From 207bdd24069b53367bfb40c46e518e48cdbfe86a Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 10 Jan 2023 16:53:50 -0500 Subject: [PATCH] Strict versionCode checks for system apps from GrapheneOS Signed-off-by: Tad --- Misc/Features/GrapheneOS.txt | 4 ++ .../0029-Strict_versionCode_Checks-1.patch | 30 +++++++++++ .../0029-Strict_versionCode_Checks-2.patch | 51 +++++++++++++++++++ Scripts/LineageOS-18.1/Functions.sh | 1 - Scripts/LineageOS-19.1/Functions.sh | 1 - Scripts/LineageOS-20.0/Patch.sh | 2 + Scripts/WebView_Update_Repo.sh | 2 +- 7 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch create mode 100644 Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch diff --git a/Misc/Features/GrapheneOS.txt b/Misc/Features/GrapheneOS.txt index 4a117c52..4fc645cd 100644 --- a/Misc/Features/GrapheneOS.txt +++ b/Misc/Features/GrapheneOS.txt @@ -56,6 +56,10 @@ nojit 9 https://github.com/GrapheneOS/platform_build/commit/5b9927197e63593b9220d1a9280021252ef205e9 9 https://github.com/GrapheneOS/platform_build/commit/e36c7aefaa78a1ed5b94c7f51d29277008eea232 +[implemented] reject system app updates of same versioncode +13 https://github.com/GrapheneOS/platform_frameworks_base/commit/9a42266d62406e781148a720836962197157e71f +13 https://github.com/GrapheneOS/platform_frameworks_base/commit/69dc926f33cec82434fe0d6aa78f83340298d6de + [implemented] lte only mode 13 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/b215ac3cd5e5062113f7b6f98825c524ed01d63d 13 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/039ea5640897b7a95999010c9e0f025f1c1e66e7 diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch b/Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch new file mode 100644 index 00000000..515e9cf7 --- /dev/null 
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor
+Date: Tue, 27 Dec 2022 11:40:14 +0200
+Subject: [PATCH] don't allow updating system packages to the same versionCode
+
+versionCode of many system packages, including privileged ones, is set to the current SDK version
+and is thus not incremented during non-major OS upgrades.
+This allowed to downgrade them to the older version that had the same versionCode.
+---
+ .../java/com/android/server/pm/InstallPackageHelper.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+index 7da5f51bcbc2..0f3802ac794b 100644
+--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
++++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+@@ -2466,6 +2466,13 @@ final class InstallPackageHelper {
+ }
+ }
+ }
++
++ if (!Build.isDebuggable() && dataOwnerPkg != null && dataOwnerPkg.isSystem()) {
++ if (dataOwnerPkg.getLongVersionCode() == pkgLite.getLongVersionCode()) {
++ return Pair.create(INSTALL_FAILED_SESSION_INVALID,
++ "Not allowed to update system package to the same versionCode");
++ }
++ }
+ }
+ return Pair.create(PackageManager.INSTALL_SUCCEEDED, null);
+ }
diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch b/Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch
new file mode 100644
index 00000000..058c4dd0
--- /dev/null
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch
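Review bot: In 0029-Strict_versionCode_Checks-1.patch the new equal-versionCode rejection returns `INSTALL_FAILED_SESSION_INVALID`, a code whose name points at the install session rather than at the version, so an update client or someone reading logs cannot tell this anti-rollback rejection from a genuinely broken session. If the downgrade checks earlier in this method report `PackageManager.INSTALL_FAILED_VERSION_DOWNGRADE` (they are outside the hunk, so this is an assumption), returning that code here would keep both rollback cases under one signal. The block also carries no comment; `// System packages often keep the SDK level as versionCode, so an equal code may hide an older build.` above the outer `if` would record the reason, and a second line could state that the `Build.isDebuggable()` exemption is deliberate. The enclosing method starts and ends outside the hunk.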
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor
+Date: Tue, 27 Dec 2022 11:21:28 +0200
+Subject: [PATCH] prefer package from OS image over equal version of upgraded
+ system package
+
+Previously, system package that was upgraded on the previous OS version was used by the OS even
+after OS upgrade that included the same version of this package in OS image.
+This weakened verified boot and wasted storage space.
+---
+ .../com/android/server/pm/InstallPackageHelper.java | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+index 0f3802ac794b..9a4dbb0a0a12 100644
+--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
++++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
+@@ -3842,10 +3842,10 @@ final class InstallPackageHelper {
+
+ final boolean newPkgChangedPaths = pkgAlreadyExists
+ && !pkgSetting.getPathString().equals(parsedPackage.getPath());
+- final boolean newPkgVersionGreater = pkgAlreadyExists
+- && parsedPackage.getLongVersionCode() > pkgSetting.getVersionCode();
++ final boolean newPkgVersionGreaterOrEqual = pkgAlreadyExists
++ && parsedPackage.getLongVersionCode() >= pkgSetting.getVersionCode();
+ final boolean isSystemPkgBetter = scanSystemPartition && isSystemPkgUpdated
+- && newPkgChangedPaths && newPkgVersionGreater;
++ && newPkgChangedPaths && newPkgVersionGreaterOrEqual;
+ if (isSystemPkgBetter) {
+ // The version of the application on /system is greater than the version on
+ // /data. Switch back to the application on /system.
+@@ -3873,8 +3873,8 @@ final class InstallPackageHelper {
+ }
+ }
+
+- // The version of the application on the /system partition is less than or
+- // equal to the version on the /data partition. Throw an exception and use
++ // The version of the application on the /system partition is less than
++ // the version on the /data partition. Throw an exception and use
+ // the application already installed on the /data partition.
+ if (scanSystemPartition && isSystemPkgUpdated && !isSystemPkgBetter) {
+ // In the case of a skipped package, commitReconciledScanResultLocked is not called to
+@@ -3938,7 +3938,7 @@ final class InstallPackageHelper {
+ deletePackageHelper.deletePackageLIF(parsedPackage.getPackageName(), null, true,
+ mPm.mUserManager.getUserIds(), 0, null, false);
+ }
+- } else if (newPkgVersionGreater) {
++ } else if (newPkgVersionGreaterOrEqual) {
+ // The application on /system is newer than the application on /data.
+ // Simply remove the application on /data [keeping application data]
+ // and replace it with the version on /system.
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index 105c6e17..cd5319fc 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -115,7 +115,6 @@ patchWorkspace() { #repopick -i 314453; #TaskViewTouchController: Null check current animation on drag #repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default repopick -it R_tzdb2022f; - repopick -it R_asb_2023-01; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index 4cc76c96..9869e1fb 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@@ -80,7 +80,6 @@ patchWorkspace() { #repopick -ift twelve-bt-sbc-hd-dualchannel; #repopick -it twelve-colors; repopick -it S_tzdb2022f; - repopick -it S_asb_2023-01; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-20.0/Patch.sh b/Scripts/LineageOS-20.0/Patch.sh
index 864efe59..f8d31822 100644
--- a/Scripts/LineageOS-20.0/Patch.sh
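Review bot: In 0029-Strict_versionCode_Checks-2.patch two context comments still describe the old strict comparison: the one under `if (isSystemPkgBetter) {` says the /system version "is greater than" the /data one, and the one under `} else if (newPkgVersionGreaterOrEqual) {` says /system "is newer". Only the middle comment was updated, so the equal-versionCode case, which per the commit description is what stops an upgraded /data copy from weakening verified boot, is not mentioned at either branch that now acts on it. I would change them to `// The version on /system is greater than or equal to the version on /data.` and `// The application on /system is at least as new as the application on /data.`. Any log messages inside these branches lie outside the hunks and may need the same wording check; the enclosing method also starts and ends outside them.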
+++ b/Scripts/LineageOS-20.0/Patch.sh
@@ -177,6 +177,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Burnin_Protection.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Strict_versionCode_Checks-1.patch"; #Don't allow updating system packages to the same versionCode (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Strict_versionCode_Checks-2.patch"; #Prefer package from OS image over equal version of upgraded system package (GrapheneOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
diff --git a/Scripts/WebView_Update_Repo.sh b/Scripts/WebView_Update_Repo.sh
index d20333c8..912cbe23 100644
--- a/Scripts/WebView_Update_Repo.sh
+++ b/Scripts/WebView_Update_Repo.sh
@@ -16,7 +16,7 @@ umask 0022; set -uo pipefail; -export version="108.0.5359.128-1"; +export version="109.0.5414.86-1"; export PATH=$PATH:$HOME/Android/Sdk/build-tools/33.0.0; export webviewARM32="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm/webview.apk"; export webviewARM64="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm64/webview.apk";