Configurable clipboard auto-clear timeout

[secrecyflag]

solves: GrapheneOS/os-issue-tracker#2012

[secrecyflag]

will rebase today.

[secrecyflag]

re-based successfully. the feature should be ready now.

[muhomorr]

There's no need to declare this as a separate constant in a separate file.
It's better to use TimeUnit.HOURS.toMillis(1) in CLIPBOARD_AUTO_CLEAR_TIMEOUT definition (default value can likely be reduced to several minutes) and to remove constant com.android.server.clipboard.ClipboardService.DEFAULT_CLIPBOARD_TIMEOUT_MILLIS to make sure it's not used elsewhere.

[secrecyflag]

This is just following the convention from com.android.server.clipboard.ClipboardService.DEFAULT_CLIPBOARD_TIMEOUT_MILLIS for making it easier to port to other versions of AOSP.

[secrecyflag]

This also includes changing CTS as this value is used there. Depends if you don't mind.

[muhomorr]

If constant is removed, build will fail if it's used elsewhere in a new AOSP version. This is more reliable than assuming that search for usages of this constant will be performed each time new AOSP version comes out.

[muhomorr]

Another option is to write to DeviceConfig setting directly instead of replacing it with a new setting.

[secrecyflag]

How would we make it per-user? The current implementation doesn't allow per-user configuration because it uses DeviceConfig.

[muhomorr]

I don't think this setting needs to be per-user.

[secrecyflag]

It adds better isolation, and even security (no leaks between user profiles).

[muhomorr]

DeviceConfig settings are unreadable by unprivileged apps.

I've thought some more about this feature, and I think that it's better to just reduce this timeout to 10 or 5 minutes instead of adding one more setting. There's a large number of privacy-sensitive timeouts and flags in AOSP, making them configurable is not a right approach in most cases in my opinion.

[secrecyflag]

I believe it's still a good feature to add. People can copy passwords (for some reason) or other sensitive information from other apps and not worry about it existing for a long time and some app stealing it. It's also a pretty small change. Just a "setting" file and copying two constants. Can be easily added.

[muhomorr]

I stand by what I wrote previously in the review:

I think that it's better to just reduce this timeout to 10 or 5 minutes instead of adding one more setting. There's a large number of privacy-sensitive timeouts and flags in AOSP, making them configurable is not a right approach in most cases in my opinion.

[secrecyflag]

If so, we should use a small timeout like one minute. An enhancement would be resetting the timeout every time the user pastes the same clipboard.

[muhomorr]

I think one minute is way too short.

Another approach would be to deny read access to clipboard for all apps (except IME) by default, and show a notification when an app tries to access it.

Basically, an off-by-default per-app toggle for clipboard access.

[secrecyflag]

Yeah one minute is short that's why I thought every time the user pastes the clipboard it would reset. But a clipboard access permission is also possible and also be easily implemented. I think both (one minute timeout or more, and...) of the approaches are good enhancements.

[muhomorr]

I think that one minute is too short even for the first paste.

[secrecyflag]

Right it doesn't have to be one minute, I'm only clarifying that both of the approaches are good. It could be even five minutes.