Enable the NETWORK permission patchset for 16.0 too

Likely has issues with secondary users. As in the permission affects all copies of the same app. Signed-off-by: Tad <tad@spotco.us>
2024-06-26 14:42:13 +00:00 · 2022-02-26 14:45:25 -05:00 · 2022-02-26 14:45:25 -05:00 · 0d59c18c85
commit 0d59c18c85
parent bbdfcdc2a2
7 changed files with 49 additions and 29 deletions
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
@ -1,4 +1,4 @@
-From 09632b10185b9133949a431e27089f72b5cfeefa Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Fri, 21 Jul 2017 08:42:55 -0400
 Subject: [PATCH] support new special runtime permissions
@ -11,10 +11,10 @@ need to be granted by default for all apps to maintain compatibility.
 2 files changed, 25 insertions(+), 8 deletions(-)

 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
-index c414abac12a7..46f02259e741 100644
+index dc44fe17722d..e9fd656478dc 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
-@@ -19462,7 +19462,8 @@ private void resetUserChangesToRuntimePermissionsAndFlagsLPw(
+@@ -19704,7 +19704,8 @@ public class PackageManagerService extends IPackageManager.Stub
             }
 
             // If this permission was granted by default, make sure it is.
@ -25,10 +25,10 @@ index c414abac12a7..46f02259e741 100644
                         != PERMISSION_OPERATION_FAILURE) {
                     writeRuntimePermissions = true;
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index c51a72406b53..cb8facb31020 100644
+index 79b2636481b3..9f1fe8a6414a 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-@@ -659,6 +659,10 @@ private void removeDynamicPermission(
+@@ -730,6 +730,10 @@ public class PermissionManagerService {
         }
     }
 
@ -39,7 +39,7 @@ index c51a72406b53..cb8facb31020 100644
     private void grantPermissions(PackageParser.Package pkg, boolean replace,
             String packageOfInterest, PermissionCallback callback) {
         // IMPORTANT: There are two types of permissions: install and runtime.
-@@ -767,7 +771,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+@@ -838,7 +842,8 @@ public class PermissionManagerService {
                     // their permissions as always granted runtime ones since we need
                     // to keep the review required permission flag per user while an
                     // install permission's state is shared across all users.
@ -49,7 +49,7 @@ index c51a72406b53..cb8facb31020 100644
                         // For legacy apps dangerous permissions are install time ones.
                         grant = GRANT_INSTALL;
                     } else if (origPermissions.hasInstallPermission(bp.getName())) {
-@@ -877,7 +882,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+@@ -948,7 +953,8 @@ public class PermissionManagerService {
                                                 updatedUserIds, userId);
                                     }
                                 } else if (mSettings.mPermissionReviewRequired
@ -59,7 +59,7 @@ index c51a72406b53..cb8facb31020 100644
                                     // For legacy apps that need a permission review, every new
                                     // runtime permission is granted but it is pending a review.
                                     // We also need to review only platform defined runtime
-@@ -898,7 +904,15 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+@@ -969,7 +975,15 @@ public class PermissionManagerService {
                                         updatedUserIds = ArrayUtils.appendInt(
                                                 updatedUserIds, userId);
                                     }
@ -76,7 +76,7 @@ index c51a72406b53..cb8facb31020 100644
                                 // Propagate the permission flags.
                                 permissionsState.updatePermissionFlags(bp, userId, flags, flags);
                             }
-@@ -1350,7 +1364,7 @@ private void grantRequestedRuntimePermissionsForUser(PackageParser.Package pkg,
+@@ -1421,7 +1435,7 @@ public class PermissionManagerService {
                     && (grantedPermissions == null
                            || ArrayUtils.contains(grantedPermissions, permission))) {
                 final int flags = permissionsState.getPermissionFlags(permission, userId);
@ -85,7 +85,7 @@ index c51a72406b53..cb8facb31020 100644
                     // Installer cannot change immutable permissions.
                     if ((flags & immutableFlags) == 0) {
                         grantRuntimePermission(permission, pkg.packageName, false, callingUid,
-@@ -1409,7 +1423,7 @@ private void grantRuntimePermission(String permName, String packageName, boolean
+@@ -1480,7 +1494,7 @@ public class PermissionManagerService {
         // install permission's state is shared across all users.
         if (mSettings.mPermissionReviewRequired
                 && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
@ -94,7 +94,7 @@ index c51a72406b53..cb8facb31020 100644
             return;
         }
 
-@@ -1445,7 +1459,8 @@ private void grantRuntimePermission(String permName, String packageName, boolean
+@@ -1516,7 +1530,8 @@ public class PermissionManagerService {
                     + permName + " for package " + packageName);
         }
 
@ -104,7 +104,7 @@ index c51a72406b53..cb8facb31020 100644
             Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
             return;
         }
-@@ -1530,7 +1545,8 @@ private void revokeRuntimePermission(String permName, String packageName,
+@@ -1601,7 +1616,8 @@ public class PermissionManagerService {
         // install permission's state is shared across all users.
         if (mSettings.mPermissionReviewRequired
                 && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch
@ -1,4 +1,4 @@
-From 2dd00723364fcf10e6c9e6c2e022e31524fda92d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Sun, 17 Mar 2019 11:59:15 -0400
 Subject: [PATCH] make INTERNET into a special runtime permission
@ -9,10 +9,10 @@ Subject: [PATCH] make INTERNET into a special runtime permission
 2 files changed, 2 insertions(+), 2 deletions(-)

 diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
-index d0ae9dbc55ae..d0449dfc4f57 100644
+index af1a6fa9e3c5..873162098247 100644
 --- a/core/res/AndroidManifest.xml
 +++ b/core/res/AndroidManifest.xml
-@@ -1348,7 +1348,7 @@
+@@ -1361,7 +1361,7 @@
     <permission android:name="android.permission.INTERNET"
         android:description="@string/permdesc_createNetworkSockets"
         android:label="@string/permlab_createNetworkSockets"
@ -22,10 +22,10 @@ index d0ae9dbc55ae..d0449dfc4f57 100644
     <!-- Allows applications to access information about networks.
          <p>Protection level: normal
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index cb8facb31020..9b11c8e0ffd7 100644
+index 9f1fe8a6414a..f16f671a51dd 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-@@ -660,7 +660,7 @@ private void removeDynamicPermission(
+@@ -731,7 +731,7 @@ public class PermissionManagerService {
     }
 
     public static boolean isSpecialRuntimePermission(final String permission) {
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch
@ -1,4 +1,4 @@
-From 6ef61fd6f745b9709269d3612a3a4eea2250ebec Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Fri, 21 Jul 2017 11:23:07 -0400
 Subject: [PATCH] add a NETWORK permission group for INTERNET
@ -9,10 +9,10 @@ Subject: [PATCH] add a NETWORK permission group for INTERNET
 2 files changed, 15 insertions(+)

 diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
-index d0449dfc4f57..822cf1166539 100644
+index 873162098247..8efe5474dfea 100644
 --- a/core/res/AndroidManifest.xml
 +++ b/core/res/AndroidManifest.xml
-@@ -1342,10 +1342,20 @@
+@@ -1355,10 +1355,20 @@
     <!-- ======================================= -->
     <eat-comment />
 
@ -34,7 +34,7 @@ index d0449dfc4f57..822cf1166539 100644
         android:label="@string/permlab_createNetworkSockets"
         android:protectionLevel="dangerous|instant" />
 diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
-index f6600462ea74..a79fa8e95b6e 100644
+index 29af7d71914f..fd30d719b996 100644
 --- a/core/res/res/values/strings.xml
 +++ b/core/res/res/values/strings.xml
@@ -747,6 +747,11 @@
--- a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch
@ -1,4 +1,4 @@
-From 880011e7af233249e1b70177daa3cd786574bc85 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Sat, 22 Jul 2017 21:43:50 -0400
 Subject: [PATCH] always treat INTERNET as a runtime permission
@ -11,7 +11,7 @@ diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGrou
 index aafce8df5..e6087de4c 100644
 --- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
 +++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
-@@ -26,6 +26,7 @@
+@@ -26,6 +26,7 @@ import android.content.pm.PackageItemInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.PermissionGroupInfo;
 import android.content.pm.PermissionInfo;
@ -19,7 +19,7 @@ index aafce8df5..e6087de4c 100644
 import android.os.Build;
 import android.os.Process;
 import android.os.UserHandle;
-@@ -338,7 +339,7 @@ public boolean areRuntimePermissionsGranted(String[] filterPermissions) {
+@@ -338,7 +339,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
                     && !ArrayUtils.contains(filterPermissions, permission.getName())) {
                 continue;
             }
@ -28,7 +28,7 @@ index aafce8df5..e6087de4c 100644
                 if (permission.isGranted()) {
                     return true;
                 }
-@@ -371,7 +372,7 @@ public boolean grantRuntimePermissions(boolean fixedByTheUser, String[] filterPe
+@@ -371,7 +372,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
                 continue;
             }
 
@ -37,7 +37,7 @@ index aafce8df5..e6087de4c 100644
                 // Do not touch permissions fixed by the system.
                 if (permission.isSystemFixed()) {
                     return false;
-@@ -473,7 +474,7 @@ public boolean revokeRuntimePermissions(boolean fixedByTheUser, String[] filterP
+@@ -473,7 +474,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
                 continue;
             }
 
--- a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch
@ -1,4 +1,4 @@
-From c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Fri, 21 Jul 2017 10:29:15 -0400
 Subject: [PATCH] add NETWORK permission group
@ -11,7 +11,7 @@ diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/
 index 85a102831..423b319ee 100644
 --- a/src/com/android/packageinstaller/permission/utils/Utils.java
 +++ b/src/com/android/packageinstaller/permission/utils/Utils.java
-@@ -51,7 +51,8 @@
+@@ -51,7 +51,8 @@ public final class Utils {
             Manifest.permission_group.SMS,
             Manifest.permission_group.PHONE,
             Manifest.permission_group.MICROPHONE,
--- a/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
+++ b/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
@ -8,7 +8,7 @@ Subject: [PATCH] remove legacy NETWORK permission group reference
 1 file changed, 1 deletion(-)

 diff --git a/AndroidManifest.xml b/AndroidManifest.xml
-index 302a58e5..65f38e86 100644
+index 067bc937..930a3b6f 100644
 --- a/AndroidManifest.xml
 +++ b/AndroidManifest.xml
@@ -29,7 +29,6 @@
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -117,6 +117,11 @@ applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
 if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch";
+fi;
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service
@ -183,6 +188,10 @@ if enterAndClear "hardware/qcom/display-caf/msm8998"; then
 applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8998.patch";
 fi;

+if enterAndClear "libcore"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 if enterAndClear "lineage-sdk"; then
 awk -i inplace '!/LineageWeatherManagerService/' lineage/res/res/values/config.xml; #Disable Weather
 if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAudioService/' lineage/res/res/values/config.xml; fi; #Remove AudioFX
@ -201,6 +210,13 @@ rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml
 applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytics.patch"; #Remove analytics
 fi;

+if enterAndClear "packages/apps/PackageInstaller"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
+applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch";
+fi;
+fi;
+
 if enterAndClear "packages/apps/Settings"; then
 git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@ -234,6 +250,10 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;

+if enterAndClear "packages/providers/DownloadProvider"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 if enterAndClear "packages/services/Telephony"; then
 git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch";