16.0: June ASB picks

Signed-off-by: Tavi <[email protected]>

Author: SkewedZeppelin

Patches/LineageOS-16.0/android_frameworks_base/394877.patch

@@ -0,0 +1,128 @@
+From 361c828f654b646f968644dbadf8a1f5f8ad67d8 Mon Sep 17 00:00:00 2001
+From: Valentin Iftime <[email protected]>
+Date: Thu, 1 Feb 2024 13:58:49 +0100
+Subject: [PATCH] [BACKPORT] Verify URI permission for channel sound update
+ from NotificationListenerService
+
+ Check that a privileged NotificationListenerService (CDM) has the permission to access the sound URI
+  when updating a notification channel.
+
+Test: atest com.android.server.notification.NotificationManagerServiceTest#testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission
+Bug: 317357401
+(cherry picked from commit 9b7bbbf5ad542ecf9ecbf8cd819b468791b443c0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f090c0538a27d8658d8a860046d5c5e931302341)
+Merged-In: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
+Change-Id: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
+---
+ .../NotificationManagerService.java           | 22 +++++++
+ .../NotificationManagerServiceTest.java       | 57 +++++++++++++++++++
+ 2 files changed, 79 insertions(+)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index a1e8cd15fd7ee..e793dc024156a 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -3668,6 +3668,10 @@ public void updateNotificationChannelFromPrivilegedListener(INotificationListene
+             Preconditions.checkNotNull(user);
+ 
+             verifyPrivilegedListener(token, user);
++
++            final NotificationChannel originalChannel = mRankingHelper.getNotificationChannel(
++                    pkg, getUidForPackageAndUser(pkg, user), channel.getId(), true);
++            verifyPrivilegedListenerUriPermission(Binder.getCallingUid(), channel, originalChannel);
+             updateNotificationChannelInt(pkg, getUidForPackageAndUser(pkg, user), channel, true);
+         }
+ 
+@@ -3709,6 +3713,24 @@ private void verifyPrivilegedListener(INotificationListener token, UserHandle us
+             }
+         }
+ 
++        private void verifyPrivilegedListenerUriPermission(int sourceUid,
++                @NonNull NotificationChannel updateChannel,
++                @Nullable NotificationChannel originalChannel) {
++            // Check that the NLS has the required permissions to access the channel
++            final Uri soundUri = updateChannel.getSound();
++            final Uri originalSoundUri =
++                    (originalChannel != null) ? originalChannel.getSound() : null;
++            if (soundUri != null && !Objects.equals(originalSoundUri, soundUri)) {
++                Binder.withCleanCallingIdentity(() -> {
++                    mAm.checkGrantUriPermission(sourceUid, null,
++                            ContentProvider.getUriWithoutUserId(soundUri),
++                            Intent.FLAG_GRANT_READ_URI_PERMISSION,
++                            ContentProvider.getUserIdFromUri(soundUri,
++                            UserHandle.getUserId(sourceUid)));
++                });
++            }
++        }
++
+         private int getUidForPackageAndUser(String pkg, UserHandle user) throws RemoteException {
+             int uid = 0;
+             long identity = Binder.clearCallingIdentity();
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+index 379290bcf0ad0..db83d8f1a4f07 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+@@ -1681,6 +1681,63 @@ public void testUpdateNotificationChannelFromPrivilegedListener_badUser() throws
+                 eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
+     }
+ 
++    @Test
++    public void testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission()
++            throws Exception {
++        mService.setPreferencesHelper(mPreferencesHelper);
++        List<String> associations = new ArrayList<>();
++        associations.add("a");
++        when(mCompanionMgr.getAssociations(PKG, UserHandle.getUserId(mUid)))
++                .thenReturn(associations);
++        when(mPreferencesHelper.getNotificationChannel(eq(PKG), anyInt(),
++                eq(mTestNotificationChannel.getId()), anyBoolean()))
++                .thenReturn(mTestNotificationChannel);
++        final Uri soundUri = Uri.parse("content://media/test/sound/uri");
++        final NotificationChannel updatedNotificationChannel = new NotificationChannel(
++                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
++        updatedNotificationChannel.setSound(soundUri,
++                updatedNotificationChannel.getAudioAttributes());
++        doThrow(new SecurityException("no access")).when(mUgmInternal)
++                .checkGrantUriPermission(eq(Process.myUid()), any(), eq(soundUri),
++                anyInt(), eq(Process.myUserHandle().getIdentifier()));
++        assertThrows(SecurityException.class,
++                () -> mBinderService.updateNotificationChannelFromPrivilegedListener(null, PKG,
++                Process.myUserHandle(), updatedNotificationChannel));
++        verify(mPreferencesHelper, never()).updateNotificationChannel(
++                anyString(), anyInt(), any(), anyBoolean());
++        verify(mListeners, never()).notifyNotificationChannelChanged(eq(PKG),
++                eq(Process.myUserHandle()), eq(mTestNotificationChannel),
++                eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
++    }
++
++    @Test
++    public void testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission_sameSound()
++            throws Exception {
++        mService.setPreferencesHelper(mPreferencesHelper);
++        List<String> associations = new ArrayList<>();
++        associations.add("a");
++        when(mCompanionMgr.getAssociations(PKG, UserHandle.getUserId(mUid)))
++                .thenReturn(associations);
++        when(mPreferencesHelper.getNotificationChannel(eq(PKG), anyInt(),
++                eq(mTestNotificationChannel.getId()), anyBoolean()))
++                .thenReturn(mTestNotificationChannel);
++        final Uri soundUri = Settings.System.DEFAULT_NOTIFICATION_URI;
++        final NotificationChannel updatedNotificationChannel = new NotificationChannel(
++                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
++        updatedNotificationChannel.setSound(soundUri,
++                updatedNotificationChannel.getAudioAttributes());
++        doThrow(new SecurityException("no access")).when(mUgmInternal)
++                .checkGrantUriPermission(eq(Process.myUid()), any(), eq(soundUri),
++                    anyInt(), eq(Process.myUserHandle().getIdentifier()));
++        mBinderService.updateNotificationChannelFromPrivilegedListener(
++                null, PKG, Process.myUserHandle(), updatedNotificationChannel);
++        verify(mPreferencesHelper, times(1)).updateNotificationChannel(
++                anyString(), anyInt(), any(), anyBoolean());
++        verify(mListeners, never()).notifyNotificationChannelChanged(eq(PKG),
++                eq(Process.myUserHandle()), eq(mTestNotificationChannel),
++                eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
++    }
++
+     @Test
+     public void testGetNotificationChannelFromPrivilegedListener_success() throws Exception {
+         mService.setRankingHelper(mRankingHelper);

Patches/LineageOS-16.0/android_frameworks_base/394878.patch

@@ -0,0 +1,43 @@
+From 2d2a31353a07daf096aa9e2ca09e18ad2773b1ba Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <[email protected]>
+Date: Tue, 26 Mar 2024 10:31:44 -0700
+Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
+
+Another verification is needed after Bundle modification.
+Bug: 321941232
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
+Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
+Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 4e4c261d0cc46..19e1a4c55120a 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3453,6 +3453,11 @@ public void onResult(Bundle result) {
+ 
+             // Strip auth token from result.
+             result.remove(AccountManager.KEY_AUTHTOKEN);
++            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                        "invalid intent in bundle returned");
++                return;
++            }
+ 
+             if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                 Log.v(TAG,
+@@ -5039,6 +5044,11 @@ public void onResult(Bundle result) {
+                     } else {
+                         if (mStripAuthTokenFromResult) {
+                             result.remove(AccountManager.KEY_AUTHTOKEN);
++                            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++                                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                                        "invalid intent in bundle returned");
++                                return;
++                            }
+                         }
+                         if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                             Log.v(TAG, getClass().getSimpleName()

Patches/LineageOS-16.0/android_frameworks_base/394879.patch

@@ -0,0 +1,53 @@
+From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001
+From: Chris Wailes <[email protected]>
+Date: Thu, 18 Apr 2019 18:25:57 -0700
+Subject: [PATCH] Adds additional sanitization for Zygote command arguments.
+
+Previously we were only insuring that the arguments provided to the
+Zygote didn't contain any newlines.  This adds additional checks for
+carriage returns and standalone integer arguments to protect against
+malicious argument and packet injection respectively.
+
+Bug: 130164289
+Test: m & flash & boot & check logs
+Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
+Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
+(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
+---
+ core/java/android/os/ZygoteProcess.java | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 6994033a963a8..904ec46859fa4 100644
+--- a/core/java/android/os/ZygoteProcess.java
++++ b/core/java/android/os/ZygoteProcess.java
+@@ -16,6 +16,7 @@
+ 
+ package android.os;
+ 
++import android.annotation.NonNull;
+ import android.net.LocalSocket;
+ import android.net.LocalSocketAddress;
+ import android.util.Log;
+@@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
+      */
+     @GuardedBy("mLock")
+     private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+-            ZygoteState zygoteState, ArrayList<String> args)
++            ZygoteState zygoteState, @NonNull ArrayList<String> args)
+             throws ZygoteStartFailedEx {
+         try {
+             // Throw early if any of the arguments are malformed. This means we can
+             // avoid writing a partial response to the zygote.
+             int sz = args.size();
+             for (int i = 0; i < sz; i++) {
++                // Making two indexOf calls here is faster than running a manually fused loop due
++                // to the fact that indexOf is a optimized intrinsic.
+                 if (args.get(i).indexOf('\n') >= 0) {
+-                    throw new ZygoteStartFailedEx("embedded newlines not allowed");
++                    throw new ZygoteStartFailedEx("Embedded newlines not allowed");
++                } else if (args.get(i).indexOf('\r') >= 0) {
++                    throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+                 }
+             }
+ 

Patches/LineageOS-16.0/android_frameworks_base/394880.patch

@@ -0,0 +1,32 @@
+From 00ff56bb646c525192f06cbeed96c3dc78d45795 Mon Sep 17 00:00:00 2001
+From: Hans Boehm <[email protected]>
+Date: Tue, 2 Jan 2024 16:53:13 -0800
+Subject: [PATCH] Check hidden API exemptions
+
+Refuse to deal with newlines and null characters in
+HiddenApiSettings.update(). Also disallow nulls in process start
+arguments.
+
+Bug: 316153291
+Test: Treehugger for now
+(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
+Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+---
+ core/java/android/os/ZygoteProcess.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 904ec46859fa4..aab1d9d578031 100644
+--- a/core/java/android/os/ZygoteProcess.java
++++ b/core/java/android/os/ZygoteProcess.java
+@@ -292,6 +292,8 @@ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+                     throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+                 } else if (args.get(i).indexOf('\r') >= 0) {
+                     throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
++                } else if (args.get(i).indexOf('\u0000') >= 0) {
++                    throw new ZygoteStartFailedEx("Embedded nulls not allowed");
+                 }
+             }
+ 

Patches/LineageOS-16.0/android_frameworks_base/394881.patch

@@ -0,0 +1,60 @@
+From a73947c4826f59babc2368754e478942eb9b28a1 Mon Sep 17 00:00:00 2001
+From: Ameer Armaly <[email protected]>
+Date: Fri, 8 Mar 2024 19:41:06 +0000
+Subject: [PATCH] AccessibilityManagerService: remove uninstalled services from
+ enabled list after service update.
+
+Bug: 326485767
+Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
+Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+---
+ .../AccessibilityManagerService.java          | 23 +++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index fd87be3e5649f..39ac2f3c1bdbf 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1553,10 +1553,13 @@ private void updateServicesLocked(UserState userState) {
+         boolean isUnlockingOrUnlocked = LocalServices.getService(UserManagerInternal.class)
+                     .isUserUnlockingOrUnlocked(userState.mUserId);
+ 
++        // Store the list of installed services.
++        mTempComponentNameSet.clear();
+         for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
+             AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
+             ComponentName componentName = ComponentName.unflattenFromString(
+                     installedService.getId());
++            mTempComponentNameSet.add(componentName);
+ 
+             AccessibilityServiceConnection service = componentNameToServiceMap.get(componentName);
+ 
+@@ -1602,6 +1605,26 @@ private void updateServicesLocked(UserState userState) {
+         if (audioManager != null) {
+             audioManager.setAccessibilityServiceUids(mTempIntArray);
+         }
++
++        // If any services have been removed, remove them from the enabled list and the touch
++        // exploration granted list.
++        boolean anyServiceRemoved =
++                userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
++                        || userState.mTouchExplorationGrantedServices.removeIf(
++                                (comp) -> !mTempComponentNameSet.contains(comp));
++        if (anyServiceRemoved) {
++            // Update the enabled services setting.
++            persistComponentNamesToSettingLocked(
++                    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
++                    userState.mEnabledServices,
++                    userState.mUserId);
++            // Update the touch exploration granted services setting.
++            persistComponentNamesToSettingLocked(
++                    Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
++                    userState.mTouchExplorationGrantedServices,
++                    userState.mUserId);
++        }
++        mTempComponentNameSet.clear();
+         updateAccessibilityEnabledSetting(userState);
+     }
+ 

Patches/LineageOS-16.0/android_frameworks_base/394882.patch

@@ -0,0 +1,40 @@
+From 538cc6c384985f272dc7ab6c7cc7222a59b4c341 Mon Sep 17 00:00:00 2001
+From: Guojing Yuan <[email protected]>
+Date: Thu, 14 Dec 2023 19:30:04 +0000
+Subject: [PATCH] [BACKPORT] Check permissions for CDM shell commands
+
+Override handleShellCommand instead of onShellCommand because
+Binder.onShellCommand checks the necessary permissions of the caller.
+
+Backport by [email protected]:
+In Pie, method handleShellCommand does not exist, only Binder.onShellCommand, in which
+the caller uid check isn't yet implemented. Backport: Take over the uid check from A11
+and implement it in the method override.
+
+Bug: 313428840
+
+Test: manually tested CDM shell commands
+(cherry picked from commit 1761a0fee9c2cd9787bbb7fbdbe30b4c2b03396e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d008c61451dba86aa9f14c6bcd661db2cea4856)
+Merged-In: I5539b3594feb5544c458c0fd1061b51a0a808900
+Change-Id: I5539b3594feb5544c458c0fd1061b51a0a808900
+---
+ .../server/companion/CompanionDeviceManagerService.java      | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index 087fe8560fc80..8ffb53f8a3b9d 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -345,6 +345,11 @@ private void checkUsesFeature(String pkg, int userId) {
+         public void onShellCommand(FileDescriptor in, FileDescriptor out, FileDescriptor err,
+                 String[] args, ShellCallback callback, ResultReceiver resultReceiver)
+                 throws RemoteException {
++            final int callingUid = Binder.getCallingUid();
++            if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
++                resultReceiver.send(-1, null);
++                throw new RemoteException("Shell commands are only callable by ADB");
++            }
+             new ShellCmd().exec(this, in, out, err, args, callback, resultReceiver);
+         }
+     }