Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity

15.1: June ASB work

Browse Source 
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-06-19 16:19:28 -04:00
parent 7e6c6ad5e5
commit 203e27bc0c
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
6 changed files with 234 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
Patches/LineageOS-15.1/android_frameworks_base/394878.patch Normal file
View File

@ -0,0 +1,43 @@
From 2d2a31353a07daf096aa9e2ca09e18ad2773b1ba Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Tue, 26 Mar 2024 10:31:44 -0700
Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
Another verification is needed after Bundle modification.
Bug: 321941232
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
---
.../android/server/accounts/AccountManagerService.java | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 4e4c261d0cc46..19e1a4c55120a 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -3453,6 +3453,11 @@ public void onResult(Bundle result) {
// Strip auth token from result.
result.remove(AccountManager.KEY_AUTHTOKEN);
+ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
if (Log.isLoggable(TAG, Log.VERBOSE)) {
Log.v(TAG,
@@ -5039,6 +5044,11 @@ public void onResult(Bundle result) {
} else {
if (mStripAuthTokenFromResult) {
result.remove(AccountManager.KEY_AUTHTOKEN);
+ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
}
if (Log.isLoggable(TAG, Log.VERBOSE)) {
Log.v(TAG, getClass().getSimpleName()

53
Patches/LineageOS-15.1/android_frameworks_base/394879.patch Normal file
View File

@ -0,0 +1,53 @@
From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001
From: Chris Wailes <chriswailes@google.com>
Date: Thu, 18 Apr 2019 18:25:57 -0700
Subject: [PATCH] Adds additional sanitization for Zygote command arguments.
Previously we were only insuring that the arguments provided to the
Zygote didn't contain any newlines. This adds additional checks for
carriage returns and standalone integer arguments to protect against
malicious argument and packet injection respectively.
Bug: 130164289
Test: m & flash & boot & check logs
Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
---
core/java/android/os/ZygoteProcess.java | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
index 6994033a963a8..904ec46859fa4 100644
--- a/core/java/android/os/ZygoteProcess.java
+++ b/core/java/android/os/ZygoteProcess.java
@@ -16,6 +16,7 @@
package android.os;
+import android.annotation.NonNull;
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.util.Log;
@@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
*/
@GuardedBy("mLock")
private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
- ZygoteState zygoteState, ArrayList<String> args)
+ ZygoteState zygoteState, @NonNull ArrayList<String> args)
throws ZygoteStartFailedEx {
try {
// Throw early if any of the arguments are malformed. This means we can
// avoid writing a partial response to the zygote.
int sz = args.size();
for (int i = 0; i < sz; i++) {
+ // Making two indexOf calls here is faster than running a manually fused loop due
+ // to the fact that indexOf is a optimized intrinsic.
if (args.get(i).indexOf('\n') >= 0) {
- throw new ZygoteStartFailedEx("embedded newlines not allowed");
+ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+ } else if (args.get(i).indexOf('\r') >= 0) {
+ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
}
}

32
Patches/LineageOS-15.1/android_frameworks_base/394880.patch Normal file
View File

@ -0,0 +1,32 @@
From 00ff56bb646c525192f06cbeed96c3dc78d45795 Mon Sep 17 00:00:00 2001
From: Hans Boehm <hboehm@google.com>
Date: Tue, 2 Jan 2024 16:53:13 -0800
Subject: [PATCH] Check hidden API exemptions
Refuse to deal with newlines and null characters in
HiddenApiSettings.update(). Also disallow nulls in process start
arguments.
Bug: 316153291
Test: Treehugger for now
(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
---
core/java/android/os/ZygoteProcess.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
index 904ec46859fa4..aab1d9d578031 100644
--- a/core/java/android/os/ZygoteProcess.java
+++ b/core/java/android/os/ZygoteProcess.java
@@ -292,6 +292,8 @@ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
throw new ZygoteStartFailedEx("Embedded newlines not allowed");
} else if (args.get(i).indexOf('\r') >= 0) {
throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+ } else if (args.get(i).indexOf('\u0000') >= 0) {
+ throw new ZygoteStartFailedEx("Embedded nulls not allowed");
}
}

60
Patches/LineageOS-15.1/android_frameworks_base/394881-backport.patch Normal file
View File

@ -0,0 +1,60 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ameer Armaly <aarmaly@google.com>
Date: Fri, 8 Mar 2024 19:41:06 +0000
Subject: [PATCH] AccessibilityManagerService: remove uninstalled services from
enabled list after service update.
Bug: 326485767
Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
---
.../AccessibilityManagerService.java | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
index 1e07aa5d4376..99f997220c40 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
@@ -1548,10 +1548,13 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
boolean isUnlockingOrUnlocked = LocalServices.getService(UserManagerInternal.class)
.isUserUnlockingOrUnlocked(userState.mUserId);
+ // Store the list of installed services.
+ mTempComponentNameSet.clear();
for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
ComponentName componentName = ComponentName.unflattenFromString(
installedService.getId());
+ mTempComponentNameSet.add(componentName);
Service service = componentNameToServiceMap.get(componentName);
@@ -1594,6 +1597,26 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
if (audioManager != null) {
audioManager.setAccessibilityServiceUids(mTempIntArray);
}
+
+ // If any services have been removed, remove them from the enabled list and the touch
+ // exploration granted list.
+ boolean anyServiceRemoved =
+ userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
+ || userState.mTouchExplorationGrantedServices.removeIf(
+ (comp) -> !mTempComponentNameSet.contains(comp));
+ if (anyServiceRemoved) {
+ // Update the enabled services setting.
+ persistComponentNamesToSettingLocked(
+ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
+ userState.mEnabledServices,
+ userState.mUserId);
+ // Update the touch exploration granted services setting.
+ persistComponentNamesToSettingLocked(
+ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
+ userState.mTouchExplorationGrantedServices,
+ userState.mUserId);
+ }
+ mTempComponentNameSet.clear();
updateAccessibilityEnabledSetting(userState);
}

40
Patches/LineageOS-15.1/android_frameworks_base/394882.patch Normal file
View File

@ -0,0 +1,40 @@
From 538cc6c384985f272dc7ab6c7cc7222a59b4c341 Mon Sep 17 00:00:00 2001
From: Guojing Yuan <guojing@google.com>
Date: Thu, 14 Dec 2023 19:30:04 +0000
Subject: [PATCH] [BACKPORT] Check permissions for CDM shell commands
Override handleShellCommand instead of onShellCommand because
Binder.onShellCommand checks the necessary permissions of the caller.
Backport by mse1969@posteo.de:
In Pie, method handleShellCommand does not exist, only Binder.onShellCommand, in which
the caller uid check isn't yet implemented. Backport: Take over the uid check from A11
and implement it in the method override.
Bug: 313428840
Test: manually tested CDM shell commands
(cherry picked from commit 1761a0fee9c2cd9787bbb7fbdbe30b4c2b03396e)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d008c61451dba86aa9f14c6bcd661db2cea4856)
Merged-In: I5539b3594feb5544c458c0fd1061b51a0a808900
Change-Id: I5539b3594feb5544c458c0fd1061b51a0a808900
---
.../server/companion/CompanionDeviceManagerService.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
index 087fe8560fc80..8ffb53f8a3b9d 100644
--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
@@ -345,6 +345,11 @@ private void checkUsesFeature(String pkg, int userId) {
public void onShellCommand(FileDescriptor in, FileDescriptor out, FileDescriptor err,
String[] args, ShellCallback callback, ResultReceiver resultReceiver)
throws RemoteException {
+ final int callingUid = Binder.getCallingUid();
+ if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
+ resultReceiver.send(-1, null);
+ throw new RemoteException("Shell commands are only callable by ADB");
+ }
new ShellCmd().exec(this, in, out, err, args, callback, resultReceiver);
}
}

7
Scripts/LineageOS-15.1/Patch.sh
View File

@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2021-10-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -258,6 +258,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 R
applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
applyPatch "$DOS_PATCHES/android_frameworks_base/389014-backport.patch"; #S_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)