Fix SecurityException crash in work profiles for getPackagesForUid

In work profiles (e.g. Shelter), getPackagesForUid() throws
SecurityException for cross-user UIDs because the app lacks
INTERACT_ACROSS_USERS_FULL permission. This was already known and
handled in AdapterLog.java but NOT in the critical packet processing
path.

The unhandled exception in shouldTrackApp() propagates up through
blockKnownTracker() and log(), causing BOTH tracker blocking AND
traffic logging to silently fail for every packet - the exception
is caught by the outer handleMessage() try-catch and swallowed.

Fix: wrap getPackagesForUid() in try-catch SecurityException at all
three unprotected call sites in ServiceSinkhole:
- shouldTrackApp() (blocking + logging pipeline) - default to tracking
- prepareUidIPFilters() (lockdown check) - skip lockdown filter
- showNewInstallNotification() - skip notification gracefully

This is very likely the root cause of the reported work profile issue
where "tracker blocking and traffic log doesn't work in Shelter."

https://claude.ai/code/session_013NayXYhZViADqMfUXT4VuF

Author: claude

app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java

@@ -1879,7 +1879,13 @@ private void prepareUidIPFilters(String dname) {
                 long ttl = (cursor.isNull(colTTL) ? 7 * 24 * 3600 * 1000L : cursor.getLong(colTTL));
 
                 if (isLockedDown(last_metered)) {
-                    String[] pkg = getPackageManager().getPackagesForUid(uid);
+                    String[] pkg;
+                    try {
+                        pkg = getPackageManager().getPackagesForUid(uid);
+                    } catch (SecurityException ignored) {
+                        // Work profile cross-user UID
+                        pkg = null;
+                    }
                     if (pkg != null && pkg.length > 0) {
                         if (!lockdown.getBoolean(pkg[0], false))
                             continue;
@@ -2230,7 +2236,16 @@ private Allowed isAddressAllowed(Packet packet) {
      * - It's a system app and manage_system is disabled
      */
     private boolean shouldTrackApp(int uid) {
-        String[] packages = getPackageManager().getPackagesForUid(uid);
+        String[] packages;
+        try {
+            packages = getPackageManager().getPackagesForUid(uid);
+        } catch (SecurityException ex) {
+            // In work profiles, getPackagesForUid throws SecurityException for
+            // cross-user UIDs (requires INTERACT_ACROSS_USERS_FULL permission).
+            // Default to tracking so blocking/logging still works.
+            Log.w(TAG, "SecurityException in shouldTrackApp for uid " + uid + ": " + ex.getMessage());
+            return true;
+        }
         if (packages == null || packages.length == 0) {
             return true; // Unknown UID, default to tracking
         }
@@ -2743,6 +2758,9 @@ public void notifyNewApplication(int uid, BroadcastReceiver br) {
 
         } catch (PackageManager.NameNotFoundException ex) {
             Log.e(TAG, ex.toString() + "\n" + Log.getStackTraceString(ex));
+        } catch (SecurityException ex) {
+            // Work profile cross-user UID
+            Log.w(TAG, "SecurityException showing install notification for uid " + uid + ": " + ex.getMessage());
         }
     }