Bug: 67319274
Test: run cts-dev --module CtsPermissionTestCases --test android.permission.cts.RemovePermissionTest#permissionShouldBeRevokedIfRemoved
Change-Id: I2771c048e13529e168121c5a5501aa26fc21e30f
(cherry picked from commit 82107644)

Developers often accept selection clauses from untrusted code, and
SQLiteQueryBuilder already supports a "strict" mode to help catch
SQL injection attacks.  This change extends the builder to support
update() and delete() calls, so that we can help secure those
selection clauses too.

Bug: 111085900
Test: atest packages/providers/DownloadProvider/tests/
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Change-Id: Ib4fc8400f184755ee7e971ab5f2095186341730c
Merged-In: Ib4fc8400f184755ee7e971ab5f2095186341730c
(cherry picked from commit 09d49531)

SQLiteQueryBuilder has a setStrict() mode which can be used to
detect SQL attacks from untrusted sources, which it does by running
each query twice: once with an extra set of parentheses, and if that
succeeds, it runs the original query verbatim.

This sadly doesn't catch inputs of the type "1=1) OR (1=1", which
creates valid statements for both tests above, but the final executed
query ends up leaking data due to SQLite operator precedence.

Instead, we need to continue compiling both variants, but we need
to execute the query with the additional parentheses to ensure
data won't be leaked.

Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Bug: 111085900
Change-Id: I6e8746fa48f9de13adae37d2990de11c9c585381
Merged-In: I6e8746fa48f9de13adae37d2990de11c9c585381
(cherry picked from commit 5a55a72f)

When FLAG_GRANT_PERSISTABLE_URI_PERMISSION is requested, we still
need to check permissions between the source and target packages,
instead of shortcutting past them.

The spirit of the original change is remains intact: if the caller
requested FLAG_GRANT_PERSISTABLE_URI_PERMISSION, then we avoid
returning "-1", which would prevent the grant data structure from
being allocated.

Bug: 111934948
Test: atest android.appsecurity.cts.AppSecurityTests
Change-Id: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
Merged-In: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
(cherry picked from commit 05519b7e)

Layout#getOffsetForHorizontal was running in O(n^2) time, where n is the
length of the current line. The method is used when a touch event
happens on a text line, to compute the cursor offset (and the character)
where it happened. Although this is not an issue in common usecases,
where the number of characters on a line is relatively small, this can
be very inefficient as a consequence of Unicode containing 0-width
(invisible) characters. Specifically, there are characters defining the
text direction (LTR or RTL), which cause our algorithm to touch the
worst case quadratic runtime. For example, a person is able to send a
message containing a few visible characters, and also a lot of these
direction changing invisible ones. When the receiver touches the message
(causing the Layout#getOffsetForHorizontal method to be called), the
receiver's application would become not responsive.

This CL optimizes the method to run in O(n) worst case. This is achieved
by computing the measurements of all line prefixes at first, which can
be done in a single pass. Then, all the prefix measurement queries will
be answered in O(1), rather than O(n) as it was happening before.

Bug: 79215201
Test: manual testing
Change-Id: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
(cherry picked from commit 69b589b2)

Merge cherrypicks of [4741663, 4741664, 4741665, 4741666, 4743080, 4743081, 4743082, 4743083, 4741262, 4741263, 4741264, 4741265, 4741266, 4741667, 4743084, 4741242, 4741243, 4741741, 4741742, 4741743, 4741744, 4741822, 4743085, 4741668, 4741338, 4743055, 4743056, 4743070, 4743073, 4743075, 4743076, 4743078, 4743079, 4743161, 4743162, 4743164, 4743165, 4743167, 4743168, 4743169, 4743170, 4741681, 4741682, 4741683, 4741684, 4741685, 4741686, 4741687, 4741688, 4741689, 4741690, 4741691, 4741692, 4741693, 4741694, 4741695, 4741696, 4741697, 4741698, 4741699, 4743240, 4743241, 4743242, 4743243, 4741745, 4741823, 4741824, 4741825, 4741267, 4741268, 4743244, 4743280, 4743281, 4743224, 4743203, 4743204, 4743205, 4741746, 4741747, 4743245, 4741826, 4741827, 4741828, 4741829, 4741748, 4741749, 4741750, 4743233, 4743282, 4741244, 4741245, 4741246, 4741247, 4743206, 4743207, 4743208, 4743209, 4743210, 4743211, 4743212, 4743213, 4743214, 4743215, 4743216, 4743217, 4743218, 4743219, 4743360, 4743361, 4743362, 4743363, 4743364, 4743365, 4743366, 4743367, 4743368, 4743369, 4743370, 4743371, 4743372, 4743373, 4743374, 4743375, 4743376, 4743377, 4743283, 4743284, 4741830, 4742501, 4743246, 4743086, 4743087, 4743378, 4743379, 4741751] into sparse-4749909-L04200000199131547

Change-Id: I1492186998ee5230a67cd2efaf8c68d8b008cb7e

Bug: 77600398
Change-Id: Ia316f1c5dc4879f6851fdb78fe8b9039579be7bc
(cherry picked from commit 0d2dc943)

This won't leak any traffic outside the VPN as long as there are no
processes owned by uid 0 which generate network traffic (which is
currently the case).

Bug: 69873852
Test: compared the output of 'adb shell ip rule show' before and after
Test: runtest -x frameworks/base/tests/net/java/com/android/server/connectivity/VpnTest.java
Test: local CTS tests run: android.net.cts.VpnServiceTest
Test: local CTS tests run: com.android.cts.devicepolicy.MixedDeviceOwnerTest
Change-Id: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I1f9b78c8f828ec2df7aba71b39d62be0c4db2550
Merged-In: I8edeb0942e661c8385ff0cd3fdb72e6f62a8f218
(cherry picked from commit 00000fe5)
(cherry picked from commit ef2910dc)

Bug: 77599679
Test: Compile only
Change-Id: Ib417a5cb4d51744442d2fb14437cabbe5fd1c266
(cherry picked from commit abe5a73a)

Test: cts-tradefed run cts -m CtsShortcutManagerTestCases -t android.content.pm.cts.shortcutmanager.ShortcutManagerFakingPublisherTest
Bug: 109824443

Change-Id: I90443973aaef157d357b98b739572866125b2bbc
Merged-In: I78948446a63b428ae750464194558fd44a658493
(cherry picked from commit 9e21579a)

DynamicRefTables parsed from apks are missing bounds checks that prevent
buffer overflows. This changes verifies the bounds of the header before
attempting to preform operations on the chunk.

Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
        -t android.appsecurity.cts.CorruptApkTests

Change-Id: I02c8ad957da244fce777ac68a482e4e8fa70f846
Merged-In: I02c8ad957da244fce777ac68a482e4e8fa70f846
(cherry picked from commit 18a6ada4)

Changes the logs adding in a previous security fix to warnings so
devices with malformed APKs currently on them will not undergo DOS when
they are upgraded to P.

Bug: 79724567
Test: run cts -m CtsAppSecurityHostTestCases \
          -t android.appsecurity.cts.CorruptApkTests

Change-Id: Ied54e4bb14abdaf79da562022c7ea6075187c1f8
(cherry picked from commit f05f47b2)
(cherry picked from commit c31cf800)

* limit the absolute maximum size of the label to 50000 characters
[which is probably far more than necessary, but, can be dialed down]

* use a string buffer while processing the string [instead of creating
multiple string objects]

Bug: 62537081
Test: Manual. Install APK in bug and see that it can be uninstalled
Change-Id: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
Merged-In: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
(cherry picked from commit 2263da95)

Fixes an issue where input intended for the keyguard could end up going
to a different display.

To prevent this, make sure that only the default display can get focused
when the keyguard is showing.

Change-Id: I6463c44aedca06930d2c9bda7c45ffd93141308c
Merged-In: I6463c44aedca06930d2c9bda7c45ffd93141308c
Fixes: 71786287
Test: atest DisplayContentTests
(cherry picked from commit 3cd5e3d9)

These new tests ensure that VPNs report the meteredness of their
underlying networks correctly. The added test verifies VPN meteredness
for cases of metered and unmetered WiFi and Cell

Bug: 78644887
Test: This; ran on walleye-eng
Change-Id: I28bdc71a336bfd97f7908455d4781d774df44b87
(cherry picked from commit 66bc5288)

This patch corrects ConnectivityController's meteredness checks to
perform correct meteredness checks while VPNs are running. This fixes a
bug in O-MR1 where any apps using the DownloadProvider with unmetered
network constraints fail to start while the VPN is enabled.

This change adds a bespoke method for ConnectivityController, allowing
it to correctly identify the meteredness without affecting public API
surfaces.

Bug: 78644887
Test: Built, flashed on Walleye, and tested.
Test: Additional test coverage in subsequent patch(es).
Change-Id: Ie1d11d93d51d936ce81cd5984af61bde30325983
(cherry picked from commit d08ab5a6)

Fix: 70585244
Bug: 69981755

Test: Enable any accessibility service -> inflate work profile
      -> Tap on any work app -> no longer crash

Test: cts-tradefed run cts-dev --module DevicePolicyManager --test com.android.cts.devicepolicy.CrossProfileAppsHostSideTest.testPrimaryUserToManagedProfile
Change-Id: I80d18f4e2ab76a228cb0aa2c8312c323a9b5c84d
(cherry picked from commit 857326e3)

Test: presubmit
Fixes: 70506475
Bug: 69981755
Change-Id: I187bed4889a4901a7137a2995178ea651ed09186
(cherry picked from commit 6c68a692)

Bug: 77600924
Change-Id: I46d765892e8e6839ed5140a3b0d6bb1815ccf9bc
Signed-off-by: Ecco Park <eccopark@google.com>
(cherry picked from commit 9a59cf84)

Test: manual
Bug: 73173182
Change-Id: I7f2201cab36adf7f01d1a794d783cb78a536811f
(cherry picked from commit 24da173b)

(backport from a fix merged in pi-dev)

Bug: 73884967
Test: Treehugger
Change-Id: I9deaae20893184cde36dcd936fe83708fa60b830
Merged-In: I0cf7920e138892fbcab71fae0eed1293f0b2e404
Merged-In: I9e3456e5f1e479b0e2b102f6c90db57cd0e977fe
(cherry picked from commit 7b52a48d)

If a run time permission of a group is already granted we grant the
other permission of the group automatically when requested.

Hence if an already granted permission changed its group during an
update suddenly permission of a potentially not approved group will
get auto-granted.

This is undesirable, hence we revoke the permission during the update
process.

Test: atest android.permission.cts.PermissionGroupChange
Change-Id: Ib2165d1ae53b80455ebe02e07775853e37a2e339
Fixes: 72710897
(cherry picked from commit 0ed1b472)

Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.

Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
          -t android.appsecurity.cts.CorruptApkTests

Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Merged-In: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
(cherry picked from commit 7e54c3f2)

Test: added AccessibilityEndToEndTest#testPackageNameCannotBeFaked
      cts-tradefed run cts -m CtsAccessibilityServiceTestCases
      cts-tradefed run cts -m CtsAccessibilityTestCases

Bug: 69981755
Change-Id: If3752e106aa7fdee4645dc9852289af471ceff18
Merged-In: I13304efbee10d1affa087e9c8bc4ec237643283e
(cherry picked from commit c36db6d4)

Replaced readTypedArrayList/writeTypedArrayList with
writeTypedList/createTypedArrayList(CREATOR)

Bug: 71508348
Test: CtsAutoFillServiceTestCases pass
Merged-In: I2a8321023b40cc74b7026eb0fb32a9cc5f5543a9
Change-Id: Id17d02e40a4ae567bf2d74d2ea8ba4d8a943bdb7
(cherry picked from commit 4921986d)

Bug: 63766886
Test: ran CTS tests
Change-Id: I1f92bb014e275eafe3f42aef1f8c817f187c6608
(cherry picked from commit 6d2096f3)

This method broke on O-MR1 when I3abf999eb6056c1df7982780bae43b58337c0668
was chery-picked from master.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases \
      -t android.autofillservice.cts.AttachedContextActivityTest#testAutofill
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases

Also individually ran tests that failed (due to flakiness) when ran in a suite:

Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases \
-t android.autofillservice.cts.OptionalSaveActivityTest#testDontShowSaveUiWhenUserManuallyFilled_oneDatasetAllRequiredFields

Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases -t android.autofillservice.cts.PreSimpleSaveActivityTest #testTapLink_tapBack_thenStartOverBySayingYesAndManualRequest

Fixes: 71960322

Change-Id: Ia093dcefe6699dc9493c46d671e48c2000214b31
Merged-In: I3abf999eb6056c1df7982780bae43b58337c0668
(cherry picked from commit b25b4736)

Test: adb shell am start com.android.settings/.RadioInfo
Bug: 69981710
Fixes: 70506888

Change-Id: Id29bad2d20b621f7379eb6144c95dcc819949b3d
Merged-In: Id29bad2d20b621f7379eb6144c95dcc819949b3d
(cherry picked from commit 97f16a76db29269619d9a1b45d4cea49026a5b6a)
(cherry picked from commit 92b5d278)

Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases -t android.autofillservice.cts.VirtualContainerActivityTest#testAppCannotFakePackageName
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases

Bug: 69981710

Change-Id: Id6036cddb51dd8dd0c9128b7212d573f630d693f
Merged-In: Id6036cddb51dd8dd0c9128b7212d573f630d693f
(cherry picked from commit 23e61a90)

Merge cherrypicks of [3898937, 3898958, 3899077, 3897885, 3898496, 3898245, 3898959, 3898960, 3897790, 3898312, 3898313, 3898314, 3899155, 3899156, 3899157, 3898289, 3898290, 3899061, 3898291, 3898292, 3896951, 3899158, 3898961, 3898938, 3898246] into sparse-4657601-L30800000163316240

Change-Id: Ic46c21eef4b216774452afbac399e3d04947f053

The writeToParcel and readFromParcel is not symmetry, fixed it.

Test: no test
Bug: 70721937
Change-Id: I01f6f6b2ab778ee8b638d9b69fe0a6b9aa7ee395
(cherry picked from commit 8c55a707)

Merged-In: Ic4569b21d8a26a62bba91742b442f0c3ea8bcc9e
Change-Id: I17d085be9ce1a139e75264f1e715df7f565cd41b
Fixes: 71992105
Test: manual
(cherry picked from commit 187964ac)

Fixes: 73511076, 73311729
Test: presubmit
Change-Id: Ie98f67ffee4744050ac85d8b229370a16a76a194
(cherry picked from commit 726b51a2)
(cherry picked from commit 5a28e533)

Bug: 63000005
Test: runtest frameworks-net -c com.android.server.connectivity.VpnTest
Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnLockDown
Merged-In: Ia1a82ee73d8617f3124032986fe6c09c14bf7752
Change-Id: Ia1a82ee73d8617f3124032986fe6c09c14bf7752
(cherry picked from commit f915e04d)

Length of the last array in readFromParcel should be the same as
value of mNextIndex.

Test: PoC app in the bug
Bug: 73252178
Change-Id: I69f935949e945c3a036b19b4f88684d906079ea5
(cherry picked from commit 3b8bc2e4)

Change-Id: Id2935bbe1630247131e87ed78cc70a7e3aaa0f5b

Merge cherrypicks of [3594034, 3594272, 3594273, 3594274, 3594275, 3594347, 3594035, 3592471] into oc-mr1-release

Change-Id: Id0214b5206fd01da1829b1475cef34ecac46f4e2

Bug: 72871435
Test: flashed and verified, also ran runtest framework-net

Change-Id: I69319a7db269489053426bb2d41574180be2d43d
(cherry picked from commit c81ef199)

On Android, if the process containing the service being bound to
crashes before the bind succeeds, the app doing the binding won't
get a success or failure callback.

When that happens in this code, this leaves notif. manager thinking
that a binding is in progress, so it never attempts to rebind until
the device is rebooted.

Bug: 69064494
Test: manual, crashed listener on proc start, verified not unbound forever
Change-Id: Id2082744208e21a709d9453365f282449a2e9407
(cherry picked from commit 4a86a51b)
(cherry picked from commit 1936097a)

The strict whitelist of settings for Instant Apps is leading to too much
unintended breakage, remove the enforcement until better infrastructure
can be added to make sure settings that should be whitelisted are.

Bug: 71009655
Test: Coming in a follow up

(cherry picked from commit b6108d62)

Change-Id: Iaa1d71331407cee86c10105c1e5668ffd0c925a1
(cherry picked from commit 26ae1d35)