Merge tag 'android-security-11.0.0_r49' into staging/lineage-18.1_merge-android-security-11.0.0_r49

Android security 11.0.0 release 49

* tag 'android-security-11.0.0_r49':
  Changed INTERACT_ACROSS_PROFILES appop to be set per UID
  TIF: fix issue of using caller-aware methods after clearCallingIdentity()
  Backporting the change of ag/15629060 to rvc-dev
  Bluetooth: Fix formatting in getAlias()
  Fix parsing code parcelling errors
  camera2: Fix exception swallowing in params classes createFromParcel
  Revert "BG-FGS-start while-in-use permission restriction improve..."
  Make sure that only the owner can call stopVpnProfile()
  DO NOT MERGE Apply a maximum char count to the load label api
  Send targeted broadcasts to prevent other apps from receiving them.
  Guard DISABLE_PLUGIN with PLUGIN permission.
  Fix a potential thread safety issue in VectorDrawable
  Fix background bypass via notifications
  Change ownership of the account request notification.
  Revert "wifidisplay: restrict broadcast by the proper permission"
  Use IntentFilter CREATOR directly for serializing ParsedIntentInfo
  Don't export HeapDumpProvider.
  Don't attach private Notification to A11yEvent when user locked
  Avoid locking profile task when it is already lock
  Improve ellipsize performance
  Fix side effects of trace-ipc and dumpheap commands
  DO NOT MERGE Add cross-user check for getDefaultSmsPackage().
  BG-FGS-start while-in-use permission restriction improvement.
  Remove ParsedIntentInfo CREATOR
  Fix race condition between lockNow() and updateLockscreenTimeout
  [security] SubscriptionGroup is exposed to unprivileged callers
  Block SAF directory access to /sdcard/Android
  [RESTRICT AUTOMERGE] Fix OOB write in noteAtomLogged
  Remove sendNetworkConditionsBroadcast
  Ensure storage permission revoke happens for all users
  Restrict alarm broadcast
  Detects all activities for whether showing work challenge
  DO NOT MERGE - Disallow deletion of channels with FGS notifications
  Increase maximum allowed size for status bar icons
  [DO NOT MERGE] Make PendingIntents in screenshots immutable
  wifidisplay: restrict broadcast by the proper permission
  Fix legacy APIs when VPN switches to suspended underlying network.
  Backport test coverage from aosp/1547496.
  Backport some helpers in ConnectivityServiceTest.
  Test for bugs with suspended VPN underlying networks.
  Add a test for getDefaultNetworkCapabilitiesForUser.
  Improve testing of CONNECTIVITY_ACTION broadcasts.
  Test passing an underlying network array with null network in it.
  Make testVpnNetworkActive more deterministic.
  Make MockVpn more realistic and easier to use.
  Increase test coverage for VPN info sent to NetworkStatsService.
  Simplify MockVpn.
  Test a VPN with an underlying network that does not yet exist.
  Limit maximum allowed size for a status bar icon
  Adds caller check to getAllPackages()
  Restrict the overridden min size for PiP
  Add pkg target to snoozing alarm
  Allow empty tokens in strict grammar
  Allow empty tokens in strict grammar
  [DO NOT MERGE] Make screenshot error notification PendingIntent immutable
  DO NOT MERGE: Associate notif cancels with notif posts
  [RESTRICT AUTOMERGE] Use userId instead of USER_CURRENT in shouldLockKeyguard.
  Revoke storage on SDK downgrade or new full storage request
  [DO NOT MERGE] Close screenshot process on user switched
  Fix thread safety issue on clearing cache
  [SettingsProvider] extend font size scale range
  DO NOT MERGE: Do not inject mock location to chipset
  [RESTRICT AUTOMERGE] Fix potential out of bounds writes in LogEvent.
  Check mode/boost index before accessing cached support value
  Only update native InputApplicationHandle once
  Allow CDM to hide overlays
  Prevent non-system overlays from showing over CDM UI
  RESTRICT AUTOMERGE: Set mAllowWhileInUsePermissionInFgs correctly when bindService() from background.
  Protect account chooser activities against overlay.
  [SettingsProvider] fix font size scale validator
  Ensure caller identity is restored in CP quick-path.
  Remove updateIntentVerificationStatusAsUser from ResolverActivity
  Revoke the uri permission when the file is deleted
  Ignore GrantCredentials call with unexpected calling uid.
  Protect GrantCredentialsPermissionActivity against overlay.
  Revoke permission on non-runtime -> runtime upgrade
  Ensure permissions are revoked on state changes
  Hide overlays over uninstall confirm dialog
  RESTRICT AUTOMERGE Fix CDM package check
  remove sensitive pii from safetynet logging
  Revoke install permissions when the permission defining app is uninstalled.
  DO NOT MERGE Check fingerprint client against top activity in auth callback
  Fix the issue provider can be wrong when requesting slice permission
  Enforce permission checks in getting app exit reasons
  Fix storing the wrong value of mLockdown in setting
  [BACKPORT] Improve location checks in TelephonyRegistry
  Do not re-initialize synthetic password
  Fix VrDisplayTest failure
  Require permission to create trusted displays
  Accept repeated locale as an input of LocaleList construction.
  Sanitize more of the notification text fields
  DO NOT MERGE Fix NPE in executeDeletePackageLIF.
  DO NOT MERGE Don't allow non-instant permissions for instant apps.
  Mark implicit PendingIntents as immutable
  Add missing isShellUser check
  Decouple FUSE mount from main thread for demo user
  Set the NetworkInfo subtype to 0.
  Reduce demo user FUSE volume mount timeout
  Propagate AudioAttributes flags to VibrationAttributes
  Allow network stack UID caller to retrieve cell identity
  Ignore GONE views in shade when processing sections
  Fix unintended preferred activity reset
  Skip bg PSS collection for apps using a camera
  Fix missing IME switcher icon (w/ a hardware keyboard)
  Java docs update: Advise not to include PII in setProcessStateSummary
  Grant visibility even when not granting URI perm
  Fix NavigationBarColorTest
  Prevent exception when surrounding text retrieval
  Resume-on-Reboot: remove special string
  Wait for remote animation to stop freezing display
  Remove incorrect optimization in visibility cache
  Early exit when target app ID < FIRST_APP_UID
  Fixes broadcast filtering for multi-user sys apps
  Repopulate cache with sibling visibility on remove
  Revert "Hide bubbles' IME after screenshot is taken."
  Ensure we always bind to overview service when starting up
  Fix missing icon for one-to-one convos
  Fix missing icon for one-to-one convos
  Revert "Exception if receive move withouth down"
  Revert "Consolidating MODIFY_AUDIO_SETTINGS permission checks"
  Revert "Flip ENABLE_DYNAMIC_PERMISSIONS, attempt #5."
  Revert "Flip ENABLE_DYNAMIC_PERMISSIONS, attempt #4."
  Revert "Flip ENABLE_DYNAMIC_PERMISSIONS."
  Revert "Flip ENABLE_DYNAMIC_PERMISSIONS."
  Revert "System Bars animation for fixed rotation transform"
  Revert "Don't readd pending notifs to NEM's allNotifs list"
  Fixed a bug where the brighness mirror would make everything invisible
  Fix crash caused by unhandled bucket
  Adding UiModeManager Custom Tests
  Revert "Fix missing animation when launch activity from notification."
  Revert "Prevent NPE in PulseExpansionHandler"
  Revert "Fix missing animation when launch activity from notification."
  Revert "Prevent NPE in PulseExpansionHandler"
  Revert "Fix missing animation when launch activity from notification."
  Check URI is valid for loading images
  Add READ_PHONE_STATE back to pregranted phone permissions
  Add delay between quota check alarms.
  Add READ_PHONE_STATE back to pregranted phone permissions
  Add READ_PHONE_STATE back to pregranted phone permissions
  Fix Ime consumer isRequestedVisible
  Disable overflow menu on lock screen.
  Ensure power menu overflow dismissed when dialog dismissed.
  Fix NPE when ranking update causes reinflation
  Only give DisplayInsetsController control over IME in split-screen
  Re-send the IME control after IME is re-created
  Update destination bounds if rotation finishes first
  Reboot the soundtrigger HAL on failure
  Add /apex to the list of allowed SystemServer paths
  Revert "Fix exception handling in getState() binder cache"
  Only use the IME target from IMMS to update the IME control target
  WindowInsetsAnimation: Fix app driven closing of IME
  WindowInsetsAnimation: Synchronously dispatch window insets animation callbacks
  WindowInsets: Ignore consumeStableInsets()
  Request fit system windows if soft input mode updates
  Update insets state for each window if its mBehindIme is changed
  Fixes NPE and adds @nullable to PackageSetting.pkg
  startop: Fix a string format bug in EventSequenceValidator.
  Work around for display info mismatch during the PiP transition
  Work around for display info mismatch during the PiP transition
  Give tethering bluetooth privilege permission
  Make canBeImeTarget be compatible with legacy behavior
  Give tethering bluetooth privilege permission
  Revert "Don't override activity display adjustments with app config"
  Make canBeImeTarget be compatible with legacy behavior
  fix enrollment application permission check
  add KEYPHRASE_ENROLLMENT_APPLICATION permission
  Make canBeImeTarget be compatible with legacy behavior
  Fixes query logic when not instant
  Fixes query logic when not instant
  Make canBeImeTarget be compatible with legacy behavior
  Call setAdapter from handleLayoutChanged.
  Use BIND_INCLUDE_CAPABILITIES for SoundTriggerService
  Assign a BluetoothAdapter on creation of LMM
  Use the bounds received in taskAppeared
  Assign a BluetoothAdapter on creation of LMM
  Revert "Do not block autofill on waiting for the IME response"
  Revert "Fix bouncer race condition"
  Null-check notif chan when ident people notifs
  Don't apply ime adjustments/dims if split is not active
  Restores PiP to its original app bounds
  Revert "media: lazy MediaCodec.release()"
  Some clean-up of divider code in preparation for bugfixes
  Revert "Some clean-up of divider code in preparation for bugfixes"
  Revert "Don't apply ime adjustments/dims if split is not active"
  Don't apply ime adjustments/dims if split is not active
  Some clean-up of divider code in preparation for bugfixes
  Revert "media: lazy MediaCodec.release()"
  InsetController: Release leashes from RenderThread
  Fix instances of ContentObserver#onChange in SystemUI
  Adjust users of hidden APIs.
  Revert "Turn on QS media player by default"
  Dark theme upgrade broken
  Change animation-leash to be a container layer
  Dark theme upgrade broken
  Reset controls when playback state is NONE
  Relax permission checks in sound trigger middleware
  Revert "Turn on QS media player by default"
  Dark theme not working bug
  Dark theme not working bug
  Revert "Fix permission check for get/setSmscAddress."
  Ignore unchecked IME show/hide when no root
  Initialize PackageManagerService ApplicationInfo instances to system user
  Ensures display rotation triggers PiP re-position
  DO NOT MERGE: Fix FLAG_NOT_FOCUSABLE ime target
  Revert "Avoid creating new instance on top when started for resu..."
  Don't crash if NSSL gets incomplete gesture
  DO NOT MERGE: Fix FLAG_NOT_FOCUSABLE ime target
  Revert "Avoid creating new instance on top when started for resu..."
  Don't crash if NSSL gets incomplete gesture
  Revert "Avoid creating new instance on top when started for resu..."
  Don't crash if NSSL gets incomplete gesture
  Fix PackageSetting isUpdatedSystemApp and SYSTEM_EXT rescan
  Revert "Avoid creating new instance on top when started for resu..."
  Do not attempt to special case uncompressed font assets.
  Fix crash during SysUI dumpsys
  Re-add compile_multilib to statsd apex
  Revert "Limit metricslogger call into statsdw for events"
  Revert "Remove libstats_jni from the platform"
  Revert "Move libstatspull to the apex"
  Revert "Require user pass in a non-null BluetoothDevice to all B..."
  Fail silently on MediaScannerConnection#onScanCompleted
  Revert "Prevents an NPE when content provider is slow to start"
  Fix content views not updating
  Fix content views not updating
  Fix the NPE when reading the call log or SMS if a device has multiple user profiles
  Fix Keyboard won't display when RemoteInput active
  Revert "Add permissions for using PlatformCompat methods"
  Revert "API for Inline Presentation Renderer in ExtServices."
  Fixup SDCARD_RW GID for multi-user.
  Revert "Move text toast creation to system UI"
  MediaSessionRecord: fix volume stream query
  Always set NetworkInfo objects to available.
  Fix emergency button overlap with nav bar
  Revert "Convert NotificationContentInflater to singleton"
  Revert "Move a bunch of row setters into an init method."
  Remove resource overlayable configuration
  AudioService: log result of AudioSystem calls for A2DP devices
  AudioService: fix A2DP disconnection / reconnection
  AudioService: fix A2DP disconnection / reconnection
  Revert "Rmove @UnsupportedAppUsage"
  Revert "Merge "switch to new SkPathDirection enum""
  RecoverySystem: do not check if socket is closed
  Fix swiping down on the notch.
  Add synchronization for PermissionData.
  Revert "Replace framework-annotation-proc java lib with framework-all"
  Freeup lock when IME is set inactive and unbound
  Revert submission
  Revert "Clean up visibility related flags in ActivityRecord"
  Revert "Clean up visibility related flags in WindowToken"
  Revert "Clean up visibility related flags in ActivityRecord"
  Call appOps changed from main thread
  Revert "Create unit tests for GnssManagerService"
  Initialize AppCompatCallbacks in system server
  Prevent crash when invoking GNSS apis
  Return resume result in resumeFocusedStacksTopActivities
  Prevent crash when invoking GNSS apis
  Return resume result in resumeFocusedStacksTopActivities
  Return resume result in resumeFocusedStacksTopActivities
  Revert "Move DozeServiceHost out of StatusBar."
  Ensure next home activity is ready before finish FallbackHome
  Temporarily do not remove biometric view when animating to credential
  Revert "Move DozeServiceHost out of StatusBar."
  Ensure next home activity is ready before finish FallbackHome
  Mark BiometricUnlockController as @singleton
  Add userId to the package name API.
  Revert "Example for disabling changes at test time"
  Revert "Drop all caches in UI_HIDDEN"
  Make KeyguardUpdateMonitor a singleton
  Ensure that view is initialized properlly upon inflation.
  Revert "Remove many (most) of the calls to Dependency.get() from StatusBar."
  Fix NavigationBarController NPE
  Fix NavigationBarController NPE
  SurfaceView: Release Surfaces where SurfaceControl are released.
  Breaks isInstantApp into public and internal
  Clears calling identity when calling isInstantApp
  Workaround multiple instance of AppComponentFactory.
  Ensure that the Application is constructed before any Service.
  Remove KeyguardUpdateMonitor.getInstance().
  Fixes regression caused by ag/9259064
  Fix regression in updating gesture exclusion rects
  Fix regression in updating gesture exclusion rects
  Fix regression in updating gesture exclusion rects
  Fix regression in updating gesture exclusion rects
  Clear calling identity as broadcast needs permission
  WifiManager: Return dummy values when wifi service is not up
  Adding null checks
  Revert SurfaceView back to Q's version
  Revert "Use the SubId in the TM.getNetworkType if Valid"
  Retire unused android::nio_{get,release}Buffer functions
  Skip idmap1 generation if target defines overlayable
  Ensure all fields of AutoBufferPointer are initialized

Change-Id: I4838416fa76f01643eccb8c6689c10499f5862d4

Author: haggertk

core/java/android/bluetooth/BluetoothDevice.java

@@ -1230,7 +1230,10 @@ public String getAlias() {
             if (alias == null) {
                 return getName();
             }
-            return alias;
+            return alias
+                    .replace('\t', ' ')
+                    .replace('\n', ' ')
+                    .replace('\r', ' ');
         } catch (RemoteException e) {
             Log.e(TAG, "", e);
         }

core/java/android/content/pm/parsing/ParsingPackageImpl.java

@@ -1007,7 +1007,7 @@ public void writeToParcel(Parcel dest, int flags) {
         sForInternedStringList.parcel(this.requestedPermissions, dest, flags);
         sForInternedStringList.parcel(this.implicitPermissions, dest, flags);
         sForStringSet.parcel(this.upgradeKeySets, dest, flags);
-        dest.writeMap(this.keySetMapping);
+        ParsingPackageUtils.writeKeySetMapping(dest, this.keySetMapping);
         sForInternedStringList.parcel(this.protectedBroadcasts, dest, flags);
         dest.writeTypedList(this.activities);
         dest.writeTypedList(this.receivers);
@@ -1026,7 +1026,7 @@ public void writeToParcel(Parcel dest, int flags) {
         dest.writeBoolean(this.use32BitAbi);
         dest.writeBoolean(this.visibleToInstantApps);
         dest.writeBoolean(this.forceQueryable);
-        dest.writeParcelableList(this.queriesIntents, flags);
+        dest.writeTypedList(this.queriesIntents, flags);
         sForInternedStringList.parcel(this.queriesPackages, dest, flags);
         sForInternedStringSet.parcel(this.queriesProviders, dest, flags);
         dest.writeString(this.appComponentFactory);
@@ -1169,7 +1169,7 @@ public ParsingPackageImpl(Parcel in) {
         this.requestedPermissions = sForInternedStringList.unparcel(in);
         this.implicitPermissions = sForInternedStringList.unparcel(in);
         this.upgradeKeySets = sForStringSet.unparcel(in);
-        this.keySetMapping = in.readHashMap(boot);
+        this.keySetMapping = ParsingPackageUtils.readKeySetMapping(in);
         this.protectedBroadcasts = sForInternedStringList.unparcel(in);
 
         this.activities = in.createTypedArrayList(ParsedActivity.CREATOR);

core/java/android/content/pm/parsing/ParsingPackageUtils.java

@@ -84,6 +84,7 @@
 import android.os.Build;
 import android.os.Bundle;
 import android.os.FileUtils;
+import android.os.Parcel;
 import android.os.RemoteException;
 import android.os.Trace;
 import android.os.ext.SdkExtensions;
@@ -2834,6 +2835,68 @@ private static String nonResString(@StyleableRes int index, TypedArray sa) {
         return sa.getNonResourceString(index);
     }
 
+    /**
+     * Writes the keyset mapping to the provided package. {@code null} mappings are permitted.
+     */
+    public static void writeKeySetMapping(@NonNull Parcel dest,
+            @NonNull Map<String, ArraySet<PublicKey>> keySetMapping) {
+        if (keySetMapping == null) {
+            dest.writeInt(-1);
+            return;
+        }
+
+        final int N = keySetMapping.size();
+        dest.writeInt(N);
+
+        for (String key : keySetMapping.keySet()) {
+            dest.writeString(key);
+            ArraySet<PublicKey> keys = keySetMapping.get(key);
+            if (keys == null) {
+                dest.writeInt(-1);
+                continue;
+            }
+
+            final int M = keys.size();
+            dest.writeInt(M);
+            for (int j = 0; j < M; j++) {
+                dest.writeSerializable(keys.valueAt(j));
+            }
+        }
+    }
+
+    /**
+     * Reads a keyset mapping from the given parcel at the given data position. May return
+     * {@code null} if the serialized mapping was {@code null}.
+     */
+    @NonNull
+    public static ArrayMap<String, ArraySet<PublicKey>> readKeySetMapping(@NonNull Parcel in) {
+        final int N = in.readInt();
+        if (N == -1) {
+            return null;
+        }
+
+        ArrayMap<String, ArraySet<PublicKey>> keySetMapping = new ArrayMap<>();
+        for (int i = 0; i < N; ++i) {
+            String key = in.readString();
+            final int M = in.readInt();
+            if (M == -1) {
+                keySetMapping.put(key, null);
+                continue;
+            }
+
+            ArraySet<PublicKey> keys = new ArraySet<>(M);
+            for (int j = 0; j < M; ++j) {
+                PublicKey pk = (PublicKey) in.readSerializable();
+                keys.add(pk);
+            }
+
+            keySetMapping.put(key, keys);
+        }
+
+        return keySetMapping;
+    }
+
+
     /**
      * Callback interface for retrieving information that may be needed while parsing
      * a package.

core/java/android/hardware/camera2/params/OutputConfiguration.java

@@ -631,13 +631,7 @@ public int getSurfaceGroupId() {
             new Parcelable.Creator<OutputConfiguration>() {
         @Override
         public OutputConfiguration createFromParcel(Parcel source) {
-            try {
-                OutputConfiguration outputConfiguration = new OutputConfiguration(source);
-                return outputConfiguration;
-            } catch (Exception e) {
-                Log.e(TAG, "Exception creating OutputConfiguration from parcel", e);
-                return null;
-            }
+            return new OutputConfiguration(source);
         }
 
         @Override

core/java/android/hardware/camera2/params/SessionConfiguration.java

@@ -143,13 +143,7 @@ private SessionConfiguration(@NonNull Parcel source) {
             new Parcelable.Creator<SessionConfiguration> () {
         @Override
         public SessionConfiguration createFromParcel(Parcel source) {
-            try {
-                SessionConfiguration sessionConfiguration = new SessionConfiguration(source);
-                return sessionConfiguration;
-            } catch (Exception e) {
-                Log.e(TAG, "Exception creating SessionConfiguration from parcel", e);
-                return null;
-            }
+            return new SessionConfiguration(source);
         }
 
         @Override

core/java/android/hardware/camera2/params/VendorTagDescriptor.java

@@ -36,13 +36,7 @@ private VendorTagDescriptor(Parcel source) {
             new Parcelable.Creator<VendorTagDescriptor>() {
         @Override
         public VendorTagDescriptor createFromParcel(Parcel source) {
-            try {
-                VendorTagDescriptor vendorDescriptor = new VendorTagDescriptor(source);
-                return vendorDescriptor;
-            } catch (Exception e) {
-                Log.e(TAG, "Exception creating VendorTagDescriptor from parcel", e);
-                return null;
-            }
+            return new VendorTagDescriptor(source);
         }
 
         @Override

core/java/android/hardware/camera2/params/VendorTagDescriptorCache.java

@@ -36,13 +36,7 @@ private VendorTagDescriptorCache(Parcel source) {
             new Parcelable.Creator<VendorTagDescriptorCache>() {
         @Override
         public VendorTagDescriptorCache createFromParcel(Parcel source) {
-            try {
-                VendorTagDescriptorCache vendorDescriptorCache = new VendorTagDescriptorCache(source);
-                return vendorDescriptorCache;
-            } catch (Exception e) {
-                Log.e(TAG, "Exception creating VendorTagDescriptorCache from parcel", e);
-                return null;
-            }
+            return new VendorTagDescriptorCache(source);
         }
 
         @Override

core/java/android/hardware/display/DisplayManager.java

@@ -61,9 +61,6 @@ public final class DisplayManager {
      * {@link #EXTRA_WIFI_DISPLAY_STATUS} extra.
      * </p><p>
      * This broadcast is only sent to registered receivers and can only be sent by the system.
-     * </p><p>
-     * {@link android.Manifest.permission#ACCESS_FINE_LOCATION} permission is required to
-     * receive this broadcast.
      * </p>
      * @hide
      */

packages/CompanionDeviceManager/src/com/android/companiondevicemanager/DeviceChooserActivity.java

@@ -66,8 +66,8 @@ public void onCreate(Bundle savedInstanceState) {
             final DeviceFilterPair selectedDevice = getService().mDevicesFound.get(0);
             setTitle(Html.fromHtml(getString(
                     R.string.confirmation_title,
-                    getCallingAppName(),
-                    selectedDevice.getDisplayName()), 0));
+                    Html.escapeHtml(getCallingAppName()),
+                    Html.escapeHtml(selectedDevice.getDisplayName())), 0));
             mPairButton = findViewById(R.id.button_pair);
             mPairButton.setOnClickListener(v -> onDeviceConfirmed(getService().mSelectedDevice));
             getService().mSelectedDevice = selectedDevice;
@@ -76,7 +76,8 @@ public void onCreate(Bundle savedInstanceState) {
             setContentView(R.layout.device_chooser);
             mPairButton = findViewById(R.id.button_pair);
             mPairButton.setVisibility(View.GONE);
-            setTitle(Html.fromHtml(getString(R.string.chooser_title, getCallingAppName()), 0));
+            setTitle(Html.fromHtml(getString(R.string.chooser_title,
+                    Html.escapeHtml(getCallingAppName())), 0));
             mDeviceListView = findViewById(R.id.device_list);
             final DeviceDiscoveryService.DevicesAdapter adapter = getService().mDevicesAdapter;
             mDeviceListView.setAdapter(adapter);

services/core/java/com/android/server/am/ActiveServices.java

@@ -734,8 +734,11 @@ ComponentName startServiceLocked(IApplicationThread caller, Intent service, Stri
         }
         ComponentName cmp = startServiceInnerLocked(smap, service, r, callerFg, addToStarting);
 
-        setFgsRestrictionLocked(callingPackage, callingPid, callingUid, r,
-                allowBackgroundActivityStarts);
+        if (!r.mAllowWhileInUsePermissionInFgs) {
+            r.mAllowWhileInUsePermissionInFgs =
+                    shouldAllowWhileInUsePermissionInFgsLocked(callingPackage, callingPid,
+                            callingUid, service, r, allowBackgroundActivityStarts);
+        }
 
         return cmp;
     }
@@ -1408,6 +1411,14 @@ private void setServiceForegroundInnerLocked(final ServiceRecord r, int id,
                         +  String.format("0x%08X", manifestType)
                         + " in service element of manifest file");
                 }
+                // If the foreground service is not started from TOP process, do not allow it to
+                // have while-in-use location/camera/microphone access.
+                if (!r.mAllowWhileInUsePermissionInFgs) {
+                    Slog.w(TAG,
+                            "Foreground service started from background can not have "
+                                    + "location/camera/microphone access: service "
+                                    + r.shortInstanceName);
+                }
             }
             boolean alreadyStartedOp = false;
             boolean stopProcStatsOp = false;
@@ -1455,57 +1466,6 @@ && appRestrictedAnyInBackground(r.appInfo.uid, r.packageName)) {
                     ignoreForeground = true;
                 }
 
-                if (!ignoreForeground) {
-                    if (r.mStartForegroundCount == 0) {
-                        /*
-                        If the service was started with startService(), not
-                        startForegroundService(), and if startForeground() isn't called within
-                        mFgsStartForegroundTimeoutMs, then we check the state of the app
-                        (who owns the service, which is the app that called startForeground())
-                        again. If the app is in the foreground, or in any other cases where
-                        FGS-starts are allowed, then we still allow the FGS to be started.
-                        Otherwise, startForeground() would fail.
-
-                        If the service was started with startForegroundService(), then the service
-                        must call startForeground() within a timeout anyway, so we don't need this
-                        check.
-                        */
-                        if (!r.fgRequired) {
-                            final long delayMs = SystemClock.elapsedRealtime() - r.createRealTime;
-                            if (delayMs > mAm.mConstants.mFgsStartForegroundTimeoutMs) {
-                                resetFgsRestrictionLocked(r);
-                                setFgsRestrictionLocked(r.serviceInfo.packageName, r.app.pid,
-                                        r.appInfo.uid, r, false);
-                                EventLog.writeEvent(0x534e4554, "183147114",
-                                        r.appInfo.uid,
-                                        "call setFgsRestrictionLocked again due to "
-                                                + "startForegroundTimeout");
-                            }
-                        }
-                    } else if (r.mStartForegroundCount >= 1) {
-                        // The second or later time startForeground() is called after service is
-                        // started. Check for app state again.
-                        final long delayMs = SystemClock.elapsedRealtime() -
-                                r.mLastSetFgsRestrictionTime;
-                        if (delayMs > mAm.mConstants.mFgsStartForegroundTimeoutMs) {
-                            resetFgsRestrictionLocked(r);
-                            setFgsRestrictionLocked(r.serviceInfo.packageName, r.app.pid,
-                                    r.appInfo.uid, r, false);
-                            EventLog.writeEvent(0x534e4554, "183147114", r.appInfo.uid,
-                                    "call setFgsRestrictionLocked for "
-                                            + (r.mStartForegroundCount + 1) + "th startForeground");
-                        }
-                    }
-                    // If the foreground service is not started from TOP process, do not allow it to
-                    // have while-in-use location/camera/microphone access.
-                    if (!r.mAllowWhileInUsePermissionInFgs) {
-                        Slog.w(TAG,
-                                "Foreground service started from background can not have "
-                                        + "location/camera/microphone access: service "
-                                        + r.shortInstanceName);
-                    }
-                }
-
                 // Apps under strict background restrictions simply don't get to have foreground
                 // services, so now that we've enforced the startForegroundService() contract
                 // we only do the machinery of making the service foreground when the app
@@ -1541,7 +1501,6 @@ must call startForeground() within a timeout anyway, so we don't need this
                             active.mNumActive++;
                         }
                         r.isForeground = true;
-                        r.mStartForegroundCount++;
                         if (!stopProcStatsOp) {
                             ServiceState stracker = r.getTracker();
                             if (stracker != null) {
@@ -1600,7 +1559,6 @@ must call startForeground() within a timeout anyway, so we don't need this
                     decActiveForegroundAppLocked(smap, r);
                 }
                 r.isForeground = false;
-                resetFgsRestrictionLocked(r);
                 ServiceState stracker = r.getTracker();
                 if (stracker != null) {
                     stracker.setForeground(false, mAm.mProcessStats.getMemFactorLocked(),
@@ -2160,7 +2118,12 @@ public void run() {
                 }
             }
 
-            setFgsRestrictionLocked(callingPackage, callingPid, callingUid, s, false);
+            if (!s.mAllowWhileInUsePermissionInFgs) {
+                s.mAllowWhileInUsePermissionInFgs =
+                        shouldAllowWhileInUsePermissionInFgsLocked(callingPackage,
+                                callingPid, callingUid,
+                                service, s, false);
+            }
 
             if (s.app != null) {
                 if ((flags&Context.BIND_TREAT_LIKE_ACTIVITY) != 0) {
@@ -3456,7 +3419,7 @@ private final void bringDownServiceLocked(ServiceRecord r) {
         r.isForeground = false;
         r.foregroundId = 0;
         r.foregroundNoti = null;
-        resetFgsRestrictionLocked(r);
+        r.mAllowWhileInUsePermissionInFgs = false;
 
         // Clear start entries.
         r.clearDeliveredStartsLocked();
@@ -4937,7 +4900,7 @@ private void dumpService(String prefix, FileDescriptor fd, PrintWriter pw,
      * @return true if allow, false otherwise.
      */
     private boolean shouldAllowWhileInUsePermissionInFgsLocked(String callingPackage,
-            int callingPid, int callingUid, ServiceRecord r,
+            int callingPid, int callingUid, Intent intent, ServiceRecord r,
             boolean allowBackgroundActivityStarts) {
         // Is the background FGS start restriction turned on?
         if (!mAm.mConstants.mFlagBackgroundFgsStartRestrictionEnabled) {
@@ -5019,32 +4982,4 @@ private boolean shouldAllowWhileInUsePermissionInFgsLocked(String callingPackage
         }
         return false;
     }
-
-    boolean canAllowWhileInUsePermissionInFgsLocked(int callingPid, int callingUid,
-            String callingPackage) {
-        return shouldAllowWhileInUsePermissionInFgsLocked(
-                callingPackage, callingPid, callingUid, null, false);
-    }
-
-    /**
-     * In R, mAllowWhileInUsePermissionInFgs is to allow while-in-use permissions in foreground
-     *  service or not. while-in-use permissions in FGS started from background might be restricted.
-     * @param callingPackage caller app's package name.
-     * @param callingUid caller app's uid.
-     * @param r the service to start.
-     * @return true if allow, false otherwise.
-     */
-    private void setFgsRestrictionLocked(String callingPackage,
-            int callingPid, int callingUid, ServiceRecord r,
-            boolean allowBackgroundActivityStarts) {
-        r.mLastSetFgsRestrictionTime = SystemClock.elapsedRealtime();
-        if (!r.mAllowWhileInUsePermissionInFgs) {
-            r.mAllowWhileInUsePermissionInFgs = shouldAllowWhileInUsePermissionInFgsLocked(
-                    callingPackage, callingPid, callingUid, r, allowBackgroundActivityStarts);
-        }
-    }
-
-    private void resetFgsRestrictionLocked(ServiceRecord r) {
-        r.mAllowWhileInUsePermissionInFgs = false;
-    }
 }