17.1: June ASB work

Signed-off-by: Tavi <[email protected]>

Author: SkewedZeppelin

Patches/LineageOS-17.1/android_frameworks_base/393587.patch

@@ -1,7 +1,7 @@
-From 27549d452e6524778c69c1e7a5e0ab6cae04750e Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Valentin Iftime <[email protected]>
 Date: Mon, 16 Oct 2023 09:29:17 +0200
-Subject: [PATCH] [BACKPORT] Prioritize system toasts
+Subject: [PATCH] Prioritize system toasts
 
  Insert toasts from system packages at the front of the queue
   to ensure that apps can't spam with toast to delay system toasts from showing.
@@ -17,10 +17,10 @@ Change-Id: I13547f853476bc88d12026c545aba9f857ce8724
  2 files changed, 104 insertions(+), 4 deletions(-)
 
 diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
-index e09491867f91a..d769ff8e75055 100755
+index e09491867f91..d769ff8e7505 100755
 --- a/services/core/java/com/android/server/notification/NotificationManagerService.java
 +++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
-@@ -744,17 +744,21 @@ private void writePolicyXml(OutputStream stream, boolean forBackup, int userId)
+@@ -744,17 +744,21 @@ public class NotificationManagerService extends SystemService {
 
      private static final class ToastRecord
      {
@@ -43,7 +43,7 @@ index e09491867f91a..d769ff8e75055 100755
              this.callback = callback;
              this.duration = duration;
              this.token = token;
-@@ -2481,10 +2485,21 @@ record = mToastQueue.get(index);
+@@ -2481,10 +2485,21 @@ public class NotificationManagerService extends SystemService {
 
                          Binder token = new Binder();
                          mWindowManagerInternal.addWindowToken(token, TYPE_TOAST, displayId);
@@ -68,7 +68,7 @@ index e09491867f91a..d769ff8e75055 100755
                          keepProcessAliveIfNeededLocked(callingPid);
                      }
                      // If it's at index 0, it's the current toast.  It doesn't matter if it's
-@@ -2500,6 +2515,23 @@ record = new ToastRecord(callingPid, pkg, callback, duration, token,
+@@ -2500,6 +2515,23 @@ public class NotificationManagerService extends SystemService {
              }
          }
 
@@ -93,10 +93,10 @@ index e09491867f91a..d769ff8e75055 100755
          public void cancelToast(String pkg, ITransientNotification callback) {
              Slog.i(TAG, "cancelToast pkg=" + pkg + " callback=" + callback);
 diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
-index bcb4c49336cf5..4a0aa7c9e8e74 100755
+index bcb4c49336cf..4a0aa7c9e8e7 100755
 --- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
 +++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
-@@ -4480,6 +4480,74 @@ public void testAlwaysAllowSystemToasts() throws Exception {
+@@ -4480,6 +4480,74 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
          assertEquals(1, mService.mToastQueue.size());
      }
 

Patches/LineageOS-17.1/android_frameworks_base/393588.patch

@@ -1,4 +1,4 @@
-From 9a28c009d937e060bb5c10034cb5370129b8ce81 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Jan Tomljanovic <[email protected]>
 Date: Fri, 6 Nov 2020 11:28:09 +0000
 Subject: [PATCH] Don't try to show the current toast again while it's showing.
@@ -19,7 +19,7 @@ Change-Id: Ie4953109314113efae49fa0c5e0c236e6e0dbb23
  2 files changed, 39 insertions(+)
 
 diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
-index d769ff8e75055..7b1c0ac27ab30 100755
+index d769ff8e7505..7b1c0ac27ab3 100755
 --- a/services/core/java/com/android/server/notification/NotificationManagerService.java
 +++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
 @@ -437,6 +437,10 @@ public class NotificationManagerService extends SystemService {
@@ -33,7 +33,7 @@ index d769ff8e75055..7b1c0ac27ab30 100755
      // The last key in this list owns the hardware.
      ArrayList<String> mLights = new ArrayList<>();
 
-@@ -6482,12 +6486,17 @@ public void run() {
+@@ -6482,12 +6486,17 @@ public class NotificationManagerService extends SystemService {
 
      @GuardedBy("mToastQueue")
      void showNextToastLocked() {
@@ -51,7 +51,7 @@ index d769ff8e75055..7b1c0ac27ab30 100755
                  return;
              } catch (RemoteException e) {
                  Slog.w(TAG, "Object died trying to show notification " + record.callback
-@@ -6519,6 +6528,10 @@ void cancelToastLocked(int index) {
+@@ -6519,6 +6528,10 @@ public class NotificationManagerService extends SystemService {
              // the list anyway
          }
 
@@ -63,10 +63,10 @@ index d769ff8e75055..7b1c0ac27ab30 100755
 
          mWindowManagerInternal.removeWindowToken(lastToast.token, false /* removeWindows */,
 diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
-index 4a0aa7c9e8e74..0e8cea43063b9 100755
+index 4a0aa7c9e8e7..0e8cea43063b 100755
 --- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
 +++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
-@@ -4415,6 +4415,32 @@ public void testAllowForegroundToasts() throws Exception {
+@@ -4415,6 +4415,32 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
      }
 
      @Test

Patches/LineageOS-17.1/android_frameworks_base/394553.patch

@@ -0,0 +1,47 @@
+From 00961ad29e26dde5d4f56de90ac333ceb2fc8d34 Mon Sep 17 00:00:00 2001
+From: Jing Ji <[email protected]>
+Date: Tue, 25 Oct 2022 22:39:52 -0700
+Subject: [PATCH] DO NOT MERGE: ActivityManager#killBackgroundProcesses can
+ kill caller's own app only
+
+unless it's a system app.
+
+Bug: 239423414
+Bug: 223376078
+Test: atest CtsAppTestCases:ActivityManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d1c95670b248df945784b0f2830acf83b5682de3)
+Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
+AOSP-Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
+
+Change-Id: I41cd6fa1f71e950db18a9fd450355c4e6f80ec7d
+---
+ .../server/am/ActivityManagerService.java        | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 234b23a996267..815ddf63e565a 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -4486,6 +4486,22 @@ void killAllBackgroundProcessesExcept(int minTargetSdk, int maxProcState) {
+             throw new SecurityException(msg);
+         }
+ 
++        final int callingUid = Binder.getCallingUid();
++        final int callingPid = Binder.getCallingPid();
++
++        ProcessRecord proc;
++        synchronized (mPidsSelfLocked) {
++            proc = mPidsSelfLocked.get(callingPid);
++        }
++        if (callingUid >= FIRST_APPLICATION_UID
++                && (proc == null || !proc.info.isSystemApp())) {
++            final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
++                    + callingPid + ", uid=" + callingUid + " is not allowed";
++            Slog.w(TAG, msg);
++            // Silently return to avoid existing apps from crashing.
++            return;
++        }
++
+         final long callingId = Binder.clearCallingIdentity();
+         try {
+             synchronized (this) {

Patches/LineageOS-17.1/android_frameworks_base/394554.patch

@@ -0,0 +1,46 @@
+From 14804676d97278009b746073e8339374b0cce927 Mon Sep 17 00:00:00 2001
+From: Jing Ji <[email protected]>
+Date: Thu, 19 Oct 2023 14:22:58 -0700
+Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
+ permissions
+
+In the pevious CL, we incorrectly added the permission check in the
+killBackgroundProcessesExcept. Now fix this issue.
+
+Bug: 239423414
+Bug: 223376078
+Test: atest CtsAppTestCases:ActivityManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
+Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
+Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
+---
+ .../server/am/ActivityManagerService.java        | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 815ddf63e565a..234b23a996267 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -4486,22 +4486,6 @@ void killAllBackgroundProcessesExcept(int minTargetSdk, int maxProcState) {
+             throw new SecurityException(msg);
+         }
+ 
+-        final int callingUid = Binder.getCallingUid();
+-        final int callingPid = Binder.getCallingPid();
+-
+-        ProcessRecord proc;
+-        synchronized (mPidsSelfLocked) {
+-            proc = mPidsSelfLocked.get(callingPid);
+-        }
+-        if (callingUid >= FIRST_APPLICATION_UID
+-                && (proc == null || !proc.info.isSystemApp())) {
+-            final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+-                    + callingPid + ", uid=" + callingUid + " is not allowed";
+-            Slog.w(TAG, msg);
+-            // Silently return to avoid existing apps from crashing.
+-            return;
+-        }
+-
+         final long callingId = Binder.clearCallingIdentity();
+         try {
+             synchronized (this) {

Patches/LineageOS-17.1/android_frameworks_base/394555-backport.patch

@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Valentin Iftime <[email protected]>
+Date: Thu, 1 Feb 2024 13:58:49 +0100
+Subject: [PATCH] Verify URI permission for channel sound update from
+ NotificationListenerService
+
+ Check that a privileged NotificationListenerService (CDM) has the permission to access the sound URI
+  when updating a notification channel.
+
+Test: atest com.android.server.notification.NotificationManagerServiceTest#testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission
+Bug: 317357401
+(cherry picked from commit 9b7bbbf5ad542ecf9ecbf8cd819b468791b443c0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f090c0538a27d8658d8a860046d5c5e931302341)
+Merged-In: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
+Change-Id: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
+---
+ .../NotificationManagerService.java           | 21 ++++++
+ .../NotificationManagerServiceTest.java       | 67 +++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index 7b1c0ac27ab3..ca957e4d16e3 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -4333,6 +4333,9 @@ public class NotificationManagerService extends SystemService {
+             Preconditions.checkNotNull(user);
+ 
+             verifyPrivilegedListener(token, user, false);
++            final NotificationChannel originalChannel = mPreferencesHelper.getNotificationChannel(
++                    pkg, getUidForPackageAndUser(pkg, user), channel.getId(), true);
++            verifyPrivilegedListenerUriPermission(Binder.getCallingUid(), channel, originalChannel);
+             updateNotificationChannelInt(pkg, getUidForPackageAndUser(pkg, user), channel, true);
+         }
+ 
+@@ -4412,6 +4415,24 @@ public class NotificationManagerService extends SystemService {
+             }
+         }
+ 
++        private void verifyPrivilegedListenerUriPermission(int sourceUid,
++                @NonNull NotificationChannel updateChannel,
++                @Nullable NotificationChannel originalChannel) {
++            // Check that the NLS has the required permissions to access the channel
++            final Uri soundUri = updateChannel.getSound();
++            final Uri originalSoundUri =
++                    (originalChannel != null) ? originalChannel.getSound() : null;
++            if (soundUri != null && !Objects.equals(originalSoundUri, soundUri)) {
++                Binder.withCleanCallingIdentity(() -> {
++                    mUgmInternal.checkGrantUriPermission(sourceUid, null,
++                            ContentProvider.getUriWithoutUserId(soundUri),
++                            Intent.FLAG_GRANT_READ_URI_PERMISSION,
++                            ContentProvider.getUserIdFromUri(soundUri,
++                            UserHandle.getUserId(sourceUid)));
++                });
++            }
++        }
++
+         private int getUidForPackageAndUser(String pkg, UserHandle user) throws RemoteException {
+             int uid = 0;
+             long identity = Binder.clearCallingIdentity();
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+index 0e8cea43063b..403772d0f875 100755
+--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+@@ -2037,6 +2037,73 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+                 eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
+     }
+ 
++    @Test
++    public void testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission()
++            throws Exception {
++        mService.setPreferencesHelper(mPreferencesHelper);
++        List<String> associations = new ArrayList<>();
++        associations.add("a");
++        when(mCompanionMgr.getAssociations(PKG, UserHandle.getUserId(mUid)))
++                .thenReturn(associations);
++        when(mPreferencesHelper.getNotificationChannel(eq(PKG), anyInt(),
++                eq(mTestNotificationChannel.getId()), anyBoolean()))
++                .thenReturn(mTestNotificationChannel);
++
++        final Uri soundUri = Uri.parse("content://media/test/sound/uri");
++        final NotificationChannel updatedNotificationChannel = new NotificationChannel(
++                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
++        updatedNotificationChannel.setSound(soundUri,
++                updatedNotificationChannel.getAudioAttributes());
++
++        doThrow(new SecurityException("no access")).when(mUgmInternal)
++                .checkGrantUriPermission(eq(Process.myUid()), any(), eq(soundUri),
++                anyInt(), eq(Process.myUserHandle().getIdentifier()));
++
++        assertThrows(SecurityException.class,
++                () -> mBinderService.updateNotificationChannelFromPrivilegedListener(null, PKG,
++                Process.myUserHandle(), updatedNotificationChannel));
++
++        verify(mPreferencesHelper, never()).updateNotificationChannel(
++                anyString(), anyInt(), any(), anyBoolean());
++
++        verify(mListeners, never()).notifyNotificationChannelChanged(eq(PKG),
++                eq(Process.myUserHandle()), eq(mTestNotificationChannel),
++                eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
++    }
++
++    @Test
++    public void testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission_sameSound()
++            throws Exception {
++        mService.setPreferencesHelper(mPreferencesHelper);
++        List<String> associations = new ArrayList<>();
++        associations.add("a");
++        when(mCompanionMgr.getAssociations(PKG, UserHandle.getUserId(mUid)))
++                .thenReturn(associations);
++        when(mPreferencesHelper.getNotificationChannel(eq(PKG), anyInt(),
++                eq(mTestNotificationChannel.getId()), anyBoolean()))
++                .thenReturn(mTestNotificationChannel);
++
++        final Uri soundUri = Settings.System.DEFAULT_NOTIFICATION_URI;
++        final NotificationChannel updatedNotificationChannel = new NotificationChannel(
++                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
++        updatedNotificationChannel.setSound(soundUri,
++                updatedNotificationChannel.getAudioAttributes());
++
++        doThrow(new SecurityException("no access")).when(mUgmInternal)
++                .checkGrantUriPermission(eq(Process.myUid()), any(), eq(soundUri),
++                    anyInt(), eq(Process.myUserHandle().getIdentifier()));
++
++        mBinderService.updateNotificationChannelFromPrivilegedListener(
++                null, PKG, Process.myUserHandle(), updatedNotificationChannel);
++
++        verify(mPreferencesHelper, times(1)).updateNotificationChannel(
++                anyString(), anyInt(), any(), anyBoolean());
++
++        verify(mListeners, never()).notifyNotificationChannelChanged(eq(PKG),
++                eq(Process.myUserHandle()), eq(mTestNotificationChannel),
++                eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
++    }
++
+     @Test
+     public void testGetNotificationChannelFromPrivilegedListener_cdm_success() throws Exception {
+         mService.setPreferencesHelper(mPreferencesHelper);