Add a toggle to allow screenshots through FLAG SECURE#313
Add a toggle to allow screenshots through FLAG SECURE#313BasedJellyfish11 wants to merge 699 commits into
Conversation
|
We only want to override disabling screenshots instead of the other parts of it. |
|
AFAIK flag secure is only used for screenshots (and casting, which seems like the same use case) https://developer.android.com/security/fraud-prevention/activities
Is the ask to decouple the setting from the casting functionality? Or just a double check |
|
It does change other things including it not generating thumbnails for recent apps. |
|
Sounds good, let me look into what needs to change |
9050256 to
2442a7a
Compare
2442a7a to
45f9e84
Compare
45f9e84 to
fd8002c
Compare
|
@thestinger do you have any other feedback I should incorporate into the PR? |
Squashed with 0a99fc2 by quh4gko8 <88831734+quh4gko8@users.noreply.github.com>
Package permission state is updated automatically for all packages after events that might impact it, e.g. after package install or uninstall, after storage volume mount, after OS update etc. On GrapheneOS, per-package permission policy can be changed via GosPackageState packageFlags. This new method is needed for updating the cached permission state manually after packageFlags change.
Squashed with 8320ef5 by Andrew Gunnerson <accounts+github@chiller3.com>
Notification is not shown if OTHER_SENSORS was explicitly denied by the user.
Apps sometimes misbehave when INTERNET permission is revoked and a job that they scheduled with a connectivity constraint is executed.
Change-Id: I0b65cac3c3d2fc495b339c34add742bd698b107c
Requires the corresponding changes to system/core and system/sepolicy.
…SELECTED Treat it same way other storage perms are treated for now.
If the device is protected with a password and a broken third-party keyboard is used then the device becomes non-unlockable.
The device might become non-unlockable if it's protected with a password and a broken third-party keyboard is used. The system keyboard is unconditionally used in safe mode. There's already an option to reboot to safe mode by pressing and holding the "Restart" button, but its discoverability is low.
Network location provider is disabled by default on GrapheneOS and is not as accurate as the GmsCore network location implementation. Upstream 16 QPR1 change: e149021
Some apps perform a weak security check by looking at the main thread stack trace.
AOSP uses the legacy keyguard slice infrastructure for showing the following info on the lockscreen and in always-on-display mode: - current date - next alarm - Do Not Disturb status - current media info (title and artist) The proprietary SystemUIGoogle on stock Pixel OS uses the modern smartspace infrastructure for displaying this info. The legacy keyguard slice infrastructure isn't being properly maintained upstream. It has numerous layout and animation issues. This change adds a smartspace implementation to avoid these issues by reusing the same infrastructure that is used by SystemUIGoogle. Original PR: GrapheneOS#317 Co-authored-by: Dmitry Muhomor <muhomor.dmitry@gmail.com>
CVE-Info: CVE-2026-0014 | Severity: High They should not be considered "system" app for the purposes of attribution tag vaildation Bug: 443742082 Test: atest AppOpsMemoryUsageTest Flag: EXEMPT CVE_FIX Change-Id: I0c4ac8eaa8966027ad01375dde58b05febec3ffb (cherry picked from commit 1bc6b14)
CVE-Info: CVE-2026-0015 | Severity: High Only trusted proxies should be allowed to specify tags. Also prevents startOperationDryRun from editing the know attribution tags, as the dry run should change no state. Bug: 445917646 Test: atest AttributionTest Flag: EXEMPT CVE_FIX Change-Id: I14ab1389384fd28009edd9cceceaacdb97fb96e5 (cherry picked from commit 110db0a)
CVE-Info: CVE-2026-0020 | Severity: High Bug: 453649815 Test: atest AppSecurityTests Flag: EXEMPT CVE_FIX Change-Id: I673ad83d05c9825177967e4f0a960e8841610b71 (cherry picked from commit 595cf99)
CVE-Info: CVE-2026-0017 | Severity: High If the new setting key is not set, we should use the value of the old ones as the default value. Bug: 444673089 Test: atest BiometricServiceTest Flag: EXEMPT BUGFIX Change-Id: I902c7fd9781037ba05b30821b4fa22aa1509f3fd (cherry picked from commit a3799e4)
CVE-Info: CVE-2025-48644 | Severity: High An IME's metadata can reference arbitrarily large strings (e.g., @string/large_text), which can lead to OOM or large Binder transactions during parsing. The previous check only validated the raw XML file size, failing to account for the size of these resolved string references. This patch hardens the InputMethodInfo constructor by enforcing a 200KB cumulative limit on all resolved metadata attributes. A new MetadataReadBytesTracker now sums the actual size of all read attributes, including the full length of any strings, and parsing is aborted if this 200KB limit is exceeded. Bug: 449416164 Bug: 449181366 Bug: 449393786 Bug: 449227003 Test: CtsInputMethodTestCases:{InputMethodRegistrationTest,InputMethodInfoTest} Test: InputMethodCoreTests:{InputMethodSubtypeArrayTest,InputMethodInfoTest} Flag: EXEMPT BUGFIX Change-Id: I43f7be8eb80abeb39863a3b01d3a606beb90120c (cherry picked from commit 7afc13f)
CVE-Info: CVE-2025-48644 | Severity: High IMM#getEnabledInputMethodSubtypeList() can return a large list of subtypes, which may cause a TransactionTooLargeException. This patch introduces InputMethodSubtypeSafeList to wrap the list as a byte array, avoiding the exception. This mirrors the existing InputMethodInfoSafeList pattern introduced in [1]. Additionally, this change extracts the common marshalling logic from InputMethodInfoSafeList into a new AbstractSafeList and refactors both SafeList classes to extend it. [1] I0a7667070fcdf17d34b248a5988c38064588718a DISABLE_TOPIC_PROTECTOR Bug: 449416164 Bug: 449181366 Bug: 449393786 Bug: 449227003 Test: CtsInputMethodTestCases:{InputMethodRegistrationTest,InputMethodInfoTest} Test: InputMethodCoreTests Flag: EXEMPT BUGFIX Change-Id: Ied64a9f018fd3e79cfc51ccd82d361b43e5f29dc (cherry picked from commit 1d68a10)
CVE-Info: CVE-2025-48645 | Severity: High loadDescription was potentially vulnerable to an attack which causes a DoS exploit by injecting a maliciously large string into the Receiver's label. Bug: 443062265 Test: manual Flag: EXEMPT BUGFIX Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:06a5b2327caa3aa8843496458e98b9bb070df6e5 Merged-In: Icab26c4b77e73f0fcb9a560e3211482ebe2f37bf Change-Id: Icab26c4b77e73f0fcb9a560e3211482ebe2f37bf
CVE-Info: CVE-2025-48646 | Severity: High Bug: 457742426 Test: atest ActivityStarterTests Test: Verified via test app Flag: EXEMPT CVE_FIX Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:3bb240273822e41f3c6911c60d15983a600308f7 Merged-In: Ic9637c56803b00acc9fca59f8092ed02dd46a4fb Change-Id: Ic9637c56803b00acc9fca59f8092ed02dd46a4fb
CVE-Info: CVE-2026-0023 | Severity: High If the flag is not explicitly unset, an app could set this flag, leading to unexpected behaviour if the install is not actually from a managed user or profile. Bug: 459461121 Test: atest PackageManagerShellCommandInstallTest#testSessionCreationWithManagedUserOrProfileFlag_notFromManagedProfile Flag: EXEMPT BUGFIX Change-Id: I21bbbf628e97244d469eb23ce0558dbf560b7618 Merged-In: I21bbbf628e97244d469eb23ce0558dbf560b7618
CVE-Info: CVE-2026-0025 | Severity: High Now with fewer class cast exceptions Test: ConversationNotification Test: NotificationManagerServiceTest Bug: 433746973 Flag: EXEMPT BUGFIX Change-Id: I3022e010de95f14dcd0d09d123684ee265101e0a (cherry picked from commit 71d4afa)
CVE-Info: CVE-2025-48654 | Severity: High Test: manually Bug: 442392902 Flag: EXEMPT bugfix Change-Id: I94b96d98608d6702e1d3a9581e135280149bf7e1
…r.notification CVE-Info: CVE-2026-0034 | Severity: High Bug: 428701593 Bug: 457836121 Test: All TreeHugger presubmit checks passed. Flag: EXEMPT FLAG_REMOVAL OFF_PEAK_PRESUBMIT: true Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:8a8be53d3516586e7e7273f85cece7db9e6bfec1 Merged-In: I13a67db9ccce195b7e7130e20bd2c387996a95c3 Change-Id: I13a67db9ccce195b7e7130e20bd2c387996a95c3
CVE-Info: CVE-2026-0011 | Severity: High When a system app is re-enabled after the update is uninstalled, when the system app has shared uid, the current code doesn't support directly reusing the disabled package setting. Instead, the preloaded version is re-scanned and installed as a new app, which can bring breaking behavior of changed UIDs when the manifest has sharedUserMaxSdkVersion. This change fixes the bug where registerExistingAppId fails when it comes to shared uid, therefore directly reuses the disabled package setting, consistent with the behavior for non-shared-uid system apps. FLAG: EXEMPT BUGFIX Test: manually with system-app-test.sh BUG: 454062218 Change-Id: I9187ee77bac2a00d679a1a3cc7de2df564f38684 Merged-In: I9187ee77bac2a00d679a1a3cc7de2df564f38684 (cherry picked from commit 6b5ea2f) Change-Id: I417cec27697a210416027e862a5e5d207d268b82
CVE-Info: CVE-2026-0047 | Severity: Critical The previous implementation did not check for permission and debuggability for `am dumpbitmaps`, which allows a malicious app to access bitmaps in memory of other processes. Detailed vulnerability and how a malicious app could make use of it are documented in b/465136263. This CL enforces both permission check (with the same permission as `am dumpheap`) and debuggability. Bug: 465136263 Bug: 475543853 Flag: EXEMPT BUGFIX Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:93b72e5a84815c09d5eac89fe8f974a44002c629 Merged-In: I10836ce46969f50d837f7f8bf6336f977e830f05 Change-Id: I10836ce46969f50d837f7f8bf6336f977e830f05 See: b/465136263#comment27
fd8002c to
1db51f5
Compare
|
Rebased this one too after the heads up in the settings one |
|
please change the target branch to 17 |

issue: GrapheneOS/os-issue-tracker#664
Adds a setting to developer options to disable flag secure globally. Actual setting is implemented in GrapheneOS/platform_packages_apps_Settings#411