… no privilege"

This reverts commit fa8d6362348738284b3f33a13e1fa5cdd0af67b2.

Reason for revert: apps crashed due to the top activity info trimmed

Bug: 264269392 263434196 263438172
Change-Id: I57d37649acb31bd93bd5aa10507f548cd77fc8f2
(cherry picked from commit b37e4e7e6f465c4b6a291be6c65587dbd75b4ae4)
Merged-In: I57d37649acb31bd93bd5aa10507f548cd77fc8f2

Occasionally ILockSettings can fail to be initialized otherwise
Fixes: 232714129
Test: boot (and eventually bootstress/reboot-long)

Change-Id: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
(cherry picked from commit 8e27854)
(cherry picked from commit d262fa6)
Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002

The NotificationManagerService registers a LockPatternUtils.StrongAuthTracker
to observe the StrongAuth changes of every user.
More specifically, it’s the STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN flag.
Via this flag, NotificationManagerService can perform the following operations
when the user enter or exit lockdown mode:

Enter lockdown:
1. Remove all the notifications belonging to the user.
2. Set the local flag to indicate the lockdown is on for the user.
   The local flag will suppress the user's notifications on the
   post, remove and update functions.

Exit lockdown:
1. Clear the local flag to indicate the lockdown is off for the user.
2. Repost the user’s notifications (suppressed during lockdown mode).

The CL also updates corresponding tests.

Bug: 173721373
Bug: 250743174
Test: atest NotificationManagerServiceTest
Test: atest NotificationListenersTest
Ignore-AOSP-First: pending fix for a security issue.

Change-Id: I4f30e56550729db7d673a92d2a1250509713f36d
Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
(cherry picked from commit de3b12fca23178d8c821058261572449b67d5967)
(cherry picked from commit 0b56ec9aa245f7bbdf065a4b33b5ef00a558dbe4)
Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d

Prior to this CL, WorkSources would Parcel their list of WorkChains as
-1 if null, or the size of the list followed by the list itself if
non-null. When reading it back in, on the other hand, they would check
if the size was positive, and only then read the list from the Parcel.
This works for all cases except when the WorkSource has an empty but
non-null list of WorkChains as the list would get written to the parcel,
but then never read on the other side.

If parceling a list was a no-op when empty this wouldn't be an issue,
but it must write at least its size into the parcel to know how many
elements to extract. In the empty list case, this single element is left
unread as the size is not positive which essentially corrupts any future
items read from that same parcelable.

Bug: 220302519
Test: atest android.security.cts.WorkSourceTest#testWorkChainParceling
Change-Id: I2fec40dfced420ca38e717059b0e95ee8ef9946a
(cherry picked from commit 266b3bddcf14d448c0972db64b42950f76c759e3)
Merged-In: I2fec40dfced420ca38e717059b0e95ee8ef9946a

…package name

This change makes sure that the extracted component name in a
MediaButtonReceiverHolder matches the Media Session owner's package
name. This avoids incorrectly routing media button events and potential
security issues.

Bug: 244312001
Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: Ifac9cf53889222e31d18c14c1e096ee68c0a346c
(cherry picked from commit 185c3e252397bfa37592edbb5b2f5ae97db92eda)
Merged-In: Ifac9cf53889222e31d18c14c1e096ee68c0a346c
(cherry picked from commit 48c388277880e56ab5cc29e145e4d00aa383ce01)
Merged-In: Ifac9cf53889222e31d18c14c1e096ee68c0a346c

Adds check that enforces ComponentName's package belongs to calling app.
This avoids privileged execution of arbitrary code through media button
events.

This is a partial revert revert of ag/19338169.

Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 1b2fa2486cc97fd9515300f858d4da2af8d8908c)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 863d396f4ccabee91d51b04f72f44c34ffe351f0)
(cherry picked from commit 833af484ecbe732ec086ee08a068c6010cd070c9)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d

This reverts commit c4d3106e347922610f8c554de3ae238175ed393e.

Reason for revert: b/264884187, b/264885689 

Change-Id: I9fb0d66327f3f872a92e6b9d682d58489e81e6ba
(cherry picked from commit 7bb933f48ff15d8f08d2185005b7b3e212915276)
Merged-In: I9fb0d66327f3f872a92e6b9d682d58489e81e6ba

…L only now.

Or, if an instrumentation starts another instrumentation and so on,
and the original instrumentation is started from SHELL, allow all
Context#startInstrumentation calls in this chain.

Otherwise, it'll throw a SecurityException.

Bug: 237766679
Test: atest CtsAppTestCases:InstrumentationTest
Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c
Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c
Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892
Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
(cherry picked from commit 5985225e777cdb96b738aeda859dff49f6c6f853)
Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406

The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly  only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call.

This CL did the following:

- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null.

Bug: 260567867
Bug: 262230405
Test: local test, see b/262230405
Test: atest CtsAccountManagerTestCases
Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477
(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981)
Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477

Test: manual testing done on device by installing test APK and checking if receiver can register
Bug: 242040055
Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0)
(cherry picked from commit 8460609f01147d2a7e849eca1ca895211530b589)
Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d

Avoids deserialization error when the scheme contains a
reserved character.

Bug: 261858325

Test: atest android.content.cts.IntentTest#testEncoding

Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470
(cherry picked from commit bfe7e8bab48caff53dbcf2913f724de2e4f5aa81)
Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470

…f no privilege

The activity info could be from another uid which is different
from the app that hosts the task. The information should be
trimmed if the caller app doesn't have the privilege.

However, removing the entire info may result in app compatibility
issues. So, only swiping the info that are sensitive to empty
string.

Bug: 243130512
Test: verified market app locally
Test: atest RecentTasksTest
Change-Id: I5b6775dd3c4e2ccdacd30741884d336b2eaa70da
Merged-In: I5b6775dd3c4e2ccdacd30741884d336b2eaa70da
(cherry picked from commit 5ba72200f6a66b5da48c9c3abd103a73aea1ef95)
(cherry picked from commit 7be9e6efb63884f8f4bb647e537a29746bbeb9fa)
Merged-In: I5b6775dd3c4e2ccdacd30741884d336b2eaa70da

Same as exists for channels

This is a backport of the fix in ag/16659457, including the adjustment from ag/20920023 (changed the max value from 50000 to 6000).

Test: PreferencesHelperTest
Bug: 210114537
Bug: 261723753
Change-Id: Ic27efba4c54e22eebca16fc948879e652df4467b
(cherry picked from commit 37b3549 & I3f3a99765c161369e1b026686a0e5f0c83ed839e)
Merged-In: I3f3a99765c161369e1b026686a0e5f0c83ed839e
(cherry picked from commit 38257af19e18d19075483dfa351c7e5cbb9cbf75)
Merged-In: Ic27efba4c54e22eebca16fc948879e652df4467b

Bug: 235823542
Test: atest LocationProviderManagerTest and manual tests
Change-Id: I2a0fa7b99c3ad5ae839d8018ec70cb5c26e33240
(cherry picked from commit 750af79d5ccb282bb79ef40932858fbae801a48b)
Merged-In: I2a0fa7b99c3ad5ae839d8018ec70cb5c26e33240

Opt-in for BAL of PendingIntent for following APIs:

* PackageInstaller.uninstall()
* PackageInstaller.installExistingPackage()
* PackageInstaller.uninstallExistingPackage()
* PackageInstaller.Session.commit()
* PackageInstaller.Session.commitTransferred()
* PackageManager.freeStorage()

Bug: 230492955
Bug: 243377226
Test: atest android.security.cts.PackageInstallerTest
Test: atest CtsStagedInstallHostTestCases
Change-Id: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf
(cherry picked from commit 5f00e89989392c9ae00b360e1388d0179dfb36d7)
Merged-In: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf

This reverts commit 22261fa.

Reason for revert: Re-release due to functional regression

Change-Id: I9ca1fa2f140d640159fabec1424c52867cf01a60
(cherry picked from commit 23bf0bda7d9b97a82ea04257318bb90677561476)
Merged-In: I9ca1fa2f140d640159fabec1424c52867cf01a60

…wer than preload

Also remove misleading commandline output.

BUG: 256202273

Test: manual
1. Install preload system app v90, reboot
2. (W/O data, W/ Flag, 90->80 NOK) adb install -d ~/Downloads/PrivApplication_80.apk
Performing Streamed Install
adb: failed to install /usr/local/google/home/schfan/Downloads/PrivApplication_80.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE: System app: com.example.privapplication cannot be downgraded to older than its preloaded version on the system image. Update version code 80 is older than current 90]
3. (90->100) Install data app v100
4. (W/ data, W/O Flag, 100->90 NOK) adb install ~/Downloads/PrivApplication_90.apk
Performing Streamed Install
adb: failed to install /usr/local/google/home/schfan/Downloads/PrivApplication_90.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE: Downgrade detected: Update version code 90 is older than current 100]
5. (W/ data, W/ Flag, 100->90 downgrade OK) adb install -d ~/Downloads/PrivApplication_90.apk
Performing Streamed Install
Success
6. (90->100) Install v100
6. (W/data, W/ Flag, 100->80 NOK) adb install -d ~/Downloads/PrivApplication_80.apk
Performing Streamed Install
adb: failed to install /usr/local/google/home/schfan/Downloads/PrivApplication_80.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE: System app: com.example.privapplication cannot be downgraded to older than its preloaded version on the system image. Update version code 80 is older than current 90]

Change-Id: I5a8ee9e29a3a58f6e3fd188e0122355744b8b0ce
(cherry picked from commit a4484d7f1be1fa413258fe18644d61f85611f586)
(cherry picked from commit on googleplex-android-review.googlesource.com host: cc9d3867082ac1518b7264c3752442f5ca112aa1)
Merged-In: I5a8ee9e29a3a58f6e3fd188e0122355744b8b0ce

…ades

Turns out we do have internal tests that downgrades system apps, so adding this exception to allow for that.

BUG: 267232653
BUG: 256202273

Test: manual
Change-Id: Ie281bbdc8788ee64ff99a7c5150da7ce7926235e
(cherry picked from commit ceeca68b8c3f0ed8427b0212f63defe2f075146e)
(cherry picked from commit on googleplex-android-review.googlesource.com host: 636cdf22b90ccb4866f380c307b7e1b92da03ed9)
Merged-In: Ie281bbdc8788ee64ff99a7c5150da7ce7926235e

- If too large when parsing service XMLs then skip this service.
- If too large when a service attempts to update its own info
  then throw an error.

Bug: 261589597
Test: atest AccessibilityServiceInfoTest
Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
(cherry picked from commit on googleplex-android-review.googlesource.com host: 553232c29079fbeab28f95307d025c1426aa7142)
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906

The interpretation of the path depends on whether the scheme or
authority are specified and should be observed when unparcelling
URIs.

Bug: 171966843
Test: atest FrameworksCoreTests:android.net.UriTest
Test: atest com.android.devicehealthchecks.SystemAppCheck
Change-Id: I06981d1c6e387b16df792494523994518848db37
(cherry picked from commit f37a94ae920fa5879c557603fc285942ec4b84b1)
(cherry picked from commit on googleplex-android-review.googlesource.com host: d83281c73070f2428754912ede95ecb0e3d69cd5)
Merged-In: I06981d1c6e387b16df792494523994518848db37

- include disable accounts when looking up accounts for a package to
  check if the limit is reached (10)
- put a new limit of 10 supported schemes
- put a new limit of 256 characters per scheme
- put a new limit of 256 characters per address
- ensure the Icon can write to memory w/o throwing an exception

bug: 259064622
bug: 256819769
Test: cts + unit
Change-Id: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
(cherry picked from commit on googleplex-android-review.googlesource.com host: 6a02885f90fa64d88bac31efbcdbc2bfe0a9328f)
Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7

Block touches from passing through activities by adding a dedicated
surface that consumes all touches that would otherwise pass through the
bounds availble to the Activity.

+ Keep displayId in sync for ActivityRecord

Bug: 194480991
Test: atest CtsWindowManagerDeviceTestCases:ActivityRecordInputSinkTests
Test: atest CtsWindowManagerDeviceTestCases:CrossAppDragAndDropTests
Test: atest CtsWindowManagerDeviceTestCases:PinnedStackTests
Test: Used "System > Developer Options > Simulate secondary display" to
test that moving activites between displays work as intended.

Change-Id: Ie74674c87c81c571089463349ac6233717ed9f33
(cherry picked from commit on googleplex-android-review.googlesource.com host: a418847bb8de788905aced4f59437de7cbfc5360)
Merged-In: Ie74674c87c81c571089463349ac6233717ed9f33

This is a backport of ag/20581190 and includes the fix in ag/20778075.
Note that on this branch, clearData doesn't seem to actually clear persistent storage.

Bug: 258422365
Test: atest NotificationManagerServiceTest SnoozeHelperTest
Change-Id: If7c7db6694330ffbac551d044efadb26219fe17f
Merged-In: I5a2823f10053ea8c83c612a567d6d4f1b6af23e7
Merged-In: Ie809cb4d648a40622618e0fb374f36b6d8dc972a
(cherry picked from commit on googleplex-android-review.googlesource.com host: b8a07871459ed895fc814730e198df4a0b5860dc)
Merged-In: If7c7db6694330ffbac551d044efadb26219fe17f

This is a second attempt at fixing the issue, the previous CL
ag/20642213 was reverted because it simply throws an exception when the
limit is reached, which causes apps to crash since chat apps tends to be
sending large amount of conversation shortcuts and they have no way to
know how many of these shortcuts are still cached by the system.

Instead of throwing an exception, this CL simply removes excessive
shortcuts to avoid crashes. Currently there is a limit on the number
of shortcuts an app can publish in respect to each launcher activity.
This CL further implements a global maximum of total number of shortcuts
that can be retained for an app to mitigate from any potential system
health issue.

When the global maximum is reached, ShortcutService will proactively
removes shortcuts from system memory. Cached shortcuts are removed
first, followed by dynamic shortcuts, using last updated time as
tie-breaker.

This CL additionally addresses an unexpected flow where re-publishing
previously removed shortcuts that are still retained by the system could
cause the total number of shortcuts to exceed previously set limit.

Bug: 250576066 233155034
Test: manual
Change-Id: I001c7a87b62aefa9487bf8efaf3cd02d7cb21521
Merged-In: I001c7a87b62aefa9487bf8efaf3cd02d7cb21521
(cherry picked from commit on googleplex-android-review.googlesource.com host: 94437e989c0391b2dbf28d33120fdc28a4ce8d4d)
Merged-In: I001c7a87b62aefa9487bf8efaf3cd02d7cb21521

The conditional permission was introduced for TaskFragmentOrganizer, but
not really needed. Remove the conditional check.

Bug: 259938771
Test: pass existing tests
Merged-In: I666b9ee6b6076766513b97e675fdbaa002428601
Change-Id: I666b9ee6b6076766513b97e675fdbaa002428601
(cherry picked from commit on googleplex-android-review.googlesource.com host: 6d848929eab6249b0ba1b8bd6d454744850b1718)
Merged-In: I666b9ee6b6076766513b97e675fdbaa002428601

This is to prevent malicious app entering PiP without being visible
first, like blocking onResume from completion. Which in turn
leaves the PiP window in limbo and non-interactable.

Bug: 265293293
Test: atest PinnedStackTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4fad1456409b79d6e649a29d5116a4fe3160bd21)
Merged-In: I458a9508662e72a1adb9d9818105f2e9d7096d44
Change-Id: I458a9508662e72a1adb9d9818105f2e9d7096d44

…g notifications

 NotificationContentInflater waits on SysUiBg thread for images to load, with a timeout
 of 1000ms.

Test: 1. Build a test app that posts MessagingStyle notifications with a huge image (8k+) set as data Uri.
 2. SystemUi should not ANR
 3. adb logcat | grep NotificationInlineImageCache  - shows timeout/cancellation logs

Bug: 252766417
Bug: 223859644

(cherry picked from commit 195043f40e46ddcd2fe534a9dac344792d39d91c)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b9cd15ad8a2f87893164ad2ab518039bb0b61424)
Merged-In: I341db60223214cf2282b5c0270e343e1ce95fa01
Change-Id: I341db60223214cf2282b5c0270e343e1ce95fa01

  Catch canvas drawing exceptions caused  by unsuported image sizes.

Test: 1. Post a custom view notification with a layout
	containing an ImageView that references a 5k x 5k image
2. Add an App Widget to the home screen with that has the
	layout mentioned above as preview/initial layout.

Bug: 268193777
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c3db1e4451490ddc7f6033a6ab7d54e71ebda9d8)
Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a

Change-Id: Ibbaa234b663bc8e40d2a0a0f076a8676b6b1bc16

This change updates the privapp allowlist to grant the MANAGE_USERS
permission to Traceur. This permission is needed to query admin user
status, as Traceur shouldn't be able to start if the current user is not
an admin.

Test: Using ABTD, apply this change with ag/22119816 to verify that
      Traceur still works as intended (opening app, tracing, etc.).
Bug: 262243665
Bug: 262244249
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f42db15239663604eb5d36edb04a0f9a04576568)
Merged-In: I8e2174065b686c052cb080b3590ea4d89e7a7783
Change-Id: I8e2174065b686c052cb080b3590ea4d89e7a7783

Bug: 265015796
Test: atest
FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e01f68bdabe8aa7154e1ed936235b5304f4c0cd)
Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3

Catch exceptions that may be thrown if invalid data ended up in the
persisted job file.

Bug: 246541702
Bug: 246542132
Bug: 246542285
Bug: 246542330
Test: install test app with invalid job config, start app to schedule job, then reboot device
(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bdc1e8a3affd8534a829744001ef3ea26cce074)
Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e
Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e

Test: ServiceListingTest
Bug: 260570119
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a9c75de2b4ae92f4b7e7aade8433fd44ef376e11)
Merged-In: Ib4740ba401667de62fa1a33334c2c1fbee25b760
Change-Id: Ib4740ba401667de62fa1a33334c2c1fbee25b760

…dbyController

When deciding an app's standby bucket, check if the
app has its user control disabled by an IT admin. If so,
the app should be the exempted restricted bucket.

Bug: 272042183
Test: atest AppStandbyControllerTests
(cherry picked from commit 269fcb6873dee199dd8023831f882aafff1f6291)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3dbab873d6d8f78c4d498a575ad37fd0dc20efbe)
Merged-In: I4279dc37f0e17aedb1c2a87468478248443a253e
Change-Id: I4279dc37f0e17aedb1c2a87468478248443a253e

Bug: 274759612
Test: atest NotificationInterruptStateProviderImplTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1bc1be92ce0d8bd8abd9efa13e85ac0d33556a3b)
Merged-In: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
Change-Id: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2

Bug: 261036568
Test: manually via supplied tool (see bug)
(cherry picked from commit 3062b80fb28014a7482d5fa8b2a5c852134a5845)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:08809fa8c938ccc6f0cd21036fcc464a96d93384)
Merged-In: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
Change-Id: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a

This commit will try to sanitize the content of VpnDialog. This
commit creates a function which will try to sanitize the VPN
label, if the sanitized VPN label is different from the original
one, which means the VPN label might contain HTML tag or the VPN
label violates the words restriction(may contain some wording
which will mislead the user). For this kind of case, show the
package name instead of the VPN label to prevent misleading the
user.

The malicious VPN app might be able to add a large number of line
breaks with HTML in order to hide the system-displayed text from
the user in the connection request dialog. Thus, sanitizing the
content of the dialog is needed.

Bug: 204554636
Test: N/A
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab)
Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d

The v1 and v2 APK Signature Schemes support multiple signers; this
was intended to allow multiple entities to sign an APK. Previously,
the platform had no limits placed on the number of signers supported
in an APK, but this commit sets a hard limit of 10 supported signers
for these signature schemes to ensure a large number of signers
does not place undue burden on the platform.

Bug: 266580022
Test: Manually verified the platform only allowed an APK with the
       maximum number of supported signers.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597)
Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091
Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091

This will also verify that the caller app can actually grant them.

Fix: 274592467
Test: atest NotificationManagerServiceTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4dee5aab12e95cd8b4d663ad050f07b0f2433596)
Merged-In: I83429f9e63e51c615a6e3f03befb76bb5b8ea7fc
Change-Id: I83429f9e63e51c615a6e3f03befb76bb5b8ea7fc

Bug: 243794108
Test: atest CtsSecurityBulletinHostTestCases:android.security.cts.CVE_2023_20918
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c62d2e1021a030f4f0ae5fcfc8fe8e0875fa669f)
Merged-In: I5d329beecef1902c36704e93d0bc5cb60d0e2f5b
Change-Id: I5d329beecef1902c36704e93d0bc5cb60d0e2f5b

security method is none. This is mostly to fix the case where we auth
sim pin in the set up wizard and it goes straight to keyguard instead of
the setup wizard activity.

This works with the prevent bypass keyguard flag because the device
should be noe secure in this case.

Fixes: 222446076
Test: turn locked sim on, which opens the sim pin screen. Auth the
screen and observe that keyguard is not shown.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
Cherry-picking this CL as a security fix

Bug: 222446076
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:65ea56f54c059584eb27ec53d486dba8161316ab)
Merged-In: Id302c41f63028bc6dd58ba686e23d73565de9675
Change-Id: Id302c41f63028bc6dd58ba686e23d73565de9675

Also added the person URIs in the test, since they weren't being
checked.

Test: atest NotificationManagerServiceTest & tested with POC from bug
Bug: 276729064
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43b1711332763788c7abf05c3baa931296c45bbb)
Merged-In: I848545f7aee202495c515f47a32871a2cb6ae707
Change-Id: I848545f7aee202495c515f47a32871a2cb6ae707

Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput.
This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior.

Fixes: 273729476
Test: atest ShortcutManagerTest2
Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab0c8ac5b47509a71f27c4e5e9ce104d51bab0a8)
Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5

Bug: 277740848
Test: atest RemoteViewsTest NotificationManagerServiceTest & tested with POC from bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4692946c10d11c1e935869e11dc709a9cdcba69)
Merged-In: I7d3d35df0ec38945019f71755bed8797b7af4517
Change-Id: I7d3d35df0ec38945019f71755bed8797b7af4517

…s from using Alarm

Manager to bypass BAL restrictions.

Test: atest-src BackgroundActivityLaunchTest
Bug: 195756028
Change-Id: I33112ff59d913d8a7244289fe1a43512844e902a
(cherry picked from commit 7a41e2fbc983ce0083b288e9489288de60dc8d8b)
Merged-In: I33112ff59d913d8a7244289fe1a43512844e902a

…'s own app only

unless it's a system app.

Bug: 239423414
Bug: 223376078
Test: atest CtsAppTestCases:ActivityManagerTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d1c95670b248df945784b0f2830acf83b5682de3)
Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02
Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02

Apps should not have direct access to this entry point. Check that the
caller is a vendor, system, or product package.

Test: Ran PoC app and CtsMediaPlayerTestCases.
Bug: 236688380
(cherry picked from commit d0ba7467c2cb2815f94f6651cbb1c2f405e8e9c7)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e37820e47c383aecf9d1173a0676c27e6a59ce4f)
Merged-In: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f
Change-Id: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f

with content URI.

This prevents the primary user from accessing the secondary user's
photos for QAW card images.

Test: manually, atest
Bug: 272020068
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ff753ae693065685d85bbda6af2953905fdf434c)
Merged-In: I6932c5131b3c795bac4ea9b537938e7ef4f3ea4e
Change-Id: I6932c5131b3c795bac4ea9b537938e7ef4f3ea4e

Bug: 277593270
Test: atest NotificationManagerServiceTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:beb185c5cd60edc68f4ef386c4407eba9c02c698)
Merged-In: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1
Change-Id: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1

The following APIs now enforce limits and throw IllegalArgumentException
when limits are violated:
* DPM.setTrustAgentConfiguration() limits agent packgage name,
  component name, and strings within configuration bundle.
* DPM.setPermittedAccessibilityServices() limits package names.
* DPM.setPermittedInputMethods() limits package names.
* DPM.setAccountManagementDisabled() limits account name.
* DPM.setLockTaskPackages() limits package names.
* DPM.setAffiliationIds() limits id.
* DPM.transferOwnership() limits strings inside the bundle.

Package names are limited at 223, because they become directory names
and it is a filesystem restriction, see FrameworkParsingPackageUtils.

All other strings are limited at 65535, because longer ones break binary
XML serializer.

The following APIs silently truncate strings that are long beyond reason:
* DPM.setShortSupportMessage() truncates message at 200.
* DPM.setLongSupportMessage() truncates message at 20000.
* DPM.setOrganizationName() truncates org name at 200.

Bug: 260729089
Test: atest com.android.server.devicepolicy
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:12c201509e911f4dddabf371bd22c93e097e5d99)
Merged-In: Idcf54e408722f164d16bf2f24a00cd1f5b626d23
Change-Id: Idcf54e408722f164d16bf2f24a00cd1f5b626d23

Manual test steps:
1. Enable app pinning and disable "Ask for PIN before unpinning" setting
2. Pin an app (ie: Settings)
3. Lockdown from the power menu
Observe: user is brought to the keyguard, primary auth is required
to enter the device. After entering credential, the device is still in
app pinning mode.

Test: atest KeyguardViewMediatorTest
Test: manual steps outlined above
Bug: 218495634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94)
Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2
Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2

Change-Id: Ia967920c8b3f2388d7a1d4ce7a717525b2680923

PermissionManagerServiceImpl.restorePermissionState() creates a new
UID permission state for non-shared-UID packages that have been
updated (i.e. replaced), however the existing logic for non-runtime
permission never carried over the flags from the old state. This
wasn't an issue for much older platforms because permission flags
weren't used for non-runtime permissions, however since we are
starting to use them for role protected permissions (ROLE_GRANTED) and
app op permissions (USER_SET), we do need to preserver the permission
flags.

This change merges the logic for granting and revoking a non-runtime
permission in restorePermissionState() into a single if branch, and
appends the logic to copy the flag from the old state in that branch.

Bug: 283006437
Test: PermissionFlagsTest#nonRuntimePermissionFlagsPreservedAfterReinstall
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e1ebd84e27f5d4fa8bc6577705293251bcbac4f)
Merged-In: Iea3c66710e7d28c6fc730b1939da64f1172b08db
Change-Id: Iea3c66710e7d28c6fc730b1939da64f1172b08db

Bug: 276294099
Test: atest NotificationManagerServiceTest NotificationVisitUrisTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67cd169d073486c7c047b80ab83843cdee69bf53)
Merged-In: I670198b213abb2cb29a9865eb9d1e897700508b4
Change-Id: I670198b213abb2cb29a9865eb9d1e897700508b4

This is to prevent a vulnerability where notifications can show
resources belonging to other users, since the URI in the nested views
was not being checked.

Bug: 277740082
Test: atest RemoteViewsTest NotificationVisitUrisTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:850fd984e5f346645b5a941ed7307387c7e4c4de)
Merged-In: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8
Change-Id: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8

This is a security fix for b/270049379.

Bug: 270049379
Test: atest CtsMediaMiscTestCases
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c573c83a2aa36ca022302f675d705518dd723a3c)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba546a306217389a8ff9e5e948612651fd496081)
Merged-In: I05626f7abf1efef86c9e01ee3f077d7177d7f662
Change-Id: I05626f7abf1efef86c9e01ee3f077d7177d7f662

Bug: 277741109
Test: atest RemoteViewsTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ae0d45137b0f8ea49a085bbce4d39f901685c4a5)
Merged-In: Iceb33606da3a49b9638ab21aeae17a168c1b411a
Change-Id: Iceb33606da3a49b9638ab21aeae17a168c1b411a

Bug: 281807669
Test: Manual, i.e. posting the following sequence of events (within few milliseconds) to the scheduler and observe the behaviour with and without the fix: Mic in use -> Mic not in use -> Mic in use
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a45e1d045770eaabfdbf0e1212c9eb84caf1d565)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:20ea049a4a52dbc8d4e5ed957a2b6b9aa02a2f34)
Merged-In: I9851e6ed4cb956d0459ef56251eb0ef3210764b8
Change-Id: I9851e6ed4cb956d0459ef56251eb0ef3210764b8

Bug: 281018094
Test: atest RemoteViewsTest NotificationVisitUrisTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:634a69b7700017eac534f3f58cdcc2572f3cc659)
Merged-In: I2014bf21cf90267f7f1b3f370bf00ab7001b064e
Change-Id: I2014bf21cf90267f7f1b3f370bf00ab7001b064e

…re user specific settings are used" into rvc-dev am: d198f5165c am: 886d492c8c

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/23475765

Signed-off-by: Automerger Merge Worker <[email protected]>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f37a92b8c8c98ca40f858782fe3720362565c16c)
Merged-In: Idda8cdb4c853b6046ba19d35eeea2a1a6ee73541
Change-Id: Idda8cdb4c853b6046ba19d35eeea2a1a6ee73541

Bug: 213170822

Remove the code that CursorWindow::writeToParcel() uses to ensure slot
data is 4-byte aligned.  Because mAllocOffset and mSlotsOffset are
already 4-byte aligned, the alignment step here is unnecessary.

CursorWindow::spaceInUse() returns the total space used.  The tests
verify that the total space used is always a multiple of 4 bytes.

Test: atest
 * libandroidfw_tests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d4afa0986cbc440f458b4b8db05fd176ef3e6d2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:548b0a183859fb023dee7ecd7d9f05bf7fed00f8)
Merged-In: I720699093d5c5a584283e5b76851938f449ffa21
Change-Id: I720699093d5c5a584283e5b76851938f449ffa21

Add a check for URI permission to make sure that user can access the URI
set in MediaMetadata. If permission is denied, clear the URI string set
in metadata.

Bug: 271851153
Test: atest MediaSessionTest
Test: Verified by POC app attached in bug, image of second user is not
the UMO background of the first user.

(cherry picked from commit b8a7fd8e6f41ee54d27c1e7aaa15b4a3f5365a02)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91705f7cc95a87a5cc7814f543669adcd3b35f09)
Merged-In: I384f8e230c909d8fc8e5f147e2fd3558fec44626
Change-Id: I384f8e230c909d8fc8e5f147e2fd3558fec44626

…m: 543e6febbf am: 8c3d465b5e

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/23438530

Fixes: 285650146
Fixes: 280797684
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:06456af560729b8a8d209613bb117ede3496fd9d)
Merged-In: I7822bf2bb75c775faaaa7023fd2c9af9f6d6888f
Change-Id: I7822bf2bb75c775faaaa7023fd2c9af9f6d6888f