android-12.1.0_r1 to android-security-12.1.0_r1 AOSP changelog

2a57341178 : Version bump to SSV2.220224.077 [core/build_id.mk]
cd50d0fdd6 : Version bump to SSV2.220224.076 [core/build_id.mk]
c0644f6b3f : Version bump to SSV2.220224.075 [core/build_id.mk]
5178428526 : Version bump to SSV2.220224.074 [core/build_id.mk]
d1c550e8f7 : Version bump to SSV2.220224.073 [core/build_id.mk]
1db07587ce : Version bump to SSV2.220224.072 [core/build_id.mk]
f0bcda30d7 : Version bump to SSV2.220224.071 [core/build_id.mk]
245fa3ef8a : Version bump to SSV2.220224.070 [core/build_id.mk]
99f491fd47 : Version bump to SSV2.220224.069 [core/build_id.mk]
91b910c90f : Version bump to SSV2.220224.068 [core/build_id.mk]
9520ebb4c0 : Version bump to SSV2.220224.067 [core/build_id.mk]
d1dbed01ad : Version bump to SSV2.220224.066 [core/build_id.mk]
b13ab65e64 : Version bump to SSV2.220224.065 [core/build_id.mk]
cfb9b586a0 : Version bump to SSV2.220224.064 [core/build_id.mk]
9e5d575018 : Version bump to SSV2.220224.063 [core/build_id.mk]
09c8a4c7a2 : Version bump to SSV2.220224.062 [core/build_id.mk]
859802d166 : Version bump to SSV2.220224.061 [core/build_id.mk]
a557f4e20e : Version bump to SSV2.220224.060 [core/build_id.mk]
f5cf02b543 : Version bump to SSV2.220224.059 [core/build_id.mk]
1d364bf001 : Version bump to SSV2.220224.058 [core/build_id.mk]
988bb1eb4f : Version bump to SSV2.220224.057 [core/build_id.mk]
05eb2834bc : Version bump to SSV2.220224.056 [core/build_id.mk]
8fe106bd99 : Version bump to SSV2.220224.055 [core/build_id.mk]
82e533daa2 : Version bump to SSV2.220224.054 [core/build_id.mk]
84efcaf7fa : Version bump to SSV2.220224.053 [core/build_id.mk]
4b9ec47e79 : Version bump to SSV2.220224.052 [core/build_id.mk]
eb9f660847 : Version bump to SSV2.220224.051 [core/build_id.mk]
b517baa21e : Version bump to SSV2.220224.050 [core/build_id.mk]
f8c9abe305 : Version bump to SSV2.220224.049 [core/build_id.mk]
2841ca8d0d : Version bump to SSV2.220224.048 [core/build_id.mk]
84018ef542 : Version bump to SSV2.220224.047 [core/build_id.mk]
8079071d76 : Version bump to SSV2.220224.046 [core/build_id.mk]
63aba00f63 : Version bump to SSV2.220224.045 [core/build_id.mk]
bef0d4a7a6 : Version bump to SSV2.220224.044 [core/build_id.mk]
c1528cf226 : Version bump to SSV2.220224.043 [core/build_id.mk]
d7acfbb853 : Version bump to SSV2.220224.042 [core/build_id.mk]
5b4f6aadd8 : Version bump to SSV2.220224.041 [core/build_id.mk]
1b6976c90a : Version bump to SSV2.220224.040 [core/build_id.mk]
df78ae629d : Version bump to SSV2.220224.039 [core/build_id.mk]
f87ab98ec3 : Version bump to SSV2.220224.038 [core/build_id.mk]
524f5c6457 : Version bump to SSV2.220224.037 [core/build_id.mk]
b358bfb8a7 : Version bump to SSV2.220224.036 [core/build_id.mk]
e0798611ca : Version bump to SSV2.220224.035 [core/build_id.mk]
e75c76b85e : Version bump to SSV2.220224.034 [core/build_id.mk]
c5a076386f : Version bump to SSV2.220224.033 [core/build_id.mk]
cef0bc2c8c : Version bump to SSV2.220224.032 [core/build_id.mk]
d31ded19e9 : Version bump to SSV2.220224.031 [core/build_id.mk]
e760e9fce2 : Version bump to SSV2.220224.030 [core/build_id.mk]
6510948350 : Version bump to SSV2.220224.029 [core/build_id.mk]
85e9abfb00 : Version bump to SSV2.220224.028 [core/build_id.mk]
61b907e4e3 : Version bump to SSV2.220224.027 [core/build_id.mk]
d7085224ed : Version bump to SSV2.220224.026 [core/build_id.mk]
69cc2bbdc4 : Version bump to SSV2.220224.025 [core/build_id.mk]
a728ab9395 : Version bump to SSV2.220224.024 [core/build_id.mk]
5683d6bfcc : Version bump to SSV2.220224.023 [core/build_id.mk]
a4ce88545a : Version bump to SSV2.220224.022 [core/build_id.mk]
ce533764e2 : Version bump to SSV2.220224.021 [core/build_id.mk]
1ca1de8568 : Version bump to SSV2.220224.020 [core/build_id.mk]
c85273016c : Version bump to SSV2.220224.019 [core/build_id.mk]
06ccf897e2 : Version bump to SSV2.220224.018 [core/build_id.mk]
d74aa3862b : Version bump to SSV2.220224.017 [core/build_id.mk]
0b1949fb18 : Version bump to SSV2.220224.016 [core/build_id.mk]
4593e0366a : Version bump to SSV2.220224.015 [core/build_id.mk]
205a297e69 : Version bump to SSV2.220224.014 [core/build_id.mk]
45ca509500 : Version bump to SSV2.220224.013 [core/build_id.mk]
09e4ad3777 : Version bump to SSV2.220224.012 [core/build_id.mk]
0e5f9a49ca : Version bump to SSV2.220224.011 [core/build_id.mk]
922772d3cf : Version bump to SSV2.220224.010 [core/build_id.mk]
c3d021695f : Version bump to SSV2.220224.009 [core/build_id.mk]
ca130ffe06 : Version bump to SSV2.220224.008 [core/build_id.mk]
f3f39d5655 : Version bump to SSV2.220224.007 [core/build_id.mk]
e27f6c4c7e : Version bump to SSV2.220224.006 [core/build_id.mk]
74aa5cfa01 : Version bump to SSV2.220224.005 [core/build_id.mk]
f7f6a56587 : Version bump to SSV2.220224.004 [core/build_id.mk]
b710a209ee : Version bump to SSV2.220224.003 [core/build_id.mk]
51d3adcb70 : Version bump to SSV2.220224.002 [core/build_id.mk]

5a0e790f55b : Change open jpeg folder name

70d9e0c : Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
32092f9 : Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.

2e45246b00 : Fix a bug when getting a gzip header extra field with inflate().

bf0ed85 : [automerge] libfdt: fdt_path_offset_namelen: Reject empty paths 2p: a6ac6d916d am: bfb9c7cab7
b2f70f0 : [automerge] Fix integer wrap sanitisation. 2p: 2b597691ef am: 312bb25a2c
b4de7ba : [automerge] FROMGIT: libfdt: fdt_offset_ptr(): Fix comparison warnings 2p: 6f0fef2b2a

c343ffd9 : [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
af59a741 : Prevent more integer overflows
01416711 : Prevent integer overflow in function doProlog
8847b626 : Prevent XML_GetBuffer signed integer overflow
b8819d3b : Prevent integer overflow in copyString

58f4e693e : Cherrypick following three changes
82313ab60 : DO NOT MERGE - Cherry-pick two upstream changes

ab6d3bea : malloc-fail: Fix OOB read after xmlRegGetCounter

96a44d29c : Update pdfium to Chrome 114.0.5735.130 pdfium

f596b65 : fix buffer overrun in eas_wtengine

4dc9bc75 : update to v1.2.0-8-g20ceff7e

7702e56 : Fix a bug when getting a gzip header extra field with inflate().

326c584eba : omx: check HDR10+ info param size
73d11ac20f : StagefrightRecoder: Disabling B-frame support
07df1d8dd9 : libmediatranscoding: handle death recipient cookie ownership differently
ff81922f52 : Revert "Audio policy: anonymize Bluetooth MAC addresses"
fab76f21e5 : Fix out of bounds read and write in onQueueFilled in outQueue
2b4e096ce0 : SoftVideoDecodeOMXComponent: validate OMX params for dynamic HDR
486c19ee9d : Validate OMX Params for VPx encoders
7a6c850b80 : Audio policy: anonymize Bluetooth MAC addresses
68c514fe5e : Update mtp packet buffer
d3b6fab037 : Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
51939c9bc0 : Codec2BufferUtils: Use cropped dimensions in RGB to YUV conversion
02936dda1e : Revert "NdkMedia: fix android.mediav2.cts.CodecEncoderSurfaceTest failed."
c47a125961 : NdkMedia: fix android.mediav2.cts.CodecEncoderSurfaceTest failed.
3c28a81aa6 : Condition background record restriction on Sdk
f7b5a2f8c3 : Correct attribution source for MMAP thread
76225338a8 : httplive: fix use-after-free
8dad47c382 : Initialise VPS buffer to NULL in constructor
18c566f984 : Fix heap-use-after-free issue flagged by fuzzer test.
9df8884c12 : Fix for heap buffer overflow issue flagged by fuzzer test.
aca5e8f9c2 : Fix Segv on unknown address error flagged by fuzzer test.
a2ce4cc4f3 : Force unsilence record clients on startInput
c484bda0ac : Fix NuMediaExtractor::readSampleData buffer Handling
08d0401fd2 : C2SurfaceSyncObj: prevent OOB read in Import
e2c6753c4d : move MediaCodec metrics processing to looper thread
81b19a23cb : RESTRICT AUTOMERGE Use static token for myAttributionSource in ServiceUtilities
596645591c : Fix Out of Bounds Read in AAVCAssembler
cd88ddb22a : audio: fix missing package name in attribution source
cb83d38b56 : libstagefright: fix heap use after free issue
17fce0f5ce : [Fix vulnerability] setSecurityLevel in clearkey
3c037dc548 : Add missing bounds checks
8929b6fa52 : Cache MMAP client silenced state.
656897557b : Fix Out of Bounds read in TextDescriptions.cpp
64b5257c6f : Avoid read out of bounds
e9a8ccd909 : C2Allocator: protetct memory mappings from race condition
e73833e0ec : Safe parsing of HEIF framecount information
096cf0280a : C2AllocatorIon:protect mMappings using mutex

98f07007e7b6 : RESTRICT AUTOMERGE Delete keystore keys from RecoveryService.rebootRecoveryWithCommand()
a03f1e63c34b : DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme delimiter
e411339df935 : Hide SAW subwindows
5b23e7cf0f7c : Add the protection to avoid data overflow in BinaryXmlSerializer.java
11a632e1591c : Restrict USB poups while setup is in progress
781ce614bc86 : Rate limiting PiP aspect ratio change request
338e0ac6ac70 : RESTRICT AUTOMERGE Backport preventing BAL bypass via bound service
58a0ab5bc7ab : Fix security vulnerability of non-dynamic permission removal
6c0e2b7df047 : Verify UID of incoming Zygote connections.
8dfb447bc757 : [DO NOT MERGE][CDM] Fix setSkipPrompt on Android S
a3e88190d66c : Fix security vulnerability allowing apps to start from background
5c5d028d3cd2 : [RESTRICT AUTOMERGE][PM] Send ACTION_PACKAGE_CHANGED when mimeGroups are changed
cdf39d929ac0 : [RESTRICT AUTOMERGE] AccessibilityManagerService: remove uninstalled services from enabled list after service update.
9b5390322b1a : [CDM][CMD] Check permissions for CDM shell commands
4432d030d8e7 : Resolve message/conversation image Uris with the correct user id
44e744a5d20f : Check hidden API exemptions
c4d81d3eecd5 : [DO NOT MERGE][Autofill Framework] Add in check for intent filter when setting/updating service
9432acc7d528 : [DO NOT MERGE][CDM] Fix a security issue that allow 3p apps to skip prompt by setSkipPrompt
c713eb91ae51 : Add more checkKeyIntent checks to AccountManagerService.
13f35720cb76 : Fix vulnerability in AttributionSource due to incorrect Binder call
57ba37a9fc7f : Fix error handling for non-dynamic permissions
64e7a3910456 : Hide window immediately if itself doesn't run hide animation
c55be0c2dfe7 : Check for NLS bind permission when rebinding services
680c8bc8b86a : Added throttle when reporting shortcut usage
ba46960bacdb : Verify URI permission for channel sound update from NotificationListenerService
cea77d5719a5 : DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses permissions
f670a2fe9762 : DO NOT MERGE: ActivityManager#killBackgroundProcesses can kill caller's own app only
346a778e609e : Update media visibility on lock screen
7687744bf662 : Revert "Refactor the SADeviceState to AdiDeviceState"
a9dc2b63c990 : Revert "AudioService: anonymize Bluetooth MAC addresses"
e07c04db6118 : Prioritize system toasts
84aee654e63f : Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
505edca35e06 : isUserInLockDown can be true when there are other strong auth requirements
67f148ad393f : Don't store invalid pkgs when migrating filters
4208b31baa97 : RESTRICT AUTOMERGE Added limitations for attributions to handle invalid cases
9d47c52e9d9f : Disallow system apps to be installed/updated as instant.
a0ee17725891 : Close AccountManagerService.session after timeout.
4b46bacd1d97 : Validate package names passed to the installer.
638ea6d4642f : Resolve custom printer icon boundary exploit.
5c446eb70fa4 : AudioService: anonymize Bluetooth MAC addresses
375f7c239e19 : Refactor the SADeviceState to AdiDeviceState
772f02bd68ae : Enforce persisted snoozed notifications limits
4fca85d7bb6b : [RESTRICT AUTOMERGE] Check permission of Autofill icon URIs
97ef4659b780 : Restrict activity launch when caller is running in the background
2601009f4aa4 : DO NOT MERGE Disallow Wallpaper service to launch activity from background.
2976f9b05fcc : Unbind TileService onNullBinding
a6321142ea43 : DO NOT MERGE: "Hide" /Android/data|obb|sanbox/ on shared storage
daa5e2976c50 : DO NOT MERGE Ensure finish lockscreen when usersetup incomplete
af574093dec4 : DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses permissions
32221876b827 : Fix vulnerability that allowed attackers to start arbitary activities
eb4aa8717dcf : RESTRICT AUTOMERGE Log to detect usage of whitelistToken when sending non-PI target
a41773ae3f5e : [SB][Privacy] Fetch current active appops on startup.
a08795bd566a : [CDM] Validate component name length before requesting notification access.
049d942fe683 : Truncate user data to a limit of 500 characters
443e17286504 : RESTRICT AUTOMERGE: Check URI permissions for resumable media artwork
32691367d0b8 : Move startWatchingModeWithFlags to the native supported binder calls
d1c5a11b51ba : Updated: always show the keyguard on device lockdown
52ba8f1ae209 : Adding in verification of calling UID in onShellCommand
57cd7d2ae504 : Revert "On device lockdown, always show the keyguard"
1cf1b7d442c3 : Validate userId when publishing shortcuts
825a59b3ca27 : Use readUniqueFileDescriptor in incidentd service
f155cd02a720 : Restrict number of shortcuts can be added through addDynamicShortcuts
5c1ac2cb77bb : Require permission to unlock keyguard
f8c2411e2151 : Validate URI-based shortcut icon at creation time.
8638149a03c6 : Disable priority conversation widget for secondary users
bdf1a2937abc : RESTRICT AUTOMERGE: Drop invalid data.
58bca18a346a : Visit Uris related to Notification style extras
d030cfd73ddf : Fix bypass BAL via `requestGeofence`
7707d6a8f9fa : Visit Uris added by WearableExtender
da9dd005ceaf : [SettingsProvider] verify ringtone URI before setting
c0503393550a : Use type safe API of readParcelableArray
9f928748ac06 : [DO NOT MERGE] Check caller's uid in backupAgentCreated callback
0028157ff706 : DO NOT MERGE Fix BAL via notification.publicVersion
8ba763834d1b : Revert "Dismiss keyguard when simpin auth'd and..."
18c3b194642f : [RESTRICT AUTOMERGE] Ignore small source rect hint
ab61895c5bb6 : RESTRICT AUTOMERGE: SettingsProvider: exclude secure_frp_mode from resets
78674527c841 : Add userId check before loading icon in Device Controls
e44c450970f1 : Fixing DatabaseUtils to detect malformed UTF-16 strings
697c280f33d8 : Disallow loading icon from content URI to PipMenu
5db921458dd4 : [DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews
60fa3b74e80b : Do not share key mappings with JNI object
270027cbd5b2 : Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS.
023fdcfb4f0f : Import translations. DO NOT MERGE ANYWHERE
c9ed6f674f90 : Add placeholder when media control title is blank
bcc4a16e5bde : RingtoneManager: verify default ringtone is audio
1ebce10f0536 : Improve user handling when querying for resumable media
8c2662e018ac : Update AccountManagerService checkKeyIntentParceledCorrectly.
f5f974599512 : Forbid granting access to NLSes with too-long component names
0c34be23de4e : Ignore virtual presentation windows - RESTRICT AUTOMERGE
ff0d658194ba : [DO NOT MERGE] Update quickshare intent rather than recreating
73ad2a106146 : DO NOT MERGE Grant carrier privileges if package has carrier config access.
4b6b632bc4f4 : DO NOT MERGE Revert "Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS."
bff69113f171 : Remove unnecessary padding code
ae9945cf21b6 : Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
36721f26908a : Resolve StatusHints image exploit across user.
c84b7d2dece7 : Visit URIs in themed remoteviews icons.
569251643fea : Fix PrivacyChip not visible issue
01124af96c52 : Check URIs in sized remote views.
dee248374a54 : Verify URI permissions in MediaMetadata
9e8255cf410b : Validate ComponentName for MediaButtonBroadcastReceiver
4111de7b3912 : Implement visitUris for RemoteViews ViewGroupActionAdd.
4f6882363816 : Check URIs in notification public version.
5f15749ff3c3 : Preserve flags for non-runtime permissions upon package update.
5e04f4794484 : Ensure policy has no absurdly long strings
55dd32871f43 : On device lockdown, always show the keyguard
8ac4a9aea9ff : Verify URI permissions for notification shortcutIcon.
6c18f90d83e2 : Do not load drawable for wallet card if the card image icon iscreated with content URI.
2087ec342fcc : ActivityManagerService: Allow openContentUri from vendor/system/product.
7d3814d37c10 : DO NOT MERGE: ActivityManager#killBackgroundProcesses can kill caller's own app only
a14d9266f43f : Visit URIs in landscape/portrait custom remote views.
f38c2a049ad2 : Truncate ShortcutInfo Id
685bca1b916b : Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS.
09aa5ec63650 : Dismiss keyguard when simpin auth'd and...
dfe08ce06bfe : Only allow NEW_TASK flag when adjusting pending intents
821dd6fe53a9 : Grant URI permissions to the CallStyle-related ones
7cbbce516b5c : Limit the number of supported v1 and v2 signers
de1c16b2f673 : Sanitize VPN label to prevent HTML injection
c6b4947a21b7 : Revert "Ensure that only SysUI can override pending intent launch flags"
71afc6aeb0bb : Ensure that only SysUI can override pending intent launch flags
fe5bf524cfbb : [RESTRICT AUTOMERGE] Add BubbleMetadata detection to block FSI
c8b2481f418e : Enforce DevicePolicyManager.setUserControlDisabledPackages in AppStandbyController
8e52eeb56339 : Handle invalid data during job loading.
f21c0b9123ff : Allow filtering of services
add9717e93f1 : DO NOT MERGE: Grant MANAGE_USERS access to Traceur
766fe1dd6068 : Check key intent for selectors and prohibited flags
4b7745152bda : [DO NOT MERGE] Prevent RemoteViews crashing SystemUi
b65a3653bed3 : [DO NOT MERGE] Wait for preloading images to complete before inflating notifications
4c20a1db541f : Prevent sharesheet from previewing unowned URIs
f44beb7e652e : Remove Activity if it enters PiP without window
bde7755e4f4a : Limit the number of shortcuts per app that can be retained by system
2e0102e551ee : Trim strings added to persistent snoozed notification storage.
491402db836c : enforce stricter rules when registering phoneAccounts
4dea696369a3 : Uri: check authority and scheme as part of determining URI path
6fb0ad7b4e56 : Re-enforce MANAGE_ACTIVITY_TASKS for applySyncTransaction
647114a022ed : Checks if AccessibilityServiceInfo is within parcelable size.
719c08648d98 : [RESTRICT AUTOMERGE][pm] still allow debuggable for system app downgrades
43fabc0a3e42 : [RESTRICT AUTOMERGE][pm] prevent system app downgrades of versions lower than preload
8273a3aece8c : [RESTRICT AUTOMERGE] Fix bypass BG-FGS and BAL via package manager APIs
ab24ebd18780 : Fix bypass BAL via LocationManager.requestFlush
1b0136433311 : Add a limit on channel group creation
0ab919ad8e88 : [DO NOT MERGE] Backport BAL restrictions from T to S, this blocks apps from using Alarm Manager to bypass BAL restrictions.
a18dce4e10ac : [RESTRICT AUTOMERGE] Strip part of the activity info of another uid if no privilege
69e95cea07a7 : Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
39841cd4dfc9 : Fix checkKeyIntentParceledCorrectly's bypass
b20d7dc21ca2 : Checking if package belongs to UID before registering broadcast receiver
6638c048b9cc : Revert "[RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege"
b613961dcfef : [RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege
b6c77bdbbae4 : DO NOT MERGE: Context#startInstrumentation could be started from SHELL only now.
963d38e290b7 : Revert "Ensure that only SysUI can override pending intent launch flags"
2a9ef6ff6ebf : Enforce MediaButtonReceiver extracted component name matches session package name
eb5c388a0644 : Reconcile WorkSource parcel and unparcel code.
5d1c1f0af755 : Move service initialization
0ca417933f27 : Enforce MediaButtonReceiver ComponentName belongs to app
e4ac5c8cdf58 : Revert "[RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege"
0e3142f91943 : [DO NOT MERGE] Disallow clicks on privacy chip before provisioned
feebb44edbe5 : [RESTRICT AUTOMERGE] Do not send new Intent to non-exported activity when navigateUpTo
30ca0444d8ab : RESTRICT AUTOMERGE Use chain start token in performOpTransaction
cbf892ce119f : Use rule package name in addAutomaticZenRule; specify "android" for all system apps
536b667ceb6c : Convert argument to intent in ChooseTypeAndAccountActivity
358d340762f4 : fpService#authWithPrompt uses correct user handle.
f172ab6d13c2 : [RESTRICT AUTOMERGE] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
023d867b6186 : [DO NOT MERGE] Revert "Check rule package name in ZenModeHelper.addAutomaticRule"
6a7f18d06bb4 : [DO NOT MERGE] Revert "Fix system zen rules by using owner package name if caller is system"
4169de565f06 : Fix system zen rules by using owner package name if caller is system
7f1791adcf1e : Make Activites touch opaque - DO NOT MERGE
b39120dc45cb : [DO NOT MERGE] Do not clear calling identify when using BiometricPrompt from FingerprintService.
855ae434a0fa : [RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege
5faf9a2ca45b : Ensure that only SysUI can override pending intent launch flags
170a96fee739 : Enable user graularity for lockdown mode
270cf0c8be0d : Fix sharing to another profile where an app has multiple targets
4f04c34ea197 : Add protections against queueing a UsbRequest when the underlying UsbDeviceConnection is closed.
d8055c997d4d : RESTRICT AUTOMERGE Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
e0794f1616c1 : [RESTRICT AUTOMERGE][SettingsProvider] key size limit for mutating settings
83f2b6a817ea : RESTRICT AUTOMERGE Validate permission tree size on permission update
ff36cdfa737e : Backport missing permission check for querying main activity intent
8bae92e8bbd4 : [RESTRICT AUTOMERGE] [SettingsProvider] mem limit should be checked before settings are updated
8cad24ddaa3e : [DO NOT MERGE] Fix conditionId string trimming in AutomaticZenRule
eeb67077d87f : Disable all A11yServices from an uninstalled package.
7a5bf02701d2 : Limit length and number of MIME types you can set
244a971ce347 : Limit lengths of fields in Condition to a max length.
6a7aca4c77ca : [DO NOT MERGE] Revert "Fix system zen rules by using owner package name if caller is system"
b1aa422f7d0d : [DO NOT MERGE] Update window with FLAG_SECURE when bouncer is showing
82483782d8bd : Add safety checks on KEY_INTENT mismatch.
59d4d5fe863f : [DO NOT MERGE] Fix permanent denial of service via setComponentEnabledSetting
4b7d52e9d4a5 : Lower per-app notificationchannel limit
48c005cfdffc : [Do Not Merge] Ignore malformed shortcuts
75c616e9b3a7 : Prevent exfiltration of system files via avatar picker.
c8da0b159b36 : [RESTRICT AUTOMERGE] Allow activity to be reparent while allowTaskReparenting is applied
0b74066996fb : Fix a security issue in app widget service.
09ceb1a67234 : Fix NPE
1d1fcdbd7628 : [pm] forbid deletion of protected packages
92f73766da02 : Include all enabled services when FEEDBACK_ALL_MASK.
78ff513a3772 : Validate package name passed to setApplicationRestrictions. (Reland)
c818f41822d8 : Prevent non-admin users from deleting system apps.
d3e0d2cfd21f : Limit the size of NotificationChannel and NotificationChannelGroup
544df6981b85 : Revert "Prevent exfiltration of system files via user image settings."
0f1d76cfdf42 : Revert "Prevent non-admin users from deleting system apps."
8019cd236054 : Stop crashing the system on hitting the alarm limit
dee9f5ccd5c9 : [DO NOT MERGE] Do not dismiss keyguard after SIM PUK unlock
52ad8efc3c79 : Make sure parallel broadcasts enforce excluded permissions
6fda1c93a25d : Fix system zen rules by using owner package name if caller is system
c25ab79c4cfa : Trim any long string inputs that come in to AutomaticZenRule
f7cad71094a8 : DO NOT MERGE Fix auto-grant of AR runtime permission if device is upgrading from pre-Q
5a0770b40e83 : Check rule package name in ZenModeHelper.addAutomaticRule
fcdb59834f91 : Do not send AccessibilityEvent if notification is for different user.
ff5bd1e24c96 : [RESTRICT AUTOMERGE] Do not send new Intent to non-exported activity when navigateUpTo
3f40e485f06a : switch TelecomManager List getters to ParceledListSlice
f942e1607471 : DO NOT MERGE Move accountname and typeName length check from Account.java to AccountManagerService.
59d00491007e : Add excludedPackages parameter to broadcast
78d5f907029d : Enforce zen rule limit on a package level.
2260d53ca8cf : Strip transition information from activityoptions when sent to app
d61a8e8c8050 : Remove package name from SafetyNet logs
aa656b72f77d : Fix Notification redaction when power cycling a non-dozing device while occluded.
ef08edd227ba : Fix duplicate permission privilege escalation
839fc54249a7 : Block FullScreenIntent while device is in use if notification has a silencing GroupAlertBehavior.
5e1ee5933856 : Parcel: recycle recycles
4e61372db1e7 : Limit the number of concurrently snoozed notifications
ef813bb9728e : Restrict getInputMethodWindowVisibleHeight
5768be944009 : DO NOT MERGE Suppress notifications when device enter lockdown
2e173a31cdba : Only allow the system server to connect to sync adapters
5f1d1a509ddf : Stop using invalid URL to prevent unexpected crash
74d3ec9109c8 : Remove package title from notification access confirmation intent
5009919a8f9d : Make CheckOp return allowed if any attr tag for a package is excluded
37ce73970270 : Allow system server uid to bypass location restriction
361d56e9e37d : Disallow privileged apps to bypass location restriction
0bc470593b6e : DO NOT MERGE. Add a permissions check to LocationManagerService.
dea51d3c8bc4 : Clear mInterface before calling resetIkeState()
83207c2168e7 : Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.
ad8f3bbb9b0a : Update ServiceState broadcast for location permissions
e1eea3177e06 : USB: Increase debounce time for DISCONNECT processing (revised)
c3e63b9ccdd3 : Log to EventLog on prepareUserStorage failure
518d5758120b : Ignore errors preparing user storage for existing users
f538b6acdafc : UserDataPreparer: reboot to recovery for system user only
b1bbdae50e53 : UserDataPreparer: reboot to recovery if preparing user storage fails
6edafce15eba : StorageManagerService: don't ignore failures to prepare user storage
11596b77e1c5 : DO NOT MERGE: WM: Call Transaction#sanitize
90b3efd54c81 : limit TelecomManager#registerPhoneAccount to 10; api doc update
44acf3376de1 : [scv2] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning.
a45f792185a4 : Disallow too large display padding for wallpaper
b4f10ef2fe94 : Fix NPE
614f9606ac2c : Prevent exfiltration of system files via user image settings.
f11d5b6ed369 : Prevent non-admin users from deleting system apps.
fd60a6c1b73c : Fix security hole in GateKeeperResponse
1d1b6ba181a3 : Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
9a45cb333288 : Add an OEM configurable limit for zen rules
c89bd29d2ccc : Keyguard - Treat messsages to lock with priority
9bccb5d1b4ba : [Ongoing Call] Don't call #getIntent to avoid a security vulnerability.
77726fccd8a5 : Always restart apps if base.apk gets updated.
91d787c2cb51 : Verify caller before auto granting slice permission
0f3cf41c8ea8 : Replace BitmapRegionDecoder with ImageDecoder
d5704e471481 : [RESTRICT AUTOMERGE] Do not resume activity if behind a translucent task
b29c7026cf3e : Update permissions for ServiceState broadcast
642a09a7b7d0 : Filter notification APIs by user
2d8c78c75630 : Security fixes for PendingIntent related apis in LauncherApps
e015b279f07b : [RESTRICT AUTOMERGE] Add hide-non-system-overlay flag for HarmfulAppWarningActivity
8b97240bf981 : Restrict AdbManager broadcasts to apps with MANAGE_DEBUGGING permission.
14862d3b346d : Validate pid can be trusted
15d872673799 : Fix a mismatch in Bitmap_createFromParcel

936478d : Fix OOB crash for registerLocaleList
50f8ef0 : Fix OOB read for registerLocaleList

b7c81325ec : Add AppOps overload to be able to watch foreground changes.
be2a9ae608 : Fix for heap-use-after-free in GPUService.cpp
e6c90021aa : Allow sensors list to be empty
927725a823 : Add removeInstanceForPackageMethod to SensorManager
642d230200 : Remove some new memory leaks from SensorManager
a968087391 : Check for malformed Sensor Flattenable
09f4445ca5 : Mitigate the security vulnerability by sanitizing the transaction flags.
67d14d17dc : Allow windowhandles with NO_INPUT_CHANNEL - DO NOT MERGE
48b6681419 : Initialize DrawingState::trustedOverlay to false in constructor
f4eedabb92 : RESTRICT AUTOMERGE SurfaceFlinger: fix a potential race condition in stealReceiveChannel
7b6ab501f2 : DO NOT MERGE: SurfaceControl: Ensure unused fields are zeroed
1f38c7b272 : DO NOT MERGE: SurfaceFlinger: Add Transaction#sanitize

27b8c20ade : Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)

feac66fe4d : Keep track of DeathMonitor cookies
703d47656e : Add additional bounds checks to NNAPI FMQ deserialize utility functions
f0c49e1c4b : Fix array out of bound in audioTransportToHal.

b60312a : OOBR in AnalyzeMfcResp in NxpMfcReader.cc
ed590b4 : OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
dddf476 : Revert "OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2"
8da1390 : OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
14fe5b9 : Revert "OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2"
5df475b : OOBR in NxpMfcReader::SendIncDecRestoreCmdPart2
3295299 : OOBW in phNxpNciHal_write_unlocked()

1dab7ddf9 : Camera2: Do not pass location info for startActivity case

4cab383d6 : Convert argument to Intent in car settings AddAccountActivity.
9cdc8eed9 : [automerge] Convert argument to Intent in car settings account removal. 2p: a7a4b16b8f
8f3822923 : Extract app label from component name in notification access confirmation UI

2193d07f2 : No longer export CallSubjectDialog

10e7d4197 : No longer export CallSubjectDialog

463385bb : Removes unnecessary permission from the EmergencyInfo app.
4cf00d87 : Prevent exfiltration of system files via avatar picker.
066a5052 : Revert "Prevent exfiltration of system files via user image settings."
42b04c22 : Prevent exfiltration of system files via user image settings.

d2b0f9e : Encode authority part of uri before showing in UI

0b48cd0b6c : Fix permission bypass in legacy shortcut
cd47464acf : Fix permission issue in legacy shortcut
7df880c1cc : Prevent falling into OtherActivityInputConsumer when over lockscreen

e470df7d7 : Remove factory-reset logic from post-suw syncauth
726e5bf91 : [scv2] RESTRICT AUTOMERGE Use finalizeWorkProfileProvisioning.

a04dd0f5 : Possible deadlock on the NfcService object
a9296f52 : Ensure that SecureNFC setting cannot be bypassed
2af2b8c5 : OOB read in phNciNfc_RecvMfResp()
6788bd57 : Do not set default contactless application without user interaction

809ba7f3a4e : RESTRICT AUTOMERGE Restrict Settings Homepage prior to provisioning
78a8360e975 : Ignore fragment attr from ext authenticator resource
75ca173966b : Replace getCallingActivity() with getLaunchedFromPackage()
ccabd3d0e7e : Limit wifi item edit content's max length to 500
9d707ec6d10 : Validate ringtone URIs before setting
5b8c54c7dc0 : RESTRICT AUTOMERGE: Catch exceptions from setLockCredential()
50b0c8d0cb2 : [RESTRICT AUTOMERGE] Restrict ApnEditor settings
931304bc302 : DO NOT MERGE: Prevent non-system IME from becoming device admin
cf4420a5047 : Settings: don't try to allow NLSes with too-long component names
cb449a2de29 : Don't hide approved NLSes in Settings
afc0ffc654b : Fix: Bluetooth and Wifi scanning location MainSwitch page policy transparency.
6376a4f1275 : Don't show NLSes with excessively long component names
cb6e1d8e4af : Convert argument to intent in AddAccountSettings.
6c81f3bc6c4 : [DO NOT MERGE] Enforce INTERACT_ACROSS_USERS_FULL permission for NotificationAccessDetails
bf50f860665 : Only primary user is allowed to control secure nfc
d83753d64e9 : Add DISALLOW_APPS_CONTROL check into uninstall app for all users
3ba0bed404c : FRP bypass defense in the settings app
c1cbfa27a55 : Check Uri permission for FLAG_GRANT_READ/WRITE_URI_PERMISSION
b7f20c0ada8 : Allow 2-pane deep link to access unexported Activity
4e674cbb4b7 : Settings 2-pane deep link vulnerabilities
dffd89a4be7 : RESTRICT AUTOMERGE Make bluetooth switch not discoverable via SliceDeepLinkTrampoline
9b3570921f0 : Remove Intent selector from 2-pane deep link Intent
3c6ad102348 : [DO NOT MERGE] Add FLAG_SECURE for ChooseLockPassword and Pattern
445cc2e28de : [DO NOT MERGE] Make bluetooth not discoverable via large screen deep link flow
ea7692e3ea2 : [DO NOT MERGE] Fix can't change notification sound for work profile.
35c2ee8e11b : [DO NOT MERGE] Fix Settings crash when setting a null ringtone
c6036b888bb : Extract app label from component name in notification access confirmation UI
f52008b45e3 : RESTRICT AUTOMERGE Fix: policy enforcement for location wifi scanning
9ff50f623ff : Do not let guest user disable secuer nfc via SettingsSlice
d05d20278ba : RESTRICT AUTOMERGE Make bluetooth not discoverable via SliceDeepLinkTrampoline
b256e2e735e : Verify ringtone from ringtone picker is audio
2ac9c641624 : Fix LaunchAnyWhere in AppRestrictionsFragment
db3d2deddc7 : Hide non-system overlay window on ActivityPicker
ab020e22053 : Restrict secondary users to share Wi-Fi network
ea01af3dc66 : Change default USB configuration to a RestrictedPreference
21bf0e6616f : Hide private DNS settings UI in Guest mode
8551585b592 : Do not let guest user disable secure nfc

9c64b011 : Add DISALLOW_DEBUGGING_FEATURES check
f7ec4727 : Update Traceur to check admin user status

e3624c1c2 : Convert argument to intent in addAccount TvSettings.

354b399d : Fix use-after-free in DNS64 discovery thread

7270383c5 : Fix OOB Read in convertSubgraphFromHAL
a66a8b1f1 : Fix out of Bounds Read in convertSubgraphFromHAL in ShimConverter.cpp in libneuralnetworks_shim_static
c8526bf8b : Fix OOB read in parseInputs in ShimPreparedModel.cpp
eb8507507 : Fix OOB Read in setOperandValue
0586a1150 : Add additional bounds checks to NNAPI FMQ deserialize utility functions

0b70feb033 : RESTRICT AUTOMERGE Fix to restrict admin from granting permission to a sensor permission group
1cdbf14181 : Do not grant notification access for work apps.
e5b860cc5d : RESTRICT AUTOMERGE Finish ManagePermissionsActivity if device is not provisioned
2226224b47 : Add one-time flag to permission if group is currently one-time
ffc9dcebf3 : Hide overlays on ReviewPermissionsAtivity
39b3206029 : Fix incorrect auto grant for split permissions

7b09611f0 : [statsd] Make executor thread a class member of MultiConditionTrigger
23ae4f4b0 : [libstatssocket] Added validation for adding new data into StatsEvent
6ec0971d8 : Make log reader thread a class member

306072fecb : Update password check for WAPI
843c8592ac : Add pre-share key check for wapi
6fd11bdd9d : Limit the ServiceFriendlyNames and limit the number of Passpoint per App
7b2b81112c : Add size check on PPS#policy
a39058dba3 : Only handle saveToStore from the WifiNetworkSuggestionsManager
e240538a9d : Revert "Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset""
b72619d74b : Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset"
cf672cd916 : wifi: Reset to default SAP configuration when doing factory reset
55d5044b11 : [Passpoint] Add more check to limit the config size
9b9d3d61b1 : [DO NOT MERGE] passpoint: validate decorated identity prefix
389f41fe73 : Give the location mode exemption for emergency location service
0369224720 : [DO NOT MERGE] wifi: remove certificates for network factory reset

d25e43ad : Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.

6f45c2c1 : enforce stricter CallLogProvider query
87c04e6b : DO NOT MERGE Add check that prevents file operations outside of Call Composer Dir

b2cc552f : DO NOT MERGE: Consolidate queryChildDocumentsXxx() implementations

cd6937591 : Prevent insertion in other users storage volumes
9ea1568b6 : Fix path traversal vulnerabilities in MediaProvider
bfd453aa1 : Canonicalize file path for insertion by legacy apps
8b397d918 : Remove invalid surrogates during bindSelection
ec2ee6238 : Canonicalise path before extracting relative path
571c32141 : isDataOrObbPath blocks access to Android/[data|obb] dirs only
b49faf9ca : DO NOT MERGE Avoid path traversal in MediaProvider delete call
dc1255a8b : Restrict legacy apps to insert files to other private app dirs

d8931386 : DO NOT MERGE Block access to sms/mms db from work profile.
0d6db921 : Update file permissions using canonical path
0231d47f : Check dir path before updating permissions.

dac6bc98d : Resolve cross-user image exploit for conference status hints
aaf5ff093 : Unbind CallScreeningService when timeout reached.
762b25f36 : DO NOT MERGE Unbind CS if connection is not created within 15 seconds.
74cf226b7 : Resolve account image icon profile boundary exploit.
d0ea37773 : Fix vulnerability in CallRedirectionService.
611096e39 : Resolve StatusHints image exploit across user.
63969c4e6 : Call Redirection: unbind service when onBind returns null
713ad14f1 : enforce stricter rules when registering phoneAccounts
d6397934a : DO NOT MERGE do not process content uri in call Intents
a0818f9e5 : Ensure service unbind when receiving a null call screening service in onBind.
d4b4ff7f2 : Fix security vulnerability when register phone accounts.
b58032b4c : Hide overlay windows when showing phone account enable/disable screen.
671411463 : Fix security vulnerability issue for multi user call redirections.
59933956c : switch TelecomManager List getters to ParceledListSlice
f5f4dec65 : limit TelecomManager#registerPhoneAccount to 10
ac1cc4d64 : Handle null bindings returned from ConnectionService.

986254847 : Fixed leak of cross user data in multiple settings.
2444b02a1 : DO NOT MERGE Grant carrier privileges if package has carrier config access.
d29380842 : prevent overlays on the phone settings

9a9770b : Remove E-Tugra certificates.
2a0ea48 : Drop TrustCor certificates

848c717 : Use sp<T>::make to create the sp pointer for EventLoopCallback

03b573b0d : Add seal if ashmem-dev is backed by memfd

74d7ce9 : Use the values of the ptrs that we check

fd5d292a : Fix Heap-use-after-free in MDnsSdListener::Monitor::run

14adc1dc : OOBW in rw_i93_send_to_upper()
226142fb : OOBW in nci_snd_set_routing_cmd()
c97e51c2 : The length of a packet should be non-zero
fb8ae8d3 : OOBR in nfc_ncif_proc_ee_discover_req()
f809ac23 : Double Free in ce_t4t_data_cback
dd6eb012 : Out of Bounds Read in nfa_dm_check_set_config

fa0ffa277 : RESTRICT AUTOMERGE Allow system_server to call IKeystoreMaintenance.deleteAllKeys()

8a0a837 : Limit the number of supported v1 and v2 signers