frameworks-base

Fork

Merge remote-tracking branch 'lineage/cm-14.1' into cm-14.1-x86

Fix potential double destroy of AssetManager

Assume there is a XmlBlock [X] created by a AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.

By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.

Bug: 144028297
Test: atest android.security.cts.AssetManagerTest

Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit 93320661ca9a23c7b38b3f166d0facf048f2a8a3)

Revoke 'always' web handler status when not autoverifying

If an app has previously used autoVerify to make claims about its status
re handling web navigation intents, but is updated such that it no
longer makes those claims, step down its "official handler" status as
though it had never invoked autoVerify in the first place.

Bug: 146204120
Test: manual: as described in bug; observe policy before/after via
'adb shell dumpsys package d'
Test: atest CtsOsHostTestCases
Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
(cherry picked from commit 6cf5f92825df545bd011b7163418f2ea0b337af3)

Fixes NPE when preparing app data during init

When deleting an unused static shared library on Q, the user manager was
fetched via mContext.getSystemService. At this time during boot, the
service wasn't registered and so null was returned. This has already
been addressed in R with a move to injecting dependencies in the
PackageManagerService constructor.

Bug: 142083996
Bug: 141413692
Test: manual; remove static dependency on eng Q build and reboot
Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
(cherry picked from commit 5d3fc339b57950fd8621cb410865e8800ccb6873)

Handles null outInfo in deleteSystemPackageLI

This change adds null checks before accessing outInfo in
deleteSystemPackageLI.

Bug: 142083996
Bug: 141413692
Test: manual; remove static dependency on eng build and reboot
Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit 17471016508bb9c9ffb8c3946dda0b4897d722f1)
Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit 6afabce549f5725988b9c03de932c34e9d22f10e)

Fix security problem on PermissionMonitor#hasPermission

PermissionMonitor#hasPermission only checks permssions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission doens't be granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.

Bug: 144679405
Test: Build, flash, manual test
Change-Id: I5eba4909e4c2e1d9f275f66be90ac36466b93e90
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: Iae9c273af822b18c2e6fce04848a86f8dea6410a
(cherry picked from commit 305946b910a9ab3974daa4277f155614a3fc27a4)

RESTRICT AUTOMERGE Make toasts non-clickable

Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagetDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
log click events. Then:
1) Observe click events are logged without this CL.
2) Observer click events are not logged with this CL.
Bug: 128674520

(cherry picked from commit 6bf18c39d9fc727523fa3201567b836032bb2114)
Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0

DO NOT MERGE back porting for fixing sysui direct reply

Root cause: systemui run as user 0 service to handle all of users'
notifications. And, the users can user the copy/cut/paste
functionality.

Solution: To crate @hide API in TextView let SystemUI to mark the
TextView instance should check if the power of
INTERACT_ACROSS_USER_FULL is needed to be restricted.
e.x. Keyguard password textview/Notificaiton entries

Bug: 123232892
Test: manual test
Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
Reference: I975baa748c821538e5a733bb98a33ac609bf40a7

Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
(cherry picked from commit 08391b3da7e2da3b0220eb5766e0a1774d28e9a5)

[basilgello: Back-ported to 14.1:
- packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java ->
packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java]

Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139

DO NOT MERGE: Disable SpellChecker in secondary user's direct reply

For secondary users, when AOSP keyboard is used to type in
direct-reply, unknown words can be added to dictionary.
It's *not* OK for SpellCheckerService of primary user to
check unknown words typed by a secondary user.
The dialog to add these words shows up in primary user instead.

TextView uses TextView#isSuggestionsEnabled() to determine if
SpellChecker is enabled. This can be disabled by setting the flag
TYPE_TEXT_FLAG_NO_SUGGESTIONS in inputType.

Note: This doesn't affect workprofile users on P or older versions since
they use same SpellCheckerService for all workprofiles.

Bug: 123232892
Test: Manually tested using the steps mentioned in the bug.
1. Flash latest P build.
2. Install AOSP keyboard (LatinIME) and set it as default.
3. Install and open EditTextVariations
4. Initiate direct reply in primary user and type non-english
words like "ggggg hhhhh".
5. Observe that they get red underline and tapping it brings "add
to dictionary" popup.
6. Create a new secondary user and switch to it.
7. Once the setup completes, initiate a direct reply and type words
similar to step 4.
8. Verify that red underlines dont appear.
9. switch back to primary user and verify direct reply still has red
underlines.

(cherry picked from commit b5c0e01aca6f19ae3e305ce6d1c1ecec6aba0532)
Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc

Prevent system uid component from running in an isolated app process

Bug: 140055304
Test: Manua
Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
(cherry picked from commit 0bfebadf304bdd5f921e80f93de3e0d13b88b79c)

Only allow INSTALL_ALLOW_TEST from shell or root

Bug: 141169173
Test: Manual. App can't be installed as test-only
Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
(cherry picked from commit 702d394762a9b162cb2a2b04bb726fd8053f24d3)

DO NOT MERGE Validate wallpaper dimension while generating crop

If dimensions of cropped wallpaper image exceed max texture size that
GPU can support, it will cause ImageWallpaper keep crashing
because hwui crashes by invalid operation (0x502).

Bug: 120847476.
Test: Write a custom app to set a 8000x800 bitmap as wallpaper.
Test: The cropped file will be 29600x2960 and make sysui keep crashing.
Test: After applyed this cl, wallpaper will use fallback.
Test: Sysui will not keep crashing any more.
Change-Id: I8ed5931298c652a2230858cf62df3f6fcd345c5a
(cherry picked from commit f1e1f4f04d0165ed065637a4ba556583a7c79ef0)

Do not compute outside given range in TextLine

This is second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
which breaks various layout test on application.
The empty string must be also handled by the TextLine since it
retrieves the default line height from the empty string.

Bug: 140632678
Test: StaticLayoutTest
Test: Manually done
Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735

RESTRICT AUTOMERGE Strict SQLiteQueryBuilder needs to be stricter.

Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.

This change offers setStrictGrammar() to prevent this by outright
blocking subqueries in WHERE and HAVING clauses, and by requiring
that GROUP BY and ORDER BY clauses be composed only of valid columns.

This change also offers setStrictColumns() to require that all
untrusted column names are valid, such as those in ContentValues.

Relaxes to always allow aggregation operators on returned columns,
since untrusted callers can always calculate these manually.

Bug: 135270103
Bug: 135269143
Test: atest android.database.sqlite.cts.SQLiteQueryBuilderTest
Test: atest FrameworksCoreTests:android.database.sqlite.SQLiteTokenizerTest
Exempt-From-Owner-Approval: already approved in downstream branch
Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
(cherry picked from commit 216bbc2a2e4f697d88f8fd633646e3c0433246f1)

Set default phonebook access to ACCESS_REJECTED when user didn't choose one

When there's no users' choice to tell us whether to share their
phonebook information to the Bluetooth device, set the phonebook access
permission to ACCESS_REJECTED.

Bug: 138529441
Test: Manual test
Change-Id: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
Merged-In: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
(cherry picked from commit 9b3cb0f06b7c4907c293aa65e68c7ed6e4962d4b)

RESTRICT AUTOMERGE Enable stricter SQLiteQueryBuilder options.

Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.

This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks. This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.

We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.

Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.

Bug: 135270103
Bug: 135269143
Test: atest DownloadProviderTests
Test: atest CtsAppTestCases:android.app.cts.DownloadManagerTest
Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
(cherry picked from commit 382d5c0c199f3743514e024d2fd921248f7b14b3)

Add MANAGED_PROVISIONING_DPC_DOWNLOADED (nyc).

Test: Just adding a constant
Bug: 132261064
Change-Id: I1527be03a10fa1a2fde09e3e41d6b7e83a986fc0
Merged-In: I2bce277ff8f2de4614e19d5385fe6712b076f9c9
(cherry picked from commit 20e5d92613268c196b508865b7275b59f00688f5)

Merge remote-tracking branch 'lineage/cm-14.1' into cm-14.1-x86

[RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() from startActivityInPackage

Previously startActivity would assume that the system was the calling user when
startActivityInPackage was called. Now the uid of the calling application is
forwarded by the system.

Test: manual; we added logging statements to check the value of realCallingUid
in startActivitiesMayWait when launching the calendar app from the calendar widget
and verified that it was the calendar uid rather than the system uid.

Bug: 123013720
Change-Id: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
Merged-In: I0ef42c2f89b537a720f1ad5aefac756b0ccac52e
(cherry picked from commit 216f65bf60a9fb6f3a495d083e5fbb54ae2a9f66)

Fix Layout.primaryIsTrailingPreviousAllLineOffsets

The CL fixes a crash in Layout.primaryIsTrailingPreviousAllLineOffsets.
The crash was happening when the method was called for a line beginning
with an empty bidi run. This could happen, for example, for empty text -
I was unable to find any other case. The CL improves the existing test
for the method with this case, which was previously crashing.

The CL also fixes a potential crash in getLineHorizontals. However, this
bug could never happen as in the current code path clamped is always
false (and kept as parameter for parity with getHorizontal).

Bug: 135444178
Bug: 78464361
Test: atest FrameworksCoreTests:android.text.LayoutTest\#testPrimaryIsTrailingPrevious
Change-Id: I47157abe1d74675884734e3810628a566e40c1b4
(cherry picked from commit 7ad499d00716f45fffdf7331493ed21d1b8d9b77)
(cherry picked from commit d3e81cd63f91533915feb159e0b4241729592963)

HidProfile: sync isPreferred() with HidHostService

HidHostService allow to connect when priority is PRIORITY_UNDEFINED.
HidProfile should return ture when priority is PRIORITY_UNDEFINED.
Otherwise, the "Input device" toggle in off state when HID device
connected.

Bug: 132456322
Test: manual
Change-Id: Id7bae694c57aec17e019d591c0a677e3cb64f845
(cherry picked from commit 830217f277e31e63d9ab8acd21ee2a8f81ee1c8f)

Clear the Parcel before writing an exception during a transaction

This prevents any object data from being accidentally overwritten by the
exception, which could cause unexpected malformed objects to be sent
across the transaction.

Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
Bug: 34175893
Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
(cherry picked from commit f8ef5bcf21c87d8617f5e11810cc94350298d114)

Protect VPN dialogs against overlay.

Bug: 130568701
Test: manual. After this, can't display on top of it
Change-Id: Ib032f800edb0416cc15f01a34954340d0d0ffa78
Merged-In: Ib032f800edb0416cc15f01a34954340d0d0ffa78
(cherry picked from commit 4e80dc2861614d25a1f957f50040a8cf04812d11)
(cherry picked from commit 016c72c8abfbae08eda269afb8923e8fc8a4ce44)

Make Lock task default behaviour consistent with Settings.

Bug: 127605586
Test: Manual
Change-Id: I5b5b0f9184220a4ed3080ca27792f66d1f5d41aa
(cherry picked from commit fe9f143d2c713475ed2e354e893ea26f5c2f7afa)

Automatic translation import

Change-Id: I8d3e72edb04d5cb6d9cc279418ec46d10b4a0f84

[BACKPORT]NetworkManagement : Add ability to restrict app vpn usage

Cherry-picked from https://review.lineageos.org/#/c/LineageOS/android_frameworks_base/+/232796/

VPN restriction independent from WiFi and mobile data.

Change-Id: I18728542e4a22733f4e096dc429386e61f2a3a06

Adding SUPL NI Emergency Extension Time

Configurable by carrier config.xml resource

Bug: 118839234
Bug: 115361555
Bug: 112159033
Test: On device, see b/115361555#comment14
Change-Id: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
(cherry picked from commit a725dd6650846090f70ed9811f1a94f036ab3f29)

Add cross user permission check - areNotificationsEnabledForPackage

Test: atest
Fixes: 128599467
Change-Id: I13a0ca7590f8c4b44379730e0ee2088aba400c2a
Merged-In: I13a0ca7590f8c4b44379730e0ee2088aba400c2a
(cherry picked from commit 657d164136199126ae241848887de0230699cea0)
(cherry picked from commit 63846a7093ca7c6d89b73fc77bdff267b3ecb4ef)

Limit IsSeparateProfileChallengeAllowed to system callers

Fixes: 128599668
Test: build, set up separate challenge
Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a
(cherry picked from commit 1b6301cf2430f192c9842a05fc22984d782bade9)

Permission Check For DPM.getPermittedAccessibilityServices

Bug: 128599660
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest
Change-Id: I8be915bd6a4ff99884d23005a4c6f0100806dbe8
Merged-In: I8ee3f876fcaffa63636645f0f59709cd147254ef
(cherry picked from commit 4fd13eefcf99d9b9b0d5f5ea99fdc7c799c83d23)