diff --git a/Patches/LineageOS-15.1/android_frameworks_base/394878.patch b/Patches/LineageOS-15.1/android_frameworks_base/394878.patch
new file mode 100644
index 00000000..1c3d988c
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/394878.patch
@@ -0,0 +1,43 @@
+From 2d2a31353a07daf096aa9e2ca09e18ad2773b1ba Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev
+Date: Tue, 26 Mar 2024 10:31:44 -0700
+Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
+
+Another verification is needed after Bundle modification.
+Bug: 321941232
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
+Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
+Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 4e4c261d0cc46..19e1a4c55120a 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3453,6 +3453,11 @@ public void onResult(Bundle result) {
+
+ // Strip auth token from result.
+ result.remove(AccountManager.KEY_AUTHTOKEN);
++ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++ "invalid intent in bundle returned");
++ return;
++ }
+
+ if (Log.isLoggable(TAG, Log.VERBOSE)) {
+ Log.v(TAG,
+@@ -5039,6 +5044,11 @@ public void onResult(Bundle result) {
+ } else {
+ if (mStripAuthTokenFromResult) {
+ result.remove(AccountManager.KEY_AUTHTOKEN);
++ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++ "invalid intent in bundle returned");
++ return;
++ }
+ }
+ if (Log.isLoggable(TAG, Log.VERBOSE)) {
+ Log.v(TAG, getClass().getSimpleName()
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/394879.patch b/Patches/LineageOS-15.1/android_frameworks_base/394879.patch
new file mode 100644
index 00000000..2f57b737
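Review bot: The two added `checkKeyIntent` calls carry no comment saying why the bundle has to be validated a second time right after `result.remove(AccountManager.KEY_AUTHTOKEN)`, so the rationale lives only in the commit message ("Another verification is needed after Bundle modification"). Suggest `// Bundle was modified above; re-run checkKeyIntent before the result is used.` in front of each new `if`, and a clause in the second one stating that the re-check is deliberately limited to the `mStripAuthTokenFromResult` branch because that is the only branch that modifies the bundle. Both enclosing `onResult` callbacks start before their hunk and end after it, so the earlier `checkKeyIntent` call these presumably complement is not visible here.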
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/394879.patch
@@ -0,0 +1,53 @@
+From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001
+From: Chris Wailes
+Date: Thu, 18 Apr 2019 18:25:57 -0700
+Subject: [PATCH] Adds additional sanitization for Zygote command arguments.
+
+Previously we were only insuring that the arguments provided to the
+Zygote didn't contain any newlines. This adds additional checks for
+carriage returns and standalone integer arguments to protect against
+malicious argument and packet injection respectively.
+
+Bug: 130164289
+Test: m & flash & boot & check logs
+Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
+Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
+(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
+---
+ core/java/android/os/ZygoteProcess.java | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 6994033a963a8..904ec46859fa4 100644
+--- a/core/java/android/os/ZygoteProcess.java
++++ b/core/java/android/os/ZygoteProcess.java
+@@ -16,6 +16,7 @@
+
+ package android.os;
+
++import android.annotation.NonNull;
+ import android.net.LocalSocket;
+ import android.net.LocalSocketAddress;
+ import android.util.Log;
+@@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
+ */
+ @GuardedBy("mLock")
+ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+- ZygoteState zygoteState, ArrayList args)
++ ZygoteState zygoteState, @NonNull ArrayList args)
+ throws ZygoteStartFailedEx {
+ try {
+ // Throw early if any of the arguments are malformed. This means we can
+ // avoid writing a partial response to the zygote.
+ int sz = args.size();
+ for (int i = 0; i < sz; i++) {
++ // Making two indexOf calls here is faster than running a manually fused loop due
++ // to the fact that indexOf is a optimized intrinsic.
+ if (args.get(i).indexOf('\n') >= 0) {
+- throw new ZygoteStartFailedEx("embedded newlines not allowed");
++ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
++ } else if (args.get(i).indexOf('\r') >= 0) {
++ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+ }
+ }
+
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/394880.patch b/Patches/LineageOS-15.1/android_frameworks_base/394880.patch
new file mode 100644
index 00000000..888b1e6f
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/394880.patch
@@ -0,0 +1,32 @@
+From 00ff56bb646c525192f06cbeed96c3dc78d45795 Mon Sep 17 00:00:00 2001
+From: Hans Boehm
+Date: Tue, 2 Jan 2024 16:53:13 -0800
+Subject: [PATCH] Check hidden API exemptions
+
+Refuse to deal with newlines and null characters in
+HiddenApiSettings.update(). Also disallow nulls in process start
+arguments.
+
+Bug: 316153291
+Test: Treehugger for now
+(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
+Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+---
+ core/java/android/os/ZygoteProcess.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 904ec46859fa4..aab1d9d578031 100644
+--- a/core/java/android/os/ZygoteProcess.java
++++ b/core/java/android/os/ZygoteProcess.java
+@@ -292,6 +292,8 @@ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+ } else if (args.get(i).indexOf('\r') >= 0) {
+ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
++ } else if (args.get(i).indexOf('\u0000') >= 0) {
++ throw new ZygoteStartFailedEx("Embedded nulls not allowed");
+ }
+ }
+
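Review bot: The commit description says the change adds checks for "carriage returns and standalone integer arguments", but the patch body touches only `core/java/android/os/ZygoteProcess.java` (7 insertions, 2 deletions) and the only new rejection is the `'\r'` branch; no integer-argument check appears anywhere in this file. If that part was dropped when the upstream commit was trimmed for this branch, say so in the patch header, e.g. `Backport note: the standalone-integer-argument check from the original commit is not included.`, otherwise the missing hunk should be carried over. The enclosing `zygoteSendArgsAndGetResult` starts before the hunk and continues after it.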
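Review bot: The new branch spells the null character as `'\u0000'`; Java translates Unicode escapes before tokenizing, so this compiles, but it is the form that breaks when someone later copies it for a line terminator, and the conventional octal escape reads more clearly: `} else if (args.get(i).indexOf('\0') >= 0) {`. Separately, the subject "Check hidden API exemptions" and the `HiddenApiSettings.update()` sentence describe code this patch file does not contain — its diffstat is `core/java/android/os/ZygoteProcess.java | 2 ++` only — so on this branch just the "disallow nulls in process start arguments" half applies; a one-line backport note in the header saying that would save the next reader a search.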
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/394881-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/394881-backport.patch
new file mode 100644
index 00000000..6559c73b
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/394881-backport.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ameer Armaly
+Date: Fri, 8 Mar 2024 19:41:06 +0000
+Subject: [PATCH] AccessibilityManagerService: remove uninstalled services from
+ enabled list after service update.
+
+Bug: 326485767
+Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
+Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+---
+ .../AccessibilityManagerService.java | 23 +++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 1e07aa5d4376..99f997220c40 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1548,10 +1548,13 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
+ boolean isUnlockingOrUnlocked = LocalServices.getService(UserManagerInternal.class)
+ .isUserUnlockingOrUnlocked(userState.mUserId);
+
++ // Store the list of installed services.
++ mTempComponentNameSet.clear();
+ for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
+ AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
+ ComponentName componentName = ComponentName.unflattenFromString(
+ installedService.getId());
++ mTempComponentNameSet.add(componentName);
+
+ Service service = componentNameToServiceMap.get(componentName);
+
+@@ -1594,6 +1597,26 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
+ if (audioManager != null) {
+ audioManager.setAccessibilityServiceUids(mTempIntArray);
+ }
++
++ // If any services have been removed, remove them from the enabled list and the touch
++ // exploration granted list.
++ boolean anyServiceRemoved =
++ userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
++ || userState.mTouchExplorationGrantedServices.removeIf(
++ (comp) -> !mTempComponentNameSet.contains(comp));
++ if (anyServiceRemoved) {
++ // Update the enabled services setting.
++ persistComponentNamesToSettingLocked(
++ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
++ userState.mEnabledServices,
++ userState.mUserId);
++ // Update the touch exploration granted services setting.
++ persistComponentNamesToSettingLocked(
++ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
++ userState.mTouchExplorationGrantedServices,
++ userState.mUserId);
++ }
++ mTempComponentNameSet.clear();
+ updateAccessibilityEnabledSetting(userState);
+ }
+
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/394882.patch b/Patches/LineageOS-15.1/android_frameworks_base/394882.patch
new file mode 100644
index 00000000..87ddb70d
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/394882.patch
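Review bot: The `||` between the two `removeIf` calls short-circuits, so whenever `userState.mEnabledServices.removeIf(...)` removes something the second `removeIf` on `userState.mTouchExplorationGrantedServices` is skipped, stale entries stay in that list, and `persistComponentNamesToSettingLocked` then writes them back unchanged. Evaluate both independently: `boolean enabledRemoved = userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp));`, `boolean grantedRemoved = userState.mTouchExplorationGrantedServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp));`, `if (enabledRemoved || grantedRemoved) {`. The first hunk also adds the result of `ComponentName.unflattenFromString(installedService.getId())` to `mTempComponentNameSet` with no null check; the existing map lookup already tolerated a null there, so presumably harmless, but confirm the set type accepts null. The enclosing method begins before the first hunk and the two hunks are separated by code not shown, so whether `mTempComponentNameSet` is reused in between is unverified.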
@@ -0,0 +1,40 @@
+From 538cc6c384985f272dc7ab6c7cc7222a59b4c341 Mon Sep 17 00:00:00 2001
+From: Guojing Yuan
+Date: Thu, 14 Dec 2023 19:30:04 +0000
+Subject: [PATCH] [BACKPORT] Check permissions for CDM shell commands
+
+Override handleShellCommand instead of onShellCommand because
+Binder.onShellCommand checks the necessary permissions of the caller.
+
+Backport by mse1969@posteo.de:
+In Pie, method handleShellCommand does not exist, only Binder.onShellCommand, in which
+the caller uid check isn't yet implemented. Backport: Take over the uid check from A11
+and implement it in the method override.
+
+Bug: 313428840
+
+Test: manually tested CDM shell commands
+(cherry picked from commit 1761a0fee9c2cd9787bbb7fbdbe30b4c2b03396e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d008c61451dba86aa9f14c6bcd661db2cea4856)
+Merged-In: I5539b3594feb5544c458c0fd1061b51a0a808900
+Change-Id: I5539b3594feb5544c458c0fd1061b51a0a808900
+---
+ .../server/companion/CompanionDeviceManagerService.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index 087fe8560fc80..8ffb53f8a3b9d 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -345,6 +345,11 @@ private void checkUsesFeature(String pkg, int userId) {
+ public void onShellCommand(FileDescriptor in, FileDescriptor out, FileDescriptor err,
+ String[] args, ShellCallback callback, ResultReceiver resultReceiver)
+ throws RemoteException {
++ final int callingUid = Binder.getCallingUid();
++ if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
++ resultReceiver.send(-1, null);
++ throw new RemoteException("Shell commands are only callable by
ADB");
++ }
+ new ShellCmd().exec(this, in, out, err, args, callback, resultReceiver);
+ }
+ }
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index b5127c54..0be493ef 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
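Review bot: `resultReceiver.send(-1, null)` runs before the `RemoteException` with no null check, so if a null receiver can reach `onShellCommand` the intended permission-denied path becomes a `NullPointerException`; guard it with `if (resultReceiver != null) resultReceiver.send(-1, null);`. The hunk adds no imports (diffstat: 5 insertions) while referencing `Binder` and `Process`, so confirm both are already imported in this branch's `CompanionDeviceManagerService.java`. As rendered here the string literal is split between `callable by` and `ADB");` on the following line; if that break exists in the stored patch file rather than being an artifact of this page, the patched file will not compile. The enclosing class continues outside the hunk.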
@@ -258,6 +258,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 R
 applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/389014-backport.patch"; #S_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
+applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
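Review bot: The comment on the new `394880.patch` line repeats the upstream subject "Check hidden API exemptions", but the patch file added in this same commit carries only the null-character check in `ZygoteProcess.java` (its diffstat lists that file alone, 2 insertions) and nothing touching hidden-API handling, so the comment misdescribes what this branch receives. Suggest `applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Disallow null characters in Zygote process start arguments` or, if the convention is to mirror upstream subjects verbatim, keep the subject and append `(Zygote null-byte check only)`. The other four added lines match their patch subjects.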