Merge tag 'android-security-11.0.0_r57' of https://android.googlesource.com/platform/frameworks/base into staging/lineage-18.1_merge_android-security-11.0.0_r57

Android security 11.0.0 release 57

* tag 'android-security-11.0.0_r57' of https://android.googlesource.com/platform/frameworks/base:
  Crash invalid FGS notifications
  [RESTRICT AUTOMERGE] Log to EventLog on prepareUserStorage failure
  [RESTRICT AUTOMERGE] Ignore errors preparing user storage for existing users
  [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery for system user only
  [RESTRICT AUTOMERGE] UserDataPreparer: reboot to recovery if preparing user storage fails
  [RESTRICT AUTOMERGE] StorageManagerService: don't ignore failures to prepare user storage

Change-Id: Ia902573185b3700e03308aa1a5f995b0ad0c9ee0

Merge tag 'android-security-11.0.0_r56' of https://android.googlesource.com/platform/frameworks/base into staging/lineage-18.1_merge_android-security-11.0.0_r56

Android Security 11.0.0 Release 56 (8528208)

* tag 'android-security-11.0.0_r56' of https://android.googlesource.com/platform/frameworks/base:
  Disallow PAP authentication when MPPE is requested
  limit TelecomManager#registerPhoneAccount to 10; api doc update
  [rvc] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning.
  Fix NPE
  Prevent non-admin users from deleting system apps.
  Fix security hole in GateKeeperResponse
  DO NOT MERGE Add an OEM configurable limit for zen rules
  Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.

Change-Id: I253da8c9f716439e73108e0568f9934a1984c134

Aaron Kling authored Jan 14, 2020 and Jan Altensen committed May 20, 2022

This is for handheld gaming devices that have batteries and are
using Android TV.

Change-Id: I22592699214d40aac2a733203b05c076b2a1ae70

Merge cherrypicks of [17416247, 17416248, 17416249, 17416250, 17452194, 17874414, 17864680] into security-aosp-rvc-release.

Change-Id: I2f6c72a9a9ab7c22c481e167f1215ffcf29028de

Test: CTS, ActivityManagerProcessStateTest
Fixes: 191981182
Change-Id: I13a0202b25c8118db47edba11a93c1939c94b392
(cherry picked from commit 6f657f8f)
(cherry picked from commit cb3c5c30092fb8527ff14118ccf04eae3a8363cb)
Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392

Bug: 224585613
Change-Id: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
(cherry picked from commit fbb632ea95ac5b6d9efa89e09d0988a9df4f19e4)
Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
(cherry picked from commit 0762961674f1454b7c7012a0ab53c427570e836c)
Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5

Unfortunately we can't rule out the existence of devices where the user
storage wasn't properly prepared, due to StorageManagerService
previously ignoring errors from mVold.prepareUserStorage, combined with
OEMs potentially creating files in per-user directories too early.  And
forcing these broken devices to be factory reset upon taking an OTA is
not currently considered to be acceptable.

One option is to only check for prepareUserStorage errors on devices
that launched with T or later.  However, this is a serious issue and it
would be strongly preferable to do more than that.

Therefore, this CL makes it so that errors are checked for all new
users, rather than all new devices.  A field ignorePrepareStorageErrors
is added to the user record; it is only ever set to true implicitly,
when reading a user record from disk that lacks this field.  This field
is used by StorageManagerService to decide whether to check for errors.

Bug: 164488924
Bug: 224585613
Test: Intentionally made a device affected by this issue by reverting
      the CLs that introduced the error checks, and changing vold to
      inject an error into prepareUserStorage.   Then, flashed a build
      with this CL without wiping userdata.  The device still boots, as
      expected, and the log shows that the error was intentionally
      ignored.  Tested that if a second user is added, the error is
      *not* ignored and the second user's storage is destroyed before it
      can be used.  Finally, wiped the device and verified that it won't
      boot up anymore, as expected since error checking is enabled for
      the system user in that case.
Change-Id: I9bdd1a4bf5b14542adb901f264a91d489115c89b
(cherry picked from commit 60d8318c47b7b659716d71243d087b34ab327f64)
Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
(cherry picked from commit e03e987337accde646e4e86c1fdfe02c0d78d743)
Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b

With the next CL, old devices might contain a combination of old users
with prepareUserStorage error checking disabled and new users with
prepareUserStorage error checking enabled.  Factory resetting the whole
device when any user fails to prepare may be too aggressive.  Also,
UserDataPreparer already destroys the affected user's storage when it
fails to prepare, which seems to be fairly effective at breaking things
for that user (absent proper error handling by upper layers).

Therefore, let's only factory reset the device if the failing user is
the system user.

Bug: 164488924
Bug: 224585613
Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
(cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7)
Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
(cherry picked from commit ecf569bd1623231984e9ec9823edb82f52d7846a)
Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97

StorageManager.prepareUserStorage() can throw an exception if a
directory cannot be encrypted, for example due to already being
nonempty.  In this case, usage of the directory must not be allowed to
proceed.  UserDataPreparer currently handles this by deleting the user's
directories, but the error is still ultimately suppressed and starting
the user is still allowed to proceed.

The correct behavior in this case is to reboot into recovery to ask the
user to factory reset the device.  This is already what happens when
'init' fails to encrypt a directory with the system DE policy.  However,
this was overlooked for the user directories.  Start doing this.

Bug: 164488924
Bug: 224585613
Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
(cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254)
Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
(cherry picked from commit 69c3ce70c6dcabf57219d338af86e569ea672ef5)
Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54

We must never leave directories unencrypted.

Bug: 164488924
Bug: 224585613
Change-Id: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
(cherry picked from commit 50946dd15fd14cbf92b5c7e32ac7a0f088b8b302)
Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
(cherry picked from commit ecffe3ecbf4cb01055bd2f852d95396f2475fc01)
Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2

Android Security 11.0.0 Release 55 (8287685)

* tag 'android-security-11.0.0_r55':
  Always restart apps if base.apk gets updated.
  Verify caller before auto granting slice permission
  [DO NOT MERGE] Keyguard - Treat messsages to lock with priority
  [RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task
  Filter notification APIs by user

Conflicts:
	services/core/java/com/android/server/wm/RootWindowContainer.java

Change-Id: I3de384c44e161c0ad6b2dd0540e9ad0eb5346c11

Merge cherrypicks of [16961349, 17186290, 17046136, 17343925, 17408864, 17591190, 17591530, 16908080, 17614780] into security-aosp-rvc-release.

Change-Id: I47e20d457154fa79820017454ec6034645ffb1d5

MPPE cannot work if PAP is used as authentication, so it is not useful
to allow PAP authentication when MPPE is enforced: establishing the
tunnel would fail anyway with "MPPE required, but MS-CHAP[v2] auth not
performed".
Also users enforcing MPPE may assume that this means PAP will not be
used for authentication, so without this change MPPE enforcement gives a
false sense of security, as PAP uses plain-text credentials.

Bug: 201660636
Test: atest VpnTest
Merged-In: Ie318d45fe44294e97cf38da7f1834cf014cb4417
Change-Id: Ie318d45fe44294e97cf38da7f1834cf014cb4417
(cherry picked from commit 997a4a39268b4f3af7ccc388269b5eb1972d3624)
(cherry picked from commit 4f319df8)
Merged-In: Ie318d45fe44294e97cf38da7f1834cf014cb4417

bug: 209814693
Bug: 217934478
Test: CTS
Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
(cherry picked from commit f0f67b5a)
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57

Test: atest android.devicepolicy.cts.DevicePolicyManagerTest
Bug: 210469972
Change-Id: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
(cherry picked from commit bde28d28)
Merged-In: I2de99f9ccd8b27ffdc2562fa451f132e73d54317

NPE happens when there is an orphaned session which we've
tried to prevent in all cases.

Log an error message if this situation happens.

Bug: 227342978
Test: atest CtsRootPackageInstallerHostTestCases
Change-Id: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
(cherry picked from commit 07e31dfb1efabc8110d64819f26a06e12a35e020)
Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc
(cherry picked from commit e58049a3)
Merged-In: Ia21323926bd9db1a6f05461904deb45b4c3dd0bc

This addresses a security issue where the guest user can remove updates
for system apps.

With this CL, attempts to uninstall/downgrade system apps will fail if
attempted by a non-admin user.

This is a backport of ag/17352264.

Bug: 170646036
Test: manual, try uninstalling system app update as guest
Change-Id: I79c3bf303e729e00d8fb12c40330bc10c5ffec6e
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
(cherry picked from commit 6c870e15)
Merged-In: I79c3bf303e729e00d8fb12c40330bc10c5ffec6e

GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.

We fixed related issues previously for GateKeeperResponse class, but
one of the case was remaining when payload is byte array of size 0,
Fixing this case now.

Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586

(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)

Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
(cherry picked from commit 658c53c4)
Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958

Test: ZenModeHelperTest
Bug: 220735360
Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
(cherry picked from commit 1db5d402)
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36

Test: manual
Bug: 216631962

Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
(cherry picked from commit ba3acb3e)
Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3

Android security 11.0.0 release 54

* tag 'android-security-11.0.0_r54':
  [RESTRICT AUTOMERGE] Add hide-non-system-overlay flag for HarmfulAppWarningActivity
  BG-FGS-start while-in-use permission restriction improvement.
  Restrict AdbManager broadcasts to apps with MANAGE_DEBUGGING permission.
  Prevent apps from creating blocked channel groups

Change-Id: I8b6370cb873a42f9c41ca24f24a69a18d3b1e0fc

Upstream change 5d30b701 ("BG-FGS-start while-in-use permission
restriction improvement") properly fixes what we needed to work-around.

This reverts commit b64352d7.

Change-Id: I00b3ab4161dceddff015e4f5365cd777acfe2faa

Pretend the device does not support key attestation

See merge request !113

Indeed, adding this extra space at the end of the model name
prevent the enforcement of hardware-backend attestation.

This patch is based on kdrag0n's patch:
https://github.com/ProtonAOSP/android_frameworks_base/commit/f1d08fac5cc41c7d44961ca8ab554574864f5579

This allow us to pass SafetyNet.

We shunt hardware-backed key attestation to fallback
to basic integrity check.

This patch is based on kdrag0n's patch:
https://github.com/ProtonAOSP/android_frameworks_base/commit/1981f91e9c86aa8284d5858b950364ba0b1859c2

There is no longer a requirement for IEC61937 streams to be stereo.
For high bit-rate streams they may have 8 channels.

Test: create AudioTrack with 8 channel IEC61937
Bug: 31916412
Change-Id: I4dfd3e78041a81601d5bde47a4deaa0313066028

Location: always return false when querying mock provider

See merge request !111

Using Resources.getDrawable(int) is deprecated because it lacks theme information,
and I was seeing a crash because theme attributes were not fully resolved.

Test: manual
Change-Id: Idf1b13e16362c2e06227813f4298091ba4406bd5

Change-Id: Ib001ce767067e3789ea5957ac9b23ed416341d18

Merge cherrypicks of [16873394, 16811765, 16371387, 17089346, 17112304] into security-aosp-rvc-release.

Change-Id: I8b72dbaa21562144b6555532ff531a5edd22b3a5