From 8cef97cb2bb8a728e5f70644accad1a3306c6d38 Mon Sep 17 00:00:00 2001
From: Eugene Susla
Date: Tue, 3 Nov 2020 14:22:42 -0800
Subject: [PATCH 1/3] RESTRICT AUTOMERGE Prevent non-system overlays from showing over notification listener consent dialog
Bug: 170731783
Test: use a visible overlay, ensure it's gone when notification consent is open
Change-Id: I58e017982f385ffc0d0ba2174512490b1d83dd36
(cherry picked from commit bfa7a755450776f26300a494a71aa6e244749f16)
---
 .../notification/NotificationAccessConfirmationActivity.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
index 8677c0226da..a7d9f6889cd 100644
--- a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
+++ b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
@@ -17,6 +17,8 @@ package com.android.settings.notification;
+import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;
+
 import static com.android.internal.notification.NotificationAccessConfirmationActivityContract.EXTRA_COMPONENT_NAME;
 import static com.android.internal.notification.NotificationAccessConfirmationActivityContract.EXTRA_PACKAGE_TITLE;
 import static com.android.internal.notification.NotificationAccessConfirmationActivityContract.EXTRA_USER_ID;
@@ -55,6 +57,8 @@ public class NotificationAccessConfirmationActivity extends Activity
 protected void onCreate(@Nullable Bundle savedInstanceState) {
 super.onCreate(savedInstanceState);
+ getWindow().addSystemFlags(SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+
 mNm = (NotificationManager) getSystemService(Context.NOTIFICATION_SERVICE);
 mComponentName = getIntent().getParcelableExtra(EXTRA_COMPONENT_NAME);
From 763a4d5967503fc46e0759d5e68cc8fbdc02325f Mon Sep 17 00:00:00 2001
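Review bot: The new `getWindow().addSystemFlags(...)` call in `onCreate` of NotificationAccessConfirmationActivity carries no comment saying why it is there, so a later cleanup could drop it without noticing that it is a security control. I would add above it `// Hide non-system overlay windows so another app cannot cover or relabel the consent dialog.` As far as I know the window manager honours this flag only for a caller that holds the HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission; the manifest is not part of this patch, so that is worth confirming. The stated test is manual, and an instrumented check that the flag is present on the activity's window attributes would keep the protection from regressing. `onCreate` continues past the end of the hunk.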
From: Jakub Pawlowski
Date: Thu, 19 Nov 2020 13:31:08 +0100
Subject: [PATCH 2/3] Prevent overlay drawing on top of Bluetooth activity dialog
Bug: 168504491
Change-Id: I04ebe580db2b299af2bd5e44e0b0f20bd42f8535
(cherry picked from commit 4f7edf692f4e8a10521379aaae8c1d52ab275d72)
---
 .../settings/bluetooth/BluetoothPermissionActivity.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java b/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
index 4dd9a4042ef..be383dc02ba 100644
--- a/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
+++ b/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
@@ -34,6 +34,8 @@ import com.android.internal.app.AlertActivity;
 import com.android.internal.app.AlertController;
 import com.android.settings.R;
+import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;
+
 /**
 * BluetoothPermissionActivity shows a dialog for accepting incoming
 * profile connection request from untrusted devices.
@@ -76,6 +78,7 @@ public class BluetoothPermissionActivity extends AlertActivity implements
 protected void onCreate(Bundle savedInstanceState) {
 super.onCreate(savedInstanceState);
+ getWindow().addPrivateFlags(SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
 Intent i = getIntent();
 String action = i.getAction();
 if (!action.equals(BluetoothDevice.ACTION_CONNECTION_ACCESS_REQUEST)) {
From f065b8743377f62d6d0dc99da24ac034314dae1f Mon Sep 17 00:00:00 2001
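Review bot: The added line in `onCreate` passes a `SYSTEM_FLAG_*` constant to `addPrivateFlags`, while patch 1/3 of this series sets the same flag through `addSystemFlags`. If `addSystemFlags` is available on this branch, `getWindow().addSystemFlags(SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);` keeps the two dialogs consistent and makes it easier to search for every window that carries this protection. The static import in the first hunk is also appended after the regular imports, whereas patch 1/3 places it ahead of them. A one-line comment such as `// Hide non-system overlays while this permission dialog is visible.` would record why the flag is set. `onCreate` continues past the end of the hunk.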
From: Chris Manton
Date: Tue, 10 Nov 2020 16:45:44 -0800
Subject: [PATCH 3/3] Add bluetooth package to permission request intent Limit the component that may resolve this intent to the bluetooth package.
Bug: 158219161
Test: Security Fix
Tag: #security
Change-Id: If732f940a7aa256f5975349118e8eb6cf5584676
(cherry picked from commit 1951d27669b1e8eab96f4082cb00cb1d030602ec)
---
 .../android/settings/bluetooth/BluetoothPermissionRequest.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java b/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
index c5f62b8b4d6..5fffa3a2356 100644
--- a/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
+++ b/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
@@ -131,6 +131,7 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
 // "Clear All Notifications" button
 Intent deleteIntent = new Intent(BluetoothDevice.ACTION_CONNECTION_ACCESS_REPLY);
+ deleteIntent.setPackage("com.android.bluetooth");
 deleteIntent.putExtra(BluetoothDevice.EXTRA_DEVICE, mDevice);
 deleteIntent.putExtra(BluetoothDevice.EXTRA_CONNECTION_ACCESS_RESULT, BluetoothDevice.CONNECTION_ACCESS_NO);
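Review bot: The target package is written as a bare string literal on the new `deleteIntent.setPackage("com.android.bluetooth");` line, so the restriction silently stops matching if the Bluetooth package name ever differs on a build. I would name it once, `private static final String BLUETOOTH_PACKAGE = "com.android.bluetooth";`, and call `deleteIntent.setPackage(BLUETOOTH_PACKAGE);`, with a short comment that the reply must only be deliverable to the Bluetooth stack. Only the delete intent is visible in this hunk; any other `ACTION_CONNECTION_ACCESS_REPLY` intent built elsewhere in this class or in the permission activity would presumably need the same restriction, which should be checked. The enclosing method starts and ends outside the hunk.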