Merge cherrypicks of [14129459, 14130267, 14129460, 14130198, 14130202, 14130204, 14130305, 14130306, 14130307, 14129440, 14129442, 14129443, 14129735, 14129736, 14129737, 14129738, 14129739, 14129444, 14130346, 14129741, 14130347, 14130348, 14129742, 14130349, 14130350, 14130351, 14130352, 14130244, 14129743, 14129744, 14130365, 14130037, 14130321, 14130322, 14130323, 14130324, 14130405] into security-aosp-rvc-release

Change-Id: I8786a91b48d55bcb8c3db013f1c0ffa37ad23c49

Author: android-build-team Robot

core/java/android/app/ActivityManagerInternal.java

@@ -377,6 +377,21 @@ public abstract void setDebugFlagsForStartingActivity(ActivityInfo aInfo, int st
      */
     public abstract boolean hasRunningForegroundService(int uid, int foregroundServiceType);
 
+    /**
+     * Returns {@code true} if the given notification channel currently has a
+     * notification associated with a foreground service.  This is an AMS check
+     * because that is the source of truth for the FGS state.
+     */
+    public abstract boolean hasForegroundServiceNotification(String pkg, @UserIdInt int userId,
+            String channelId);
+
+    /**
+     * If the given app has any FGSs whose notifications are in the given channel,
+     * stop them.
+     */
+    public abstract void stopForegroundServicesForChannel(String pkg, @UserIdInt int userId,
+            String channelId);
+
     /**
      * Registers the specified {@code processObserver} to be notified of future changes to
      * process state.

core/java/android/hardware/display/DisplayManager.java

@@ -61,6 +61,9 @@ public final class DisplayManager {
      * {@link #EXTRA_WIFI_DISPLAY_STATUS} extra.
      * </p><p>
      * This broadcast is only sent to registered receivers and can only be sent by the system.
+     * </p><p>
+     * {@link android.Manifest.permission#ACCESS_FINE_LOCATION} permission is required to
+     * receive this broadcast.
      * </p>
      * @hide
      */

core/java/android/os/Process.java

@@ -202,6 +202,12 @@ public class Process {
      */
     public static final int SE_UID = 1068;
 
+    /**
+     * Defines the UID/GID for the iorapd.
+     * @hide
+     */
+    public static final int IORAPD_UID = 1071;
+
     /**
      * Defines the UID/GID for the NetworkStack app.
      * @hide

packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java

@@ -283,8 +283,10 @@ Notification.Action createShareAction(Context context, Resources r, Uri uri) {
                         .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
 
         // cancel current pending intent (if any) since clipData isn't used for matching
-        PendingIntent pendingIntent = PendingIntent.getActivityAsUser(context, 0,
-                sharingChooserIntent, PendingIntent.FLAG_CANCEL_CURRENT, null, UserHandle.CURRENT);
+        PendingIntent pendingIntent = PendingIntent.getActivityAsUser(
+                context, 0, sharingChooserIntent,
+                PendingIntent.FLAG_CANCEL_CURRENT | PendingIntent.FLAG_IMMUTABLE,
+                null, UserHandle.CURRENT);
 
         // Create a share action for the notification
         PendingIntent shareAction = PendingIntent.getBroadcastAsUser(context, requestCode,
@@ -296,7 +298,8 @@ Notification.Action createShareAction(Context context, Resources r, Uri uri) {
                                 mSmartActionsEnabled)
                         .setAction(Intent.ACTION_SEND)
                         .addFlags(Intent.FLAG_RECEIVER_FOREGROUND),
-                PendingIntent.FLAG_CANCEL_CURRENT, UserHandle.SYSTEM);
+                PendingIntent.FLAG_CANCEL_CURRENT | PendingIntent.FLAG_IMMUTABLE,
+                UserHandle.SYSTEM);
 
         Notification.Action.Builder shareActionBuilder = new Notification.Action.Builder(
                 Icon.createWithResource(r, R.drawable.ic_screenshot_share),
@@ -325,7 +328,7 @@ Notification.Action createEditAction(Context context, Resources r, Uri uri) {
         editIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
 
         PendingIntent pendingIntent = PendingIntent.getActivityAsUser(context, 0,
-                editIntent, 0, null, UserHandle.CURRENT);
+                editIntent, PendingIntent.FLAG_IMMUTABLE, null, UserHandle.CURRENT);
 
         // Make sure pending intents for the system user are still unique across users
         // by setting the (otherwise unused) request code to the current user id.
@@ -342,7 +345,8 @@ Notification.Action createEditAction(Context context, Resources r, Uri uri) {
                                 mSmartActionsEnabled)
                         .setAction(Intent.ACTION_EDIT)
                         .addFlags(Intent.FLAG_RECEIVER_FOREGROUND),
-                PendingIntent.FLAG_CANCEL_CURRENT, UserHandle.SYSTEM);
+                PendingIntent.FLAG_CANCEL_CURRENT | PendingIntent.FLAG_IMMUTABLE,
+                UserHandle.SYSTEM);
         Notification.Action.Builder editActionBuilder = new Notification.Action.Builder(
                 Icon.createWithResource(r, R.drawable.ic_screenshot_edit),
                 r.getString(com.android.internal.R.string.screenshot_edit), editAction);
@@ -364,7 +368,9 @@ Notification.Action createDeleteAction(Context context, Resources r, Uri uri) {
                         .putExtra(GlobalScreenshot.EXTRA_SMART_ACTIONS_ENABLED,
                                 mSmartActionsEnabled)
                         .addFlags(Intent.FLAG_RECEIVER_FOREGROUND),
-                PendingIntent.FLAG_CANCEL_CURRENT | PendingIntent.FLAG_ONE_SHOT);
+                PendingIntent.FLAG_CANCEL_CURRENT
+                        | PendingIntent.FLAG_ONE_SHOT
+                        | PendingIntent.FLAG_IMMUTABLE);
         Notification.Action.Builder deleteActionBuilder = new Notification.Action.Builder(
                 Icon.createWithResource(r, R.drawable.ic_screenshot_delete),
                 r.getString(com.android.internal.R.string.delete), deleteAction);
@@ -405,7 +411,7 @@ private List<Notification.Action> buildSmartActions(
             PendingIntent broadcastIntent = PendingIntent.getBroadcast(context,
                     mRandom.nextInt(),
                     intent,
-                    PendingIntent.FLAG_CANCEL_CURRENT);
+                    PendingIntent.FLAG_CANCEL_CURRENT | PendingIntent.FLAG_IMMUTABLE);
             broadcastActions.add(new Notification.Action.Builder(action.getIcon(), action.title,
                     broadcastIntent).setContextual(true).addExtras(extras).build());
         }

packages/SystemUI/src/com/android/systemui/statusbar/StatusBarIconView.java

@@ -33,6 +33,7 @@
 import android.graphics.ColorMatrixColorFilter;
 import android.graphics.Paint;
 import android.graphics.Rect;
+import android.graphics.drawable.BitmapDrawable;
 import android.graphics.drawable.Drawable;
 import android.graphics.drawable.Icon;
 import android.os.Parcelable;
@@ -83,6 +84,16 @@ public class StatusBarIconView extends AnimatedImageView implements StatusIconDi
     public static final int STATE_DOT = 1;
     public static final int STATE_HIDDEN = 2;
 
+    /**
+     * Maximum allowed byte count for an icon bitmap
+     * @see android.graphics.RecordingCanvas.MAX_BITMAP_SIZE
+     */
+    private static final int MAX_BITMAP_SIZE = 100 * 1024 * 1024; // 100 MB
+    /**
+     * Maximum allowed width or height for an icon drawable, if we can't get byte count
+     */
+    private static final int MAX_IMAGE_SIZE = 5000;
+
     private static final String TAG = "StatusBarIconView";
     private static final Property<StatusBarIconView, Float> ICON_APPEAR_AMOUNT
             = new FloatProperty<StatusBarIconView>("iconAppearAmount") {
@@ -378,6 +389,22 @@ private boolean updateDrawable(boolean withClear) {
             Log.w(TAG, "No icon for slot " + mSlot + "; " + mIcon.icon);
             return false;
         }
+
+        if (drawable instanceof BitmapDrawable && ((BitmapDrawable) drawable).getBitmap() != null) {
+            // If it's a bitmap we can check the size directly
+            int byteCount = ((BitmapDrawable) drawable).getBitmap().getByteCount();
+            if (byteCount > MAX_BITMAP_SIZE) {
+                Log.w(TAG, "Drawable is too large (" + byteCount + " bytes) " + mIcon);
+                return false;
+            }
+        } else if (drawable.getIntrinsicWidth() > MAX_IMAGE_SIZE
+                || drawable.getIntrinsicHeight() > MAX_IMAGE_SIZE) {
+            // Otherwise, check dimensions
+            Log.w(TAG, "Drawable is too large (" + drawable.getIntrinsicWidth() + "x"
+                    + drawable.getIntrinsicHeight() + ") " + mIcon);
+            return false;
+        }
+
         if (withClear) {
             setImageDrawable(null);
         }

packages/SystemUI/tests/src/com/android/systemui/statusbar/StatusBarIconViewTest.java

@@ -35,6 +35,7 @@
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.res.Resources;
+import android.graphics.Bitmap;
 import android.graphics.Color;
 import android.graphics.drawable.Icon;
 import android.os.UserHandle;
@@ -123,4 +124,13 @@ public void testGetContrastedStaticDrawableColor() {
         assertEquals("Transparent backgrounds should fallback to drawable color",
                 color, mIconView.getStaticDrawableColor());
     }
+
+    @Test
+    public void testGiantImageNotAllowed() {
+        Bitmap largeBitmap = Bitmap.createBitmap(6000, 6000, Bitmap.Config.ARGB_8888);
+        Icon icon = Icon.createWithBitmap(largeBitmap);
+        StatusBarIcon largeIcon = new StatusBarIcon(UserHandle.ALL, "mockPackage",
+                icon, 0, 0, "");
+        assertFalse(mIconView.set(largeIcon));
+    }
 }

services/core/java/com/android/server/ConnectivityService.java

@@ -6316,6 +6316,25 @@ private NetworkCapabilities mixInCapabilities(NetworkAgentInfo nai, NetworkCapab
         return newNc;
     }
 
+    private void updateNetworkInfoForRoamingAndSuspended(NetworkAgentInfo nai,
+            NetworkCapabilities prevNc, NetworkCapabilities newNc) {
+        final boolean prevSuspended = !prevNc.hasCapability(NET_CAPABILITY_NOT_SUSPENDED);
+        final boolean suspended = !newNc.hasCapability(NET_CAPABILITY_NOT_SUSPENDED);
+        final boolean prevRoaming = !prevNc.hasCapability(NET_CAPABILITY_NOT_ROAMING);
+        final boolean roaming = !newNc.hasCapability(NET_CAPABILITY_NOT_ROAMING);
+        if (prevSuspended != suspended) {
+            // TODO (b/73132094) : remove this call once the few users of onSuspended and
+            // onResumed have been removed.
+            notifyNetworkCallbacks(nai, suspended ? ConnectivityManager.CALLBACK_SUSPENDED
+                    : ConnectivityManager.CALLBACK_RESUMED);
+        }
+        if (prevSuspended != suspended || prevRoaming != roaming) {
+            // updateNetworkInfo will mix in the suspended info from the capabilities and
+            // take appropriate action for the network having possibly changed state.
+            updateNetworkInfo(nai, nai.networkInfo);
+        }
+    }
+
     /**
      * Update the NetworkCapabilities for {@code nai} to {@code nc}. Specifically:
      *
@@ -6347,25 +6366,13 @@ private void updateCapabilities(final int oldScore, @NonNull final NetworkAgentI
             // on this network. We might have been called by rematchNetworkAndRequests when a
             // network changed foreground state.
             processListenRequests(nai);
-            final boolean prevSuspended = !prevNc.hasCapability(NET_CAPABILITY_NOT_SUSPENDED);
-            final boolean suspended = !newNc.hasCapability(NET_CAPABILITY_NOT_SUSPENDED);
-            final boolean prevRoaming = !prevNc.hasCapability(NET_CAPABILITY_NOT_ROAMING);
-            final boolean roaming = !newNc.hasCapability(NET_CAPABILITY_NOT_ROAMING);
-            if (prevSuspended != suspended || prevRoaming != roaming) {
-                // TODO (b/73132094) : remove this call once the few users of onSuspended and
-                // onResumed have been removed.
-                notifyNetworkCallbacks(nai, suspended ? ConnectivityManager.CALLBACK_SUSPENDED
-                        : ConnectivityManager.CALLBACK_RESUMED);
-                // updateNetworkInfo will mix in the suspended info from the capabilities and
-                // take appropriate action for the network having possibly changed state.
-                updateNetworkInfo(nai, nai.networkInfo);
-            }
         } else {
             // If the requestable capabilities have changed or the score changed, we can't have been
             // called by rematchNetworkAndRequests, so it's safe to start a rematch.
             rematchAllNetworksAndRequests();
             notifyNetworkCallbacks(nai, ConnectivityManager.CALLBACK_CAP_CHANGED);
         }
+        updateNetworkInfoForRoamingAndSuspended(nai, prevNc, newNc);
 
         // TODO : static analysis indicates that prevNc can't be null here (getAndSetNetworkCaps
         // never returns null), so mark the relevant members and functions in nai as @NonNull and

services/core/java/com/android/server/am/ActiveServices.java

@@ -119,6 +119,7 @@
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
 import java.util.function.Predicate;
 
@@ -433,6 +434,45 @@ boolean hasBackgroundServicesLocked(int callingUser) {
         return smap != null ? smap.mStartingBackground.size() >= mMaxStartingBackground : false;
     }
 
+    boolean hasForegroundServiceNotificationLocked(String pkg, int userId, String channelId) {
+        final ServiceMap smap = mServiceMap.get(userId);
+        if (smap != null) {
+            for (int i = 0; i < smap.mServicesByInstanceName.size(); i++) {
+                final ServiceRecord sr = smap.mServicesByInstanceName.valueAt(i);
+                if (sr.appInfo.packageName.equals(pkg) && sr.isForeground) {
+                    if (Objects.equals(sr.foregroundNoti.getChannelId(), channelId)) {
+                        if (DEBUG_FOREGROUND_SERVICE) {
+                            Slog.d(TAG_SERVICE, "Channel u" + userId + "/pkg=" + pkg
+                                    + "/channelId=" + channelId
+                                    + " has fg service notification");
+                        }
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
+    void stopForegroundServicesForChannelLocked(String pkg, int userId, String channelId) {
+        final ServiceMap smap = mServiceMap.get(userId);
+        if (smap != null) {
+            for (int i = 0; i < smap.mServicesByInstanceName.size(); i++) {
+                final ServiceRecord sr = smap.mServicesByInstanceName.valueAt(i);
+                if (sr.appInfo.packageName.equals(pkg) && sr.isForeground) {
+                    if (Objects.equals(sr.foregroundNoti.getChannelId(), channelId)) {
+                        if (DEBUG_FOREGROUND_SERVICE) {
+                            Slog.d(TAG_SERVICE, "Stopping FGS u" + userId + "/pkg=" + pkg
+                                    + "/channelId=" + channelId
+                                    + " for conversation channel clear");
+                        }
+                        stopServiceLocked(sr);
+                    }
+                }
+            }
+        }
+    }
+
     private ServiceMap getServiceMapLocked(int callingUser) {
         ServiceMap smap = mServiceMap.get(callingUser);
         if (smap == null) {

services/core/java/com/android/server/am/ActivityManagerService.java

@@ -19730,6 +19730,22 @@ public boolean hasRunningForegroundService(int uid, int foregroundServicetype) {
             return false;
         }
 
+        @Override
+        public boolean hasForegroundServiceNotification(String pkg, int userId,
+                String channelId) {
+            synchronized (ActivityManagerService.this) {
+                return mServices.hasForegroundServiceNotificationLocked(pkg, userId, channelId);
+            }
+        }
+
+        @Override
+        public void stopForegroundServicesForChannel(String pkg, int userId,
+                String channelId) {
+            synchronized (ActivityManagerService.this) {
+                mServices.stopForegroundServicesForChannelLocked(pkg, userId, channelId);
+            }
+        }
+
         @Override
         public void registerProcessObserver(IProcessObserver processObserver) {
             ActivityManagerService.this.registerProcessObserver(processObserver);

services/core/java/com/android/server/connectivity/Vpn.java

@@ -194,7 +194,8 @@ public class Vpn {
     @VisibleForTesting protected String mPackage;
     private int mOwnerUID;
     private boolean mIsPackageTargetingAtLeastQ;
-    private String mInterface;
+    @VisibleForTesting
+    protected String mInterface;
     private Connection mConnection;
 
     /** Tracks the runners for all VPN types managed by the platform (eg. LegacyVpn, PlatformVpn) */