git.osdn.net Git - android-x86/frameworks-base.git/log

Merge tag 'android-9.0.0_r61' into pie-x86

Android 9.0.0 Release 61 (6780336)

Add missing isShellUser check

Bug: 160390416
Test: verified command still works from shell
Change-Id: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 03542611973e4ce3ddca522ee12bcc85e59ce901)
Merged-In: I23bb06e00f1623e4f27c02d7eb2c0d273b40771b
(cherry picked from commit 5e2931c6569aa8084be9d0690a1ca30534f49c46)
(cherry picked from commit 4a31000e6072c14608ec1c59321481c8aa330313)

Mark implicit PendingIntents as immutable

Bug: 156020795
Test: manual, atest
Change-Id: I72206c7a52b067b77d6542d170a6483713dfeee7
(cherry picked from commit 84e08280d3882cfe4bad12ab426016c6d0efc7fb)
(cherry picked from commit db245b0310220ad329c55289ba299f0a1bf8a30b)

Require a more specific intent

Bug: 147606347
Fixes: 161150380
Test: run poc, device didn't reboot
Change-Id: I8f721ca659d58271880a7adbf386b270b331e55b
Merged-In: I8f721ca659d58271880a7adbf386b270b331e55b
(cherry picked from commit a9afc32ddc013424e2d17a091ef3fdfbe18c0d76)
(cherry picked from commit d16e86f466c2fc18448b654cbe71089c7fede991)
(cherry picked from commit 6dbda27f98ccfdc97b41e8f3990b3a316bb928dd)

RESTRICT AUTOMERGE
Do not set referrerUri on SessionInfo for non-owners

This change leaves the referrerUri field null when the caller leading to
its production is not the owner of the session.

Bug: 142125338
Test: atest SessionReferrerUriTest
Change-Id: I84679ea0636aa2097e25e23813c48134c9cc1d75
(cherry picked from commit 681b2364225aca50e7770d82be83f3e129a8cb11)

Remove unused intent in NiNotification

Bug: 154319182
Test: manual
Change-Id: I5958a8fb442cf4506e1824243493f91aea34a7cc
Merged-In: I5958a8fb442cf4506e1824243493f91aea34a7cc
(cherry picked from commit d541f6d85e9030c5e0e7372332854684d8a32916)

Impl basic window round corner with Outline

Signed-off-by: utzcoz <utzcoz@outlook.com>

Keep stack order when starting activity from recents

When starting activity from recents, the AMS will move home stack to
front and then move selected activity stack to front. So when we start
many freeform windows, the operation will move unselected freeform
windows to back. It's not good for usage. So this patch will remove the
logic to move home stack to front when starting activity from recents,
and move recents stack to background to dismiss the recents page.

For split screen secondary windowing, we keep the origin logic to move
home stack to front. If we find rigid problems when starting split
screen window or pip window, we should review this patch again to check
whether this patch causes the problem.

Signed-off-by: utzcoz <utzcoz@outlook.com>

Use systemui recents as default pc recents

1. Enable grid layout of systemui recents.
2. Disable OverviewProxyService to use systemui recents, instead of
recents that implements OverviewProxyService such as Launcher3.
3. Show freeform task in systemui recents.
4. Fix IndexOutArrayException of systemui recents grid layout when
starting many freeform tasks.

Signed-off-by: utzcoz <utzcoz@outlook.com>

Merge branch 'pie-x86' of https://pf.osdn.net/gitroot/e/el/electrikjesus/frameworks-base into pie-x86

Update back button graphics

Thanks again @rogerdott for the artwork

Merge branch 'boringdroid-x86-9.0.0' of https://github.com/boringdroid/platform_frameworks_base into pie-x86

Revert "Ignores protected broadcasts if not priv-app"

Revert of I5bd2bf3bd7c38fd9cc563a02b24bc569495d79ed

For now, allow all system apps to declare protected
broadcasts. This will be cleaned up in a future change.

Bug: 158570769

Merged-In: I54d236c0a6daaa934bd64a3bd05e2654e0e868fe
Change-Id: I54d236c0a6daaa934bd64a3bd05e2654e0e868fe
(cherry picked from commit b5e3addc5f27149d1b0bbc213ced47b2ade732bf)

Only autoVerify at install for new hosts

Re-run app link verification at update time only when the set of hosts
has expanded. Intentionally revoke verify history when an app stops
using autoVerify, as a one-time measure to place it back into the
non-autoverify model for tracking the user's launch preferences. If the
app starts using autoVerify again later, it behaves identically to an
app that has never done so before.

Bug: 151475497
Bug: 146204120
Test: described on master CL

Merged-In: I200d85085ce79842a3ed39377d1f75ec381c8991
Change-Id: Ibaf087946966ad82d60c7b255e3ee75990716b63
(cherry picked from commit 3e76c30b7db2cb431e84a3e933c839fefe283c6d)

DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package

Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.

Bug: 150857253

Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest

Merged-In: I2159c357911ff39ffd819054b42f96ae86bc98bc
Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
(cherry picked from commit 8220483a2ed83dbaf838803d45bc58cadede4208)

Revert "Revoke 'always' web handler status when not autoverifying"

This reverts commit ce22265eeda3a96613b9a7bb7dd898c69d295964.

Reason for revert: Inadvertently broke link handling stickiness even for well behaved apps

Bug: 146204120
Test: install app that handles web urls; set to 'always' in Settings;
install same apk again. Verify that app is still in 'always' state via
'adb shell dumpsys package d'

Merged-In: Ifac4f0c044c2c575a29bdd5ce5d14d12373fbe70
Merged-In: If9046cb420961b8ef0333e9f1115eb69fb92242e
Change-Id: Ife6cd66e0bae5738c08962a8fa9397973e33f28e
(cherry picked from commit 63b6cfd96485c11b906ca4ecc83245335d531364)

Ignore system ui visibility for decor caption view visibility

The decor caption will show only for freeform window, and we don't need
to care system ui visibility for freeform window.

Signed-off-by: utzcoz <utzcoz@outlook.com>

Reset pointer icon type after leaving resizing region

We should reset pointer icon type when hover exit task. If we start freeform
window from Taskbar, and move pointer to resize region, the pointer type will
change to TYPE_*_DOUBLE_ARROW, but when we move pointer outer freeform window
resize region, the pointer type will keep to TYPE_*_DOUBLE_ARROW. The reset
operation will help to fix this problem.

Signed-off-by: utzcoz <utzcoz@outlook.com>

Support persist window bounds

1. Add methods in WMS to store/restore window bounds in
SharedPreferences.
2. When resizing/moving window, save its value.
3. When launching window, use saved value as launch bounds.

This patch also disable the launch bounds in ActivityOptions, because
the starter doesn't know the new window bounds after resizing. The
Taskbar sets the launch bounds to the center position of screen
forcibly, and it will cause saved bounds can't work. Before finding a
solution to let Taskbar to manage freeform window bounds, we will
disable launch bounds of ActivityOptions.

Signed-off-by: utzcoz <utzcoz@outlook.com>

Add back button for freeform window

Signed-off-by: utzcoz <utzcoz@outlook.com>

Trigger resize when window from freeform to fullscreen

It will fix blankscreen when changing freeform window to fullscreen.

Signed-off-by: utzcoz <utzcoz@outlook.com>

Fix drag-resizing jump of freeform

When starting to drag freeform window, the DecorView will create
BackdropFrameRenderer to drop back drop frame for freeform window.
The BackdropFrameRenderer will create a render node called back drop
render node, and set its bounds to window frame bounds. But in the
FrameBuilder.cpp in hwui will calculate the distance between back drop
render node bounds with frame contents drawing bounds, and translate
window content with this distance to adapt back drop position. But there
exists a problem, the back drop bounds is set with window frame bounds
what are relative to display, but the content drawing bounds are
relative to window left/top point. So it will cause the problem freeform
window will jump when drag-resizing, and come back to the correct size
after drag-resizing. So we change the back drop bounds to be relative
to window left/top point too to fix this problem.

Test: start settings from Taskbar, and drag shadow of window to resize
window, and the window's left and top position keep the origin
location and doesn't jump when resizing.

Signed-off-by: utzcoz <utzcoz@outlook.com>

DO NOT MERGE Make intents immutable

Test: make
Fixes: 154719656
Change-Id: I212ca5f1a48174ed85311b551259da314718f082
Merged-In: I212ca5f1a48174ed85311b551259da314718f082
(cherry picked from commit 36b3352784ae90326a2b308542b1d2cfe18661a0)
(cherry picked from commit f596432fde8008f3571fa7157e7eb8a85ece5d7b)

More fixes towards the race conditions in AMS

Bug: 142986887
Bug: 140108616
Test: Manual
Change-Id: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
Merged-In: I6e0bdc8c02bab54f6278096b3a3acadd97c064c6
(cherry picked from commit b2e84f0406139156442984943d8de7dd37d51368)
(cherry picked from commit 9f8923d54a2d3740d1a293728b1d5b5b2451627b)

Add back enforceReadPermission for getmetadata

Test: manually tested
Bug: 151095863

Change-Id: I29ef120c10c488550b85269e598aeb6ff9505038
Merged-In: I4f04f08f76d039196c2c67bac80d4a46ebec87f2
(cherry picked from commit 71ec29b05022b06ffd4596dc8b339d2067cf58c0)

RESTRICT AUTOMERGE

This change is the union of
I2aaab1903dee54190338f7b6e49888aa51437108 and I58834636e092f992e403342e36b475dc60e8f20ai

Original CL descriptions:

*** I2aaab1903dee54190338f7b6e49888aa51437108
Block TYPE_PRESENTATION windows on default display

... and any other display that isn't considered a public presentation
display, as per Display.isPublicPresentation()

*** I58834636e092f992e403342e36b475dc60e8f20a
Use TYPE_PRIVATE_PRESENTATION for private presentations
Detect if the Presenation is targeting a private virtual display, and if they
are use the windowType TYPE_PRIVATE_PRESENTATION.
***

Bug: 141745510
Test: atest CtsWindowManagerDeviceTestCases:android.server.wm.PresentationTest CtsDisplayTestCases:android.display.cts.VirtualDisplayTest

Change-Id: I9f1c4b140ab4bc6183151aafc5501e8648fbc3fa
(cherry picked from commit d663d274ea8cdb7169d08bc3a4efa81517a8724a)

DO NOT MERGE - Kill apps outright for API contract violations

...rather than relying on in-app code to perform the shutdown.

Backport of security fix.

Bug: 128649910
Bug: 140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification
Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
(cherry picked from commit a79b6ba5c59dc6aaa8adbe1ffa3ee4b761f45e7f)

ResolverActivity: use hardware rendering for Intent Resolver dialog

Workaround to avoid graphic glitches with gbm_gralloc happening
when launcher needs to be selected at first boot

Suggested by Franco Catrin for issues affecting software rendering path:
https://github.com/android-rpi/device_brcm_rpi3/issues/49

Fix ime_switcher icon misplaced

Copy code from Android 10.

RESTRICT AUTOMERGE
Prevent accessing companion records from arbitrary uids

Test: manual
Fixes: 129476618
Change-Id: I7b18cfcdf58e62a445cbb508116c6ce7c1cea8d7
(cherry picked from commit 84cccfe6cdbc57ee372ee1a0fea64c7a11c53766)

Merge tag 'android-9.0.0_r56' into pie-x86

Android 9.0.0 release 56

Verify all possible hosts that match web nav

Even if an <intent-filter> matches non-web schemes in addition to http
or https, make sure to include its cited hosts in the autoVerify
evaluation.

Bug: 150038428
Test: atest OsHostTests#testIntentFilterHostValidation
Change-Id: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
Merged-In: If9ef0fc53d96e6581c56d86f89fe63bc9a5fb89a
(cherry picked from commit 1fba0f897f276d5d47962534867e764da8061105)
(cherry picked from commit bfa779601082d9021ea4e7d4cca571575bd0b13b)

RESTRICT AUTOMERGE
Prevent accessing companion records from arbitrary uids

Test: manual
Fixes: 129476618
Change-Id: I7b18cfcdf58e62a445cbb508116c6ce7c1cea8d7
(cherry picked from commit 84cccfe6cdbc57ee372ee1a0fea64c7a11c53766)

Revert "DO NOT MERGE - Kill apps outright for API contract violations"

This reverts commit ca006a7de870f58587dbd9054aa98b3ea21157f6.

[Pie port] Add minimize & pip buttons to freeform windows

Thanks to @farmerbb for assistance and @rogerdott for the graphics

Change-Id: I8ddad6eab27f52574ee1c10e8006612fb46a83c5

Merge tag 'android-9.0.0_r54' into pie-x86

Android 9.0.0 release 54

RESTRICT AUTOMERGE Use consistent calling uid and package in navigateUpTo

Originally, if the caller of navigateUpTo is alive, even the calling
uid is set to the caller who launched the existing destination activity,
the uid from caller process has higher priority to replace the given
calling uid. So this change doesn't modify the existing behavior if
the caller process is valid. Besides, the case of delivering new intent
uses the source record as calling identity too, so the case of starting
new activity should be consistent.

Also forbid attaching null application thread to avoid unexpected state
in process record.

Bug: 144285917
Test: atest ActivityStackTests#testNavigateUpTo
Test: atest CtsSecurityTestCases:ActivityManagerTest# \
testActivityManager_attachNullApplication
Change-Id: I60732f430256d37cb926d08d093581f051c4afed
(cherry picked from commit da78af4d6696dda77c692a7c6f2f49d4277cf341)

RESTRICT AUTOMERGE Create separated tasks for different apps from startActivities

Assume there are 2 applications A, B with different uids.
There are 4 activities A1, A2, B1, B2 with default task
affinity and launch mode.

After A1 called startActivities(B1, A2, B2):
Original : Task(A1, B1, A2, B2)
This Change: Task(A1, B1), Task(A2, B2)
In other words, the source caller cannot launch its activity
above the activity of other application in the same task, and
it can still launch activity of other application in its task.

Bug: 145669109
Test: atest StartActivityTests# \
testStartActivitiesWithDiffUidNotInSameTask
Change-Id: I97bd875146a52f62b8fe82235487ccefb2955e8e
(cherry picked from commit 48d8d370f3d1dac06719ca6a52bda5f45a1a533a)

DO NOT MERGE - Kill apps outright for API contract violations

...rather than relying on in-app code to perform the shutdown.

Backport of security fix.

Bug: 128649910
Bug: 140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification
Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
(cherry picked from commit a79b6ba5c59dc6aaa8adbe1ffa3ee4b761f45e7f)

DO NOT MERGE Ensure package names read from config are system packages.

Bug: 145981139
Test: manually tested ensureSystemPackageName() returns null for non-system app
Change-Id: I1d23910cbd282f6702785c9dfb059d7be6b0e895
(cherry picked from commit 6a56247200e1a8afc4dacc2497ec384efa200b92)
(cherry picked from commit 584d73a0b066e01b0877b475c8e2b1a85fcf5328)

RESTRICT AUTOMERGE
Update keyguard locked state from TrustManagerService

TrustManagerService holds the ground truth about whether a user is
locked or not, so update keystore using the information there,
instead of doing it from KeyguardStateMonitor. This fixes the issue
of work profile locked state not being correctly pushed to keystore.

Note: since this change is likely to be backported as a security
patch, I'm refraining from doing major refactoring right now.

Bug: 141329041
Bug: 144430870
Test: manually with KeyPairSampleApp
Change-Id: I3472ece73d573a775345ebcceeeb2cc460374c9b
(cherry picked from commit 0860a5c5c303426073c36763bef28644673ff441)

Only suspend package from system or shell

Test: manual
Bug: 148059175
Change-Id: I50ee768e792266ad2091f1913168e89d5d1463ed
Merged-In: I50ee768e792266ad2091f1913168e89d5d1463ed
(cherry picked from commit 1c943a2670c1ff499669b42ef72dcd9f07db08c3)
(cherry picked from commit adc39de3a148a2058d63bd7a1b8b71ee0a3524ac)
(cherry picked from commit eb4f716bf3a0ee3ac8015cde48305aeb82724039)

Work around foreground app not updating issue

The foreground app not updating anymore after the second sleep/wake
sequence. I managed to work around it using this patch.

Merge tag 'android-9.0.0_r53' into pie-x86

Android 9.0.0 Release 53 (6107734)

Fix potential double destroy of AssetManager

Assume there is a XmlBlock [X] created by a AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.

By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.

Bug: 136721562
Bug: 144028297
Test: atest AssetManagerTest
Test: Build and install CorePerfTests
      adb shell am instrument -w -r --no-hidden-api-checks -e class \
      android.app.ResourcesPerfTest#getLayoutAndTravese,android.graphics.perftests.RenderNodePerfTest \
      com.android.perftests.core/androidx.test.runner.AndroidJUnitRunner

Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit 0a8a1e9d40a3cdff06150c43c623fa4c415226b6)

Revoke 'always' web handler status when not autoverifying

If an app has previously used autoVerify to make claims about its status
re handling web navigation intents, but is updated such that it no
longer makes those claims, step down its "official handler" status as
though it had never invoked autoVerify in the first place.

Bug: 146204120
Test: manual: as described in bug; observe policy before/after via
'adb shell dumpsys package d'
Test: atest CtsOsHostTestCases
Change-Id: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
Merged-In: I58502d1b32d793aba9aa772fa2ad5ac38acca48a
(cherry picked from commit ce22265eeda3a96613b9a7bb7dd898c69d295964)

Merge tag 'android-9.0.0_r52' into pie-x86

Android 9.0.0 release 52

Fixes NPE when preparing app data during init

When deleting an unused static shared library on Q, the user manager was
fetched via mContext.getSystemService. At this time during boot, the
service wasn't registered and so null was returned. This has already
been addressed in R with a move to injecting dependencies in the
PackageManagerService constructor.

Bug: 142083996
Bug: 141413692
Test: manual; remove static dependency on eng Q build and reboot
Change-Id: I8ae4e331d09b4734c54cdc6887b273705dce88b1
Merged-In: I8ae4e331d09b4734c54cdc6887b273705dce88b1
(cherry picked from commit 5d3fc339b57950fd8621cb410865e8800ccb6873)

Use KNOWN_PACKAGES when shared lib consumers

This change ensures we find ALL known packages that could be consuming a
shared library, not only currently installed ones. Without this check,
the system may get into a state in which we have currently uninstalled
but on-device apps that depend on a shared library that does not exist
on device.

This change also leaves static shared library packages on device even if
it's not installed for any of the remaining users as it could still be
used, but marked uninstalled for users in which it is consumed.

Bug: 141413692
Bug: 142083996
Test: Manual; attempt to remove shared lib after marking its consumer uninstalled.
Test: atest StaticSharedLibsHostTests
Change-Id: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
Merged-In: Id4e37c3e4d3ea3ad5fddae5d2c7305e56f50eeea
(cherry picked from commit 08315953bc42fb392c32293418dfb2a3e4ffbe53)

Handles null outInfo in deleteSystemPackageLI

This change adds null checks before accessing outInfo in
deleteSystemPackageLI.

Bug: 142083996
Bug: 141413692
Test: manual; remove static dependency on eng build and reboot
Change-Id: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit 17471016508bb9c9ffb8c3946dda0b4897d722f1)
Merged-In: If0fd48343e89cbb77ccd25826656194195d5b0cd
(cherry picked from commit 6afabce549f5725988b9c03de932c34e9d22f10e)

Fix security problem on PermissionMonitor#hasPermission

PermissionMonitor#hasPermission only checks permssions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission doens't be granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.

Bug: 144679405
Test: Build, flash, manual test
Change-Id: Iae9c273af822b18c2e6fce04848a86f8dea6410a
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: I2da730feda4d7ebed1f158b073167bb3964b3e7d
(cherry picked from commit d0205a3469dc8d8122e89072c19d0e9f18e7452f)

Support strict mode private DNS on VPNs that provide Internet.

Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.

This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.

In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.

Backport of 414b8c8b1ce8ae2ad6ef95c1ffba19062077d3e6.

Bug: 122652057
Test: atest FrameworksNetTests
Test: manually ran a VPN with private DNS in strict mode
Test: atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
(cherry picked from commit 029d9ea11921b7ca5652d24a9563b66c2b70fafc)

Add test coverage for strict mode private DNS.

Support faking out the DNS lookups used by NetworkMonitor to
resolve strict mode DNS, and add more test coverage.

These tests were partly adapted from tests we have in Q but
also contain new coverage. This is because in Q the interface
between ConnectivityService and NetworkMonitor changed
substantially, and it is impractical to backport
NetworkMonitorTest.

Bug: 122652057
Test: atest FrameworksNetTests
Change-Id: I6497b7efa539267576d38d3036eef0af0df4e9cb
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
(cherry picked from commit 60cd85533d3a9ad4e3758de4804d1716e7fe0371)

RESTRICT AUTOMERGE
Make toasts non-clickable

Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagetDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
      log click events. Then:
      1) Observe click events are logged without this CL.
      2) Observer click events are not logged with this CL.
Bug: 128674520

Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
(cherry picked from commit 6bf18c39d9fc727523fa3201567b836032bb2114)

DO NOT MERGE back porting for fixing sysui direct reply

Root cause: systemui run as user 0 service to handle all of users'
notifications. And, the users can user the copy/cut/paste
functionality.

Solution: To crate @hide API in TextView let SystemUI to mark the
TextView instance should check if the power of
INTERACT_ACROSS_USER_FULL is needed to be restricted.
e.x. Keyguard password textview/Notificaiton entries

Bug: 123232892
Test: manual test
Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
Reference: I975baa748c821538e5a733bb98a33ac609bf40a7

Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
(cherry picked from commit 08391b3da7e2da3b0220eb5766e0a1774d28e9a5)

RESTRICT AUTOMERGE Disable TextClassifier for RemoteInputView.

Sys UI runs in the primary user. This means that TextView components
such as RemoteInputView and KeyguardPasswordView running in it could
leak data across users.

This CL disables the TextClassifier for RemoteInputView.
It also logs when fixed issue is "potentially" exercised.
There is no need to explicitly disable the TextClassifier for
KeyguardPasswordView. It is a password field
(TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_PASSWORD) and the
TextClassifier does not run for such fields.

Test: manually attempt to excercise the bug.
See the bug in 123232892 for more information.

Bug: 136483597
Bug: 123232892
Change-Id: Ia1e4843d1505e204f2e78d2459da198c9988f7f2
(cherry picked from commit 579abbd2d8ad37c4e07e1396002ad5be5bd41365)

DO NOT MERGE: Disable SpellChecker in secondary user's direct reply

For secondary users, when AOSP keyboard is used to type in
direct-reply, unknown words can be added to dictionary.
It's *not* OK for SpellCheckerService of primary user to
check unknown words typed by a secondary user.
The dialog to add these words shows up in primary user instead.

TextView uses TextView#isSuggestionsEnabled() to determine if
SpellChecker is enabled. This can be disabled by setting the flag
TYPE_TEXT_FLAG_NO_SUGGESTIONS in inputType.

Note: This doesn't affect workprofile users on P or older versions since
they use same SpellCheckerService for all workprofiles.

Bug: 123232892
Test: Manually tested using the steps mentioned in the bug.
1. Flash latest P build.
2. Install AOSP keyboard (LatinIME) and set it as default.
3. Install and open EditTextVariations
4. Initiate direct reply in primary user and type non-english
    words like "ggggg hhhhh".
5. Observe that they get red underline and tapping it brings "add
    to dictionary" popup.
6. Create a new secondary user and switch to it.
7. Once the setup completes, initiate a direct reply and type words
    similar to step 4.
8. Verify that red underlines dont appear.
9. switch back to primary user and verify direct reply still has red
    underlines.

Change-Id: I93918eb2c12e37908e03a7951a9e2c5375bc0ecc
(cherry picked from commit b5c0e01aca6f19ae3e305ce6d1c1ecec6aba0532)

Fix QuickSetting panel width

Suggested-by: fguy <fguy2102@gmail.com>

Align the pageBlockOrder to the kerne 4.19 kernel

Change-Id: Ieb76e3d78856c80c0450e239b5ba026219920c2e
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-70044
Signed-off-by: he, bo <bo.he@intel.com>

Check if mClingWindow is already added before adding.

If not to check if it's added, the previous one will leak
and cannot be removed any more.

Change-Id: Ifd50b57badd8c630aaa1e202695c7c4525b3a30e
Tracked-On: OAM-72403
Signed-off-by: Yan, WalterX <walterx.yan@intel.com>

Enabling suspend on IVI after clicking sleep from the power button menu.

Tracked-on: OAM-56502

Change-Id: Ib8e5f351815474d8e99739938ac5845227f711ff
Signed-off-by: Madhusudhan S <madhusudhan.s@intel.com>

GlobalActions: Handle 'sleep' action

Some Intel platforms do not provide separate
events for power key press and release. This
makes it impossible to detect long press of
power button. So, the solution is to handle
only short press and add 'sleep' also as an
option in GlobalActions menu. This patch
handles 'sleep' option.

Change-Id: Iaae59b324e5ba6eaed9e507fdaa8e5006535716c
Tracked-On: OAM-56502
Signed-off-by: saranya <saranya.gopal@intel.com>
Signed-off-by: Madhusudhan S <madhusudhan.s@intel.com>

Fix forceDefaultOrientation

Ignore screen size when determines mForceDefaultOrientation.

Fix the bug in the calculation of left and top of DisplayContent
when default orientation is forced. (by Ladehunter)

android_view_ThreadedRenderer: prevent Null Pointer Exception in createBitmap

To avoid Playstore crashes with nouveau and Hardware Bitmap,
a check is added to bitmap returned by Bitmap::createFrom(buffer)
inspired by similar behavior in Bitmap.cpp Bitmap_createHardwareBitmap()

Fixes the following crash:

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Android-x86/android_x86/x86:8.1.0/OPM8.181005.003/uten01131829:userdebug/test-keys'
Revision: '0'
ABI: 'x86'
pid: 4644, tid: 4644, name: android.vending  >>> com.android.vending <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xc
Cause: null pointer dereference
    eax 89195380  ebx b1d36290  ecx 00000000  edx ae783074
    esi 00000000  edi ae7a9380
    xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
    eip b1c4f7c8  ebp bff902c8  esp bff9028c  flags 00010246

backtrace:
    #00 pc 000fd7c8  /system/lib/libandroid_runtime.so (android::bitmap::createBitmap(_JNIEnv*, android::Bitmap*, int, _jbyteArray*, _jobject*, int)+104)
    #01 pc 000d08ca  /system/lib/libandroid_runtime.so (android::android_view_ThreadedRenderer_createHardwareBitmapFromRenderNode(_JNIEnv*, _jobject*, long long, int, int)+1002)

pm: ignore restorecon failure

On the 9p filesystem, restorecon won't work. It causes apk can't be
installed. Just ignore the errors to workaround it.

Modify color inversion matrix to swap Red and Blue colors

Instead of color inversion it will produce Red and Blue colors swap,
in order to correct displayed colors for R4xx and other old drivers
still based on KMS API

ABIPicker: match package name by patterns

PRC apps from different markets usually have different package names.
This change tries to match them by patterns.

To test it, install the Implosion apps from Wandoujia and CoolMarket
and run them OK.

Fix the memory leak bug introduced by PRC compatibility feature

Fix the memory leak bug introduced by PRC compatibility feature,
introduced by https://android.intel.com/#/c/471490/

Change-Id: Iaf9bd21afa17f3a81ab700c63ae7c0bb0851a594
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-27449
Signed-off-by: jgu21 <jinghui.gu@intel.com>
Reviewed-on: https://android.intel.com:443/489353

Fix KW issues on PRC compatibility

Fix KW issues on PRC compatibility,introduced by below commit.
https://android.intel.com/#/c/484542/

Change-Id: Ib10899655dd2a18569387dbafbe33856acf5df59
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-26904
Signed-off-by: jgu21 <jinghui.gu@intel.com>
Reviewed-on: https://android.intel.com:443/487804

Reduce the overhead of the PRC compatibility package feature during system bootup

The PRC compatibility package introduced too heavy overhead
in system bootup. This commit aims to reduce the overhead
in system bootup and improve the performance of PRC
compatibility package.

NOTE: The format of ThirdPartySO has been changed to improve
the performance. From now on, the lib name should be trimmed
as below if want to add into the list. For "libabc_v1_2_3.so",
add "abc_v" into the list, that is, the version information
at the tail of lib name should be removed.

Change-Id: Ic374e363d3d31f9bd69be839b33b1bd65950ef61
Tracked-On:https://jira01.devtools.intel.com/browse/OAM-25819
Signed-off-by: xiajiang <xia1.jiang@intel.com>
Reviewed-on: https://android.intel.com:443/484542

Enable the PRC compatibility package feature for PRC market

In PRC market, some APKs are packed in non-standard way, that is,
the x86(_64) libraries aren't workable although they're found in the APK.
This patch intends to relieve the impact from below 2 defects,
which is based-on the heuristic algorithm.

NOTE: To enable this feature, set "PRC_COMPATIBILITY_PACKAGE := true"
in device BoardConfig.mk before enabling houdini.

1. Missing x86(_64) libraries: The x86(_64) libraries are ported and
   existing in the APK. But it's incomplete, and not workable.
2. Mixed arm(64) libraries: Several libraries are existing in lib/x86(_64)/
   directory in the APK. But some of them are arm(64) libraries,
   instead of x86(_64) ones.

All of above always cause APP crash if installed x86(_64) libraries
by PackageManager.

This patch aims to improve PackageManager to figure out these defects
and install arm(64) libraries to run the APP with houdini support.
The basic idea is to compare x86(_64) libraries with arm(64) alternatives
to determine which one should be workable.

To customize it for specific APPs, 3 lists are provided under
/system/vendor/etc/misc/ on the device.

1. /system/vendor/etc/misc/.OEMWhiteList:
   This patch will be disabled for the APPs containing in the OEMWhiteList
2. /system/vendor/etc/misc/.OEMBlackList:
   The APP is enforced to install the arm(64) libraries if existed.
3. /system/vendor/etc/misc/.ThirdPartySO:
   This is another list which contains the names of all 3rd-party libraries,
   which will impact on the final decision of APP installation.

Change-Id: I2613d9ebc8fe012c801f4a38fc5dede413f15a91
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-20470
Signed-off-by: xiajiang <xia1.jiang@intel.com>
Reviewed-on: https://android.intel.com:443/471490

fd_utils: fix DEBUG mode booting issue (pie-x86)

Porting to pie-x86 codebase of oreo-86 commit
c283ba107a ("fd_utils: fix DEBUG mode booting issue")

Original commit message:

Remove the "/android/" prefix before the white list checking.

Suggested by Chris Vandomelen <chris@sightworks.com>.

Camera: ignore exceptions from getSupportedPreviewFpsRange

input: simulate long press properly

The original implementation of long press sends two ACTION_DOWN events
which would be interpreted as a double tap. For example, sending
a long press POWER key will launch the camera:

11-21 16:27:37.320  2223  2223 I Input   : injectKeyEvent: KeyEvent { action=ACTION_DOWN, keyCode=KEYCODE_POWER, scanCode=0, metaState=0, flags=0x0, repeatCount=0, eventTime=39641, downTime=39641, deviceId=-1, source=0x101 }
11-21 16:27:37.321  2223  2223 I Input   : injectKeyEvent: KeyEvent { action=ACTION_DOWN, keyCode=KEYCODE_POWER, scanCode=0, metaState=0, flags=0x80, repeatCount=1, eventTime=39641, downTime=39641, deviceId=-1, source=0x101 }
11-21 16:27:37.322  1411  1565 I GestureLauncherService: Power button double tap gesture detected, launching camera. Interval=0ms
11-21 16:27:37.322  2223  2223 I Input   : injectKeyEvent: KeyEvent { action=ACTION_UP, keyCode=KEYCODE_POWER, scanCode=0, metaState=0, flags=0x0, repeatCount=0, eventTime=39641, downTime=39641, deviceId=-1, source=0x101 }

This is unexpected and incorrect.

Just simulate the long press by delaying ACTION_UP one second.

DiskInfo: support CD/DVD type

Detect HDMI audio by switch events

If detect SW_VIDEOOUT_INSERT, assume HDMI is plugged.

analytics: send anonymous usage information

Send usage information to google analytics when applications are started
or throws exceptions.

Support save local time to RTC

Make it work for dual boot with Windows, we could set property
persist.rtc_local_time to 1, so that RemixOS and Windows both
use local time in rtc.

NO_REF_TASK
Tested:
1) set time in android, reboot to bios, make sure the time in bois is
local time
2) reboot back to android, the current time should be correct local time
(this need another change)

Change-Id: Id2c0ce150fb9320b132ad8bdd83b38dcae1070db

Map keycode 120 to APP_SWITCH

Define the unused keycode 120 to be APP_SWITCH.

InputReader: read the pointercal from TSCalibration2

Watch the pointercal and reload it on changed.

SystemUI: Recycle the old wallpaper background bitmap after we choose a new wallpaper.

BZ: 101064

RootCause: ImageWallpaper didn't call old background bitmap's recycle before
set it to null.

Category: aosp improvement
Domain: AOSP-Framework-Media
Origin: internal
Upstream-Candidate: yes

Orig-Change-Id: I27f6971a3edd26472b69e59b542b27fd7c8e7b90
Change-Id: Ice59aea79f8137d5995d7a5ce9a6ed7903750d30
Signed-off-by: jshe32X<jianchunx.shen@intel.com>

MediaFile: support more media types

Make "windows" key to act as "home" key

Issue: AXIA-1893
Change-Id: I7b2b19f7e34ec8a1867e8e6ce522e65133e5267f
Signed-off-by: juntingwang <Junting.Wang@windriver.com>

camera: fix NullPointerException

GLSurfaceView: Be less picky about EGLConfig alpha sizes

EGLChooseConfig returns a "best match" set of visuals meeting or
exceeding the required r/g/b/a component depths. But GLSurfaceView
oddly requires that the returned visual be an exact match. Add to
that that the (rarely used outside of CTS) default request specifies
zero alpha bits and that not all drivers expose a zero-alpha
EGLConfig, and the default configuration will fail needlessly.

It's not incorrect to have alpha bits you didn't request: the only way
to produce divergent behavior is for a fragment shader to write out
explicit alpha values (into the channel it didn't want to begin with!)
with values other than 1.0 and then rely on them being ignored and
treated as 1.0.

For: AXIA-1448
Change-Id: I2f64995d7b9de1ae082aa47822af525390102083
Signed-off-by: Andy Ross <andy.ross@windriver.com>

import YuvToEncoder R3 patches, BZ 18528, 19092, 19696

BZ: 47824

Please refer http://umgbugzilla.sh.intel.com:41006/show_bug.cgi?id=19092 and
external/jpeg/libjpeg.doc

The MCU height is max_v_samp_factor = 2 DCT rows so you must pass at least 16
scanlines on each call to jpeg_write_raw_data(), which is to say 16 actual
sample rows of Y and 8 each of Cb and Cr.

The original implement of Yuv420SpToJpegEncoder::compress didn't add padding to the frame buffer
when height and width aren't aligned with 16 pixel. It will cause illegal memory violation and core dump.

Category: aosp improvement
Domain: Video.Media-jpeg
Origin: Internal
Upstream: Yes

Change-Id: Ibcf14230d616e2d440ace244bb420723b5c01dc2
Orig-Change-Id: Ic1b7494b98ee9c1997b226d58abd034b1dcb18f6
Signed-off-by: Tong, Bo <box.tong@intel.com>
Signed-off-by: Zhao Liang <leo.zhao@intel.com>

Prevent system uid component from running in an isolated app process

Bug: 140055304
Test: Manua
Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
(cherry picked from commit 0bfebadf304bdd5f921e80f93de3e0d13b88b79c)

Only allow INSTALL_ALLOW_TEST from shell or root

Bug: 141169173
Test: Manual. App can't be installed as test-only
Change-Id: Ib6dcca7901aa549d620448c0165c22270a3042be
Merged-In: Ib6dcca7901aa549d620448c0165c22270a3042be
(cherry picked from commit 702d394762a9b162cb2a2b04bb726fd8053f24d3)

DO NOT MERGE Validate wallpaper dimension while generating crop

If dimensions of cropped wallpaper image exceed max texture size that
GPU can support, it will cause ImageWallpaper keep crashing
because hwui crashes by invalid operation (0x502).

Bug: 120847476.
Test: Write a custom app to set a 8000x800 bitmap as wallpaper.
Test: The cropped file will be 29600x2960 and make sysui keep crashing.
Test: After applyed this cl, wallpaper will use fallback.
Test: Sysui will not keep crashing any more.
Change-Id: I8ed5931298c652a2230858cf62df3f6fcd345c5a
(cherry picked from commit f1e1f4f04d0165ed065637a4ba556583a7c79ef0)

RESTRICT AUTOMERGE
Revive runLimit check logic

The runLimit check logic was accidentally removed by
I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735

Bug: 142134328
Bug: 140632678
Test: Manually done with reported step
Test: StaticLayoutTest passes
Change-Id: Ib1d5efdcb9adcc18a6a43370dc016ea464f48148
(cherry picked from commit fd1a7e8663feb23ba912e1c519630a2385b452fc)

Force FGS notifications to show for a minimum time

It's possible for a service to do a start/stop foreground and cause a
couple of things to happen:

NotificationManagerService will enqueue a EnqueueNotificationRunnable,
post a PostNotificationRunnable (for the startForeground), and then also
enqueue a CancelNotificationRunnable. There is some racy behavior here
in that the cancel runnable can get triggered in between enqueue and
post runnables. If the cancel happens first, then
NotificationListenerServices will never get the message.

This behavior is technically allowed, however for foreground services we
want to ensure that there is a minmum amount of time that notification
listeners are aware of the foreground service so that (for instance) the
FGS notification can be shown.

This CL does two things to mitigate this problem:

1. Introduce checking in the CancelNotificationRunnable such that it
will not cancel until after PostNotificationRunnable has finished
executing.

2. Introduce a NotificationLifetimeExtender method that will allow a
lifetime extender to manage the lifetime of a notification that has been
enqueued but not inflated yet.

Bug: 119041698
Test: atest NotificationManagerServiceTest
Test: atest ForegroundServiceLifetimeExtenderTest
Change-Id: I0680034ed9315aa2c05282524d48faaed066ebd0
Merged-In: I0680034ed9315aa2c05282524d48faaed066ebd0
(cherry picked from commit 3b8c4743f630dcd370bfc5dc9683b551983fbe28)

RESTRICT AUTOMERGE
Do not compute outside given range in TextLine

This is second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
which breaks various layout test on application.
The empty string must be also handled by the TextLine since it
retrieves the default line height from the empty string.

Bug: 140632678
Test: StaticLayoutTest
Test: Manually done
Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
(cherry picked from commit f582b9bc9834c80f48070b032637dd1c94ebe6f4)

DO NOT MERGE revoke certain app-ops on suspend

Revoking an apps authorizations to use camera and record or play audio
while suspended. Appops watchers will also be notified of this change to
re-evaluate privileges at the time of suspension.

Test: atest FrameworksServicesTests:SuspendPackagesTest

Bug: 138636979
Change-Id: Ie95555856afdd56728125f7e60b6a78cf9fc0e58
Merged-In: Ie95555856afdd56728125f7e60b6a78cf9fc0e58
Merged-In: Ic5fb1807deceabfd956b666fa76f8bcc94020ac3
(cherry picked from commit ed5edb77dcdbf0e65acb58188698027036fb8d05)

RESTRICT AUTOMERGE
Strict SQLiteQueryBuilder needs to be stricter.

Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.

This change offers setStrictGrammar() to prevent this by outright
blocking subqueries in WHERE and HAVING clauses, and by requiring
that GROUP BY and ORDER BY clauses be composed only of valid columns.

This change also offers setStrictColumns() to require that all
untrusted column names are valid, such as those in ContentValues.

Relaxes to always allow aggregation operators on returned columns,
since untrusted callers can always calculate these manually.

Bug: 135270103
Bug: 135269143
Test: atest android.database.sqlite.cts.SQLiteQueryBuilderTest
Test: atest FrameworksCoreTests:android.database.sqlite.SQLiteTokenizerTest
Exempt-From-Owner-Approval: already approved in downstream branch
Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
(cherry picked from commit 216bbc2a2e4f697d88f8fd633646e3c0433246f1)

Set default phonebook access to ACCESS_REJECTED when user didn't choose
one

When there's no users' choice to tell us whether to share their
phonebook information to the Bluetooth device, set the phonebook access
permission to ACCESS_REJECTED.

Bug: 138529441
Test: Manual test
Change-Id: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
Merged-In: Iefabeb731b941f09fe1272ac7b7cd2feba75c8df
(cherry picked from commit 9b3cb0f06b7c4907c293aa65e68c7ed6e4962d4b)

RESTRICT AUTOMERGE
Enable stricter SQLiteQueryBuilder options.

Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.

This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks. This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.

We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.

Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.

Bug: 135270103
Bug: 135269143
Test: atest DownloadProviderTests
Test: atest CtsAppTestCases:android.app.cts.DownloadManagerTest
Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
(cherry picked from commit 382d5c0c199f3743514e024d2fd921248f7b14b3)

fixes a security vulnerability in slice provider

Bug: 138441555
Test: Manual
Change-Id: Ib1b4fba54ebd3599fe11021d21dc9b09d34e8965
Merged-In: Ib1b4fba54ebd3599fe11021d21dc9b09d34e8965
(cherry picked from commit 2b415a4c4465a6294e51ad1a8fcf2e6c1497853b)
(cherry picked from commit 46368e4f5cf4ff4582942bcc8ab23636c702daa3)

Add MANAGED_PROVISIONING_DPC_DOWNLOADED (nyc).

Test: Just adding a constant
Bug: 132261064
Change-Id: I1527be03a10fa1a2fde09e3e41d6b7e83a986fc0
Merged-In: I2bce277ff8f2de4614e19d5385fe6712b076f9c9
(cherry picked from commit 20e5d92613268c196b508865b7275b59f00688f5)

[RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() if provided by PendingIntentRecord#sendInner()

Previously we'd ignore realCallingPid and realCallingUid that
PendingIntentRecord#sendInner() provided to startActivityInPackage().
Now we correctly pass it on, preserving past behaviour if none
provided.

Test: manual; we added logging statements to check the value of realCallingUid
in startActivitiesMayWait when launching the calendar app from the calendar widget
and verified that it was the calendar uid rather than the system uid.

Bug: 123013720
Change-Id: If0c0b67880c2e7a8774f31fbb1ba5f50544d2972
(cherry picked from commit b255e64a5d282f860bd58ae8f85158b5badce7ba)