diff --git a/aosp_diff/preliminary/frameworks/base/0046-Remove-flag-fixAvatarCrossUserLeak.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0046-Remove-flag-fixAvatarCrossUserLeak.bulletin.patch new file mode 100644 index 0000000000..b5ee8f7e9a --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0046-Remove-flag-fixAvatarCrossUserLeak.bulletin.patch @@ -0,0 +1,41 @@ +From 2b4d662a462c6b0269a6e6035ce443ec29fd860e Mon Sep 17 00:00:00 2001 +From: Anna Bauza +Date: Tue, 26 Nov 2024 20:13:07 +0000 +Subject: [PATCH] Remove flag fixAvatarCrossUserLeak + +Remove flag since this is a security fix and missing the flag on security branch is causing build failure. + +Bug: 341688848 +Test: N/A +Flag: EXEMPT bugfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2ab1084a748a2303289624e6063d2c60d10ec922) +Merged-In: I7d92e0bdb750a5e0a81e9bfd03ea50686c82f6e0 +Change-Id: I7d92e0bdb750a5e0a81e9bfd03ea50686c82f6e0 +--- + .../settingslib/users/EditUserPhotoController.java | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java b/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java +index f38e91ac0d8a..0143e5ebf116 100644 +--- a/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java ++++ b/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java +@@ -134,12 +134,10 @@ public class EditUserPhotoController { + if (Flags.avatarSync()) { + intent.putExtra(EXTRA_IS_USER_NEW, isUserNew); + // Fix vulnerability b/341688848 by explicitly set the class name of avatar picker. +- if (Flags.fixAvatarCrossUserLeak()) { +- final String packageName = +- mActivity.getString(R.string.config_avatar_picker_package); +- final String className = mActivity.getString(R.string.config_avatar_picker_class); +- intent.setClassName(packageName, className); +- } ++ final String packageName = ++ mActivity.getString(R.string.config_avatar_picker_package); ++ final String className = mActivity.getString(R.string.config_avatar_picker_class); ++ intent.setClassName(packageName, className); + } else { + // SettingsLib is used by multiple apps therefore we need to know out of all apps + // using settingsLib which one is the one we return value to. +-- +2.48.1.262.g85cc9f2d1e-goog + diff --git a/aosp_diff/preliminary/frameworks/base/0047-Verify-that-the-caller-has-permissions-for-the-icons-it-provided.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0047-Verify-that-the-caller-has-permissions-for-the-icons-it-provided.bulletin.patch new file mode 100644 index 0000000000..f07ea98f1c --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0047-Verify-that-the-caller-has-permissions-for-the-icons-it-provided.bulletin.patch @@ -0,0 +1,115 @@ +From ee65c97e3a19224548376ca2b7bd93fe366e94e8 Mon Sep 17 00:00:00 2001 +From: Andrey Yepin +Date: Mon, 9 Dec 2024 21:34:17 -0800 +Subject: [PATCH] Verify that the caller has permissions for the icons it + provided. + +Bug: 277207798 +Test: manual testing: first reroduce the issue as described in the + ticket then check that it is not reproduceable after the fix. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bad47a2280c7107e1213f4adc5a3825a62698d00) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c108d3866a3e6b1d7780325d862f20450a36d573) +Merged-In: I08992550507572a4878c501184360a58adef53ad +Change-Id: I08992550507572a4878c501184360a58adef53ad +--- + .../android/internal/app/ChooserActivity.java | 50 ++++++++++++++++++- + 1 file changed, 49 insertions(+), 1 deletion(-) + +diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java +index ab456a84d9ad..3911777912ca 100644 +--- a/core/java/com/android/internal/app/ChooserActivity.java ++++ b/core/java/com/android/internal/app/ChooserActivity.java +@@ -21,6 +21,7 @@ import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CANT + import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CANT_SHARE_WITH_PERSONAL; + import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CANT_SHARE_WITH_WORK; + import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CROSS_PROFILE_BLOCKED_TITLE; ++import static android.content.ContentProvider.getUriWithoutUserId; + import static android.content.ContentProvider.getUserIdFromUri; + import static android.stats.devicepolicy.DevicePolicyEnums.RESOLVER_EMPTY_STATE_NO_SHARING_TO_PERSONAL; + import static android.stats.devicepolicy.DevicePolicyEnums.RESOLVER_EMPTY_STATE_NO_SHARING_TO_WORK; +@@ -40,7 +41,9 @@ import android.annotation.Nullable; + import android.app.Activity; + import android.app.ActivityManager; + import android.app.ActivityOptions; ++import android.app.IUriGrantsManager; + import android.app.SharedElementCallback; ++import android.app.UriGrantsManager; + import android.app.prediction.AppPredictionContext; + import android.app.prediction.AppPredictionManager; + import android.app.prediction.AppPredictor; +@@ -77,6 +80,7 @@ import android.graphics.Paint; + import android.graphics.Path; + import android.graphics.drawable.AnimatedVectorDrawable; + import android.graphics.drawable.Drawable; ++import android.graphics.drawable.Icon; + import android.metrics.LogMaker; + import android.net.Uri; + import android.os.AsyncTask; +@@ -86,6 +90,7 @@ import android.os.Handler; + import android.os.Message; + import android.os.Parcelable; + import android.os.PatternMatcher; ++import android.os.RemoteException; + import android.os.ResultReceiver; + import android.os.UserHandle; + import android.os.UserManager; +@@ -684,7 +689,11 @@ public class ChooserActivity extends ResolverActivity implements + targets = null; + break; + } +- targets[i] = (ChooserTarget) pa[i]; ++ ChooserTarget chooserTarget = (ChooserTarget) pa[i]; ++ if (!hasValidIcon(chooserTarget)) { ++ chooserTarget = removeIcon(chooserTarget); ++ } ++ targets[i] = chooserTarget; + } + mCallerChooserTargets = targets; + } +@@ -4206,4 +4215,43 @@ public class ChooserActivity extends ResolverActivity implements + private boolean shouldNearbyShareBeIncludedAsActionButton() { + return !shouldNearbyShareBeFirstInRankedRow(); + } ++ ++ private boolean hasValidIcon(ChooserTarget target) { ++ Icon icon = target.getIcon(); ++ if (icon == null) { ++ return true; ++ } ++ if (icon.getType() == Icon.TYPE_URI || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP) { ++ Uri uri = icon.getUri(); ++ try { ++ getUriGrantsManager().checkGrantUriPermission_ignoreNonSystem( ++ getLaunchedFromUid(), ++ getPackageName(), ++ getUriWithoutUserId(uri), ++ Intent.FLAG_GRANT_READ_URI_PERMISSION, ++ getUserIdFromUri(uri) ++ ); ++ } catch (SecurityException | RemoteException e) { ++ Log.e(TAG, "Failed to get URI permission for: " + uri, e); ++ return false; ++ } ++ } ++ return true; ++ } ++ ++ private IUriGrantsManager getUriGrantsManager() { ++ return UriGrantsManager.getService(); ++ } ++ ++ private static ChooserTarget removeIcon(ChooserTarget target) { ++ if (target == null) { ++ return null; ++ } ++ return new ChooserTarget( ++ target.getTitle(), ++ null, ++ target.getScore(), ++ target.getComponentName(), ++ target.getIntentExtras()); ++ } + } +-- +2.48.1.262.g85cc9f2d1e-goog + diff --git a/aosp_diff/preliminary/frameworks/base/0048-Fix-Block-opening-settings-app-on-keyguard-without-u.patch b/aosp_diff/preliminary/frameworks/base/0048-Fix-Block-opening-settings-app-on-keyguard-without-u.patch new file mode 100644 index 0000000000..77904d9b0c --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0048-Fix-Block-opening-settings-app-on-keyguard-without-u.patch @@ -0,0 +1,32 @@ +From 98a78553442199cc8601d6446081619be1471ac4 Mon Sep 17 00:00:00 2001 +From: Vaibhav Devmurari +Date: Mon, 9 Dec 2024 13:15:03 +0000 +Subject: [PATCH] Fix: Block opening settings app on keyguard without user auth + +Test: atest KeyGestureEventTests +Bug: 378900798 +Flag: EXEMPT bugfix +(cherry picked from commit d615298466085c4a88c6733804160e0c1ee7e31e) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4) +Merged-In: I89d43872108710d20e0c4ef7e652d389896155d7 +Change-Id: I89d43872108710d20e0c4ef7e652d389896155d7 +--- + .../core/java/com/android/server/policy/PhoneWindowManager.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/policy/PhoneWindowManager.java b/services/core/java/com/android/server/policy/PhoneWindowManager.java +index f1a481155458..23b448b064c4 100644 +--- a/services/core/java/com/android/server/policy/PhoneWindowManager.java ++++ b/services/core/java/com/android/server/policy/PhoneWindowManager.java +@@ -3576,7 +3576,7 @@ public class PhoneWindowManager implements WindowManagerPolicy { + } + break; + case KeyEvent.KEYCODE_I: +- if (firstDown && event.isMetaPressed()) { ++ if (firstDown && event.isMetaPressed() && isUserSetupComplete() && !keyguardOn) { + showSystemSettings(); + notifyKeyGestureCompleted(event, + KeyGestureEvent.KEY_GESTURE_TYPE_LAUNCH_SYSTEM_SETTINGS); +-- +2.34.1 + diff --git a/aosp_diff/preliminary/frameworks/base/0049-BaseBundle-fix-unparcel-error-logic.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0049-BaseBundle-fix-unparcel-error-logic.bulletin.patch new file mode 100644 index 0000000000..de905c1438 --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0049-BaseBundle-fix-unparcel-error-logic.bulletin.patch @@ -0,0 +1,99 @@ +From 567af706fd9db016b0b7a7c4ffc5e2b2fd3bbb5f Mon Sep 17 00:00:00 2001 +From: Steven Moreland +Date: Tue, 10 Dec 2024 21:54:36 +0000 +Subject: [PATCH] BaseBundle: fix unparcel error logic + +This code considered a success case to be an unsuccessful +case. + +Bug: 373357090 +Test: repro in bug no longer works +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:86cfb77a4664110c44ea147e8457a65e69e6d5d9) +Merged-In: Id423936872cbb0e0265ccf2855092357cb175d47 +Change-Id: Id423936872cbb0e0265ccf2855092357cb175d47 +--- + core/java/android/os/BaseBundle.java | 10 +++++----- + core/java/android/os/Parcel.java | 12 +++++------- + 2 files changed, 10 insertions(+), 12 deletions(-) + +diff --git a/core/java/android/os/BaseBundle.java b/core/java/android/os/BaseBundle.java +index 49ab15a40a8e..36a1c1b08289 100644 +--- a/core/java/android/os/BaseBundle.java ++++ b/core/java/android/os/BaseBundle.java +@@ -471,10 +471,10 @@ public class BaseBundle { + map.erase(); + map.ensureCapacity(count); + } +- int numLazyValues = 0; ++ int[] numLazyValues = new int[]{0}; + try { +- numLazyValues = parcelledData.readArrayMap(map, count, !parcelledByNative, +- /* lazy */ ownsParcel, mClassLoader); ++ parcelledData.readArrayMap(map, count, !parcelledByNative, ++ /* lazy */ ownsParcel, mClassLoader, numLazyValues); + } catch (BadParcelableException e) { + if (sShouldDefuse) { + Log.w(TAG, "Failed to parse Bundle, but defusing quietly", e); +@@ -485,14 +485,14 @@ public class BaseBundle { + } finally { + mWeakParcelledData = null; + if (ownsParcel) { +- if (numLazyValues == 0) { ++ if (numLazyValues[0] == 0) { + recycleParcel(parcelledData); + } else { + mWeakParcelledData = new WeakReference<>(parcelledData); + } + } + +- mLazyValues = numLazyValues; ++ mLazyValues = numLazyValues[0]; + mParcelledByNative = false; + mMap = map; + // Set field last as it is volatile +diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java +index 136c45d1695f..b6eac10413aa 100644 +--- a/core/java/android/os/Parcel.java ++++ b/core/java/android/os/Parcel.java +@@ -5519,7 +5519,7 @@ public final class Parcel { + + private void readArrayMapInternal(@NonNull ArrayMap outVal, + int size, @Nullable ClassLoader loader) { +- readArrayMap(outVal, size, /* sorted */ true, /* lazy */ false, loader); ++ readArrayMap(outVal, size, /* sorted */ true, /* lazy */ false, loader, null); + } + + /** +@@ -5529,17 +5529,16 @@ public final class Parcel { + * @param lazy Whether to populate the map with lazy {@link Function} objects for + * length-prefixed values. See {@link Parcel#readLazyValue(ClassLoader)} for more + * details. +- * @return a count of the lazy values in the map ++ * @param lazyValueCount number of lazy values added here + * @hide + */ +- int readArrayMap(ArrayMap map, int size, boolean sorted, +- boolean lazy, @Nullable ClassLoader loader) { +- int lazyValues = 0; ++ void readArrayMap(ArrayMap map, int size, boolean sorted, ++ boolean lazy, @Nullable ClassLoader loader, int[] lazyValueCount) { + while (size > 0) { + String key = readString(); + Object value = (lazy) ? readLazyValue(loader) : readValue(loader); + if (value instanceof LazyValue) { +- lazyValues++; ++ lazyValueCount[0]++; + } + if (sorted) { + map.append(key, value); +@@ -5551,7 +5550,6 @@ public final class Parcel { + if (sorted) { + map.validate(); + } +- return lazyValues; + } + + /** +-- +2.48.1.262.g85cc9f2d1e-goog + diff --git a/aosp_diff/preliminary/frameworks/base/0050-Check-underlying-intent-as-well-as-intent-selector.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0050-Check-underlying-intent-as-well-as-intent-selector.bulletin.patch new file mode 100644 index 0000000000..dbaa6e9406 --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0050-Check-underlying-intent-as-well-as-intent-selector.bulletin.patch @@ -0,0 +1,72 @@ +From 8612a293fb4ae27225454db9463f38a925cd4d46 Mon Sep 17 00:00:00 2001 +From: oli +Date: Tue, 28 Jan 2025 16:28:31 +0000 +Subject: [PATCH] Check underlying intent as well as intent selector + +When checking if an intent can be forwarded across profiles, the +selector action is checked rather than the intent itself. +This means badIntents can be spoofed with a different selector and +launched across profiles. + +Bug: 376674080 +Test: manually tested +Flag: EXEMPT bugfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fc28861349e0113f807016501da3e1fd963b59fa) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc7e4fffc58d535c6eaba6c382c8c89e35136389) +Merged-In: If04e1020fc5a09f04630ba08d7e3b3012f2aa577 +Change-Id: If04e1020fc5a09f04630ba08d7e3b3012f2aa577 +--- + .../internal/app/IntentForwarderActivity.java | 27 +++++++++++++------ + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/core/java/com/android/internal/app/IntentForwarderActivity.java b/core/java/com/android/internal/app/IntentForwarderActivity.java +index d72207d9b9ef..a1bb325534dd 100644 +--- a/core/java/com/android/internal/app/IntentForwarderActivity.java ++++ b/core/java/com/android/internal/app/IntentForwarderActivity.java +@@ -586,24 +586,35 @@ public class IntentForwarderActivity extends Activity { + Intent.FLAG_ACTIVITY_FORWARD_RESULT | Intent.FLAG_ACTIVITY_PREVIOUS_IS_TOP); + sanitizeIntent(forwardIntent); + +- Intent intentToCheck = forwardIntent; +- if (Intent.ACTION_CHOOSER.equals(forwardIntent.getAction())) { ++ if (!canForwardInner(forwardIntent, sourceUserId, targetUserId, packageManager, ++ contentResolver)) { + return null; + } + if (forwardIntent.getSelector() != null) { +- intentToCheck = forwardIntent.getSelector(); ++ sanitizeIntent(forwardIntent.getSelector()); ++ if (!canForwardInner(forwardIntent.getSelector(), sourceUserId, targetUserId, ++ packageManager, contentResolver)) { ++ return null; ++ } ++ } ++ return forwardIntent; ++ } ++ ++ private static boolean canForwardInner(Intent intent, int sourceUserId, int targetUserId, ++ IPackageManager packageManager, ContentResolver contentResolver) { ++ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) { ++ return false; + } +- String resolvedType = intentToCheck.resolveTypeIfNeeded(contentResolver); +- sanitizeIntent(intentToCheck); ++ String resolvedType = intent.resolveTypeIfNeeded(contentResolver); + try { + if (packageManager.canForwardTo( +- intentToCheck, resolvedType, sourceUserId, targetUserId)) { +- return forwardIntent; ++ intent, resolvedType, sourceUserId, targetUserId)) { ++ return true; + } + } catch (RemoteException e) { + Slog.e(TAG, "PackageManagerService is dead?"); + } +- return null; ++ return false; + } + + /** +-- +2.48.1.262.g85cc9f2d1e-goog + diff --git a/aosp_diff/preliminary/frameworks/base/0051-Do-not-allow-non-system-apps-to-provide-unverified-a.patch b/aosp_diff/preliminary/frameworks/base/0051-Do-not-allow-non-system-apps-to-provide-unverified-a.patch new file mode 100644 index 0000000000..4f7bdfb01f --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0051-Do-not-allow-non-system-apps-to-provide-unverified-a.patch @@ -0,0 +1,263 @@ +From baf4d6fc809f8b44fc471abee03caea739bfc778 Mon Sep 17 00:00:00 2001 +From: Nate Myren +Date: Thu, 9 Jan 2025 10:09:56 -0800 +Subject: [PATCH] Do not allow non-system apps to provide unverified + attributions + +Some apps (the shell, system server, etc) are exempt from the +requirement that attribution tags be registered. However, in the proxy +case, the tag provied by the proxy app is trusted if the proxied app is +one of these exemptions. We should only trust these tags if the proxy +app is a system app. + +This CL also adds a second restriction check when a restriction is +removed, to verify that an op is free of all restrictions, before +resuming a started op + +Bug: 375623125 +Test: upcoming +Flag: EXEMPT: See bug +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9dd915f74a88459fab5dc0b6518708b0d3df66e5) +Merged-In: I6a7b0a24359097c0ea2f52cc69637d929a931b4f +Change-Id: I6a7b0a24359097c0ea2f52cc69637d929a931b4f +--- + .../android/server/appop/AppOpsService.java | 92 ++++++++++++------- + 1 file changed, 58 insertions(+), 34 deletions(-) + +diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java +index 101271ad86b4..784c11750409 100644 +--- a/services/core/java/com/android/server/appop/AppOpsService.java ++++ b/services/core/java/com/android/server/appop/AppOpsService.java +@@ -610,7 +610,7 @@ public class AppOpsService extends IAppOpsService.Stub { + } + } + +- /** Returned from {@link #verifyAndGetBypass(int, String, String, String, boolean)}. */ ++ /** Returned from {@link #verifyAndGetBypass(int, String, String, int, String, boolean)}. */ + private static final class PackageVerificationResult { + + final RestrictionBypass bypass; +@@ -3111,10 +3111,10 @@ public class AppOpsService extends IAppOpsService.Stub { + public int checkPackage(int uid, String packageName) { + Objects.requireNonNull(packageName); + try { +- verifyAndGetBypass(uid, packageName, null, null, true); ++ verifyAndGetBypass(uid, packageName, null, Process.INVALID_UID, null, true); + // When the caller is the system, it's possible that the packageName is the special + // one (e.g., "root") which isn't actually existed. +- if (resolveUid(packageName) == uid ++ if (resolveNonAppUid(packageName) == uid + || (isPackageExisted(packageName) + && !filterAppAccessUnlocked(packageName, UserHandle.getUserId(uid)))) { + return AppOpsManager.MODE_ALLOWED; +@@ -3313,7 +3313,7 @@ public class AppOpsService extends IAppOpsService.Stub { + boolean shouldCollectMessage) { + PackageVerificationResult pvr; + try { +- pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyPackageName); ++ pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyUid, proxyPackageName); + if (!pvr.isAttributionTagValid) { + attributionTag = null; + } +@@ -3900,7 +3900,7 @@ public class AppOpsService extends IAppOpsService.Stub { + // Test if the proxied operation will succeed before starting the proxy operation + final SyncNotedAppOp testProxiedOp = startOperationDryRun(code, + proxiedUid, resolvedProxiedPackageName, proxiedAttributionTag, +- proxiedVirtualDeviceId, resolvedProxyPackageName, proxiedFlags, ++ proxiedVirtualDeviceId, proxyUid, resolvedProxyPackageName, proxiedFlags, + startIfModeDefault); + + if (!shouldStartForMode(testProxiedOp.getOpMode(), startIfModeDefault)) { +@@ -3940,7 +3940,7 @@ public class AppOpsService extends IAppOpsService.Stub { + int attributionChainId) { + PackageVerificationResult pvr; + try { +- pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyPackageName); ++ pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyUid, proxyPackageName); + if (!pvr.isAttributionTagValid) { + attributionTag = null; + } +@@ -4067,11 +4067,11 @@ public class AppOpsService extends IAppOpsService.Stub { + */ + private SyncNotedAppOp startOperationDryRun(int code, int uid, + @NonNull String packageName, @Nullable String attributionTag, int virtualDeviceId, +- String proxyPackageName, @OpFlags int flags, ++ int proxyUid, String proxyPackageName, @OpFlags int flags, + boolean startIfModeDefault) { + PackageVerificationResult pvr; + try { +- pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyPackageName); ++ pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyUid, proxyPackageName); + if (!pvr.isAttributionTagValid) { + attributionTag = null; + } +@@ -4266,8 +4266,7 @@ public class AppOpsService extends IAppOpsService.Stub { + int virtualDeviceId) { + PackageVerificationResult pvr; + try { +- pvr = verifyAndGetBypass(proxiedUid, proxiedPackageName, attributionTag, +- proxyPackageName); ++ pvr = verifyAndGetBypass(proxiedUid, proxiedPackageName, attributionTag, proxyUid, proxyPackageName); + if (!pvr.isAttributionTagValid) { + attributionTag = null; + } +@@ -4638,13 +4637,17 @@ public class AppOpsService extends IAppOpsService.Stub { + private boolean isSpecialPackage(int callingUid, @Nullable String packageName) { + final String resolvedPackage = AppOpsManager.resolvePackageName(callingUid, packageName); + return callingUid == Process.SYSTEM_UID +- || resolveUid(resolvedPackage) != Process.INVALID_UID; ++ || resolveNonAppUid(resolvedPackage) != Process.INVALID_UID; + } + + private boolean isCallerAndAttributionTrusted(@NonNull AttributionSource attributionSource) { + if (attributionSource.getUid() != Binder.getCallingUid() + && attributionSource.isTrusted(mContext)) { +- return true; ++ // if there is a next attribution source, it must be trusted, as well. ++ if (attributionSource.getNext() == null ++ || attributionSource.getNext().isTrusted(mContext)) { ++ return true; ++ } + } + return mContext.checkPermission(android.Manifest.permission.UPDATE_APP_OPS_STATS, + Binder.getCallingPid(), Binder.getCallingUid(), null) +@@ -4739,19 +4742,20 @@ public class AppOpsService extends IAppOpsService.Stub { + } + + /** +- * @see #verifyAndGetBypass(int, String, String, String, boolean) ++ * @see #verifyAndGetBypass(int, String, String, int, String, boolean) + */ + private @NonNull PackageVerificationResult verifyAndGetBypass(int uid, String packageName, + @Nullable String attributionTag) { +- return verifyAndGetBypass(uid, packageName, attributionTag, null); ++ return verifyAndGetBypass(uid, packageName, attributionTag, Process.INVALID_UID, null); + } + + /** +- * @see #verifyAndGetBypass(int, String, String, String, boolean) ++ * @see #verifyAndGetBypass(int, String, String, int, String, boolean) + */ + private @NonNull PackageVerificationResult verifyAndGetBypass(int uid, String packageName, +- @Nullable String attributionTag, @Nullable String proxyPackageName) { +- return verifyAndGetBypass(uid, packageName, attributionTag, proxyPackageName, false); ++ @Nullable String attributionTag, int proxyUid, @Nullable String proxyPackageName) { ++ return verifyAndGetBypass(uid, packageName, attributionTag, proxyUid, proxyPackageName, ++ false); + } + + /** +@@ -4762,14 +4766,15 @@ public class AppOpsService extends IAppOpsService.Stub { + * @param uid The uid the package belongs to + * @param packageName The package the might belong to the uid + * @param attributionTag attribution tag or {@code null} if no need to verify +- * @param proxyPackageName The proxy package, from which the attribution tag is to be pulled ++ * @param proxyUid The proxy uid, from which the attribution tag is to be pulled ++ * @param proxyPackageName The proxy package, from which the attribution tag may be pulled + * @param suppressErrorLogs Whether to print to logcat about nonmatching parameters + * + * @return PackageVerificationResult containing {@link RestrictionBypass} and whether the + * attribution tag is valid + */ + private @NonNull PackageVerificationResult verifyAndGetBypass(int uid, String packageName, +- @Nullable String attributionTag, @Nullable String proxyPackageName, ++ @Nullable String attributionTag, int proxyUid, @Nullable String proxyPackageName, + boolean suppressErrorLogs) { + if (uid == Process.ROOT_UID) { + // For backwards compatibility, don't check package name for root UID, unless someone +@@ -4817,34 +4822,47 @@ public class AppOpsService extends IAppOpsService.Stub { + + int callingUid = Binder.getCallingUid(); + +- // Allow any attribution tag for resolvable uids +- int pkgUid; ++ // Allow any attribution tag for resolvable, non-app uids ++ int nonAppUid; + if (Objects.equals(packageName, "com.android.shell")) { + // Special case for the shell which is a package but should be able + // to bypass app attribution tag restrictions. +- pkgUid = Process.SHELL_UID; ++ nonAppUid = Process.SHELL_UID; + } else { +- pkgUid = resolveUid(packageName); ++ nonAppUid = resolveNonAppUid(packageName); + } +- if (pkgUid != Process.INVALID_UID) { +- if (pkgUid != UserHandle.getAppId(uid)) { ++ if (nonAppUid != Process.INVALID_UID) { ++ if (nonAppUid != UserHandle.getAppId(uid)) { + if (!suppressErrorLogs) { + Slog.e(TAG, "Bad call made by uid " + callingUid + ". " +- + "Package \"" + packageName + "\" does not belong to uid " + uid +- + "."); ++ + "Package \"" + packageName + "\" does not belong to uid " + uid ++ + "."); ++ } ++ String otherUidMessage = ++ DEBUG ? " but it is really " + nonAppUid : " but it is not"; ++ throw new SecurityException("Specified package \"" + packageName ++ + "\" under uid " + UserHandle.getAppId(uid) + otherUidMessage); ++ } ++ // We only allow bypassing the attribution tag verification if the proxy is a ++ // system app (or is null), in order to prevent abusive apps clogging the appops ++ // system with unlimited attribution tags via proxy calls. ++ boolean proxyIsSystemAppOrNull = true; ++ if (proxyPackageName != null) { ++ int proxyAppId = UserHandle.getAppId(proxyUid); ++ if (proxyAppId >= Process.FIRST_APPLICATION_UID) { ++ proxyIsSystemAppOrNull = ++ mPackageManagerInternal.isSystemPackage(proxyPackageName); + } +- String otherUidMessage = DEBUG ? " but it is really " + pkgUid : " but it is not"; +- throw new SecurityException("Specified package \"" + packageName + "\" under uid " +- + UserHandle.getAppId(uid) + otherUidMessage); + } + return new PackageVerificationResult(RestrictionBypass.UNRESTRICTED, +- /* isAttributionTagValid */ true); ++ /* isAttributionTagValid */ proxyIsSystemAppOrNull); + } + + int userId = UserHandle.getUserId(uid); + RestrictionBypass bypass = null; + boolean isAttributionTagValid = false; + ++ int pkgUid = nonAppUid; + final long ident = Binder.clearCallingIdentity(); + try { + PackageManagerInternal pmInt = LocalServices.getService(PackageManagerInternal.class); +@@ -5646,7 +5664,7 @@ public class AppOpsService extends IAppOpsService.Stub { + if (nonpackageUid != -1) { + packageName = null; + } else { +- packageUid = resolveUid(packageName); ++ packageUid = resolveNonAppUid(packageName); + if (packageUid < 0) { + packageUid = AppGlobals.getPackageManager().getPackageUid(packageName, + PackageManager.MATCH_UNINSTALLED_PACKAGES, userId); +@@ -6746,7 +6764,13 @@ public class AppOpsService extends IAppOpsService.Stub { + if (restricted && attrOp.isRunning()) { + attrOp.pause(); + } else if (attrOp.isPaused()) { +- attrOp.resume(); ++ RestrictionBypass bypass = verifyAndGetBypass(uid, ops.packageName, attrOp.tag) ++ .bypass; ++ if (!isOpRestrictedLocked(uid, code, ops.packageName, attrOp.tag, ++ Context.DEVICE_ID_DEFAULT, bypass, false)) { ++ // Only resume if there are no other restrictions remaining on this op ++ attrOp.resume(); ++ } + } + } + } +@@ -7195,7 +7219,7 @@ public class AppOpsService extends IAppOpsService.Stub { + } + } + +- private static int resolveUid(String packageName) { ++ private static int resolveNonAppUid(String packageName) { + if (packageName == null) { + return Process.INVALID_UID; + } +-- +2.34.1 + diff --git a/aosp_diff/preliminary/frameworks/base/0052-DO-NOT-MERGE-Update-ActivityRecordInputSink-using-the-pending-t.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0052-DO-NOT-MERGE-Update-ActivityRecordInputSink-using-the-pending-t.bulletin.patch new file mode 100644 index 0000000000..40cbd8220d --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0052-DO-NOT-MERGE-Update-ActivityRecordInputSink-using-the-pending-t.bulletin.patch @@ -0,0 +1,53 @@ +From d0c52fbde58768bc7fc6cf618c59d01057edd954 Mon Sep 17 00:00:00 2001 +From: Vishnu Nair +Date: Fri, 24 Jan 2025 05:37:23 +0000 +Subject: [PATCH] DO NOT MERGE: Update ActivityRecordInputSink using the + pending transaction + +In some cases where finishTransition happens before the pending +transaction is applied, we can end up with a stale state. Subsequent +prepareSurfaces does not fix the issue because the InputWindowHandle is +only applied on changes. + +Fix the race by only using pending transactions to apply +ActivityRecordInputSink state changes. + +Bug: 332277530 +Test: POC from bug +Flag: EXEMPT bug fix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:24aeaa1b55d3c602ddd4e53a44bf304a21c8d3df) +Merged-In: If93840ad7b2abbcb48c0c332870c48046c0f8fdc +Change-Id: If93840ad7b2abbcb48c0c332870c48046c0f8fdc +--- + .../core/java/com/android/server/wm/Transition.java | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/services/core/java/com/android/server/wm/Transition.java b/services/core/java/com/android/server/wm/Transition.java +index dcfe350b1c42..2702557bf4af 100644 +--- a/services/core/java/com/android/server/wm/Transition.java ++++ b/services/core/java/com/android/server/wm/Transition.java +@@ -1398,16 +1398,15 @@ class Transition implements BLASTSyncEngine.TransactionReadyListener { + } + + // Update the input-sink (touch-blocking) state now that the animation is finished. +- SurfaceControl.Transaction inputSinkTransaction = null; ++ boolean scheduleAnimation = false; + for (int i = 0; i < mParticipants.size(); ++i) { + final ActivityRecord ar = mParticipants.valueAt(i).asActivityRecord(); + if (ar == null || !ar.isVisible() || ar.getParent() == null) continue; +- if (inputSinkTransaction == null) { +- inputSinkTransaction = ar.mWmService.mTransactionFactory.get(); +- } +- ar.mActivityRecordInputSink.applyChangesToSurfaceIfChanged(inputSinkTransaction); ++ scheduleAnimation = true; ++ ar.mActivityRecordInputSink.applyChangesToSurfaceIfChanged(ar.getPendingTransaction()); + } +- if (inputSinkTransaction != null) inputSinkTransaction.apply(); ++ // To apply pending transactions. ++ if (scheduleAnimation) mController.mAtm.mWindowManager.scheduleAnimationLocked(); + + // Always schedule stop processing when transition finishes because activities don't + // stop while they are in a transition thus their stop could still be pending. +-- +2.48.1.262.g85cc9f2d1e-goog + diff --git a/aosp_diff/preliminary/frameworks/base/0053-Disable-Developer-options-by-default-for-managed-pro.patch b/aosp_diff/preliminary/frameworks/base/0053-Disable-Developer-options-by-default-for-managed-pro.patch new file mode 100644 index 0000000000..9b830d0efd --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0053-Disable-Developer-options-by-default-for-managed-pro.patch @@ -0,0 +1,102 @@ +From f80ed8965e0f5765978b1530083a013d49319a27 Mon Sep 17 00:00:00 2001 +From: Sinduran Sivarajan +Date: Mon, 3 Feb 2025 08:47:40 -0800 +Subject: [PATCH] Disable "Developer options" by default for managed profiles. + +Bug: 382064697 +Test: go/work-profile-creation-developer-access +Flag: EXEMPT bugfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:73b54cdf4b70831c4f952d7556274609cb46214e) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a44611648b44ceee8e2337dfba92398475c72602) +Merged-In: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c +Change-Id: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c +--- + .../server/pm/UserRestrictionsUtils.java | 3 +- + .../DevicePolicyManagerService.java | 32 +++++++++++++------ + 2 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java +index 2bc6d53147fb..a1082481abb8 100644 +--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java ++++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java +@@ -309,7 +309,8 @@ public class UserRestrictionsUtils { + * in settings. So it is handled separately. + */ + private static final Set DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet( +- UserManager.DISALLOW_BLUETOOTH_SHARING ++ UserManager.DISALLOW_BLUETOOTH_SHARING, ++ UserManager.DISALLOW_DEBUGGING_FEATURES + ); + + /** +diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +index 537f78bb0e54..674289b90734 100644 +--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java ++++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +@@ -2746,16 +2746,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + } + } + +- /** +- * Apply default restrictions that haven't been applied to a given admin yet. +- */ ++ /** Apply default restrictions that haven't been applied to a given admin yet. */ + private void maybeSetDefaultRestrictionsForAdminLocked(int userId, ActiveAdmin admin) { +- Set defaultRestrictions = +- UserRestrictionsUtils.getDefaultEnabledForManagedProfiles(); +- if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) { ++ Set newDefaultRestrictions = new HashSet( ++ UserRestrictionsUtils.getDefaultEnabledForManagedProfiles()); ++ newDefaultRestrictions.removeAll(admin.defaultEnabledRestrictionsAlreadySet); ++ if (newDefaultRestrictions.isEmpty()) { + return; // The same set of default restrictions has been already applied. + } +- for (String restriction : defaultRestrictions) { ++ ++ for (String restriction : newDefaultRestrictions) { + mDevicePolicyEngine.setLocalPolicy( + PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction), + EnforcingAdmin.createEnterpriseEnforcingAdmin( +@@ -2764,9 +2764,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + new BooleanPolicyValue(true), + userId); + } +- admin.defaultEnabledRestrictionsAlreadySet.addAll(defaultRestrictions); ++ admin.defaultEnabledRestrictionsAlreadySet.addAll(newDefaultRestrictions); + Slogf.i(LOG_TAG, "Enabled the following restrictions by default: " +- + defaultRestrictions); ++ + newDefaultRestrictions); + } + + private void maybeStartSecurityLogMonitorOnActivityManagerReady() { +@@ -10357,7 +10357,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + return false; + } + +- if (isAdb(caller)) { ++ boolean isAdb = isAdb(caller); ++ if (isAdb) { + // Log profile owner provisioning was started using adb. + MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER); + DevicePolicyEventLogger +@@ -10379,6 +10380,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + maybeSetDefaultRestrictionsForAdminLocked(userHandle, admin); + ensureUnknownSourcesRestrictionForProfileOwnerLocked(userHandle, admin, + true /* newOwner */); ++ if (isAdb) { ++ // DISALLOW_DEBUGGING_FEATURES is being added to newly-created ++ // work profile by default due to b/382064697 . This would have ++ // impacted certain CTS test flows when they interact with the ++ // work profile via ADB (for example installing an app into the ++ // work profile). Remove DISALLOW_DEBUGGING_FEATURES here to ++ // reduce the potential impact. ++ setLocalUserRestrictionInternal( ++ EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle), ++ UserManager.DISALLOW_DEBUGGING_FEATURES, false, userHandle); ++ } + } + sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_PROFILE_OWNER_CHANGED, + userHandle); +-- +2.34.1 + diff --git a/aosp_diff/preliminary/packages/apps/Settings/0012-Check-the-permission-of-the-callingUid-instead-of-the-calling-pa.bulletin.patch b/aosp_diff/preliminary/packages/apps/Settings/0012-Check-the-permission-of-the-callingUid-instead-of-the-calling-pa.bulletin.patch new file mode 100644 index 0000000000..3173d579c8 --- /dev/null +++ b/aosp_diff/preliminary/packages/apps/Settings/0012-Check-the-permission-of-the-callingUid-instead-of-the-calling-pa.bulletin.patch @@ -0,0 +1,72 @@ +From 9dba6f50302b1432ac7ca8b33c98220d822a1815 Mon Sep 17 00:00:00 2001 +From: Fan Wu +Date: Thu, 2 Jan 2025 11:18:59 +0800 +Subject: [PATCH] Check the permission of the callingUid instead of the calling + package + +Bug: 372671447 +Test: atest +Flag: EXEMPT bug fix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e719575e92c1e6bd0b9088663e6c909bccf2b007) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bd45baa9365ea8db42249bf83d780c7a0473656) +Merged-In: Ib36c0a3ba482bcddd53c2c09409ea818e6f43cad +Change-Id: Ib36c0a3ba482bcddd53c2c09409ea818e6f43cad +--- + .../settings/applications/AppInfoBase.java | 25 ++++++++++--------- + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/src/com/android/settings/applications/AppInfoBase.java b/src/com/android/settings/applications/AppInfoBase.java +index f55aee23f9..8422ece89d 100644 +--- a/src/com/android/settings/applications/AppInfoBase.java ++++ b/src/com/android/settings/applications/AppInfoBase.java +@@ -20,6 +20,7 @@ import static com.android.settingslib.RestrictedLockUtils.EnforcedAdmin; + + import android.Manifest; + import android.app.Activity; ++import android.app.ActivityManager; + import android.app.Dialog; + import android.app.admin.DevicePolicyManager; + import android.app.settings.SettingsEnums; +@@ -34,6 +35,7 @@ import android.content.pm.PackageManager.NameNotFoundException; + import android.hardware.usb.IUsbManager; + import android.os.Bundle; + import android.os.IBinder; ++import android.os.RemoteException; + import android.os.ServiceManager; + import android.os.UserHandle; + import android.os.UserManager; +@@ -176,20 +178,19 @@ public abstract class AppInfoBase extends SettingsPreferenceFragment + if (!(activity instanceof SettingsActivity)) { + return false; + } +- final String callingPackageName = +- ((SettingsActivity) activity).getInitialCallingPackage(); +- +- if (TextUtils.isEmpty(callingPackageName)) { +- Log.w(TAG, "Not able to get calling package name for permission check"); +- return false; +- } +- if (mPm.checkPermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL, callingPackageName) +- != PackageManager.PERMISSION_GRANTED) { +- Log.w(TAG, "Package " + callingPackageName + " does not have required permission " +- + Manifest.permission.INTERACT_ACROSS_USERS_FULL); ++ try { ++ int callerUid = ActivityManager.getService().getLaunchedFromUid( ++ activity.getActivityToken()); ++ if (ActivityManager.checkUidPermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL, ++ callerUid) != PackageManager.PERMISSION_GRANTED) { ++ Log.w(TAG, "Uid " + callerUid + " does not have required permission " ++ + Manifest.permission.INTERACT_ACROSS_USERS_FULL); ++ return false; ++ } ++ return true; ++ } catch (RemoteException e) { + return false; + } +- return true; + } + + protected void setIntentAndFinish(boolean appChanged) { +-- +2.48.1.262.g85cc9f2d1e-goog + diff --git a/aosp_diff/preliminary/packages/apps/Settings/0013-Remove-incorrect-call-to-Window.addFlags-with-a-syst.patch b/aosp_diff/preliminary/packages/apps/Settings/0013-Remove-incorrect-call-to-Window.addFlags-with-a-syst.patch new file mode 100644 index 0000000000..81edd59389 --- /dev/null +++ b/aosp_diff/preliminary/packages/apps/Settings/0013-Remove-incorrect-call-to-Window.addFlags-with-a-syst.patch @@ -0,0 +1,89 @@ +From 9a16a76220d2bb32ef8f3fbfc7bd88623729fce7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= +Date: Fri, 3 Jan 2025 13:38:10 +0100 +Subject: [PATCH] Remove incorrect call to Window.addFlags with a system flag + +The same flag is being (correctly) added in onCreate, so on top of being wrong this was also completely unnecessary. + +Bug: 368579654 +Test: atest NotificationAccessConfirmationActivityTest +Flag: EXEMPT bugfix + +(cherry picked from commit e0510a62eba04140e459cdd8232f35087aa3073b) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4b2cf3f23788ec210863757217ead902ee1f3bb4) +Merged-In: I539fca77a1d136bdd0e4892993020884430b8a4e +Change-Id: I539fca77a1d136bdd0e4892993020884430b8a4e +--- + .../NotificationAccessConfirmationActivity.java | 15 --------------- + ...otificationAccessConfirmationActivityTest.java | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java +index 7d3e7a0d698..541c1051913 100644 +--- a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java ++++ b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java +@@ -41,7 +41,6 @@ import android.os.UserManager; + import android.service.notification.NotificationListenerService; + import android.text.TextUtils; + import android.util.Slog; +-import android.view.WindowManager; + import android.view.accessibility.AccessibilityEvent; + import android.widget.Toast; + +@@ -161,20 +160,6 @@ public class NotificationAccessConfirmationActivity extends Activity + getWindow().setCloseOnTouchOutside(false); + } + +- @Override +- public void onResume() { +- super.onResume(); +- getWindow().addFlags( +- WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); +- } +- +- @Override +- public void onPause() { +- getWindow().clearFlags( +- WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); +- super.onPause(); +- } +- + private void onAllow() { + mNm.setNotificationListenerAccessGranted(mComponentName, true); + +diff --git a/tests/robotests/src/com/android/settings/notification/NotificationAccessConfirmationActivityTest.java b/tests/robotests/src/com/android/settings/notification/NotificationAccessConfirmationActivityTest.java +index 0a953615abf..8ae242f0869 100644 +--- a/tests/robotests/src/com/android/settings/notification/NotificationAccessConfirmationActivityTest.java ++++ b/tests/robotests/src/com/android/settings/notification/NotificationAccessConfirmationActivityTest.java +@@ -16,6 +16,8 @@ + + package com.android.settings.notification; + ++import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS; ++ + import static com.android.internal.notification.NotificationAccessConfirmationActivityContract.EXTRA_COMPONENT_NAME; + + import static com.google.common.truth.Truth.assertThat; +@@ -42,6 +44,19 @@ import org.robolectric.RuntimeEnvironment; + @RunWith(RobolectricTestRunner.class) + public class NotificationAccessConfirmationActivityTest { + ++ @Test ++ public void onCreate_setsWindowFlags() { ++ ComponentName cn = new ComponentName("com.example", "com.example.SomeService"); ++ installPackage(cn.getPackageName(), "Example"); ++ ++ NotificationAccessConfirmationActivity activity = startActivityWithIntent(cn); ++ ++ assertThat(activity.getWindow().getAttributes().privateFlags ++ & SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS).isNotEqualTo(0); ++ assertThat(activity.getWindow().getAttributes().flags ++ & SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS).isEqualTo(0); ++ } ++ + @Test + public void start_withMissingIntentFilter_finishes() { + ComponentName cn = new ComponentName("com.example", "com.example.SomeService"); +-- +2.34.1 + diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/0007-Fix-type-confusion-in-avdt_msg.cc.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/0007-Fix-type-confusion-in-avdt_msg.cc.patch new file mode 100644 index 0000000000..3dfbe508f6 --- /dev/null +++ b/aosp_diff/preliminary/packages/modules/Bluetooth/0007-Fix-type-confusion-in-avdt_msg.cc.patch @@ -0,0 +1,43 @@ +From 2d8c5da7576f62c2cece9dd6cad6ccfbe104864e Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Fri, 11 Oct 2024 21:06:29 +0000 +Subject: [PATCH] Fix type confusion in avdt_msg.cc + +It is possible for a malicious user to reply to a pending AVDT message +with the wrong type, leading to type confusion and an eventual OOB +access. + +Add message type validation. + +Bug: 273995284 +Test: m libbluetooth +Ignore-AOSP-First: security +Tag: #security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:80c094a66067efc42837cb8da445de4c3f5b637f) +Merged-In: I87a0df92710658d6c27d9b63ee7813a0d45a301a +Change-Id: I87a0df92710658d6c27d9b63ee7813a0d45a301a +--- + system/stack/avdt/avdt_msg.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/system/stack/avdt/avdt_msg.cc b/system/stack/avdt/avdt_msg.cc +index eb623b1b2a..f94adb1017 100644 +--- a/system/stack/avdt/avdt_msg.cc ++++ b/system/stack/avdt/avdt_msg.cc +@@ -1554,6 +1554,13 @@ void avdt_msg_ind(AvdtpCcb* p_ccb, BT_HDR* p_buf) { + ok = false; + } + } ++ ++ /* validate reject/response against cached sig */ ++ if (((msg_type == AVDT_MSG_TYPE_RSP) || (msg_type == AVDT_MSG_TYPE_REJ)) && ++ (p_ccb->p_curr_cmd == nullptr || p_ccb->p_curr_cmd->event != sig)) { ++ log::warn("Dropping msg with mismatched sig; sig=%d", sig); ++ ok = false; ++ } + } + + log::verbose("msg_type={}, sig={}", msg_type, sig); +-- +2.34.1 + diff --git a/aosp_diff/preliminary/packages/services/Telecomm/0005-Revert-Unbind-CS-if-connection-is-not-created-within.patch b/aosp_diff/preliminary/packages/services/Telecomm/0005-Revert-Unbind-CS-if-connection-is-not-created-within.patch new file mode 100644 index 0000000000..0c8c2a5fea --- /dev/null +++ b/aosp_diff/preliminary/packages/services/Telecomm/0005-Revert-Unbind-CS-if-connection-is-not-created-within.patch @@ -0,0 +1,225 @@ +From 32153b887abbedf7a67b1b24c69f1ba498944611 Mon Sep 17 00:00:00 2001 +From: Grant Menke +Date: Thu, 8 Aug 2024 22:57:21 +0000 +Subject: [PATCH] Revert "Unbind CS if connection is not created within 15 + seconds." + +This reverts commit 7aa55ffca65d6166145fd9660e0f7340c07053bf. + +Reason for revert: NPE + +(cherry picked from commit aa443e673ee0e1ca984117025955cbd0614f2f87) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:95588c25993a5a3cfdbf05765af77d1b1fe72f86) +Merged-In: Ib845c6d52c5839b12cb9f8fa8b72cd0c7b10dbe5 +Change-Id: Ib845c6d52c5839b12cb9f8fa8b72cd0c7b10dbe5 +--- + .../telecom/ConnectionServiceWrapper.java | 66 ------------------- + src/com/android/server/telecom/LogUtils.java | 2 - + .../server/telecom/tests/BasicCallTests.java | 2 - + .../telecom/tests/CallsManagerTest.java | 38 ----------- + 4 files changed, 108 deletions(-) + +diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java +index 915d3ea71..004ed4103 100644 +--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java ++++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java +@@ -1638,39 +1638,6 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + .setParticipants(call.getParticipants()) + .setIsAdhocConferenceCall(call.isAdhocConferenceCall()) + .build(); +- Runnable r = new Runnable("CSW.cC", mLock) { +- @Override +- public void loggedRun() { +- if (!call.isCreateConnectionComplete()) { +- Log.e(this, new Exception(), +- "Conference %s creation timeout", +- getComponentName()); +- Log.addEvent(call, LogUtils.Events.CREATE_CONFERENCE_TIMEOUT, +- Log.piiHandle(call.getHandle()) + " via:" + +- getComponentName().getPackageName()); +- mAnomalyReporter.reportAnomaly( +- CREATE_CONFERENCE_TIMEOUT_ERROR_UUID, +- CREATE_CONFERENCE_TIMEOUT_ERROR_MSG); +- response.handleCreateConferenceFailure( +- new DisconnectCause(DisconnectCause.ERROR)); +- } +- } +- }; +- if (mScheduledExecutor != null && !mScheduledExecutor.isShutdown()) { +- try { +- // Post cleanup to the executor service and cache the future, +- // so we can cancel it if needed. +- ScheduledFuture future = mScheduledExecutor.schedule( +- r.getRunnableToCancel(),SERVICE_BINDING_TIMEOUT, +- TimeUnit.MILLISECONDS); +- mScheduledFutureMap.put(call, future); +- } catch (RejectedExecutionException e) { +- Log.e(this, e, "createConference: mScheduledExecutor was " +- + "already shutdown"); +- } +- } else { +- Log.w(this, "createConference: Scheduled executor is null or shutdown"); +- } + try { + mServiceInterface.createConference( + call.getConnectionManagerPhoneAccount(), +@@ -1777,39 +1744,6 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + .setRttPipeFromInCall(call.getInCallToCsRttPipeForCs()) + .setRttPipeToInCall(call.getCsToInCallRttPipeForCs()) + .build(); +- Runnable r = new Runnable("CSW.cC", mLock) { +- @Override +- public void loggedRun() { +- if (!call.isCreateConnectionComplete()) { +- Log.e(this, new Exception(), +- "Connection %s creation timeout", +- getComponentName()); +- Log.addEvent(call, LogUtils.Events.CREATE_CONNECTION_TIMEOUT, +- Log.piiHandle(call.getHandle()) + " via:" + +- getComponentName().getPackageName()); +- mAnomalyReporter.reportAnomaly( +- CREATE_CONNECTION_TIMEOUT_ERROR_UUID, +- CREATE_CONNECTION_TIMEOUT_ERROR_MSG); +- response.handleCreateConnectionFailure( +- new DisconnectCause(DisconnectCause.ERROR)); +- } +- } +- }; +- if (mScheduledExecutor != null && !mScheduledExecutor.isShutdown()) { +- try { +- // Post cleanup to the executor service and cache the future, +- // so we can cancel it if needed. +- ScheduledFuture future = mScheduledExecutor.schedule( +- r.getRunnableToCancel(),SERVICE_BINDING_TIMEOUT, +- TimeUnit.MILLISECONDS); +- mScheduledFutureMap.put(call, future); +- } catch (RejectedExecutionException e) { +- Log.e(this, e, "createConnection: mScheduledExecutor was " +- + "already shutdown"); +- } +- } else { +- Log.w(this, "createConnection: Scheduled executor is null or shutdown"); +- } + try { + if (mFlags.cswServiceInterfaceIsNull() && mServiceInterface == null) { + if (mFlags.dontTimeoutDestroyedCalls()) { +diff --git a/src/com/android/server/telecom/LogUtils.java b/src/com/android/server/telecom/LogUtils.java +index d98ebfe6b..0d6acd51d 100644 +--- a/src/com/android/server/telecom/LogUtils.java ++++ b/src/com/android/server/telecom/LogUtils.java +@@ -139,10 +139,8 @@ public class LogUtils { + public static final String STOP_CALL_WAITING_TONE = "STOP_CALL_WAITING_TONE"; + public static final String START_CONNECTION = "START_CONNECTION"; + public static final String CREATE_CONNECTION_FAILED = "CREATE_CONNECTION_FAILED"; +- public static final String CREATE_CONNECTION_TIMEOUT = "CREATE_CONNECTION_TIMEOUT"; + public static final String START_CONFERENCE = "START_CONFERENCE"; + public static final String CREATE_CONFERENCE_FAILED = "CREATE_CONFERENCE_FAILED"; +- public static final String CREATE_CONFERENCE_TIMEOUT = "CREATE_CONFERENCE_TIMEOUT"; + public static final String BIND_CS = "BIND_CS"; + public static final String CS_BOUND = "CS_BOUND"; + public static final String CONFERENCE_WITH = "CONF_WITH"; +diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +index 7646c2d08..4bca30de1 100644 +--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java ++++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +@@ -1036,7 +1036,6 @@ public class BasicCallTests extends TelecomSystemTest { + call.setTargetPhoneAccount(mPhoneAccountA1.getAccountHandle()); + assert(call.isVideoCallingSupportedByPhoneAccount()); + assertEquals(VideoProfile.STATE_BIDIRECTIONAL, call.getVideoState()); +- call.setIsCreateConnectionComplete(true); + } + + /** +@@ -1060,7 +1059,6 @@ public class BasicCallTests extends TelecomSystemTest { + call.setTargetPhoneAccount(mPhoneAccountA2.getAccountHandle()); + assert(!call.isVideoCallingSupportedByPhoneAccount()); + assertEquals(VideoProfile.STATE_AUDIO_ONLY, call.getVideoState()); +- call.setIsCreateConnectionComplete(true); + } + + /** +diff --git a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java +index 79fd3d501..744a702b3 100644 +--- a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java ++++ b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java +@@ -59,7 +59,6 @@ import android.media.AudioManager; + import android.net.Uri; + import android.os.Bundle; + import android.os.Handler; +-import android.os.IBinder; + import android.os.Looper; + import android.os.OutcomeReceiver; + import android.os.Process; +@@ -88,7 +87,6 @@ import android.widget.Toast; + import androidx.test.filters.MediumTest; + import androidx.test.filters.SmallTest; + +-import com.android.internal.telecom.IConnectionService; + import com.android.server.telecom.AnomalyReporterAdapter; + import com.android.server.telecom.AsyncRingtonePlayer; + import com.android.server.telecom.Call; +@@ -107,7 +105,6 @@ import com.android.server.telecom.ClockProxy; + import com.android.server.telecom.ConnectionServiceFocusManager; + import com.android.server.telecom.ConnectionServiceFocusManager.ConnectionServiceFocusManagerFactory; + import com.android.server.telecom.ConnectionServiceWrapper; +-import com.android.server.telecom.CreateConnectionResponse; + import com.android.server.telecom.DefaultDialerCache; + import com.android.server.telecom.EmergencyCallDiagnosticLogger; + import com.android.server.telecom.EmergencyCallHelper; +@@ -420,17 +417,11 @@ public class CallsManagerTest extends TelecomTestCase { + .thenReturn(mMockCreateContextAsUser); + when(mMockCreateContextAsUser.getSystemService(UserManager.class)) + .thenReturn(mMockCurrentUserManager); +- when(mIConnectionService.asBinder()).thenReturn(mock(IBinder.class)); +- +- mComponentContextFixture.addConnectionService( +- SIM_1_ACCOUNT.getAccountHandle().getComponentName(), mIConnectionService); + } + + @Override + @After + public void tearDown() throws Exception { +- mComponentContextFixture.removeConnectionService( +- SIM_1_ACCOUNT.getAccountHandle().getComponentName(), mIConnectionService); + super.tearDown(); + } + +@@ -3251,35 +3242,6 @@ public class CallsManagerTest extends TelecomTestCase { + assertTrue(result.contains("onReceiveResult")); + } + +- @Test +- public void testConnectionServiceCreateConnectionTimeout() throws Exception { +- ConnectionServiceWrapper service = new ConnectionServiceWrapper( +- SIM_1_ACCOUNT.getAccountHandle().getComponentName(), null, +- mPhoneAccountRegistrar, mCallsManager, mContext, mLock, null, mFeatureFlags); +- TestScheduledExecutorService scheduledExecutorService = new TestScheduledExecutorService(); +- service.setScheduledExecutorService(scheduledExecutorService); +- Call call = addSpyCall(); +- service.addCall(call); +- when(call.isCreateConnectionComplete()).thenReturn(false); +- CreateConnectionResponse response = mock(CreateConnectionResponse.class); +- +- service.createConnection(call, response); +- waitUntilConditionIsTrueOrTimeout(new Condition() { +- @Override +- public Object expected() { +- return true; +- } +- +- @Override +- public Object actual() { +- return scheduledExecutorService.isRunnableScheduledAtTime(15000L); +- } +- }, 5000L, "Expected job failed to schedule"); +- scheduledExecutorService.advanceTime(15000L); +- verify(response).handleCreateConnectionFailure( +- eq(new DisconnectCause(DisconnectCause.ERROR))); +- } +- + @SmallTest + @Test + public void testOnFailedOutgoingCallUnholdsCallAfterLocallyDisconnect() { +-- +2.34.1 + diff --git a/aosp_diff/preliminary/packages/services/Telecomm/0006-Unbind-CS-if-connection-is-not-created-within-15-sec.patch b/aosp_diff/preliminary/packages/services/Telecomm/0006-Unbind-CS-if-connection-is-not-created-within-15-sec.patch new file mode 100644 index 0000000000..b2ebdb49bc --- /dev/null +++ b/aosp_diff/preliminary/packages/services/Telecomm/0006-Unbind-CS-if-connection-is-not-created-within-15-sec.patch @@ -0,0 +1,140 @@ +From 87a1032402cfcda99606312d205c1e518cf1b1c8 Mon Sep 17 00:00:00 2001 +From: Grant Menke +Date: Mon, 28 Oct 2024 16:42:25 -0700 +Subject: [PATCH] Unbind CS if connection is not created within 15 seconds. + +This CL adds a check to ensure that connection creation occurs within 15 seconds after binding to that ConnectionService. If the connection/conference is not created in that timespan, this CL adds logic to manually unbind the ConnectionService at that point in time. This prevents malicious apps from keeping a declared permission in forever even in the background. This updated CL includes a null check to avoid a NPE that occurred in the first iteration of this change. + +Bug: 293458004 +Test: manually using the provided apk + atest CallsManagerTest +Flag: EXEMPT Security High/Critical Severity CVE +(cherry picked from commit 48d6b0df91fb1c8c0b11891f878084c6d8f9fa8a) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d729374b71266e9e9f5f855d18f2b1c202d322a7) +Merged-In: If46cfa26278f09854c10266af6eaa73382f20296 +Change-Id: If46cfa26278f09854c10266af6eaa73382f20296 +--- + src/com/android/server/telecom/LogUtils.java | 2 + + .../server/telecom/tests/BasicCallTests.java | 2 + + .../telecom/tests/CallsManagerTest.java | 38 +++++++++++++++++++ + 3 files changed, 42 insertions(+) + +diff --git a/src/com/android/server/telecom/LogUtils.java b/src/com/android/server/telecom/LogUtils.java +index 0d6acd51d..d98ebfe6b 100644 +--- a/src/com/android/server/telecom/LogUtils.java ++++ b/src/com/android/server/telecom/LogUtils.java +@@ -139,8 +139,10 @@ public class LogUtils { + public static final String STOP_CALL_WAITING_TONE = "STOP_CALL_WAITING_TONE"; + public static final String START_CONNECTION = "START_CONNECTION"; + public static final String CREATE_CONNECTION_FAILED = "CREATE_CONNECTION_FAILED"; ++ public static final String CREATE_CONNECTION_TIMEOUT = "CREATE_CONNECTION_TIMEOUT"; + public static final String START_CONFERENCE = "START_CONFERENCE"; + public static final String CREATE_CONFERENCE_FAILED = "CREATE_CONFERENCE_FAILED"; ++ public static final String CREATE_CONFERENCE_TIMEOUT = "CREATE_CONFERENCE_TIMEOUT"; + public static final String BIND_CS = "BIND_CS"; + public static final String CS_BOUND = "CS_BOUND"; + public static final String CONFERENCE_WITH = "CONF_WITH"; +diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +index 4bca30de1..7646c2d08 100644 +--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java ++++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +@@ -1036,6 +1036,7 @@ public class BasicCallTests extends TelecomSystemTest { + call.setTargetPhoneAccount(mPhoneAccountA1.getAccountHandle()); + assert(call.isVideoCallingSupportedByPhoneAccount()); + assertEquals(VideoProfile.STATE_BIDIRECTIONAL, call.getVideoState()); ++ call.setIsCreateConnectionComplete(true); + } + + /** +@@ -1059,6 +1060,7 @@ public class BasicCallTests extends TelecomSystemTest { + call.setTargetPhoneAccount(mPhoneAccountA2.getAccountHandle()); + assert(!call.isVideoCallingSupportedByPhoneAccount()); + assertEquals(VideoProfile.STATE_AUDIO_ONLY, call.getVideoState()); ++ call.setIsCreateConnectionComplete(true); + } + + /** +diff --git a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java +index 744a702b3..79fd3d501 100644 +--- a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java ++++ b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java +@@ -59,6 +59,7 @@ import android.media.AudioManager; + import android.net.Uri; + import android.os.Bundle; + import android.os.Handler; ++import android.os.IBinder; + import android.os.Looper; + import android.os.OutcomeReceiver; + import android.os.Process; +@@ -87,6 +88,7 @@ import android.widget.Toast; + import androidx.test.filters.MediumTest; + import androidx.test.filters.SmallTest; + ++import com.android.internal.telecom.IConnectionService; + import com.android.server.telecom.AnomalyReporterAdapter; + import com.android.server.telecom.AsyncRingtonePlayer; + import com.android.server.telecom.Call; +@@ -105,6 +107,7 @@ import com.android.server.telecom.ClockProxy; + import com.android.server.telecom.ConnectionServiceFocusManager; + import com.android.server.telecom.ConnectionServiceFocusManager.ConnectionServiceFocusManagerFactory; + import com.android.server.telecom.ConnectionServiceWrapper; ++import com.android.server.telecom.CreateConnectionResponse; + import com.android.server.telecom.DefaultDialerCache; + import com.android.server.telecom.EmergencyCallDiagnosticLogger; + import com.android.server.telecom.EmergencyCallHelper; +@@ -417,11 +420,17 @@ public class CallsManagerTest extends TelecomTestCase { + .thenReturn(mMockCreateContextAsUser); + when(mMockCreateContextAsUser.getSystemService(UserManager.class)) + .thenReturn(mMockCurrentUserManager); ++ when(mIConnectionService.asBinder()).thenReturn(mock(IBinder.class)); ++ ++ mComponentContextFixture.addConnectionService( ++ SIM_1_ACCOUNT.getAccountHandle().getComponentName(), mIConnectionService); + } + + @Override + @After + public void tearDown() throws Exception { ++ mComponentContextFixture.removeConnectionService( ++ SIM_1_ACCOUNT.getAccountHandle().getComponentName(), mIConnectionService); + super.tearDown(); + } + +@@ -3242,6 +3251,35 @@ public class CallsManagerTest extends TelecomTestCase { + assertTrue(result.contains("onReceiveResult")); + } + ++ @Test ++ public void testConnectionServiceCreateConnectionTimeout() throws Exception { ++ ConnectionServiceWrapper service = new ConnectionServiceWrapper( ++ SIM_1_ACCOUNT.getAccountHandle().getComponentName(), null, ++ mPhoneAccountRegistrar, mCallsManager, mContext, mLock, null, mFeatureFlags); ++ TestScheduledExecutorService scheduledExecutorService = new TestScheduledExecutorService(); ++ service.setScheduledExecutorService(scheduledExecutorService); ++ Call call = addSpyCall(); ++ service.addCall(call); ++ when(call.isCreateConnectionComplete()).thenReturn(false); ++ CreateConnectionResponse response = mock(CreateConnectionResponse.class); ++ ++ service.createConnection(call, response); ++ waitUntilConditionIsTrueOrTimeout(new Condition() { ++ @Override ++ public Object expected() { ++ return true; ++ } ++ ++ @Override ++ public Object actual() { ++ return scheduledExecutorService.isRunnableScheduledAtTime(15000L); ++ } ++ }, 5000L, "Expected job failed to schedule"); ++ scheduledExecutorService.advanceTime(15000L); ++ verify(response).handleCreateConnectionFailure( ++ eq(new DisconnectCause(DisconnectCause.ERROR))); ++ } ++ + @SmallTest + @Test + public void testOnFailedOutgoingCallUnholdsCallAfterLocallyDisconnect() { +-- +2.34.1 + diff --git a/aosp_diff/preliminary/packages/services/Telephony/0003-Prevent-overlays-on-Telephony-settings-screen-.bulletin.patch b/aosp_diff/preliminary/packages/services/Telephony/0003-Prevent-overlays-on-Telephony-settings-screen-.bulletin.patch new file mode 100644 index 0000000000..c6939bf98c --- /dev/null +++ b/aosp_diff/preliminary/packages/services/Telephony/0003-Prevent-overlays-on-Telephony-settings-screen-.bulletin.patch @@ -0,0 +1,306 @@ +From 81cc0fd56aa9644aa4a31a42f898b244f3b6d6a6 Mon Sep 17 00:00:00 2001 +From: Tyler Gunn +Date: Fri, 17 Jan 2025 23:34:46 +0000 +Subject: [PATCH] Prevent overlays on Telephony settings screen. + +Ensure only system overlays are allowed on telephony settings screens. + +Flag: NONE Security fix +Bug: 335387175 +Test: Manually launched activities to verify no overlays are possible. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46e18ac57da3ac50271fc2be5b20bd7799637eae) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5b543fefa148900c8cff77cef143bede0a8f49b9) +Merged-In: I953667309753ff6fc966956e246512de97ad8638 +Change-Id: I953667309753ff6fc966956e246512de97ad8638 +--- + src/com/android/phone/ADNList.java | 3 +++ + src/com/android/phone/CallFeaturesSetting.java | 4 ++++ + src/com/android/phone/CdmaCallForwardOptions.java | 4 ++++ + src/com/android/phone/CdmaCallOptions.java | 4 ++++ + src/com/android/phone/ChangeIccPinScreen.java | 4 ++++ + src/com/android/phone/EmergencyDialer.java | 4 ++++ + src/com/android/phone/EnableIccPinScreen.java | 4 ++++ + src/com/android/phone/GsmUmtsAdditionalCallOptions.java | 4 ++++ + src/com/android/phone/GsmUmtsCallBarringOptions.java | 5 +++++ + src/com/android/phone/GsmUmtsCallForwardOptions.java | 4 ++++ + src/com/android/phone/GsmUmtsCallOptions.java | 4 ++++ + src/com/android/phone/SimContacts.java | 4 ++++ + src/com/android/phone/settings/fdn/BaseFdnContactScreen.java | 3 +++ + .../android/phone/settings/fdn/DeleteFdnContactScreen.java | 4 ++++ + src/com/android/phone/settings/fdn/EditFdnContactScreen.java | 3 +++ + src/com/android/phone/settings/fdn/FdnList.java | 4 ++++ + src/com/android/phone/settings/fdn/FdnSetting.java | 4 ++++ + src/com/android/phone/settings/fdn/GetPin2Screen.java | 4 ++++ + 18 files changed, 70 insertions(+) + +diff --git a/src/com/android/phone/ADNList.java b/src/com/android/phone/ADNList.java +index 18b48fad5..bcf1a8914 100644 +--- a/src/com/android/phone/ADNList.java ++++ b/src/com/android/phone/ADNList.java +@@ -81,6 +81,9 @@ public class ADNList extends ListActivity { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + getWindow().requestFeature(Window.FEATURE_INDETERMINATE_PROGRESS); ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + setContentView(R.layout.adn_list); + mEmptyText = (TextView) findViewById(android.R.id.empty); + mQueryHandler = new QueryHandler(getContentResolver()); +diff --git a/src/com/android/phone/CallFeaturesSetting.java b/src/com/android/phone/CallFeaturesSetting.java +index 1dfcde7ef..9d949b817 100644 +--- a/src/com/android/phone/CallFeaturesSetting.java ++++ b/src/com/android/phone/CallFeaturesSetting.java +@@ -256,6 +256,10 @@ public class CallFeaturesSetting extends PreferenceActivity + super.onCreate(icicle); + if (DBG) log("onCreate: Intent is " + getIntent()); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + // Make sure we are running as an admin user. + UserManager userManager = (UserManager) getSystemService(Context.USER_SERVICE); + if (!userManager.isAdminUser()) { +diff --git a/src/com/android/phone/CdmaCallForwardOptions.java b/src/com/android/phone/CdmaCallForwardOptions.java +index d70e7099b..62c945f0c 100644 +--- a/src/com/android/phone/CdmaCallForwardOptions.java ++++ b/src/com/android/phone/CdmaCallForwardOptions.java +@@ -73,6 +73,10 @@ public class CdmaCallForwardOptions extends TimeConsumingPreferenceActivity { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + addPreferencesFromResource(R.xml.callforward_options); + + mSubscriptionInfoHelper = new SubscriptionInfoHelper(this, getIntent()); +diff --git a/src/com/android/phone/CdmaCallOptions.java b/src/com/android/phone/CdmaCallOptions.java +index 4f94b5810..fe6d77728 100644 +--- a/src/com/android/phone/CdmaCallOptions.java ++++ b/src/com/android/phone/CdmaCallOptions.java +@@ -59,6 +59,10 @@ public class CdmaCallOptions extends TimeConsumingPreferenceActivity { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + addPreferencesFromResource(R.xml.cdma_call_privacy); + + SubscriptionInfoHelper subInfoHelper = new SubscriptionInfoHelper(this, getIntent()); +diff --git a/src/com/android/phone/ChangeIccPinScreen.java b/src/com/android/phone/ChangeIccPinScreen.java +index 078449573..898b21b3f 100644 +--- a/src/com/android/phone/ChangeIccPinScreen.java ++++ b/src/com/android/phone/ChangeIccPinScreen.java +@@ -95,6 +95,10 @@ public class ChangeIccPinScreen extends Activity { + public void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + mUserManager = this.getSystemService(UserManager.class); + if (mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) { + mDisallowedConfig = true; +diff --git a/src/com/android/phone/EmergencyDialer.java b/src/com/android/phone/EmergencyDialer.java +index a608b1bd1..1f1430149 100644 +--- a/src/com/android/phone/EmergencyDialer.java ++++ b/src/com/android/phone/EmergencyDialer.java +@@ -256,6 +256,10 @@ public class EmergencyDialer extends Activity implements View.OnClickListener, + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + mEntryType = getIntent().getIntExtra(EXTRA_ENTRY_TYPE, ENTRY_TYPE_UNKNOWN); + Log.d(LOG_TAG, "Launched from " + entryTypeToString(mEntryType)); + +diff --git a/src/com/android/phone/EnableIccPinScreen.java b/src/com/android/phone/EnableIccPinScreen.java +index 092fa64af..2e6ce6e3e 100644 +--- a/src/com/android/phone/EnableIccPinScreen.java ++++ b/src/com/android/phone/EnableIccPinScreen.java +@@ -68,6 +68,10 @@ public class EnableIccPinScreen extends Activity { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + mUserManager = this.getSystemService(UserManager.class); + if (mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) { + mDisallowedConfig = true; +diff --git a/src/com/android/phone/GsmUmtsAdditionalCallOptions.java b/src/com/android/phone/GsmUmtsAdditionalCallOptions.java +index 6e289221c..6048c927a 100644 +--- a/src/com/android/phone/GsmUmtsAdditionalCallOptions.java ++++ b/src/com/android/phone/GsmUmtsAdditionalCallOptions.java +@@ -42,6 +42,10 @@ public class GsmUmtsAdditionalCallOptions extends TimeConsumingPreferenceActivit + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + addPreferencesFromResource(R.xml.gsm_umts_additional_options); + + mSubscriptionInfoHelper = new SubscriptionInfoHelper(this, getIntent()); +diff --git a/src/com/android/phone/GsmUmtsCallBarringOptions.java b/src/com/android/phone/GsmUmtsCallBarringOptions.java +index 99dc92fea..5cafa8a3a 100644 +--- a/src/com/android/phone/GsmUmtsCallBarringOptions.java ++++ b/src/com/android/phone/GsmUmtsCallBarringOptions.java +@@ -351,6 +351,11 @@ public class GsmUmtsCallBarringOptions extends TimeConsumingPreferenceActivity + @Override + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); ++ ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + if (DBG) { + Log.d(LOG_TAG, "onCreate, reading callbarring_options.xml file"); + } +diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java +index db830deb6..6a5cb83d5 100644 +--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java ++++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java +@@ -58,6 +58,10 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + addPreferencesFromResource(R.xml.callforward_options); + + mSubscriptionInfoHelper = new SubscriptionInfoHelper(this, getIntent()); +diff --git a/src/com/android/phone/GsmUmtsCallOptions.java b/src/com/android/phone/GsmUmtsCallOptions.java +index be5295d53..0e666a5ba 100644 +--- a/src/com/android/phone/GsmUmtsCallOptions.java ++++ b/src/com/android/phone/GsmUmtsCallOptions.java +@@ -43,6 +43,10 @@ public class GsmUmtsCallOptions extends PreferenceActivity { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + addPreferencesFromResource(R.xml.gsm_umts_call_options); + + SubscriptionInfoHelper subInfoHelper = new SubscriptionInfoHelper(this, getIntent()); +diff --git a/src/com/android/phone/SimContacts.java b/src/com/android/phone/SimContacts.java +index 4229482f2..b98434ed0 100644 +--- a/src/com/android/phone/SimContacts.java ++++ b/src/com/android/phone/SimContacts.java +@@ -231,6 +231,10 @@ public class SimContacts extends ADNList { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + Intent intent = getIntent(); + if (intent != null) { + final String accountName = intent.getStringExtra("account_name"); +diff --git a/src/com/android/phone/settings/fdn/BaseFdnContactScreen.java b/src/com/android/phone/settings/fdn/BaseFdnContactScreen.java +index 5beff34db..b33421a89 100644 +--- a/src/com/android/phone/settings/fdn/BaseFdnContactScreen.java ++++ b/src/com/android/phone/settings/fdn/BaseFdnContactScreen.java +@@ -71,6 +71,9 @@ public abstract class BaseFdnContactScreen extends Activity + super.onCreate(savedInstanceState); + resolveIntent(); + getWindow().requestFeature(Window.FEATURE_INDETERMINATE_PROGRESS); ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + } + + protected void authenticatePin2() { +diff --git a/src/com/android/phone/settings/fdn/DeleteFdnContactScreen.java b/src/com/android/phone/settings/fdn/DeleteFdnContactScreen.java +index 7cd4c935c..ab14c836f 100644 +--- a/src/com/android/phone/settings/fdn/DeleteFdnContactScreen.java ++++ b/src/com/android/phone/settings/fdn/DeleteFdnContactScreen.java +@@ -32,6 +32,10 @@ public class DeleteFdnContactScreen extends BaseFdnContactScreen { + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + // Starts PIN2 authentication only for the first time. + if (icicle == null) authenticatePin2(); + setContentView(R.layout.delete_fdn_contact_screen); +diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +index 0884e1262..0e942ca97 100644 +--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java ++++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +@@ -88,6 +88,9 @@ public class EditFdnContactScreen extends BaseFdnContactScreen { + @Override + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + + setContentView(R.layout.edit_fdn_contact_screen); + setupView(); +diff --git a/src/com/android/phone/settings/fdn/FdnList.java b/src/com/android/phone/settings/fdn/FdnList.java +index c2ecbc670..e2b349020 100644 +--- a/src/com/android/phone/settings/fdn/FdnList.java ++++ b/src/com/android/phone/settings/fdn/FdnList.java +@@ -98,6 +98,10 @@ public class FdnList extends ADNList { + public void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + ActionBar actionBar = getActionBar(); + if (actionBar != null) { + // android.R.id.home will be triggered in onOptionsItemSelected() +diff --git a/src/com/android/phone/settings/fdn/FdnSetting.java b/src/com/android/phone/settings/fdn/FdnSetting.java +index ddbcc99b3..e9a1aed06 100644 +--- a/src/com/android/phone/settings/fdn/FdnSetting.java ++++ b/src/com/android/phone/settings/fdn/FdnSetting.java +@@ -509,6 +509,10 @@ public class FdnSetting extends PreferenceActivity + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + mSubscriptionInfoHelper = new SubscriptionInfoHelper(this, getIntent()); + mPhone = mSubscriptionInfoHelper.getPhone(); + +diff --git a/src/com/android/phone/settings/fdn/GetPin2Screen.java b/src/com/android/phone/settings/fdn/GetPin2Screen.java +index 09cab46d7..7f3b60c4e 100644 +--- a/src/com/android/phone/settings/fdn/GetPin2Screen.java ++++ b/src/com/android/phone/settings/fdn/GetPin2Screen.java +@@ -48,6 +48,10 @@ public class GetPin2Screen extends Activity implements TextView.OnEditorActionLi + protected void onCreate(Bundle icicle) { + super.onCreate(icicle); + ++ getWindow().addSystemFlags( ++ android.view.WindowManager.LayoutParams ++ .SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + setContentView(R.layout.get_pin2_screen); + + mPin2Field = (EditText) findViewById(R.id.pin); +-- +2.48.1.262.g85cc9f2d1e-goog +