diff --git a/Patches/LineageOS-15.1/android_frameworks_base/330961-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/330961-backport.patch new file mode 100644 index 00000000..20e71f8e --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/330961-backport.patch 
@@ -0,0 +1,157 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Matt Pietal +Date: Fri, 1 Oct 2021 11:03:16 -0400 +Subject: [PATCH] Keyguard - Treat messsages to lock with priority + +When switching users and attempting to lock the device, the sysui main +thread becomes overwhelmed with events, creating a significant lag +between the time a message is posted and processed on the main +thread. This can be dangerous when these events are critical for +security, such as calls coming from PhoneWindowManager#lockNow() that +call KeyguardViewMediator#doKeyguardTimeout(). On older devices with +slower CPUs and less memory, the delay in processing can be +significant (15 - 30s). + +The result of not prioritizing these events leads to a window of time +where a guest user can switch back to the owner, and gain access to +the owner's homescreen without needing to unlock the device with the +owner's credentials. + +As a mitigation, prioritize two events originating in two specific +methods to make sure the device locks as soon as possible as well as +have the system server preemptively update its local cache. 
+ +Bug: 151095871 +Test: Very manual race condition - follow steps listed in bug +Change-Id: I7585a0a5eeb308e0e32a4f77f581556d883b5cda +Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda +(cherry picked from commit 28c53ab8bca26af58b45625c1ebba8b9051c107d) +(cherry picked from commit 563fdf4259d0e28fd960acbb63431e146707d11b) +Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda +--- + .../internal/policy/IKeyguardStateCallback.aidl | 2 +- + .../systemui/keyguard/KeyguardViewMediator.java | 16 +++++++++++----- + .../policy/keyguard/KeyguardServiceWrapper.java | 6 ++++++ + .../policy/keyguard/KeyguardStateMonitor.java | 8 +++++--- + 4 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl +index 8e454db4cb04..a8003a1169e9 100644 +--- a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl ++++ b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl +@@ -16,7 +16,7 @@ + package com.android.internal.policy; + + interface IKeyguardStateCallback { +- void onShowingStateChanged(boolean showing); ++ void onShowingStateChanged(boolean showing, int userId); + void onSimSecureStateChanged(boolean simSecure); + void onInputRestrictedStateChanged(boolean inputRestricted); + void onTrustedChanged(boolean trusted); +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index 83141f135c90..55db01aca600 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -1226,7 +1226,9 @@ public class KeyguardViewMediator extends SystemUI { + public void doKeyguardTimeout(Bundle options) { + mHandler.removeMessages(KEYGUARD_TIMEOUT); + Message msg = mHandler.obtainMessage(KEYGUARD_TIMEOUT, 
options); +- mHandler.sendMessage(msg); ++ // Treat these messages with priority - A call to timeout means the device should lock ++ // as soon as possible and not wait for other messages on the thread to process first. ++ mHandler.sendMessageAtFrontOfQueue(msg); + } + + /** +@@ -1421,12 +1423,15 @@ public class KeyguardViewMediator extends SystemUI { + * @see #handleShow + */ + private void showLocked(Bundle options) { +- Trace.beginSection("KeyguardViewMediator#showLocked aqcuiring mShowKeyguardWakeLock"); ++ Trace.beginSection("KeyguardViewMediator#showLocked acquiring mShowKeyguardWakeLock"); + if (DEBUG) Log.d(TAG, "showLocked"); + // ensure we stay awake until we are finished displaying the keyguard + mShowKeyguardWakeLock.acquire(); + Message msg = mHandler.obtainMessage(SHOW, options); +- mHandler.sendMessage(msg); ++ // Treat these messages with priority - This call can originate from #doKeyguardTimeout, ++ // meaning the device should lock as soon as possible and not wait for other messages on ++ // the thread to process first. 
++ mHandler.sendMessageAtFrontOfQueue(msg); + Trace.endSection(); + } + +@@ -1579,6 +1584,7 @@ public class KeyguardViewMediator extends SystemUI { + case KEYGUARD_TIMEOUT: + synchronized (KeyguardViewMediator.this) { + doKeyguardLocked((Bundle) msg.obj); ++ notifyDefaultDisplayCallbacks(mShowing); + } + break; + case DISMISS: +@@ -2122,7 +2128,7 @@ public class KeyguardViewMediator extends SystemUI { + for (int i = size - 1; i >= 0; i--) { + IKeyguardStateCallback callback = mKeyguardStateCallbacks.get(i); + try { +- callback.onShowingStateChanged(showing); ++ callback.onShowingStateChanged(showing, KeyguardUpdateMonitor.getCurrentUser()); + } catch (RemoteException e) { + Slog.w(TAG, "Failed to call onShowingStateChanged", e); + if (e instanceof DeadObjectException) { +@@ -2170,7 +2176,7 @@ public class KeyguardViewMediator extends SystemUI { + mKeyguardStateCallbacks.add(callback); + try { + callback.onSimSecureStateChanged(mUpdateMonitor.isSimPinSecure()); +- callback.onShowingStateChanged(mShowing); ++ callback.onShowingStateChanged(mShowing, KeyguardUpdateMonitor.getCurrentUser()); + callback.onInputRestrictedStateChanged(mInputRestricted); + callback.onTrustedChanged(mUpdateMonitor.getUserHasTrust( + KeyguardUpdateMonitor.getCurrentUser())); +diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java +index 952e0b017041..6bbc20338b02 100644 +--- a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java ++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java +@@ -192,6 +192,12 @@ public class KeyguardServiceWrapper implements IKeyguardService { + + @Override // Binder interface + public void doKeyguardTimeout(Bundle options) { ++ int userId = mKeyguardStateMonitor.getCurrentUser(); ++ if (mKeyguardStateMonitor.isSecure(userId)) { ++ // Preemptively inform the cache that the keyguard 
will soon be showing, as calls to ++ // doKeyguardTimeout are a signal to lock the device as soon as possible. ++ mKeyguardStateMonitor.onShowingStateChanged(true, userId); ++ } + try { + mService.doKeyguardTimeout(options); + } catch (RemoteException e) { +diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java +index fd34c510d98d..d454f26a4317 100644 +--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java ++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java +@@ -84,7 +84,9 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { + } + + @Override // Binder interface +- public void onShowingStateChanged(boolean showing) { ++ public void onShowingStateChanged(boolean showing, int userId) { ++ if (userId != mCurrentUserId) return; ++ + mIsShowing = showing; + + mCallback.onShowingChanged(); +@@ -99,7 +101,7 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { + mCurrentUserId = userId; + } + +- private synchronized int getCurrentUser() { ++ public synchronized int getCurrentUser() { + return mCurrentUserId; + } + +@@ -133,4 +135,4 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { + pw.println(prefix + "mTrusted=" + mTrusted); + pw.println(prefix + "mCurrentUserId=" + mCurrentUserId); + } +-} +\ No newline at end of file ++} diff --git a/Patches/LineageOS-15.1/android_frameworks_base/331108.patch b/Patches/LineageOS-15.1/android_frameworks_base/331108.patch new file mode 100644 index 00000000..126c0b7f --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/331108.patch 
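Review bot: The signature change to `onShowingStateChanged(boolean showing, int userId)` in IKeyguardStateCallback.aidl alters a Binder method, so every Stub implementer and every caller in the 15.1 tree has to change in the same patch; the backport updates only KeyguardStateMonitor and KeyguardViewMediator, so confirm no other implementation of that interface exists before applying, since a stale one fails at build time or at transaction time. In KeyguardStateMonitor the new early return `if (userId != mCurrentUserId) return;` reads `mCurrentUserId` outside the `synchronized` that the visible `getCurrentUser()` uses; if the setter is synchronized as well, a comment such as `// unsynchronized read: a stale user id can at most drop one update until the next callback` would record why that is tolerated, and if it is not, the read should take the same lock. The preemptive `mKeyguardStateMonitor.onShowingStateChanged(true, userId)` in KeyguardServiceWrapper.doKeyguardTimeout is reconciled by the added `notifyDefaultDisplayCallbacks(mShowing)` in the KEYGUARD_TIMEOUT handler, and the wrapper comment should name that handler so the two halves are not separated in a later rebase.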
@@ -0,0 +1,87 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alex Buynytskyy +Date: Thu, 24 Feb 2022 21:40:13 -0800 +Subject: [PATCH] Always restart apps if base.apk gets updated. + +Bug: 219044664 +Fixes: 219044664 +Test: atest PackageManagerShellCommandTest +Change-Id: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296 +Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296 +(cherry picked from commit a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2) +Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296 +--- + .../android/content/pm/IPackageInstallerSession.aidl | 2 ++ + core/java/android/content/pm/PackageInstaller.java | 12 ++++++++++++ + .../android/server/pm/PackageInstallerSession.java | 10 ++++++++++ + 3 files changed, 24 insertions(+) + +diff --git a/core/java/android/content/pm/IPackageInstallerSession.aidl b/core/java/android/content/pm/IPackageInstallerSession.aidl +index 0b16852246f8..7e395ba13c49 100644 +--- a/core/java/android/content/pm/IPackageInstallerSession.aidl ++++ b/core/java/android/content/pm/IPackageInstallerSession.aidl +@@ -35,4 +35,6 @@ interface IPackageInstallerSession { + void commit(in IntentSender statusReceiver, boolean forTransferred); + void transfer(in String packageName); + void abandon(); ++ ++ int getInstallFlags(); + } +diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java +index 8fdbf64c2759..81f04b7450bc 100644 +--- a/core/java/android/content/pm/PackageInstaller.java ++++ b/core/java/android/content/pm/PackageInstaller.java +@@ -1012,6 +1012,18 @@ public class PackageInstaller { + throw e.rethrowFromSystemServer(); + } + } ++ ++ /** ++ * @return Session's {@link SessionParams#installFlags}. 
++ * @hide ++ */ ++ public int getInstallFlags() { ++ try { ++ return mSession.getInstallFlags(); ++ } catch (RemoteException e) { ++ throw e.rethrowFromSystemServer(); ++ } ++ } + } + + /** +diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java +index ab1079c8da4d..2d3ddf19cf3a 100644 +--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java ++++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java +@@ -81,6 +81,7 @@ import android.system.OsConstants; + import android.system.StructStat; + import android.text.TextUtils; + import android.util.ArraySet; ++import android.util.EventLog; + import android.util.ExceptionUtils; + import android.util.MathUtils; + import android.util.Slog; +@@ -1147,6 +1148,10 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { + if (mResolvedBaseFile == null) { + mResolvedBaseFile = new File(appInfo.getBaseCodePath()); + mResolvedInheritedFiles.add(mResolvedBaseFile); ++ } else if ((params.installFlags & PackageManager.INSTALL_DONT_KILL_APP) != 0) { ++ EventLog.writeEvent(0x534e4554, "219044664"); ++ // Installing base.apk. Make sure the app is restarted. ++ params.setDontKillApp(false); + } + + // Inherit splits if not overridden +@@ -1514,6 +1519,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { + dispatchSessionFinished(INSTALL_FAILED_ABORTED, "Session was abandoned", null); + } + ++ @Override ++ public int getInstallFlags() { ++ return params.installFlags; ++ } ++ + private void dispatchSessionFinished(int returnCode, String msg, Bundle extras) { + final IPackageInstallObserver2 observer; + final String packageName; diff --git a/Patches/LineageOS-15.1/android_frameworks_base/332449.patch b/Patches/LineageOS-15.1/android_frameworks_base/332449.patch new file mode 100644 index 00000000..6833bee0 --- /dev/null 
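Review bot: The new Binder entry point `getInstallFlags()` in PackageInstallerSession returns `params.installFlags` with no caller check, unlike the session's other Binder methods, which assert that the caller owns the session (that assertion is outside the hunk, so this is inferred from the class rather than from visible lines); the flags are not secret, but a one-line guard matching the class convention keeps the session surface uniform, and the `@hide` Javadoc on the client side should say the method exists for tests. The enforcement itself runs only in the `else` of `mResolvedBaseFile == null`, i.e. when a new base.apk was staged, and clearing the flag with `params.setDontKillApp(false)` also prevents the `EventLog.writeEvent(0x534e4554, "219044664")` line from firing twice; moving the comment `// Installing base.apk. Make sure the app is restarted.` above the EventLog call would explain both lines together. The enclosing method starts outside the hunk.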
+++ b/Patches/LineageOS-15.1/android_frameworks_base/332449.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Tue, 1 Mar 2022 10:30:27 -0500 +Subject: [PATCH] DO NOT MERGE Add an OEM configurable limit for zen rules + +Test: ZenModeHelperTest +Bug: 220735360 +Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36 +Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36 +(cherry picked from commit 3072d98c2dc2b709bd8ffc343c101557a53dd188) +Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36 +--- + .../com/android/server/notification/ZenModeHelper.java | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/notification/ZenModeHelper.java b/services/core/java/com/android/server/notification/ZenModeHelper.java +index ffdafc562673..6b72ae63c463 100644 +--- a/services/core/java/com/android/server/notification/ZenModeHelper.java ++++ b/services/core/java/com/android/server/notification/ZenModeHelper.java +@@ -83,6 +83,7 @@ public class ZenModeHelper { + + // The amount of time rules instances can exist without their owning app being installed. + private static final int RULE_INSTANCE_GRACE_PERIOD = 1000 * 60 * 60 * 72; ++ static final int RULE_LIMIT_PER_PACKAGE = 100; + + private final Context mContext; + private final H mHandler; +@@ -305,8 +306,10 @@ public class ZenModeHelper { + ruleInstanceLimit = owner.metaData.getInt( + ConditionProviderService.META_DATA_RULE_INSTANCE_LIMIT, -1); + } +- if (ruleInstanceLimit > 0 && ruleInstanceLimit +- < (getCurrentInstanceCount(automaticZenRule.getOwner()) + 1)) { ++ int newRuleInstanceCount = getCurrentInstanceCount(automaticZenRule.getOwner()) ++ + 1; ++ if (newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE ++ || (ruleInstanceLimit > 0 && ruleInstanceLimit < newRuleInstanceCount)) { + throw new IllegalArgumentException("Rule instance limit exceeded"); + } + } 
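Review bot: The subject calls the limit "OEM configurable", but the hunk adds `static final int RULE_LIMIT_PER_PACKAGE = 100;` as a compile-time constant with no resource or property lookup visible, so as applied here it is a fixed cap; either document it as such, e.g. `// Hard cap on automatic zen rules per package, applied in addition to the provider's META_DATA_RULE_INSTANCE_LIMIT`, or wire it to a config value if that was the intent. The rewritten condition `newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE || (ruleInstanceLimit > 0 && ruleInstanceLimit < newRuleInstanceCount)` keeps the previous per-provider behaviour and adds the cap, which reads correctly. The enclosing method starts outside the hunk.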
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/332757.patch b/Patches/LineageOS-15.1/android_frameworks_base/332757.patch new file mode 100644 index 00000000..2ef9e2f4 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/332757.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Mon, 31 Jan 2022 20:31:42 +0000 +Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10; api doc + update + +bug: 209814693 +Bug: 217934478 +Test: CTS +Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57 +Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57 +(cherry picked from commit f0f67b5a319efedbf8693b436a641fa65bc2d8be) +Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57 +--- + telecomm/java/android/telecom/TelecomManager.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java +index 53ebbe47d23a..6dc3f917533a 100644 +--- a/telecomm/java/android/telecom/TelecomManager.java ++++ b/telecomm/java/android/telecom/TelecomManager.java +@@ -960,9 +960,14 @@ public class TelecomManager { + * when placing calls. The user may still need to enable the {@link PhoneAccount} within + * the phone app settings before the account is usable. + *

++ * Note: Each package is limited to 10 {@link PhoneAccount} registrations. ++ *

+ * A {@link SecurityException} will be thrown if an app tries to register a + * {@link PhoneAccountHandle} where the package name specified within + * {@link PhoneAccountHandle#getComponentName()} does not match the package name of the app. ++ *

++ * A {@link IllegalArgumentException} will be thrown if an app tries to register a ++ * {@link PhoneAccount} when the upper bound limit, 10, has already been reached. + * + * @param account The complete {@link PhoneAccount}. + */ diff --git a/Patches/LineageOS-15.1/android_frameworks_base/332776.patch b/Patches/LineageOS-15.1/android_frameworks_base/332776.patch new file mode 100644 index 00000000..164488bc --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/332776.patch 
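Review bot: The added Javadoc in TelecomManager.registerPhoneAccount promises an `IllegalArgumentException` once 10 `PhoneAccount` registrations exist, but nothing in this patch enforces it; in AOSP the check lives in the Telecom service, so this documentation is only accurate if the matching Telecom change is applied to the same tree. If that companion patch is absent, the framework would document a bound that the service does not apply, so it is worth adding a line to the patch series notes naming the Telecom change this depends on.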
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: David Christie +Date: Fri, 11 Mar 2022 01:13:31 +0000 +Subject: [PATCH] Update GeofenceHardwareRequestParcelable to match + parcel/unparcel format. + +Test: manual +Bug: 216631962 + +Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3 +(cherry picked from commit 3e1ffdb29417f4fb994587a013fa56c83e157f6f) +Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3 +--- + .../location/GeofenceHardwareRequestParcelable.java | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java +index d3311f5c8c5e..fc27d1de6372 100644 +--- a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java ++++ b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java +@@ -16,9 +16,9 @@ + + package android.hardware.location; + ++import android.os.BadParcelableException; + import android.os.Parcel; + import android.os.Parcelable; +-import android.util.Log; + + /** + * Geofence Hardware Request used for internal location services communication. +@@ -139,11 +139,8 @@ public final class GeofenceHardwareRequestParcelable implements Parcelable { + @Override + public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) { + int geofenceType = parcel.readInt(); +- if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) { +- Log.e( +- "GeofenceHardwareRequest", +- String.format("Invalid Geofence type: %d", geofenceType)); +- return null; ++ if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) { ++ throw new BadParcelableException("Invalid Geofence type: " + geofenceType); + } + + GeofenceHardwareRequest request = GeofenceHardwareRequest.createCircularGeofence( 
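Review bot: Throwing `BadParcelableException` from `createFromParcel` is the right replacement for returning null, but the point of the upstream change (the subject says "match parcel/unparcel format") is that every field `writeToParcel` writes is consumed in the same order by `createFromParcel`, and only the type check is visible here; confirm that the 15.1 versions of the two methods agree field for field, since a mismatch elsewhere in the method would leave the same class of bug in place. The hunk also removes `import android.util.Log;`, so any remaining use of `Log` in the file would break the build and is worth a quick check before applying. The enclosing method continues outside the hunk.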
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/332778.patch b/Patches/LineageOS-15.1/android_frameworks_base/332778.patch new file mode 100644 index 00000000..e2c4d589 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/332778.patch 
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ayush Sharma +Date: Wed, 16 Mar 2022 10:32:23 +0000 +Subject: [PATCH] Fix security hole in GateKeeperResponse + +GateKeeperResponse has inconsistent writeToParcel() and +createFromParcel() methods, making it possible for a malicious app to +create a Bundle that changes contents after reserialization. Such +Bundles can be used to execute Intents with system privileges. + +We fixed related issues previously for GateKeeperResponse class, but +one of the case was remaining when payload is byte array of size 0, +Fixing this case now. + +Bug: 220303465 +Test: With the POC provided in the bug. +Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586 +Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586 + +(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496) + +Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958 +(cherry picked from commit 658c53c47c0d1b6a74d3c0a72372aaaba16c2516) +Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958 +--- + core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java +index 9b529345851b..4502c0ef2898 100644 +--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java ++++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java +@@ -103,7 +103,7 @@ public final class GateKeeperResponse implements Parcelable { + dest.writeInt(mTimeout); + } else if (mResponseCode == RESPONSE_OK) { + dest.writeInt(mShouldReEnroll ? 1 : 0); +- if (mPayload != null) { ++ if (mPayload != null && mPayload.length > 0) { + dest.writeInt(mPayload.length); + dest.writeByteArray(mPayload); + } else { 
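Review bot: The guard `if (mPayload != null && mPayload.length > 0)` fixes the write side for an empty payload, but the `else` branch and the reading side in `createFromParcel` are outside the hunk, and the fix is complete only if the reader treats the else-branch encoding and a zero-length array identically; confirm that on the 15.1 class before applying. A comment on the changed line such as `// An empty payload is written like a null one so that writeToParcel and createFromParcel stay symmetric` would record why the length check exists.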
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/332779.patch b/Patches/LineageOS-15.1/android_frameworks_base/332779.patch new file mode 100644 index 00000000..0c374de6 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/332779.patch 
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 25 Mar 2022 10:02:41 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting + system apps. + +This addresses a security issue where the guest user can remove updates +for system apps. + +With this CL, attempts to uninstall/downgrade system apps will fail if +attempted by a non-admin user. + +This is a backport of ag/17352264. + +Bug: 170646036 +Test: manual, try uninstalling system app update as guest +Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb +Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165 +(cherry picked from commit a7621e0ce00f1d140b375518e26cf75693314203) +Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb +--- + .../com/android/server/pm/PackageManagerService.java | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index c0845d07d753..235e7d19d8f1 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -19837,6 +19837,16 @@ public class PackageManagerService extends IPackageManager.Stub + return PackageManager.DELETE_FAILED_INTERNAL_ERROR; + } + ++ if (isSystemApp(uninstalledPs)) { ++ UserInfo userInfo = sUserManager.getUserInfo(userId); ++ if (userInfo == null || !userInfo.isAdmin()) { ++ Slog.w(TAG, "Not removing package " + packageName ++ + " as only admin user may downgrade system apps"); ++ EventLog.writeEvent(0x534e4554, "170646036", -1, packageName); ++ return PackageManager.DELETE_FAILED_USER_RESTRICTED; ++ } ++ } ++ + // Static shared libs can be declared by any package, so let us not + // allow removing a package if it provides a lib others depend on. + pkg = mPackages.get(packageName); 
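Review bot: The new admin check decides on `userId` and also refuses when `sUserManager.getUserInfo(userId)` returns null; confirm in the 15.1 enclosing method (it starts outside the hunk) that `userId` here is the requesting user rather than a target user supplied by a privileged caller, otherwise a system- or shell-initiated removal of a system-app update for a secondary user is refused as well. The log line `"as only admin user may downgrade system apps"` could also mention uninstall, since the branch blocks both; the EventLog call with the bug id and package name matches the convention used by the other patches in this series.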
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/334257-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/334257-backport.patch new file mode 100644 index 00000000..3e5f416f --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/334257-backport.patch 
@@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 24 Jan 2022 20:33:11 +0000 +Subject: [PATCH] UserDataPreparer: reboot to recovery if preparing user + storage fails + +StorageManager.prepareUserStorage() can throw an exception if a +directory cannot be encrypted, for example due to already being +nonempty. In this case, usage of the directory must not be allowed to +proceed. UserDataPreparer currently handles this by deleting the user's +directories, but the error is still ultimately suppressed and starting +the user is still allowed to proceed. + +The correct behavior in this case is to reboot into recovery to ask the +user to factory reset the device. This is already what happens when +'init' fails to encrypt a directory with the system DE policy. However, +this was overlooked for the user directories. Start doing this. + +Bug: 164488924 +Bug: 224585613 +Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54 +(cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254) +Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54 +(cherry picked from commit ea010f3dd213bb6b5f3ed28b89988754ed26aac6) +Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54 +--- + .../core/java/com/android/server/pm/UserDataPreparer.java | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java +index b8b00af448eb..aaba1800949b 100644 +--- a/services/core/java/com/android/server/pm/UserDataPreparer.java ++++ b/services/core/java/com/android/server/pm/UserDataPreparer.java +@@ -20,6 +20,7 @@ import android.content.Context; + import android.content.pm.UserInfo; + import android.os.Environment; + import android.os.FileUtils; ++import android.os.RecoverySystem; + import android.os.storage.StorageManager; + import android.os.storage.VolumeInfo; + import android.system.ErrnoException; +@@ 
-104,6 +105,13 @@ class UserDataPreparer { + if (allowRecover) { + // Try one last time; if we fail again we're really in trouble + prepareUserDataLI(volumeUuid, userId, userSerial, flags, false); ++ } else { ++ try { ++ Log.e(TAG, "prepareUserData failed", e); ++ RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed"); ++ } catch (IOException e2) { ++ throw new RuntimeException("error rebooting into recovery", e2); ++ } + } + } + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/334258-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/334258-backport.patch new file mode 100644 index 00000000..a7f43ffc --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/334258-backport.patch 
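Review bot: In the new `else` branch of UserDataPreparer the original failure `e` is logged but not attached to the `RuntimeException` thrown when the reboot itself fails, so the resulting crash trace shows only the reboot error; `throw new RuntimeException("error rebooting into recovery after prepareUserData failure: " + e, e2);` keeps both visible. The same pattern is retained by 334258-backport.patch, which rewrites this branch. The enclosing method starts outside the hunk.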
@@ -0,0 +1,53 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 4 Mar 2022 00:07:29 +0000 +Subject: [PATCH] UserDataPreparer: reboot to recovery for system user only + +With the next CL, old devices might contain a combination of old users +with prepareUserStorage error checking disabled and new users with +prepareUserStorage error checking enabled. Factory resetting the whole +device when any user fails to prepare may be too aggressive. Also, +UserDataPreparer already destroys the affected user's storage when it +fails to prepare, which seems to be fairly effective at breaking things +for that user (absent proper error handling by upper layers). + +Therefore, let's only factory reset the device if the failing user is +the system user. + +Bug: 164488924 +Bug: 224585613 +Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97 +(cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7) +Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97 +(cherry picked from commit a296a2b724f3b7233952740231a49d432949276b) +Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97 +--- + .../core/java/com/android/server/pm/UserDataPreparer.java | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java +index aaba1800949b..965e6096e103 100644 +--- a/services/core/java/com/android/server/pm/UserDataPreparer.java ++++ b/services/core/java/com/android/server/pm/UserDataPreparer.java +@@ -21,6 +21,7 @@ import android.content.pm.UserInfo; + import android.os.Environment; + import android.os.FileUtils; + import android.os.RecoverySystem; ++import android.os.UserHandle; + import android.os.storage.StorageManager; + import android.os.storage.VolumeInfo; + import android.system.ErrnoException; +@@ -107,8 +108,11 @@ class UserDataPreparer { + prepareUserDataLI(volumeUuid, userId, 
userSerial, flags, false); + } else { + try { +- Log.e(TAG, "prepareUserData failed", e); +- RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed"); ++ Log.wtf(TAG, "prepareUserData failed for user " + userId, e); ++ if (userId == UserHandle.USER_SYSTEM) { ++ RecoverySystem.rebootPromptAndWipeUserData(mContext, ++ "prepareUserData failed for system user"); ++ } + } catch (IOException e2) { + throw new RuntimeException("error rebooting into recovery", e2); + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/334262.patch b/Patches/LineageOS-15.1/android_frameworks_base/334262.patch new file mode 100644 index 00000000..95e30184 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/334262.patch 
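Review bot: For users other than `UserHandle.USER_SYSTEM` the failure is now only reported via `Log.wtf` and the method returns normally, so starting that user proceeds with whatever state the earlier error handling left (the commit message says the user's storage is destroyed, but that code is outside the hunk); a comment in the non-system path such as `// Non-system user: storage was destroyed above, upper layers must cope with the missing directories` would keep that contract explicit for the next reader. The enclosing method starts outside the hunk.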
@@ -0,0 +1,56 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Wed, 7 Jul 2021 16:19:44 -0400 +Subject: [PATCH] DO NOT MERGE Crash invalid FGS notifications + +Test: CTS, ActivityManagerProcessStateTest +Fixes: 191981182 +Change-Id: I13a0202b25c8118db47edba11a93c1939c94b392 +Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392 +(cherry picked from commit 6f657f8f5b7d41af426d6cd8d60bfda6e12057c0) +(cherry picked from commit b6b2906ea6472d182e6ae03c581a63802cd84f08) +Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392 + +Backport to P: +Make method Notification.isForegroundService() public, as it is the case +in Android 10 and later, see Ia13c1aac0cf91c400594df96ce267e768133f8d1 + +Change-Id: I214b6ab4f6ecab332fb8b3293fbc3b2212790b38 +--- + core/java/android/app/Notification.java | 3 ++- + .../server/notification/NotificationManagerService.java | 7 +++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index eda12623cf65..b7d265c26f22 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -5208,8 +5208,9 @@ public class Notification implements Parcelable + + /** + * @return whether this notification is a foreground service notification ++ * @hide + */ +- private boolean isForegroundService() { ++ public boolean isForegroundService() { + return (flags & Notification.FLAG_FOREGROUND_SERVICE) != 0; + } + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index 54f13956e6b7..9e63265e4e93 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -3535,8 +3535,11 @@ public class NotificationManagerService 
extends SystemService { + notification.flags &= ~Notification.FLAG_CAN_COLORIZE; + } + +- } catch (NameNotFoundException e) { +- Slog.e(TAG, "Cannot create a context for sending app", e); ++ } catch (Exception e) { ++ if (notification.isForegroundService()) { ++ throw new SecurityException("Invalid FGS notification", e); ++ } ++ Slog.e(TAG, "Cannot fix notification", e); + return; + } + diff --git a/Patches/LineageOS-15.1/android_frameworks_base/335117-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/335117-backport.patch new file mode 100644 index 00000000..956a609b --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/335117-backport.patch 
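Review bot: Widening the catch from `NameNotFoundException` to `Exception` means any RuntimeException raised while fixing a non-FGS notification is now logged as `Cannot fix notification` and the post is silently dropped, which also hides programming errors in the preceding code; the enclosing method starts outside the hunk, so which calls the wider catch now covers is not visible. A comment on the catch such as `// Any failure while fixing an FGS notification is fatal to the poster; other notifications are dropped with a log` would make the deliberate breadth clear. The backport's change of `isForegroundService()` to `public` with `@hide` mirrors later releases and is fine.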
@@ -0,0 +1,136 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jeff Chang +Date: Wed, 29 Sep 2021 16:49:00 +0800 +Subject: [PATCH] Only allow system and same app to apply + relinquishTaskIdentity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Any malicious application could hijack tasks by +android:relinquishTaskIdentity. This vulnerability can perform UI +spoofing or spy on user’s activities. + +This CL limit the usage which only allow system and same app to apply +relinquishTaskIdentity + +Bug: 185810717 +Test: atest IntentTests + atest ActivityStarterTests +Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049 +(cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec) +Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049 +--- + .../com/android/server/am/TaskRecord.java | 51 ++++++++++++++----- + 1 file changed, 39 insertions(+), 12 deletions(-) + +diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java +index f83310954c3d..d44f4e3eacbb 100644 +--- a/services/core/java/com/android/server/am/TaskRecord.java ++++ b/services/core/java/com/android/server/am/TaskRecord.java +@@ -40,6 +40,7 @@ import android.graphics.Point; + import android.graphics.Rect; + import android.os.Debug; + import android.os.ParcelFileDescriptor; ++import android.os.Process; + import android.os.RemoteException; + import android.os.Trace; + import android.os.UserHandle; +@@ -190,6 +191,11 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta + // Do not move the stack as a part of reparenting + public static final int REPARENT_LEAVE_STACK_IN_PLACE = 2; + ++ /** ++ * Used to identify if the activity that is installed from device's system image. ++ */ ++ boolean mIsEffectivelySystemApp; ++ + final int taskId; // Unique identifier for this task. 
+ String affinity; // The affinity name for this task, or null; may change identity. + String rootAffinity; // Initial base affinity, or null; does not change from initial root. +@@ -791,16 +797,24 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta + + /** Sets the original intent, and the calling uid and package. */ + void setIntent(ActivityRecord r) { +- mCallingUid = r.launchedFromUid; +- mCallingPackage = r.launchedFromPackage; +- setIntent(r.intent, r.info); ++ boolean updateIdentity = false; ++ if (this.intent == null) { ++ updateIdentity = true; ++ } else if (!mNeverRelinquishIdentity) { ++ updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp ++ || effectiveUid == r.info.applicationInfo.uid); ++ } ++ if (updateIdentity) { ++ mCallingUid = r.launchedFromUid; ++ mCallingPackage = r.launchedFromPackage; ++ setIntent(r.intent, r.info); ++ } + } + + /** Sets the original intent, _without_ updating the calling uid or package. */ + private void setIntent(Intent _intent, ActivityInfo info) { + if (intent == null) { +- mNeverRelinquishIdentity = +- (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0; ++ mNeverRelinquishIdentity = (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0; + } else if (mNeverRelinquishIdentity) { + return; + } +@@ -813,6 +827,7 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta + rootAffinity = affinity; + } + effectiveUid = info.applicationInfo.uid; ++ mIsEffectivelySystemApp = info.applicationInfo.isSystemApp(); + stringName = null; + + if (info.targetActivity == null) { +@@ -1648,12 +1663,12 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta + // utility activities. 
+ int activityNdx; + final int numActivities = mActivities.size(); +- final boolean relinquish = numActivities != 0 && +- (mActivities.get(0).info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0; +- for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities; +- ++activityNdx) { ++ for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) { + final ActivityRecord r = mActivities.get(activityNdx); +- if (relinquish && (r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) { ++ if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0 ++ || (r.info.applicationInfo.uid != Process.SYSTEM_UID ++ && !r.info.applicationInfo.isSystemApp() ++ && r.info.applicationInfo.uid != effectiveUid)) { + // This will be the top activity for determining taskDescription. Pre-inc to + // overcome initial decrement below. + ++activityNdx; +@@ -1711,15 +1726,27 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta + int findEffectiveRootIndex() { + int effectiveNdx = 0; + final int topActivityNdx = mActivities.size() - 1; ++ ActivityRecord root = null; + for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) { + final ActivityRecord r = mActivities.get(activityNdx); + if (r.finishing) { + continue; + } +- effectiveNdx = activityNdx; +- if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) { ++ ++ if (root == null) { ++ // Set this as the candidate root since it isn't finishing. ++ root = r; ++ effectiveNdx = activityNdx; ++ } ++ final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid; ++ if ((root.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0 ++ || (root.info.applicationInfo.uid != Process.SYSTEM_UID ++ && !root.info.applicationInfo.isSystemApp() ++ && root.info.applicationInfo.uid != uid)) { + break; + } ++ effectiveNdx = activityNdx; ++ root = r; + } + return effectiveNdx; + } 
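Review bot: The rewritten `setIntent(ActivityRecord r)` now assigns `mCallingUid` and `mCallingPackage` only when `updateIdentity` is true, whereas before they were updated unconditionally even when `setIntent(Intent, ActivityInfo)` returned early on `mNeverRelinquishIdentity`; if that gating is intended it deserves a comment, since those two fields are no longer refreshed for a task that never relinquishes identity. The "may this activity take over the task identity" predicate is spelled out three times (here, in the `@@ -1648` loop and in `findEffectiveRootIndex`) with different subjects — one consults the root's cached `mIsEffectivelySystemApp`, the others call `isSystemApp()` on `r.info.applicationInfo` or `root.info.applicationInfo` — so a single helper such as `boolean canRelinquishIdentityTo(ActivityInfo root, int uid)` would make it auditable that all three enforce one policy. The new field comment is ungrammatical and describes "the activity" rather than the task; suggest `/** Whether the task's effective root activity comes from the system image; set alongside {@code effectiveUid}. */`.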
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/335119.patch b/Patches/LineageOS-15.1/android_frameworks_base/335119.patch new file mode 100644 index 00000000..cb7cd2ba --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/335119.patch 
@@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Raphael Kim +Date: Fri, 22 Apr 2022 00:32:08 +0000 +Subject: [PATCH] Remove package title from notification access confirmation + intent + +Bug: 228178437 +Test: Manually confirmed on an application +Change-Id: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184 +Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184 +(cherry picked from commit 51d47ec7c875cf964f46965a27a5d36343ea999d) +Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184 +--- + ...NotificationAccessConfirmationActivityContract.java | 10 ++++++---- + .../companion/CompanionDeviceManagerService.java | 9 ++------- + 2 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java +index 4ce6f609ef73..fdf0e9046eef 100644 +--- a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java ++++ b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java +@@ -17,6 +17,7 @@ + package com.android.internal.notification; + + import android.content.ComponentName; ++import android.content.Context; + import android.content.Intent; + + public final class NotificationAccessConfirmationActivityContract { +@@ -25,13 +26,14 @@ public final class NotificationAccessConfirmationActivityContract { + "com.android.settings.notification.NotificationAccessConfirmationActivity"); + public static final String EXTRA_USER_ID = "user_id"; + public static final String EXTRA_COMPONENT_NAME = "component_name"; +- public static final String EXTRA_PACKAGE_TITLE = "package_title"; + +- public static Intent launcherIntent(int userId, ComponentName component, String packageTitle) { ++ /** ++ * Creates a launcher intent for NotificationAccessConfirmationActivity. 
++ */ ++ public static Intent launcherIntent(Context context, int userId, ComponentName component) { + return new Intent() + .setComponent(COMPONENT_NAME) + .putExtra(EXTRA_USER_ID, userId) +- .putExtra(EXTRA_COMPONENT_NAME, component) +- .putExtra(EXTRA_PACKAGE_TITLE, packageTitle); ++ .putExtra(EXTRA_COMPONENT_NAME, component); + } + } +diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java +index 6dce7eed5eba..727631a346cb 100644 +--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java ++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java +@@ -288,17 +288,12 @@ public class CompanionDeviceManagerService extends SystemService implements Bind + String callingPackage = component.getPackageName(); + checkCanCallNotificationApi(callingPackage); + int userId = getCallingUserId(); +- String packageTitle = BidiFormatter.getInstance().unicodeWrap( +- getPackageInfo(callingPackage, userId) +- .applicationInfo +- .loadSafeLabel(getContext().getPackageManager()) +- .toString()); +- long identity = Binder.clearCallingIdentity(); ++ final long identity = Binder.clearCallingIdentity(); + try { + return PendingIntent.getActivity(getContext(), + 0 /* request code */, + NotificationAccessConfirmationActivityContract.launcherIntent( +- userId, component, packageTitle), ++ getContext(), userId, component), + PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_ONE_SHOT + | PendingIntent.FLAG_CANCEL_CURRENT); + } finally { diff --git a/Patches/LineageOS-15.1/android_frameworks_base/335120.patch b/Patches/LineageOS-15.1/android_frameworks_base/335120.patch new file mode 100644 index 00000000..3cec0561 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/335120.patch 
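Review bot: The new `context` parameter of `launcherIntent` is never read in the body, which only sets the component and two extras, so the added `import android.content.Context` exists solely to carry an unused argument; either document why the parameter is reserved or drop it from the backport. The new Javadoc also lacks tags; at minimum `@param component the listener component whose notification access is being confirmed` and `@return an explicit intent for the Settings confirmation activity`. In CompanionDeviceManagerService, removing the `getPackageInfo(...)`/`BidiFormatter` call likely leaves `BidiFormatter` imported but unused — worth checking the import list, which is outside the hunk.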
@@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: chiachangwang +Date: Thu, 2 Jun 2022 10:22:20 +0000 +Subject: [PATCH] Stop using invalid URL to prevent unexpected crash + +Verify the input PAC Uri before performing follow-up actions. + +Check if the URL is a valid URL to filter some invalid URLs since +these invalid URLs could not fall into any subclass of existing +URLConnections. When the PAC Uri is other invalid URL scheme, it +will cause an UnsupportedOperationException if there is no proper +subclass that implements the openConnection() method. +A malformed URL may crash the system. + +Even it's a valid URL, some subclasses(e.g. JarURLConnection) +may not have openConnection() implemented. It will also hit the +problem, so convert the possbile exception from openConnection() +to re-throw it to IOException which is handled in the existing +code. + +Bug: 219498290 +Test: atest FrameworksNetTests CtsNetTestCases +Test: Test with malformed URL +Merged-In: I22903414380b62051f514e43b93af992f45740b4 +Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076 +Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3 +(cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f) +(cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4) +Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3 +--- + .../server/connectivity/PacManager.java | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/connectivity/PacManager.java b/services/core/java/com/android/server/connectivity/PacManager.java +index d56fb1ab09f9..7593553f7e68 100644 +--- a/services/core/java/com/android/server/connectivity/PacManager.java ++++ b/services/core/java/com/android/server/connectivity/PacManager.java +@@ -37,6 +37,7 @@ import android.os.SystemClock; + import android.os.SystemProperties; + import android.provider.Settings; + import android.util.Log; ++import 
android.webkit.URLUtil; + + import com.android.internal.annotations.GuardedBy; + import com.android.net.IProxyCallback; +@@ -213,8 +214,22 @@ public class PacManager { + * @throws IOException + */ + private static String get(Uri pacUri) throws IOException { +- URL url = new URL(pacUri.toString()); +- URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY); ++ if (!URLUtil.isValidUrl(pacUri.toString())) { ++ throw new IOException("Malformed URL:" + pacUri); ++ } ++ ++ final URL url = new URL(pacUri.toString()); ++ URLConnection urlConnection; ++ try { ++ urlConnection = url.openConnection(java.net.Proxy.NO_PROXY); ++ // Catch the possible exceptions and rethrow as IOException to not to crash the system ++ // for illegal input. ++ } catch (IllegalArgumentException e) { ++ throw new IOException("Incorrect proxy type for " + pacUri); ++ } catch (UnsupportedOperationException e) { ++ throw new IOException("Unsupported URL connection type for " + pacUri); ++ } ++ + long contentLength = -1; + try { + contentLength = Long.parseLong(urlConnection.getHeaderField("Content-Length")); diff --git a/Patches/LineageOS-15.1/android_frameworks_base/335121-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/335121-backport.patch new file mode 100644 index 00000000..10968a85 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/335121-backport.patch 
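Review bot: Both rethrows in the new `catch` blocks of `get(Uri)` drop the original exception, so the IOException the caller handles carries no cause; use `throw new IOException("Incorrect proxy type for " + pacUri, e);` and likewise for the UnsupportedOperationException branch. The explanatory comment sits after the `openConnection` call inside the `try`, where it reads as describing that statement — move it above the `try`. `URLUtil.isValidUrl` also accepts non-network schemes such as file:, so if the PAC source is only ever meant to be fetched over HTTP(S), an explicit scheme check on `pacUri` before `new URL(...)` would be a tighter filter than validity alone.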
@@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Makoto Onuki +Date: Tue, 19 Apr 2022 10:54:18 -0700 +Subject: [PATCH] Only allow the system server to connect to sync adapters + +Bug: 203229608 +Test: Manual test with changing the check logic + debug log +Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f +(cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee) +(cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff) +Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f +--- + .../content/AbstractThreadedSyncAdapter.java | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/core/java/android/content/AbstractThreadedSyncAdapter.java b/core/java/android/content/AbstractThreadedSyncAdapter.java +index 2629929e91ce..be78f4047ab1 100644 +--- a/core/java/android/content/AbstractThreadedSyncAdapter.java ++++ b/core/java/android/content/AbstractThreadedSyncAdapter.java +@@ -17,6 +17,7 @@ + package android.content; + + import android.accounts.Account; ++import android.os.Binder; + import android.os.Build; + import android.os.Bundle; + import android.os.IBinder; +@@ -165,15 +166,28 @@ public abstract class AbstractThreadedSyncAdapter { + } + + private class ISyncAdapterImpl extends ISyncAdapter.Stub { ++ private boolean isCallerSystem() { ++ final long callingUid = Binder.getCallingUid(); ++ if (callingUid != Process.SYSTEM_UID) { ++ android.util.EventLog.writeEvent(0x534e4554, "203229608", -1, ""); ++ return false; ++ } ++ return true; ++ } ++ + @Override + public void startSync(ISyncContext syncContext, String authority, Account account, + Bundle extras) { ++ if (!isCallerSystem()) { ++ return; ++ } + if (ENABLE_LOG) { + if (extras != null) { + extras.size(); // Unparcel so its toString() will show the contents. 
+ } + Log.d(TAG, "startSync() start " + authority + " " + account + " " + extras); + } ++ + try { + final SyncContext syncContextClient = new SyncContext(syncContext); + +@@ -229,6 +243,9 @@ public abstract class AbstractThreadedSyncAdapter { + + @Override + public void cancelSync(ISyncContext syncContext) { ++ if (!isCallerSystem()) { ++ return; ++ } + try { + // synchronize to make sure that mSyncThreads doesn't change between when we + // check it and when we use it diff --git a/Patches/LineageOS-15.1/android_frameworks_native/326752.patch b/Patches/LineageOS-15.1/android_frameworks_native/326752.patch new file mode 100644 index 00000000..31996957 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_native/326752.patch 
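Review bot: `isCallerSystem()` compares against `Process.SYSTEM_UID`, but the hunk only adds `import android.os.Binder;`; confirm `android.os.Process` is already imported in this file (the visible import block shows only Build, Bundle and IBinder) or the backport will not compile. `Binder.getCallingUid()` returns an int, so `final long callingUid` is a needless widening — `final int callingUid` matches the comparison. The guard covers `startSync` and `cancelSync`; if `ISyncAdapterImpl` on this branch exposes any other Binder entry point outside the hunk it needs the same check, and the fully-qualified `android.util.EventLog.writeEvent` call would read better as an import, matching the file's style.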
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Siarhei Vishniakou
+Date: Wed, 9 Dec 2020 08:07:46 -1000
+Subject: [PATCH] Check if the window is partially obscured for slippery enters
+
+Currently, we only check whether a window is partially obscured during
+the initial tap down. However, there is another use case: slippery
+enter.
+
+During a slippery enter, the touch down is generated into the
+slipped-into window, and touch cancel is generated for the slipped-from
+window. The window receiving the slippery enter does not need to have
+any flags.
+
+Until we figure out whether we can restrict the usage of this flag to
+system components, add this check as an intermediate fix.
+
+Bug: 157929241
+Test: atest FlagSlipperyTest
+Test: atest inputflinger_tests
+Change-Id: I93d9681479f41244ffed4b1f88cceb69be71adf2
+Merged-In: I93d9681479f41244ffed4b1f88cceb69be71adf2
+(cherry picked from commit 870ececa8d5dfb293e671c716f98ccddae24147f)
+(cherry picked from commit 6e689ffe3fad4b190629e11222936fb7cda041c2)
+Merged-In:I93d9681479f41244ffed4b1f88cceb69be71adf2
+---
+ services/inputflinger/InputDispatcher.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/services/inputflinger/InputDispatcher.cpp b/services/inputflinger/InputDispatcher.cpp
+index aed16bff29..dadce23d9c 100644
+--- a/services/inputflinger/InputDispatcher.cpp
++++ b/services/inputflinger/InputDispatcher.cpp
+@@ -1329,6 +1329,8 @@ int32_t InputDispatcher::findTouchedWindowTargetsLocked(nsecs_t currentTime,
+ }
+ if (isWindowObscuredAtPointLocked(newTouchedWindowHandle, x, y)) {
+ targetFlags |= InputTarget::FLAG_WINDOW_IS_OBSCURED;
++ } else if (isWindowObscuredLocked(newTouchedWindowHandle)) {
++ targetFlags |= InputTarget::FLAG_WINDOW_IS_PARTIALLY_OBSCURED;
+ }
+
+ BitSet32 pointerIds;
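Review bot: The new `else if (isWindowObscuredLocked(newTouchedWindowHandle))` branch carries no comment, so the commit message is the only place explaining that it exists because a slippery-entered window cannot opt in through flags and that this is an interim measure; add `// Also report partial obscuring for windows entered via a slippery touch, which carry no opt-in flag (Bug 157929241).` above it so the rationale survives future refactors. `findTouchedWindowTargetsLocked` begins and ends outside the hunk.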
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332758-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332758-backport.patch
new file mode 100644
index 00000000..89c0a2b2
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332758-backport.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rahul Sabnis
+Date: Wed, 6 Apr 2022 18:08:18 +0000
+Subject: [PATCH] Removes app access to BluetoothAdapter#setScanMode by
+ requiring BLUETOOTH_PRIVILEGED permission.
+
+Bug: 203431023
+Test: Manual
+Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
+Change-Id: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
+(cherry picked from commit 95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0)
+Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
+---
+ src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
+index 8da1baf1c..763718c01 100644
+--- a/src/com/android/bluetooth/btservice/AdapterService.java
++++ b/src/com/android/bluetooth/btservice/AdapterService.java
+@@ -1483,7 +1483,8 @@ public class AdapterService extends Service {
+ }
+
+ boolean setScanMode(int mode, int duration) {
+- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
++ enforceCallingOrSelfPermission(
++ BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
+
+ setDiscoverableTimeout(duration);
+
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332759-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332759-backport.patch
new file mode 100644
index 00000000..22839918
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/332759-backport.patch
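Review bot: The new failure message `"Need BLUETOOTH PRIVILEGED permission"` spells the permission with a space, so log searches for `BLUETOOTH_PRIVILEGED` will not match denials; use `"Need BLUETOOTH_PRIVILEGED permission"` here and in the identical `setDiscoverableTimeout` hunk in 332759-backport.patch. Both hunks assume a `BLUETOOTH_PRIVILEGED` String constant already exists in AdapterService alongside `BLUETOOTH_PERM`; that declaration is outside the hunk, so verify it before applying. Since `setScanMode` calls `setDiscoverableTimeout(duration)`, once both patches are applied the privileged check runs twice on that path, which is harmless but deserves a one-line comment so nobody removes the inner check as redundant.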
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rahul Sabnis
+Date: Wed, 6 Apr 2022 22:44:01 +0000
+Subject: [PATCH] Removes app access to BluetoothAdapter#setDiscoverableTimeout
+ by requiring BLUETOOTH_PRIVILEGED permission.
+
+Bug: 206807679
+Test: Manual
+Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
+Change-Id: I73288f495d35280a5724d070248db54e2fe537fd
+(cherry picked from commit 528ea846133dc7dc4ce843e5b649abd50b58d527)
+Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
+---
+ src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
+index 763718c01..64c28029e 100644
+--- a/src/com/android/bluetooth/btservice/AdapterService.java
++++ b/src/com/android/bluetooth/btservice/AdapterService.java
+@@ -1499,7 +1499,8 @@ public class AdapterService extends Service {
+ }
+
+ boolean setDiscoverableTimeout(int timeout) {
+- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
++ enforceCallingOrSelfPermission(
++ BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
+
+ return mAdapterProperties.setDiscoverableTimeout(timeout);
+ }
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Contacts/332760.patch b/Patches/LineageOS-15.1/android_packages_apps_Contacts/332760.patch
new file mode 100644
index 00000000..9d902535
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Contacts/332760.patch
@@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: John Shao +Date: Thu, 24 Feb 2022 22:20:11 +0000 +Subject: [PATCH] No longer export CallSubjectDialog + +This is most likely not used outside of the app and can be potentially +exploited + +Bug: 218341397 +Test: Manual +Change-Id: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455 +Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455 +(cherry picked from commit eadb0b1cc94deaa238bfdf225a504119a8a24388) +(cherry picked from commit 1f6d68c79699a9790e6cf0ab82bdc15c64eb7f5a) +Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455 +--- + AndroidManifest.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 87491c80d..b399cc343 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -565,6 +565,7 @@ + + + diff --git a/Patches/LineageOS-15.1/android_packages_apps_Dialer/332761.patch b/Patches/LineageOS-15.1/android_packages_apps_Dialer/332761.patch new file mode 100644 index 00000000..74ae4a04 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Dialer/332761.patch 
@@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tatsuaki Machida +Date: Mon, 28 Feb 2022 10:36:08 +0000 +Subject: [PATCH] No longer export CallSubjectDialog + +Bug: 221802256 +Change-Id: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48 +Test: N/A +(cherry picked from commit d96b98bbb21118356726588d0ff3707246369fdb) +(cherry picked from commit 1ab4eeb65ed117745b9576769b069cf0b38eafb0) +Merged-In: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48 +--- + java/com/android/contacts/common/AndroidManifest.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/java/com/android/contacts/common/AndroidManifest.xml b/java/com/android/contacts/common/AndroidManifest.xml +index e97221549..84ac96fdb 100644 +--- a/java/com/android/contacts/common/AndroidManifest.xml ++++ b/java/com/android/contacts/common/AndroidManifest.xml +@@ -21,6 +21,7 @@ + + + diff --git a/Patches/LineageOS-15.1/android_packages_apps_KeyChain/334264.patch b/Patches/LineageOS-15.1/android_packages_apps_KeyChain/334264.patch new file mode 100644 index 00000000..e6d8e340 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_KeyChain/334264.patch 
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ayush Sharma
+Date: Tue, 10 May 2022 14:09:40 +0000
+Subject: [PATCH] Encode authority part of uri before showing in UI
+
+As per rfc2396, allowing only characters that are reserved|unreserved|@
+to be in non escaped form, all the other characters will be escaped.
+This would cover all the possible characters there can be in valid
+authority as per the rfc2396. android.net.Uri conforms to RFC 2396.
+
+Bug: 221859869
+Test: Manual
+Change-Id: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
+Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
+(cherry picked from commit 8550c37c186099926ce364b65b61ffbf6ed7958d)
+Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
+---
+ src/com/android/keychain/KeyChainActivity.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/com/android/keychain/KeyChainActivity.java b/src/com/android/keychain/KeyChainActivity.java
+index 99a6568..6b0b35c 100644
+--- a/src/com/android/keychain/KeyChainActivity.java
++++ b/src/com/android/keychain/KeyChainActivity.java
+@@ -301,7 +301,7 @@ public class KeyChainActivity extends Activity {
+ Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI);
+ if (uri != null) {
+ String hostMessage = String.format(res.getString(R.string.requesting_server),
+- uri.getAuthority());
++ Uri.encode(uri.getAuthority(), "$,;:@&=+"));
+ if (contextMessage == null) {
+ contextMessage = hostMessage;
+ } else {
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Nfc/328346.patch b/Patches/LineageOS-15.1/android_packages_apps_Nfc/328346.patch
new file mode 100644
index 00000000..2fec3f1a
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Nfc/328346.patch
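Review bot: `"$,;:@&=+"` is a magic allow-list whose rationale lives only in the commit message; hoist it to `private static final String AUTHORITY_ALLOWED_CHARS = "$,;:@&=+"; // RFC 2396 reserved chars that may appear unescaped in an authority` so the next reader does not trim or extend it casually. Because `@` stays unescaped, any userinfo component of the authority is still rendered verbatim in the prompt; if the dialog only needs to name the server, `uri.getHost()` (plus `uri.getPort()` when set) would avoid displaying that part at all. The enclosing method begins and ends outside the hunk.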
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jack Yu +Date: Thu, 13 Jan 2022 16:27:22 +0800 +Subject: [PATCH] Do not set default contactless application without user + interaction + +Keep the default contactless apllication "not set" if user does not +select one from the Settings page. + +Bug: 212610736 +Test: Manual +Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981 +Change-Id: I8e1d67528eca037f4f88380a96f8c542965a1981 +(cherry picked from commit 4177b086cf2f1ae9c1831cb1a7ed88233c7a6aca) +Merged-In:I8e1d67528eca037f4f88380a96f8c542965a1981 +--- + .../cardemulation/CardEmulationManager.java | 27 +++---------------- + 1 file changed, 4 insertions(+), 23 deletions(-) + +diff --git a/src/com/android/nfc/cardemulation/CardEmulationManager.java b/src/com/android/nfc/cardemulation/CardEmulationManager.java +index 3fc58fd0..05b5825c 100644 +--- a/src/com/android/nfc/cardemulation/CardEmulationManager.java ++++ b/src/com/android/nfc/cardemulation/CardEmulationManager.java +@@ -206,31 +206,12 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback, + + void verifyDefaults(int userId, List services) { + ComponentName defaultPaymentService = +- getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, false); ++ getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, true); + if (DBG) Log.d(TAG, "Current default: " + defaultPaymentService); + if (defaultPaymentService == null) { +- // A payment service may have been removed, leaving only one; +- // in that case, automatically set that app as default. 
+- int numPaymentServices = 0; +- ComponentName lastFoundPaymentService = null; +- for (ApduServiceInfo service : services) { +- if (service.hasCategory(CardEmulation.CATEGORY_PAYMENT)) { +- numPaymentServices++; +- lastFoundPaymentService = service.getComponent(); +- } +- } +- if (numPaymentServices > 1) { +- // More than one service left, leave default unset +- if (DBG) Log.d(TAG, "No default set, more than one service left."); +- } else if (numPaymentServices == 1) { +- // Make single found payment service the default +- if (DBG) Log.d(TAG, "No default set, making single service default."); +- setDefaultServiceForCategoryChecked(userId, lastFoundPaymentService, +- CardEmulation.CATEGORY_PAYMENT); +- } else { +- // No payment services left, leave default at null +- if (DBG) Log.d(TAG, "No default set, last payment service removed."); +- } ++ // A payment service may have been removed, set default payment selection to "not set". ++ if (DBG) Log.d(TAG, "No default set, last payment service removed."); ++ setDefaultServiceForCategoryChecked(userId, null, CardEmulation.CATEGORY_PAYMENT); + } + } + diff --git a/Patches/LineageOS-15.1/android_packages_apps_Nfc/332455-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Nfc/332455-backport.patch new file mode 100644 index 00000000..726016de --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Nfc/332455-backport.patch 
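Review bot: The debug message `"No default set, last payment service removed."` is now logged whenever `defaultPaymentService` is null, including when a default was simply never chosen, so it misstates the condition; use `"No valid default payment service; leaving selection unset."`. With the counting loop gone, the `services` parameter of `verifyDefaults` is no longer read (and `ApduServiceInfo` may now be an unused import — check outside the hunk); either drop the parameter or note why it is kept for callers. The third argument to `getDefaultServiceForCategory` flipped from `false` to `true` without explanation; an inline comment naming what that flag requests would make the intent visible at the call site.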
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Fri, 18 Mar 2022 17:13:05 -0700
+Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()
+
+The size of RspBuff for Mifare shall be at least 2 bytes:
+Mifare Req/Rsp Id + Status
+
+Bug: 221852424
+Test: build ok
+Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
+(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
+Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+index 01d83f59..86657d53 100755
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+@@ -1231,7 +1231,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
+ }
+ else
+ {
+- if((0 == (RspBuffInfo->wLen))
++ if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
+ || (PH_NCINFC_STATUS_OK != wStatus)
+ || (NULL == (RspBuffInfo->pBuff))
+ )
+@@ -1271,12 +1271,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
+ status = NFCSTATUS_SUCCESS;
+ uint16_t wRecvDataSz = 0;
+
+- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+- RspBuffInfo->wLen)
+- {
+- android_errorWriteLog(0x534e4554, "181346550");
+- return NFCSTATUS_FAILED;
+- }
+ /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
+ wPldDataSize = ((RspBuffInfo->wLen) -
+ (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/326758.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/326758.patch
new file mode 100644
index 00000000..754778ab
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/326758.patch
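Review bot: Removing the second length check also removes its `android_errorWriteLog(0x534e4554, "181346550")` call, so a too-short Mifare response is still rejected by the strengthened check at `@@ -1231` but no longer leaves a log entry; consider moving that call into the failure branch of the early check so the detection telemetry is preserved. The early check sits in an `else` branch whose sibling `if` is outside the hunk — confirm that path cannot reach the `wPldDataSize` subtraction, which now has no guard of its own. `phNciNfc_RecvMfResp` begins and ends outside the hunk.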
@@ -0,0 +1,85 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Edgar Wang +Date: Thu, 6 Jan 2022 20:53:48 +0800 +Subject: [PATCH] Fix bypass CALL_PRIVILEGED permission in + AppRestrictionsFragment + +In onReceive of AppRestrictionsFragment.java, there is a possible way to +start a phone call without permissions due to a confused deputy. +This could lead to local escalation of privilege with no additional +execution privileges needed. + +We should not allow the restrictionsIntent to startActivity simply +because it resolves to multiple activities. +Instead, we should call resolveActivity and check the result's package +name is same as current package name, then it is safe to startActivity. + +Bug: 200688991 +Test: manual verify +Change-Id: Iaa2d3a9497c3266babe0789961befc9776a4db7a +Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a +(cherry picked from commit 359512cd9553c940af3c9045b856647b7529731a) +(cherry picked from commit f57d75f127fe96e91250585208a339763f1a2253) +Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a +--- + .../users/AppRestrictionsFragment.java | 24 +++++++++++++------ + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java +index d487c70c66..10d714401e 100644 +--- a/src/com/android/settings/users/AppRestrictionsFragment.java ++++ b/src/com/android/settings/users/AppRestrictionsFragment.java +@@ -17,6 +17,7 @@ + package com.android.settings.users; + + import android.app.Activity; ++import android.content.ActivityNotFoundException; + import android.content.BroadcastReceiver; + import android.content.Context; + import android.content.Intent; +@@ -44,6 +45,7 @@ import android.support.v7.preference.Preference.OnPreferenceChangeListener; + import android.support.v7.preference.Preference.OnPreferenceClickListener; + import android.support.v7.preference.PreferenceGroup; + import 
android.support.v7.preference.PreferenceViewHolder; ++import android.util.EventLog; + import android.util.Log; + import android.view.View; + import android.view.View.OnClickListener; +@@ -634,7 +636,15 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen + } else if (restrictionsIntent != null) { + preference.setRestrictions(restrictions); + if (invokeIfCustom && AppRestrictionsFragment.this.isResumed()) { +- assertSafeToStartCustomActivity(restrictionsIntent); ++ try { ++ assertSafeToStartCustomActivity(restrictionsIntent); ++ } catch (ActivityNotFoundException | SecurityException e) { ++ // return without startActivity ++ Log.e(TAG, "Cannot start restrictionsIntent " + e); ++ EventLog.writeEvent(0x534e4554, "200688991", -1 /* UID */, ""); ++ return; ++ } ++ + int requestCode = generateCustomActivityRequestCode( + RestrictionsResultReceiver.this.preference); + AppRestrictionsFragment.this.startActivityForResult( +@@ -648,14 +658,14 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen + if (intent.getPackage() != null && intent.getPackage().equals(packageName)) { + return; + } +- // Activity can be started if intent resolves to multiple activities +- List resolveInfos = AppRestrictionsFragment.this.mPackageManager +- .queryIntentActivities(intent, 0 /* no flags */); +- if (resolveInfos.size() != 1) { +- return; ++ ResolveInfo resolveInfo = mPackageManager.resolveActivity( ++ intent, PackageManager.MATCH_DEFAULT_ONLY); ++ ++ if (resolveInfo == null) { ++ throw new ActivityNotFoundException("No result for resolving " + intent); + } + // Prevent potential privilege escalation +- ActivityInfo activityInfo = resolveInfos.get(0).activityInfo; ++ ActivityInfo activityInfo = resolveInfo.activityInfo; + if (!packageName.equals(activityInfo.packageName)) { + throw new SecurityException("Application " + packageName + + " is not allowed to start activity " + intent); 
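Review bot: The package check in `assertSafeToStartCustomActivity` is only a pre-flight: after `resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY)` confirms `activityInfo.packageName`, the original intent is handed unchanged to `startActivityForResult`, so what is actually launched is whatever resolves at start time rather than the component that was verified. Pinning the intent to the verified package once the check passes, `intent.setPackage(activityInfo.packageName);`, closes that gap and is the pattern the commit itself uses in 332763.patch's `startSystemActivityForResult`. The new catch block is fine as a fail-closed path, but the EventLog record carries -1 rather than the restricted app's uid, so the SafetyNet entry cannot be attributed without the accompanying logcat line. `assertSafeToStartCustomActivity` continues past the end of the hunk.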
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/326759.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/326759.patch
new file mode 100644
index 00000000..20ab23a8
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/326759.patch
@@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alex Johnston +Date: Wed, 5 Jan 2022 22:19:29 +0000 +Subject: [PATCH] Add caller check to com.android.credentials.RESET + +* Only the Settings app can reset credentials + via com.android.credentials.RESET. +* com.android.credentials.INSTALL should still be + callable by CertInstaller. + +Manual testing steps: +* Install certificate via Settings +* Verify unable to reset certificates via test app + provided in the bug (app-debug.apk) +* Verify able to reset certificates via Settings +* Verify com.android.credentials.INSTALL isn't changed + +Bug: 200164168 +Test: manual +Change-Id: I9dfde586616d004befbee529f2ae842d22795065 +(cherry picked from commit 4c1272a921bb9037e17a01e1e5a0692f7f704c3d) +Merged-In: I9dfde586616d004befbee529f2ae842d22795065 +(cherry picked from commit 35e3d0c1b0598b2032fc6c134c657255f1907594) +Merged-In: I9dfde586616d004befbee529f2ae842d22795065 +--- + src/com/android/settings/CredentialStorage.java | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java +index e5d40b7add..c0726719e0 100644 +--- a/src/com/android/settings/CredentialStorage.java ++++ b/src/com/android/settings/CredentialStorage.java +@@ -131,7 +131,7 @@ public final class CredentialStorage extends Activity { + String action = intent.getAction(); + UserManager userManager = (UserManager) getSystemService(Context.USER_SERVICE); + if (!userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) { +- if (ACTION_RESET.equals(action)) { ++ if (ACTION_RESET.equals(action) && checkCallerIsSelf()) { + new ResetDialog(); + } else { + if (ACTION_INSTALL.equals(action) && checkCallerIsCertInstallerOrSelfInProfile()) { +@@ -390,6 +390,19 @@ public final class CredentialStorage extends Activity { + } + } + ++ /** ++ * Check that the caller is Settings. 
++ */ ++ private boolean checkCallerIsSelf() { ++ try { ++ return Process.myUid() == android.app.ActivityManager.getService() ++ .getLaunchedFromUid(getActivityToken()); ++ } catch (RemoteException re) { ++ // Error talking to ActivityManager, just give up ++ return false; ++ } ++ } ++ + /** + * Check that the caller is either certinstaller or Settings running in a profile of this user. + */ diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/327099.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/327099.patch new file mode 100644 index 00000000..290c9efa --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/327099.patch 
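Review bot: 326759.patch and 327099.patch both carry Change-Id I9dfde586616d004befbee529f2ae842d22795065 and both add `checkCallerIsSelf()` to src/com/android/settings/CredentialStorage.java against different base blobs (e5d40b7add and eed380bae4f); if the apply script applies every patch in this directory, the second one will either fail to apply or leave a duplicate method and a doubled `&& checkCallerIsSelf()` condition. Keep only the variant that applies to the LineageOS 15.1 tree, or record in the repository why both are kept. In the method itself, returning false on `RemoteException` is the right fail-closed choice; a warning log at that point would make a silently refused reset diagnosable.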
@@ -0,0 +1,79 @@ +From fef5461b2b30113364e7c6336de0ddebf7889156 Mon Sep 17 00:00:00 2001 +From: Alex Johnston +Date: Wed, 5 Jan 2022 22:19:29 +0000 +Subject: [PATCH] Add caller check to com.android.credentials.RESET [Backport] + +* Only the Settings app can reset credentials + via com.android.credentials.RESET. +* com.android.credentials.INSTALL should still be + callable by CertInstaller. + +Manual testing steps: +* Install certificate via Settings +* Verify unable to reset certificates via test app + provided in the bug (app-debug.apk) +* Verify able to reset certificates via Settings +* Verify com.android.credentials.INSTALL isn't changed + +Bug: 200164168 +Test: manual + +Change-Id: I9dfde586616d004befbee529f2ae842d22795065 +(cherry picked from commit 4c1272a921bb9037e17a01e1e5a0692f7f704c3d) +Merged-In: I9dfde586616d004befbee529f2ae842d22795065 +(cherry picked from commit 35e3d0c1b0598b2032fc6c134c657255f1907594) +Merged-In: I9dfde586616d004befbee529f2ae842d22795065 +--- + .../android/settings/CredentialStorage.java | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java +index eed380bae4f..1c82bff713f 100644 +--- a/src/com/android/settings/CredentialStorage.java ++++ b/src/com/android/settings/CredentialStorage.java +@@ -17,6 +17,7 @@ + package com.android.settings; + + import android.app.Activity; ++import android.app.ActivityManagerNative; + import android.app.AlertDialog; + import android.app.admin.DevicePolicyManager; + import android.content.Context; +@@ -27,6 +28,7 @@ + import android.content.res.Resources; + import android.os.AsyncTask; + import android.os.Bundle; ++import android.os.IBinder; + import android.os.Process; + import android.os.RemoteException; + import android.os.UserHandle; +@@ -128,7 +130,7 @@ protected void onResume() { + String action = intent.getAction(); + UserManager userManager = (UserManager) 
getSystemService(Context.USER_SERVICE); + if (!userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) { +- if (ACTION_RESET.equals(action)) { ++ if (ACTION_RESET.equals(action) && checkCallerIsSelf()) { + new ResetDialog(); + } else { + if (ACTION_INSTALL.equals(action) && checkCallerIsCertInstallerOrSelfInProfile()) { +@@ -405,6 +407,20 @@ private ConfigureKeyGuardDialog() { + } + } + ++ /** ++ * Check that the caller is Settings. ++ */ ++ private boolean checkCallerIsSelf() { ++ try { ++ IBinder activityToken = getActivityToken(); ++ return Process.myUid() == ActivityManagerNative.getDefault() ++ .getLaunchedFromUid(activityToken); ++ } catch (RemoteException re) { ++ // Error talking to ActivityManager, just give up ++ return false; ++ } ++ } ++ + /** + * Check that the caller is either certinstaller or Settings running in a profile of this user. + */ diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/332763.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/332763.patch new file mode 100644 index 00000000..bbcfc9b1 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/332763.patch 
@@ -0,0 +1,133 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 25 Feb 2022 15:22:27 +0000 +Subject: [PATCH] Prevent exfiltration of system files via user image settings. + +This is a backport of ag/17005706. + +This adds mitigations to prevent system files being exfiltrated +via the settings content provider when a content URI is provided +as a chosen user image. + +The mitigations are: + +1) Copy the image to a new URI rather than the existing takePictureUri +prior to cropping. + +2) Only allow a system handler to respond to the CROP intent. + +Bug: 187702830 +Test: build and check functionality +Change-Id: Ia6314b6810afb5efa0329f3eeaee9ccfff791966 +Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb +(cherry picked from commit 8950a9002402de6e1218bab3da52868a51104a95) +Merged-In: Ia6314b6810afb5efa0329f3eeaee9ccfff791966 +--- + .../users/EditUserPhotoController.java | 42 +++++++++++++------ + 1 file changed, 29 insertions(+), 13 deletions(-) + +diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java +index 0f67b181de..cdf392b9df 100644 +--- a/src/com/android/settings/users/EditUserPhotoController.java ++++ b/src/com/android/settings/users/EditUserPhotoController.java +@@ -22,6 +22,7 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; + import android.database.Cursor; + import android.graphics.Bitmap; +@@ -75,6 +76,7 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 1002; + private static final int REQUEST_CODE_CROP_PHOTO = 1003; + ++ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg"; + private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private static 
final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -85,6 +87,7 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView mImageView; + ++ private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -96,6 +99,8 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; ++ ++ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -130,7 +135,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(); ++ cropPhoto(pictureUri); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -239,7 +244,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mTakePictureUri)) { ++ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -250,27 +255,38 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(); ++ cropPhoto(mPreCropPictureUri); + } + }.execute(); + } + +- private void cropPhoto() { ++ private void cropPhoto(final Uri pictureUri) { + // TODO: Use a public intent, when there is one. 
+ Intent intent = new Intent("com.android.camera.action.CROP"); +- intent.setDataAndType(mTakePictureUri, "image/*"); ++ intent.setDataAndType(pictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- if (intent.resolveActivity(mContext.getPackageManager()) != null) { +- try { +- StrictMode.disableDeathOnFileUriExposure(); +- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); +- } finally { +- StrictMode.enableDeathOnFileUriExposure(); ++ try { ++ StrictMode.disableDeathOnFileUriExposure(); ++ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { ++ return; + } +- } else { +- onPhotoCropped(mTakePictureUri, false); ++ } finally { ++ StrictMode.enableDeathOnFileUriExposure(); ++ } ++ onPhotoCropped(mTakePictureUri, false); ++ } ++ ++ private boolean startSystemActivityForResult(Intent intent, int code) { ++ ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(), ++ PackageManager.MATCH_SYSTEM_ONLY); ++ if (info == null) { ++ Log.w(TAG, "No system package activity could be found for code " + code); ++ return false; + } ++ intent.setPackage(info.packageName); ++ mFragment.startActivityForResult(intent, code); ++ return true; + } + + private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/334265.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/334265.patch new file mode 100644 index 00000000..578fe316 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/334265.patch 
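Review bot: The fallback at the end of the new `cropPhoto(Uri)` still passes `mTakePictureUri` to `onPhotoCropped`, although the image being cropped is now the `pictureUri` parameter; on the copy-and-crop path that parameter is `mPreCropPictureUri`, so when no system CROP handler exists the photo the user chose is ignored and whatever sits at `mTakePictureUri` is used instead (assuming `onPhotoCropped`, which is outside the hunk, reads the image from the URI it is given). The last line of the method should be `onPhotoCropped(pictureUri, false);`. The new `startSystemActivityForResult` correctly pins the intent with `setPackage` before starting it, so the MATCH_SYSTEM_ONLY resolution cannot be undone by a later re-resolution.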
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Edgar Wang
+Date: Wed, 6 Apr 2022 17:30:27 +0800
+Subject: [PATCH] Fix LaunchAnyWhere in AppRestrictionsFragment
+
+If the intent's package equals to the app's package, this intent
+will be allowed to startActivityForResult.
+But this check is unsafe, because if the component of this intent
+is set, the package field will just be ignored. So if we set the
+component to any activity we like and set package to the app's
+package, it will pass the assertSafeToStartCustomActivity check
+and now we can launch anywhere.
+
+Bug: 223578534
+Test: robotest and manual verify
+Change-Id: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
+(cherry picked from commit 90e095dbe372f29823ad4788c0cc2d781ae3bb24)
+(cherry picked from commit b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad)
+Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
+---
+ src/com/android/settings/users/AppRestrictionsFragment.java | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
+index 10d714401e..bf0f3da8d0 100644
+--- a/src/com/android/settings/users/AppRestrictionsFragment.java
++++ b/src/com/android/settings/users/AppRestrictionsFragment.java
+@@ -654,10 +654,7 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
+ }
+
+ private void assertSafeToStartCustomActivity(Intent intent) {
+- // Activity can be started if it belongs to the same app
+- if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
+- return;
+- }
++ EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");
+ ResolveInfo resolveInfo = mPackageManager.resolveActivity(
+ intent, PackageManager.MATCH_DEFAULT_ONLY);
+
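Review bot: The `EventLog.writeEvent(0x534e4554, "223578534", ...)` now runs on every call of `assertSafeToStartCustomActivity`, including the normal case where the restrictions intent resolves back into `packageName`, so the SafetyNet record no longer distinguishes an attempted launch-anywhere from ordinary use. If the intent is to log only rejected intents, move the call next to the `SecurityException` throw that follows (outside this hunk); if it is meant as a trace that the check executed, a comment such as `// SafetyNet trace: records every custom-activity launch attempt, not only rejections` stops the next reader from treating it as an alert. The rest of `assertSafeToStartCustomActivity` is outside the hunk.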
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/335111.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/335111.patch
new file mode 100644
index 00000000..c0320bc0
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/335111.patch
@@ -0,0 +1,54 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Arc Wang +Date: Fri, 6 May 2022 17:42:30 +0800 +Subject: [PATCH] Verify ringtone from ringtone picker is audio + +To improve privacy. + +Bug: 221041256 +Test: atest com.android.settings.DefaultRingtonePreferenceTest +Change-Id: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d +Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d +(cherry picked from commit e4c22580c9a66a3d5523782c2daa707531210227) +(cherry picked from commit 640eab60f2baa9052d395fccd4a0324103ad6c7a) +Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d +--- + .../settings/DefaultRingtonePreference.java | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 9f9f832b10..751eb8c8e7 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -22,6 +22,7 @@ import android.content.Intent; + import android.media.RingtoneManager; + import android.net.Uri; + import android.util.AttributeSet; ++import android.util.Log; + + public class DefaultRingtonePreference extends RingtonePreference { + private static final String TAG = "DefaultRingtonePreference"; +@@ -43,6 +44,23 @@ public class DefaultRingtonePreference extends RingtonePreference { + + @Override + protected void onSaveRingtone(Uri ringtoneUri) { ++ String mimeType = getContext().getContentResolver().getType(ringtoneUri); ++ if (mimeType == null) { ++ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri ++ + " ignored: failure to find mimeType (no access from this context?)"); ++ return; ++ } ++ ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { ++ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri ++ + " ignored: associated mimeType:" + mimeType + " is not an audio type"); ++ return; ++ } ++ ++ 
setActualDefaultRingtoneUri(ringtoneUri); ++ } ++ ++ void setActualDefaultRingtoneUri(Uri ringtoneUri) { + RingtoneManager.setActualDefaultRingtoneUri(mUserContext, getRingtoneType(), ringtoneUri); + } + diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/335114.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/335114.patch new file mode 100644 index 00000000..81a746fc --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/335114.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Arc Wang +Date: Mon, 16 May 2022 14:36:19 +0800 +Subject: [PATCH] Fix Settings crash when setting a null ringtone + +Ringtone picker may callback a null ringtone Uri +if users select None. + +This change pass null ringtone Uri to RingtoneManager +and return. + +Bug: 232502532 +Bug: 221041256 +Test: maunal + Settings - Sound & Vibration -> Phone ringtone + -> My Sounds -> None +Change-Id: I044b680871472a3c272f6264c4ef272df542112e +Merged-In: I044b680871472a3c272f6264c4ef272df542112e +(cherry picked from commit d94b73b3041614a5ff57c7745f50f235bf6c7783) +Merged-In: I044b680871472a3c272f6264c4ef272df542112e +--- + src/com/android/settings/DefaultRingtonePreference.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 751eb8c8e7..226cde693b 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -44,6 +44,11 @@ public class DefaultRingtonePreference extends RingtonePreference { + + @Override + protected void onSaveRingtone(Uri ringtoneUri) { ++ if (ringtoneUri == null) { ++ setActualDefaultRingtoneUri(ringtoneUri); ++ return; ++ } ++ + String mimeType = getContext().getContentResolver().getType(ringtoneUri); + if (mimeType == null) { + Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri 
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/335115.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/335115.patch new file mode 100644 index 00000000..9af3c71f --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/335115.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tsung-Mao Fang +Date: Fri, 27 May 2022 15:52:30 +0800 +Subject: [PATCH] Fix can't change notification sound for work profile. + +Use correct user id context to query the type, +so we won't get empty result unexpectedly. + +If we get the null result, then we won't set sound sucessfully. + +Bug: 233580016 +Bug: 221041256 +Test: Manual test and set work profile sound works. +Change-Id: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad +Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad +(cherry picked from commit edf44161770a8d3aa5105b51d701c3abdae1776e) +Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad +--- + src/com/android/settings/DefaultRingtonePreference.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 226cde693b..f3eeff9df2 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -49,7 +49,7 @@ public class DefaultRingtonePreference extends RingtonePreference { + return; + } + +- String mimeType = getContext().getContentResolver().getType(ringtoneUri); ++ String mimeType = mUserContext.getContentResolver().getType(ringtoneUri); + if (mimeType == null) { + Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri + + " ignored: failure to find mimeType (no access from this context?)"); diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/335116.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/335116.patch new file mode 100644 index 00000000..a4c43036 
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/335116.patch
@@ -0,0 +1,94 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Raphael Kim +Date: Fri, 22 Apr 2022 00:40:06 +0000 +Subject: [PATCH] Extract app label from component name in notification access + confirmation UI + +Bug: 228178437 +Test: Manually tested on POC +Change-Id: I8613d9b87a53d4641c0689bca9c961c66a2e9415 +Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415 +(cherry picked from commit 8d749c55f4efd6b2e514d90204667ffa804eb0f9) +Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415 +--- + ...otificationAccessConfirmationActivity.java | 36 ++++++++++++++++--- + 1 file changed, 31 insertions(+), 5 deletions(-) + +diff --git a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java +index db75f62fb5..664465f799 100644 +--- a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java ++++ b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java +@@ -21,8 +21,6 @@ import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYST + + import static com.android.internal.notification.NotificationAccessConfirmationActivityContract + .EXTRA_COMPONENT_NAME; +-import static com.android.internal.notification.NotificationAccessConfirmationActivityContract +- .EXTRA_PACKAGE_TITLE; + import static com.android.internal.notification.NotificationAccessConfirmationActivityContract + .EXTRA_USER_ID; + +@@ -33,10 +31,13 @@ import android.app.NotificationManager; + import android.content.ComponentName; + import android.content.Context; + import android.content.DialogInterface; ++import android.content.pm.ApplicationInfo; ++import android.content.pm.PackageItemInfo; + import android.content.pm.PackageManager; + import android.content.pm.ServiceInfo; + import android.os.Bundle; + import android.os.UserHandle; ++import android.text.TextUtils; + import android.util.Slog; + import 
android.view.WindowManager; + import android.view.accessibility.AccessibilityEvent; +@@ -52,6 +53,8 @@ public class NotificationAccessConfirmationActivity extends Activity + private static final boolean DEBUG = false; + private static final String LOG_TAG = "NotificationAccessConfirmationActivity"; + ++ private static final float DEFAULT_MAX_LABEL_SIZE_PX = 500f; ++ + private int mUserId; + private ComponentName mComponentName; + private NotificationManager mNm; +@@ -66,15 +69,38 @@ public class NotificationAccessConfirmationActivity extends Activity + + mComponentName = getIntent().getParcelableExtra(EXTRA_COMPONENT_NAME); + mUserId = getIntent().getIntExtra(EXTRA_USER_ID, UserHandle.USER_NULL); +- String pkgTitle = getIntent().getStringExtra(EXTRA_PACKAGE_TITLE); ++ CharSequence mAppLabel; ++ ++ if (mComponentName == null || mComponentName.getPackageName() == null) { ++ finish(); ++ return; ++ } ++ ++ try { ++ ApplicationInfo applicationInfo = getPackageManager().getApplicationInfo( ++ mComponentName.getPackageName(), 0); ++ mAppLabel = applicationInfo.loadSafeLabel(getPackageManager(), ++ DEFAULT_MAX_LABEL_SIZE_PX, ++ PackageItemInfo.SAFE_LABEL_FLAG_TRIM ++ | PackageItemInfo.SAFE_LABEL_FLAG_FIRST_LINE); ++ } catch (PackageManager.NameNotFoundException e) { ++ Slog.e(LOG_TAG, "Couldn't find app with package name for " + mComponentName, e); ++ finish(); ++ return; ++ } ++ ++ if (TextUtils.isEmpty(mAppLabel)) { ++ finish(); ++ return; ++ } + + AlertController.AlertParams p = new AlertController.AlertParams(this); + p.mTitle = getString( + R.string.notification_listener_security_warning_title, +- pkgTitle); ++ mAppLabel); + p.mMessage = getString( + R.string.notification_listener_security_warning_summary, +- pkgTitle); ++ mAppLabel); + p.mPositiveButtonText = getString(R.string.allow); + p.mPositiveButtonListener = (a, b) -> onAllow(); + p.mNegativeButtonText = getString(R.string.deny); 
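Review bot: The label lookup uses `getPackageManager().getApplicationInfo(mComponentName.getPackageName(), 0)`, which resolves the package for the user Settings is running as, while the listener being confirmed belongs to `mUserId` read from the intent; for a listener installed only in another profile the lookup throws NameNotFoundException and the dialog is finished instead of shown. Resolving with the user-aware variant, `getApplicationInfoAsUser(mComponentName.getPackageName(), 0, mUserId)` if this tree has it, keeps the confirmation tied to the user whose listener is being granted access. Separately, `mAppLabel` is a local variable and the m-prefix suggests a field; `appLabel` would match the surrounding locals. The enclosing method continues past the hunk.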
diff --git a/Patches/LineageOS-15.1/android_packages_providers_ContactsProvider/335110.patch b/Patches/LineageOS-15.1/android_packages_providers_ContactsProvider/335110.patch
new file mode 100644
index 00000000..2bce990a
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_providers_ContactsProvider/335110.patch
@@ -0,0 +1,150 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 28 Apr 2022 16:53:40 -0700 +Subject: [PATCH] enforce stricter CallLogProvider query + +changes: +- phoneNumber is now a selectionArgument +- if the user makes a query request for the CALLS_FILTER case, + throw a SE if the cursor is empty && SQL is detected + +Bug: 224771921 +Test: 2 manual, + manual 1: test app 1 can still make valid call filter query + manual 2: test app 2 with invalid query crashes b/c of SE + + 2 CTS tests, + test 1: ensures the existing functionality still works + test 2: ensures a SE is thrown on an invalid query for call filter + +Change-Id: Ia445bb59581abb14e247aa8d9f0177e02307cf96 +Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96 +(cherry picked from commit c8b6397d364c2741baf5d850bfdd1693782af940) +Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96 +--- + .../providers/contacts/CallLogProvider.java | 77 ++++++++++++++++++- + 1 file changed, 75 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/providers/contacts/CallLogProvider.java b/src/com/android/providers/contacts/CallLogProvider.java +index bbd58e2b..97a4c9ae 100644 +--- a/src/com/android/providers/contacts/CallLogProvider.java ++++ b/src/com/android/providers/contacts/CallLogProvider.java +@@ -31,6 +31,7 @@ import android.database.Cursor; + import android.database.DatabaseUtils; + import android.database.sqlite.SQLiteDatabase; + import android.database.sqlite.SQLiteQueryBuilder; ++import android.database.sqlite.SQLiteTokenizer; + import android.net.Uri; + import android.os.Binder; + import android.os.UserHandle; +@@ -42,6 +43,7 @@ import android.telecom.PhoneAccountHandle; + import android.telecom.TelecomManager; + import android.text.TextUtils; + import android.util.ArrayMap; ++import android.util.EventLog; + import android.util.Log; + + import com.android.internal.annotations.VisibleForTesting; +@@ -52,6 +54,9 @@ import 
com.android.providers.contacts.util.UserUtils; + + import java.util.Arrays; + import java.util.List; ++import java.util.Locale; ++import java.util.Set; ++import java.util.UUID; + import java.util.concurrent.CountDownLatch; + + /** +@@ -273,9 +278,10 @@ public class CallLogProvider extends ContentProvider { + List pathSegments = uri.getPathSegments(); + String phoneNumber = pathSegments.size() >= 2 ? pathSegments.get(2) : null; + if (!TextUtils.isEmpty(phoneNumber)) { +- qb.appendWhere("PHONE_NUMBERS_EQUAL(number, "); +- qb.appendWhereEscapeString(phoneNumber); ++ qb.appendWhere("PHONE_NUMBERS_EQUAL(number, ?"); + qb.appendWhere(mUseStrictPhoneNumberComparation ? ", 1)" : ", 0)"); ++ selectionArgs = copyArrayAndAppendElement(selectionArgs, ++ "'" + phoneNumber + "'"); + } else { + qb.appendWhere(Calls.NUMBER_PRESENTATION + "!=" + + Calls.PRESENTATION_ALLOWED); +@@ -297,12 +303,79 @@ public class CallLogProvider extends ContentProvider { + final SQLiteDatabase db = mDbHelper.getReadableDatabase(); + final Cursor c = qb.query(db, projection, selectionBuilder.build(), selectionArgs, null, + null, sortOrder, limitClause); ++ ++ if (match == CALLS_FILTER && selectionArgs.length > 0) { ++ // throw SE if the user is sending requests that try to bypass voicemail permissions ++ examineEmptyCursorCause(c, selectionArgs[selectionArgs.length - 1]); ++ } ++ + if (c != null) { + c.setNotificationUri(getContext().getContentResolver(), CallLog.CONTENT_URI); + } + return c; + } + ++ /** ++ * Helper method for queryInternal that appends an extra argument to the existing selection ++ * arguments array. 
++ * ++ * @param oldSelectionArguments the existing selection argument array in queryInternal ++ * @param phoneNumber the phoneNumber that was passed into queryInternal ++ * @return the new selection argument array with the phoneNumber as the last argument ++ */ ++ private String[] copyArrayAndAppendElement(String[] oldSelectionArguments, String phoneNumber) { ++ if (oldSelectionArguments == null) { ++ return new String[]{phoneNumber}; ++ } ++ String[] newSelectionArguments = new String[oldSelectionArguments.length + 1]; ++ System.arraycopy(oldSelectionArguments, 0, newSelectionArguments, 0, ++ oldSelectionArguments.length); ++ newSelectionArguments[oldSelectionArguments.length] = phoneNumber; ++ return newSelectionArguments; ++ } ++ ++ /** ++ * Helper that throws a Security Exception if the Cursor object is empty && the phoneNumber ++ * appears to have SQL. ++ * ++ * @param cursor returned from the query. ++ * @param phoneNumber string to check for SQL. ++ */ ++ private void examineEmptyCursorCause(Cursor cursor, String phoneNumber) { ++ // checks if the cursor is empty ++ if ((cursor == null) || !cursor.moveToFirst()) { ++ try { ++ // tokenize the phoneNumber and run each token through a checker ++ SQLiteTokenizer.tokenize(phoneNumber, SQLiteTokenizer.OPTION_NONE, ++ this::enforceStrictPhoneNumber); ++ } catch (IllegalArgumentException e) { ++ EventLog.writeEvent(0x534e4554, "224771921", Binder.getCallingUid(), ++ ("invalid phoneNumber passed to queryInternal")); ++ throw new SecurityException("invalid phoneNumber passed to queryInternal"); ++ } ++ } ++ } ++ ++ private void enforceStrictPhoneNumber(String token) { ++ boolean isAllowedKeyword = SQLiteTokenizer.isKeyword(token); ++ switch (token.toUpperCase(Locale.US)) { ++ case "SELECT": ++ case "FROM": ++ case "WHERE": ++ case "GROUP": ++ case "HAVING": ++ case "WINDOW": ++ case "VALUES": ++ case "ORDER": ++ case "LIMIT": ++ isAllowedKeyword = false; ++ break; ++ } ++ if (!isAllowedKeyword) { ++ throw new 
IllegalArgumentException("Invalid token " + token); ++ } ++ } ++ + private void queryForTesting(Uri uri) { + if (!uri.getBooleanQueryParameter(PARAM_KEY_QUERY_FOR_TESTING, false)) { + return; diff --git a/Patches/LineageOS-15.1/android_packages_services_Telecomm/332764.patch b/Patches/LineageOS-15.1/android_packages_services_Telecomm/332764.patch new file mode 100644 index 00000000..ad84ddce --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_services_Telecomm/332764.patch 
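Review bot: The bound phone number is appended as the last element of `selectionArgs` via `copyArrayAndAppendElement`, but the `?` it binds to is emitted through `qb.appendWhere`, and SQLiteQueryBuilder places its own where clause before the caller's `selection`; when a CALLS_FILTER caller also supplies a selection with `?` placeholders and arguments, every binding shifts by one position and `examineEmptyCursorCause` inspects the caller's last argument instead of the number. Prepending the number instead (and reading `selectionArgs[0]`) keeps clause order and argument order aligned — worth confirming against how `selectionBuilder` composes the final clause, since `queryInternal` starts outside the hunk. Separately, `examineEmptyCursorCause` calls `cursor.moveToFirst()` on a non-empty cursor and hands it back positioned at row 0, so an in-process caller that iterates with `moveToNext()` skips the first row; testing `cursor.getCount() == 0` or calling `cursor.moveToPosition(-1)` after the check avoids that. Wrapping the value as `"'" + phoneNumber + "'"` is also unnecessary with a bound parameter — the quotes become part of the compared value, and whether PHONE_NUMBERS_EQUAL tolerates them is worth checking.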
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Sat, 15 Jan 2022 01:15:29 +0000 +Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10 + +bug: 209814693 +Bug: 217934478 +Test: CTS +Change-Id: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af +Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af +(cherry picked from commit eb3394e3a8e21cd07c4f7a7ad43494ba14a8cbf4) +Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af +--- + .../server/telecom/PhoneAccountRegistrar.java | 23 +++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java +index 074f3254a..5323a9669 100644 +--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java ++++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java +@@ -138,6 +138,7 @@ public class PhoneAccountRegistrar { + private static final String FILE_NAME = "phone-account-registrar-state.xml"; + @VisibleForTesting + public static final int EXPECTED_STATE_VERSION = 9; ++ public static final int MAX_PHONE_ACCOUNT_REGISTRATIONS = 10; + + /** Keep in sync with the same in SipSettings.java */ + private static final String SIP_SHARED_PREFERENCES = "SIP_PREFERENCES"; +@@ -628,8 +629,13 @@ public class PhoneAccountRegistrar { + return getPhoneAccountHandles(0, null, packageName, false, userHandle); + } + +- // TODO: Should we implement an artificial limit for # of accounts associated with a single +- // ComponentName? ++ /** ++ * Performs checks before calling addOrReplacePhoneAccount(PhoneAccount) ++ * ++ * @param account The {@code PhoneAccount} to add or replace. 
++ * @throws SecurityException if package does not have BIND_TELECOM_CONNECTION_SERVICE permission ++ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_REGISTRATIONS are reached ++ */ + public void registerPhoneAccount(PhoneAccount account) { + // Enforce the requirement that a connection service for a phone account has the correct + // permission. +@@ -640,6 +646,19 @@ public class PhoneAccountRegistrar { + throw new SecurityException("PhoneAccount connection service requires " + + "BIND_TELECOM_CONNECTION_SERVICE permission."); + } ++ //Enforce an upper bound on the number of PhoneAccount's a package can register. ++ // Most apps should only require 1-2. ++ if (getPhoneAccountsForPackage( ++ account.getAccountHandle().getComponentName().getPackageName(), ++ account.getAccountHandle().getUserHandle()).size() ++ >= MAX_PHONE_ACCOUNT_REGISTRATIONS) { ++ Log.w(this, "Phone account %s reached max registration limit for package", ++ account.getAccountHandle()); ++ throw new IllegalArgumentException( ++ "Error, cannot register phone account " + account.getAccountHandle() ++ + " because the limit, " + MAX_PHONE_ACCOUNT_REGISTRATIONS ++ + ", has been reached"); ++ } + + addOrReplacePhoneAccount(account); + } diff --git a/Patches/LineageOS-15.1/android_system_bt/328347.patch b/Patches/LineageOS-15.1/android_system_bt/328347.patch new file mode 100644 index 00000000..fa151d52 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/328347.patch 
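Review bot: The new cap in registerPhoneAccount counts the package's existing accounts without excluding the handle being registered, so a package that already holds MAX_PHONE_ACCOUNT_REGISTRATIONS accounts can no longer update one of them via addOrReplacePhoneAccount — the re-registration throws IllegalArgumentException instead of replacing. If the limit is meant to bound distinct handles, check whether account.getAccountHandle() is already registered and skip the size test in that case, and say so in the Javadoc: `@throws IllegalArgumentException if the package already has MAX_PHONE_ACCOUNT_REGISTRATIONS distinct accounts registered`. The added comment also needs a space after `//` to match the surrounding style. registerPhoneAccount's body continues outside the hunk.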
@@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ted Wang +Date: Thu, 13 Jan 2022 15:00:32 +0800 +Subject: [PATCH] Security fix OOB read due to invalid count in + stack/avrc/avrc_pars_ct + +Bug: 205837191 +Tag: #security +Test: PoC test program +Ignore-AOSP-First: Security +Change-Id: I7b5bcb6551a8c0c015566327e13ba719271ce374 +Merged-In: I7b5bcb6551a8c0c015566327e13ba719271ce374 +(cherry picked from commit 60a5d2f63bf95ed386a2ca6c43f1d88bb1d07003) +Merged-In:I7b5bcb6551a8c0c015566327e13ba719271ce374 +--- + stack/avrc/avrc_pars_ct.cc | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc +index f3483d7fe..ef5aa1647 100644 +--- a/stack/avrc/avrc_pars_ct.cc ++++ b/stack/avrc/avrc_pars_ct.cc +@@ -543,6 +543,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + p_result->get_caps.capability_id, + p_result->get_caps.count); + if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) { ++ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) { ++ android_errorWriteLog(0x534e4554, "205837191"); ++ return AVRC_STS_INTERNAL_ERR; ++ } + min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3; + if (len < min_len) goto length_error; + for (int xx = 0; ((xx < p_result->get_caps.count) && +@@ -552,6 +556,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + } + } else if (p_result->get_caps.capability_id == + AVRC_CAP_EVENTS_SUPPORTED) { ++ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) { ++ android_errorWriteLog(0x534e4554, "205837191"); ++ return AVRC_STS_INTERNAL_ERR; ++ } + min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID); + if (len < min_len) goto length_error; + for (int xx = 0; ((xx < p_result->get_caps.count) && 
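Review bot: After the new guards return AVRC_STS_INTERNAL_ERR whenever count exceeds AVRC_CAP_MAX_NUM_COMP_ID or AVRC_CAP_MAX_NUM_EVT_ID, the `MIN(...)` on the following `min_len +=` lines can no longer clamp anything, and leaving it reads as if oversized counts were still tolerated. Either simplify to `min_len += p_result->get_caps.count * 3;` (and the event-id twin) or add `// count already bounded above; MIN kept for clarity` so the next reader does not go looking for a path that bypasses the check. avrc_ctrl_pars_vendor_rsp starts and ends outside both hunks.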
diff --git a/Patches/LineageOS-15.1/android_system_bt/334266.patch b/Patches/LineageOS-15.1/android_system_bt/334266.patch new file mode 100644 index 00000000..fd82340e --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/334266.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chen Chen +Date: Fri, 15 Apr 2022 14:24:48 -0700 +Subject: [PATCH] Security: Fix out of bound write in HFP client + +Bug: 224536184 +Test: build +Tag: #security +Ignore-AOSP-First: Security bug +Change-Id: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda +(cherry picked from commit 01136338f6d739226e027716b6e5304df379fa4c) +Merged-In: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda +--- + bta/hf_client/bta_hf_client_at.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc +index 5d8493be5..9489b5111 100644 +--- a/bta/hf_client/bta_hf_client_at.cc ++++ b/bta/hf_client/bta_hf_client_at.cc +@@ -332,6 +332,10 @@ static void bta_hf_client_handle_cind_list_item(tBTA_HF_CLIENT_CB* client_cb, + + APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max); + ++ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) { ++ return; ++ } ++ + /* look for a matching indicator on list of supported ones */ + for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) { + if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) { diff --git a/Patches/LineageOS-15.1/android_system_bt/334267.patch b/Patches/LineageOS-15.1/android_system_bt/334267.patch new file mode 100644 index 00000000..32575fd6 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/334267.patch 
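Review bot: The new range check on `index` returns silently, although the value (per the APPL_TRACE_DEBUG just above it) comes from the parsed +CIND list, so an out-of-range index means a malformed or misbehaving peer that is worth being able to see in a bug report. Add a warning before the return, e.g. `APPL_TRACE_WARNING("%s: indicator index %lu out of range", __func__, index);`. bta_hf_client_handle_cind_list_item starts and ends outside the hunk.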
@@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: William Escande +Date: Mon, 2 May 2022 09:48:59 -0700 +Subject: [PATCH] Check Avrcp packet vendor length before extracting length + +Bug: 205571133 +Test: build + ag/18105403 for sts test +Ignore-AOSP-First: Security vulnerability +Change-Id: Ic9fa9400ab15785cfdb251af66b1867daf09570e +(cherry picked from commit 003e42896493afb7a0cd7406720987725d4e9da3) +Merged-In: Ic9fa9400ab15785cfdb251af66b1867daf09570e +--- + stack/avrc/avrc_pars_tg.cc | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc +index 88b8d0083..7042f4da7 100644 +--- a/stack/avrc/avrc_pars_tg.cc ++++ b/stack/avrc/avrc_pars_tg.cc +@@ -44,6 +44,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg, + tAVRC_COMMAND* p_result) { + tAVRC_STS status = AVRC_STS_NO_ERROR; + ++ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16 ++ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", ++ __func__, p_msg->vendor_len); ++ android_errorWriteLog(0x534e4554, "205571133"); ++ return AVRC_STS_INTERNAL_ERR; ++ } + uint8_t* p = p_msg->p_vendor_data; + p_result->pdu = *p++; + AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu); diff --git a/Patches/LineageOS-15.1/android_system_bt/334268.patch b/Patches/LineageOS-15.1/android_system_bt/334268.patch new file mode 100644 index 00000000..791388e5 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/334268.patch 
@@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Josh Wu +Date: Fri, 29 Apr 2022 00:02:23 -0700 +Subject: [PATCH] Security: Fix out of bound read in AT_SKIP_REST + +Bug: 220732646 +Test: build +Tag: #security +Ignore-AOSP-First: Security bug +Change-Id: Ia49f26e4979f9e57c448190a52d0d01b70e342c4 +(cherry picked from commit 4ce5a3c374fb5d24f367a202a6a3dcab4ba4dffd) +Merged-In: Ia49f26e4979f9e57c448190a52d0d01b70e342c4 +--- + bta/hf_client/bta_hf_client_at.cc | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc +index 9489b5111..6c52edadc 100644 +--- a/bta/hf_client/bta_hf_client_at.cc ++++ b/bta/hf_client/bta_hf_client_at.cc +@@ -787,9 +787,9 @@ void bta_hf_client_binp(tBTA_HF_CLIENT_CB* client_cb, char* number) { + } while (0) + + /* skip rest of AT string up to */ +-#define AT_SKIP_REST(buf) \ +- do { \ +- while (*(buf) != '\r') (buf)++; \ ++#define AT_SKIP_REST(buf) \ ++ do { \ ++ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \ + } while (0) + + static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb, diff --git a/Patches/LineageOS-15.1/android_system_bt/335109.patch b/Patches/LineageOS-15.1/android_system_bt/335109.patch new file mode 100644 index 00000000..25cb585c --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/335109.patch 
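Review bot: AT_SKIP_REST can now stop on the terminating NUL instead of on '\r', so any caller that unconditionally steps past the expected '\r' after the macro (all call sites are outside this hunk) would then advance beyond the end of the buffer; each use site should be checked for a preceding `*(buf) == '\r'` test. The macro's comment should also record the new post-condition, e.g. `/* skip rest of AT string up to <cr> or end of string; buf may now point at '\0' */` — the existing comment appears to have lost its `<cr>` token as rendered here.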
@@ -0,0 +1,42 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Roopa Sattiraju +Date: Wed, 25 May 2022 21:00:01 +0000 +Subject: [PATCH] Removing bonded device when auth fails due to missing keys + +Bug: 231161832 +Test: Test against trying to connect using the same address +Change-Id: I2a23440303758faf281989abdb2a614708f05d36 +Merged-In: I2a23440303758faf281989abdb2a614708f05d36 +(cherry picked from commit 21df1076a4b9c1d1bbe3f5ecb475fe0b7c1b8c2a) +Merged-In: I2a23440303758faf281989abdb2a614708f05d36 +--- + btif/src/btif_dm.cc | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc +index e1bfacf8e..572640e01 100644 +--- a/btif/src/btif_dm.cc ++++ b/btif/src/btif_dm.cc +@@ -1150,14 +1150,12 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { + break; + + case HCI_ERR_PAIRING_NOT_ALLOWED: +- btif_storage_remove_bonded_device(&bd_addr); + status = BT_STATUS_AUTH_REJECTED; + break; + + /* map the auth failure codes, so we can retry pairing if necessary */ + case HCI_ERR_AUTH_FAILURE: + case HCI_ERR_KEY_MISSING: +- btif_storage_remove_bonded_device(&bd_addr); + case HCI_ERR_HOST_REJECT_SECURITY: + case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE: + case HCI_ERR_UNIT_KEY_USED: +@@ -1187,7 +1185,6 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) { + /* Remove Device as bonded in nvram as authentication failed */ + BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram", + __func__); +- btif_storage_remove_bonded_device(&bd_addr); + } + bond_state_changed(status, bd_addr, state); + } diff --git a/Patches/LineageOS-15.1/android_system_core/332765.patch b/Patches/LineageOS-15.1/android_system_core/332765.patch new file mode 100644 index 00000000..91dc278d --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_core/332765.patch 
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Shaju Mathew +Date: Tue, 5 Apr 2022 04:01:04 -0700 +Subject: [PATCH] Backport of Win-specific suppression of potentially rogue + construct that can engage in directory traversal on the host. + +Bug:209438553 + +Ignore-AOSP-First: Resolution for potential security exploit. + +Test: Synced just system/core, therefore relying on presubmits for now. +Will followup with a full-fledged sync and manual cursory test. + +Signed-off-by: Shaju Mathew +Change-Id: I993a00ce6130478b7becfdbea816c348824f319f +Merged-In: Ie1f82db2fb14e1bdd183bf8d3d93d5e9f974be5d +(cherry picked from commit a36a342ec9721240e5a48ca50e833b9a35bef256) +Merged-In: I993a00ce6130478b7becfdbea816c348824f319f +--- + adb/file_sync_client.cpp | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/adb/file_sync_client.cpp b/adb/file_sync_client.cpp +index 2576fb15b..47ef2f49b 100644 +--- a/adb/file_sync_client.cpp ++++ b/adb/file_sync_client.cpp +@@ -629,6 +629,18 @@ static bool sync_ls(SyncConnection& sc, const char* path, + if (!ReadFdExactly(sc.fd, buf, len)) return false; + buf[len] = 0; + ++ // Address the unlikely scenario wherein a ++ // compromised device/service might be able to ++ // traverse across directories on the host. Let's ++ // shut that door! ++ if (strchr(buf, '/') ++#if defined(_WIN32) ++ || strchr(buf, '\\') ++#endif ++ ) { ++ return false; ++ } ++ + func(msg.dent.mode, msg.dent.size, msg.dent.time, buf); + } + } diff --git a/Patches/LineageOS-15.1/android_system_nfc/332767.patch b/Patches/LineageOS-15.1/android_system_nfc/332767.patch new file mode 100644 index 00000000..68bd2827 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_nfc/332767.patch 
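Review bot: The new check rejects a directory entry containing '/' (and '\\' on Windows) but not an entry that is exactly "." or "..", which contains neither; whether such a name can redirect the host-side destination depends on how `func` joins it with the local path, which is outside the hunk, so that should be confirmed and, if needed, the condition extended with `|| !strcmp(buf, ".") || !strcmp(buf, "..")`. The comment would also read better as a statement of the invariant, e.g. `// Reject entry names that could escape the destination directory on the host.`, rather than the current conversational wording. sync_ls starts and ends outside the hunk.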
@@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 8 Mar 2022 17:27:34 -0800 +Subject: [PATCH] Double Free in ce_t4t_data_cback + +Bug: 221862119 +Test: build ok +Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640 +(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e) +Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640 +--- + src/nfc/tags/ce_t4t.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/nfc/tags/ce_t4t.c b/src/nfc/tags/ce_t4t.c +index f204c8a..e16557a 100644 +--- a/src/nfc/tags/ce_t4t.c ++++ b/src/nfc/tags/ce_t4t.c +@@ -633,6 +633,7 @@ static void ce_t4t_data_cback(uint8_t conn_id, tNFC_CONN_EVT event, + } else { + GKI_freebuf(p_c_apdu); + ce_t4t_send_status(T4T_RSP_NOT_FOUND); ++ return; + } + } else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) { + CE_TRACE_DEBUG0("CET4T: Forward raw frame to wildcard AID handler"); diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch new file mode 100644 index 00000000..b690f5ec --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch 
@@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Thu, 17 Mar 2022 15:39:20 -0700 +Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config + +Bug: 221216105 +Test: build ok +Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229 +(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99) +Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229 +--- + src/nfa/dm/nfa_dm_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/nfa/dm/nfa_dm_main.c b/src/nfa/dm/nfa_dm_main.c +index 688de0e0..b0fd1777 100644 +--- a/src/nfa/dm/nfa_dm_main.c ++++ b/src/nfa/dm/nfa_dm_main.c +@@ -283,6 +283,14 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list, + p_value = p_tlv_list + xx + 2; + p_cur_len = NULL; + ++ if (len > (tlv_list_len - xx - 2)) ++ { ++ NFA_TRACE_ERROR2 ("error: invalid TLV length: t:0x%x, l:%d", ++ type, len); ++ android_errorWriteLog(0x534e4554, "221216105"); ++ return NFA_STATUS_FAILED; ++ } ++ + switch (type) { + /* + ** Poll F Configuration diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch new file mode 100644 index 00000000..bc64d773 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch 
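Review bot: The new bound is evaluated after `type` and `len` have already been read at `xx` and `xx + 1` (the hunk's context sets `p_value = p_tlv_list + xx + 2`), so if the loop condition outside the hunk only guarantees `xx < tlv_list_len`, the length byte itself can still be read one past the list; confirm the loop requires `xx + 2 <= tlv_list_len` before those reads. The comparison itself is sound: with uint8_t operands the right-hand side is computed in int, so a negative remainder correctly fails the test. nfa_dm_check_set_config starts and ends outside the hunk.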
@@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Mon, 21 Mar 2022 19:31:28 -0700 +Subject: [PATCH] OOBR in nfc_ncif_proc_ee_discover_req() + +Bug: 221856662 +Test: build ok +Change-Id: If4b4872e4101fc65172596b4f7579b259b6f6b63 +(cherry picked from commit 1c6ab25b3d76c2ced764dc649bec6cf05aecd198) +Merged-In: If4b4872e4101fc65172596b4f7579b259b6f6b63 +--- + src/nfc/nfc/nfc_ncif.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c +index 1e183df0..015a65db 100644 +--- a/src/nfc/nfc/nfc_ncif.c ++++ b/src/nfc/nfc/nfc_ncif.c +@@ -1904,6 +1904,11 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) { + uint8_t u8; + + NFC_TRACE_DEBUG2("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen); ++ if (!plen) ++ { ++ android_errorWriteLog(0x534e4554, "221856662"); ++ return; ++ } + if (p_cback) { + u8 = *p; + ee_disc_req.status = NFC_STATUS_OK; diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch new file mode 100644 index 00000000..ce5facb1 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch 
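Review bot: The NFC_TRACE_DEBUG2 line above the new guard dereferences `*p` before `plen` is checked, so a zero-length payload still reads one byte before the `!plen` return. Move the guard above the trace, or drop `*p` from it and log only `plen` — e.g. `if (!plen) { android_errorWriteLog(0x534e4554, "221856662"); return; }` followed by the existing trace. nfc_ncif_proc_ee_discover_req continues outside the hunk.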
@@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 8 Mar 2022 17:27:34 -0800 +Subject: [PATCH] Double Free in ce_t4t_data_cback + +Bug: 221862119 +Test: build ok +Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640 +(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e) +Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640 +--- + src/nfc/tags/ce_t4t.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/nfc/tags/ce_t4t.c b/src/nfc/tags/ce_t4t.c +index ae3af2a4..510110dd 100644 +--- a/src/nfc/tags/ce_t4t.c ++++ b/src/nfc/tags/ce_t4t.c +@@ -604,6 +604,7 @@ static void ce_t4t_data_cback(uint8_t conn_id, tNFC_CONN_EVT event, + } else { + GKI_freebuf(p_c_apdu); + ce_t4t_send_status(T4T_RSP_NOT_FOUND); ++ return; + } + } else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) { + CE_TRACE_DEBUG0("CET4T: Forward raw frame to wildcard AID handler"); diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch new file mode 100644 index 00000000..13941b88 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch 
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jack Yu +Date: Thu, 13 Jan 2022 16:27:22 +0800 +Subject: [PATCH] Do not set default contactless application without user + interaction + +Keep the default contactless apllication "not set" if user does not +select one from the Settings page. + +Bug: 212610736 +Test: Manual +Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981 +Change-Id: I8e1d67528eca037f4f88380a96f8c542965a1981 +(cherry picked from commit 4177b086cf2f1ae9c1831cb1a7ed88233c7a6aca) +Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981 +--- + .../cardemulation/CardEmulationManager.java | 27 +++---------------- + 1 file changed, 4 insertions(+), 23 deletions(-) + +diff --git a/src/com/android/nfc/cardemulation/CardEmulationManager.java b/src/com/android/nfc/cardemulation/CardEmulationManager.java +index 6d9670ab..e0217e1c 100644 +--- a/src/com/android/nfc/cardemulation/CardEmulationManager.java ++++ b/src/com/android/nfc/cardemulation/CardEmulationManager.java +@@ -240,7 +240,7 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback, + + void verifyDefaults(int userId, List services) { + ComponentName defaultPaymentService = +- getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, false); ++ getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, true); + if (DBG) Log.d(TAG, "Current default: " + defaultPaymentService); + if (defaultPaymentService != null) { + // Validate the default is still installed and handling payment +@@ -285,28 +285,9 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback, + if (DBG) Log.d(TAG, "Default payment service still ok."); + } + } else { +- // A payment service may have been removed, leaving only one; +- // in that case, automatically set that app as default. 
+- int numPaymentServices = 0; +- ComponentName lastFoundPaymentService = null; +- for (NQApduServiceInfo service : services) { +- if ((service.hasCategory(CardEmulation.CATEGORY_PAYMENT))&&(!service.getAids().isEmpty())) { +- numPaymentServices++; +- lastFoundPaymentService = service.getComponent(); +- } +- } +- if (numPaymentServices > 1) { +- // More than one service left, leave default unset +- if (DBG) Log.d(TAG, "No default set, more than one service left."); +- } else if (numPaymentServices == 1) { +- // Make single found payment service the default +- if (DBG) Log.d(TAG, "No default set, making single service default."); +- setDefaultServiceForCategoryChecked(userId, lastFoundPaymentService, +- CardEmulation.CATEGORY_PAYMENT); +- } else { +- // No payment services left, leave default at null +- if (DBG) Log.d(TAG, "No default set, last payment service removed."); +- } ++ // A payment service may have been removed, set default payment selection to "not set". ++ if (DBG) Log.d(TAG, "No default set, last payment service removed."); ++ setDefaultServiceForCategoryChecked(userId, null, CardEmulation.CATEGORY_PAYMENT); + } + } + diff --git a/Patches/LineageOS-18.1/android_device_lge_mako/0001-LTE.patch b/Patches/LineageOS-18.1/android_device_lge_mako/0001-LTE.patch index e299b80e..d297a1ea 100644 --- a/Patches/LineageOS-18.1/android_device_lge_mako/0001-LTE.patch +++ b/Patches/LineageOS-18.1/android_device_lge_mako/0001-LTE.patch @@ -12,10 +12,10 @@ Change-Id: I36cbd7ce1a070201da24dc237154355e780d01b4 create mode 100644 overlay/packages/services/Telephony/res/values/config.xml diff --git a/overlay/frameworks/base/core/res/res/values/config.xml b/overlay/frameworks/base/core/res/res/values/config.xml -index 560ab27..63a5014 100644 +index 35452d5..0b0b09a 100644 --- a/overlay/frameworks/base/core/res/res/values/config.xml 
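Review bot: The retained log message "No default set, last payment service removed." is now emitted on every pass through the else branch — any time no default is stored — not only after the last service was removed, so it misleads whoever reads the log; `if (DBG) Log.d(TAG, "No default set; leaving default payment service unset.");` matches the new behavior. The first hunk also flips the third argument of getDefaultServiceForCategory from false to true without a comment, and its meaning is not visible here, so a one-line why-comment at that call would help. verifyDefaults starts in the first hunk and ends outside the second.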
+++ b/overlay/frameworks/base/core/res/res/values/config.xml -@@ -178,7 +178,7 @@ +@@ -168,7 +168,7 @@ Empty is viewed as "all". Only used on devices which don't support RIL_REQUEST_GET_RADIO_CAPABILITY format is UMTS|LTE|... --> @@ -53,10 +53,10 @@ index 0000000..53c62dd + + diff --git a/system_prop.mk b/system_prop.mk -index 547da5f..e240393 100644 +index 716e920..984f25d 100644 --- a/system_prop.mk +++ b/system_prop.mk -@@ -47,7 +47,7 @@ PRODUCT_PROPERTY_OVERRIDES += \ +@@ -45,7 +45,7 @@ PRODUCT_PROPERTY_OVERRIDES += \ # RIL PRODUCT_PROPERTY_OVERRIDES += \ rild.libpath=/vendor/lib/libril-qc-qmi-1.so \ diff --git a/Scripts/Common/Optimize.sh b/Scripts/Common/Optimize.sh index fc3c0226..2293d366 100644 --- a/Scripts/Common/Optimize.sh +++ b/Scripts/Common/Optimize.sh 
@@ -46,7 +46,7 @@ sed -i 's/zramsize=.*/zramsize=75%,max_comp_streams=4/' asus/fugu/fstab.fugu &>/ sed -i 's/zramsize=.*/zramsize=75%,max_comp_streams=4/' motorola/msm8916-common/rootdir/etc/fstab.qcom &>/dev/null || true; #2GB (1GB) sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=2/' htc/flounder/fstab.flounder &>/dev/null || true; -sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=4/' asus/flox/rootdir/etc/fstab.flox htc/msm8974-common/rootdir/etc/fstab.qcom lge/g2-common/rootdir/etc/fstab.g2 motorola/victara/rootdir/etc/fstab.qcom samsung/klte-common/rootdir/etc/fstab.qcom &>/dev/null || true; +sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=4/' asus/flox/rootdir/etc/fstab.flox htc/msm8974-common/rootdir/etc/fstab.qcom lge/g2-common/rootdir/etc/fstab.g2 lge/mako/rootdir/etc/fstab.mako motorola/victara/rootdir/etc/fstab.qcom samsung/klte-common/rootdir/etc/fstab.qcom &>/dev/null || true; #2/3GB (1/1.5GB) sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=4/' lge/d850/rootdir/etc/fstab.g3 lge/d851/rootdir/etc/fstab.g3 lge/d852/rootdir/etc/fstab.g3 lge/d855/rootdir/etc/fstab.g3 samsung/apq8084-common/rootdir/etc/fstab.qcom &>/dev/null || true; sed -i 's/zramsize=.*/zramsize=50%,max_comp_streams=6/' lge/bullhead/fstab*.bullhead &>/dev/null || true; diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index cdbbbd0a..fe210211 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -87,8 +87,6 @@ patchWorkspace() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi; #source build/envsetup.sh; - #TODO: pull in P_asb_2022-07, and recheck n-asb-2022-07 - #TODO: pull in P_asb_2022-08 and n-asb-2022-08 sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; 
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 47cdea0a..40c0a236 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; fi; #Replace the Messaging app with Silence awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2021-10-05/2022-02-05/' core/version_defaults.mk; #Bump Security String #O_asb_2022-02 #XXX +sed -i 's/2021-10-05/2022-08-05/' core/version_defaults.mk; #Bump Security String #XXX fi; if enterAndClear "build/soong"; then 
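Review bot: The security patch level string is bumped to 2022-08-05 while the same commit leaves two 2022-08 ASB patches disabled with TODOs (335119.patch in the frameworks/base hunk and 335116.patch in the packages/apps/Settings hunk), so the declared level overstates what is actually applied. Either keep the string at the last level whose patches are all applied, or make the gap visible next to the bump, e.g. `#Bump Security String #XXX: 335116/335119 still pending backport`. Dropping the `#O_asb_2022-02` tag also removes the only record of which bulletin the previous value corresponded to.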
@@ -112,12 +112,20 @@ fi; #fi; if enterAndClear "frameworks/base"; then -git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/08/331108/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-05 Always restart apps if base.apk gets updated. -git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/49/332449/2 && git cherry-pick FETCH_HEAD; #n-asb-2022-06 DO NOT MERGE Add an OEM configurable limit for zen rules -git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/57/332757/2 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update -git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/76/332776/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format. -git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/78/332778/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Fix security hole in GateKeeperResponse -git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/79/332779/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 RESTRICT AUTOMERGE Prevent non-admin users from deleting system apps. +applyPatch "$DOS_PATCHES/android_frameworks_base/330961-backport.patch"; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority +applyPatch "$DOS_PATCHES/android_frameworks_base/331108.patch"; #n-asb-2022-05 Always restart apps if base.apk gets updated. +applyPatch "$DOS_PATCHES/android_frameworks_base/332449.patch"; #n-asb-2022-06 Add an OEM configurable limit for zen rules +applyPatch "$DOS_PATCHES/android_frameworks_base/332757.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update +applyPatch "$DOS_PATCHES/android_frameworks_base/332776.patch"; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/332778.patch"; #P_asb_2022-06 Fix security hole in GateKeeperResponse +applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps. +applyPatch "$DOS_PATCHES/android_frameworks_base/334257-backport.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails +applyPatch "$DOS_PATCHES/android_frameworks_base/334258-backport.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only +applyPatch "$DOS_PATCHES/android_frameworks_base/334262.patch"; #P_asb_2022-07 Crash invalid FGS notifications +applyPatch "$DOS_PATCHES/android_frameworks_base/335117-backport.patch"; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity +#applyPatch "$DOS_PATCHES/android_frameworks_base/335119.patch"; #P_asb_2022-08 Remove package title from notification access confirmation intent TODO: 335116 must be backported +applyPatch "$DOS_PATCHES/android_frameworks_base/335120.patch"; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash +applyPatch "$DOS_PATCHES/android_frameworks_base/335121-backport.patch"; #P_asb_2022-08 Only allow the system server to connect to sync adapters applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS) 
@@ -137,7 +145,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta fi; if enterAndClear "frameworks/native"; then -git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/326752/2 && git cherry-pick FETCH_HEAD; #P_asb_2022-03 Check if the window is partially obscured for slippery enters +applyPatch "$DOS_PATCHES/android_frameworks_native/326752.patch"; #P_asb_2022-03 Check if the window is partially obscured for slippery enters if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969) fi; 
@@ -199,23 +207,23 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud fi; if enterAndClear "packages/apps/Bluetooth"; then -git fetch https://github.com/LineageOS/android_packages_apps_Bluetooth refs/changes/51/332451/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission. -git fetch https://github.com/LineageOS/android_packages_apps_Bluetooth refs/changes/52/332452/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission. +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission. +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission. 
fi; if enterAndClear "packages/apps/Contacts"; then -git fetch https://github.com/LineageOS/android_packages_apps_Contacts refs/changes/60/332760/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 No longer export CallSubjectDialog +applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/332760.patch"; #P_asb_2022-06 No longer export CallSubjectDialog applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0001-No_Google_Links.patch"; #Remove Privacy Policy and Terms of Service links (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0003-Skip_Accounts.patch"; #Don't prompt to add account when creating a contact (CalyxOS) applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0004-No_GMaps.patch"; #Use common intent for directions instead of Google Maps URL (GrapheneOS) fi; if enterAndClear "packages/apps/Dialer"; then -git fetch https://github.com/LineageOS/android_packages_apps_Dialer refs/changes/61/332761/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 No longer export CallSubjectDialog +applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/332761.patch"; #P_asb_2022-06 No longer export CallSubjectDialog fi; if enterAndClear "packages/apps/KeyChain"; then -git fetch https://github.com/LineageOS/android_packages_apps_KeyChain refs/changes/36/334036/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-07 Encode authority part of uri before showing in UI +applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/334264.patch"; #P_asb_2022-07 Encode authority part of uri before showing in UI fi; if enterAndClear "packages/apps/LineageParts"; then 
@@ -224,14 +232,20 @@ applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytic
 fi;
 if enterAndClear "packages/apps/Nfc"; then
-git fetch https://github.com/LineageOS/android_packages_apps_Nfc refs/changes/46/328346/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-04 Do not set default contactless application without user interaction
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
 fi;
 if enterAndClear "packages/apps/Settings"; then
-git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/99/327099/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-03 Add caller check to com.android.credentials.RESET [Backport]
-git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/58/326758/2 && git cherry-pick FETCH_HEAD; #P_asb_2022-03 Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
-git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/63/332763/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
-git fetch https://github.com/LineageOS/android_packages_apps_Settings refs/changes/37/334037/1 && git cherry-pick FETCH_HEAD; #n-asb-2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/326758.patch"; #P_asb_2022-03 Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/326759.patch"; #P_asb_2022-03 Add caller check to com.android.credentials.RESET
+#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-2022-03 Add caller check to com.android.credentials.RESET
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334265.patch"; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335111.patch"; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335114.patch"; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_2022-08 Fix can't change notification sound for work profile.
+#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI #TODO: needs backport
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
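Review bot: The disabled line `#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-2022-03 Add caller check to com.android.credentials.RESET` gives no reason for being commented out, so a later reader cannot tell whether the n-asb variant was dropped in favour of 326759 two lines above (same title, P_asb_2022-03) or simply forgotten. Appending the reason, e.g. `#superseded by 326759 above`, or deleting the line keeps the patch list self-explanatory. The commented-out 335116 line at the end of the added block does carry `#TODO: needs backport`, but since that leaves a P_asb_2022-08 fix unapplied on this branch it would help to state what fails to apply so the follow-up is actionable. The enclosing `if enterAndClear "packages/apps/Settings"` block continues past the end of the hunk.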
@@ -264,12 +278,16 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;
+if enterAndClear "packages/providers/ContactsProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/335110.patch"; #P_asb_2022-08 enforce stricter CallLogProvider query
+fi;
+
 if enterAndClear "packages/providers/MediaProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/0001-External_Permission.patch"; #Fix permission denial (luca.stefani)
 fi;
 if enterAndClear "packages/services/Telecomm"; then
-git fetch https://github.com/LineageOS/android_packages_services_Telecomm refs/changes/64/332764/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
 fi;
 if enterAndClear "packages/services/Telephony"; then
@@ -278,11 +296,15 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred
 fi;
 if enterAndClear "system/bt"; then
-git fetch https://github.com/LineageOS/android_system_bt refs/changes/47/328347/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-04 Security fix OOB read due to invalid count in stack/avrc/avrc_pars_ct
+applyPatch "$DOS_PATCHES/android_system_bt/328347.patch"; #P_asb_2022-04 Security fix OOB read due to invalid count in stack/avrc/avrc_pars_ct
+applyPatch "$DOS_PATCHES/android_system_bt/334266.patch"; #P_asb_2022-07 Security: Fix out of bound write in HFP client
+applyPatch "$DOS_PATCHES/android_system_bt/334267.patch"; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+applyPatch "$DOS_PATCHES/android_system_bt/334268.patch"; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+applyPatch "$DOS_PATCHES/android_system_bt/335109.patch"; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
 fi;
 if enterAndClear "system/core"; then
-git fetch https://github.com/LineageOS/android_system_core refs/changes/65/332765/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+applyPatch "$DOS_PATCHES/android_system_core/332765.patch"; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4; #Always update recovery
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
@@ -290,7 +312,7 @@ applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
 fi;
 if enterAndClear "system/nfc"; then
-git fetch https://github.com/LineageOS/android_system_nfc refs/changes/67/332767/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
 fi;
 if enterAndClear "system/sepolicy"; then
@@ -304,7 +326,13 @@ applyPatch "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable
 fi;
 if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then
-git fetch https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci refs/changes/71/332771/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+fi;
+
+if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
 fi;
 if enterAndClear "vendor/lineage"; then
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index d948b05d..ef0d35d0 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
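Review bot: The vendor fork `vendor/nxp/opensource/external/libnfc-nci` now receives the n-asb-2022-06 fixes for nfa_dm_check_set_config and nfc_ncif_proc_ee_discover_req() (the 332458 and 332459 backports), while the hunk at -290 applies only 332767 to `system/nfc`, the AOSP counterpart of that fork. If system/nfc on this branch contains the same NCI code paths, those two out-of-bounds-read fixes are presumably needed there as well; worth confirming rather than leaving the two trees patched asymmetrically. The same question applies to the new `vendor/nxp/opensource/packages/apps/Nfc` block, which gets only 328348-backport, whereas `packages/apps/Nfc` in the hunk at -224 additionally gets 332455-backport (OOB read in phNciNfc_RecvMfResp()); if the NXP fork carries that Mifare extension code the fix likely applies there too. Where a fix is deliberately applied to one fork and not the other, a trailing comment such as `#not applicable to system/nfc: <reason>` would make the gap visibly intentional.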
@@ -177,7 +177,7 @@ sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySys
 sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/wm/ActivityTaskManagerService.java; #Disable partition fingerprint mismatch warnings XXX: TEMPORARY FIX
 sed -i 's/MAX_PASSWORD_LENGTH = 16/MAX_PASSWORD_LENGTH = 64/' core/java/android/app/admin/DevicePolicyManager.java; #Increase default max password length to 64 (GrapheneOS)
 sed -i 's/DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 \* 60 \* 60 \* 1000;/DEFAULT_STRONG_AUTH_TIMEOUT_MS = 12 * 60 * 60 * 1000;/' core/java/android/app/admin/DevicePolicyManager.java; #Decrease the strong auth prompt timeout to occur more often
-##sed -i '282i\ if(packageList != null && packageList.size() > 0) { packageList.add("net.sourceforge.opencamera"); }' core/java/android/hardware/Camera.java; #Add Open Camera to aux camera allowlist XXX: needs testing, broke boot last time
+#sed -i '282i\ if(packageList != null && packageList.size() > 0) { packageList.add("net.sourceforge.opencamera"); }' core/java/android/hardware/Camera.java; #Add Open Camera to aux camera allowlist XXX: needs testing, broke boot last time
 if [ "$DOS_MICROG_INCLUDED" != "FULL" ]; then rm -rf packages/CompanionDeviceManager; fi; #Used to support Android Wear (which hard depends on GMS)
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 fi;