Change-Id: If0d0259161266be3749ad45539e6480cfe3cc3e5

Bug: 154319182
Test: manual
Change-Id: I5958a8fb442cf4506e1824243493f91aea34a7cc
Merged-In: I5958a8fb442cf4506e1824243493f91aea34a7cc
(cherry picked from commit d541f6d8)

The previous size was causing some apps to crash which otherwise worked
fine. This more closely matches the hard limit in RecordingCanvas
(which we need to stay below to prevent SystemUI from crashing).

Fixes: 182891864
Fixes: 182232777
Bug: 169255797
Test: atest StatusBarIconViewTest
Test: manual - posting notifications with different drawable sizes
Change-Id: I8deacc651e05a202ec980eeb8bcdf4f92daea8eb
(cherry picked from commit 5cd7976f)
(cherry picked from commit 8875da52)

Bug: 169255797
Test: atest StatusBarIconViewTest
Test: verified that app crashes instead of SysUI following repro steps
Change-Id: I66e3bb873841b5babfd522c82cea7bed361fc14c
(cherry picked from commit 4394595debfd3f625b45a8b2280cdbec61f8dc71)
(cherry picked from commit 5791303c)

Bug: 177561690
Test: on device
Change-Id: Icafbdf54fe807f8779377b13cb4e4eb265db692e
(cherry picked from commit 579b74d5)

Currently, we keep the process up even if the user switches,
meaning that in some cases (if the user is switched while the
screenshot UI is up) we will save images to the wrong profile.
This change makes ScreenshotHelper listen for user switches and
close the screenshot service, so that a new screenshot is
guaranteed to be constructed with the correct user's context.

Bug: 170474245
Fix: 170474245
Test: manual -- verified bad state occurs if user switches within
the timeout period, ensured that screenshots work immediately
after switching with this change.

Change-Id: I9d32d0928e6c2bda161d04555438d0dd7afef0ba
(cherry picked from commit 7ef1a5dd)
(cherry picked from commit 8a2656d4)

NO_INPUT_CHANNEL is a hidden WM flag that allows creation of a window
without an input channel. Unfortunately in releases prior to Android R
this would allow creation of a Window which will not be known to the
InputDispatcher at all. This means that the logic generating
FLAG_OBSCURED will work and a window will be able to overlay another
window without the overlayed window being notified. In Android R and
later this isn't a problem as the InputDispatcher is informed of all
windows, input channel or not. For past Android releases, this patch
disables NO_INPUT_CHANNEL for use outside of the WM.

Bug: 152064592
Test: Existing tests pass
(cherry picked from commit 9661bf7a

)

[basilgello: Back-port to 14.1:
 - SYSTEM_UID -> Process.SYSTEM_UID]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
Change-Id: I7e1f45cba139eab92e7df88d1e052baba0ae2cc6

Bug: 172841550
Test: manual
Merged-In: I1a16808426934f4a8d12410576d769443e4c2a04
Merged-In: I3cd5a94386f15cf60a7fe3095b00815e4a6485ae
Change-Id: I35dc86b5721a4531447a6d99d6c30f23543130cb
(cherry picked from commit fedbadf5)

When the file is deleted, renamed or moved, revoke all uri
permissions with the file

Bug: 157474195
Test: manual test with DocumentsUI
Test: atest DocumentsTest#testAfterMoveDocumentInStorage_revokeUriPermission
Change-Id: I4ffb183630aadb2d87b0965e8cecf88af15f4534
Merged-In: I4ffb183630aadb2d87b0965e8cecf88af15f4534
(cherry picked from commit 9efd606f)
(cherry picked from commit 42c44f36)

As WindowState#startAnimation for restricting window animation duration
(currently is 10 secs),

For security reason, we also need to restrict app transition animation
duration as 3 secs to prevent malicious app may set a long duration or
infinity repeat counts through ActivityOption#makeCustomAnimation or
Activity#overridePendingTransition with custom animation set.

Bug: 145728687
Test: manual as issue provided test app
Change-Id: I39051d6e4d2b681ce2becbafe14aab3f3d8ebf6b
(cherry picked from commit 36bcc773)

Bug: 172935267
Test: PoC in bug
Change-Id: I469bde7d0a0f89c94f1234cf40983395048962e2
(cherry picked from commit 79062d79)

DO NOT CHERRY PICK ANYWHERE: Security issue

This API is meant to grant an app complete verification over the
domains it has declared, meaning it will always resolve the domains it
declares for web links.

This can allow an app to take over links that are unowned. Any time a
user selects "Always" when resolving an Intent in the diambiguation
dialog, this API would be called, and all subsequent resolutions of any
domain declared by the app selected would be automatically directed to
that app, with no prompt to the user.

From a quick search, it's possible that all usages of this API are
actually unintended and should be removed. Should be considered for
deprecation in the future.

Bug: 163358811

Test: none, this is not generally testable, see linked bug for context

Merged-In: Iff7f788a83af68c7fbb1c6b9a8be7b47136be2b6
Change-Id: Iff7f788a83af68c7fbb1c6b9a8be7b47136be2b6
(cherry picked from commit 4e71b31e)

[NOUGAT] Fix bad icons of permission groups

See merge request !89

Change-Id: Ic183158c0d9e835317dbd0ab8d4b0395a96c403c

Bug: 169763814
Test: manual
Merged-In: I15dd22791fcc61ef02b06ad51d9e4409d11c0181
Change-Id: I0d8f901d100a5e2a022c96fa6c2be75a11c58059
(cherry picked from commit deddb784)

Mutable pending intents are a security risk. This change adds the
IMMUTABLE flag to all PendingIntents created in GlobalScreenshot.

Bug: 162738636
Test: manual
Change-Id: I1044b6aaf2b1650ff91d9a72181684d2aaea9a62
(cherry picked from commit 3aa7d375)

Activity can be used only in two cases.
1) Calling uid matches uid grantee.
2) Calling uid is is system. This flow is used by getToken methods with
notifyAuthFailure=true.

Test: Existing CTS tests
Bug: 158480899
Merged-In: I983fa

[basilgello: Back-port to 14.1:
 - ActivityManager.getService() -> ActivityManagerNative.getDefault()]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I8da362df269decd7c3930a2387f42e09796e732f
(cherry picked from commit 88787b77)

Bug: 129287265
Test: manual
(cherry picked from commit 32e85796)
(cherry picked from commit 0992000a)
Change-Id: I8431eb27cc4c6dfd3048b28ff635474f14433308

Due to a race condition with activity task stack broadcasts, it's
currently possible for fingerprint authentication to succeed for a
non-top activity. This means, for example, that a malicious overlay
could be drawn in order to mislead the user about what they are
authenticating for.

This commit addresses the issue by adding a check to the fingerprint
authentication client interface that ensures the authenticating
activity is on top at the time of authentication. Otherwise, the
pending authentication will fail, as if an incorrect biometric
been presented.

Test: Follow steps from b/159249069:
1. Install com.pro100svitlo.fingerprintauthdemo from the Play store.
2. Install the PoC attack app from b/159249069.
3. Start the PoC attack app and press the "Launch PoC attack" button.
4. Use fingerprint to authenticate while the overlay is showing.

Before: Authentication succeeds, and a new activity is launched.
After: Authentication fails, and no new activity is launched.

Bug: 159249069
Change-Id: I0707c3f55eaf2a69c6625a3ceb3b5626b3676b26
Merged-In: If5cdf8ffaf3aa7d8a1ac81272e3bfb2cc7cdddf1
Merged-In: Iee6af379515385777984da55048c1efd9339ed88
Merged-In: I9b242a9fee0acbfb430875061e2d809c00fe4b97
Merged-In: I1241a12eafa0bdbac59a8ddd4cf6a0637d467b19
Merged-In: Ie5a0f8c3e9b92d348a78678a6ed192d440c45ffc
Merged-In: I289d67e5c7055ed60f7a96725c523d07cd047b23
(cherry picked from commit 7786f490

)

[basilgello: Back-port to 14.1:
 - No android.hardware.biometrics.fingerprint.V2_1.IBiometricsFingerprint present,

 - import com.android.internal.logging.nano.MetricsProto.MetricsEvent ->
   import com.android.internal.logging.MetricsProto.MetricsEvent,

 - ActivityManager.getService() -> activityManagerNative.getDefault()]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
Change-Id: I0bffe9dd72b239cbb6ddeb2dc0c83f06033723dd

Require that the PendingIntent be immutable so that a malicious app is
not able to hijack and mutate any of the details.

Fixes: 154915372
Test: build & flash, change wallpaper manually.
Change-Id: I59b48811b26736bf0575769107dd940ca33ccf8d
(cherry picked from commit d4bd69ce)
(cherry picked from commit b3929030)

Repeated locale has not been accepted and IllegalArgumentException
is thrown. Instead of throwing exception, dropping repeated locale
instead.

Bug: 152410253
Test: atest LocaleListTest
Change-Id: I80f243678ac3024eaeb0349f770cff897df7f332
(cherry picked from commit 142ce41b)

Test: manual; monitor SystemUI performance when an app tries to
post a messaging style notification with messages with long text
Bug: 158304295
Bug: 147358092

Merged-In: c953fdf6
Change-Id: I0e2ea12fc3351b1a56645b556720ea2306f5422a
(cherry picked from commit c953fdf6)
(cherry picked from commit a19f9ed2)

Bug: 160390416
Test: verified command still works from shell

[basilgello: Back-port to 14.1:
 - {ROOT,SHELL}_UID -> Process.{ROOT,SHELL}_UID]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 03542611)
Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 5e2931c6)
(cherry picked from commit 4a31000e6072c14608ec1c59321481c8aa330313)

Re-run app link verification at update time only when the set of hosts
has expanded.  Intentionally revoke verify history when an app stops
using autoVerify, as a one-time measure to place it back into the
non-autoverify model for tracking the user's launch preferences.  If the
app starts using autoVerify again later, it behaves identically to an
app that has never done so before.

Bug: 151475497
Bug: 146204120
Test: described on master CL

Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
Merged-In: Ibaf087946966ad82d60c7b255e3ee75990716b63
(cherry picked from commit 90b716a4

)

[basilgello: Backport to 14.1:
 - idleController.addPowerSaveTempWhitelistApp does not exist,
 - domains is ArrayList<String> not ArraySet<String> so adding
   dummy domainsList]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63

Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.

Bug: 150857253

Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest

[basilgello: Backport to 14.1:
 - callingUid -> Binder.getCallingUid()]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
(cherry picked from commit fc8bfed5)

This reverts commit f697cd3b.

Reason for revert: Inadvertently broke link handling stickiness even for well behaved apps

Bug: 146204120
Test: install app that handles web urls; set to 'always' in Settings;
install same apk again.  Verify that app is still in 'always' state via
'adb shell dumpsys package d'

Merged-In: If9046cb420961b8ef0333e9f1115eb69fb92242e
Change-Id: I36d9c352e741e88b9fc773b084bef3991b6d96ed

nougat grant /e/ mail default permissions

See merge request !81

Change tasks app permission name from "org.dmfs" to "foundation.e"

See merge request !73