Strict versionCode checks for system apps from GrapheneOS

Signed-off-by: Tad <tad@spotco.us>

Misc/Features/GrapheneOS.txt

@@ -56,6 +56,10 @@ nojit
 9  https://github.com/GrapheneOS/platform_build/commit/5b9927197e63593b9220d1a9280021252ef205e9
 9  https://github.com/GrapheneOS/platform_build/commit/e36c7aefaa78a1ed5b94c7f51d29277008eea232
 
+[implemented] reject system app updates of same versioncode
+13 https://github.com/GrapheneOS/platform_frameworks_base/commit/9a42266d62406e781148a720836962197157e71f
+13 https://github.com/GrapheneOS/platform_frameworks_base/commit/69dc926f33cec82434fe0d6aa78f83340298d6de
+
 [implemented] lte only mode
 13 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/b215ac3cd5e5062113f7b6f98825c524ed01d63d
 13 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/039ea5640897b7a95999010c9e0f025f1c1e66e7

Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 27 Dec 2022 11:40:14 +0200
+Subject: [PATCH] don't allow updating system packages to the same versionCode
+
+versionCode of many system packages, including privileged ones, is set to the current SDK version
+and is thus not incremented during non-major OS upgrades.
+This allowed to downgrade them to the older version that had the same versionCode.
+---
+ .../java/com/android/server/pm/InstallPackageHelper.java   | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+index 7da5f51bcbc2..0f3802ac794b 100644
+--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
++++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+@@ -2466,6 +2466,13 @@ final class InstallPackageHelper {
+                     }
+                 }
+             }
++
++            if (!Build.isDebuggable() && dataOwnerPkg != null && dataOwnerPkg.isSystem()) {
++                if (dataOwnerPkg.getLongVersionCode() == pkgLite.getLongVersionCode()) {
++                    return Pair.create(INSTALL_FAILED_SESSION_INVALID,
++                            "Not allowed to update system package to the same versionCode");
++                }
++            }
+         }
+         return Pair.create(PackageManager.INSTALL_SUCCEEDED, null);
+     }

Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch

@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 27 Dec 2022 11:21:28 +0200
+Subject: [PATCH] prefer package from OS image over equal version of upgraded
+ system package
+
+Previously, system package that was upgraded on the previous OS version was used by the OS even
+after OS upgrade that included the same version of this package in OS image.
+This weakened verified boot and wasted storage space.
+---
+ .../com/android/server/pm/InstallPackageHelper.java  | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+index 0f3802ac794b..9a4dbb0a0a12 100644
+--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
++++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+@@ -3842,10 +3842,10 @@ final class InstallPackageHelper {
+ 
+         final boolean newPkgChangedPaths = pkgAlreadyExists
+                 && !pkgSetting.getPathString().equals(parsedPackage.getPath());
+-        final boolean newPkgVersionGreater = pkgAlreadyExists
+-                && parsedPackage.getLongVersionCode() > pkgSetting.getVersionCode();
++        final boolean newPkgVersionGreaterOrEqual = pkgAlreadyExists
++                && parsedPackage.getLongVersionCode() >= pkgSetting.getVersionCode();
+         final boolean isSystemPkgBetter = scanSystemPartition && isSystemPkgUpdated
+-                && newPkgChangedPaths && newPkgVersionGreater;
++                && newPkgChangedPaths && newPkgVersionGreaterOrEqual;
+         if (isSystemPkgBetter) {
+             // The version of the application on /system is greater than the version on
+             // /data. Switch back to the application on /system.
+@@ -3873,8 +3873,8 @@ final class InstallPackageHelper {
+             }
+         }
+ 
+-        // The version of the application on the /system partition is less than or
+-        // equal to the version on the /data partition. Throw an exception and use
++        // The version of the application on the /system partition is less than
++        // the version on the /data partition. Throw an exception and use
+         // the application already installed on the /data partition.
+         if (scanSystemPartition && isSystemPkgUpdated && !isSystemPkgBetter) {
+             // In the case of a skipped package, commitReconciledScanResultLocked is not called to
+@@ -3938,7 +3938,7 @@ final class InstallPackageHelper {
+                     deletePackageHelper.deletePackageLIF(parsedPackage.getPackageName(), null, true,
+                             mPm.mUserManager.getUserIds(), 0, null, false);
+                 }
+-            } else if (newPkgVersionGreater) {
++            } else if (newPkgVersionGreaterOrEqual) {
+                 // The application on /system is newer than the application on /data.
+                 // Simply remove the application on /data [keeping application data]
+                 // and replace it with the version on /system.

Scripts/LineageOS-18.1/Functions.sh

@@ -115,7 +115,6 @@ patchWorkspace() {
 	#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 	#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
 	repopick -it R_tzdb2022f;
-	repopick -it R_asb_2023-01;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

Scripts/LineageOS-19.1/Functions.sh

@@ -80,7 +80,6 @@ patchWorkspace() {
 	#repopick -ift twelve-bt-sbc-hd-dualchannel;
 	#repopick -it twelve-colors;
 	repopick -it S_tzdb2022f;
-	repopick -it S_asb_2023-01;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

Scripts/LineageOS-20.0/Patch.sh

@@ -177,6 +177,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Burnin_Protection.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch"; #Don't allow updating system packages to the same versionCode (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch"; #Prefer package from OS image over equal version of upgraded system package (GrapheneOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)

Scripts/WebView_Update_Repo.sh

@@ -16,7 +16,7 @@
 umask 0022;
 set -uo pipefail;
 
-export version="108.0.5359.128-1";
+export version="109.0.5414.86-1";
 export PATH=$PATH:$HOME/Android/Sdk/build-tools/33.0.0;
 export webviewARM32="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm/webview.apk";
 export webviewARM64="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm64/webview.apk";