;
@@ -33,10 +31,13 @@ import android.app.NotificationManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.DialogInterface;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageItemInfo;
import android.content.pm.PackageManager;
import android.content.pm.ServiceInfo;
import android.os.Bundle;
import android.os.UserHandle;
+import android.text.TextUtils;
import android.util.Slog;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityEvent;
@@ -52,6 +53,8 @@ public class NotificationAccessConfirmationActivity extends Activity
private static final boolean DEBUG = false;
private static final String LOG_TAG = "NotificationAccessConfirmationActivity";
+ private static final float DEFAULT_MAX_LABEL_SIZE_PX = 500f;
+
private int mUserId;
private ComponentName mComponentName;
private NotificationManager mNm;
@@ -66,15 +69,38 @@ public class NotificationAccessConfirmationActivity extends Activity
mComponentName = getIntent().getParcelableExtra(EXTRA_COMPONENT_NAME);
mUserId = getIntent().getIntExtra(EXTRA_USER_ID, UserHandle.USER_NULL);
- String pkgTitle = getIntent().getStringExtra(EXTRA_PACKAGE_TITLE);
+ CharSequence mAppLabel;
+
+ if (mComponentName == null || mComponentName.getPackageName() == null) {
+ finish();
+ return;
+ }
+
+ try {
+ ApplicationInfo applicationInfo = getPackageManager().getApplicationInfo(
+ mComponentName.getPackageName(), 0);
+ mAppLabel = applicationInfo.loadSafeLabel(getPackageManager(),
+ DEFAULT_MAX_LABEL_SIZE_PX,
+ PackageItemInfo.SAFE_LABEL_FLAG_TRIM
+ | PackageItemInfo.SAFE_LABEL_FLAG_FIRST_LINE);
+ } catch (PackageManager.NameNotFoundException e) {
+ Slog.e(LOG_TAG, "Couldn't find app with package name for " + mComponentName, e);
+ finish();
+ return;
+ }
+
+ if (TextUtils.isEmpty(mAppLabel)) {
+ finish();
+ return;
+ }
AlertController.AlertParams p = new AlertController.AlertParams(this);
p.mTitle = getString(
R.string.notification_listener_security_warning_title,
- pkgTitle);
+ mAppLabel);
p.mMessage = getString(
R.string.notification_listener_security_warning_summary,
- pkgTitle);
+ mAppLabel);
p.mPositiveButtonText = getString(R.string.allow);
p.mPositiveButtonListener = (a, b) -> onAllow();
p.mNegativeButtonText = getString(R.string.deny);

150
Patches/LineageOS-15.1/android_packages_providers_ContactsProvider/335110.patch Normal file
View File

@ -0,0 +1,150 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Thu, 28 Apr 2022 16:53:40 -0700
Subject: [PATCH] enforce stricter CallLogProvider query
changes:
- phoneNumber is now a selectionArgument
- if the user makes a query request for the CALLS_FILTER case,
throw a SE if the cursor is empty && SQL is detected
Bug: 224771921
Test: 2 manual,
manual 1: test app 1 can still make valid call filter query
manual 2: test app 2 with invalid query crashes b/c of SE
2 CTS tests,
test 1: ensures the existing functionality still works
test 2: ensures a SE is thrown on an invalid query for call filter
Change-Id: Ia445bb59581abb14e247aa8d9f0177e02307cf96
Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96
(cherry picked from commit c8b6397d364c2741baf5d850bfdd1693782af940)
Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96
---
.../providers/contacts/CallLogProvider.java | 77 ++++++++++++++++++-
1 file changed, 75 insertions(+), 2 deletions(-)
diff --git a/src/com/android/providers/contacts/CallLogProvider.java b/src/com/android/providers/contacts/CallLogProvider.java
index bbd58e2b..97a4c9ae 100644
--- a/src/com/android/providers/contacts/CallLogProvider.java
+++ b/src/com/android/providers/contacts/CallLogProvider.java
@@ -31,6 +31,7 @@ import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
+import android.database.sqlite.SQLiteTokenizer;
import android.net.Uri;
import android.os.Binder;
import android.os.UserHandle;
@@ -42,6 +43,7 @@ import android.telecom.PhoneAccountHandle;
import android.telecom.TelecomManager;
import android.text.TextUtils;
import android.util.ArrayMap;
+import android.util.EventLog;
import android.util.Log;
import com.android.internal.annotations.VisibleForTesting;
@@ -52,6 +54,9 @@ import com.android.providers.contacts.util.UserUtils;
import java.util.Arrays;
import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.UUID;
import java.util.concurrent.CountDownLatch;
/**
@@ -273,9 +278,10 @@ public class CallLogProvider extends ContentProvider {
List<String> pathSegments = uri.getPathSegments();
String phoneNumber = pathSegments.size() >= 2 ? pathSegments.get(2) : null;
if (!TextUtils.isEmpty(phoneNumber)) {
- qb.appendWhere("PHONE_NUMBERS_EQUAL(number, ");
- qb.appendWhereEscapeString(phoneNumber);
+ qb.appendWhere("PHONE_NUMBERS_EQUAL(number, ?");
qb.appendWhere(mUseStrictPhoneNumberComparation ? ", 1)" : ", 0)");
+ selectionArgs = copyArrayAndAppendElement(selectionArgs,
+ "'" + phoneNumber + "'");
} else {
qb.appendWhere(Calls.NUMBER_PRESENTATION + "!="
+ Calls.PRESENTATION_ALLOWED);
@@ -297,12 +303,79 @@ public class CallLogProvider extends ContentProvider {
final SQLiteDatabase db = mDbHelper.getReadableDatabase();
final Cursor c = qb.query(db, projection, selectionBuilder.build(), selectionArgs, null,
null, sortOrder, limitClause);
+
+ if (match == CALLS_FILTER && selectionArgs.length > 0) {
+ // throw SE if the user is sending requests that try to bypass voicemail permissions
+ examineEmptyCursorCause(c, selectionArgs[selectionArgs.length - 1]);
+ }
+
if (c != null) {
c.setNotificationUri(getContext().getContentResolver(), CallLog.CONTENT_URI);
}
return c;
}
+ /**
+ * Helper method for queryInternal that appends an extra argument to the existing selection
+ * arguments array.
+ *
+ * @param oldSelectionArguments the existing selection argument array in queryInternal
+ * @param phoneNumber the phoneNumber that was passed into queryInternal
+ * @return the new selection argument array with the phoneNumber as the last argument
+ */
+ private String[] copyArrayAndAppendElement(String[] oldSelectionArguments, String phoneNumber) {
+ if (oldSelectionArguments == null) {
+ return new String[]{phoneNumber};
+ }
+ String[] newSelectionArguments = new String[oldSelectionArguments.length + 1];
+ System.arraycopy(oldSelectionArguments, 0, newSelectionArguments, 0,
+ oldSelectionArguments.length);
+ newSelectionArguments[oldSelectionArguments.length] = phoneNumber;
+ return newSelectionArguments;
+ }
+
+ /**
+ * Helper that throws a Security Exception if the Cursor object is empty && the phoneNumber
+ * appears to have SQL.
+ *
+ * @param cursor returned from the query.
+ * @param phoneNumber string to check for SQL.
+ */
+ private void examineEmptyCursorCause(Cursor cursor, String phoneNumber) {
+ // checks if the cursor is empty
+ if ((cursor == null) || !cursor.moveToFirst()) {
+ try {
+ // tokenize the phoneNumber and run each token through a checker
+ SQLiteTokenizer.tokenize(phoneNumber, SQLiteTokenizer.OPTION_NONE,
+ this::enforceStrictPhoneNumber);
+ } catch (IllegalArgumentException e) {
+ EventLog.writeEvent(0x534e4554, "224771921", Binder.getCallingUid(),
+ ("invalid phoneNumber passed to queryInternal"));
+ throw new SecurityException("invalid phoneNumber passed to queryInternal");
+ }
+ }
+ }
+
+ private void enforceStrictPhoneNumber(String token) {
+ boolean isAllowedKeyword = SQLiteTokenizer.isKeyword(token);
+ switch (token.toUpperCase(Locale.US)) {
+ case "SELECT":
+ case "FROM":
+ case "WHERE":
+ case "GROUP":
+ case "HAVING":
+ case "WINDOW":
+ case "VALUES":
+ case "ORDER":
+ case "LIMIT":
+ isAllowedKeyword = false;
+ break;
+ }
+ if (!isAllowedKeyword) {
+ throw new IllegalArgumentException("Invalid token " + token);
+ }
+ }
+
private void queryForTesting(Uri uri) {
if (!uri.getBooleanQueryParameter(PARAM_KEY_QUERY_FOR_TESTING, false)) {
return;

64
Patches/LineageOS-15.1/android_packages_services_Telecomm/332764.patch Normal file
View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Sat, 15 Jan 2022 01:15:29 +0000
Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10
bug: 209814693
Bug: 217934478
Test: CTS
Change-Id: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
(cherry picked from commit eb3394e3a8e21cd07c4f7a7ad43494ba14a8cbf4)
Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
---
.../server/telecom/PhoneAccountRegistrar.java | 23 +++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java
index 074f3254a..5323a9669 100644
--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java
+++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java
@@ -138,6 +138,7 @@ public class PhoneAccountRegistrar {
private static final String FILE_NAME = "phone-account-registrar-state.xml";
@VisibleForTesting
public static final int EXPECTED_STATE_VERSION = 9;
+ public static final int MAX_PHONE_ACCOUNT_REGISTRATIONS = 10;
/** Keep in sync with the same in SipSettings.java */
private static final String SIP_SHARED_PREFERENCES = "SIP_PREFERENCES";
@@ -628,8 +629,13 @@ public class PhoneAccountRegistrar {
return getPhoneAccountHandles(0, null, packageName, false, userHandle);
}
- // TODO: Should we implement an artificial limit for # of accounts associated with a single
- // ComponentName?
+ /**
+ * Performs checks before calling addOrReplacePhoneAccount(PhoneAccount)
+ *
+ * @param account The {@code PhoneAccount} to add or replace.
+ * @throws SecurityException if package does not have BIND_TELECOM_CONNECTION_SERVICE permission
+ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_REGISTRATIONS are reached
+ */
public void registerPhoneAccount(PhoneAccount account) {
// Enforce the requirement that a connection service for a phone account has the correct
// permission.
@@ -640,6 +646,19 @@ public class PhoneAccountRegistrar {
throw new SecurityException("PhoneAccount connection service requires "
+ "BIND_TELECOM_CONNECTION_SERVICE permission.");
}
+ //Enforce an upper bound on the number of PhoneAccount's a package can register.
+ // Most apps should only require 1-2.
+ if (getPhoneAccountsForPackage(
+ account.getAccountHandle().getComponentName().getPackageName(),
+ account.getAccountHandle().getUserHandle()).size()
+ >= MAX_PHONE_ACCOUNT_REGISTRATIONS) {
+ Log.w(this, "Phone account %s reached max registration limit for package",
+ account.getAccountHandle());
+ throw new IllegalArgumentException(
+ "Error, cannot register phone account " + account.getAccountHandle()
+ + " because the limit, " + MAX_PHONE_ACCOUNT_REGISTRATIONS
+ + ", has been reached");
+ }
addOrReplacePhoneAccount(account);
}

44
Patches/LineageOS-15.1/android_system_bt/328347.patch Normal file
View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 13 Jan 2022 15:00:32 +0800
Subject: [PATCH] Security fix OOB read due to invalid count in
stack/avrc/avrc_pars_ct
Bug: 205837191
Tag: #security
Test: PoC test program
Ignore-AOSP-First: Security
Change-Id: I7b5bcb6551a8c0c015566327e13ba719271ce374
Merged-In: I7b5bcb6551a8c0c015566327e13ba719271ce374
(cherry picked from commit 60a5d2f63bf95ed386a2ca6c43f1d88bb1d07003)
Merged-In:I7b5bcb6551a8c0c015566327e13ba719271ce374
---
stack/avrc/avrc_pars_ct.cc | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index f3483d7fe..ef5aa1647 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -543,6 +543,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
p_result->get_caps.capability_id,
p_result->get_caps.count);
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
if (len < min_len) goto length_error;
for (int xx = 0; ((xx < p_result->get_caps.count) &&
@@ -552,6 +556,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
}
} else if (p_result->get_caps.capability_id ==
AVRC_CAP_EVENTS_SUPPORTED) {
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
if (len < min_len) goto length_error;
for (int xx = 0; ((xx < p_result->get_caps.count) &&

31
Patches/LineageOS-15.1/android_system_bt/334266.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chen Chen <cncn@google.com>
Date: Fri, 15 Apr 2022 14:24:48 -0700
Subject: [PATCH] Security: Fix out of bound write in HFP client
Bug: 224536184
Test: build
Tag: #security
Ignore-AOSP-First: Security bug
Change-Id: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
(cherry picked from commit 01136338f6d739226e027716b6e5304df379fa4c)
Merged-In: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
---
bta/hf_client/bta_hf_client_at.cc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 5d8493be5..9489b5111 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -332,6 +332,10 @@ static void bta_hf_client_handle_cind_list_item(tBTA_HF_CLIENT_CB* client_cb,
APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {

32
Patches/LineageOS-15.1/android_system_bt/334267.patch Normal file
View File

@ -0,0 +1,32 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: William Escande <wescande@google.com>
Date: Mon, 2 May 2022 09:48:59 -0700
Subject: [PATCH] Check Avrcp packet vendor length before extracting length
Bug: 205571133
Test: build + ag/18105403 for sts test
Ignore-AOSP-First: Security vulnerability
Change-Id: Ic9fa9400ab15785cfdb251af66b1867daf09570e
(cherry picked from commit 003e42896493afb7a0cd7406720987725d4e9da3)
Merged-In: Ic9fa9400ab15785cfdb251af66b1867daf09570e
---
stack/avrc/avrc_pars_tg.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 88b8d0083..7042f4da7 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -44,6 +44,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
tAVRC_COMMAND* p_result) {
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
uint8_t* p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);

33
Patches/LineageOS-15.1/android_system_bt/334268.patch Normal file
View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Josh Wu <joshwu@google.com>
Date: Fri, 29 Apr 2022 00:02:23 -0700
Subject: [PATCH] Security: Fix out of bound read in AT_SKIP_REST
Bug: 220732646
Test: build
Tag: #security
Ignore-AOSP-First: Security bug
Change-Id: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
(cherry picked from commit 4ce5a3c374fb5d24f367a202a6a3dcab4ba4dffd)
Merged-In: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
---
bta/hf_client/bta_hf_client_at.cc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 9489b5111..6c52edadc 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -787,9 +787,9 @@ void bta_hf_client_binp(tBTA_HF_CLIENT_CB* client_cb, char* number) {
} while (0)
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) \
- do { \
- while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf) \
+ do { \
+ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
} while (0)
static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb,

42
Patches/LineageOS-15.1/android_system_bt/335109.patch Normal file
View File

@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Roopa Sattiraju <sattiraju@google.com>
Date: Wed, 25 May 2022 21:00:01 +0000
Subject: [PATCH] Removing bonded device when auth fails due to missing keys
Bug: 231161832
Test: Test against trying to connect using the same address
Change-Id: I2a23440303758faf281989abdb2a614708f05d36
Merged-In: I2a23440303758faf281989abdb2a614708f05d36
(cherry picked from commit 21df1076a4b9c1d1bbe3f5ecb475fe0b7c1b8c2a)
Merged-In: I2a23440303758faf281989abdb2a614708f05d36
---
btif/src/btif_dm.cc | 3 ---
1 file changed, 3 deletions(-)
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index e1bfacf8e..572640e01 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -1150,14 +1150,12 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
break;
case HCI_ERR_PAIRING_NOT_ALLOWED:
- btif_storage_remove_bonded_device(&bd_addr);
status = BT_STATUS_AUTH_REJECTED;
break;
/* map the auth failure codes, so we can retry pairing if necessary */
case HCI_ERR_AUTH_FAILURE:
case HCI_ERR_KEY_MISSING:
- btif_storage_remove_bonded_device(&bd_addr);
case HCI_ERR_HOST_REJECT_SECURITY:
case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
case HCI_ERR_UNIT_KEY_USED:
@@ -1187,7 +1185,6 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
/* Remove Device as bonded in nvram as authentication failed */
BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram",
__func__);
- btif_storage_remove_bonded_device(&bd_addr);
}
bond_state_changed(status, bd_addr, state);
}

45
Patches/LineageOS-15.1/android_system_core/332765.patch Normal file
View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shaju Mathew <shaju@google.com>
Date: Tue, 5 Apr 2022 04:01:04 -0700
Subject: [PATCH] Backport of Win-specific suppression of potentially rogue
construct that can engage in directory traversal on the host.
Bug:209438553
Ignore-AOSP-First: Resolution for potential security exploit.
Test: Synced just system/core, therefore relying on presubmits for now.
Will followup with a full-fledged sync and manual cursory test.
Signed-off-by: Shaju Mathew <shaju@google.com>
Change-Id: I993a00ce6130478b7becfdbea816c348824f319f
Merged-In: Ie1f82db2fb14e1bdd183bf8d3d93d5e9f974be5d
(cherry picked from commit a36a342ec9721240e5a48ca50e833b9a35bef256)
Merged-In: I993a00ce6130478b7becfdbea816c348824f319f
---
adb/file_sync_client.cpp | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/adb/file_sync_client.cpp b/adb/file_sync_client.cpp
index 2576fb15b..47ef2f49b 100644
--- a/adb/file_sync_client.cpp
+++ b/adb/file_sync_client.cpp
@@ -629,6 +629,18 @@ static bool sync_ls(SyncConnection& sc, const char* path,
if (!ReadFdExactly(sc.fd, buf, len)) return false;
buf[len] = 0;
+ // Address the unlikely scenario wherein a
+ // compromised device/service might be able to
+ // traverse across directories on the host. Let's
+ // shut that door!
+ if (strchr(buf, '/')
+#if defined(_WIN32)
+ || strchr(buf, '\\')
+#endif
+ ) {
+ return false;
+ }
+
func(msg.dent.mode, msg.dent.size, msg.dent.time, buf);
}
}

26
Patches/LineageOS-15.1/android_system_nfc/332767.patch Normal file
View File

@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Tue, 8 Mar 2022 17:27:34 -0800
Subject: [PATCH] Double Free in ce_t4t_data_cback
Bug: 221862119
Test: build ok
Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e)
Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
---
src/nfc/tags/ce_t4t.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nfc/tags/ce_t4t.c b/src/nfc/tags/ce_t4t.c
index f204c8a..e16557a 100644
--- a/src/nfc/tags/ce_t4t.c
+++ b/src/nfc/tags/ce_t4t.c
@@ -633,6 +633,7 @@ static void ce_t4t_data_cback(uint8_t conn_id, tNFC_CONN_EVT event,
} else {
GKI_freebuf(p_c_apdu);
ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+ return;
}
} else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) {
CE_TRACE_DEBUG0("CET4T: Forward raw frame to wildcard AID handler");

33
Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch Normal file
View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 17 Mar 2022 15:39:20 -0700
Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config
Bug: 221216105
Test: build ok
Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99)
Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
---
src/nfa/dm/nfa_dm_main.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/nfa/dm/nfa_dm_main.c b/src/nfa/dm/nfa_dm_main.c
index 688de0e0..b0fd1777 100644
--- a/src/nfa/dm/nfa_dm_main.c
+++ b/src/nfa/dm/nfa_dm_main.c
@@ -283,6 +283,14 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list,
p_value = p_tlv_list + xx + 2;
p_cur_len = NULL;
+ if (len > (tlv_list_len - xx - 2))
+ {
+ NFA_TRACE_ERROR2 ("error: invalid TLV length: t:0x%x, l:%d",
+ type, len);
+ android_errorWriteLog(0x534e4554, "221216105");
+ return NFA_STATUS_FAILED;
+ }
+
switch (type) {
/*
** Poll F Configuration

30
Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch Normal file
View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Mon, 21 Mar 2022 19:31:28 -0700
Subject: [PATCH] OOBR in nfc_ncif_proc_ee_discover_req()
Bug: 221856662
Test: build ok
Change-Id: If4b4872e4101fc65172596b4f7579b259b6f6b63
(cherry picked from commit 1c6ab25b3d76c2ced764dc649bec6cf05aecd198)
Merged-In: If4b4872e4101fc65172596b4f7579b259b6f6b63
---
src/nfc/nfc/nfc_ncif.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 1e183df0..015a65db 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -1904,6 +1904,11 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
uint8_t u8;
NFC_TRACE_DEBUG2("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
+ if (!plen)
+ {
+ android_errorWriteLog(0x534e4554, "221856662");
+ return;
+ }
if (p_cback) {
u8 = *p;
ee_disc_req.status = NFC_STATUS_OK;

26
Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch Normal file
View File

@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Tue, 8 Mar 2022 17:27:34 -0800
Subject: [PATCH] Double Free in ce_t4t_data_cback
Bug: 221862119
Test: build ok
Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e)
Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
---
src/nfc/tags/ce_t4t.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nfc/tags/ce_t4t.c b/src/nfc/tags/ce_t4t.c
index ae3af2a4..510110dd 100644
--- a/src/nfc/tags/ce_t4t.c
+++ b/src/nfc/tags/ce_t4t.c
@@ -604,6 +604,7 @@ static void ce_t4t_data_cback(uint8_t conn_id, tNFC_CONN_EVT event,
} else {
GKI_freebuf(p_c_apdu);
ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+ return;
}
} else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) {
CE_TRACE_DEBUG0("CET4T: Forward raw frame to wildcard AID handler");

64
Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch Normal file
View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jack Yu <jackcwyu@google.com>
Date: Thu, 13 Jan 2022 16:27:22 +0800
Subject: [PATCH] Do not set default contactless application without user
interaction
Keep the default contactless apllication "not set" if user does not
select one from the Settings page.
Bug: 212610736
Test: Manual
Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981
Change-Id: I8e1d67528eca037f4f88380a96f8c542965a1981
(cherry picked from commit 4177b086cf2f1ae9c1831cb1a7ed88233c7a6aca)
Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981
---
.../cardemulation/CardEmulationManager.java | 27 +++----------------
1 file changed, 4 insertions(+), 23 deletions(-)
diff --git a/src/com/android/nfc/cardemulation/CardEmulationManager.java b/src/com/android/nfc/cardemulation/CardEmulationManager.java
index 6d9670ab..e0217e1c 100644
--- a/src/com/android/nfc/cardemulation/CardEmulationManager.java
+++ b/src/com/android/nfc/cardemulation/CardEmulationManager.java
@@ -240,7 +240,7 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback,
void verifyDefaults(int userId, List<NQApduServiceInfo> services) {
ComponentName defaultPaymentService =
- getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, false);
+ getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, true);
if (DBG) Log.d(TAG, "Current default: " + defaultPaymentService);
if (defaultPaymentService != null) {
// Validate the default is still installed and handling payment
@@ -285,28 +285,9 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback,
if (DBG) Log.d(TAG, "Default payment service still ok.");
}
} else {
- // A payment service may have been removed, leaving only one;
- // in that case, automatically set that app as default.
- int numPaymentServices = 0;
- ComponentName lastFoundPaymentService = null;
- for (NQApduServiceInfo service : services) {
- if ((service.hasCategory(CardEmulation.CATEGORY_PAYMENT))&&(!service.getAids().isEmpty())) {
- numPaymentServices++;
- lastFoundPaymentService = service.getComponent();
- }
- }
- if (numPaymentServices > 1) {
- // More than one service left, leave default unset
- if (DBG) Log.d(TAG, "No default set, more than one service left.");
- } else if (numPaymentServices == 1) {
- // Make single found payment service the default
- if (DBG) Log.d(TAG, "No default set, making single service default.");
- setDefaultServiceForCategoryChecked(userId, lastFoundPaymentService,
- CardEmulation.CATEGORY_PAYMENT);
- } else {
- // No payment services left, leave default at null
- if (DBG) Log.d(TAG, "No default set, last payment service removed.");
- }
+ // A payment service may have been removed, set default payment selection to "not set".
+ if (DBG) Log.d(TAG, "No default set, last payment service removed.");
+ setDefaultServiceForCategoryChecked(userId, null, CardEmulation.CATEGORY_PAYMENT);
}
}

8
Patches/LineageOS-18.1/android_device_lge_mako/0001-LTE.patch
View File

@ -12,10 +12,10 @@ Change-Id: I36cbd7ce1a070201da24dc237154355e780d01b4
create mode 100644 overlay/packages/services/Telephony/res/values/config.xml
diff --git a/overlay/frameworks/base/core/res/res/values/config.xml b/overlay/frameworks/base/core/res/res/values/config.xml
index 560ab27..63a5014 100644
index 35452d5..0b0b09a 100644
--- a/overlay/frameworks/base/core/res/res/values/config.xml
+++ b/overlay/frameworks/base/core/res/res/values/config.xml
@@ -178,7 +178,7 @@
@@ -168,7 +168,7 @@
Empty is viewed as "all". Only used on devices which
don't support RIL_REQUEST_GET_RADIO_CAPABILITY
format is UMTS|LTE|... -->
@ -53,10 +53,10 @@ index 0000000..53c62dd
+
+</resources>
diff --git a/system_prop.mk b/system_prop.mk
index 547da5f..e240393 100644
index 716e920..984f25d 100644
--- a/system_prop.mk
+++ b/system_prop.mk
@@ -47,7 +47,7 @@ PRODUCT_PROPERTY_OVERRIDES += \
@@ -45,7 +45,7 @@ PRODUCT_PROPERTY_OVERRIDES += \
# RIL
PRODUCT_PROPERTY_OVERRIDES += \
rild.libpath=/vendor/lib/libril-qc-qmi-1.so \

2
Scripts/Common/Optimize.sh
View File

@ -46,7 +46,7 @@ sed -i 's/zramsize=.*/zramsize=75%,max_comp_streams=4/' asus/fugu/fstab.fugu &>/
sed -i 's/zramsize=.*/zramsize=75%,max_comp_streams=4/' motorola/msm8916-common/rootdir/etc/fstab.qcom &>/dev/null || true;
#2GB (1GB)
sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=2/' htc/flounder/fstab.flounder &>/dev/null || true;
sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=4/' asus/flox/rootdir/etc/fstab.flox htc/msm8974-common/rootdir/etc/fstab.qcom lge/g2-common/rootdir/etc/fstab.g2 motorola/victara/rootdir/etc/fstab.qcom samsung/klte-common/rootdir/etc/fstab.qcom &>/dev/null || true;
sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=4/' asus/flox/rootdir/etc/fstab.flox htc/msm8974-common/rootdir/etc/fstab.qcom lge/g2-common/rootdir/etc/fstab.g2 lge/mako/rootdir/etc/fstab.mako motorola/victara/rootdir/etc/fstab.qcom samsung/klte-common/rootdir/etc/fstab.qcom &>/dev/null || true;
#2/3GB (1/1.5GB)
sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=4/' lge/d850/rootdir/etc/fstab.g3 lge/d851/rootdir/etc/fstab.g3 lge/d852/rootdir/etc/fstab.g3 lge/d855/rootdir/etc/fstab.g3 samsung/apq8084-common/rootdir/etc/fstab.qcom &>/dev/null || true;
sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=6/' lge/bullhead/fstab*.bullhead &>/dev/null || true;

2
Scripts/LineageOS-15.1/Functions.sh
View File

@ -87,8 +87,6 @@ patchWorkspace() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
#source build/envsetup.sh;
#TODO: pull in P_asb_2022-07, and recheck n-asb-2022-07
#TODO: pull in P_asb_2022-08 and n-asb-2022-08
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

74
Scripts/LineageOS-15.1/Patch.sh
View File

@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; fi; #Replace the Messaging app with Silence
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2022-02-05/' core/version_defaults.mk; #Bump Security String #O_asb_2022-02 #XXX
sed -i 's/2021-10-05/2022-08-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -112,12 +112,20 @@ fi;
#fi;
if enterAndClear "frameworks/base"; then
git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/08/331108/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-05 Always restart apps if base.apk gets updated.
git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/49/332449/2 && git cherry-pick FETCH_HEAD; #n-asb-2022-06 DO NOT MERGE Add an OEM configurable limit for zen rules
git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/57/332757/2 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/76/332776/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/78/332778/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Fix security hole in GateKeeperResponse
git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/79/332779/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 RESTRICT AUTOMERGE Prevent non-admin users from deleting system apps.
applyPatch "$DOS_PATCHES/android_frameworks_base/330961-backport.patch"; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
applyPatch "$DOS_PATCHES/android_frameworks_base/331108.patch"; #n-asb-2022-05 Always restart apps if base.apk gets updated.
applyPatch "$DOS_PATCHES/android_frameworks_base/332449.patch"; #n-asb-2022-06 Add an OEM configurable limit for zen rules
applyPatch "$DOS_PATCHES/android_frameworks_base/332757.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
applyPatch "$DOS_PATCHES/android_frameworks_base/332776.patch"; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
applyPatch "$DOS_PATCHES/android_frameworks_base/332778.patch"; #P_asb_2022-06 Fix security hole in GateKeeperResponse
applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps.
applyPatch "$DOS_PATCHES/android_frameworks_base/334257-backport.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
applyPatch "$DOS_PATCHES/android_frameworks_base/334258-backport.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
applyPatch "$DOS_PATCHES/android_frameworks_base/334262.patch"; #P_asb_2022-07 Crash invalid FGS notifications
applyPatch "$DOS_PATCHES/android_frameworks_base/335117-backport.patch"; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
#applyPatch "$DOS_PATCHES/android_frameworks_base/335119.patch"; #P_asb_2022-08 Remove package title from notification access confirmation intent TODO: 335116 must be backported
applyPatch "$DOS_PATCHES/android_frameworks_base/335120.patch"; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
applyPatch "$DOS_PATCHES/android_frameworks_base/335121-backport.patch"; #P_asb_2022-08 Only allow the system server to connect to sync adapters
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@ -137,7 +145,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
fi;
if enterAndClear "frameworks/native"; then
git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/326752/2 && git cherry-pick FETCH_HEAD; #P_asb_2022-03 Check if the window is partially obscured for slippery enters
applyPatch "$DOS_PATCHES/android_frameworks_native/326752.patch"; #P_asb_2022-03 Check if the window is partially obscured for slippery enters
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
fi;
@ -199,23 +207,23 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud
fi;
if enterAndClear "packages/apps/Bluetooth"; then
git fetch https://github.com/LineageOS/android_packages_apps_Bluetooth refs/changes/51/332451/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
git fetch https://github.com/LineageOS/android_packages_apps_Bluetooth refs/changes/52/332452/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
fi;
if enterAndClear "packages/apps/Contacts"; then
git fetch https://github.com/LineageOS/android_packages_apps_Contacts refs/changes/60/332760/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 No longer export CallSubjectDialog
applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/332760.patch"; #P_asb_2022-06 No longer export CallSubjectDialog
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0001-No_Google_Links.patch"; #Remove Privacy Policy and Terms of Service links (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0003-Skip_Accounts.patch"; #Don't prompt to add account when creating a contact (CalyxOS)
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0004-No_GMaps.patch"; #Use common intent for directions instead of Google Maps URL (GrapheneOS)
fi;
if enterAndClear "packages/apps/Dialer"; then
git fetch https://github.com/LineageOS/android_packages_apps_Dialer refs/changes/61/332761/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 No longer export CallSubjectDialog
applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/332761.patch"; #P_asb_2022-06 No longer export CallSubjectDialog
fi;
if enterAndClear "packages/apps/KeyChain"; then
git fetch https://github.com/LineageOS/android_packages_apps_KeyChain refs/changes/36/334036/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-07 Encode authority part of uri before showing in UI
applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/334264.patch"; #P_asb_2022-07 Encode authority part of uri before showing in UI
fi;
if enterAndClear "packages/apps/LineageParts"; then
@ -224,14 +232,20 @@ applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytic
fi;
if enterAndClear "packages/apps/Nfc"; then
git fetch https://github.com/LineageOS/android_packages_apps_Nfc refs/changes/46/328346/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-04 Do not set default contactless application without user interaction
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
fi;
if enterAndClear "packages/apps/Settings"; then
git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/99/327099/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-03 Add caller check to com.android.credentials.RESET [Backport]
git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/58/326758/2 && git cherry-pick FETCH_HEAD; #P_asb_2022-03 Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/63/332763/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/37/334037/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/326758.patch"; #P_asb_2022-03 Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/326759.patch"; #P_asb_2022-03 Add caller check to com.android.credentials.RESET
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-2022-03 Add caller check to com.android.credentials.RESET
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334265.patch"; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335111.patch"; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335114.patch"; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_2022-08 Fix can't change notification sound for work profile.
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI #TODO: needs backport
git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
if [ "$DOS_SENSORS_PERM" = true ]; then
@ -264,12 +278,16 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
fi;
if enterAndClear "packages/providers/ContactsProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/335110.patch"; #P_asb_2022-08 enforce stricter CallLogProvider query
fi;
if enterAndClear "packages/providers/MediaProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/0001-External_Permission.patch"; #Fix permission denial (luca.stefani)
fi;
if enterAndClear "packages/services/Telecomm"; then
git fetch https://github.com/LineageOS/android_packages_services_Telecomm refs/changes/64/332764/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
fi;
if enterAndClear "packages/services/Telephony"; then
@ -278,11 +296,15 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred
fi;
if enterAndClear "system/bt"; then
git fetch https://github.com/LineageOS/android_system_bt refs/changes/47/328347/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-04 Security fix OOB read due to invalid count in stack/avrc/avrc_pars_ct
applyPatch "$DOS_PATCHES/android_system_bt/328347.patch"; #P_asb_2022-04 Security fix OOB read due to invalid count in stack/avrc/avrc_pars_ct
applyPatch "$DOS_PATCHES/android_system_bt/334266.patch"; #P_asb_2022-07 Security: Fix out of bound write in HFP client
applyPatch "$DOS_PATCHES/android_system_bt/334267.patch"; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
applyPatch "$DOS_PATCHES/android_system_bt/334268.patch"; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
applyPatch "$DOS_PATCHES/android_system_bt/335109.patch"; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
fi;
if enterAndClear "system/core"; then
git fetch https://github.com/LineageOS/android_system_core refs/changes/65/332765/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
applyPatch "$DOS_PATCHES/android_system_core/332765.patch"; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4; #Always update recovery
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
@ -290,7 +312,7 @@ applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
fi;
if enterAndClear "system/nfc"; then
git fetch https://github.com/LineageOS/android_system_nfc refs/changes/67/332767/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
fi;
if enterAndClear "system/sepolicy"; then
@ -304,7 +326,13 @@ applyPatch "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable
fi;
if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then
git fetch https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci refs/changes/71/332771/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
fi;
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
fi;
if enterAndClear "vendor/lineage"; then

2
Scripts/LineageOS-19.1/Patch.sh
View File

@ -177,7 +177,7 @@ sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySys
sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/wm/ActivityTaskManagerService.java; #Disable partition fingerprint mismatch warnings XXX: TEMPORARY FIX
sed -i 's/MAX_PASSWORD_LENGTH = 16/MAX_PASSWORD_LENGTH = 64/' core/java/android/app/admin/DevicePolicyManager.java; #Increase default max password length to 64 (GrapheneOS)
sed -i 's/DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 \* 60 \* 60 \* 1000;/DEFAULT_STRONG_AUTH_TIMEOUT_MS = 12 * 60 * 60 * 1000;/' core/java/android/app/admin/DevicePolicyManager.java; #Decrease the strong auth prompt timeout to occur more often
##sed -i '282i\ if(packageList != null && packageList.size() > 0) { packageList.add("net.sourceforge.opencamera"); }' core/java/android/hardware/Camera.java; #Add Open Camera to aux camera allowlist XXX: needs testing, broke boot last time
#sed -i '282i\ if(packageList != null && packageList.size() > 0) { packageList.add("net.sourceforge.opencamera"); }' core/java/android/hardware/Camera.java; #Add Open Camera to aux camera allowlist XXX: needs testing, broke boot last time
if [ "$DOS_MICROG_INCLUDED" != "FULL" ]; then rm -rf packages/CompanionDeviceManager; fi; #Used to support Android Wear (which hard depends on GMS)
rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
fi;