From 969d9ba886095e09b6612fdb136a97cd06cadab0 Mon Sep 17 00:00:00 2001
From: "Alam, Sahibex" <sahibex.alam@intel.com>
Date: Tue, 20 Aug 2024 08:48:12 +0000
Subject: [PATCH] ASB-SEP 2024 Security Patches integration

Integrating Google Android Security Bulletin Patches

Test done: STS r30 TCs Passed.

Tracked-On: OAM-123594
Signed-off-by: Alam, Sahibex <sahibex.alam@intel.com>
---
 ...4-Update-security_patch_level-string.patch |   2 +-
 ...check-HDR10-info-param-size.bulletin.patch |  37 ++
 ...ore-Sanitized-uri-scheme-by-removing.patch |  85 +++++
 ...GE-Delete-keystore-keys-from-Recover.patch | 141 ++++++++
 ...ypasses-to-multiple-methods.bulletin.patch |  90 +++++
 ...content-s-max-length-to-500.bulletin.patch |  31 ++
 ...ith-getLaunchedFromPackage-.bulletin.patch | 175 +++++++++
 ...-ext-authenticator-resource.bulletin.patch | 114 ++++++
 ...Homepage-prior-to-provision.bulletin.patch |  44 +++
 ...rvice-when-timeout-reached-.bulletin.patch |  46 +++
 ...checking-security-downgrade.bulletin.patch | 331 ++++++++++++++++++
 ...ecure-Connections-downgrade.bulletin.patch |  63 ++++
 ...t-with-key-length-downgrade.bulletin.patch |  57 +++
 ...r-to-call-IKeystoreMaintena.bulletin.patch |  55 +++
 14 files changed, 1270 insertions(+), 1 deletion(-)
 create mode 100644 aosp_diff/base_aaos/frameworks/av/43_0043-omx-check-HDR10-info-param-size.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/frameworks/base/99_0293-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch
 create mode 100644 aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-Recover.patch
 create mode 100644 aosp_diff/base_aaos/packages/apps/Bluetooth/08_0008-Fix-permission-bypasses-to-multiple-methods.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/packages/apps/Settings/38_0038-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/packages/apps/Settings/39_0039-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/packages/apps/Settings/40_0040-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/packages/apps/Settings/41_0041-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/packages/services/Telecomm/15_0015-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/system/bt/64_0064-Add-support-for-checking-security-downgrade.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/system/bt/65_0065-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/system/bt/66_0066-Disallow-connect-with-key-length-downgrade.bulletin.patch
 create mode 100644 aosp_diff/base_aaos/system/sepolicy/13_0013-RESTRICT-AUTOMERGE-Allow-system_server-to-call-IKeystoreMaintena.bulletin.patch

diff --git a/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch
index 4b52a6dd96..4b313d239e 100644
--- a/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch
+++ b/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch
@@ -20,7 +20,7 @@ index 0daae6bdcb..d14bd65167 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2022-07-05
-+    PLATFORM_SECURITY_PATCH := 2024-08-01
++    PLATFORM_SECURITY_PATCH := 2024-09-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
  
diff --git a/aosp_diff/base_aaos/frameworks/av/43_0043-omx-check-HDR10-info-param-size.bulletin.patch b/aosp_diff/base_aaos/frameworks/av/43_0043-omx-check-HDR10-info-param-size.bulletin.patch
new file mode 100644
index 0000000000..a362ee7e17
--- /dev/null
+++ b/aosp_diff/base_aaos/frameworks/av/43_0043-omx-check-HDR10-info-param-size.bulletin.patch
@@ -0,0 +1,37 @@
+From 326c584ebafe625723ae5ddae597add1de4c1b33 Mon Sep 17 00:00:00 2001
+From: Wonsik Kim <wonsik@google.com>
+Date: Fri, 28 Jun 2024 00:33:51 +0000
+Subject: [PATCH] omx: check HDR10+ info param size
+
+Bug: 329641908
+Test: presubmit
+Flag: EXEMPT security fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53298956ba6bb8f147a632d7aaed8566dfc203ee)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f816148a719d2a3bbf432f11da98b3d5fa7de74f)
+Merged-In: I72523e1de61e5f947174272b732e170e1c2964df
+Change-Id: I72523e1de61e5f947174272b732e170e1c2964df
+---
+ media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+index 418302389d..4ab5d10609 100644
+--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
++++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+@@ -619,6 +619,13 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig(
+                 if (!isValidOMXParam(outParams)) {
+                     return OMX_ErrorBadParameter;
+                 }
++                if (offsetof(DescribeHDR10PlusInfoParams, nValue) + outParams->nParamSize >
++                    outParams->nSize) {
++                    ALOGE("b/329641908: too large param size; nParamSize=%u nSize=%u",
++                          outParams->nParamSize, outParams->nSize);
++                    android_errorWriteLog(0x534e4554, "329641908");
++                    return OMX_ErrorBadParameter;
++                }
+ 
+                 outParams->nParamSizeUsed = info->size();
+ 
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/frameworks/base/99_0293-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch b/aosp_diff/base_aaos/frameworks/base/99_0293-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch
new file mode 100644
index 0000000000..13a14436dc
--- /dev/null
+++ b/aosp_diff/base_aaos/frameworks/base/99_0293-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch
@@ -0,0 +1,85 @@
+From 8cb85afd554e0171a174d79aacc4e2200860cfb9 Mon Sep 17 00:00:00 2001
+From: Kiran Ramachandra <kiranmr@google.com>
+Date: Thu, 30 May 2024 21:21:12 +0000
+Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme
+ delimiter
+
+Initially considered removing unsupported characters as per IANA guidelines, but this could break applications that use custom schemes with asterisks. Instead, opted to remove only the "://" to minimize disruption
+
+Bug: 261721900
+Test: atest FrameworksCoreTests:android.net.UriTest
+
+No-Typo-Check: The unit test is specifically written to test few cases, string "http://https://" is not a typo
+
+NOTE FOR REVIEWERS - original patch and result patch are not identical.
+PLEASE REVIEW CAREFULLY.
+Diffs between the patches:
+     @AsbSecurityTest(cveBugId = 261721900)
+> +    @SmallTest
+> +    public void testSchemeSanitization() {
+> +        Uri uri = new Uri.Builder()
+> +                .scheme("http://https://evil.com:/te:st/")
+> +                .authority("google.com").path("one/way").build();
+> +        assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
+> +        assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
+> +    }
+> +
+
+Original patch:
+ diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+old mode 100644
+new mode 100644
+---
+ core/java/android/net/Uri.java                    |  6 +++++-
+ core/tests/coretests/src/android/net/UriTest.java | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+index d71faee4cc8d..ed6705c8fa23 100644
+--- a/core/java/android/net/Uri.java
++++ b/core/java/android/net/Uri.java
+@@ -1391,7 +1391,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
+          * @param scheme name or {@code null} if this is a relative Uri
+          */
+         public Builder scheme(String scheme) {
+-            this.scheme = scheme;
++            if (scheme != null) {
++                this.scheme = scheme.replace("://", "");
++            } else {
++                this.scheme = null;
++            }
+             return this;
+         }
+ 
+diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
+index 3733bfa586d1..35641285e3c5 100644
+--- a/core/tests/coretests/src/android/net/UriTest.java
++++ b/core/tests/coretests/src/android/net/UriTest.java
+@@ -18,6 +18,7 @@ package android.net;
+ 
+ import android.content.ContentUris;
+ import android.os.Parcel;
++import android.platform.test.annotations.AsbSecurityTest;
+ 
+ import androidx.test.filters.SmallTest;
+ 
+@@ -88,6 +89,16 @@ public class UriTest extends TestCase {
+         assertNull(u.getHost());
+     }
+ 
++    @AsbSecurityTest(cveBugId = 261721900)
++    @SmallTest
++    public void testSchemeSanitization() {
++        Uri uri = new Uri.Builder()
++                .scheme("http://https://evil.com:/te:st/")
++                .authority("google.com").path("one/way").build();
++        assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
++        assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
++    }
++
+     @SmallTest
+     public void testStringUri() {
+         assertEquals("bob lee",
+-- 
+2.34.1
+
diff --git a/aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-Recover.patch b/aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-Recover.patch
new file mode 100644
index 0000000000..5bc3197948
--- /dev/null
+++ b/aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-Recover.patch
@@ -0,0 +1,141 @@
+From b6f7fb547e85f729d9cd650b0544785e16b835de Mon Sep 17 00:00:00 2001
+From: Nikolay Elenkov <nikolayelenkov@google.com>
+Date: Sun, 30 Jun 2024 06:20:30 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Delete keystore keys from
+ RecoveryService.rebootRecoveryWithCommand()
+
+Adds deleteSecrets() to RecoverySystemService. This method is called
+from rebootRecoveryWithCommand () before the --wipe_data command is
+passed to recovery and the device is force-rebooted.
+
+deleteSecerts() calls IKeystoreMaintenance.deleteAllKeys() in order to
+quickly destroy the keys protecting the synthetic password blobs
+used to derive FBE encryption keys.
+
+The intent is to make FBE-encrypted data unrecoverable even if the full
+data wipe in recovery is interrupted or skipped.
+
+Bug: 324321147
+Test: Manual - System -> Reset options -> Erase all data.
+Test: Hold VolDown key to interrupt reboot and stop at bootloader
+screen.
+Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
+Test: fastboot reboot
+Test: Device reboots into recovery and prompts to factory reset:
+Test: 'Cannot load Android system. Your data may be corrupt. ...'
+(cherry picked from https://android-review.googlesource.com/q/commit:0d00031851e9f5d8ef93947205a7e8b5257f0d8d)
+Ignore-AOSP-First: Security fix backport
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdf9eae2e02a6c3651379c33c4655368b009d13)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1e81807b183f08c9b7a68d225afff8b9ffb60fbe)
+Merged-In: I5eb8e97f3ae1a18d5e7e7c2c7eca048ebff3440a
+Change-Id: I5eb8e97f3ae1a18d5e7e7c2c7eca048ebff3440a
+---
+ .../security/AndroidKeyStoreMaintenance.java  | 22 +++++++++++++++++++
+ .../recoverysystem/RecoverySystemService.java | 19 ++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
+index 919a93b8f107..b2d1755bb860 100644
+--- a/keystore/java/android/security/AndroidKeyStoreMaintenance.java
++++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
+@@ -18,8 +18,10 @@ package android.security;
+ 
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
++import android.os.RemoteException;
+ import android.os.ServiceManager;
+ import android.os.ServiceSpecificException;
++import android.os.StrictMode;
+ import android.security.maintenance.IKeystoreMaintenance;
+ import android.system.keystore2.Domain;
+ import android.system.keystore2.KeyDescriptor;
+@@ -183,4 +185,24 @@ public class AndroidKeyStoreMaintenance {
+             return SYSTEM_ERROR;
+         }
+     }
++
++    /**
++    * Deletes all keys in all KeyMint devices.
++    * Called by RecoverySystem before rebooting to recovery in order to delete all KeyMint keys,
++    * including synthetic password protector keys (used by LockSettingsService), as well as keys
++    * protecting DE and metadata encryption keys (used by vold). This ensures that FBE-encrypted
++    * data is unrecoverable even if the data wipe in recovery is interrupted or skipped.
++    */
++    public static void deleteAllKeys() throws KeyStoreException {
++        StrictMode.noteDiskWrite();
++        try {
++            getService().deleteAllKeys();
++        } catch (RemoteException | NullPointerException e) {
++            throw new KeyStoreException(SYSTEM_ERROR,
++                    "Failure to connect to Keystore while trying to delete all keys.");
++        } catch (ServiceSpecificException e) {
++            throw new KeyStoreException(e.errorCode,
++                    "Keystore error while trying to delete all keys.");
++        }
++    }
+ }
+diff --git a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
+index 13218731af70..23941bc338b8 100644
+--- a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
++++ b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
+@@ -52,6 +52,7 @@ import android.os.ShellCallback;
+ import android.os.SystemProperties;
+ import android.provider.DeviceConfig;
+ import android.sysprop.ApexProperties;
++import android.security.AndroidKeyStoreMaintenance;
+ import android.util.ArrayMap;
+ import android.util.ArraySet;
+ import android.util.FastImmutableArraySet;
+@@ -66,6 +67,7 @@ import com.android.internal.widget.RebootEscrowListener;
+ import com.android.server.LocalServices;
+ import com.android.server.SystemService;
+ import com.android.server.pm.ApexManager;
++import com.android.server.utils.Slogf;
+ 
+ import libcore.io.IoUtils;
+ 
+@@ -117,6 +119,8 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo
+     static final String LSKF_CAPTURED_TIMESTAMP_PREF = "lskf_captured_timestamp";
+     static final String LSKF_CAPTURED_COUNT_PREF = "lskf_captured_count";
+ 
++    static final String RECOVERY_WIPE_DATA_COMMAND = "--wipe_data";
++
+     private final Injector mInjector;
+     private final Context mContext;
+ 
+@@ -511,17 +515,32 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo
+     @Override // Binder call
+     public void rebootRecoveryWithCommand(String command) {
+         if (DEBUG) Slog.d(TAG, "rebootRecoveryWithCommand: [" + command + "]");
++
++        boolean isForcedWipe = command != null && command.contains(RECOVERY_WIPE_DATA_COMMAND);
+         synchronized (sRequestLock) {
+             if (!setupOrClearBcb(true, command)) {
+                 return;
+             }
+ 
++            if (isForcedWipe) {
++                deleteSecrets();
++            }
++
+             // Having set up the BCB, go ahead and reboot.
+             PowerManager pm = mInjector.getPowerManager();
+             pm.reboot(PowerManager.REBOOT_RECOVERY);
+         }
+     }
+ 
++    private static void deleteSecrets() {
++        Slogf.w(TAG, "deleteSecrets");
++        try {
++            AndroidKeyStoreMaintenance.deleteAllKeys();
++        } catch (android.security.KeyStoreException e) {
++            Log.wtf(TAG, "Failed to delete all keys from keystore.", e);
++        }
++    }
++
+     private void enforcePermissionForResumeOnReboot() {
+         if (mContext.checkCallingOrSelfPermission(android.Manifest.permission.RECOVERY)
+                 != PackageManager.PERMISSION_GRANTED
+-- 
+2.34.1
+
diff --git a/aosp_diff/base_aaos/packages/apps/Bluetooth/08_0008-Fix-permission-bypasses-to-multiple-methods.bulletin.patch b/aosp_diff/base_aaos/packages/apps/Bluetooth/08_0008-Fix-permission-bypasses-to-multiple-methods.bulletin.patch
new file mode 100644
index 0000000000..4cc76417a3
--- /dev/null
+++ b/aosp_diff/base_aaos/packages/apps/Bluetooth/08_0008-Fix-permission-bypasses-to-multiple-methods.bulletin.patch
@@ -0,0 +1,90 @@
+From a82c33e2e9e702214e932b25d27c25dcec448fc1 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 6 May 2024 17:49:09 +0000
+Subject: [PATCH] Fix permission bypasses to multiple methods
+
+Researcher reports that some BT calls across Binder are validating only
+BT's own permissions and not the calling app's permissions.  On
+investigation this seems to be due to a missing null check in several BT
+permissions checks, which allows a malicious app to pass in a null
+AttributionSource and therefore produce a stub AttributionSource chain
+which does not properly check for the caller's permissions.
+
+Add null checks.
+
+Bug: 242996380
+Test: atest UtilsTest
+Test: researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:244e4734d1ed316e8725b0f33e18d8eb709554f1)
+Merged-In: I57d80cfa07bd6d3fd410a01764b3db2db9b41b81
+Change-Id: I57d80cfa07bd6d3fd410a01764b3db2db9b41b81
+---
+ src/com/android/bluetooth/Utils.java | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/com/android/bluetooth/Utils.java b/src/com/android/bluetooth/Utils.java
+index f1e8e0f10..ab30c3e55 100644
+--- a/src/com/android/bluetooth/Utils.java
++++ b/src/com/android/bluetooth/Utils.java
+@@ -79,6 +79,7 @@ import java.nio.charset.CharsetDecoder;
+ import java.time.Instant;
+ import java.time.ZoneId;
+ import java.time.format.DateTimeFormatter;
++import java.util.Objects;
+ import java.util.UUID;
+ import java.util.concurrent.TimeUnit;
+ 
+@@ -451,7 +452,8 @@ public final class Utils {
+         // attributionSource.enforceCallingUid();
+         final int result = PermissionChecker.checkPermissionForDataDeliveryFromDataSource(
+                 context, permission, PID_UNKNOWN,
+-                new AttributionSource(context.getAttributionSource(), attributionSource), message);
++                new AttributionSource(context.getAttributionSource(),
++                                      Objects.requireNonNull(attributionSource)), message);
+         if (result == PERMISSION_GRANTED) {
+             return true;
+         }
+@@ -693,7 +695,8 @@ public final class Utils {
+         // attributionSource.enforceCallingUid();
+         if (PermissionChecker.checkPermissionForDataDeliveryFromDataSource(
+                 context, ACCESS_COARSE_LOCATION, PID_UNKNOWN,
+-                new AttributionSource(context.getAttributionSource(), attributionSource),
++                new AttributionSource(context.getAttributionSource(),
++                                      Objects.requireNonNull(attributionSource)),
+                 "Bluetooth location check") == PERMISSION_GRANTED) {
+             return true;
+         }
+@@ -721,14 +724,16 @@ public final class Utils {
+         // attributionSource.enforceCallingUid();
+         if (PermissionChecker.checkPermissionForDataDeliveryFromDataSource(
+                 context, ACCESS_FINE_LOCATION, PID_UNKNOWN,
+-                new AttributionSource(context.getAttributionSource(), attributionSource),
++                new AttributionSource(context.getAttributionSource(),
++                                      Objects.requireNonNull(attributionSource)),
+                 "Bluetooth location check") == PERMISSION_GRANTED) {
+             return true;
+         }
+ 
+         if (PermissionChecker.checkPermissionForDataDeliveryFromDataSource(
+                 context, ACCESS_COARSE_LOCATION, PID_UNKNOWN,
+-                new AttributionSource(context.getAttributionSource(), attributionSource),
++                new AttributionSource(context.getAttributionSource(),
++                                      Objects.requireNonNull(attributionSource)),
+                 "Bluetooth location check") == PERMISSION_GRANTED) {
+             return true;
+         }
+@@ -755,7 +760,8 @@ public final class Utils {
+         // attributionSource.enforceCallingUid();
+         if (PermissionChecker.checkPermissionForDataDeliveryFromDataSource(
+                 context, ACCESS_FINE_LOCATION, PID_UNKNOWN,
+-                new AttributionSource(context.getAttributionSource(), attributionSource),
++                new AttributionSource(context.getAttributionSource(),
++                                      Objects.requireNonNull(attributionSource)),
+                 "Bluetooth location check") == PERMISSION_GRANTED) {
+             return true;
+         }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/packages/apps/Settings/38_0038-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch b/aosp_diff/base_aaos/packages/apps/Settings/38_0038-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch
new file mode 100644
index 0000000000..c34b0edd3d
--- /dev/null
+++ b/aosp_diff/base_aaos/packages/apps/Settings/38_0038-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch
@@ -0,0 +1,31 @@
+From ccabd3d0e7e921941d54180970d5e7de260d32e9 Mon Sep 17 00:00:00 2001
+From: Chaohui Wang <chaohuiw@google.com>
+Date: Thu, 2 Nov 2023 11:43:00 +0800
+Subject: [PATCH] Limit wifi item edit content's max length to 500
+
+Bug: 293199910
+Test: manual - on "Add network"
+
+(cherry picked from commit 855053ca4124f2d515b21c469096f8c18bd4829d)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:092668676af741719d50ac0f121a8f8461aa21ad)
+Merged-In: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+Change-Id: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+---
+ res/values/styles.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/res/values/styles.xml b/res/values/styles.xml
+index 8402dec73c..9a9477bb5d 100644
+--- a/res/values/styles.xml
++++ b/res/values/styles.xml
+@@ -148,6 +148,7 @@
+         <item name="android:textAppearance">@android:style/TextAppearance.DeviceDefault.Medium</item>
+         <item name="android:textColorHint">?android:attr/textColorSecondary</item>
+         <item name="android:minHeight">@dimen/min_tap_target_size</item>
++        <item name="android:maxLength">500</item>
+     </style>
+ 
+     <style name="wifi_section">
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/packages/apps/Settings/39_0039-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch b/aosp_diff/base_aaos/packages/apps/Settings/39_0039-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch
new file mode 100644
index 0000000000..03a85b58e0
--- /dev/null
+++ b/aosp_diff/base_aaos/packages/apps/Settings/39_0039-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch
@@ -0,0 +1,175 @@
+From 75ca173966b0bd4c319d5a3486e6ef98125e6a9b Mon Sep 17 00:00:00 2001
+From: Jason Chiu <chiujason@google.com>
+Date: Wed, 31 Jan 2024 16:29:01 +0800
+Subject: [PATCH] Replace getCallingActivity() with getLaunchedFromPackage()
+
+getLaunchedFromPackage() reports who launched this Activity or built
+PendingIntent used to launch it, whereas getCallingActivity() reports
+who will get result of Activity.
+
+Bug: 316891059
+Test: robotest, manual
+(cherry picked from commit ddc11bc03ab48e885f652b89df5f92ff283bcd4a)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8bdbb580da847d82f16fb57883a01a5e65ffa696)
+Merged-In: If97018c2741caef622f0596bbfeaa42ef1788b78
+Change-Id: If97018c2741caef622f0596bbfeaa42ef1788b78
+---
+ .../settings/search/SearchFeatureProvider.java |  2 +-
+ .../search/SearchFeatureProviderImpl.java      | 18 ++++++++----------
+ .../search/SearchResultTrampoline.java         | 13 ++++++-------
+ .../search/SearchFeatureProviderImplTest.java  | 15 ++++++++-------
+ 4 files changed, 23 insertions(+), 25 deletions(-)
+
+diff --git a/src/com/android/settings/search/SearchFeatureProvider.java b/src/com/android/settings/search/SearchFeatureProvider.java
+index 1785361d3b..c4141e91f7 100644
+--- a/src/com/android/settings/search/SearchFeatureProvider.java
++++ b/src/com/android/settings/search/SearchFeatureProvider.java
+@@ -56,7 +56,7 @@ public interface SearchFeatureProvider {
+      * @throws IllegalArgumentException when caller is null
+      * @throws SecurityException        when caller is not allowed to launch search result page
+      */
+-    void verifyLaunchSearchResultPageCaller(Context context, @NonNull ComponentName caller)
++    void verifyLaunchSearchResultPageCaller(@NonNull Context context, @NonNull String callerPackage)
+             throws SecurityException, IllegalArgumentException;
+ 
+     /**
+diff --git a/src/com/android/settings/search/SearchFeatureProviderImpl.java b/src/com/android/settings/search/SearchFeatureProviderImpl.java
+index 6f90970905..3a62ddfb67 100644
+--- a/src/com/android/settings/search/SearchFeatureProviderImpl.java
++++ b/src/com/android/settings/search/SearchFeatureProviderImpl.java
+@@ -17,13 +17,14 @@
+ 
+ package com.android.settings.search;
+ 
+-import android.content.ComponentName;
+ import android.content.Context;
+ import android.content.Intent;
+ import android.net.Uri;
+ import android.provider.Settings;
+ import android.text.TextUtils;
+ 
++import androidx.annotation.NonNull;
++
+ import com.android.settingslib.search.SearchIndexableResources;
+ import com.android.settingslib.search.SearchIndexableResourcesMobile;
+ 
+@@ -32,21 +33,18 @@ import com.android.settingslib.search.SearchIndexableResourcesMobile;
+  */
+ public class SearchFeatureProviderImpl implements SearchFeatureProvider {
+ 
+-    private static final String TAG = "SearchFeatureProvider";
+-
+     private SearchIndexableResources mSearchIndexableResources;
+ 
+     @Override
+-    public void verifyLaunchSearchResultPageCaller(Context context, ComponentName caller) {
+-        if (caller == null) {
++    public void verifyLaunchSearchResultPageCaller(@NonNull Context context,
++            @NonNull String callerPackage) {
++        if (TextUtils.isEmpty(callerPackage)) {
+             throw new IllegalArgumentException("ExternalSettingsTrampoline intents "
+                     + "must be called with startActivityForResult");
+         }
+-        final String packageName = caller.getPackageName();
+-        final boolean isSettingsPackage = TextUtils.equals(packageName, context.getPackageName())
+-                || TextUtils.equals(getSettingsIntelligencePkgName(context), packageName);
+-        final boolean isAllowlistedPackage =
+-                isSignatureAllowlisted(context, caller.getPackageName());
++        final boolean isSettingsPackage = TextUtils.equals(callerPackage, context.getPackageName())
++                || TextUtils.equals(getSettingsIntelligencePkgName(context), callerPackage);
++        final boolean isAllowlistedPackage = isSignatureAllowlisted(context, callerPackage);
+         if (isSettingsPackage || isAllowlistedPackage) {
+             return;
+         }
+diff --git a/src/com/android/settings/search/SearchResultTrampoline.java b/src/com/android/settings/search/SearchResultTrampoline.java
+index 8b041b67f8..6580c682fa 100644
+--- a/src/com/android/settings/search/SearchResultTrampoline.java
++++ b/src/com/android/settings/search/SearchResultTrampoline.java
+@@ -20,7 +20,6 @@ import static com.android.settings.SettingsActivity.EXTRA_SHOW_FRAGMENT_ARGUMENT
+ import static com.android.settings.SettingsActivity.EXTRA_SHOW_FRAGMENT_TAB;
+ 
+ import android.app.Activity;
+-import android.content.ComponentName;
+ import android.content.Intent;
+ import android.os.Bundle;
+ import android.provider.Settings;
+@@ -48,11 +47,11 @@ public class SearchResultTrampoline extends Activity {
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+ 
+-        final ComponentName callingActivity = getCallingActivity();
++        final String callerPackage = getLaunchedFromPackage();
+         // First make sure caller has privilege to launch a search result page.
+         FeatureFactory.getFactory(this)
+                 .getSearchFeatureProvider()
+-                .verifyLaunchSearchResultPageCaller(this, callingActivity);
++                .verifyLaunchSearchResultPageCaller(this, callerPackage);
+         // Didn't crash, proceed and launch the result as a subsetting.
+         Intent intent = getIntent();
+         final String highlightMenuKey = intent.getStringExtra(
+@@ -96,7 +95,7 @@ public class SearchResultTrampoline extends Activity {
+ 
+         if (!ActivityEmbeddingUtils.isEmbeddingActivityEnabled(this)) {
+             startActivity(intent);
+-        } else if (isSettingsIntelligence(callingActivity)) {
++        } else if (isSettingsIntelligence(callerPackage)) {
+             // Register SplitPairRule for SubSettings, set clearTop false to prevent unexpected back
+             // navigation behavior.
+             ActivityEmbeddingRulesController.registerSubSettingsPairRule(this,
+@@ -122,9 +121,9 @@ public class SearchResultTrampoline extends Activity {
+         finish();
+     }
+ 
+-    private boolean isSettingsIntelligence(ComponentName callingActivity) {
+-        return callingActivity != null && TextUtils.equals(
+-                callingActivity.getPackageName(),
++    private boolean isSettingsIntelligence(String callerPackage) {
++        return TextUtils.equals(
++                callerPackage,
+                 FeatureFactory.getFactory(this).getSearchFeatureProvider()
+                         .getSettingsIntelligencePkgName(this));
+     }
+diff --git a/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java b/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
+index 5de57b6c95..dec99028e8 100644
+--- a/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
++++ b/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
+@@ -20,7 +20,6 @@ package com.android.settings.search;
+ import static com.google.common.truth.Truth.assertThat;
+ 
+ import android.app.settings.SettingsEnums;
+-import android.content.ComponentName;
+ import android.content.Intent;
+ import android.content.pm.ActivityInfo;
+ import android.content.pm.ResolveInfo;
+@@ -127,20 +126,22 @@ public class SearchFeatureProviderImplTest {
+ 
+     @Test(expected = SecurityException.class)
+     public void verifyLaunchSearchResultPageCaller_badCaller_shouldCrash() {
+-        final ComponentName cn = new ComponentName("pkg", "class");
+-        mProvider.verifyLaunchSearchResultPageCaller(mActivity, cn);
++        final String packageName = "pkg";
++
++        mProvider.verifyLaunchSearchResultPageCaller(mActivity, packageName);
+     }
+ 
+     @Test
+     public void verifyLaunchSearchResultPageCaller_settingsCaller_shouldNotCrash() {
+-        final ComponentName cn = new ComponentName(mActivity.getPackageName(), "class");
+-        mProvider.verifyLaunchSearchResultPageCaller(mActivity, cn);
++        final String packageName = mActivity.getPackageName();
++
++        mProvider.verifyLaunchSearchResultPageCaller(mActivity, packageName);
+     }
+ 
+     @Test
+     public void verifyLaunchSearchResultPageCaller_settingsIntelligenceCaller_shouldNotCrash() {
+         final String packageName = mProvider.getSettingsIntelligencePkgName(mActivity);
+-        final ComponentName cn = new ComponentName(packageName, "class");
+-        mProvider.verifyLaunchSearchResultPageCaller(mActivity, cn);
++
++        mProvider.verifyLaunchSearchResultPageCaller(mActivity, packageName);
+     }
+ }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/packages/apps/Settings/40_0040-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch b/aosp_diff/base_aaos/packages/apps/Settings/40_0040-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch
new file mode 100644
index 0000000000..f576b133b2
--- /dev/null
+++ b/aosp_diff/base_aaos/packages/apps/Settings/40_0040-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch
@@ -0,0 +1,114 @@
+From 78a8360e97597e51c04f1a74607151b00301f41c Mon Sep 17 00:00:00 2001
+From: Chris Antol <cantol@google.com>
+Date: Tue, 4 Jun 2024 17:00:46 +0000
+Subject: [PATCH] Ignore fragment attr from ext authenticator resource
+
+Bug: 341886134
+Test: Unit Test
+Test: Manual - see ticket for steps
+Flag: EXEMPT <security>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2cb9b10ed97b1b9b29661115789605a762f3c2ef)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e2dc98c21db7ac35137417bf72f33177a1b70b48)
+Merged-In: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
+Change-Id: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
+---
+ .../accounts/AccountTypePreferenceLoader.java | 55 +++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+index 42bb34a0ee..73583ea859 100644
+--- a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
++++ b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+@@ -32,6 +32,10 @@ import android.os.UserHandle;
+ import android.text.TextUtils;
+ import android.util.Log;
+ 
++import androidx.annotation.NonNull;
++import androidx.annotation.Nullable;
++import androidx.annotation.VisibleForTesting;
++import androidx.collection.ArraySet;
+ import androidx.preference.Preference;
+ import androidx.preference.Preference.OnPreferenceClickListener;
+ import androidx.preference.PreferenceFragmentCompat;
+@@ -45,6 +49,8 @@ import com.android.settings.utils.LocalClassLoaderContextThemeWrapper;
+ import com.android.settingslib.accounts.AuthenticatorHelper;
+ import com.android.settingslib.core.instrumentation.Instrumentable;
+ 
++import java.util.Set;
++
+ /**
+  * Class to load the preference screen to be added to the settings page for the specific account
+  * type as specified in the account-authenticator.
+@@ -82,6 +88,7 @@ public class AccountTypePreferenceLoader {
+             try {
+                 desc = mAuthenticatorHelper.getAccountTypeDescription(accountType);
+                 if (desc != null && desc.accountPreferencesId != 0) {
++                    Set<String> fragmentAllowList = generateFragmentAllowlist(parent);
+                     // Load the context of the target package, then apply the
+                     // base Settings theme (no references to local resources)
+                     // and create a context theme wrapper so that we get the
+@@ -97,6 +104,12 @@ public class AccountTypePreferenceLoader {
+                     themedCtx.getTheme().setTo(baseTheme);
+                     prefs = mFragment.getPreferenceManager().inflateFromResource(themedCtx,
+                             desc.accountPreferencesId, parent);
++                    // Ignore Fragments provided dynamically, as these are coming from external
++                    // applications which must not have access to internal Settings' fragments.
++                    // These preferences are rendered into Settings, so they also won't have access
++                    // to their own Fragments, meaning there is no acceptable usage of
++                    // android:fragment here.
++                    filterBlockedFragments(prefs, fragmentAllowList);
+                 }
+             } catch (PackageManager.NameNotFoundException e) {
+                 Log.w(TAG, "Couldn't load preferences.xml file from " + desc.packageName);
+@@ -181,6 +194,48 @@ public class AccountTypePreferenceLoader {
+         }
+     }
+ 
++    // Build allowlist from existing Fragments in PreferenceGroup
++    @VisibleForTesting
++    Set<String> generateFragmentAllowlist(@Nullable PreferenceGroup prefs) {
++        Set<String> fragmentAllowList = new ArraySet<>();
++        if (prefs == null) {
++            return fragmentAllowList;
++        }
++
++        for (int i = 0; i < prefs.getPreferenceCount(); i++) {
++            Preference pref = prefs.getPreference(i);
++            if (pref instanceof PreferenceGroup) {
++                fragmentAllowList.addAll(generateFragmentAllowlist((PreferenceGroup) pref));
++            }
++
++            String fragmentName = pref.getFragment();
++            if (!TextUtils.isEmpty(fragmentName)) {
++                fragmentAllowList.add(fragmentName);
++            }
++        }
++        return fragmentAllowList;
++    }
++
++    // Block clicks on any Preference with android:fragment that is not contained in the allowlist
++    @VisibleForTesting
++    void filterBlockedFragments(@Nullable PreferenceGroup prefs,
++            @NonNull Set<String> allowedFragments) {
++        if (prefs == null) {
++            return;
++        }
++        for (int i = 0; i < prefs.getPreferenceCount(); i++) {
++            Preference pref = prefs.getPreference(i);
++            if (pref instanceof PreferenceGroup) {
++                filterBlockedFragments((PreferenceGroup) pref, allowedFragments);
++            }
++
++            String fragmentName = pref.getFragment();
++            if (fragmentName != null && !allowedFragments.contains(fragmentName)) {
++                pref.setOnPreferenceClickListener(preference -> true);
++            }
++        }
++    }
++
+     /**
+      * Determines if the supplied Intent is safe. A safe intent is one that is
+      * will launch a exported=true activity or owned by the same uid as the
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/packages/apps/Settings/41_0041-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch b/aosp_diff/base_aaos/packages/apps/Settings/41_0041-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch
new file mode 100644
index 0000000000..90c3307ad3
--- /dev/null
+++ b/aosp_diff/base_aaos/packages/apps/Settings/41_0041-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch
@@ -0,0 +1,44 @@
+From 809ba7f3a4e867b44d1f2d364c7c9fd162e2be3b Mon Sep 17 00:00:00 2001
+From: Chris Antol <cantol@google.com>
+Date: Mon, 25 Mar 2024 23:49:35 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Restrict Settings Homepage prior to
+ provisioning
+
+Bug: 327749022
+Test: manual test
+1. factory reset + launch Settings via ADB during Setup -> verify app closes
+2. factory reset + bypass Setup + tap Settings icon in launcher -> verify app closes
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70a5a0fd353cc6203d2926627de93786155ae5bc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:477d4a8d6ba390ed0f9b150ca271966cd967820a)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2f0db305a6bb41d04ccab2ecd31a56bbff8e85fe)
+Merged-In: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
+Change-Id: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
+---
+ .../settings/homepage/SettingsHomepageActivity.java   | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/com/android/settings/homepage/SettingsHomepageActivity.java b/src/com/android/settings/homepage/SettingsHomepageActivity.java
+index 0311ea3fbe..81556ef81f 100644
+--- a/src/com/android/settings/homepage/SettingsHomepageActivity.java
++++ b/src/com/android/settings/homepage/SettingsHomepageActivity.java
+@@ -154,6 +154,17 @@ public class SettingsHomepageActivity extends FragmentActivity implements
+     @Override
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
++
++        // Ensure device is provisioned in order to access Settings home
++        // TODO(b/331254029): This should later be replaced in favor of an allowlist
++        boolean unprovisioned = android.provider.Settings.Global.getInt(getContentResolver(),
++                android.provider.Settings.Global.DEVICE_PROVISIONED, 0) == 0;
++        if (unprovisioned) {
++            Log.e(TAG, "Device is not provisioned, exiting Settings");
++            finish();
++            return;
++        }
++
+         setContentView(R.layout.settings_homepage_container);
+         mIsEmbeddingActivityEnabled = ActivityEmbeddingUtils.isEmbeddingActivityEnabled(this);
+         mIsTwoPaneLastTime = ActivityEmbeddingUtils.isTwoPaneResolution(this);
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/packages/services/Telecomm/15_0015-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch b/aosp_diff/base_aaos/packages/services/Telecomm/15_0015-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch
new file mode 100644
index 0000000000..5c285de063
--- /dev/null
+++ b/aosp_diff/base_aaos/packages/services/Telecomm/15_0015-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch
@@ -0,0 +1,46 @@
+From aaf5ff09323caeeda9c3326c4076d0fd861851bd Mon Sep 17 00:00:00 2001
+From: Pranav Madapurmath <pmadapurmath@google.com>
+Date: Tue, 11 Jun 2024 15:51:39 +0000
+Subject: [PATCH] Unbind CallScreeningService when timeout reached.
+
+In a vulnerability, the exploiter showed that an app which implements a
+service with role holding ROLE_CALL_SCREENING can be used to keep a
+service alive. The assumption is that the CallScreeningService class
+uses MSG_SCREEN_CALL to screen the call and results in the service being
+unbound for outgoing calls once screening completes. However, a vanilla
+service which holds the ROLE_CALL_SCREENING role can still be used as
+the default call screening app which keeps the service alive.
+
+This CL ensures that after the timeout is reached that we try to unbind
+the service if possible.
+
+Bug: 300904123
+Test: Manual test to verify that onDestroy is called for the service
+after the timeout is reached.
+
+(cherry picked from commit 9d97cd5825066ac8e15bbf97f6755663c5341afb)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d57f25311acb7fb887fb0296364526345cc905bb)
+Merged-In: I30d276867c571ece113106d3b363fce99d64f441
+Change-Id: I30d276867c571ece113106d3b363fce99d64f441
+---
+ .../android/server/telecom/CallScreeningServiceHelper.java    | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/com/android/server/telecom/CallScreeningServiceHelper.java b/src/com/android/server/telecom/CallScreeningServiceHelper.java
+index 338aa197e..efd388087 100644
+--- a/src/com/android/server/telecom/CallScreeningServiceHelper.java
++++ b/src/com/android/server/telecom/CallScreeningServiceHelper.java
+@@ -176,6 +176,10 @@ public class CallScreeningServiceHelper {
+                             Log.w(TAG, "Cancelling call id process due to timeout");
+                         }
+                         mFuture.complete(null);
++                        mContext.unbindService(serviceConnection);
++                    } catch (IllegalArgumentException e) {
++                        Log.i(this, "Exception when unbinding service %s : %s", serviceConnection,
++                                e.getMessage());
+                     } finally {
+                         Log.endSession();
+                     }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/system/bt/64_0064-Add-support-for-checking-security-downgrade.bulletin.patch b/aosp_diff/base_aaos/system/bt/64_0064-Add-support-for-checking-security-downgrade.bulletin.patch
new file mode 100644
index 0000000000..cef8a5d390
--- /dev/null
+++ b/aosp_diff/base_aaos/system/bt/64_0064-Add-support-for-checking-security-downgrade.bulletin.patch
@@ -0,0 +1,331 @@
+From 9479a513053d7b428a0d84eafa422d00322dbc1f Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Sat, 25 May 2024 00:28:41 +0000
+Subject: [PATCH] Add support for checking security downgrade
+
+As a guard against the BLUFFS attack, we will need to check the security
+parameters of incoming connections against cached values and disallow
+connection if these parameters are downgraded or changed from their
+cached values.
+
+Future CLs will add checks during connection.  This CL adds the
+functions that will be needed to perform those checks and the necessary
+mocks.
+Currently supported checks are : IO capabilities (must be an exact match),
+Secure Connections capability (must not be a downgrade), and session key
+length (must not be a downgrade).  Maximum session key length, which was
+previously not cached, has been added to the device security manager
+cache.
+
+To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/
+
+Bug: 314331379
+Test: m libbluetooth
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:82382a934cf4a11b979de286e3f9ada723a740a3)
+Merged-In: I8810c1bf9b3d3af1108cf621e2c51537e429c0f3
+Change-Id: I8810c1bf9b3d3af1108cf621e2c51537e429c0f3
+---
+ btif/src/btif_storage.cc               |  31 +++++++-
+ include/hardware/bluetooth.h           |  14 ++++
+ service/logging_helpers.cc             |   2 +
+ stack/btm/btm_sec.cc                   | 103 +++++++++++++++++++++++++
+ stack/btm/btm_sec.h                    |  23 ++++++
+ stack/include/sec_hci_link_interface.h |   3 +
+ test/mock/mock_stack_btm_sec.cc        |   8 ++
+ 7 files changed, 183 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
+index 8a20518b5..570c024fe 100644
+--- a/btif/src/btif_storage.cc
++++ b/btif/src/btif_storage.cc
+@@ -80,10 +80,13 @@ using bluetooth::Uuid;
+ #define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS "LocalIOCaps"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
++#define BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE "MaxSessionKeySize"
+ #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
+ #define BTIF_STORAGE_KEY_GATT_CLIENT_SUPPORTED "GattClientSupportedFeatures"
+ #define BTIF_STORAGE_KEY_GATT_CLIENT_DB_HASH "GattClientDatabaseHash"
+ #define BTIF_STORAGE_KEY_GATT_SERVER_SUPPORTED "GattServerSupportedFeatures"
++#define BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED \
++  "SecureConnectionsSupported"
+ 
+ /* This is a local property to add a device found */
+ #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
+@@ -265,7 +268,14 @@ static int prop2cfg(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+       btif_config_set_int(bdstr, BT_CONFIG_KEY_REMOTE_VER_SUBVER,
+                           info->sub_ver);
+     } break;
+-
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED,
++                          *(uint8_t*)prop->val);
++      break;
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                          *(uint8_t*)prop->val);
++      break;
+     default:
+       BTIF_TRACE_ERROR("Unknown prop type:%d", prop->type);
+       return false;
+@@ -390,6 +400,25 @@ static int cfg2prop(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+                                     &info->sub_ver);
+       }
+     } break;
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(
++            bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED, &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
++
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                                  &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
+ 
+     default:
+       BTIF_TRACE_ERROR("Unknow prop type:%d", prop->type);
+diff --git a/include/hardware/bluetooth.h b/include/hardware/bluetooth.h
+index 63f47e265..54be23624 100644
+--- a/include/hardware/bluetooth.h
++++ b/include/hardware/bluetooth.h
+@@ -324,6 +324,20 @@ typedef enum {
+ 
+   BT_PROPERTY_DYNAMIC_AUDIO_BUFFER,
+ 
++  /**
++   * Description - Whether remote device supports Secure Connections mode
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++
++  /**
++   * Description - Maximum observed session key for remote device
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++
+   BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP = 0xFF,
+ } bt_property_type_t;
+ 
+diff --git a/service/logging_helpers.cc b/service/logging_helpers.cc
+index 03d9370b0..01e61aeff 100644
+--- a/service/logging_helpers.cc
++++ b/service/logging_helpers.cc
+@@ -117,6 +117,8 @@ const char* BtPropertyText(const bt_property_type_t prop) {
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_VERSION_INFO);
+     CASE_RETURN_TEXT(BT_PROPERTY_LOCAL_LE_FEATURES);
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE);
+     default:
+       return "Invalid property";
+   }
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index e53a91497..7808f86e7 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -203,6 +203,109 @@ static bool btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
+   return (false);
+ }
+ 
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_device_sc_downgrade
++ *
++ * Description      Check for a stored device record matching the candidate
++ *                  device, and return true if the stored device has reported
++ *                  that it supports Secure Connections mode and the candidate
++ *                  device reports that it does not.  Otherwise, return false.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++static bool btm_sec_is_device_sc_downgrade(uint16_t hci_handle,
++                                           bool secure_connections_supported) {
++  if (secure_connections_supported) return false;
++
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return (bool)property_val;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_store_device_sc_support
++ *
++ * Description      Save Secure Connections support for this device to file
++ *
++ ******************************************************************************/
++
++static void btm_sec_store_device_sc_support(uint16_t hci_handle,
++                                            bool secure_connections_supported) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = (uint8_t)secure_connections_supported;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_session_key_size_downgrade
++ *
++ * Description      Check if there is a stored device record matching this
++ *                  handle, and return true if the stored record has a lower
++ *                  session key size than the candidate device.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return property_val > key_size;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_update_session_key_size
++ *
++ * Description      Store the max session key size to disk, if possible.
++ *
++ ******************************************************************************/
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = key_size;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
+ /*******************************************************************************
+  *
+  * Function         access_secure_service_from_temp_bond
+diff --git a/stack/btm/btm_sec.h b/stack/btm/btm_sec.h
+index 5f32f09fc..41e0ac235 100644
+--- a/stack/btm/btm_sec.h
++++ b/stack/btm/btm_sec.h
+@@ -796,5 +796,28 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+ void btm_sec_cr_loc_oob_data_cback_event(const RawAddress& address,
+                                          tSMP_LOC_OOB_DATA loc_oob_data);
+ 
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_session_key_size_downgrade
++ *
++ * Description      Check if there is a stored device record matching this
++ *                  handle, and return true if the stored record has a lower
++ *                  session key size than the candidate device.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size);
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_update_session_key_size
++ *
++ * Description      Store the max session key size to disk, if possible.
++ *
++ ******************************************************************************/
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);
++
+ // Return DEV_CLASS (uint8_t[3]) of bda. If record doesn't exist, create one.
+ const uint8_t* btm_get_dev_class(const RawAddress& bda);
+diff --git a/stack/include/sec_hci_link_interface.h b/stack/include/sec_hci_link_interface.h
+index f57c01266..5488807d5 100644
+--- a/stack/include/sec_hci_link_interface.h
++++ b/stack/include/sec_hci_link_interface.h
+@@ -38,6 +38,8 @@ void btm_sec_auth_complete(uint16_t handle, tHCI_STATUS status);
+ void btm_sec_disconnected(uint16_t handle, tHCI_STATUS reason);
+ void btm_sec_encrypt_change(uint16_t handle, tHCI_STATUS status,
+                             uint8_t encr_enable);
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size);
+ void btm_sec_link_key_notification(const RawAddress& p_bda,
+                                    const Octet16& link_key, uint8_t key_type);
+ void btm_sec_link_key_request(uint8_t* p_event);
+@@ -46,4 +48,5 @@ void btm_sec_rmt_host_support_feat_evt(uint8_t* p);
+ void btm_sec_rmt_name_request_complete(const RawAddress* bd_addr,
+                                        uint8_t* bd_name, tHCI_STATUS status);
+ void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);
+ void btm_simple_pair_complete(uint8_t* p);
+diff --git a/test/mock/mock_stack_btm_sec.cc b/test/mock/mock_stack_btm_sec.cc
+index 27d76f8c9..ab2f8bf0b 100644
+--- a/test/mock/mock_stack_btm_sec.cc
++++ b/test/mock/mock_stack_btm_sec.cc
+@@ -116,6 +116,11 @@ bool btm_sec_is_a_bonded_dev(const RawAddress& bda) {
+   mock_function_count_map[__func__]++;
+   return false;
+ }
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size) {
++  mock_function_count_map[__func__]++;
++  return false;
++}
+ bool is_sec_state_equal(void* data, void* context) {
+   mock_function_count_map[__func__]++;
+   return false;
+@@ -295,6 +300,9 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+                                bool br_edr_supported, bool le_supported) {
+   mock_function_count_map[__func__]++;
+ }
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {
++  mock_function_count_map[__func__]++;
++}
+ void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset) {
+   mock_function_count_map[__func__]++;
+ }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/system/bt/65_0065-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch b/aosp_diff/base_aaos/system/bt/65_0065-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
new file mode 100644
index 0000000000..18172bef59
--- /dev/null
+++ b/aosp_diff/base_aaos/system/bt/65_0065-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
@@ -0,0 +1,63 @@
+From d54aee522dd6fb58dd15bdb53978fd59f278a28e Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 31 May 2024 21:46:17 +0000
+Subject: [PATCH] Disallow connect with Secure Connections downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for Secure Connections mode.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4da47591b9530849123c238b2747f5304058db2d)
+Merged-In: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
+Change-Id: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
+---
+ stack/btm/btm_sec.cc | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 7808f86e7..b150d69bf 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -3983,6 +3983,13 @@ void btm_sec_link_key_notification(const RawAddress& p_bda,
+     }
+   }
+ 
++  if (p_dev_rec->is_bond_type_persistent() &&
++      (p_dev_rec->is_device_type_br_edr() ||
++       p_dev_rec->is_device_type_dual_mode())) {
++    btm_sec_store_device_sc_support(p_dev_rec->get_br_edr_hci_handle(),
++                                    p_dev_rec->SupportsSecureConnections());
++  }
++
+   /* If name is not known at this point delay calling callback until the name is
+    */
+   /* resolved. Unless it is a HID Device and we really need to send all link
+@@ -5025,6 +5032,15 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
+   if (p_dev_rec == nullptr) return;
+ 
++  // Drop the connection here if the remote attempts to downgrade from Secure
++  // Connections mode.
++  if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
++    acl_set_disconnect_reason(HCI_ERR_HOST_REJECT_SECURITY);
++    btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle);
++    LOG_WARN("Remote attempted to downgrade from Secure Connections mode");
++    return;
++  }
++
+   p_dev_rec->remote_feature_received = true;
+   p_dev_rec->remote_supports_hci_role_switch = hci_role_switch_supported;
+ 
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/system/bt/66_0066-Disallow-connect-with-key-length-downgrade.bulletin.patch b/aosp_diff/base_aaos/system/bt/66_0066-Disallow-connect-with-key-length-downgrade.bulletin.patch
new file mode 100644
index 0000000000..434e4fcdbc
--- /dev/null
+++ b/aosp_diff/base_aaos/system/bt/66_0066-Disallow-connect-with-key-length-downgrade.bulletin.patch
@@ -0,0 +1,57 @@
+From 34699fece2bdf758cb1c4d7d7fabda728f0c59bb Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 31 May 2024 21:50:12 +0000
+Subject: [PATCH] Disallow connect with key length downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for session key length.
+
+To test, please validate that bonding can be established and
+reestablished against devices with session key lengths of 7 and 16 bits,
+that session key lengths of less than 7 bits are refused, and that basic
+LE bonding functionality still works.  If it is possible to configure a
+remote device to establish a bond with a session key length of 16 bits
+and then reduce that key length to <16 bits before reconnection, this
+should fail.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bd88324876a8664899bd23e926675d7c1b2bbfb2)
+Merged-In: I5b931ddb4876b529ed0c2e1138c02382291216ab
+Change-Id: I5b931ddb4876b529ed0c2e1138c02382291216ab
+---
+ stack/btu/btu_hcif.cc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
+index b2a7869a3..9eab46768 100644
+--- a/stack/btu/btu_hcif.cc
++++ b/stack/btu/btu_hcif.cc
+@@ -1106,6 +1106,17 @@ static void read_encryption_key_size_complete_after_encryption_change(uint8_t st
+     return;
+   }
+ 
++  if (btm_sec_is_session_key_size_downgrade(handle, key_size)) {
++    LOG_ERROR(
++        "encryption key size lower than cached value, disconnecting. "
++        "handle: 0x%x attempted key size: %d",
++        handle, key_size);
++    acl_disconnect_from_handle(handle, HCI_ERR_HOST_REJECT_SECURITY);
++    return;
++  }
++
++  btm_sec_update_session_key_size(handle, key_size);
++
+   // good key size - succeed
+   btm_acl_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
+                          1 /* enable */);
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/base_aaos/system/sepolicy/13_0013-RESTRICT-AUTOMERGE-Allow-system_server-to-call-IKeystoreMaintena.bulletin.patch b/aosp_diff/base_aaos/system/sepolicy/13_0013-RESTRICT-AUTOMERGE-Allow-system_server-to-call-IKeystoreMaintena.bulletin.patch
new file mode 100644
index 0000000000..1d4726e635
--- /dev/null
+++ b/aosp_diff/base_aaos/system/sepolicy/13_0013-RESTRICT-AUTOMERGE-Allow-system_server-to-call-IKeystoreMaintena.bulletin.patch
@@ -0,0 +1,55 @@
+From fa0ffa2779336948eb81c73d0dbe6b85aba39b38 Mon Sep 17 00:00:00 2001
+From: Nikolay Elenkov <nikolayelenkov@google.com>
+Date: Wed, 3 Jul 2024 03:06:41 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Allow system_server to call
+ IKeystoreMaintenance.deleteAllKeys()
+
+This allows RecoverySystem to destroy all synthetic blob protector keys
+and make FBE-encrypted data unrecoverable even if data wipe in recovery
+is interrupted or skipped.
+
+Bug: 324321147
+Test: Manual - System -> Reset options -> Erase all data.
+Test: Hold VolDown key to interrupt reboot and stop at bootloader
+screen.
+Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
+Test: fastboot reboot
+Test: Device reboots into recovery and prompts to factory reset:
+Test: 'Cannot load Android system. Your data may be corrupt. ...
+(cherry picked from https://android-review.googlesource.com/q/commit:3941b6874350fb1c8558fcd539ec0ec5038c1d7e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:837b024352038cb552b7c2473bf0707345550b78)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:844c799e6091c23d1dec8dc1a57b1c5c0f9ff7da)
+Merged-In: I5be2f9e8314d36448994f4f14ff585ded7095c8c
+Change-Id: I5be2f9e8314d36448994f4f14ff585ded7095c8c
+---
+ prebuilts/api/32.0/private/system_server.te | 1 +
+ private/system_server.te                    | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/prebuilts/api/32.0/private/system_server.te b/prebuilts/api/32.0/private/system_server.te
+index 82b2a1f06..22623c45a 100644
+--- a/prebuilts/api/32.0/private/system_server.te
++++ b/prebuilts/api/32.0/private/system_server.te
+@@ -904,6 +904,7 @@ allow system_server keystore:keystore2 {
+ 	clear_ns
+ 	clear_uid
+ 	get_state
++	delete_all_keys
+ 	lock
+ 	pull_metrics
+ 	reset
+diff --git a/private/system_server.te b/private/system_server.te
+index 82b2a1f06..22623c45a 100644
+--- a/private/system_server.te
++++ b/private/system_server.te
+@@ -904,6 +904,7 @@ allow system_server keystore:keystore2 {
+ 	clear_ns
+ 	clear_uid
+ 	get_state
++	delete_all_keys
+ 	lock
+ 	pull_metrics
+ 	reset
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+