From f52adb2bc57164f5f7aecac4d375fac3e21b99a1 Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 8 Aug 2023 05:30:19 -0400 Subject: [PATCH] 17.1 August ASB work Signed-off-by: Tad --- .../android_external_aac/364027.patch | 38 + .../364028-backport.patch | 386 ++++++++++ .../0007-Always_Restict_Serial.patch | 4 +- .../0014-Network_Permission-1.patch | 2 +- .../0014-Network_Permission-2.patch | 2 +- .../0014-Sensors_Permission.patch | 2 +- .../0015-Automatic_Reboot.patch | 14 +- .../android_frameworks_base/364029.patch | 109 +++ .../364030-backport.patch | 104 +++ .../364031-backport.patch | 85 +++ .../android_frameworks_base/364032.patch | 51 ++ .../364033-backport.patch | 242 ++++++ .../android_frameworks_base/364034.patch | 70 ++ .../364035-backport.patch | 61 ++ .../364036-backport.patch | 129 ++++ .../android_frameworks_base/364037.patch | 55 ++ .../364038-backport.patch | 146 ++++ .../364040-backport.patch | 40 + .../364041-backport.patch | 714 ++++++++++++++++++ Scripts/LineageOS-17.1/Patch.sh | 26 +- 20 files changed, 2265 insertions(+), 15 deletions(-) create mode 100644 Patches/LineageOS-17.1/android_external_aac/364027.patch create mode 100644 Patches/LineageOS-17.1/android_external_freetype/364028-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364029.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364030-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364031-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364032.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364033-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364034.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364035-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364036-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364037.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/364038-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_providers_TelephonyProvider/364040-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_services_Telecomm/364041-backport.patch diff --git a/Patches/LineageOS-17.1/android_external_aac/364027.patch b/Patches/LineageOS-17.1/android_external_aac/364027.patch new file mode 100644 index 00000000..9168e565 --- /dev/null +++ b/Patches/LineageOS-17.1/android_external_aac/364027.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Fraunhofer IIS FDK +Date: Tue, 30 May 2023 16:39:32 +0200 +Subject: [PATCH] Increase patchParam array size by one and fix out-of-bounce + write in resetLppTransposer(). + +Bug: 279766766 +Test: see POC +(cherry picked from commit f682b8787eb312b9f8997dac4c2c18bb779cf0df) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:451762ca48e7fb30a0ce77a8962813a3419ec420) +Merged-In: I206973e0bb21140865efffd930e39f920f477359 +Change-Id: I206973e0bb21140865efffd930e39f920f477359 +--- + libSBRdec/src/lpp_tran.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libSBRdec/src/lpp_tran.h b/libSBRdec/src/lpp_tran.h +index 51b4395..21c4101 100644 +--- a/libSBRdec/src/lpp_tran.h ++++ b/libSBRdec/src/lpp_tran.h +@@ -1,7 +1,7 @@ + /* ----------------------------------------------------------------------------- + Software License for The Fraunhofer FDK AAC Codec Library for Android + +-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten ++© Copyright 1995 - 2023 Fraunhofer-Gesellschaft zur Förderung der angewandten + Forschung e.V. All rights reserved. + + 1. INTRODUCTION +@@ -207,7 +207,7 @@ typedef struct { + inverse filtering levels */ + + PATCH_PARAM +- patchParam[MAX_NUM_PATCHES]; /*!< new parameter set for patching */ ++ patchParam[MAX_NUM_PATCHES + 1]; /*!< new parameter set for patching */ + WHITENING_FACTORS + whFactors; /*!< the pole moving factors for certain + whitening levels as indicated in the bitstream diff --git a/Patches/LineageOS-17.1/android_external_freetype/364028-backport.patch b/Patches/LineageOS-17.1/android_external_freetype/364028-backport.patch new file mode 100644 index 00000000..504217ce --- /dev/null +++ b/Patches/LineageOS-17.1/android_external_freetype/364028-backport.patch @@ -0,0 +1,386 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Seigo Nonaka +Date: Tue, 2 May 2023 10:01:38 +0900 +Subject: [PATCH] Cherrypick following three changes + +[cherrypick 545bf3a27] [sfnt, truetype] Add `size_reset` to `MetricsVariations`. +[cherrypick daad10810] [truetype] tt_size_reset_height to take FT_Size +[cherrypick 51ad7b243] [services] FT_Size_Reset_Func to return FT_Error + +Bug: 278221085 +Test: TreeHugger +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9fe9411db4b7e715a39c0ccf48d1e0328f1d8e7c) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d63b0bfcbaba361543fd9394b8d86907f52c97d) +Merged-In: I7e839b2a36e35c27974a82cc76e853996a7c7688 +Change-Id: I7e839b2a36e35c27974a82cc76e853996a7c7688 +--- + include/freetype/internal/services/svmetric.h | 10 ++- + include/freetype/internal/tttypes.h | 10 ++- + src/cff/cffdrivr.c | 9 ++- + src/cff/cffobjs.c | 6 +- + src/sfnt/sfobjs.c | 14 ++-- + src/sfnt/ttmtx.c | 2 +- + src/truetype/ttdriver.c | 7 +- + src/truetype/ttgxvar.c | 23 +++--- + src/truetype/ttobjs.c | 70 +++++++++++-------- + src/truetype/ttobjs.h | 6 +- + 10 files changed, 99 insertions(+), 58 deletions(-) + +diff --git a/include/freetype/internal/services/svmetric.h b/include/freetype/internal/services/svmetric.h +index 91de020bc..8eea460a0 100644 +--- a/include/freetype/internal/services/svmetric.h ++++ b/include/freetype/internal/services/svmetric.h +@@ -77,6 +77,9 @@ FT_BEGIN_HEADER + typedef void + (*FT_Metrics_Adjust_Func)( FT_Face face ); + ++ typedef FT_Error ++ (*FT_Size_Reset_Func)( FT_Size size ); ++ + + FT_DEFINE_SERVICE( MetricsVariations ) + { +@@ -90,6 +93,7 @@ FT_BEGIN_HEADER + FT_VOrg_Adjust_Func vorg_adjust; + + FT_Metrics_Adjust_Func metrics_adjust; ++ FT_Size_Reset_Func size_reset; + }; + + +@@ -101,7 +105,8 @@ FT_BEGIN_HEADER + tsb_adjust_, \ + bsb_adjust_, \ + vorg_adjust_, \ +- metrics_adjust_ ) \ ++ metrics_adjust_, \ ++ size_reset_ ) \ + static const FT_Service_MetricsVariationsRec class_ = \ + { \ + hadvance_adjust_, \ +@@ -111,7 +116,8 @@ FT_BEGIN_HEADER + tsb_adjust_, \ + bsb_adjust_, \ + vorg_adjust_, \ +- metrics_adjust_ \ ++ metrics_adjust_, \ ++ size_reset_ \ + }; + + /* */ +diff --git a/include/freetype/internal/tttypes.h b/include/freetype/internal/tttypes.h +index 4df6b298f..fd9f02821 100644 +--- a/include/freetype/internal/tttypes.h ++++ b/include/freetype/internal/tttypes.h +@@ -1650,8 +1650,14 @@ FT_BEGIN_HEADER + void* mm; + + /* a typeless pointer to the FT_Service_MetricsVariationsRec table */ +- /* used to handle the HVAR, VVAR, and MVAR OpenType tables */ +- void* var; ++ /* used to handle the HVAR, VVAR, and MVAR OpenType tables by the */ ++ /* "truetype" driver */ ++ void* tt_var; ++ ++ /* a typeless pointer to the FT_Service_MetricsVariationsRec table */ ++ /* used to handle the HVAR, VVAR, and MVAR OpenType tables by this */ ++ /* TT_Face's driver */ ++ void* face_var; + #endif + + /* a typeless pointer to the PostScript Aux service */ +diff --git a/src/cff/cffdrivr.c b/src/cff/cffdrivr.c +index 997a734fb..6eaad8bbd 100644 +--- a/src/cff/cffdrivr.c ++++ b/src/cff/cffdrivr.c +@@ -940,7 +940,8 @@ + FT_UInt gindex, + FT_Int *avalue ) + { +- FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)face->var; ++ FT_Service_MetricsVariations ++ var = (FT_Service_MetricsVariations)face->tt_var; + + + return var->hadvance_adjust( FT_FACE( face ), gindex, avalue ); +@@ -950,7 +951,8 @@ + static void + cff_metrics_adjust( CFF_Face face ) + { +- FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)face->var; ++ FT_Service_MetricsVariations ++ var = (FT_Service_MetricsVariations)face->tt_var; + + + var->metrics_adjust( FT_FACE( face ) ); +@@ -969,7 +971,8 @@ + (FT_BSB_Adjust_Func) NULL, /* bsb_adjust */ + (FT_VOrg_Adjust_Func) NULL, /* vorg_adjust */ + +- (FT_Metrics_Adjust_Func) cff_metrics_adjust /* metrics_adjust */ ++ (FT_Metrics_Adjust_Func) cff_metrics_adjust, /* metrics_adjust */ ++ (FT_Size_Reset_Func) NULL /* size_reset */ + ) + #endif + +diff --git a/src/cff/cffobjs.c b/src/cff/cffobjs.c +index b3f0f99e3..97d8f8e9f 100644 +--- a/src/cff/cffobjs.c ++++ b/src/cff/cffobjs.c +@@ -709,8 +709,10 @@ + + #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT + { +- FT_Service_MultiMasters mm = (FT_Service_MultiMasters)face->mm; +- FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)face->var; ++ FT_Service_MultiMasters ++ mm = (FT_Service_MultiMasters)face->mm; ++ FT_Service_MetricsVariations ++ var = (FT_Service_MetricsVariations)face->face_var; + + FT_UInt instance_index = (FT_UInt)face_index >> 16; + +diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c +index 9dfc20e83..764cd23e9 100644 +--- a/src/sfnt/sfobjs.c ++++ b/src/sfnt/sfobjs.c +@@ -896,17 +896,23 @@ + 0 ); + } + +- if ( !face->var ) ++ if ( !face->tt_var ) + { + /* we want the metrics variations interface */ + /* from the `truetype' module only */ + FT_Module tt_module = FT_Get_Module( library, "truetype" ); + + +- face->var = ft_module_get_service( tt_module, +- FT_SERVICE_ID_METRICS_VARIATIONS, +- 0 ); ++ face->tt_var = ft_module_get_service( tt_module, ++ FT_SERVICE_ID_METRICS_VARIATIONS, ++ 0 ); + } ++ ++ if ( !face->face_var ) ++ face->face_var = ft_module_get_service( ++ &face->root.driver->root, ++ FT_SERVICE_ID_METRICS_VARIATIONS, ++ 0 ); + #endif + + FT_TRACE2(( "SFNT driver\n" )); +diff --git a/src/sfnt/ttmtx.c b/src/sfnt/ttmtx.c +index 8edf4e6a3..89e1fb5a5 100644 +--- a/src/sfnt/ttmtx.c ++++ b/src/sfnt/ttmtx.c +@@ -240,7 +240,7 @@ + + #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT + FT_Service_MetricsVariations var = +- (FT_Service_MetricsVariations)face->var; ++ (FT_Service_MetricsVariations)face->tt_var; + #endif + + +diff --git a/src/truetype/ttdriver.c b/src/truetype/ttdriver.c +index eac736c4a..22e897053 100644 +--- a/src/truetype/ttdriver.c ++++ b/src/truetype/ttdriver.c +@@ -307,7 +307,7 @@ + /* use the scaled metrics, even when tt_size_reset fails */ + FT_Select_Metrics( size->face, strike_index ); + +- tt_size_reset( ttsize, 0 ); /* ignore return value */ ++ tt_size_reset( ttsize ); /* ignore return value */ + } + else + { +@@ -359,7 +359,7 @@ + + if ( FT_IS_SCALABLE( size->face ) ) + { +- error = tt_size_reset( ttsize, 0 ); ++ error = tt_size_reset( ttsize ); + + #ifdef TT_USE_BYTECODE_INTERPRETER + /* for the `MPS' bytecode instruction we need the point size */ +@@ -523,7 +523,8 @@ + (FT_BSB_Adjust_Func) NULL, /* bsb_adjust */ + (FT_VOrg_Adjust_Func) NULL, /* vorg_adjust */ + +- (FT_Metrics_Adjust_Func) tt_apply_mvar /* metrics_adjust */ ++ (FT_Metrics_Adjust_Func) tt_apply_mvar, /* metrics_adjust */ ++ (FT_Size_Reset_Func) tt_size_reset_height /* size_reset */ + ) + + #endif /* TT_CONFIG_OPTION_GX_VAR_SUPPORT */ +diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c +index 3df50d630..f2d2ccabb 100644 +--- a/src/truetype/ttgxvar.c ++++ b/src/truetype/ttgxvar.c +@@ -1300,15 +1300,14 @@ + + + static FT_Error +- tt_size_reset_iterator( FT_ListNode node, ++ ft_size_reset_iterator( FT_ListNode node, + void* user ) + { +- TT_Size size = (TT_Size)node->data; ++ FT_Size size = (FT_Size)node->data; ++ FT_Service_MetricsVariations var = (FT_Service_MetricsVariations)user; + +- FT_UNUSED( user ); + +- +- tt_size_reset( size, 1 ); ++ var->size_reset( size ); + + return FT_Err_Ok; + } +@@ -1370,6 +1369,9 @@ + + /* adjust all derived values */ + { ++ FT_Service_MetricsVariations var = ++ (FT_Service_MetricsVariations)face->face_var; ++ + FT_Face root = &face->root; + + +@@ -1396,11 +1398,12 @@ + face->postscript.underlineThickness / 2; + root->underline_thickness = face->postscript.underlineThickness; + +- /* iterate over all FT_Size objects and call `tt_size_reset' */ +- /* to propagate the metrics changes */ +- FT_List_Iterate( &root->sizes_list, +- tt_size_reset_iterator, +- NULL ); ++ /* iterate over all FT_Size objects and call `var->size_reset' */ ++ /* to propagate the metrics changes */ ++ if ( var && var->size_reset ) ++ FT_List_Iterate( &root->sizes_list, ++ ft_size_reset_iterator, ++ (void*)var ); + } + } + +diff --git a/src/truetype/ttobjs.c b/src/truetype/ttobjs.c +index df6c72a10..e22b6c3c7 100644 +--- a/src/truetype/ttobjs.c ++++ b/src/truetype/ttobjs.c +@@ -1269,39 +1269,29 @@ + /************************************************************************** + * + * @Function: +- * tt_size_reset ++ * tt_size_reset_height + * + * @Description: +- * Reset a TrueType size when resolutions and character dimensions +- * have been changed. ++ * Recompute a TrueType size's ascender, descender, and height ++ * when resolutions and character dimensions have been changed. ++ * Used for variation fonts as an iterator function. + * + * @Input: +- * size :: +- * A handle to the target size object. +- * +- * only_height :: +- * Only recompute ascender, descender, and height; +- * this flag is used for variation fonts where +- * `tt_size_reset' is used as an iterator function. ++ * ft_size :: ++ * A handle to the target TT_Size object. This function will be called ++ * through a `FT_Size_Reset_Func` pointer which takes `FT_Size`. This ++ * function must take `FT_Size` as a result. The passed `FT_Size` is ++ * expected to point to a `TT_Size`. + */ + FT_LOCAL_DEF( FT_Error ) +- tt_size_reset( TT_Size size, +- FT_Bool only_height ) ++ tt_size_reset_height( FT_Size ft_size ) + { +- TT_Face face; +- FT_Size_Metrics* size_metrics; +- +- +- face = (TT_Face)size->root.face; +- +- /* nothing to do for CFF2 */ +- if ( face->is_cff2 ) +- return FT_Err_Ok; ++ TT_Size size = (TT_Size)ft_size; ++ TT_Face face = (TT_Face)size->root.face; ++ FT_Size_Metrics* size_metrics = &size->hinted_metrics; + + size->ttmetrics.valid = FALSE; + +- size_metrics = &size->hinted_metrics; +- + /* copy the result from base layer */ + *size_metrics = size->root.metrics; + +@@ -1328,12 +1318,34 @@ + + size->ttmetrics.valid = TRUE; + +- if ( only_height ) +- { +- /* we must not recompute the scaling values here since */ +- /* `tt_size_reset' was already called (with only_height = 0) */ +- return FT_Err_Ok; +- } ++ return FT_Err_Ok; ++ } ++ ++ ++ /************************************************************************** ++ * ++ * @Function: ++ * tt_size_reset ++ * ++ * @Description: ++ * Reset a TrueType size when resolutions and character dimensions ++ * have been changed. ++ * ++ * @Input: ++ * size :: ++ * A handle to the target size object. ++ */ ++ FT_LOCAL_DEF( FT_Error ) ++ tt_size_reset( TT_Size size ) ++ { ++ FT_Error error; ++ TT_Face face = (TT_Face)size->root.face; ++ FT_Size_Metrics* size_metrics = &size->hinted_metrics; ++ ++ ++ error = tt_size_reset_height( (FT_Size)size ); ++ if ( error ) ++ return error; + + if ( face->header.Flags & 8 ) + { +diff --git a/src/truetype/ttobjs.h b/src/truetype/ttobjs.h +index dcff3f7a0..99895794a 100644 +--- a/src/truetype/ttobjs.h ++++ b/src/truetype/ttobjs.h +@@ -390,8 +390,10 @@ FT_BEGIN_HEADER + #endif /* TT_USE_BYTECODE_INTERPRETER */ + + FT_LOCAL( FT_Error ) +- tt_size_reset( TT_Size size, +- FT_Bool only_height ); ++ tt_size_reset_height( FT_Size size ); ++ ++ FT_LOCAL( FT_Error ) ++ tt_size_reset( TT_Size size ); + + + /************************************************************************** diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch index 0711cfab..b187ee5a 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch @@ -10,10 +10,10 @@ requiring the READ_PHONE_STATE permission. 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java -index efbccb3b8f94..8d0498c0ca7f 100644 +index 2953c71d5a26..919682207082 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java -@@ -4981,12 +4981,7 @@ public class ActivityManagerService extends IActivityManager.Stub +@@ -5010,12 +5010,7 @@ public class ActivityManagerService extends IActivityManager.Stub } } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch index a95d7086..3290bf6f 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch @@ -9,7 +9,7 @@ Subject: [PATCH] make INTERNET into a special runtime permission 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 586d9a819d1e..85e86237adf6 100644 +index a8dd041454c9..6940b9eb36ed 100644 --- a/core/res/AndroidManifest.xml +++ b/core/res/AndroidManifest.xml @@ -1540,7 +1540,7 @@ diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-2.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-2.patch index cb524906..5ce86e72 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-2.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-2.patch @@ -22,7 +22,7 @@ index cd78602d9cd9..b99634c11742 100644 field public static final String SENSORS = "android.permission-group.SENSORS"; field public static final String SMS = "android.permission-group.SMS"; diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 85e86237adf6..a951eb951613 100644 +index 6940b9eb36ed..f49a901ecba0 100644 --- a/core/res/AndroidManifest.xml +++ b/core/res/AndroidManifest.xml @@ -1534,10 +1534,18 @@ diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch index 21e2c853..df4acb70 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch @@ -47,7 +47,7 @@ index 7f728febe5d9..f9f3ead23fb8 100644 android.os.Build.VERSION_CODES.DONUT, 0), new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE, diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index a951eb951613..9b0891d853de 100644 +index f49a901ecba0..59bc207f7fba 100644 --- a/core/res/AndroidManifest.xml +++ b/core/res/AndroidManifest.xml @@ -1332,6 +1332,18 @@ diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch b/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch index 3f4ca108..c5968c11 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch @@ -55,7 +55,7 @@ index 55104b4e0ee2..5ed2807922d9 100644 diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -index f025575623ca..8b36241ea33a 100644 +index a7d5c64dd3a3..f0bb02d21c8a 100644 --- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java @@ -152,6 +152,8 @@ public class KeyguardViewMediator extends SystemUI { @@ -79,7 +79,7 @@ index f025575623ca..8b36241ea33a 100644 /** * If the user has disabled the keyguard, then requests to exit, this is * how we'll ultimately let them know whether it was successful. We use this -@@ -703,6 +710,7 @@ public class KeyguardViewMediator extends SystemUI { +@@ -710,6 +717,7 @@ public class KeyguardViewMediator extends SystemUI { final IntentFilter delayedActionFilter = new IntentFilter(); delayedActionFilter.addAction(DELAYED_KEYGUARD_ACTION); delayedActionFilter.addAction(DELAYED_LOCK_PROFILE_ACTION); @@ -87,7 +87,7 @@ index f025575623ca..8b36241ea33a 100644 mContext.registerReceiver(mDelayedLockBroadcastReceiver, delayedActionFilter, SYSTEMUI_PERMISSION, null /* scheduler */); -@@ -976,6 +984,18 @@ public class KeyguardViewMediator extends SystemUI { +@@ -983,6 +991,18 @@ public class KeyguardViewMediator extends SystemUI { } } @@ -106,7 +106,7 @@ index f025575623ca..8b36241ea33a 100644 private void doKeyguardForChildProfilesLocked() { UserManager um = UserManager.get(mContext); for (int profileId : um.getEnabledProfileIds(UserHandle.myUserId())) { -@@ -993,6 +1013,10 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1000,6 +1020,10 @@ public class KeyguardViewMediator extends SystemUI { mDelayedProfileShowingSequence++; } @@ -117,7 +117,7 @@ index f025575623ca..8b36241ea33a 100644 /** * Let's us know when the device is waking up. */ -@@ -1372,6 +1396,10 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1380,6 +1404,10 @@ public class KeyguardViewMediator extends SystemUI { if (DEBUG) Log.d(TAG, "doKeyguard: showing the lock screen"); showLocked(options); @@ -128,7 +128,7 @@ index f025575623ca..8b36241ea33a 100644 } private void lockProfile(int userId) { -@@ -1535,6 +1563,12 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1543,6 +1571,12 @@ public class KeyguardViewMediator extends SystemUI { } } } @@ -141,7 +141,7 @@ index f025575623ca..8b36241ea33a 100644 } } }; -@@ -1953,6 +1987,7 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1964,6 +1998,7 @@ public class KeyguardViewMediator extends SystemUI { mHideAnimationRun = false; adjustStatusBarLocked(); sendUserPresentBroadcast(); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364029.patch b/Patches/LineageOS-17.1/android_frameworks_base/364029.patch new file mode 100644 index 00000000..4964f627 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364029.patch @@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jing Ji +Date: Tue, 25 Oct 2022 22:39:52 -0700 +Subject: [PATCH] DO NOT MERGE: ActivityManager#killBackgroundProcesses can + kill caller's own app only + +unless it's a system app. + +Bug: 239423414 +Bug: 223376078 +Test: atest CtsAppTestCases:ActivityManagerTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8b382775b258220466a977453905797521e159de) +Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02 +Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02 +--- + core/java/android/app/ActivityManager.java | 3 ++ + core/res/AndroidManifest.xml | 6 +++- + .../server/am/ActivityManagerService.java | 32 +++++++++++++++++-- + 3 files changed, 38 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/app/ActivityManager.java b/core/java/android/app/ActivityManager.java +index 556b60bafd16..eff49bc1fe95 100644 +--- a/core/java/android/app/ActivityManager.java ++++ b/core/java/android/app/ActivityManager.java +@@ -3452,6 +3452,9 @@ public class ActivityManager { + * processes to reclaim memory; the system will take care of restarting + * these processes in the future as needed. + * ++ *

Third party applications can only use this API to kill their own processes. ++ *

++ * + * @param packageName The name of the package whose processes are to + * be killed. + */ +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 586d9a819d1e..a8dd041454c9 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -2379,7 +2379,11 @@ + android:protectionLevel="normal" /> + + + = FIRST_APPLICATION_UID ++ && (proc == null || !proc.info.isSystemApp())) { ++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid=" ++ + callingPid + ", uid=" + callingUid + " is not allowed"; ++ Slog.w(TAG, msg); ++ // Silently return to avoid existing apps from crashing. ++ return; ++ } ++ + final long callingId = Binder.clearCallingIdentity(); + try { + synchronized (this) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364030-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/364030-backport.patch new file mode 100644 index 00000000..61b30a92 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364030-backport.patch @@ -0,0 +1,104 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Austin Borger +Date: Sat, 18 Mar 2023 12:56:12 -0700 +Subject: [PATCH] ActivityManagerService: Allow openContentUri from + vendor/system/product. + +Apps should not have direct access to this entry point. Check that the +caller is a vendor, system, or product package. + +Test: Ran PoC app and CtsMediaPlayerTestCases. +Bug: 236688380 +(cherry picked from commit d0ba7467c2cb2815f94f6651cbb1c2f405e8e9c7) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:821f4c0d8ba06be32ce9b46c7a7c09d1cacd7b0e) +Merged-In: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f +Change-Id: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f +--- + .../server/am/ActivityManagerService.java | 59 ++++++++++++++++++- + 1 file changed, 58 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index b4e2e2b9cac9..2953c71d5a26 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -160,6 +160,7 @@ import android.app.AppOpsManager; + import android.app.AppOpsManagerInternal.CheckOpsDelegate; + import android.app.ApplicationErrorReport; + import android.app.ApplicationThreadConstants; ++import android.app.AppOpsManager; + import android.app.BroadcastOptions; + import android.app.ContentProviderHolder; + import android.app.Dialog; +@@ -7865,7 +7866,54 @@ public class ActivityManagerService extends IActivityManager.Stub + Binder token = new Binder(); + sCallerIdentity.set(new Identity( + token, Binder.getCallingPid(), Binder.getCallingUid())); ++ boolean handlingSecurityViolation = false; + try { ++ // This method is exposed to the VNDK and to avoid changing its ++ // signature we just use the first package in the UID. For shared ++ // UIDs we may blame the wrong app but that is Okay as they are ++ // in the same security/privacy sandbox. ++ final int uid = Binder.getCallingUid(); ++ // Here we handle some of the special UIDs (mediaserver, systemserver, etc) ++ // Note: This is moved to AppOpsManager.resolvePackageName in future versions. ++ final String packageName; ++ if (uid == Process.ROOT_UID) { ++ packageName = "root"; ++ } else if (uid == Process.SHELL_UID) { ++ packageName = "com.android.shell"; ++ } else if (uid == Process.MEDIA_UID) { ++ packageName = "media"; ++ } else if (uid == Process.AUDIOSERVER_UID) { ++ packageName = "audioserver"; ++ } else if (uid == Process.CAMERASERVER_UID) { ++ packageName = "cameraserver"; ++ } else if (uid == Process.SYSTEM_UID) { ++ packageName = "android"; ++ } else { ++ packageName = null; ++ } ++ ++ final AndroidPackage androidPackage; ++ if (packageName != null) { ++ androidPackage = mPackageManagerInt.getPackage(packageName); ++ } else { ++ androidPackage = mPackageManagerInt.getPackage(uid); ++ } ++ if (androidPackage == null) { ++ Log.e(TAG, "Cannot find package for uid: " + uid); ++ handlingSecurityViolation = true; ++ return null; ++ } ++ ++ final ApplicationInfo appInfo = mPackageManagerInt.getApplicationInfo( ++ androidPackage.getPackageName(), /*flags*/0, Process.SYSTEM_UID, ++ UserHandle.USER_SYSTEM); ++ if (!appInfo.isVendor() && !appInfo.isSystemApp() && !appInfo.isSystemExt() ++ && !appInfo.isProduct()) { ++ Log.e(TAG, "openContentUri may only be used by vendor/system/product."); ++ handlingSecurityViolation = true; ++ return null; ++ } ++ + pfd = cph.provider.openFile(null, uri, "r", null, token); + } catch (FileNotFoundException e) { + // do nothing; pfd will be returned null +@@ -7873,7 +7921,16 @@ public class ActivityManagerService extends IActivityManager.Stub + // Ensure that whatever happens, we clean up the identity state + sCallerIdentity.remove(); + // Ensure we're done with the provider. +- removeContentProviderExternalUnchecked(name, null, userId); ++ try { ++ removeContentProviderExternalUnchecked(name, null, userId); ++ } catch (SecurityException e) { ++ // A SecurityException may be thrown from computeOomAdjLocked if the calling ++ // UID is that of a malicious app accessing this hidden API. In that case ++ // we're already handling that by returning null, so tolerate this. ++ if (!handlingSecurityViolation) { ++ throw e; ++ } ++ } + } + } else { + Slog.d(TAG, "Failed to get provider for authority '" + name + "'"); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364031-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/364031-backport.patch new file mode 100644 index 00000000..433405c5 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364031-backport.patch @@ -0,0 +1,85 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ioana Alexandru +Date: Thu, 27 Apr 2023 14:55:28 +0000 +Subject: [PATCH] Verify URI permissions for notification shortcutIcon. + +Bug: 277593270 +Test: atest NotificationManagerServiceTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:47e661cbf37e1dedf676f482ac07ffc433c92d0b) +Merged-In: I1efaa1301bca36895ad4322a919d7421156a60df +Change-Id: I1efaa1301bca36895ad4322a919d7421156a60df +--- + core/java/android/app/Notification.java | 19 +++++++++++++++++++ + .../NotificationManagerServiceTest.java | 7 ++++++- + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index 3e75c52bf893..107becdfbcff 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -2434,6 +2434,14 @@ public class Notification implements Parcelable + } + } + ++ private static void visitIconUri(@NonNull Consumer visitor, @Nullable Icon icon) { ++ if (icon == null) return; ++ final int iconType = icon.getType(); ++ if (iconType == TYPE_URI /*|| iconType == TYPE_URI_ADAPTIVE_BITMAP*/) { ++ visitor.accept(icon.getUri()); ++ } ++ } ++ + /** + * Note all {@link Uri} that are referenced internally, with the expectation + * that Uri permission grants will need to be issued to ensure the recipient +@@ -2449,7 +2457,18 @@ public class Notification implements Parcelable + if (bigContentView != null) bigContentView.visitUris(visitor); + if (headsUpContentView != null) headsUpContentView.visitUris(visitor); + ++ visitIconUri(visitor, mSmallIcon); ++ visitIconUri(visitor, mLargeIcon); ++ ++ if (actions != null) { ++ for (Action action : actions) { ++ visitIconUri(visitor, action.getIcon()); ++ } ++ } ++ + if (extras != null) { ++ visitIconUri(visitor, extras.getParcelable(EXTRA_LARGE_ICON_BIG)); ++ + visitor.accept(extras.getParcelable(EXTRA_AUDIO_CONTENTS_URI)); + if (extras.containsKey(EXTRA_BACKGROUND_IMAGE_URI)) { + visitor.accept(Uri.parse(extras.getString(EXTRA_BACKGROUND_IMAGE_URI))); +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index 6c1620751866..a7a6f7a59ac3 100755 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -3414,6 +3414,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + public void testVisitUris() throws Exception { + final Uri audioContents = Uri.parse("content://com.example/audio"); + final Uri backgroundImage = Uri.parse("content://com.example/background"); ++ final Icon smallIcon = Icon.createWithContentUri("content://media/small/icon"); ++ final Icon largeIcon = Icon.createWithContentUri("content://media/large/icon"); + + Bundle extras = new Bundle(); + extras.putParcelable(Notification.EXTRA_AUDIO_CONTENTS_URI, audioContents); +@@ -3421,7 +3423,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + + Notification n = new Notification.Builder(mContext, "a") + .setContentTitle("notification with uris") +- .setSmallIcon(android.R.drawable.sym_def_app_icon) ++ .setSmallIcon(smallIcon) ++ .setLargeIcon(largeIcon) + .addExtras(extras) + .build(); + +@@ -3429,6 +3432,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + n.visitUris(visitor); + verify(visitor, times(1)).accept(eq(audioContents)); + verify(visitor, times(1)).accept(eq(backgroundImage)); ++ verify(visitor, times(1)).accept(eq(smallIcon.getUri())); ++ verify(visitor, times(1)).accept(eq(largeIcon.getUri())); + } + + @Test diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364032.patch b/Patches/LineageOS-17.1/android_frameworks_base/364032.patch new file mode 100644 index 00000000..1e48222c --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364032.patch @@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Beverly +Date: Mon, 8 May 2023 16:33:12 +0000 +Subject: [PATCH] On device lockdown, always show the keyguard + +Manual test steps: +1. Enable app pinning and disable "Ask for PIN before unpinning" setting +2. Pin an app (ie: Settings) +3. Lockdown from the power menu +Observe: user is brought to the keyguard, primary auth is required +to enter the device. After entering credential, the device is still in +app pinning mode. + +Test: atest KeyguardViewMediatorTest +Test: manual steps outlined above +Bug: 218495634 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94) +Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2 +Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2 +--- + .../systemui/keyguard/KeyguardViewMediator.java | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index f025575623ca..cd02fe9a6c2d 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -556,6 +556,13 @@ public class KeyguardViewMediator extends SystemUI { + notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper); + } + } ++ ++ @Override ++ public void onStrongAuthStateChanged(int userId) { ++ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { ++ doKeyguardLocked(null); ++ } ++ } + }; + + ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() { +@@ -1319,7 +1326,8 @@ public class KeyguardViewMediator extends SystemUI { + } + + // if another app is disabling us, don't show +- if (!mExternallyEnabled) { ++ if (!mExternallyEnabled ++ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { + if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); + + mNeedToReshowWhenReenabled = true; diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364033-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/364033-backport.patch new file mode 100644 index 00000000..ed0e2e1f --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364033-backport.patch @@ -0,0 +1,242 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pavel Grafov +Date: Wed, 5 Apr 2023 15:15:41 +0000 +Subject: [PATCH] Ensure policy has no absurdly long strings + +The following APIs now enforce limits and throw IllegalArgumentException +when limits are violated: +* DPM.setTrustAgentConfiguration() limits agent packgage name, + component name, and strings within configuration bundle. +* DPM.setPermittedAccessibilityServices() limits package names. +* DPM.setPermittedInputMethods() limits package names. +* DPM.setAccountManagementDisabled() limits account name. +* DPM.setLockTaskPackages() limits package names. +* DPM.setAffiliationIds() limits id. +* DPM.transferOwnership() limits strings inside the bundle. + +Package names are limited at 223, because they become directory names +and it is a filesystem restriction, see FrameworkParsingPackageUtils. + +All other strings are limited at 65535, because longer ones break binary +XML serializer. + +The following APIs silently truncate strings that are long beyond reason: +* DPM.setShortSupportMessage() truncates message at 200. +* DPM.setLongSupportMessage() truncates message at 20000. +* DPM.setOrganizationName() truncates org name at 200. + +Bug: 260729089 +Test: atest com.android.server.devicepolicy +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb7e82ceaa6d16267e7b0e14563161b506d26be8) +Merged-In: Idcf54e408722f164d16bf2f24a00cd1f5b626d23 +Change-Id: Idcf54e408722f164d16bf2f24a00cd1f5b626d23 +--- + .../app/admin/DevicePolicyManager.java | 3 +- + .../DevicePolicyManagerService.java | 91 ++++++++++++++++++- + 2 files changed, 90 insertions(+), 4 deletions(-) + +diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java +index 5e263b0d05b6..bff9bfdf185d 100644 +--- a/core/java/android/app/admin/DevicePolicyManager.java ++++ b/core/java/android/app/admin/DevicePolicyManager.java +@@ -9075,7 +9075,8 @@ public class DevicePolicyManager { + + /** + * Called by a device admin to set the long support message. This will be displayed to the user +- * in the device administators settings screen. ++ * in the device administrators settings screen. If the message is longer than 20000 characters ++ * it may be truncated. + *

+ * If the long support message needs to be localized, it is the responsibility of the + * {@link DeviceAdminReceiver} to listen to the {@link Intent#ACTION_LOCALE_CHANGED} broadcast +diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +index b2e23da08e2d..682ea6edf726 100644 +--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java ++++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +@@ -278,6 +278,7 @@ import java.lang.reflect.Constructor; + import java.nio.charset.StandardCharsets; + import java.text.DateFormat; + import java.time.LocalDate; ++import java.util.ArrayDeque; + import java.util.ArrayList; + import java.util.Arrays; + import java.util.Collection; +@@ -287,6 +288,7 @@ import java.util.HashMap; + import java.util.List; + import java.util.Map; + import java.util.Map.Entry; ++import java.util.Queue; + import java.util.Set; + import java.util.concurrent.TimeUnit; + import java.util.concurrent.atomic.AtomicBoolean; +@@ -351,6 +353,15 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + + private static final int REQUEST_EXPIRE_PASSWORD = 5571; + ++ // Binary XML serializer doesn't support longer strings ++ private static final int MAX_POLICY_STRING_LENGTH = 65535; ++ // FrameworkParsingPackageUtils#MAX_FILE_NAME_SIZE, Android packages are used in dir names. ++ private static final int MAX_PACKAGE_NAME_LENGTH = 223; ++ ++ private static final int MAX_LONG_SUPPORT_MESSAGE_LENGTH = 20000; ++ private static final int MAX_SHORT_SUPPORT_MESSAGE_LENGTH = 200; ++ private static final int MAX_ORG_NAME_LENGTH = 200; ++ + private static final long MS_PER_DAY = TimeUnit.DAYS.toMillis(1); + + private static final long EXPIRATION_GRACE_PERIOD_MS = 5 * MS_PER_DAY; // 5 days, in ms +@@ -9042,6 +9053,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + } + Preconditions.checkNotNull(admin, "admin is null"); + Preconditions.checkNotNull(agent, "agent is null"); ++ enforceMaxPackageNameLength(agent.getPackageName()); ++ final String agentAsString = agent.flattenToString(); ++ enforceMaxStringLength(agentAsString, "agent name"); ++ if (args != null) { ++ enforceMaxStringLength(args, "args"); ++ } + final int userHandle = UserHandle.getCallingUserId(); + synchronized (getLockObject()) { + ActiveAdmin ap = getActiveAdminForCallerLocked(admin, +@@ -9262,6 +9279,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + Preconditions.checkNotNull(who, "ComponentName is null"); + + if (packageList != null) { ++ for (String pkg : (List) packageList) { ++ enforceMaxPackageNameLength(pkg); ++ } ++ + int userId = UserHandle.getCallingUserId(); + List enabledServices = null; + long id = mInjector.binderClearCallingIdentity(); +@@ -9450,6 +9471,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + } + final int callingUserId = mInjector.userHandleGetCallingUserId(); + if (packageList != null) { ++ for (String pkg : (List) packageList) { ++ enforceMaxPackageNameLength(pkg); ++ } ++ + List enabledImes = InputMethodManagerInternal.get() + .getEnabledInputMethodListAsUser(callingUserId); + if (enabledImes != null) { +@@ -10424,6 +10449,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + return; + } + Preconditions.checkNotNull(who, "ComponentName is null"); ++ enforceMaxStringLength(accountType, "account type"); + synchronized (getLockObject()) { + ActiveAdmin ap = getActiveAdminForCallerLocked(who, + DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); +@@ -10709,6 +10735,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + throws SecurityException { + Preconditions.checkNotNull(who, "ComponentName is null"); + Preconditions.checkNotNull(packages, "packages is null"); ++ for (String pkg : packages) { ++ enforceMaxPackageNameLength(pkg); ++ } + + synchronized (getLockObject()) { + enforceCanCallLockTaskLocked(who); +@@ -12223,6 +12252,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + return; + } + Preconditions.checkNotNull(who, "ComponentName is null"); ++ message = truncateIfLonger(message, MAX_SHORT_SUPPORT_MESSAGE_LENGTH); ++ + final int userHandle = mInjector.userHandleGetCallingUserId(); + synchronized (getLockObject()) { + ActiveAdmin admin = getActiveAdminForUidLocked(who, +@@ -12256,6 +12287,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + if (!mHasFeature) { + return; + } ++ ++ message = truncateIfLonger(message, MAX_LONG_SUPPORT_MESSAGE_LENGTH); ++ + Preconditions.checkNotNull(who, "ComponentName is null"); + final int userHandle = mInjector.userHandleGetCallingUserId(); + synchronized (getLockObject()) { +@@ -12393,6 +12427,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + Preconditions.checkNotNull(who, "ComponentName is null"); + final int userHandle = mInjector.userHandleGetCallingUserId(); + ++ text = truncateIfLonger(text, MAX_ORG_NAME_LENGTH); ++ + synchronized (getLockObject()) { + ActiveAdmin admin = getActiveAdminForCallerLocked(who, + DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); +@@ -12604,9 +12640,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + throw new IllegalArgumentException("ids must not be null"); + } + for (String id : ids) { +- if (TextUtils.isEmpty(id)) { +- throw new IllegalArgumentException("ids must not contain empty string"); +- } ++ Preconditions.checkArgument(!TextUtils.isEmpty(id), "ids must not have empty string"); ++ enforceMaxStringLength(id, "affiliation id"); + } + + final Set affiliationIds = new ArraySet<>(ids); +@@ -13728,6 +13763,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + + Preconditions.checkNotNull(admin, "Admin cannot be null."); + Preconditions.checkNotNull(target, "Target cannot be null."); ++ if (bundle != null) { ++ enforceMaxStringLength(bundle, "bundle"); ++ } + + enforceProfileOrDeviceOwner(admin); + +@@ -14505,4 +14543,51 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + return DevicePolicyConstants.loadFromString( + mInjector.settingsGlobalGetString(Global.DEVICE_POLICY_CONSTANTS)); + } ++ ++ /** ++ * Truncates char sequence to maximum length, nulls are ignored. ++ */ ++ private static CharSequence truncateIfLonger(CharSequence input, int maxLength) { ++ return input == null || input.length() <= maxLength ++ ? input ++ : input.subSequence(0, maxLength); ++ } ++ ++ /** ++ * Throw if string argument is too long to be serialized. ++ */ ++ private static void enforceMaxStringLength(String str, String argName) { ++ Preconditions.checkArgument( ++ str.length() <= MAX_POLICY_STRING_LENGTH, argName + " loo long"); ++ } ++ ++ private static void enforceMaxPackageNameLength(String pkg) { ++ Preconditions.checkArgument( ++ pkg.length() <= MAX_PACKAGE_NAME_LENGTH, "Package name too long"); ++ } ++ ++ /** ++ * Throw if persistable bundle contains any string that we can't serialize. ++ */ ++ private static void enforceMaxStringLength(PersistableBundle bundle, String argName) { ++ // Persistable bundles can have other persistable bundles as values, traverse with a queue. ++ Queue queue = new ArrayDeque<>(); ++ queue.add(bundle); ++ while (!queue.isEmpty()) { ++ PersistableBundle current = queue.remove(); ++ for (String key : current.keySet()) { ++ enforceMaxStringLength(key, "key in " + argName); ++ Object value = current.get(key); ++ if (value instanceof String) { ++ enforceMaxStringLength((String) value, "string value in " + argName); ++ } else if (value instanceof String[]) { ++ for (String str : (String[]) value) { ++ enforceMaxStringLength(str, "string value in " + argName); ++ } ++ } else if (value instanceof PersistableBundle) { ++ queue.add((PersistableBundle) value); ++ } ++ } ++ } ++ } + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364034.patch b/Patches/LineageOS-17.1/android_frameworks_base/364034.patch new file mode 100644 index 00000000..57753aaf --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364034.patch @@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ioana Alexandru +Date: Fri, 12 May 2023 15:41:09 +0000 +Subject: [PATCH] Implement visitUris for RemoteViews ViewGroupActionAdd. + +This is to prevent a vulnerability where notifications can show +resources belonging to other users, since the URI in the nested views +was not being checked. + +Bug: 277740082 +Test: atest RemoteViewsTest NotificationVisitUrisTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:850fd984e5f346645b5a941ed7307387c7e4c4de) +Merged-In: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8 +Change-Id: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8 +--- + core/java/android/widget/RemoteViews.java | 5 ++++ + .../src/android/widget/RemoteViewsTest.java | 24 +++++++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java +index 21d38b559736..c2e591950e25 100644 +--- a/core/java/android/widget/RemoteViews.java ++++ b/core/java/android/widget/RemoteViews.java +@@ -1663,6 +1663,11 @@ public class RemoteViews implements Parcelable, Filter { + public int getActionTag() { + return VIEW_GROUP_ACTION_ADD_TAG; + } ++ ++ @Override ++ public final void visitUris(@NonNull Consumer visitor) { ++ mNestedViews.visitUris(visitor); ++ } + } + + /** +diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java +index 46f2c0928fc3..83ff725b5b75 100644 +--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java ++++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java +@@ -528,6 +528,30 @@ public class RemoteViewsTest { + verify(visitor, times(1)).accept(eq(icon4.getUri())); + } + ++ @Test ++ public void visitUris_nestedViews() { ++ final RemoteViews outer = new RemoteViews(mPackage, R.layout.remote_views_test); ++ ++ final RemoteViews inner = new RemoteViews(mPackage, 33); ++ final Uri imageUriI = Uri.parse("content://inner/image"); ++ final Icon icon1 = Icon.createWithContentUri("content://inner/icon1"); ++ final Icon icon2 = Icon.createWithContentUri("content://inner/icon2"); ++ final Icon icon3 = Icon.createWithContentUri("content://inner/icon3"); ++ final Icon icon4 = Icon.createWithContentUri("content://inner/icon4"); ++ inner.setImageViewUri(R.id.image, imageUriI); ++ inner.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4); ++ ++ outer.addView(R.id.layout, inner); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ outer.visitUris(visitor); ++ verify(visitor, times(1)).accept(eq(imageUriI)); ++ verify(visitor, times(1)).accept(eq(icon1.getUri())); ++ verify(visitor, times(1)).accept(eq(icon2.getUri())); ++ verify(visitor, times(1)).accept(eq(icon3.getUri())); ++ verify(visitor, times(1)).accept(eq(icon4.getUri())); ++ } ++ + @Test + public void visitUris_separateOrientation() { + final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364035-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/364035-backport.patch new file mode 100644 index 00000000..4adb229b --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364035-backport.patch @@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ioana Alexandru +Date: Mon, 15 May 2023 16:15:55 +0000 +Subject: [PATCH] Check URIs in notification public version. + +Bug: 276294099 +Test: atest NotificationManagerServiceTest NotificationVisitUrisTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9663d493142b59c65311bc09d48427d3bdde0222) +Merged-In: I670198b213abb2cb29a9865eb9d1e897700508b4 +Change-Id: I670198b213abb2cb29a9865eb9d1e897700508b4 +--- + core/java/android/app/Notification.java | 4 ++++ + .../NotificationManagerServiceTest.java | 20 +++++++++++++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index 107becdfbcff..b5e9a7839df0 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -2450,6 +2450,10 @@ public class Notification implements Parcelable + * @hide + */ + public void visitUris(@NonNull Consumer visitor) { ++ if (publicVersion != null) { ++ publicVersion.visitUris(visitor); ++ } ++ + visitor.accept(sound); + + if (tickerView != null) tickerView.visitUris(visitor); +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index a7a6f7a59ac3..578626482581 100755 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -3436,6 +3436,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + verify(visitor, times(1)).accept(eq(largeIcon.getUri())); + } + ++ @Test ++ public void testVisitUris_publicVersion() throws Exception { ++ final Icon smallIconPublic = Icon.createWithContentUri("content://media/small/icon"); ++ final Icon largeIconPrivate = Icon.createWithContentUri("content://media/large/icon"); ++ ++ Notification publicVersion = new Notification.Builder(mContext, "a") ++ .setContentTitle("notification with uris") ++ .setSmallIcon(smallIconPublic) ++ .build(); ++ Notification n = new Notification.Builder(mContext, "a") ++ .setLargeIcon(largeIconPrivate) ++ .setPublicVersion(publicVersion) ++ .build(); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ n.visitUris(visitor); ++ verify(visitor, times(1)).accept(eq(smallIconPublic.getUri())); ++ verify(visitor, times(1)).accept(eq(largeIconPrivate.getUri())); ++ } ++ + @Test + public void testSetNotificationPolicy_preP_setOldFields() { + ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364036-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/364036-backport.patch new file mode 100644 index 00000000..9b3e4a8f --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364036-backport.patch @@ -0,0 +1,129 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Mikhail +Date: Fri, 28 Apr 2023 16:17:16 +0000 +Subject: [PATCH] Verify URI permissions in MediaMetadata + +Add a check for URI permission to make sure that user can access the URI +set in MediaMetadata. If permission is denied, clear the URI string set +in metadata. + +Bug: 271851153 +Test: atest MediaSessionTest +Test: Verified by POC app attached in bug, image of second user is not +the UMO background of the first user. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f95b7fc61d6b3bf49420ded0357bec031f8cbdcf) +Merged-In: I384f8e230c909d8fc8e5f147e2fd3558fec44626 +Change-Id: I384f8e230c909d8fc8e5f147e2fd3558fec44626 +--- + .../server/media/MediaSessionRecord.java | 52 +++++++++++++++---- + 1 file changed, 43 insertions(+), 9 deletions(-) + +diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java +index e2087e6ca822..5ebbfe92dc20 100644 +--- a/services/core/java/com/android/server/media/MediaSessionRecord.java ++++ b/services/core/java/com/android/server/media/MediaSessionRecord.java +@@ -17,6 +17,8 @@ + package com.android.server.media; + + import android.app.PendingIntent; ++import android.content.ContentProvider; ++import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; + import android.content.pm.ParceledListSlice; +@@ -48,11 +50,13 @@ import android.os.Process; + import android.os.RemoteException; + import android.os.ResultReceiver; + import android.os.SystemClock; ++import android.text.TextUtils; + import android.util.Log; + import android.util.Slog; + import android.view.KeyEvent; + + import com.android.server.LocalServices; ++import com.android.server.uri.UriGrantsManagerInternal; + + import java.io.PrintWriter; + import java.util.ArrayList; +@@ -64,6 +68,10 @@ import java.util.List; + */ + public class MediaSessionRecord implements IBinder.DeathRecipient { + private static final String TAG = "MediaSessionRecord"; ++ private static final String[] ART_URIS = new String[] { ++ MediaMetadata.METADATA_KEY_ALBUM_ART_URI, ++ MediaMetadata.METADATA_KEY_ART_URI, ++ MediaMetadata.METADATA_KEY_DISPLAY_ICON_URI}; + private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG); + + /** +@@ -85,6 +93,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient { + private final SessionStub mSession; + private final SessionCb mSessionCb; + private final MediaSessionService mService; ++ private final UriGrantsManagerInternal mUgmInternal; + private final Context mContext; + + private final Object mLock = new Object(); +@@ -142,6 +151,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient { + mAudioManager = (AudioManager) mContext.getSystemService(Context.AUDIO_SERVICE); + mAudioManagerInternal = LocalServices.getService(AudioManagerInternal.class); + mAudioAttrs = new AudioAttributes.Builder().setUsage(AudioAttributes.USAGE_MEDIA).build(); ++ mUgmInternal = LocalServices.getService(UriGrantsManagerInternal.class); + } + + /** +@@ -870,21 +880,45 @@ public class MediaSessionRecord implements IBinder.DeathRecipient { + public void setMetadata(MediaMetadata metadata, long duration, String metadataDescription) + throws RemoteException { + synchronized (mLock) { +- MediaMetadata temp = metadata == null ? null : new MediaMetadata.Builder(metadata) +- .build(); +- // This is to guarantee that the underlying bundle is unparceled +- // before we set it to prevent concurrent reads from throwing an +- // exception +- if (temp != null) { +- temp.size(); +- } +- mMetadata = temp; + mDuration = duration; + mMetadataDescription = metadataDescription; ++ mMetadata = sanitizeMediaMetadata(metadata); + } + mHandler.post(MessageHandler.MSG_UPDATE_METADATA); + } + ++ private MediaMetadata sanitizeMediaMetadata(MediaMetadata metadata) { ++ if (metadata == null) { ++ return null; ++ } ++ MediaMetadata.Builder metadataBuilder = new MediaMetadata.Builder(metadata); ++ for (String key: ART_URIS) { ++ String uriString = metadata.getString(key); ++ if (TextUtils.isEmpty(uriString)) { ++ continue; ++ } ++ Uri uri = Uri.parse(uriString); ++ if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) { ++ continue; ++ } ++ try { ++ mUgmInternal.checkGrantUriPermission(getUid(), ++ getPackageName(), ++ ContentProvider.getUriWithoutUserId(uri), ++ Intent.FLAG_GRANT_READ_URI_PERMISSION, ++ ContentProvider.getUserIdFromUri(uri, getUserId())); ++ } catch (SecurityException e) { ++ metadataBuilder.putString(key, null); ++ } ++ } ++ MediaMetadata sanitizedMetadata = metadataBuilder.build(); ++ // sanitizedMetadata.size() guarantees that the underlying bundle is unparceled ++ // before we set it to prevent concurrent reads from throwing an ++ // exception ++ sanitizedMetadata.size(); ++ return sanitizedMetadata; ++ } ++ + @Override + public void setPlaybackState(PlaybackState state) throws RemoteException { + int oldState = mPlaybackState == null diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364037.patch b/Patches/LineageOS-17.1/android_frameworks_base/364037.patch new file mode 100644 index 00000000..dd980058 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364037.patch @@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chandru S +Date: Tue, 16 May 2023 10:41:07 -0700 +Subject: [PATCH] Use Settings.System.getIntForUser instead of getInt to make + sure user specific settings are used + +Bug: 265431505 +Test: atest KeyguardViewMediatorTest +(cherry picked from commit 625e009fc195ba5d658ca2d78ebb23d2770cc6c4) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ce6510deba06bcb72a0e468294b483fc4ac4be17) +Merged-In: I66a660c091c90a957a0fd1e144c013840db3f47e +Change-Id: I66a660c091c90a957a0fd1e144c013840db3f47e +--- + .../systemui/keyguard/KeyguardViewMediator.java | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index cd02fe9a6c2d..a7d5c64dd3a3 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -913,9 +913,9 @@ public class KeyguardViewMediator extends SystemUI { + final ContentResolver cr = mContext.getContentResolver(); + + // From SecuritySettings +- final long lockAfterTimeout = Settings.Secure.getInt(cr, ++ final long lockAfterTimeout = Settings.Secure.getIntForUser(cr, + Settings.Secure.LOCK_SCREEN_LOCK_AFTER_TIMEOUT, +- KEYGUARD_LOCK_AFTER_DELAY_DEFAULT); ++ KEYGUARD_LOCK_AFTER_DELAY_DEFAULT, userId); + + // From DevicePolicyAdmin + final long policyTimeout = mLockPatternUtils.getDevicePolicyManager() +@@ -927,8 +927,8 @@ public class KeyguardViewMediator extends SystemUI { + timeout = lockAfterTimeout; + } else { + // From DisplaySettings +- long displayTimeout = Settings.System.getInt(cr, SCREEN_OFF_TIMEOUT, +- KEYGUARD_DISPLAY_TIMEOUT_DELAY_DEFAULT); ++ long displayTimeout = Settings.System.getIntForUser(cr, SCREEN_OFF_TIMEOUT, ++ KEYGUARD_DISPLAY_TIMEOUT_DELAY_DEFAULT, userId); + + // policy in effect. Make sure we don't go beyond policy limit. + displayTimeout = Math.max(displayTimeout, 0); // ignore negative values +@@ -1762,7 +1762,10 @@ public class KeyguardViewMediator extends SystemUI { + private void playSound(int soundId) { + if (soundId == 0) return; + final ContentResolver cr = mContext.getContentResolver(); +- if (Settings.System.getInt(cr, Settings.System.LOCKSCREEN_SOUNDS_ENABLED, 1) == 1) { ++ int lockscreenSoundsEnabled = Settings.System.getIntForUser(cr, ++ Settings.System.LOCKSCREEN_SOUNDS_ENABLED, 1, ++ KeyguardUpdateMonitor.getCurrentUser()); ++ if (lockscreenSoundsEnabled == 1) { + + mLockSounds.stop(mLockSoundStreamId); + // Init mAudioManager diff --git a/Patches/LineageOS-17.1/android_frameworks_base/364038-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/364038-backport.patch new file mode 100644 index 00000000..a4f0f56c --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/364038-backport.patch @@ -0,0 +1,146 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pranav Madapurmath +Date: Thu, 25 May 2023 21:58:19 +0000 +Subject: [PATCH] Resolve StatusHints image exploit across user. + +Because of the INTERACT_ACROSS_USERS permission, an app that implements +a ConnectionService can upload an image icon belonging to another user +by setting it in the StatusHints. Validating the construction of the +StatusHints on the calling user would prevent a malicious app from +registering a connection service with the embedded image icon from a +different user. + +From additional feedback, this CL also addresses potential +vulnerabilities in an app being able to directly invoke the binder for a +means to manipulate the contents of the bundle that are passed with it. +The targeted points of entry are in ConnectionServiceWrapper for the +following APIs: handleCreateConnectionComplete, setStatusHints, +addConferenceCall, and addExistingConnection. + +Fixes: 280797684 +Test: Manual (verified that original exploit is no longer an issue). +Test: Unit test for validating image in StatusHints constructor. +Test: Unit tests to address vulnerabilities via the binder. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48223d6034907349c6a3fab3018c1b37d86367af) +Merged-In: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2 +Change-Id: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2 +--- + .../android/telecom/ParcelableConference.java | 8 +++ + .../java/android/telecom/StatusHints.java | 53 ++++++++++++++++++- + 2 files changed, 59 insertions(+), 2 deletions(-) + +diff --git a/telecomm/java/android/telecom/ParcelableConference.java b/telecomm/java/android/telecom/ParcelableConference.java +index ede05943772e..b2f8ac8cb0ec 100644 +--- a/telecomm/java/android/telecom/ParcelableConference.java ++++ b/telecomm/java/android/telecom/ParcelableConference.java +@@ -155,6 +155,14 @@ public final class ParcelableConference implements Parcelable { + return mAddressPresentation; + } + ++ public String getCallerDisplayName() { ++ return mCallerDisplayName; ++ } ++ ++ public int getCallerDisplayNamePresentation() { ++ return mCallerDisplayNamePresentation; ++ } ++ + public static final @android.annotation.NonNull Parcelable.Creator CREATOR = + new Parcelable.Creator () { + @Override +diff --git a/telecomm/java/android/telecom/StatusHints.java b/telecomm/java/android/telecom/StatusHints.java +index 762c93a49022..b7346331dc60 100644 +--- a/telecomm/java/android/telecom/StatusHints.java ++++ b/telecomm/java/android/telecom/StatusHints.java +@@ -16,14 +16,19 @@ + + package android.telecom; + ++import android.annotation.Nullable; + import android.annotation.SystemApi; + import android.content.ComponentName; + import android.content.Context; + import android.graphics.drawable.Drawable; + import android.graphics.drawable.Icon; ++import android.os.Binder; + import android.os.Bundle; + import android.os.Parcel; + import android.os.Parcelable; ++import android.os.UserHandle; ++ ++import com.android.internal.annotations.VisibleForTesting; + + import java.util.Objects; + +@@ -33,7 +38,7 @@ import java.util.Objects; + public final class StatusHints implements Parcelable { + + private final CharSequence mLabel; +- private final Icon mIcon; ++ private Icon mIcon; + private final Bundle mExtras; + + /** +@@ -48,10 +53,30 @@ public final class StatusHints implements Parcelable { + + public StatusHints(CharSequence label, Icon icon, Bundle extras) { + mLabel = label; +- mIcon = icon; ++ mIcon = validateAccountIconUserBoundary(icon, Binder.getCallingUserHandle()); + mExtras = extras; + } + ++ /** ++ * @param icon ++ * @hide ++ */ ++ @VisibleForTesting ++ public StatusHints(@Nullable Icon icon) { ++ mLabel = null; ++ mExtras = null; ++ mIcon = icon; ++ } ++ ++ /** ++ * ++ * @param icon ++ * @hide ++ */ ++ public void setIcon(@Nullable Icon icon) { ++ mIcon = icon; ++ } ++ + /** + * @return A package used to load the icon. + * +@@ -112,6 +137,30 @@ public final class StatusHints implements Parcelable { + return 0; + } + ++ /** ++ * Validates the StatusHints image icon to see if it's not in the calling user space. ++ * Invalidates the icon if so, otherwise returns back the original icon. ++ * ++ * @param icon ++ * @return icon (validated) ++ * @hide ++ */ ++ public static Icon validateAccountIconUserBoundary(Icon icon, UserHandle callingUserHandle) { ++ // Refer to Icon#getUriString for context. The URI string is invalid for icons of ++ // incompatible types. ++ if (icon != null && (icon.getType() == Icon.TYPE_URI ++ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) { ++ String encodedUser = icon.getUri().getEncodedUserInfo(); ++ // If there is no encoded user, the URI is calling into the calling user space ++ if (encodedUser != null) { ++ int userId = Integer.parseInt(encodedUser); ++ // Do not try to save the icon if the user id isn't in the calling user space. ++ if (userId != callingUserHandle.getIdentifier()) return null; ++ } ++ } ++ return icon; ++ } ++ + @Override + public void writeToParcel(Parcel out, int flags) { + out.writeCharSequence(mLabel); diff --git a/Patches/LineageOS-17.1/android_packages_providers_TelephonyProvider/364040-backport.patch b/Patches/LineageOS-17.1/android_packages_providers_TelephonyProvider/364040-backport.patch new file mode 100644 index 00000000..e68278ce --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_providers_TelephonyProvider/364040-backport.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aishwarya Mallampati +Date: Wed, 10 May 2023 21:54:43 +0000 +Subject: [PATCH] Update file permissions using canonical path + +Bug: 264880895 +Bug: 264880689 +Test: atest android.telephonyprovider.cts.MmsPartTest + atest CtsTelephonyTestCases + Sanity check - sending and receiving sms and mms manually +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6743638a096c32627f398efd2ea78f08b8a2db8c) +Merged-In: I8dd888ea31ec07c9f0de38eb8e8170d3ed255686 +Change-Id: I8dd888ea31ec07c9f0de38eb8e8170d3ed255686 +--- + src/com/android/providers/telephony/MmsProvider.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java +index 6ba775ba..7546c246 100644 +--- a/src/com/android/providers/telephony/MmsProvider.java ++++ b/src/com/android/providers/telephony/MmsProvider.java +@@ -819,15 +819,16 @@ public class MmsProvider extends ContentProvider { + String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' + + uri.getPathSegments().get(1); + try { ++ File canonicalFile = new File(path).getCanonicalFile(); + String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath(); +- if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) { ++ if (!canonicalFile.getPath().startsWith(partsDirPath + '/')) { + EventLog.writeEvent(0x534e4554, "240685104", + Binder.getCallingUid(), (TAG + " update: path " + path + + " does not start with " + partsDirPath)); + return 0; + } + // Reset the file permission back to read for everyone but me. +- Os.chmod(path, 0644); ++ Os.chmod(canonicalFile.getPath(), 0644); + if (LOCAL_LOGV) { + Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path); + } diff --git a/Patches/LineageOS-17.1/android_packages_services_Telecomm/364041-backport.patch b/Patches/LineageOS-17.1/android_packages_services_Telecomm/364041-backport.patch new file mode 100644 index 00000000..7506ee37 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_services_Telecomm/364041-backport.patch @@ -0,0 +1,714 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pranav Madapurmath +Date: Thu, 25 May 2023 20:49:21 +0000 +Subject: [PATCH] Resolve StatusHints image exploit across user. + +Because of the INTERACT_ACROSS_USERS permission, an app that implements +a ConnectionService can upload an image icon belonging to another user +by setting it in the StatusHints. Validating the construction of the +StatusHints on the calling user would prevent a malicious app from +registering a connection service with the embedded image icon from a +different user. + +From additional feedback, this CL also addresses potential +vulnerabilities in an app being able to directly invoke the binder for a +means to manipulate the contents of the bundle that are passed with it. +The targeted points of entry are in ConnectionServiceWrapper for the +following APIs: handleCreateConnectionComplete, setStatusHints, +addConferenceCall, and addExistingConnection. + +Fixes: 280797684 +Test: Manual (verified that original exploit is no longer an issue). +Test: Unit test for validating image in StatusHints constructor. +Test: Unit tests to address vulnerabilities via the binder. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49d19dd265bee669b230efa29bf98c83650efea6) +Merged-In: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c +Change-Id: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c +--- + .../telecom/ConnectionServiceWrapper.java | 32 ++++ + .../server/telecom/tests/BasicCallTests.java | 164 +++++++++++++++++- + .../server/telecom/tests/CallExtrasTest.java | 6 +- + .../tests/ConnectionServiceFixture.java | 21 ++- + .../telecom/tests/TelecomSystemTest.java | 66 ++++--- + .../server/telecom/tests/VideoCallTests.java | 16 +- + 6 files changed, 265 insertions(+), 40 deletions(-) + +diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java +index 4621558d1..d06460784 100644 +--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java ++++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java +@@ -19,6 +19,7 @@ package com.android.server.telecom; + import android.app.AppOpsManager; + import android.content.ComponentName; + import android.content.Context; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -73,10 +74,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + public void handleCreateConnectionComplete(String callId, ConnectionRequest request, + ParcelableConnection connection, Session.Info sessionInfo) { + Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE); ++ UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { + synchronized (mLock) { + logIncoming("handleCreateConnectionComplete %s", callId); ++ // Check status hints image for cross user access ++ if (connection.getStatusHints() != null) { ++ Icon icon = connection.getStatusHints().getIcon(); ++ connection.getStatusHints().setIcon(StatusHints. ++ validateAccountIconUserBoundary(icon, callingUserHandle)); ++ } + ConnectionServiceWrapper.this + .handleCreateConnectionComplete(callId, request, connection); + +@@ -435,6 +443,15 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + public void addConferenceCall(String callId, ParcelableConference parcelableConference, + Session.Info sessionInfo) { + Log.startSession(sessionInfo, LogUtils.Sessions.CSW_ADD_CONFERENCE_CALL); ++ ++ UserHandle callingUserHandle = Binder.getCallingUserHandle(); ++ // Check status hints image for cross user access ++ if (parcelableConference.getStatusHints() != null) { ++ Icon icon = parcelableConference.getStatusHints().getIcon(); ++ parcelableConference.getStatusHints().setIcon(StatusHints. ++ validateAccountIconUserBoundary(icon, callingUserHandle)); ++ } ++ + long token = Binder.clearCallingIdentity(); + try { + synchronized (mLock) { +@@ -658,10 +675,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + public void setStatusHints(String callId, StatusHints statusHints, + Session.Info sessionInfo) { + Log.startSession(sessionInfo, "CSW.sSH"); ++ UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { + synchronized (mLock) { + logIncoming("setStatusHints %s %s", callId, statusHints); ++ // Check status hints image for cross user access ++ if (statusHints != null) { ++ Icon icon = statusHints.getIcon(); ++ statusHints.setIcon(StatusHints.validateAccountIconUserBoundary( ++ icon, callingUserHandle)); ++ } + Call call = mCallIdMapper.getCall(callId); + if (call != null) { + call.setStatusHints(statusHints); +@@ -849,6 +873,14 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + } else { + connectIdToCheck = callId; + } ++ ++ // Check status hints image for cross user access ++ if (connection.getStatusHints() != null) { ++ Icon icon = connection.getStatusHints().getIcon(); ++ connection.getStatusHints().setIcon(StatusHints. ++ validateAccountIconUserBoundary(icon, userHandle)); ++ } ++ + // Check to see if this Connection has already been added. + Call alreadyAddedConnection = mCallsManager + .getAlreadyAddedConnection(connectIdToCheck); +diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +index 95ca3f3be..7889d0487 100644 +--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java ++++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +@@ -16,8 +16,11 @@ + + package com.android.server.telecom.tests; + ++import static com.android.server.telecom.tests.ConnectionServiceFixture.STATUS_HINTS_EXTRA; ++ + import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertFalse; ++import static org.junit.Assert.assertNotNull; + import static org.junit.Assert.assertNull; + import static org.junit.Assert.assertTrue; + import static org.mockito.ArgumentMatchers.nullable; +@@ -35,6 +38,8 @@ import static org.mockito.Mockito.when; + + import android.content.Context; + import android.content.IContentProvider; ++import android.content.Intent; ++import android.graphics.drawable.Icon; + import android.media.AudioManager; + import android.net.Uri; + import android.os.Bundle; +@@ -51,12 +56,14 @@ import android.telecom.Log; + import android.telecom.ParcelableCall; + import android.telecom.PhoneAccount; + import android.telecom.PhoneAccountHandle; ++import android.telecom.StatusHints; + import android.telecom.TelecomManager; + import android.telecom.VideoProfile; + import android.test.suitebuilder.annotation.LargeTest; + import android.test.suitebuilder.annotation.MediumTest; + + import androidx.test.filters.FlakyTest; ++import androidx.test.filters.SmallTest; + + import com.android.internal.telecom.IInCallAdapter; + import com.android.internal.telephony.CallerInfo; +@@ -180,7 +187,7 @@ public class BasicCallTests extends TelecomSystemTest { + @Test + public void testTelecomManagerAcceptRingingVideoCall() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState()); + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState()); +@@ -209,7 +216,7 @@ public class BasicCallTests extends TelecomSystemTest { + @Test + public void testTelecomManagerAcceptRingingVideoCallAsAudio() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState()); + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState()); +@@ -237,7 +244,7 @@ public class BasicCallTests extends TelecomSystemTest { + @Test + public void testTelecomManagerAcceptRingingInvalidVideoState() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState()); + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState()); +@@ -642,13 +649,13 @@ public class BasicCallTests extends TelecomSystemTest { + @MediumTest + @Test + public void testBasicConferenceCall() throws Exception { +- makeConferenceCall(); ++ makeConferenceCall(null, null); + } + + @MediumTest + @Test + public void testAddCallToConference1() throws Exception { +- ParcelableCall conferenceCall = makeConferenceCall(); ++ ParcelableCall conferenceCall = makeConferenceCall(null, null); + IdPair callId3 = startAndMakeActiveOutgoingCall("650-555-1214", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); + // testAddCallToConference{1,2} differ in the order of arguments to InCallAdapter#conference +@@ -666,7 +673,7 @@ public class BasicCallTests extends TelecomSystemTest { + @MediumTest + @Test + public void testAddCallToConference2() throws Exception { +- ParcelableCall conferenceCall = makeConferenceCall(); ++ ParcelableCall conferenceCall = makeConferenceCall(null, null); + IdPair callId3 = startAndMakeActiveOutgoingCall("650-555-1214", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); + mInCallServiceFixtureX.getInCallAdapter() +@@ -922,7 +929,7 @@ public class BasicCallTests extends TelecomSystemTest { + public void testOutgoingCallSelectPhoneAccountVideo() throws Exception { + startOutgoingPhoneCallPendingCreateConnection("650-555-1212", + null, mConnectionServiceFixtureA, +- Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL); ++ Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + assert(call.isVideoCallingSupportedByPhoneAccount()); +@@ -945,7 +952,7 @@ public class BasicCallTests extends TelecomSystemTest { + public void testOutgoingCallSelectPhoneAccountNoVideo() throws Exception { + startOutgoingPhoneCallPendingCreateConnection("650-555-1212", + null, mConnectionServiceFixtureA, +- Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL); ++ Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + assert(call.isVideoCallingSupportedByPhoneAccount()); +@@ -1153,4 +1160,145 @@ public class BasicCallTests extends TelecomSystemTest { + assertTrue(muteValues.get(0)); + assertFalse(muteValues.get(1)); + } ++ ++ /** ++ * Verifies that StatusHints image is validated in ConnectionServiceWrapper#addConferenceCall ++ * when the image doesn't belong to the calling user. Simulates a scenario where an app ++ * could manipulate the contents of the bundle and send it via the binder to upload an image ++ * from another user. ++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_addConferenceCall() throws Exception { ++ Intent callIntent1 = new Intent(); ++ // Stub intent for call2 ++ Intent callIntent2 = new Intent(); ++ Bundle callExtras1 = new Bundle(); ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ // Load StatusHints extra into TelecomManager.EXTRA_OUTGOING_CALL_EXTRAS to be processed ++ // as the call extras. This will be leveraged in ConnectionServiceFixture to set the ++ // StatusHints for the given connection. ++ StatusHints statusHints = new StatusHints(icon); ++ assertNotNull(statusHints.getIcon()); ++ callExtras1.putParcelable(STATUS_HINTS_EXTRA, statusHints); ++ callIntent1.putExtra(TelecomManager.EXTRA_OUTGOING_CALL_EXTRAS, callExtras1); ++ ++ // Start conference call to invoke ConnectionServiceWrapper#addConferenceCall. ++ // Note that the calling user would be User 0. ++ ParcelableCall conferenceCall = makeConferenceCall(callIntent1, callIntent2); ++ ++ // Ensure that StatusHints was set. ++ assertNotNull(mInCallServiceFixtureX.getCall(mInCallServiceFixtureX.mLatestCallId) ++ .getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mInCallServiceFixtureX.getCall(mInCallServiceFixtureX.mLatestCallId) ++ .getStatusHints().getIcon()); ++ } ++ ++ /** ++ * Verifies that StatusHints image is validated in ++ * ConnectionServiceWrapper#handleCreateConnectionComplete when the image doesn't belong to the ++ * calling user. Simulates a scenario where an app could manipulate the contents of the ++ * bundle and send it via the binder to upload an image from another user. ++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_handleCreateConnectionComplete() throws Exception { ++ Bundle extras = new Bundle(); ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ // Load the bundle with the test extra in order to simulate an app directly invoking the ++ // binder on ConnectionServiceWrapper#handleCreateConnectionComplete. ++ StatusHints statusHints = new StatusHints(icon); ++ assertNotNull(statusHints.getIcon()); ++ extras.putParcelable(STATUS_HINTS_EXTRA, statusHints); ++ ++ // Start incoming call with StatusHints extras ++ // Note that the calling user in ConnectionServiceWrapper#handleCreateConnectionComplete ++ // would be User 0. ++ IdPair ids = startIncomingPhoneCallWithExtras("650-555-1212", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, extras); ++ ++ // Ensure that StatusHints was set. ++ assertNotNull(mInCallServiceFixtureX.getCall(ids.mCallId).getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mInCallServiceFixtureX.getCall(ids.mCallId).getStatusHints().getIcon()); ++ } ++ ++ /** ++ * Verifies that StatusHints image is validated in ConnectionServiceWrapper#setStatusHints ++ * when the image doesn't belong to the calling user. Simulates a scenario where an app ++ * could manipulate the contents of the bundle and send it via the binder to upload an image ++ * from another user. ++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_setStatusHints() throws Exception { ++ IdPair outgoing = startAndMakeActiveOutgoingCall("650-555-1214", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ ++ // Modify existing connection with StatusHints image exploit ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ StatusHints statusHints = new StatusHints(icon); ++ assertNotNull(statusHints.getIcon()); ++ ConnectionServiceFixture.ConnectionInfo connectionInfo = mConnectionServiceFixtureA ++ .mConnectionById.get(outgoing.mConnectionId); ++ connectionInfo.statusHints = statusHints; ++ ++ // Invoke ConnectionServiceWrapper#setStatusHints. ++ // Note that the calling user would be User 0. ++ mConnectionServiceFixtureA.sendSetStatusHints(outgoing.mConnectionId); ++ waitForHandlerAction(mConnectionServiceFixtureA.mConnectionServiceDelegate.getHandler(), ++ TEST_TIMEOUT); ++ ++ // Ensure that StatusHints was set. ++ assertNotNull(mInCallServiceFixtureX.getCall(outgoing.mCallId).getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mInCallServiceFixtureX.getCall(outgoing.mCallId) ++ .getStatusHints().getIcon()); ++ } ++ ++ /** ++ * Verifies that StatusHints image is validated in ++ * ConnectionServiceWrapper#addExistingConnection when the image doesn't belong to the calling ++ * user. Simulates a scenario where an app could manipulate the contents of the bundle and ++ * send it via the binder to upload an image from another user. ++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_addExistingConnection() throws Exception { ++ IdPair outgoing = startAndMakeActiveOutgoingCall("650-555-1214", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ Connection existingConnection = mConnectionServiceFixtureA.mLatestConnection; ++ ++ // Modify existing connection with StatusHints image exploit ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ StatusHints modifiedStatusHints = new StatusHints(icon); ++ assertNotNull(modifiedStatusHints.getIcon()); ++ ConnectionServiceFixture.ConnectionInfo connectionInfo = mConnectionServiceFixtureA ++ .mConnectionById.get(outgoing.mConnectionId); ++ connectionInfo.statusHints = modifiedStatusHints; ++ ++ // Invoke ConnectionServiceWrapper#addExistingConnection. ++ // Note that the calling user would be User 0. ++ mConnectionServiceFixtureA.sendAddExistingConnection(outgoing.mConnectionId); ++ waitForHandlerAction(mConnectionServiceFixtureA.mConnectionServiceDelegate.getHandler(), ++ TEST_TIMEOUT); ++ ++ // Ensure that StatusHints was set. Due to test setup, the ParcelableConnection object that ++ // is passed into sendAddExistingConnection is instantiated on invocation. The call's ++ // StatusHints are not updated at the time of completion, so instead, we can verify that ++ // the ParcelableConnection object was modified. ++ assertNotNull(mConnectionServiceFixtureA.mLatestParcelableConnection.getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mConnectionServiceFixtureA.mLatestParcelableConnection ++ .getStatusHints().getIcon()); ++ } + } +diff --git a/tests/src/com/android/server/telecom/tests/CallExtrasTest.java b/tests/src/com/android/server/telecom/tests/CallExtrasTest.java +index b97f819e1..28986c374 100644 +--- a/tests/src/com/android/server/telecom/tests/CallExtrasTest.java ++++ b/tests/src/com/android/server/telecom/tests/CallExtrasTest.java +@@ -359,7 +359,7 @@ public class CallExtrasTest extends TelecomSystemTest { + @LargeTest + @Test + public void testConferenceSetExtras() throws Exception { +- ParcelableCall call = makeConferenceCall(); ++ ParcelableCall call = makeConferenceCall(null, null); + String conferenceId = call.getId(); + + Conference conference = mConnectionServiceFixtureA.mLatestConference; +@@ -403,7 +403,7 @@ public class CallExtrasTest extends TelecomSystemTest { + @FlakyTest(bugId = 117751305) + @Test + public void testConferenceExtraOperations() throws Exception { +- ParcelableCall call = makeConferenceCall(); ++ ParcelableCall call = makeConferenceCall(null, null); + String conferenceId = call.getId(); + Conference conference = mConnectionServiceFixtureA.mLatestConference; + assertNotNull(conference); +@@ -439,7 +439,7 @@ public class CallExtrasTest extends TelecomSystemTest { + @LargeTest + @Test + public void testConferenceICS() throws Exception { +- ParcelableCall call = makeConferenceCall(); ++ ParcelableCall call = makeConferenceCall(null, null); + String conferenceId = call.getId(); + Conference conference = mConnectionServiceFixtureA.mLatestConference; + +diff --git a/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java b/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java +index 9655476b4..c3561b64e 100644 +--- a/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java ++++ b/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java +@@ -67,6 +67,7 @@ public class ConnectionServiceFixture implements TestFixture + static int INVALID_VIDEO_STATE = -1; + public CountDownLatch mExtrasLock = new CountDownLatch(1); + static int NOT_SPECIFIED = 0; ++ public static final String STATUS_HINTS_EXTRA = "updateStatusHints"; + + /** + * Implementation of ConnectionService that performs no-ops for tasks normally meant for +@@ -101,6 +102,11 @@ public class ConnectionServiceFixture implements TestFixture + if (mProperties != NOT_SPECIFIED) { + fakeConnection.setConnectionProperties(mProperties); + } ++ // Testing for StatusHints image icon cross user access ++ if (request.getExtras() != null) { ++ fakeConnection.setStatusHints( ++ request.getExtras().getParcelable(STATUS_HINTS_EXTRA)); ++ } + + return fakeConnection; + } +@@ -117,6 +123,11 @@ public class ConnectionServiceFixture implements TestFixture + if (mProperties != NOT_SPECIFIED) { + fakeConnection.setConnectionProperties(mProperties); + } ++ // Testing for StatusHints image icon cross user access ++ if (request.getExtras() != null) { ++ fakeConnection.setStatusHints( ++ request.getExtras().getParcelable(STATUS_HINTS_EXTRA)); ++ } + return fakeConnection; + } + +@@ -133,6 +144,12 @@ public class ConnectionServiceFixture implements TestFixture + Conference fakeConference = new FakeConference(); + fakeConference.addConnection(cxn1); + fakeConference.addConnection(cxn2); ++ if (cxn1.getStatusHints() != null || cxn2.getStatusHints() != null) { ++ // For testing purposes, pick one of the status hints that isn't null. ++ StatusHints statusHints = cxn1.getStatusHints() != null ++ ? cxn1.getStatusHints() : cxn2.getStatusHints(); ++ fakeConference.setStatusHints(statusHints); ++ } + mLatestConference = fakeConference; + addConference(fakeConference); + } else { +@@ -440,6 +457,7 @@ public class ConnectionServiceFixture implements TestFixture + + public String mLatestConnectionId; + public Connection mLatestConnection; ++ public ParcelableConnection mLatestParcelableConnection; + public Conference mLatestConference; + public final Set mConnectionServiceAdapters = new HashSet<>(); + public final Map mConnectionById = new HashMap<>(); +@@ -678,7 +696,7 @@ public class ConnectionServiceFixture implements TestFixture + } + + private ParcelableConnection parcelable(ConnectionInfo c) { +- return new ParcelableConnection( ++ mLatestParcelableConnection = new ParcelableConnection( + c.request.getAccountHandle(), + c.state, + c.capabilities, +@@ -698,5 +716,6 @@ public class ConnectionServiceFixture implements TestFixture + c.disconnectCause, + c.conferenceableConnectionIds, + c.extras); ++ return mLatestParcelableConnection; + } + } +diff --git a/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java b/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java +index 82b17be42..717579046 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java +@@ -382,12 +382,13 @@ public class TelecomSystemTest extends TelecomTestCase { + super.tearDown(); + } + +- protected ParcelableCall makeConferenceCall() throws Exception { +- IdPair callId1 = startAndMakeActiveOutgoingCall("650-555-1212", +- mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ protected ParcelableCall makeConferenceCall( ++ Intent callIntentExtras1, Intent callIntentExtras2) throws Exception { ++ IdPair callId1 = startAndMakeActiveOutgoingCallWithExtras("650-555-1212", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, callIntentExtras1); + +- IdPair callId2 = startAndMakeActiveOutgoingCall("650-555-1213", +- mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ IdPair callId2 = startAndMakeActiveOutgoingCallWithExtras("650-555-1213", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, callIntentExtras2); + + IInCallAdapter inCallAdapter = mInCallServiceFixtureX.getInCallAdapter(); + inCallAdapter.conference(callId1.mCallId, callId2.mCallId); +@@ -570,7 +571,7 @@ public class TelecomSystemTest extends TelecomTestCase { + + startOutgoingPhoneCallWaitForBroadcaster(number, null, + connectionServiceFixture, Process.myUserHandle(), VideoProfile.STATE_AUDIO_ONLY, +- false /*isEmergency*/); ++ false /*isEmergency*/, null); + + return mInCallServiceFixtureX.mLatestCallId; + } +@@ -600,17 +601,17 @@ public class TelecomSystemTest extends TelecomTestCase { + throws Exception { + + return startOutgoingPhoneCall(number, phoneAccountHandle, connectionServiceFixture, +- initiatingUser, VideoProfile.STATE_AUDIO_ONLY); ++ initiatingUser, VideoProfile.STATE_AUDIO_ONLY, null); + } + + protected IdPair startOutgoingPhoneCall(String number, PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser, +- int videoState) throws Exception { ++ int videoState, Intent callIntentExtras) throws Exception { + int startingNumConnections = connectionServiceFixture.mConnectionById.size(); + int startingNumCalls = mInCallServiceFixtureX.mCallById.size(); + + startOutgoingPhoneCallPendingCreateConnection(number, phoneAccountHandle, +- connectionServiceFixture, initiatingUser, videoState); ++ connectionServiceFixture, initiatingUser, videoState, callIntentExtras); + + verify(connectionServiceFixture.getTestDouble(), timeout(TEST_TIMEOUT)) + .createConnectionComplete(anyString(), any()); +@@ -649,7 +650,7 @@ public class TelecomSystemTest extends TelecomTestCase { + mIsEmergencyCall = true; + // Call will not use the ordered broadcaster, since it is an Emergency Call + startOutgoingPhoneCallWaitForBroadcaster(number, phoneAccountHandle, +- connectionServiceFixture, initiatingUser, videoState, true /*isEmergency*/); ++ connectionServiceFixture, initiatingUser, videoState, true /*isEmergency*/, null); + + return outgoingCallCreateConnectionComplete(startingNumConnections, startingNumCalls, + phoneAccountHandle, connectionServiceFixture); +@@ -658,7 +659,7 @@ public class TelecomSystemTest extends TelecomTestCase { + protected void startOutgoingPhoneCallWaitForBroadcaster(String number, + PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser, +- int videoState, boolean isEmergency) throws Exception { ++ int videoState, boolean isEmergency, Intent actionCallIntent) throws Exception { + reset(connectionServiceFixture.getTestDouble(), mInCallServiceFixtureX.getTestDouble(), + mInCallServiceFixtureY.getTestDouble()); + +@@ -671,7 +672,9 @@ public class TelecomSystemTest extends TelecomTestCase { + + boolean hasInCallAdapter = mInCallServiceFixtureX.mInCallAdapter != null; + +- Intent actionCallIntent = new Intent(); ++ if (actionCallIntent == null) { ++ actionCallIntent = new Intent(); ++ } + actionCallIntent.setData(Uri.parse("tel:" + number)); + actionCallIntent.putExtra(Intent.EXTRA_PHONE_NUMBER, number); + if(isEmergency) { +@@ -716,9 +719,10 @@ public class TelecomSystemTest extends TelecomTestCase { + protected String startOutgoingPhoneCallPendingCreateConnection(String number, + PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser, +- int videoState) throws Exception { ++ int videoState, Intent callIntentExtras) throws Exception { + startOutgoingPhoneCallWaitForBroadcaster(number,phoneAccountHandle, +- connectionServiceFixture, initiatingUser, videoState, false /*isEmergency*/); ++ connectionServiceFixture, initiatingUser, ++ videoState, false /*isEmergency*/, callIntentExtras); + waitForHandlerAction(new Handler(Looper.getMainLooper()), TEST_TIMEOUT); + + verifyAndProcessOutgoingCallBroadcast(phoneAccountHandle); +@@ -823,14 +827,24 @@ public class TelecomSystemTest extends TelecomTestCase { + PhoneAccountHandle phoneAccountHandle, + final ConnectionServiceFixture connectionServiceFixture) throws Exception { + return startIncomingPhoneCall(number, phoneAccountHandle, VideoProfile.STATE_AUDIO_ONLY, +- connectionServiceFixture); ++ connectionServiceFixture, null); ++ } ++ ++ protected IdPair startIncomingPhoneCallWithExtras( ++ String number, ++ PhoneAccountHandle phoneAccountHandle, ++ final ConnectionServiceFixture connectionServiceFixture, ++ Bundle extras) throws Exception { ++ return startIncomingPhoneCall(number, phoneAccountHandle, VideoProfile.STATE_AUDIO_ONLY, ++ connectionServiceFixture, extras); + } + + protected IdPair startIncomingPhoneCall( + String number, + PhoneAccountHandle phoneAccountHandle, + int videoState, +- final ConnectionServiceFixture connectionServiceFixture) throws Exception { ++ final ConnectionServiceFixture connectionServiceFixture, ++ Bundle extras) throws Exception { + reset(connectionServiceFixture.getTestDouble(), mInCallServiceFixtureX.getTestDouble(), + mInCallServiceFixtureY.getTestDouble()); + +@@ -847,7 +861,9 @@ public class TelecomSystemTest extends TelecomTestCase { + new IncomingCallAddedListener(incomingCallAddedLatch); + mTelecomSystem.getCallsManager().addListener(callAddedListener); + +- Bundle extras = new Bundle(); ++ if (extras == null) { ++ extras = new Bundle(); ++ } + extras.putParcelable( + TelecomManager.EXTRA_INCOMING_CALL_ADDRESS, + Uri.fromParts(PhoneAccount.SCHEME_TEL, number, null)); +@@ -933,7 +949,16 @@ public class TelecomSystemTest extends TelecomTestCase { + PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture) throws Exception { + return startAndMakeActiveOutgoingCall(number, phoneAccountHandle, connectionServiceFixture, +- VideoProfile.STATE_AUDIO_ONLY); ++ VideoProfile.STATE_AUDIO_ONLY, null); ++ } ++ ++ protected IdPair startAndMakeActiveOutgoingCallWithExtras( ++ String number, ++ PhoneAccountHandle phoneAccountHandle, ++ ConnectionServiceFixture connectionServiceFixture, ++ Intent callIntentExtras) throws Exception { ++ return startAndMakeActiveOutgoingCall(number, phoneAccountHandle, connectionServiceFixture, ++ VideoProfile.STATE_AUDIO_ONLY, callIntentExtras); + } + + // A simple outgoing call, verifying that the appropriate connection service is contacted, +@@ -941,9 +966,10 @@ public class TelecomSystemTest extends TelecomTestCase { + protected IdPair startAndMakeActiveOutgoingCall( + String number, + PhoneAccountHandle phoneAccountHandle, +- ConnectionServiceFixture connectionServiceFixture, int videoState) throws Exception { ++ ConnectionServiceFixture connectionServiceFixture, int videoState, ++ Intent callIntentExtras) throws Exception { + IdPair ids = startOutgoingPhoneCall(number, phoneAccountHandle, connectionServiceFixture, +- Process.myUserHandle(), videoState); ++ Process.myUserHandle(), videoState, callIntentExtras); + + connectionServiceFixture.sendSetDialing(ids.mConnectionId); + if (phoneAccountHandle != mPhoneAccountSelfManaged.getAccountHandle()) { +diff --git a/tests/src/com/android/server/telecom/tests/VideoCallTests.java b/tests/src/com/android/server/telecom/tests/VideoCallTests.java +index 97e71d18b..84beedc0f 100644 +--- a/tests/src/com/android/server/telecom/tests/VideoCallTests.java ++++ b/tests/src/com/android/server/telecom/tests/VideoCallTests.java +@@ -105,7 +105,7 @@ public class VideoCallTests extends TelecomSystemTest { + // Start an incoming video call. + IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + + verifyAudioRoute(CallAudioState.ROUTE_SPEAKER); + } +@@ -121,7 +121,7 @@ public class VideoCallTests extends TelecomSystemTest { + // Start an incoming video call. + IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, +- VideoProfile.STATE_TX_ENABLED); ++ VideoProfile.STATE_TX_ENABLED, null); + + verifyAudioRoute(CallAudioState.ROUTE_SPEAKER); + } +@@ -137,7 +137,7 @@ public class VideoCallTests extends TelecomSystemTest { + // Start an incoming video call. + IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, +- VideoProfile.STATE_AUDIO_ONLY); ++ VideoProfile.STATE_AUDIO_ONLY, null); + + verifyAudioRoute(CallAudioState.ROUTE_EARPIECE); + } +@@ -165,7 +165,7 @@ public class VideoCallTests extends TelecomSystemTest { + @Test + public void testIncomingVideoCallMissedCheckVideoHistory() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -182,7 +182,7 @@ public class VideoCallTests extends TelecomSystemTest { + @Test + public void testIncomingVideoCallRejectedCheckVideoHistory() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -201,7 +201,7 @@ public class VideoCallTests extends TelecomSystemTest { + public void testOutgoingVideoCallCanceledCheckVideoHistory() throws Exception { + IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), + mConnectionServiceFixtureA, Process.myUserHandle(), +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -219,7 +219,7 @@ public class VideoCallTests extends TelecomSystemTest { + public void testOutgoingVideoCallRejectedCheckVideoHistory() throws Exception { + IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), + mConnectionServiceFixtureA, Process.myUserHandle(), +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -237,7 +237,7 @@ public class VideoCallTests extends TelecomSystemTest { + public void testOutgoingVideoCallAnsweredAsAudio() throws Exception { + IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), + mConnectionServiceFixtureA, Process.myUserHandle(), +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 779cf532..8f45f3b4 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh @@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig -sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-07 #XXX +sed -i 's/2023-06-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-08 #XXX fi; if enterAndClear "build/soong"; then @@ -110,6 +110,10 @@ applyPatch "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.pat echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #Ignore neverallow violations XXX: necessary for -user builds of legacy devices fi; +if enterAndClear "external/aac"; then +applyPatch "$DOS_PATCHES/android_external_aac/364027.patch"; #R_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer(). +fi; + if enterAndClear "external/chromium-webview"; then if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPICK; fi; #Update the WebView to latest if available if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available @@ -121,6 +125,7 @@ fi; if enterAndClear "external/freetype"; then applyPatch "$DOS_PATCHES/android_external_freetype/360951.patch"; #R_asb_2023-07 Cherry-pick two upstream changes +applyPatch "$DOS_PATCHES/android_external_freetype/364028-backport.patch"; #R_asb_2023-08 Cherrypick following three changes fi; if [ "$DOS_GRAPHENE_MALLOC" = true ]; then @@ -152,6 +157,16 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/360959.patch"; #R_asb_2023-07 D applyPatch "$DOS_PATCHES/android_frameworks_base/360960.patch"; #R_asb_2023-07 Increase notification channel limit. applyPatch "$DOS_PATCHES/android_frameworks_base/360962-backport.patch"; #R_asb_2023-07 Truncate ShortcutInfo Id applyPatch "$DOS_PATCHES/android_frameworks_base/360963.patch"; #R_asb_2023-07 Visit URIs in landscape/portrait custom remote views. +applyPatch "$DOS_PATCHES/android_frameworks_base/364029.patch"; #R_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only +#applyPatch "$DOS_PATCHES/android_frameworks_base/364030-backport.patch"; #R_asb_2023-08 ActivityManagerService: Allow openContentUri from vendor/system/product. #TODO: needs backport of ca1ea17a +applyPatch "$DOS_PATCHES/android_frameworks_base/364031-backport.patch"; #R_asb_2023-08 Verify URI permissions for notification shortcutIcon. +applyPatch "$DOS_PATCHES/android_frameworks_base/364032.patch"; #R_asb_2023-08 On device lockdown, always show the keyguard +applyPatch "$DOS_PATCHES/android_frameworks_base/364033-backport.patch"; #R_asb_2023-08 Ensure policy has no absurdly long strings +applyPatch "$DOS_PATCHES/android_frameworks_base/364034.patch"; #R_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd. +applyPatch "$DOS_PATCHES/android_frameworks_base/364035-backport.patch"; #R_asb_2023-08 Check URIs in notification public version. +applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata +applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used +applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user. #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) @@ -373,9 +388,14 @@ if enterAndClear "packages/providers/DownloadProvider"; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; -#if enterAndClear "packages/providers/TelephonyProvider"; then +if enterAndClear "packages/providers/TelephonyProvider"; then +applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/364040-backport.patch"; #R_asb_2023-08 Update file permissions using canonical path #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/; -#fi; +fi; + +if enterAndClear "packages/services/Telecomm"; then +applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user. +fi; if enterAndClear "prebuilts/abi-dumps/vndk"; then applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patch"; #Work around ABI changes from compiler hardening (GrapheneOS)