Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-12-15 16:49:03 -05:00
Code Issues Projects Releases Packages Wiki Activity

20.0: Network & Sensors permission from GrapheneOS

Browse source 
This revokes the permissions to all user installed apps on update.
Likely an expected quirk of being on 20.0 without the permission.
19.1 upgrades and new 20.0 installs should be fine.

TODO: update 19.1 with the SpecialRuntimePermAppUtils too

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-10-18 17:13:17 -04:00
parent cdca2c032e
commit 0c4db149e1
No known key found for this signature in database
GPG key ID: B286E9F57A07424B
33 changed files with 2211 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

34
Patches/LineageOS-20.0/android_packages_modules_Connectivity/0001-Network_Permission-1.patch Normal file
View file

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 14 Dec 2021 18:17:11 +0200
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
---
framework/src/android/net/ConnectivityManager.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index f741c2bb3..f5bac0613 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -41,6 +41,7 @@ import android.compat.annotation.UnsupportedAppUsage;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.SpecialRuntimePermAppUtils;
import android.net.ConnectivityDiagnosticsManager.DataStallReport.DetectionMethod;
import android.net.IpSecManager.UdpEncapsulationSocket;
import android.net.SocketKeepalive.Callback;
@@ -3358,6 +3359,12 @@ public class ConnectivityManager {
*/
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
printStackTrace();
+
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // caller doesn't have INTERNET, but expects to always have it
+ return;
+ }
+
try {
mService.reportNetworkConnectivity(network, hasConnectivity);
} catch (RemoteException e) {

208
Patches/LineageOS-20.0/android_packages_modules_Connectivity/0001-Network_Permission-2.patch Normal file
View file

@ -0,0 +1,208 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Wed, 6 Oct 2021 03:05:49 +0300
Subject: [PATCH] enforce INTERNET permission per-uid instead of per-appId
---
bpf_progs/netd.c | 10 +--
.../connectivity/PermissionMonitor.java | 63 ++++++++++++++-----
2 files changed, 48 insertions(+), 25 deletions(-)
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 24b3fed58..065f41fd8 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -429,14 +429,8 @@ DEFINE_BPF_PROG_EXT("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_cr
KVER(4, 14, 0), KVER_INF, false, "fs_bpf_netd_readonly", "")
(struct bpf_sock* sk) {
uint64_t gid_uid = bpf_get_current_uid_gid();
- /*
- * A given app is guaranteed to have the same app ID in all the profiles in
- * which it is installed, and install permission is granted to app for all
- * user at install time so we only check the appId part of a request uid at
- * run time. See UserHandle#isSameApp for detail.
- */
- uint32_t appId = (gid_uid & 0xffffffff) % AID_USER_OFFSET; // == PER_USER_RANGE == 100000
- uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
+ uint32_t uid = (gid_uid & 0xffffffff);
+ uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&uid);
if (!permissions) {
// UID not in map. Default to just INTERNET permission.
return 1;
diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
index 0e265f9ef..4509d9f3f 100755
--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
+++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
@@ -392,6 +392,11 @@ public class PermissionMonitor {
public synchronized void startMonitoring() {
log("Monitoring");
+ mPackageManager.addOnPermissionsChangeListener(uid -> {
+ // traffic permissions are INTERNET and UPDATE_DEVICE_STATS
+ sendPackagePermissionsForUid(uid, getTrafficPermissionForUid(uid));
+ });
+
final Context userAllContext = mContext.createContextAsUser(UserHandle.ALL, 0 /* flags */);
final IntentFilter intentFilter = new IntentFilter();
intentFilter.addAction(Intent.ACTION_PACKAGE_ADDED);
@@ -566,7 +571,7 @@ public class PermissionMonitor {
mUsersTrafficPermissions.put(user, addedUserAppIds);
// Generate appIds from all users and send result to netd.
final SparseIntArray appIds = makeAppIdsTrafficPermForAllUsers();
- sendAppIdsTrafficPermission(appIds);
+ sendUidsTrafficPermission(user.getIdentifier(), appIds);
// Log user added
mPermissionUpdateLogs.log("New user(" + user.getIdentifier() + ") added: nPerm uids="
@@ -614,7 +619,7 @@ public class PermissionMonitor {
appIds.put(appId, PERMISSION_UNINSTALLED);
}
}
- sendAppIdsTrafficPermission(appIds);
+ sendUidsTrafficPermission(user.getIdentifier(), appIds);
// Log user removed
mPermissionUpdateLogs.log("User(" + user.getIdentifier() + ") removed: nPerm uids="
@@ -734,16 +739,25 @@ public class PermissionMonitor {
}
}
- private synchronized int getAppIdTrafficPermission(int appId) {
+ private synchronized int getUidTrafficPermission(final int uid) {
+ final int userId = UserHandle.getUserId(uid);
+
int permission = PERMISSION_NONE;
boolean installed = false;
+
for (UserHandle user : mUsersTrafficPermissions.keySet()) {
+ if (user.getIdentifier() != userId) {
+ continue;
+ }
+
final SparseIntArray userApps = mUsersTrafficPermissions.get(user);
+ final int appId = UserHandle.getAppId(uid);
final int appIdx = userApps.indexOfKey(appId);
if (appIdx >= 0) {
permission |= userApps.valueAt(appIdx);
installed = true;
}
+ break;
}
return installed ? permission : PERMISSION_UNINSTALLED;
}
@@ -761,8 +775,8 @@ public class PermissionMonitor {
updateAppIdTrafficPermission(uid);
// Get the appId permission from all users then send the latest permission to netd.
final int appId = UserHandle.getAppId(uid);
- final int appIdTrafficPerm = getAppIdTrafficPermission(appId);
- sendPackagePermissionsForAppId(appId, appIdTrafficPerm);
+ final int uidTrafficPerm = getUidTrafficPermission(uid);
+ sendPackagePermissionsForUid(uid, uidTrafficPerm);
final int currentPermission = mUidToNetworkPerm.get(uid, PERMISSION_NONE);
final int permission = highestPermissionForUid(uid, currentPermission, packageName);
@@ -792,7 +806,7 @@ public class PermissionMonitor {
mPermissionUpdateLogs.log("Package add: name=" + packageName + ", uid=" + uid
+ ", nPerm=(" + permissionToString(permission) + "/"
+ permissionToString(currentPermission) + ")"
- + ", tPerm=" + permissionToString(appIdTrafficPerm));
+ + ", tPerm=" + permissionToString(uidTrafficPerm));
}
private int highestUidNetworkPermission(int uid) {
@@ -824,8 +838,8 @@ public class PermissionMonitor {
updateAppIdTrafficPermission(uid);
// Get the appId permission from all users then send the latest permission to netd.
final int appId = UserHandle.getAppId(uid);
- final int appIdTrafficPerm = getAppIdTrafficPermission(appId);
- sendPackagePermissionsForAppId(appId, appIdTrafficPerm);
+ final int uidTrafficPerm = getUidTrafficPermission(uid);
+ sendPackagePermissionsForUid(uid, uidTrafficPerm);
// If the newly-removed package falls within some VPN's uid range, update Netd with it.
// This needs to happen before the mUidToNetworkPerm update below, since
@@ -845,7 +859,7 @@ public class PermissionMonitor {
mPermissionUpdateLogs.log("Package remove: name=" + packageName + ", uid=" + uid
+ ", nPerm=(" + permissionToString(permission) + "/"
+ permissionToString(currentPermission) + ")"
- + ", tPerm=" + permissionToString(appIdTrafficPerm));
+ + ", tPerm=" + permissionToString(uidTrafficPerm));
if (permission != currentPermission) {
final SparseIntArray apps = new SparseIntArray();
@@ -1097,14 +1111,17 @@ public class PermissionMonitor {
* @hide
*/
@VisibleForTesting
- void sendPackagePermissionsForAppId(int appId, int permissions) {
+ void sendPackagePermissionsForUid(int uid, int permissions) {
+ int userId = UserHandle.getUserId(uid);
+ int appId = UserHandle.getAppId(uid);
+
SparseIntArray netdPermissionsAppIds = new SparseIntArray();
netdPermissionsAppIds.put(appId, permissions);
if (hasSdkSandbox(appId)) {
int sdkSandboxAppId = sProcessShim.toSdkSandboxUid(appId);
netdPermissionsAppIds.put(sdkSandboxAppId, permissions);
}
- sendAppIdsTrafficPermission(netdPermissionsAppIds);
+ sendUidsTrafficPermission(userId, netdPermissionsAppIds);
}
/**
@@ -1116,7 +1133,7 @@ public class PermissionMonitor {
* @hide
*/
@VisibleForTesting
- void sendAppIdsTrafficPermission(SparseIntArray netdPermissionsAppIds) {
+ void sendUidsTrafficPermission(final int userId, SparseIntArray netdPermissionsAppIds) {
final ArrayList<Integer> allPermissionAppIds = new ArrayList<>();
final ArrayList<Integer> internetPermissionAppIds = new ArrayList<>();
final ArrayList<Integer> updateStatsPermissionAppIds = new ArrayList<>();
@@ -1150,29 +1167,41 @@ public class PermissionMonitor {
if (allPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(
PERMISSION_INTERNET | PERMISSION_UPDATE_DEVICE_STATS,
- toIntArray(allPermissionAppIds));
+ appIdListToUidArray(userId, allPermissionAppIds));
}
if (internetPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_INTERNET,
- toIntArray(internetPermissionAppIds));
+ appIdListToUidArray(userId, internetPermissionAppIds));
}
if (updateStatsPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_UPDATE_DEVICE_STATS,
- toIntArray(updateStatsPermissionAppIds));
+ appIdListToUidArray(userId, updateStatsPermissionAppIds));
}
if (noPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_NONE,
- toIntArray(noPermissionAppIds));
+ appIdListToUidArray(userId, noPermissionAppIds));
}
if (uninstalledAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_UNINSTALLED,
- toIntArray(uninstalledAppIds));
+ appIdListToUidArray(userId, uninstalledAppIds));
}
} catch (RemoteException | ServiceSpecificException e) {
Log.e(TAG, "Pass appId list of special permission failed." + e);
}
}
+ private static int[] appIdListToUidArray(int userId, ArrayList<Integer> appIds) {
+ final int cnt = appIds.size();
+ int[] array = new int[cnt];
+
+ for (int i = 0; i < cnt; ++i) {
+ int appId = appIds.get(i).intValue();
+ array[i] = UserHandle.getUid(userId, appId);
+ }
+
+ return array;
+ }
+
/** Should only be used by unit tests */
@VisibleForTesting
public Set<UidRange> getVpnInterfaceUidRanges(String iface) {

54
Patches/LineageOS-20.0/android_packages_modules_Connectivity/0001-Network_Permission-3.patch Normal file
View file

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 30 Aug 2022 12:27:52 +0300
Subject: [PATCH] don't crash INTERNET-unaware apps that try to access
NsdManager
---
.../src/android/net/nsd/NsdManager.java | 33 ++++++++++++++++---
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/framework-t/src/android/net/nsd/NsdManager.java b/framework-t/src/android/net/nsd/NsdManager.java
index f19bf4a6f..ac0a9f6ab 100644
--- a/framework-t/src/android/net/nsd/NsdManager.java
+++ b/framework-t/src/android/net/nsd/NsdManager.java
@@ -498,10 +498,35 @@ public final class NsdManager {
t.start();
mHandler = new ServiceHandler(t.getLooper());
- try {
- mService = service.connect(new NsdCallbackImpl(mHandler));
- } catch (RemoteException e) {
- throw new RuntimeException("Failed to connect to NsdService");
+ if (android.content.pm.SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // INsdManager#connect() enforces INTERNET permission
+ mService = new INsdServiceConnector() {
+ final NsdCallbackImpl callback = new NsdCallbackImpl(mHandler);
+
+ @Override public void registerService(int listenerKey, NsdServiceInfo serviceInfo) {
+ callback.onRegisterServiceFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void unregisterService(int listenerKey) {
+ callback.onUnregisterServiceFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void discoverServices(int listenerKey, NsdServiceInfo serviceInfo) {
+ callback.onDiscoverServicesFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void stopDiscovery(int listenerKey) {
+ callback.onStopDiscoveryFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void resolveService(int listenerKey, NsdServiceInfo serviceInfo) {
+ callback.onResolveServiceFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void startDaemon() {}
+ @Override public android.os.IBinder asBinder() { return null; }
+ };
+ } else {
+ try {
+ mService = service.connect(new NsdCallbackImpl(mHandler));
+ } catch (RemoteException e) {
+ throw new RuntimeException("Failed to connect to NsdService");
+ }
}
// Only proactively start the daemon if the target SDK < S, otherwise the internal service