mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
15.1: June ASB work
Signed-off-by: Tavi <tavi@divested.dev>
parent
7e6c6ad5e5
commit
203e27bc0c
43
Patches/LineageOS-15.1/android_frameworks_base/394878.patch
Normal file
43
Patches/LineageOS-15.1/android_frameworks_base/394878.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 2d2a31353a07daf096aa9e2ca09e18ad2773b1ba Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Dementyev <dementyev@google.com>
|
||||
Date: Tue, 26 Mar 2024 10:31:44 -0700
|
||||
Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
|
||||
|
||||
Another verification is needed after Bundle modification.
|
||||
Bug: 321941232
|
||||
Test: manual
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
|
||||
Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
|
||||
Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
|
||||
---
|
||||
.../android/server/accounts/AccountManagerService.java | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||
index 4e4c261d0cc46..19e1a4c55120a 100644
|
||||
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||
@@ -3453,6 +3453,11 @@ public void onResult(Bundle result) {
|
||||
|
||||
// Strip auth token from result.
|
||||
result.remove(AccountManager.KEY_AUTHTOKEN);
|
||||
+ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
|
||||
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
|
||||
+ "invalid intent in bundle returned");
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
if (Log.isLoggable(TAG, Log.VERBOSE)) {
|
||||
Log.v(TAG,
|
||||
@@ -5039,6 +5044,11 @@ public void onResult(Bundle result) {
|
||||
} else {
|
||||
if (mStripAuthTokenFromResult) {
|
||||
result.remove(AccountManager.KEY_AUTHTOKEN);
|
||||
+ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
|
||||
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
|
||||
+ "invalid intent in bundle returned");
|
||||
+ return;
|
||||
+ }
|
||||
}
|
||||
if (Log.isLoggable(TAG, Log.VERBOSE)) {
|
||||
Log.v(TAG, getClass().getSimpleName()
|
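Review bot: The re-check added after `result.remove(AccountManager.KEY_AUTHTOKEN)` in both `onResult` hunks has no comment saying why the bundle must be verified again, so a later cleanup could mistake it for a duplicate and delete it. I would add above each `if` something like `// Re-run checkKeyIntent: remove() modified the Bundle, so an earlier verification no longer covers what is returned.` In the second hunk the check sits inside `if (mStripAuthTokenFromResult)`, so the non-stripping path depends on whatever verification happens elsewhere in `onResult`, which is outside the hunk and should be confirmed. The same five lines appear in both places; a small private helper would keep them from drifting apart. Both `onResult` bodies start and end outside the hunks.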
53
Patches/LineageOS-15.1/android_frameworks_base/394879.patch
Normal file
53
Patches/LineageOS-15.1/android_frameworks_base/394879.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Wailes <chriswailes@google.com>
|
||||
Date: Thu, 18 Apr 2019 18:25:57 -0700
|
||||
Subject: [PATCH] Adds additional sanitization for Zygote command arguments.
|
||||
|
||||
Previously we were only insuring that the arguments provided to the
|
||||
Zygote didn't contain any newlines. This adds additional checks for
|
||||
carriage returns and standalone integer arguments to protect against
|
||||
malicious argument and packet injection respectively.
|
||||
|
||||
Bug: 130164289
|
||||
Test: m & flash & boot & check logs
|
||||
Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
|
||||
Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
|
||||
(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
|
||||
---
|
||||
core/java/android/os/ZygoteProcess.java | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
|
||||
index 6994033a963a8..904ec46859fa4 100644
|
||||
--- a/core/java/android/os/ZygoteProcess.java
|
||||
+++ b/core/java/android/os/ZygoteProcess.java
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
package android.os;
|
||||
|
||||
+import android.annotation.NonNull;
|
||||
import android.net.LocalSocket;
|
||||
import android.net.LocalSocketAddress;
|
||||
import android.util.Log;
|
||||
@@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
|
||||
*/
|
||||
@GuardedBy("mLock")
|
||||
private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
|
||||
- ZygoteState zygoteState, ArrayList<String> args)
|
||||
+ ZygoteState zygoteState, @NonNull ArrayList<String> args)
|
||||
throws ZygoteStartFailedEx {
|
||||
try {
|
||||
// Throw early if any of the arguments are malformed. This means we can
|
||||
// avoid writing a partial response to the zygote.
|
||||
int sz = args.size();
|
||||
for (int i = 0; i < sz; i++) {
|
||||
+ // Making two indexOf calls here is faster than running a manually fused loop due
|
||||
+ // to the fact that indexOf is a optimized intrinsic.
|
||||
if (args.get(i).indexOf('\n') >= 0) {
|
||||
- throw new ZygoteStartFailedEx("embedded newlines not allowed");
|
||||
+ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
|
||||
+ } else if (args.get(i).indexOf('\r') >= 0) {
|
||||
+ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
|
||||
}
|
||||
}
|
||||
|
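Review bot: The description promises checks for carriage returns and for standalone integer arguments, but the seven added lines in `zygoteSendArgsAndGetResult` only add the `'\r'` test; nothing here rejects an argument that is a bare integer. Either the integer check belongs in this backport, or the description and the `applyPatch` comment should say it is not covered, so nobody assumes that case is closed on this branch. Separately, `@NonNull` on `args` is an annotation only and `args.get(i)` is fetched twice per iteration; `final String arg = args.get(i);` at the top of the loop would read better and give one place to reject a null element. The function body continues outside the hunk.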
32
Patches/LineageOS-15.1/android_frameworks_base/394880.patch
Normal file
32
Patches/LineageOS-15.1/android_frameworks_base/394880.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 00ff56bb646c525192f06cbeed96c3dc78d45795 Mon Sep 17 00:00:00 2001
|
||||
From: Hans Boehm <hboehm@google.com>
|
||||
Date: Tue, 2 Jan 2024 16:53:13 -0800
|
||||
Subject: [PATCH] Check hidden API exemptions
|
||||
|
||||
Refuse to deal with newlines and null characters in
|
||||
HiddenApiSettings.update(). Also disallow nulls in process start
|
||||
arguments.
|
||||
|
||||
Bug: 316153291
|
||||
Test: Treehugger for now
|
||||
(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
|
||||
Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
|
||||
Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
|
||||
---
|
||||
core/java/android/os/ZygoteProcess.java | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
|
||||
index 904ec46859fa4..aab1d9d578031 100644
|
||||
--- a/core/java/android/os/ZygoteProcess.java
|
||||
+++ b/core/java/android/os/ZygoteProcess.java
|
||||
@@ -292,6 +292,8 @@ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
|
||||
throw new ZygoteStartFailedEx("Embedded newlines not allowed");
|
||||
} else if (args.get(i).indexOf('\r') >= 0) {
|
||||
throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
|
||||
+ } else if (args.get(i).indexOf('\u0000') >= 0) {
|
||||
+ throw new ZygoteStartFailedEx("Embedded nulls not allowed");
|
||||
}
|
||||
}
|
||||
|
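Review bot: Only the process-start half of the described fix is present: the patch touches `ZygoteProcess.java` alone (2 insertions), and the `HiddenApiSettings.update()` filtering for newlines and null characters named in the description is not part of it. If that class does not exist on this branch, the patch description should say so; otherwise that input may remain unfiltered at its source. With this third `indexOf` branch, the comment added by 394879.patch, `// Making two indexOf calls here is faster ...`, is out of date (it sits just above the hunk) and should say three. The loop and the function extend beyond the hunk.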
@ -0,0 +1,60 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ameer Armaly <aarmaly@google.com>
|
||||
Date: Fri, 8 Mar 2024 19:41:06 +0000
|
||||
Subject: [PATCH] AccessibilityManagerService: remove uninstalled services from
|
||||
enabled list after service update.
|
||||
|
||||
Bug: 326485767
|
||||
Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
|
||||
Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
|
||||
Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
|
||||
---
|
||||
.../AccessibilityManagerService.java | 23 +++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
|
||||
index 1e07aa5d4376..99f997220c40 100644
|
||||
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
|
||||
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
|
||||
@@ -1548,10 +1548,13 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
|
||||
boolean isUnlockingOrUnlocked = LocalServices.getService(UserManagerInternal.class)
|
||||
.isUserUnlockingOrUnlocked(userState.mUserId);
|
||||
|
||||
+ // Store the list of installed services.
|
||||
+ mTempComponentNameSet.clear();
|
||||
for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
|
||||
AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
|
||||
ComponentName componentName = ComponentName.unflattenFromString(
|
||||
installedService.getId());
|
||||
+ mTempComponentNameSet.add(componentName);
|
||||
|
||||
Service service = componentNameToServiceMap.get(componentName);
|
||||
|
||||
@@ -1594,6 +1597,26 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
|
||||
if (audioManager != null) {
|
||||
audioManager.setAccessibilityServiceUids(mTempIntArray);
|
||||
}
|
||||
+
|
||||
+ // If any services have been removed, remove them from the enabled list and the touch
|
||||
+ // exploration granted list.
|
||||
+ boolean anyServiceRemoved =
|
||||
+ userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
|
||||
+ || userState.mTouchExplorationGrantedServices.removeIf(
|
||||
+ (comp) -> !mTempComponentNameSet.contains(comp));
|
||||
+ if (anyServiceRemoved) {
|
||||
+ // Update the enabled services setting.
|
||||
+ persistComponentNamesToSettingLocked(
|
||||
+ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
|
||||
+ userState.mEnabledServices,
|
||||
+ userState.mUserId);
|
||||
+ // Update the touch exploration granted services setting.
|
||||
+ persistComponentNamesToSettingLocked(
|
||||
+ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
|
||||
+ userState.mTouchExplorationGrantedServices,
|
||||
+ userState.mUserId);
|
||||
+ }
|
||||
+ mTempComponentNameSet.clear();
|
||||
updateAccessibilityEnabledSetting(userState);
|
||||
}
|
||||
|
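Review bot: The `||` in the `anyServiceRemoved` assignment short-circuits, so when `mEnabledServices.removeIf(...)` removes something, the `removeIf` on `mTouchExplorationGrantedServices` never runs. A stale entry for an uninstalled service then stays in that set and is persisted as-is by the second `persistComponentNamesToSettingLocked` call. Evaluate both sides unconditionally, e.g. `boolean enabledRemoved = userState.mEnabledServices.removeIf(c -> !mTempComponentNameSet.contains(c));` then `boolean touchRemoved = userState.mTouchExplorationGrantedServices.removeIf(c -> !mTempComponentNameSet.contains(c));` and `if (enabledRemoved || touchRemoved) {`. The enclosing method starts outside both hunks.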
40
Patches/LineageOS-15.1/android_frameworks_base/394882.patch
Normal file
40
Patches/LineageOS-15.1/android_frameworks_base/394882.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 538cc6c384985f272dc7ab6c7cc7222a59b4c341 Mon Sep 17 00:00:00 2001
|
||||
From: Guojing Yuan <guojing@google.com>
|
||||
Date: Thu, 14 Dec 2023 19:30:04 +0000
|
||||
Subject: [PATCH] [BACKPORT] Check permissions for CDM shell commands
|
||||
|
||||
Override handleShellCommand instead of onShellCommand because
|
||||
Binder.onShellCommand checks the necessary permissions of the caller.
|
||||
|
||||
Backport by mse1969@posteo.de:
|
||||
In Pie, method handleShellCommand does not exist, only Binder.onShellCommand, in which
|
||||
the caller uid check isn't yet implemented. Backport: Take over the uid check from A11
|
||||
and implement it in the method override.
|
||||
|
||||
Bug: 313428840
|
||||
|
||||
Test: manually tested CDM shell commands
|
||||
(cherry picked from commit 1761a0fee9c2cd9787bbb7fbdbe30b4c2b03396e)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d008c61451dba86aa9f14c6bcd661db2cea4856)
|
||||
Merged-In: I5539b3594feb5544c458c0fd1061b51a0a808900
|
||||
Change-Id: I5539b3594feb5544c458c0fd1061b51a0a808900
|
||||
---
|
||||
.../server/companion/CompanionDeviceManagerService.java | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
|
||||
index 087fe8560fc80..8ffb53f8a3b9d 100644
|
||||
--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
|
||||
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
|
||||
@@ -345,6 +345,11 @@ private void checkUsesFeature(String pkg, int userId) {
|
||||
public void onShellCommand(FileDescriptor in, FileDescriptor out, FileDescriptor err,
|
||||
String[] args, ShellCallback callback, ResultReceiver resultReceiver)
|
||||
throws RemoteException {
|
||||
+ final int callingUid = Binder.getCallingUid();
|
||||
+ if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
|
||||
+ resultReceiver.send(-1, null);
|
||||
+ throw new RemoteException("Shell commands are only callable by ADB");
|
||||
+ }
|
||||
new ShellCmd().exec(this, in, out, err, args, callback, resultReceiver);
|
||||
}
|
||||
}
|
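Review bot: The rejection in `onShellCommand` is raised as `RemoteException`, which callers normally read as a transport failure rather than a denial; `throw new SecurityException("Shell commands are only callable by ADB");` states the reason and, as far as I recall, is what the newer-release check this was taken from throws. `resultReceiver` is dereferenced without a null check before the throw, so a null receiver would surface as a `NullPointerException` instead of the intended error; `if (resultReceiver != null) resultReceiver.send(-1, null);` avoids that. Logging the rejected `callingUid` at warning level would leave a trace when an unexpected caller reaches this interface. A short comment above the check should note that this release's `Binder.onShellCommand` does no caller check itself, which is why it is done here.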
@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
|
||||
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
|
||||
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
sed -i 's/2021-10-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||
sed -i 's/2021-10-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -258,6 +258,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 R
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/389014-backport.patch"; #S_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
|
||||
|