mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
15.1: July 2024 ASB work
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
parent
105767c7a7
commit
3400a35eb1
@ -68,7 +68,7 @@ external/caliper 4a0d9aba0856d0aa965d5653bfa4c138f0e8a8ba
|
|||||||
external/cblas d063db8bdddfcde61e4bad3bfe65941fd73e8094
|
external/cblas d063db8bdddfcde61e4bad3bfe65941fd73e8094
|
||||||
external/chromium-libpac 0ac78251d11006d764ba1aad8cc0867827fafe5c
|
external/chromium-libpac 0ac78251d11006d764ba1aad8cc0867827fafe5c
|
||||||
external/chromium-trace 8b2c0074e71a8086dee98ca8730acfdc5eddf7a1
|
external/chromium-trace 8b2c0074e71a8086dee98ca8730acfdc5eddf7a1
|
||||||
external/chromium-webview 55628131e0608ae5877fd6934719369e5002b679
|
external/chromium-webview 170a4ad46bc61af284392a04dda7dc378a638976
|
||||||
external/clang 751a76679b0fb5798ea6cab75906df07edcab315
|
external/clang 751a76679b0fb5798ea6cab75906df07edcab315
|
||||||
external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4
|
external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4
|
||||||
external/compiler-rt 0c46c9e892a3f68420635032ef2f6152dabd197c
|
external/compiler-rt 0c46c9e892a3f68420635032ef2f6152dabd197c
|
||||||
|
48
Patches/LineageOS-15.1/android_frameworks_base/397594.patch
Normal file
48
Patches/LineageOS-15.1/android_frameworks_base/397594.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Martijn Coenen <maco@google.com>
|
||||||
|
Date: Thu, 29 Feb 2024 12:03:05 +0000
|
||||||
|
Subject: [PATCH] Verify UID of incoming Zygote connections.
|
||||||
|
|
||||||
|
Only the system UID should be allowed to connect to the Zygote. While
|
||||||
|
for generic Zygotes this is also covered by SELinux policy, this is not
|
||||||
|
true for App Zygotes: the preload code running in an app zygote could
|
||||||
|
connect to another app zygote socket, if it had access to its (random)
|
||||||
|
socket address.
|
||||||
|
|
||||||
|
On the Java layer, simply check the UID when the connection is made. In
|
||||||
|
the native layer, this check was already present, but it actually didn't
|
||||||
|
work in the case where we receive a new incoming connection on the
|
||||||
|
socket, and receive a 'non-fork' command: in that case, we will simply
|
||||||
|
exit the native loop, and let the Java layer handle the command, without
|
||||||
|
any further UID checking.
|
||||||
|
|
||||||
|
Modified the native logic to drop new connections with a mismatching
|
||||||
|
UID, and to keep serving the existing connection (if it was still
|
||||||
|
there).
|
||||||
|
|
||||||
|
[Backport: No native layer for ZygoteCommandBuffer present]
|
||||||
|
|
||||||
|
Bug: 319081336
|
||||||
|
Test: manual
|
||||||
|
(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
|
||||||
|
Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
|
||||||
|
Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
|
||||||
|
---
|
||||||
|
core/java/com/android/internal/os/ZygoteConnection.java | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
|
||||||
|
index 9fa3239b60cf..6b11ed43f171 100644
|
||||||
|
--- a/core/java/com/android/internal/os/ZygoteConnection.java
|
||||||
|
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
|
||||||
|
@@ -98,6 +98,9 @@ class ZygoteConnection {
|
||||||
|
throw ex;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (peer.getUid() != Process.SYSTEM_UID) {
|
||||||
|
+ throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
|
||||||
|
+ }
|
||||||
|
isEof = false;
|
||||||
|
}
|
||||||
|
|
63
Patches/LineageOS-15.1/android_system_bt/397596.patch
Normal file
63
Patches/LineageOS-15.1/android_system_bt/397596.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Mon, 22 Apr 2024 21:14:56 +0000
|
||||||
|
Subject: [PATCH] Fix an authentication bypass bug in SMP
|
||||||
|
|
||||||
|
When pairing with BLE legacy pairing initiated
|
||||||
|
from remote, authentication can be bypassed.
|
||||||
|
This change fixes it.
|
||||||
|
|
||||||
|
Bug: 251514170
|
||||||
|
Test: m com.android.btservices
|
||||||
|
Test: manual run against PoC
|
||||||
|
Ignore-AOSP-First: security
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
|
||||||
|
Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
|
||||||
|
Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
|
||||||
|
---
|
||||||
|
stack/smp/smp_act.cc | 12 ++++++++++++
|
||||||
|
stack/smp/smp_int.h | 1 +
|
||||||
|
2 files changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
|
||||||
|
index 7b6ae6f2c..db0617904 100644
|
||||||
|
--- a/stack/smp/smp_act.cc
|
||||||
|
+++ b/stack/smp/smp_act.cc
|
||||||
|
@@ -275,6 +275,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
||||||
|
void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
||||||
|
SMP_TRACE_DEBUG("%s", __func__);
|
||||||
|
smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
|
||||||
|
+ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*******************************************************************************
|
||||||
|
@@ -631,6 +632,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
|
||||||
|
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
|
||||||
|
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
|
||||||
|
+ // in legacy pairing, the peer should send its rand after
|
||||||
|
+ // we send our confirm
|
||||||
|
+ tSMP_INT_DATA smp_int_data{};
|
||||||
|
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
|
||||||
|
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* save the SRand for comparison */
|
||||||
|
STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
|
||||||
|
}
|
||||||
|
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
|
||||||
|
index fc8717f7c..b3e13b3ee 100644
|
||||||
|
--- a/stack/smp/smp_int.h
|
||||||
|
+++ b/stack/smp/smp_int.h
|
||||||
|
@@ -239,6 +239,7 @@ typedef union {
|
||||||
|
(1 << 7) /* used to resolve race condition */
|
||||||
|
#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
|
||||||
|
(1 << 8) /* used on slave to resolve race condition */
|
||||||
|
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
|
||||||
|
|
||||||
|
/* check if authentication requirement need MITM protection */
|
||||||
|
#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)
|
@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
|
|||||||
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
|
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
|
||||||
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||||
sed -i 's/2021-10-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #XXX
|
sed -i 's/2021-10-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "build/soong"; then
|
if enterAndClear "build/soong"; then
|
||||||
@ -263,6 +263,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 A
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
|
applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
|
applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
|
applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/397594.patch"; #P_asb_2024-07 Verify UID of incoming Zygote connections.
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
|
||||||
@ -539,6 +540,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an
|
|||||||
#applyPatch "$DOS_PATCHES/android_system_bt/385676-backport.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req #XXX: alternatively forward-port 385236 & 385237
|
#applyPatch "$DOS_PATCHES/android_system_bt/385676-backport.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req #XXX: alternatively forward-port 385236 & 385237
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
|
applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
|
applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an authentication bypass bug in SMP
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/ca-certificates"; then
|
if enterAndClear "system/ca-certificates"; then
|
||||||
|
@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
|
|||||||
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||||
sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-06 #XXX
|
sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-07 #XXX
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "build/soong"; then
|
if enterAndClear "build/soong"; then
|
||||||
|
Loading…
Reference in New Issue
Block a user