Fixes
Signed-off-by: Tad <tad@spotco.us>
parent
b08bf0356f
commit
2993b459f0
@ -4,13 +4,16 @@ Date: Thu, 5 Jan 2023 19:42:40 -0500
|
|||||||
Subject: [PATCH] Always add Briar and Tor Browser to Orbot's lockdown
|
Subject: [PATCH] Always add Briar and Tor Browser to Orbot's lockdown
|
||||||
allowlist
|
allowlist
|
||||||
|
|
||||||
|
[tad@spotco.us]: fixup arraylist handling, add logging, ignore missing package
|
||||||
|
lockdownAllowlist can be either null or immutable, the latter case wasn't handled
|
||||||
|
|
||||||
Change-Id: I62c2553c8877b946d7e7e1ca4ef113f963d3f8eb
|
Change-Id: I62c2553c8877b946d7e7e1ca4ef113f963d3f8eb
|
||||||
---
|
---
|
||||||
.../com/android/server/connectivity/Vpn.java | 35 +++++++++++++++++++
|
.../com/android/server/connectivity/Vpn.java | 40 +++++++++++++++++++
|
||||||
1 file changed, 35 insertions(+)
|
1 file changed, 40 insertions(+)
|
||||||
|
|
||||||
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
|
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
|
||||||
index 8510de4ef201..3e5724d36f44 100644
|
index 8510de4ef201..2cc66fbb871c 100644
|
||||||
--- a/services/core/java/com/android/server/connectivity/Vpn.java
|
--- a/services/core/java/com/android/server/connectivity/Vpn.java
|
||||||
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
|
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
|
||||||
@@ -47,9 +47,11 @@ import android.content.Intent;
|
@@ -47,9 +47,11 @@ import android.content.Intent;
|
||||||
@ -41,7 +44,7 @@ index 8510de4ef201..3e5724d36f44 100644
|
|||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.FileDescriptor;
|
import java.io.FileDescriptor;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
@@ -891,6 +895,37 @@ public class Vpn {
|
@@ -891,6 +895,42 @@ public class Vpn {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -49,7 +52,10 @@ index 8510de4ef201..3e5724d36f44 100644
|
|||||||
+ if (ORBOT_PACKAGE_NAME.equals(packageName)) {
|
+ if (ORBOT_PACKAGE_NAME.equals(packageName)) {
|
||||||
+ if (lockdownAllowlist == null) {
|
+ if (lockdownAllowlist == null) {
|
||||||
+ lockdownAllowlist = new ArrayList<>();
|
+ lockdownAllowlist = new ArrayList<>();
|
||||||
+
|
+ Log.i(TAG, "lockdown allowlist was null, created");
|
||||||
|
+ } else {
|
||||||
|
+ lockdownAllowlist = new ArrayList<>(lockdownAllowlist);
|
||||||
|
+ Log.i(TAG, "lockdown allowlist existed, recreated");
|
||||||
+ }
|
+ }
|
||||||
+ final Set<Pair<String, String>> ORBOT_LOCKDOWN_ALLOWLIST = Set.of(
|
+ final Set<Pair<String, String>> ORBOT_LOCKDOWN_ALLOWLIST = Set.of(
|
||||||
+ new Pair<>("org.torproject.torbrowser
|
+ new Pair<>("org.torproject.torbrowser
|
||||||
@ -64,13 +70,15 @@ index 8510de4ef201..3e5724d36f44 100644
|
|||||||
+ for (Signature signature : packageInfo.signingInfo.getApkContentsSigners()) {
|
+ for (Signature signature : packageInfo.signingInfo.getApkContentsSigners()) {
|
||||||
+ outputStream.write(signature.toByteArray());
|
+ outputStream.write(signature.toByteArray());
|
||||||
+ }
|
+ }
|
||||||
+ if (!Signature.areEffectiveMatch(new Signature(outputStream.toByteArray()), new Signature(pair.second))) {
|
+ if (Signature.areEffectiveMatch(new Signature(outputStream.toByteArray()), new Signature(pair.second))) {
|
||||||
+ throw new SecurityException(pair.first + " signature does not match allowlisted signature");
|
+ if (!lockdownAllowlist.contains(pair.first)) {
|
||||||
|
+ lockdownAllowlist.add(pair.first);
|
||||||
|
+ Log.i(TAG, "Added " + pair.first + " to lockdown allowlist");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ Log.w(TAG, "Not adding " + pair.first + " to lockdown allowlist due to signature mismatch");
|
||||||
+ }
|
+ }
|
||||||
+ if (!lockdownAllowlist.contains(pair.first)) {
|
+ } catch (NameNotFoundException ignore) { } catch (Exception e) {
|
||||||
+ lockdownAllowlist.add(pair.first);
|
|
||||||
+ }
|
|
||||||
+ } catch (NameNotFoundException | IOException | CertificateException e) {
|
|
||||||
+ Log.w(TAG, "Failed to add " + pair.first + " to lockdown allowlist", e);
|
+ Log.w(TAG, "Failed to add " + pair.first + " to lockdown allowlist", e);
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
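Review bot: The widened `catch (Exception e)` that closes the per-package block now swallows every failure of the signature check, including ones that indicate a bug (for example a null `packageInfo.signingInfo`, if the lookup outside this view does not request signing data). The result is fail-closed, because the package is simply not exempted from lockdown, which is the right default for a list that lets traffic bypass the VPN; the intent should be stated above the catch, e.g. `// Fail closed: on any error the package stays subject to lockdown.` The empty `catch (NameNotFoundException ignore) { }` is easier to read on its own lines with `// Package not installed: nothing to allowlist.` inside it. The mismatch branch only skips the add, so a name that was already in the copied caller-supplied list stays allowlisted despite the "Not adding" warning; if that is intended, a comment should say so, otherwise the entry should be removed there. The enclosing method and the package lookup lie outside the visible hunk lines.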
|
@ -181,7 +181,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0030-agnss.goog_override.patch"
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-1.patch"; #Revert "Null safe package name in AppOps writeState" (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-1.patch"; #Revert "Null safe package name in AppOps writeState" (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-2.patch"; #appops: skip ops for invalid null package during state serialization (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-2.patch"; #appops: skip ops for invalid null package during state serialization (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
|
||||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS) XXX: BREAKS BOOT
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS)
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0034-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0034-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
|
||||||
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
|
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
|
||||||
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
|
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
|
||||||
@ -307,6 +307,10 @@ if enterAndClear "packages/apps/SetupWizard"; then
|
|||||||
applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS)
|
applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
|
if enterAndClear "packages/apps/ThemePicker"; then
|
||||||
|
git revert --no-edit fcf658d2005dc557a95d5a7fb89cb90d06b31d33; #grant permission by default, to prevent crashes, missing previews, and confusion
|
||||||
|
fi;
|
||||||
|
|
||||||
if enterAndClear "packages/apps/Trebuchet"; then
|
if enterAndClear "packages/apps/Trebuchet"; then
|
||||||
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
|
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
|
||||||
fi;
|
fi;
|
||||||
|
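Review bot: The added `git revert --no-edit fcf658d2005dc557a95d5a7fb89cb90d06b31d33` in the ThemePicker block has no visible failure handling. If that commit is absent from the checked-out history or the revert conflicts, the tree is left mid-revert, and unless the script aborts on error (not visible here) the build continues with sources nobody intended. Consider `git revert --no-edit fcf658d2005dc557a95d5a7fb89cb90d06b31d33 || { git revert --abort; exit 1; }`, or the script's own error helper if it has one. The trailing comment also does not make clear whether it describes the reverted commit or the reason for reverting it; the neighbouring lines use the `#Revert "..." (source)` form, which would remove the ambiguity.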