21: more work

- drop support for Internet & Sensors permissions
- always enable OpenEUICC
- fixup autovarinit kernel enablement

Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-12-10 17:43:57 -05:00
parent d8b3ba8334
commit 4d29cbe162
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
36 changed files with 76 additions and 3186 deletions

View File

@ -0,0 +1,22 @@
From 919a61dedb0458ebd52291cb6d4948446fad4b44 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Wed, 8 Apr 2020 11:10:43 -0400
Subject: [PATCH] enable -ftrivial-auto-var-init=zero
---
Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index 79e2a78a7e92..abc66c11c84a 100644
--- a/Makefile
+++ b/Makefile
@@ -770,6 +770,8 @@ KBUILD_CFLAGS += -fomit-frame-pointer
endif
endif
+KBUILD_CFLAGS += -ftrivial-auto-var-init=zero
+
KBUILD_CFLAGS += $(call cc-option, -fno-var-tracking-assignments)
ifdef CONFIG_DEBUG_INFO

View File

@ -1,137 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: inthewaves <inthewaves@pm.me>
Date: Sat, 12 Sep 2020 22:28:34 +0300
Subject: [PATCH] support new special runtime permissions
Ported from 12: b294a2ce1d0d185dbc438ac3c06c90386d5f5949
---
.../PermissionManagerServiceImpl.java | 39 ++++++++++++++-----
1 file changed, 30 insertions(+), 9 deletions(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
index cd1d7996fbac..162d6ba1cd0b 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
@@ -1415,7 +1415,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
// their permissions as always granted runtime ones since we need
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M && bp.isRuntime()) {
+ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M && bp.isRuntime() &&
+ !isSpecialRuntimePermission(permName)) {
return;
}
@@ -1458,7 +1459,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
+ " for package " + packageName);
}
- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M) {
+ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M &&
+ !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -1602,7 +1604,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
// their permissions as always granted runtime ones since we need
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M && bp.isRuntime()) {
+ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M && bp.isRuntime() &&
+ !isSpecialRuntimePermission(permName)) {
return;
}
@@ -1812,7 +1815,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
// permission as requiring a review as this is the initial state.
final int uid = mPackageManagerInt.getPackageUid(packageName, 0, userId);
final int targetSdk = mPackageManagerInt.getUidTargetSdkVersion(uid);
- final int flags = (targetSdk < Build.VERSION_CODES.M && isRuntimePermission)
+ final int flags = (targetSdk < Build.VERSION_CODES.M && isRuntimePermission
+ && !isSpecialRuntimePermission(permName))
? FLAG_PERMISSION_REVIEW_REQUIRED | FLAG_PERMISSION_REVOKED_COMPAT
: 0;
@@ -1832,7 +1836,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
// If this permission was granted by default or role, make sure it is.
if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
- || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0) {
+ || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
+ || isSpecialRuntimePermission(permName)) {
// PermissionPolicyService will handle the app op for runtime permissions later.
grantRuntimePermissionInternal(packageName, permName, false,
Process.SYSTEM_UID, userId, delayingPermCallback);
@@ -2481,6 +2486,10 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
}
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
/**
* Restore the permission state for a package.
*
@@ -2603,6 +2612,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
synchronized (mLock) {
for (final int userId : userIds) {
final UserPermissionState userState = mState.getOrCreateUserState(userId);
+ // "replace" parameter is set to true even when the app is first installed
+ final boolean uidStateWasPresent = userState.getUidState(ps.getAppId()) != null;
final UidPermissionState uidState = userState.getOrCreateUidState(ps.getAppId());
if (uidState.isMissing()) {
@@ -2619,7 +2630,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT,
FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT);
}
- if (uidTargetSdkVersion < Build.VERSION_CODES.M) {
+ if (uidTargetSdkVersion < Build.VERSION_CODES.M && !isSpecialRuntimePermission(permissionName)) {
uidState.updatePermissionFlags(permission,
PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED
| PackageManager.FLAG_PERMISSION_REVOKED_COMPAT,
@@ -2813,7 +2824,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
boolean restrictionApplied = (origState.getPermissionFlags(
bp.getName()) & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
- if (appSupportsRuntimePermissions) {
+ if (appSupportsRuntimePermissions || isSpecialRuntimePermission(bp.getName())) {
// If hard restricted we don't allow holding it
if (permissionPolicyInitialized && hardRestricted) {
if (!restrictionExempt) {
@@ -2866,6 +2877,16 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
}
}
}
+
+ if (isSpecialRuntimePermission(permName) &&
+ origPermState == null &&
+ // don't grant special runtime permission after update,
+ // unless app comes from the system image
+ (!uidStateWasPresent || ps.isSystem())) {
+ if (uidState.grantPermission(bp)) {
+ wasChanged = true;
+ }
+ }
} else {
if (origPermState == null) {
// New permission
@@ -2900,7 +2921,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
if (restrictionApplied) {
flags &= ~FLAG_PERMISSION_APPLY_RESTRICTION;
// Dropping restriction on a legacy app implies a review
- if (!appSupportsRuntimePermissions) {
+ if (!appSupportsRuntimePermissions && !isSpecialRuntimePermission(bp.getName())) {
flags |= FLAG_PERMISSION_REVIEW_REQUIRED;
}
wasChanged = true;
@@ -3618,7 +3639,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
final int flags = getPermissionFlagsInternal(pkg.getPackageName(), permission,
myUid, userId);
if (shouldGrantRuntimePermission) {
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(permission)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermissionInternal(pkg.getPackageName(), permission, false,

View File

@ -1,25 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Fri, 7 Oct 2022 20:12:26 +0300
Subject: [PATCH] srt permissions: don't auto-grant denied ones when
permissions are reset
---
.../server/pm/permission/PermissionManagerServiceImpl.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
index 39384823f2cb..b3522775ce8a 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
@@ -1837,7 +1837,9 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
// If this permission was granted by default or role, make sure it is.
if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
|| (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
- || isSpecialRuntimePermission(permName)) {
+ || (isSpecialRuntimePermission(permName)
+ && checkPermission(packageName, permName, userId) == PERMISSION_GRANTED)
+ ) {
// PermissionPolicyService will handle the app op for runtime permissions later.
grantRuntimePermissionInternal(packageName, permName, false,
Process.SYSTEM_UID, userId, delayingPermCallback);

View File

@ -1,81 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 17 Mar 2019 17:59:15 +0200
Subject: [PATCH] make INTERNET into a special runtime permission
Ported from 12: a980a4c3d6b6906eb0ee5fb07ca4cf0bae052d00
---
core/api/current.txt | 1 +
core/res/AndroidManifest.xml | 10 +++++++++-
core/res/res/values/strings.xml | 5 +++++
.../pm/permission/PermissionManagerServiceImpl.java | 2 +-
4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/core/api/current.txt b/core/api/current.txt
index 62980ed5bd69..a08bc5ee1887 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -345,6 +345,7 @@ package android {
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
field public static final String NEARBY_DEVICES = "android.permission-group.NEARBY_DEVICES";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String NOTIFICATIONS = "android.permission-group.NOTIFICATIONS";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String READ_MEDIA_AURAL = "android.permission-group.READ_MEDIA_AURAL";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index abe4b2942ca2..63e4fca51d80 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2083,13 +2083,21 @@
<!-- ======================================= -->
<eat-comment />
+ <!-- Network access -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.UNDEFINED"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 59066eb83f1c..a967af7720a2 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -967,6 +967,11 @@
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. [CHAR LIMIT=NONE]-->
<string name="permgroupdesc_notifications">show notifications</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">access the network</string>
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
index 162d6ba1cd0b..ea7e13f20a17 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
@@ -2487,7 +2487,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
/**

View File

@ -1,113 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 22:54:42 +0300
Subject: [PATCH] add special runtime permission for other sensors
Ported from 12: 9d5a62ed573bc3c7be8b19445b372fed13533d0e
---
core/api/current.txt | 2 ++
.../internal/pm/pkg/parsing/ParsingPackageUtils.java | 2 ++
core/res/AndroidManifest.xml | 12 ++++++++++++
core/res/res/values/strings.xml | 12 ++++++++++++
.../pm/permission/PermissionManagerServiceImpl.java | 2 +-
5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/core/api/current.txt b/core/api/current.txt
index a08bc5ee1887..ad2059849b57 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -231,6 +231,7 @@ package android {
field public static final String NFC = "android.permission.NFC";
field public static final String NFC_PREFERRED_PAYMENT_INFO = "android.permission.NFC_PREFERRED_PAYMENT_INFO";
field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT";
+ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS";
field public static final String OVERRIDE_WIFI_CONFIG = "android.permission.OVERRIDE_WIFI_CONFIG";
field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS";
field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY";
@@ -347,6 +348,7 @@ package android {
field public static final String NEARBY_DEVICES = "android.permission-group.NEARBY_DEVICES";
field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String NOTIFICATIONS = "android.permission-group.NOTIFICATIONS";
+ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String READ_MEDIA_AURAL = "android.permission-group.READ_MEDIA_AURAL";
field public static final String READ_MEDIA_VISUAL = "android.permission-group.READ_MEDIA_VISUAL";
diff --git a/core/java/com/android/internal/pm/pkg/parsing/ParsingPackageUtils.java b/core/java/com/android/internal/pm/pkg/parsing/ParsingPackageUtils.java
index 95ecd47e3037..1e9c18a0b4ff 100644
--- a/core/java/com/android/internal/pm/pkg/parsing/ParsingPackageUtils.java
+++ b/core/java/com/android/internal/pm/pkg/parsing/ParsingPackageUtils.java
@@ -2310,6 +2310,8 @@ public class ParsingPackageUtils {
setSupportsSizeChanges(pkg);
pkg.setHasDomainUrls(hasDomainURLs(pkg));
+
+ pkg.addUsesPermission(new ParsedUsesPermissionImpl(android.Manifest.permission.OTHER_SENSORS, 0));
}
/**
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 63e4fca51d80..5c7dc3e9a622 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1844,6 +1844,18 @@
android:protectionLevel="dangerous|instant" />
<uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+ <permission-group android:name="android.permission-group.OTHER_SENSORS"
+ android:icon="@drawable/perm_group_location"
+ android:label="@string/permgrouplab_otherSensors"
+ android:description="@string/permgroupdesc_otherSensors"
+ android:priority="1000" />
+
+ <permission android:name="android.permission.OTHER_SENSORS"
+ android:permissionGroup="android.permission-group.UNDEFINED"
+ android:label="@string/permlab_otherSensors"
+ android:description="@string/permdesc_otherSensors"
+ android:protectionLevel="dangerous" />
+
<!-- ====================================================================== -->
<!-- REMOVED PERMISSIONS -->
<!-- ====================================================================== -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index a967af7720a2..09af484a7941 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -967,6 +967,11 @@
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. [CHAR LIMIT=NONE]-->
<string name="permgroupdesc_notifications">show notifications</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_otherSensors">Sensors</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_otherSensors">access sensor data about orientation, movement, etc.</string>
+
<!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgrouplab_network">Network</string>
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
@@ -1393,6 +1398,13 @@
<!-- Description of the background body sensors permission, listed so the user can decide whether to allow the application to access data from body sensors in the background. [CHAR LIMIT=NONE] -->
<string name="permdesc_bodySensors_background" product="default">Allows the app to access body sensor data, such as heart rate, temperature, and blood oxygen percentage, while the app is in the background.</string>
+ <!-- Title of the sensors permission, listed so the user can decide whether to allow the application to access sensor data. [CHAR LIMIT=80] -->
+ <string name="permlab_otherSensors">access sensors (like the compass)
+ </string>
+ <!-- Description of the sensors permission, listed so the user can decide whether to allow the application to access data from sensors. [CHAR LIMIT=NONE] -->
+ <string name="permdesc_otherSensors" product="default">Allows the app to access data from sensors
+ monitoring orientation, movement, vibration (including low frequency sound) and environmental data</string>
+
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_readCalendar">Read calendar events and details</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
index ea7e13f20a17..39384823f2cb 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
@@ -2487,7 +2487,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return Manifest.permission.INTERNET.equals(permission);
+ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission);
}
/**

View File

@ -1,119 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Sun, 31 Jul 2022 18:24:34 +0300
Subject: [PATCH] infrastructure for spoofing self permission checks
---
.../app/ApplicationPackageManager.java | 13 ++++++++-
core/java/android/app/ContextImpl.java | 18 ++++++++++--
.../content/pm/AppPermissionUtils.java | 29 +++++++++++++++++++
3 files changed, 57 insertions(+), 3 deletions(-)
create mode 100644 core/java/android/content/pm/AppPermissionUtils.java
diff --git a/core/java/android/app/ApplicationPackageManager.java b/core/java/android/app/ApplicationPackageManager.java
index 4950c0fdbaf8..94509e313be2 100644
--- a/core/java/android/app/ApplicationPackageManager.java
+++ b/core/java/android/app/ApplicationPackageManager.java
@@ -47,6 +47,7 @@ import android.content.IntentFilter;
import android.content.IntentSender;
import android.content.pm.ActivityInfo;
import android.content.pm.ApkChecksum;
+import android.content.pm.AppPermissionUtils;
import android.content.pm.ApplicationInfo;
import android.content.pm.ArchivedPackageInfo;
import android.content.pm.ChangedPackages;
@@ -849,8 +850,18 @@ public class ApplicationPackageManager extends PackageManager {
@Override
public int checkPermission(String permName, String pkgName) {
- return getPermissionManager().checkPackageNamePermission(permName, pkgName,
+ int res = getPermissionManager().checkPackageNamePermission(permName, pkgName,
mContext.getDeviceId(), getUserId());
+
+ if (res != PERMISSION_GRANTED) {
+ if (pkgName.equals(ActivityThread.currentPackageName())
+ && AppPermissionUtils.shouldSpoofSelfCheck(permName))
+ {
+ return PERMISSION_GRANTED;
+ }
+ }
+
+ return res;
}
@Override
diff --git a/core/java/android/app/ContextImpl.java b/core/java/android/app/ContextImpl.java
index af56cb4d55b2..2e66b88ff674 100644
--- a/core/java/android/app/ContextImpl.java
+++ b/core/java/android/app/ContextImpl.java
@@ -48,6 +48,7 @@ import android.content.ReceiverCallNotAllowedException;
import android.content.ServiceConnection;
import android.content.SharedPreferences;
import android.content.pm.ActivityInfo;
+import android.content.pm.AppPermissionUtils;
import android.content.pm.ApplicationInfo;
import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
@@ -2258,12 +2259,25 @@ class ContextImpl extends Context {
if (permission == null) {
throw new IllegalArgumentException("permission is null");
}
+
+ final boolean selfCheck = pid == android.os.Process.myPid() && uid == android.os.Process.myUid();
+
if (mParams.isRenouncedPermission(permission)
- && pid == android.os.Process.myPid() && uid == android.os.Process.myUid()) {
+ && selfCheck) {
Log.v(TAG, "Treating renounced permission " + permission + " as denied");
return PERMISSION_DENIED;
}
- return PermissionManager.checkPermission(permission, pid, uid, getDeviceId());
+ int res = PermissionManager.checkPermission(permission, pid, uid, getDeviceId());
+
+ if (res != PERMISSION_GRANTED) {
+ if (selfCheck) {
+ if (AppPermissionUtils.shouldSpoofSelfCheck(permission)) {
+ return PERMISSION_GRANTED;
+ }
+ }
+ }
+
+ return res;
}
/** @hide */
diff --git a/core/java/android/content/pm/AppPermissionUtils.java b/core/java/android/content/pm/AppPermissionUtils.java
new file mode 100644
index 000000000000..7dc20eec8485
--- /dev/null
+++ b/core/java/android/content/pm/AppPermissionUtils.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2022 GrapheneOS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.content.pm;
+
+import android.Manifest;
+
+/** @hide */
+public class AppPermissionUtils {
+
+ // android.app.ApplicationPackageManager#checkPermission(String permName, String pkgName)
+ // android.app.ContextImpl#checkPermission(String permission, int pid, int uid)
+ public static boolean shouldSpoofSelfCheck(String permName) {
+ return false;
+ }
+}

View File

@ -1,191 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Sun, 31 Jul 2022 18:10:28 +0300
Subject: [PATCH] app-side infrastructure for special runtime permissions
---
core/api/system-current.txt | 3 ++
.../android/content/pm/IPackageManager.aidl | 2 +
.../pm/SpecialRuntimePermAppUtils.java | 54 +++++++++++++++++++
.../server/pm/PackageManagerService.java | 19 +++++++
.../permission/SpecialRuntimePermUtils.java | 46 ++++++++++++++++
5 files changed, 124 insertions(+)
create mode 100644 core/java/android/content/pm/SpecialRuntimePermAppUtils.java
create mode 100644 services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java
diff --git a/core/api/system-current.txt b/core/api/system-current.txt
index 5aa89b98353f..373f48e937dd 100644
--- a/core/api/system-current.txt
+++ b/core/api/system-current.txt
@@ -4412,6 +4412,9 @@ package android.content.pm {
field @NonNull public static final android.os.Parcelable.Creator<android.content.pm.ShortcutManager.ShareShortcutInfo> CREATOR;
}
+ public class SpecialRuntimePermAppUtils {
+ }
+
public final class SuspendDialogInfo implements android.os.Parcelable {
method public int describeContents();
method public void writeToParcel(android.os.Parcel, int);
diff --git a/core/java/android/content/pm/IPackageManager.aidl b/core/java/android/content/pm/IPackageManager.aidl
index bff90f1d2298..fc6b097c5e19 100644
--- a/core/java/android/content/pm/IPackageManager.aidl
+++ b/core/java/android/content/pm/IPackageManager.aidl
@@ -832,6 +832,8 @@ interface IPackageManager {
boolean[] canPackageQuery(String sourcePackageName, in String[] targetPackageNames, int userId);
+ int getSpecialRuntimePermissionFlags(String packageName);
+
boolean waitForHandler(long timeoutMillis, boolean forBackgroundHandler);
void registerPackageMonitorCallback(IRemoteCallback callback, int userId);
diff --git a/core/java/android/content/pm/SpecialRuntimePermAppUtils.java b/core/java/android/content/pm/SpecialRuntimePermAppUtils.java
new file mode 100644
index 000000000000..efd48cb49aa3
--- /dev/null
+++ b/core/java/android/content/pm/SpecialRuntimePermAppUtils.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2022 GrapheneOS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.content.pm;
+
+import android.Manifest;
+import android.annotation.SystemApi;
+import android.app.AppGlobals;
+import android.os.Binder;
+import android.os.Process;
+import android.os.RemoteException;
+import android.permission.PermissionManager;
+
+/** @hide */
+@SystemApi
+public class SpecialRuntimePermAppUtils {
+ private static final int FLAG_INITED = 1;
+
+ private static volatile int cachedFlags;
+
+ private static int getFlags() {
+ int cache = cachedFlags;
+ if (cache != 0) {
+ return cache;
+ }
+
+ IPackageManager pm = AppGlobals.getPackageManager();
+ String pkgName = AppGlobals.getInitialPackage();
+
+ final long token = Binder.clearCallingIdentity(); // in case this method is called in the system_server
+ try {
+ return (cachedFlags = pm.getSpecialRuntimePermissionFlags(pkgName) | FLAG_INITED);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ }
+
+ private SpecialRuntimePermAppUtils() {}
+}
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 09abae640bc5..f41bcf3b7c28 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -233,6 +233,7 @@ import com.android.server.pm.permission.LegacyPermissionManagerService;
import com.android.server.pm.permission.LegacyPermissionSettings;
import com.android.server.pm.permission.PermissionManagerService;
import com.android.server.pm.permission.PermissionManagerServiceInternal;
+import com.android.server.pm.permission.SpecialRuntimePermUtils;
import com.android.server.pm.pkg.AndroidPackage;
import com.android.server.pm.pkg.ArchiveState;
import com.android.server.pm.pkg.PackageState;
@@ -6644,6 +6645,24 @@ public class PackageManagerService implements PackageSender, TestUtilityService
getPerUidReadTimeouts(snapshot), mSnapshotStatistics
).doDump(snapshot, fd, pw, args);
}
+
+ @Override
+ public int getSpecialRuntimePermissionFlags(String packageName) {
+ final int callingUid = Binder.getCallingUid();
+
+ synchronized (mLock) {
+ AndroidPackage pkg = mPackages.get(packageName);
+ if (pkg == null) {
+ throw new IllegalStateException();
+ }
+
+ if (UserHandle.getAppId(callingUid) != pkg.getUid()) { // getUid() confusingly returns appId
+ throw new SecurityException();
+ }
+
+ return SpecialRuntimePermUtils.getFlags(pkg);
+ }
+ }
}
private class PackageManagerInternalImpl extends PackageManagerInternalBase {
diff --git a/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java b/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java
new file mode 100644
index 000000000000..fe946ff5d5ca
--- /dev/null
+++ b/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2022 GrapheneOS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.pm.permission;
+
+import android.Manifest;
+import android.os.Bundle;
+
+import com.android.internal.annotations.GuardedBy;
+import com.android.server.pm.parsing.pkg.AndroidPackage;
+import com.android.server.pm.pkg.component.ParsedUsesPermission;
+
+import static android.content.pm.SpecialRuntimePermAppUtils.*;
+
+public class SpecialRuntimePermUtils {
+
+ @GuardedBy("PackageManagerService.mLock")
+ public static int getFlags(AndroidPackage pkg) {
+ int flags = 0;
+
+ for (ParsedUsesPermission perm : pkg.getUsesPermissions()) {
+ String name = perm.getName();
+ switch (name) {
+ default:
+ continue;
+ }
+ }
+
+ return flags;
+ }
+
+ private SpecialRuntimePermUtils() {}
+}

View File

@ -1,165 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Sun, 31 Jul 2022 18:00:35 +0300
Subject: [PATCH] improve compatibility of INTERNET special runtime permission
There are apps that refuse to work when they detect that INTERNET is revoked, usually because of
a library check that reminds the app developer to add INTERNET uses-permission element to app's
AndroidManifest.
Always report that INTERNET is granted unless the app has
<meta-data android:name="android.permission.INTERNET.mode" android:value="runtime" />
declaration inside <application> element in its AndroidManifest, or is a system app.
---
core/api/system-current.txt | 5 +++++
core/java/android/app/DownloadManager.java | 13 ++++++++++++
.../content/pm/AppPermissionUtils.java | 7 +++++++
.../pm/SpecialRuntimePermAppUtils.java | 20 +++++++++++++++++++
.../permission/SpecialRuntimePermUtils.java | 17 ++++++++++++++++
5 files changed, 62 insertions(+)
diff --git a/core/api/system-current.txt b/core/api/system-current.txt
index 373f48e937dd..bbbac378487b 100644
--- a/core/api/system-current.txt
+++ b/core/api/system-current.txt
@@ -4413,6 +4413,11 @@ package android.content.pm {
}
public class SpecialRuntimePermAppUtils {
+ method public static boolean awareOfRuntimeInternetPermission();
+ method public static boolean isInternetCompatEnabled();
+ method public static boolean requestsInternetPermission();
+ field public static final int FLAG_AWARE_OF_RUNTIME_INTERNET_PERMISSION = 4; // 0x4
+ field public static final int FLAG_REQUESTS_INTERNET_PERMISSION = 2; // 0x2
}
public final class SuspendDialogInfo implements android.os.Parcelable {
diff --git a/core/java/android/app/DownloadManager.java b/core/java/android/app/DownloadManager.java
index de0244f3934f..6285f4745c37 100644
--- a/core/java/android/app/DownloadManager.java
+++ b/core/java/android/app/DownloadManager.java
@@ -34,6 +34,7 @@ import android.content.Context;
import android.database.Cursor;
import android.database.CursorWrapper;
import android.database.DatabaseUtils;
+import android.database.MatrixCursor;
import android.net.ConnectivityManager;
import android.net.NetworkPolicyManager;
import android.net.Uri;
@@ -53,6 +54,8 @@ import android.util.LongSparseArray;
import android.util.Pair;
import android.webkit.MimeTypeMap;
+import android.content.pm.SpecialRuntimePermAppUtils;
+
import java.io.File;
import java.io.FileNotFoundException;
import java.util.ArrayList;
@@ -1124,6 +1127,11 @@ public class DownloadManager {
* future calls related to this download. Returns -1 if the operation fails.
*/
public long enqueue(Request request) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // invalid id (DownloadProvider uses SQLite and returns a row id)
+ return -1;
+ }
+
ContentValues values = request.toContentValues(mPackageName);
Uri downloadUri = mResolver.insert(Downloads.Impl.CONTENT_URI, values);
if (downloadUri == null) {
@@ -1176,6 +1184,11 @@ public class DownloadManager {
/** @hide */
public Cursor query(Query query, String[] projection) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // underlying provider is protected by the INTERNET permission
+ return new MatrixCursor(projection);
+ }
+
Cursor underlyingCursor = query.runQuery(mResolver, projection, mBaseUri);
if (underlyingCursor == null) {
return null;
diff --git a/core/java/android/content/pm/AppPermissionUtils.java b/core/java/android/content/pm/AppPermissionUtils.java
index 7dc20eec8485..6a96f70dcfcf 100644
--- a/core/java/android/content/pm/AppPermissionUtils.java
+++ b/core/java/android/content/pm/AppPermissionUtils.java
@@ -24,6 +24,13 @@ public class AppPermissionUtils {
// android.app.ApplicationPackageManager#checkPermission(String permName, String pkgName)
// android.app.ContextImpl#checkPermission(String permission, int pid, int uid)
public static boolean shouldSpoofSelfCheck(String permName) {
+ if (Manifest.permission.INTERNET.equals(permName)
+ && SpecialRuntimePermAppUtils.requestsInternetPermission()
+ && !SpecialRuntimePermAppUtils.awareOfRuntimeInternetPermission())
+ {
+ return true;
+ }
+
return false;
}
}
diff --git a/core/java/android/content/pm/SpecialRuntimePermAppUtils.java b/core/java/android/content/pm/SpecialRuntimePermAppUtils.java
index efd48cb49aa3..2f973a585d5c 100644
--- a/core/java/android/content/pm/SpecialRuntimePermAppUtils.java
+++ b/core/java/android/content/pm/SpecialRuntimePermAppUtils.java
@@ -28,9 +28,29 @@ import android.permission.PermissionManager;
@SystemApi
public class SpecialRuntimePermAppUtils {
private static final int FLAG_INITED = 1;
+ public static final int FLAG_REQUESTS_INTERNET_PERMISSION = 1 << 1;
+ public static final int FLAG_AWARE_OF_RUNTIME_INTERNET_PERMISSION = 1 << 2;
private static volatile int cachedFlags;
+ private static boolean hasInternetPermission() {
+ // checkSelfPermission() is spoofed, query the underlying API directly
+ return PermissionManager.checkPermission(Manifest.permission.INTERNET, Process.myPid(), Process.myUid())
+ == PackageManager.PERMISSION_GRANTED;
+ }
+
+ public static boolean requestsInternetPermission() {
+ return (getFlags() & FLAG_REQUESTS_INTERNET_PERMISSION) != 0;
+ }
+
+ public static boolean awareOfRuntimeInternetPermission() {
+ return (getFlags() & FLAG_AWARE_OF_RUNTIME_INTERNET_PERMISSION) != 0;
+ }
+
+ public static boolean isInternetCompatEnabled() {
+ return !hasInternetPermission() && requestsInternetPermission() && !awareOfRuntimeInternetPermission();
+ }
+
private static int getFlags() {
int cache = cachedFlags;
if (cache != 0) {
diff --git a/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java b/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java
index fe946ff5d5ca..6f5cabb8a8fc 100644
--- a/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java
+++ b/services/core/java/com/android/server/pm/permission/SpecialRuntimePermUtils.java
@@ -34,11 +34,28 @@ public class SpecialRuntimePermUtils {
for (ParsedUsesPermission perm : pkg.getUsesPermissions()) {
String name = perm.getName();
switch (name) {
+ case Manifest.permission.INTERNET:
+ flags |= FLAG_REQUESTS_INTERNET_PERMISSION;
+ continue;
default:
continue;
}
}
+ if ((flags & FLAG_REQUESTS_INTERNET_PERMISSION) != 0) {
+ if (pkg.isSystem()) {
+ flags |= FLAG_AWARE_OF_RUNTIME_INTERNET_PERMISSION;
+ } else {
+ Bundle metadata = pkg.getMetaData();
+ if (metadata != null) {
+ String key = Manifest.permission.INTERNET + ".mode";
+ if ("runtime".equals(metadata.getString(key))) {
+ flags |= FLAG_AWARE_OF_RUNTIME_INTERNET_PERMISSION;
+ }
+ }
+ }
+ }
+
return flags;
}

View File

@ -1,48 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Wed, 17 Aug 2022 10:12:42 +0300
Subject: [PATCH] mark UserHandle#get{Uid, UserId} as module SystemApi
Needed by packages_modules_Connectivity ->
"enforce INTERNET permission per-uid instead of per-appId".
---
core/api/module-lib-current.txt | 5 +++++
core/java/android/os/UserHandle.java | 2 ++
2 files changed, 7 insertions(+)
diff --git a/core/api/module-lib-current.txt b/core/api/module-lib-current.txt
index 99abdce29c3c..434f7c5b2fbc 100644
--- a/core/api/module-lib-current.txt
+++ b/core/api/module-lib-current.txt
@@ -458,6 +458,11 @@ package android.os {
field public static final long TRACE_TAG_NETWORK = 2097152L; // 0x200000L
}
+ public final class UserHandle implements android.os.Parcelable {
+ method public static int getUid(int, int);
+ method public static int getUserId(int);
+ }
+
}
package android.os.storage {
diff --git a/core/java/android/os/UserHandle.java b/core/java/android/os/UserHandle.java
index 0644ef1c788f..2804035aef7b 100644
--- a/core/java/android/os/UserHandle.java
+++ b/core/java/android/os/UserHandle.java
@@ -281,6 +281,7 @@ public final class UserHandle implements Parcelable {
* Returns the user id for a given uid.
* @hide
*/
+ @SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
@UnsupportedAppUsage
@TestApi
public static @UserIdInt int getUserId(int uid) {
@@ -371,6 +372,7 @@ public final class UserHandle implements Parcelable {
* Returns the uid that is composed from the userId and the appId.
* @hide
*/
+ @SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
@UnsupportedAppUsage
@TestApi
public static int getUid(@UserIdInt int userId, @AppIdInt int appId) {

View File

@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 30 Aug 2022 12:37:03 +0300
Subject: [PATCH] improve compatibility with revoked INTERNET in
DownloadManager
---
core/java/android/app/DownloadManager.java | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/core/java/android/app/DownloadManager.java b/core/java/android/app/DownloadManager.java
index 6285f4745c37..ffc722279da1 100644
--- a/core/java/android/app/DownloadManager.java
+++ b/core/java/android/app/DownloadManager.java
@@ -1169,6 +1169,11 @@ public class DownloadManager {
* @return the number of downloads actually removed
*/
public int remove(long... ids) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // underlying provider is protected by the INTERNET permission
+ return 0;
+ }
+
return markRowDeleted(ids);
}
@@ -1595,6 +1600,11 @@ public class DownloadManager {
throw new IllegalArgumentException(" invalid value for param: totalBytes");
}
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // underlying provider is protected by the INTERNET permission
+ return -1;
+ }
+
// if there is already an entry with the given path name in downloads.db, return its id
Request request;
if (uri != null) {

View File

@ -1,36 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 15 Sep 2022 13:58:34 +0300
Subject: [PATCH] ignore pid when spoofing permission checks
Permissions are enforced per-uid, checking pid may break spoofing for multi-process apps.
---
core/java/android/app/ContextImpl.java | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/core/java/android/app/ContextImpl.java b/core/java/android/app/ContextImpl.java
index 2e66b88ff674..c68d4135ada1 100644
--- a/core/java/android/app/ContextImpl.java
+++ b/core/java/android/app/ContextImpl.java
@@ -2259,18 +2259,16 @@ class ContextImpl extends Context {
if (permission == null) {
throw new IllegalArgumentException("permission is null");
}
-
- final boolean selfCheck = pid == android.os.Process.myPid() && uid == android.os.Process.myUid();
-
if (mParams.isRenouncedPermission(permission)
- && selfCheck) {
+ && pid == android.os.Process.myPid() && uid == android.os.Process.myUid()) {
Log.v(TAG, "Treating renounced permission " + permission + " as denied");
return PERMISSION_DENIED;
}
+
int res = PermissionManager.checkPermission(permission, pid, uid, getDeviceId());
if (res != PERMISSION_GRANTED) {
- if (selfCheck) {
+ if (uid == android.os.Process.myUid()) {
if (AppPermissionUtils.shouldSpoofSelfCheck(permission)) {
return PERMISSION_GRANTED;
}

View File

@ -1,28 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 14 May 2019 14:28:27 -0400
Subject: [PATCH] disable OpenGL preloading for exec spawning
---
core/java/com/android/internal/os/ZygoteInit.java | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java
index 87d393d97d14..f30e17183fca 100644
--- a/core/java/com/android/internal/os/ZygoteInit.java
+++ b/core/java/com/android/internal/os/ZygoteInit.java
@@ -139,9 +139,11 @@ public class ZygoteInit {
Trace.traceBegin(Trace.TRACE_TAG_DALVIK, "PreloadAppProcessHALs");
nativePreloadAppProcessHALs();
Trace.traceEnd(Trace.TRACE_TAG_DALVIK);
- Trace.traceBegin(Trace.TRACE_TAG_DALVIK, "PreloadGraphicsDriver");
- maybePreloadGraphicsDriver();
- Trace.traceEnd(Trace.TRACE_TAG_DALVIK);
+ if (fullPreload) {
+ Trace.traceBegin(Trace.TRACE_TAG_DALVIK, "PreloadGraphicsDriver");
+ maybePreloadGraphicsDriver();
+ Trace.traceEnd(Trace.TRACE_TAG_DALVIK);
+ }
preloadSharedLibraries();
preloadTextResources();
// Ask the WebViewFactory to do any initialization that must run in the zygote process,

View File

@ -1,355 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Mon, 8 Aug 2022 19:03:37 +0300
Subject: [PATCH] add an option to show the details of an application error to
the user
Adds a "Show details" item to crash and ANR (app not responding) dialogs that takes the user to a
SystemUI activity which shows the error details and allows to copy them to the clipboard or to
export them via the standard sharing UI.
---
.../android/app/ApplicationErrorReport.java | 14 +-
core/res/res/layout/app_anr_dialog.xml | 4 +-
core/res/res/layout/app_error_dialog.xml | 4 +-
core/res/res/values/strings.xml | 3 +
core/res/res/values/symbols.xml | 3 +
packages/SystemUI/AndroidManifest.xml | 12 ++
packages/SystemUI/res/values/strings.xml | 5 +
.../android/systemui/ErrorReportActivity.kt | 159 ++++++++++++++++++
.../java/com/android/server/am/AppErrors.java | 1 +
9 files changed, 199 insertions(+), 6 deletions(-)
create mode 100644 packages/SystemUI/src/com/android/systemui/ErrorReportActivity.kt
diff --git a/core/java/android/app/ApplicationErrorReport.java b/core/java/android/app/ApplicationErrorReport.java
index 9cea5e8ef4cf..e9f28d80b6ed 100644
--- a/core/java/android/app/ApplicationErrorReport.java
+++ b/core/java/android/app/ApplicationErrorReport.java
@@ -98,6 +98,9 @@ public class ApplicationErrorReport implements Parcelable {
*/
public String packageName;
+ /** @hide */
+ public long packageVersion;
+
/**
* Package name of the application which installed the application this
* report pertains to.
@@ -162,13 +165,18 @@ public class ApplicationErrorReport implements Parcelable {
String packageName, int appFlags) {
// check if error reporting is enabled in secure settings
int enabled = Settings.Global.getInt(context.getContentResolver(),
- Settings.Global.SEND_ACTION_APP_ERROR, 0);
+ Settings.Global.SEND_ACTION_APP_ERROR, 1);
if (enabled == 0) {
return null;
}
PackageManager pm = context.getPackageManager();
+ ComponentName systemUiReceiver = getErrorReportReceiver(pm, packageName, "com.android.systemui");
+ if (systemUiReceiver != null) {
+ return systemUiReceiver;
+ }
+
// look for receiver in the installer package
String candidate = null;
ComponentName result = null;
@@ -233,6 +241,7 @@ public class ApplicationErrorReport implements Parcelable {
public void writeToParcel(Parcel dest, int flags) {
dest.writeInt(type);
dest.writeString(packageName);
+ dest.writeLong(packageVersion);
dest.writeString(installerPackageName);
dest.writeString(processName);
dest.writeLong(time);
@@ -260,6 +269,7 @@ public class ApplicationErrorReport implements Parcelable {
public void readFromParcel(Parcel in) {
type = in.readInt();
packageName = in.readString();
+ packageVersion = in.readLong();
installerPackageName = in.readString();
processName = in.readString();
time = in.readLong();
@@ -704,7 +714,7 @@ public class ApplicationErrorReport implements Parcelable {
*/
public void dump(Printer pw, String prefix) {
pw.println(prefix + "type: " + type);
- pw.println(prefix + "packageName: " + packageName);
+ pw.println(prefix + "packageName: " + packageName + ":" + packageVersion);
pw.println(prefix + "installerPackageName: " + installerPackageName);
pw.println(prefix + "processName: " + processName);
pw.println(prefix + "time: " + time);
diff --git a/core/res/res/layout/app_anr_dialog.xml b/core/res/res/layout/app_anr_dialog.xml
index 5ad0f4c0f6cc..ad3a2d2991de 100644
--- a/core/res/res/layout/app_anr_dialog.xml
+++ b/core/res/res/layout/app_anr_dialog.xml
@@ -41,8 +41,8 @@
android:id="@+id/aerr_report"
android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:text="@string/aerr_report"
- android:drawableStart="@drawable/ic_feedback"
+ android:text="@string/aerr_show_details"
+ android:drawableStart="@drawable/ic_info_outline_24"
style="@style/aerr_list_item" />
</LinearLayout>
diff --git a/core/res/res/layout/app_error_dialog.xml b/core/res/res/layout/app_error_dialog.xml
index c3b149a1e295..a47b82018377 100644
--- a/core/res/res/layout/app_error_dialog.xml
+++ b/core/res/res/layout/app_error_dialog.xml
@@ -52,8 +52,8 @@
android:id="@+id/aerr_report"
android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:text="@string/aerr_report"
- android:drawableStart="@drawable/ic_feedback"
+ android:text="@string/aerr_show_details"
+ android:drawableStart="@drawable/ic_info_outline_24"
style="@style/aerr_list_item" />
<Button
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 59066eb83f1c..d422e6f2aca6 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -6337,6 +6337,9 @@ ul.</string>
<!-- Title for preference of the system default locale. [CHAR LIMIT=50]-->
<string name="system_locale_title">System default</string>
+ <!-- Button that opens the screen with details of an application error -->
+ <string name="aerr_show_details">Show details</string>
+
<!-- Display content to tell the user the sim card name and number-->
<string name="default_card_name">CARD <xliff:g id="cardNumber" example="1">%d</xliff:g></string>
diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index a1804672da73..07d3924d8d39 100644
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -5174,6 +5174,9 @@
<java-symbol type="id" name="language_picker_item" />
<java-symbol type="id" name="language_picker_header" />
+ <!-- Button that opens the screen with details of an application error -->
+ <java-symbol type="string" name="aerr_show_details" />
+
<java-symbol type="dimen" name="status_bar_height_default" />
<java-symbol type="string" name="default_card_name"/>
diff --git a/packages/SystemUI/AndroidManifest.xml b/packages/SystemUI/AndroidManifest.xml
index 00604a316019..6f003b4ec257 100644
--- a/packages/SystemUI/AndroidManifest.xml
+++ b/packages/SystemUI/AndroidManifest.xml
@@ -1069,6 +1069,18 @@
android:exported="false">
</activity>
+ <activity
+ android:name=".ErrorReportActivity"
+ android:exported="true"
+ android:theme="@android:style/Theme.DeviceDefault.DayNight"
+ android:documentLaunchMode="always"
+ android:process=":ui"
+ >
+ <intent-filter>
+ <action android:name="android.intent.action.APP_ERROR" />
+ </intent-filter>
+ </activity>
+
<provider
android:authorities="com.android.systemui.customization"
android:name="com.android.systemui.keyguard.CustomizationProvider"
diff --git a/packages/SystemUI/res/values/strings.xml b/packages/SystemUI/res/values/strings.xml
index d2b186d9af2c..48a08ff2b7e9 100644
--- a/packages/SystemUI/res/values/strings.xml
+++ b/packages/SystemUI/res/values/strings.xml
@@ -3159,6 +3159,11 @@
<!-- Time format for the Dream Time Complication for 24-hour time format [CHAR LIMIT=NONE] -->
<string name="dream_time_complication_24_hr_time_format">kk:mm</string>
+ <string name="error_report_title">Error in %1$s</string>
+ <string name="copy_to_clipboard">Copy to clipboard</string>
+ <string name="copied_to_clipboard">Copied to clipboard</string>
+ <string name="error_share">Share</string>
+
<!-- Title for the log access confirmation dialog. [CHAR LIMIT=NONE] -->
<string name="log_access_confirmation_title">Allow <xliff:g id="log_access_app_name" example="Example App">%s</xliff:g> to access all device logs?</string>
<!-- Label for the allow button on the log access confirmation dialog. [CHAR LIMIT=40] -->
diff --git a/packages/SystemUI/src/com/android/systemui/ErrorReportActivity.kt b/packages/SystemUI/src/com/android/systemui/ErrorReportActivity.kt
new file mode 100644
index 000000000000..94630b044fbe
--- /dev/null
+++ b/packages/SystemUI/src/com/android/systemui/ErrorReportActivity.kt
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2022 GrapheneOS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.systemui
+
+import android.app.Activity
+import android.app.ApplicationErrorReport
+import android.content.ClipData
+import android.content.ClipDescription
+import android.content.ClipboardManager
+import android.content.Intent
+import android.graphics.Typeface
+import android.os.Build
+import android.os.Bundle
+import android.util.StringBuilderPrinter
+import android.util.TypedValue
+import android.view.Gravity
+import android.view.View
+import android.widget.Button
+import android.widget.LinearLayout
+import android.widget.LinearLayout.LayoutParams
+import android.widget.ScrollView
+import android.widget.TextView
+import android.widget.Toast
+
+class ErrorReportActivity : Activity() {
+
+ override fun onCreate(savedInstanceState: Bundle?) {
+ super.onCreate(savedInstanceState)
+
+ val title: String
+ val reportText: String
+ try {
+ val report = intent.getParcelableExtra<ApplicationErrorReport>(Intent.EXTRA_BUG_REPORT)!!
+ val pm = packageManager
+ val ai = pm.getApplicationInfo(report.packageName, 0)
+ title = getString(R.string.error_report_title, ai.loadLabel(pm))
+
+ reportText = errorReportToText(report)
+ } catch (e: Exception) {
+ e.printStackTrace()
+ finishAndRemoveTask()
+ return
+ }
+
+ setTitle(title)
+
+ val textView = TextView(this).apply {
+ typeface = Typeface.MONOSPACE
+ text = reportText
+ textSize = 12f
+ setTextIsSelectable(true)
+ // default color is too light
+ val color = if (resources.configuration.isNightModeActive) 0xff_d0_d0_d0 else 0xff_00_00_00
+ setTextColor(color.toInt())
+ }
+
+ val scroller = ScrollView(this).apply {
+ isScrollbarFadingEnabled = false
+ scrollBarStyle = View.SCROLLBARS_INSIDE_INSET
+ addView(textView)
+ }
+
+ val formattedReportText = "```\n" + reportText + "\n```"
+ val clipData = ClipData.newPlainText(title, formattedReportText)
+
+ val btnCopy = Button(this).apply {
+ setText(R.string.copy_to_clipboard)
+ setOnClickListener { _ ->
+ val cm = getSystemService(ClipboardManager::class.java)
+ cm.setPrimaryClip(clipData)
+ Toast.makeText(this@ErrorReportActivity, R.string.copied_to_clipboard, Toast.LENGTH_SHORT).show()
+ }
+ }
+
+ val btnShare = Button(this).apply {
+ setText(R.string.error_share)
+ setOnClickListener { _ ->
+ val i = Intent(Intent.ACTION_SEND)
+ i.clipData = clipData
+ i.type = ClipDescription.MIMETYPE_TEXT_PLAIN
+ i.putExtra(Intent.EXTRA_SUBJECT, title)
+ i.putExtra(Intent.EXTRA_TEXT, formattedReportText)
+ startActivity(Intent.createChooser(i, title))
+ }
+ }
+
+ val buttonLayout = LinearLayout(this).apply {
+ orientation = LinearLayout.HORIZONTAL
+ gravity = Gravity.CENTER
+ addView(btnCopy)
+ addView(btnShare)
+ }
+
+ val pad = px(16)
+
+ val layout = LinearLayout(this).apply {
+ orientation = LinearLayout.VERTICAL
+ addView(scroller, LayoutParams(LayoutParams.MATCH_PARENT, 0, 1f))
+ addView(buttonLayout)
+ setPadding(pad, pad, pad, pad)
+ }
+
+ setContentView(layout)
+ }
+
+ fun px(dp: Int) = TypedValue.applyDimension(
+ TypedValue.COMPLEX_UNIT_PX, dp.toFloat(), resources.displayMetrics).toInt()
+
+ fun errorReportToText(r: ApplicationErrorReport) =
+
+"""type: ${reportTypeToString(r.type)}
+osVersion: ${Build.FINGERPRINT}
+package: ${r.packageName}:${r.packageVersion}
+process: ${r.processName}
+
+${reportInfoToString(r)}"""
+
+ fun reportInfoToString(r: ApplicationErrorReport): String {
+ if (r.type == ApplicationErrorReport.TYPE_CRASH) {
+ return r.crashInfo.stackTrace
+ }
+
+ val sb = StringBuilder()
+ val printer = StringBuilderPrinter(sb)
+
+ when (r.type) {
+ ApplicationErrorReport.TYPE_ANR ->
+ r.anrInfo.dump(printer, "")
+ ApplicationErrorReport.TYPE_BATTERY ->
+ r.batteryInfo.dump(printer, "")
+ ApplicationErrorReport.TYPE_RUNNING_SERVICE ->
+ r.runningServiceInfo.dump(printer, "")
+ }
+
+ return sb.toString()
+ }
+
+ fun reportTypeToString(type: Int) = when (type) {
+ ApplicationErrorReport.TYPE_CRASH -> "crash"
+ ApplicationErrorReport.TYPE_ANR -> "ANR"
+ ApplicationErrorReport.TYPE_BATTERY -> "battery"
+ ApplicationErrorReport.TYPE_RUNNING_SERVICE -> "running_service"
+ else -> "unknown ($type)"
+ }
+}
diff --git a/services/core/java/com/android/server/am/AppErrors.java b/services/core/java/com/android/server/am/AppErrors.java
index 061bcd740f6b..937b0eacff66 100644
--- a/services/core/java/com/android/server/am/AppErrors.java
+++ b/services/core/java/com/android/server/am/AppErrors.java
@@ -838,6 +838,7 @@ class AppErrors {
ApplicationErrorReport report = new ApplicationErrorReport();
report.packageName = r.info.packageName;
+ report.packageVersion = r.info.longVersionCode;
report.installerPackageName = errState.getErrorReportReceiver().getPackageName();
report.processName = r.processName;
report.time = timeMillis;

View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Mon, 30 Jan 2023 19:04:30 +0200
Subject: [PATCH] disable package parser cache
This is needed for properly verifying updates of system packages.
---
.../java/com/android/server/pm/PackageManagerServiceUtils.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
index d7e0fca87059..70aae56d7a3a 100644
--- a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
+++ b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
@@ -211,7 +211,7 @@ public class PackageManagerServiceUtils {
/**
* The initial enabled state of the cache before other checks are done.
*/
- private static final boolean DEFAULT_PACKAGE_PARSER_CACHE_ENABLED = true;
+ private static final boolean DEFAULT_PACKAGE_PARSER_CACHE_ENABLED = false;
/**
* Whether to skip all other checks and force the cache to be enabled.
@@ -1451,6 +1451,7 @@ public class PackageManagerServiceUtils {
boolean isUserDebugBuild, String incrementalVersion) {
if (!FORCE_PACKAGE_PARSED_CACHE_ENABLED) {
if (!DEFAULT_PACKAGE_PARSER_CACHE_ENABLED) {
+ FileUtils.deleteContentsAndDir(Environment.getPackageCacheDirectory());
return null;
}

View File

@ -1,195 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 31 Jan 2023 17:55:11 +0200
Subject: [PATCH] perform additional boot-time checks on system package updates
---
.../server/pm/InstallPackageHelper.java | 7 +
.../android/server/pm/PackageVerityExt.java | 160 ++++++++++++++++++
2 files changed, 167 insertions(+)
create mode 100644 services/core/java/com/android/server/pm/PackageVerityExt.java
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index e27e8cf9e02d..cbfb2b07e97e 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -4009,6 +4009,13 @@ final class InstallPackageHelper {
@Nullable UserHandle user) throws PackageManagerException {
final boolean scanSystemPartition =
(parseFlags & ParsingPackageUtils.PARSE_IS_SYSTEM_DIR) != 0;
+ if ((scanFlags & SCAN_BOOTING) != 0) {
+ if (scanSystemPartition) {
+ PackageVerityExt.addSystemPackage(parsedPackage);
+ } else {
+ PackageVerityExt.checkSystemPackageUpdate(parsedPackage);
+ }
+ }
final ScanRequest initialScanRequest = prepareInitialScanRequest(parsedPackage, parseFlags,
scanFlags, user, null);
final PackageSetting installedPkgSetting = initialScanRequest.mPkgSetting;
diff --git a/services/core/java/com/android/server/pm/PackageVerityExt.java b/services/core/java/com/android/server/pm/PackageVerityExt.java
new file mode 100644
index 000000000000..955eefcdae64
--- /dev/null
+++ b/services/core/java/com/android/server/pm/PackageVerityExt.java
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2022 GrapheneOS
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.android.server.pm;
+
+import android.annotation.Nullable;
+import android.content.pm.SigningDetails;
+import android.content.pm.parsing.result.ParseResult;
+import android.content.pm.parsing.result.ParseTypeImpl;
+import android.os.Build;
+import android.os.SystemProperties;
+import android.util.ArrayMap;
+import android.util.Slog;
+
+import com.android.internal.pm.parsing.pkg.ParsedPackage;
+import com.android.internal.pm.pkg.parsing.ParsingPackageUtils;
+import com.android.internal.security.VerityUtils;
+import com.android.server.pm.pkg.AndroidPackage;
+import com.android.server.pm.pkg.AndroidPackageSplit;
+
+import static android.content.pm.PackageManager.INSTALL_FAILED_BAD_SIGNATURE;
+import static android.content.pm.PackageManager.INSTALL_FAILED_INVALID_APK;
+import static android.content.pm.PackageManager.INSTALL_FAILED_UPDATE_INCOMPATIBLE;
+
+// Performs additional checks on system package updates
+public class PackageVerityExt {
+ private static final String TAG = PackageVerityExt.class.getSimpleName();
+
+ // Parsed packages from immutable partitions. Static shared libraries are handled separately
+ // due to a different policy that OS uses for their replacement
+ private static final ArrayMap<String, AndroidPackage> packages = new ArrayMap<>();
+ private static final ArrayMap<String, AndroidPackage> staticSharedLibraries = new ArrayMap<>();
+
+ // Called when PackageManager scans a package from immutable system image partition during OS boot.
+ // All packages from immutable partitions are scanned before any packages from mutable partitions.
+ public static void addSystemPackage(AndroidPackage pkg) {
+ if (pkg.isStaticSharedLibrary()) {
+ String name = pkg.getStaticSharedLibraryName();
+ AndroidPackage prev;
+ synchronized (staticSharedLibraries) {
+ prev = staticSharedLibraries.put(name, pkg);
+ }
+ if (prev != null) {
+ Slog.w(TAG, "duplicate static shared lib " + name
+ + ": prev " + prev.getPath() + " -> new " + pkg.getPath());
+ }
+ } else {
+ String name = pkg.getManifestPackageName();
+ AndroidPackage prev;
+ synchronized (packages) {
+ prev = packages.put(name, pkg);
+ }
+ if (prev != null) {
+ Slog.w(TAG, "duplicate system package " + name + ": prev " + prev.getPath() +
+ " -> new " + pkg.getPath());
+ }
+ }
+ }
+
+ // If pkg is a system package update, returns its matching system image package
+ @Nullable public static AndroidPackage getSystemPackage(AndroidPackage pkg) {
+ if (pkg.isStaticSharedLibrary()) {
+ String name = pkg.getStaticSharedLibraryName();
+ synchronized (staticSharedLibraries) {
+ return staticSharedLibraries.get(name);
+ }
+ } else {
+ String name = pkg.getManifestPackageName();
+ synchronized (packages) {
+ return packages.get(name);
+ }
+ }
+ }
+
+ // Called when PackageManager scans a package from mutable partition (ie /data) during OS boot.
+ // PackageManagerException thrown from here will prevent this package from replacing its system
+ // image version.
+ public static void checkSystemPackageUpdate(AndroidPackage maybeSystemPackageUpdate) throws PackageManagerException {
+ final AndroidPackage systemPkg = getSystemPackage(maybeSystemPackageUpdate);
+
+ if (systemPkg == null) {
+ // not a system package update
+ return;
+ }
+
+ final AndroidPackage systemPkgUpdate = maybeSystemPackageUpdate;
+
+ Slog.d(TAG, "Performing verification of system package update "
+ + systemPkgUpdate.getManifestPackageName());
+
+ if (systemPkg.getLongVersionCode() >= systemPkgUpdate.getLongVersionCode()) {
+ throw new PackageManagerException(INSTALL_FAILED_UPDATE_INCOMPATIBLE,
+ "versionCode of system image package (" + systemPkg.getLongVersionCode()
+ + ") is >= versionCode of system package update ("
+ + systemPkgUpdate.getLongVersionCode() + ")");
+ }
+
+ boolean checkFsVerity = true;
+ if (Build.IS_DEBUGGABLE) {
+ if (SystemProperties.getBoolean("persist.disable_boot_time_fsverity_check", false)) {
+ checkFsVerity = false;
+ }
+ }
+
+ if (checkFsVerity) {
+ checkFsVerity(systemPkgUpdate);
+ }
+
+ final SigningDetails updatePkgSigningDetails = parseSigningDetails(systemPkgUpdate,
+ // verify APK against its signature
+ false);
+
+ final SigningDetails systemPkgSigningDetails = parseSigningDetails(systemPkg,
+ // skip signature verification, system image APKs are protected by verified boot
+ true);
+
+ final boolean valid = updatePkgSigningDetails.checkCapability(systemPkgSigningDetails,
+ SigningDetails.CertCapabilities.INSTALLED_DATA)
+ || systemPkgSigningDetails.checkCapability(updatePkgSigningDetails,
+ SigningDetails.CertCapabilities.ROLLBACK);
+
+ if (!valid) {
+ String msg = "System package update " + systemPkgUpdate.getManifestPackageName()
+ + " signature doesn't match the signature of system image package";
+ throw new PackageManagerException(INSTALL_FAILED_BAD_SIGNATURE, msg);
+ }
+ }
+
+ public static void checkFsVerity(AndroidPackage pkg) throws PackageManagerException {
+ // base APK is considered to be a split too
+ for (AndroidPackageSplit split : pkg.getSplits()) {
+ String apkPath = split.getPath();
+ if (!VerityUtils.hasFsverity(apkPath)) {
+ throw new PackageManagerException(INSTALL_FAILED_BAD_SIGNATURE,
+ "APK doesn't have fs-verity: " + apkPath);
+ }
+ }
+ }
+
+ private static SigningDetails parseSigningDetails(AndroidPackage pkg, boolean skipVerify) throws PackageManagerException {
+ final ParseTypeImpl input = ParseTypeImpl.forDefaultParsing();
+ final ParseResult<SigningDetails> result = ParsingPackageUtils.getSigningDetails(
+ input, (ParsedPackage) pkg, skipVerify);
+
+ if (result.isError()) {
+ throw new PackageManagerException(
+ result.getErrorCode(), result.getErrorMessage(), result.getException());
+ }
+
+ final SigningDetails sd = result.getResult();
+ if (sd == null) {
+ throw new PackageManagerException(INSTALL_FAILED_INVALID_APK,
+ "Null signing details of package " + pkg.getManifestPackageName());
+ }
+
+ return sd;
+ }
+}

View File

@ -1,30 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Renlord <me@renlord.com>
Date: Tue, 30 Jun 2020 11:52:43 +1000
Subject: [PATCH] dont ping server when nitz time update is toggled off
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
---
core/java/android/util/NtpTrustedTime.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/core/java/android/util/NtpTrustedTime.java b/core/java/android/util/NtpTrustedTime.java
index 3adbd686cd2c..a3d1bd6a2a2e 100644
--- a/core/java/android/util/NtpTrustedTime.java
+++ b/core/java/android/util/NtpTrustedTime.java
@@ -272,6 +272,15 @@ public abstract class NtpTrustedTime implements TrustedTime {
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
public boolean forceRefresh() {
synchronized (mRefreshLock) {
+ final ContentResolver resolver = getContext().getContentResolver();
+
+ final boolean networkPollTime = Settings.Global.getInt(resolver,
+ Settings.Global.AUTO_TIME, 1) != 0;
+ if (!networkPollTime) {
+ Log.d(TAG, "forceRefresh: nitzTimeUpdate disabled bailing early");
+ return false;
+ }
+
Network network = getDefaultNetwork();
if (network == null) {
if (LOGD) Log.d(TAG, "forceRefresh: no network available");

View File

@ -1,197 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Mon, 27 Mar 2023 16:00:00 +0300
Subject: [PATCH] add hooks for modifying PackageManagerService behavior
---
.../server/ext/PackageManagerHooks.java | 90 +++++++++++++++++++
.../com/android/server/pm/AppsFilterBase.java | 6 ++
.../java/com/android/server/pm/Settings.java | 8 +-
.../PermissionManagerServiceImpl.java | 13 +++
4 files changed, 115 insertions(+), 2 deletions(-)
create mode 100644 services/core/java/com/android/server/ext/PackageManagerHooks.java
diff --git a/services/core/java/com/android/server/ext/PackageManagerHooks.java b/services/core/java/com/android/server/ext/PackageManagerHooks.java
new file mode 100644
index 000000000000..007b65349e55
--- /dev/null
+++ b/services/core/java/com/android/server/ext/PackageManagerHooks.java
@@ -0,0 +1,90 @@
+package com.android.server.ext;
+
+import android.Manifest;
+import android.annotation.Nullable;
+import android.annotation.UserIdInt;
+import android.content.pm.PackageManager;
+import android.content.pm.PackageManagerInternal;
+import android.os.Build;
+import android.os.UserHandle;
+import android.util.ArraySet;
+
+import com.android.server.pm.parsing.pkg.AndroidPackage;
+import com.android.server.pm.permission.Permission;
+import com.android.server.pm.pkg.PackageStateInternal;
+import com.android.server.pm.pkg.parsing.ParsingPackage;
+
+public class PackageManagerHooks {
+
+ // Called when package enabled setting is deserialized from storage
+ @Nullable
+ public static Integer maybeOverridePackageEnabledSetting(String pkgName, @UserIdInt int userId) {
+ switch (pkgName) {
+ default:
+ return null;
+ }
+ }
+
+ // Called when package parsing is completed
+ public static void amendParsedPackage(ParsingPackage pkg) {
+ String pkgName = pkg.getPackageName();
+
+ switch (pkgName) {
+ default:
+ return;
+ }
+ }
+
+ public static void removeUsesPermissions(ParsingPackage pkg, String... perms) {
+ var set = new ArraySet<>(perms);
+ pkg.getRequestedPermissions().removeAll(set);
+ pkg.getUsesPermissions().removeIf(p -> set.contains(p.getName()));
+ }
+
+ public static boolean shouldBlockGrantRuntimePermission(
+ PackageManagerInternal pm, String permName, String packageName, int userId)
+ {
+ return false;
+ }
+
+ public static boolean shouldForciblyGrantPermission(AndroidPackage pkg, Permission perm) {
+ if (!Build.IS_DEBUGGABLE) {
+ return false;
+ }
+
+ String permName = perm.getName();
+
+ switch (pkg.getPackageName()) {
+ default:
+ return false;
+ }
+ }
+
+ // Called when AppsFilter decides whether to restrict package visibility
+ public static boolean shouldFilterAccess(@Nullable PackageStateInternal callingPkgSetting,
+ ArraySet<PackageStateInternal> callingSharedPkgSettings,
+ PackageStateInternal targetPkgSetting) {
+ if (callingPkgSetting != null && restrictedVisibilityPackages.contains(callingPkgSetting.getPackageName())) {
+ if (!targetPkgSetting.isSystem()) {
+ return true;
+ }
+ }
+
+ if (restrictedVisibilityPackages.contains(targetPkgSetting.getPackageName())) {
+ if (callingPkgSetting != null) {
+ return !callingPkgSetting.isSystem();
+ } else {
+ for (int i = callingSharedPkgSettings.size() - 1; i >= 0; i--) {
+ if (!callingSharedPkgSettings.valueAt(i).isSystem()) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ // Packages in this array are restricted from interacting with and being interacted by non-system apps
+ private static final ArraySet<String> restrictedVisibilityPackages = new ArraySet<>(new String[] {
+ });
+}
diff --git a/services/core/java/com/android/server/pm/AppsFilterBase.java b/services/core/java/com/android/server/pm/AppsFilterBase.java
index 28942cd262d6..cf8da62167e5 100644
--- a/services/core/java/com/android/server/pm/AppsFilterBase.java
+++ b/services/core/java/com/android/server/pm/AppsFilterBase.java
@@ -40,6 +40,7 @@ import android.util.SparseArray;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.function.QuadFunction;
+import com.android.server.ext.PackageManagerHooks;
import com.android.server.om.OverlayReferenceMapper;
import com.android.server.pm.pkg.AndroidPackage;
import com.android.server.pm.pkg.PackageStateInternal;
@@ -457,6 +458,11 @@ public abstract class AppsFilterBase implements AppsFilterSnapshot {
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
}
+ if (PackageManagerHooks.shouldFilterAccess(callingPkgSetting, callingSharedPkgSettings,
+ targetPkgSetting)) {
+ return true;
+ }
+
if (callingPkgSetting != null) {
if (callingPkgSetting.getPkg() != null
&& !mFeatureConfig.packageIsEnabled(callingPkgSetting.getPkg())) {
diff --git a/services/core/java/com/android/server/pm/Settings.java b/services/core/java/com/android/server/pm/Settings.java
index 475859fbc2e5..0ad5485ee643 100644
--- a/services/core/java/com/android/server/pm/Settings.java
+++ b/services/core/java/com/android/server/pm/Settings.java
@@ -107,6 +107,7 @@ import com.android.permission.persistence.RuntimePermissionsPersistence;
import com.android.permission.persistence.RuntimePermissionsState;
import com.android.server.LocalServices;
import com.android.server.backup.PreferredActivityBackupHelper;
+import com.android.server.ext.PackageManagerHooks;
import com.android.server.pm.Installer.InstallerException;
import com.android.server.pm.parsing.PackageInfoUtils;
import com.android.server.pm.permission.LegacyPermissionDataProvider;
@@ -1913,8 +1914,11 @@ public final class Settings implements Watchable, Snappable, ResilientAtomicFile
parser.getAttributeBoolean(null, ATTR_INSTANT_APP, false);
final boolean virtualPreload =
parser.getAttributeBoolean(null, ATTR_VIRTUAL_PRELOAD, false);
- final int enabled = parser.getAttributeInt(null, ATTR_ENABLED,
- COMPONENT_ENABLED_STATE_DEFAULT);
+ final Integer enabledOverride =
+ PackageManagerHooks.maybeOverridePackageEnabledSetting(name, userId);
+ final int enabled = (enabledOverride != null) ?
+ enabledOverride.intValue() :
+ parser.getAttributeInt(null, ATTR_ENABLED, COMPONENT_ENABLED_STATE_DEFAULT);
final String enabledCaller = parser.getAttributeValue(null,
ATTR_ENABLED_CALLER);
final String harmfulAppWarning =
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
index cd1d7996fbac..f7dcd5c20975 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
@@ -135,6 +135,7 @@ import com.android.server.PermissionThread;
import com.android.server.ServiceThread;
import com.android.server.SystemConfig;
import com.android.server.Watchdog;
+import com.android.server.ext.PackageManagerHooks;
import com.android.server.pm.ApexManager;
import com.android.server.pm.KnownPackages;
import com.android.server.pm.PackageInstallerService;
@@ -1369,6 +1370,13 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
isRolePermission = permission.isRole();
isSoftRestrictedPermission = permission.isSoftRestricted();
}
+
+ if (PackageManagerHooks.shouldBlockGrantRuntimePermission(mPackageManagerInt, permName, packageName, userId)) {
+ // this method is called from within system_server and from critical system processes,
+ // do not throw an exception, just return
+ return;
+ }
+
final boolean mayGrantRolePermission = isRolePermission
&& mayManageRolePermission(callingUid);
final boolean mayGrantSoftRestrictedPermission = isSoftRestrictedPermission
@@ -2918,6 +2926,11 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
Slog.wtf(LOG_TAG, "Unknown permission protection " + bp.getProtection()
+ " for permission " + bp.getName());
}
+
+ if (Build.IS_DEBUGGABLE && PackageManagerHooks.shouldForciblyGrantPermission(pkg, bp)) {
+ uidState.grantPermission(bp);
+ Slog.d(TAG, "forcibly granted " + bp.getName() + " to " + pkg.getPackageName());
+ }
}
if ((installPermissionsChangedForUser || replace)

View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tavi <tavi@divested.dev>
Date: Tue, 10 Dec 2024 17:35:35 -0500
Subject: [PATCH] OpenEUICC integration
Change-Id: I3c290582e70cda3ab37ea116fbd5e2574b48104d
Signed-off-by: Tavi <tavi@divested.dev>
---
data/etc/preinstalled-packages-platform.xml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/data/etc/preinstalled-packages-platform.xml b/data/etc/preinstalled-packages-platform.xml
index 782327713fdc..0367799ee15c 100644
--- a/data/etc/preinstalled-packages-platform.xml
+++ b/data/etc/preinstalled-packages-platform.xml
@@ -134,4 +134,11 @@ to pre-existing users, but cannot uninstall pre-existing system packages from pr
<install-in-user-type package="com.android.avatarpicker">
<install-in user-type="FULL" />
</install-in-user-type>
+
+ <install-in-user-type package="com.google.euiccpixel">
+ <install-in user-type="SYSTEM" />
+ </install-in-user-type>
+ <install-in-user-type package="im.angry.openeuicc">
+ <install-in user-type="SYSTEM" />
+ </install-in-user-type>
</config>

View File

@ -1,101 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Mon, 27 Mar 2023 16:29:13 +0300
Subject: [PATCH] integrate Google's EuiccSupportPixel package
Depends on commit: "don't crash apps that depend on missing Gservices provider"
[tad@spotco.us]: handle OpenEUICC toggling here too
Change-Id: I49e3ff6f2ce8d74383da1c4dfd42913c713016c6
---
data/etc/preinstalled-packages-platform.xml | 7 ++++-
.../server/ext/PackageManagerHooks.java | 31 +++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/data/etc/preinstalled-packages-platform.xml b/data/etc/preinstalled-packages-platform.xml
index 782327713fdc..b1d803b0d905 100644
--- a/data/etc/preinstalled-packages-platform.xml
+++ b/data/etc/preinstalled-packages-platform.xml
@@ -129,9 +129,14 @@ to pre-existing users, but cannot uninstall pre-existing system packages from pr
<install-in-user-type package="com.android.wallpaperbackup">
<install-in user-type="FULL" />
</install-in-user-type>
-
<!-- AvatarPicker (AvatarPicker app)-->
<install-in-user-type package="com.android.avatarpicker">
<install-in user-type="FULL" />
+
+ <install-in-user-type package="com.google.euiccpixel">
+ <install-in user-type="SYSTEM" />
+ </install-in-user-type>
+ <install-in-user-type package="im.angry.openeuicc">
+ <install-in user-type="SYSTEM" />
</install-in-user-type>
</config>
diff --git a/services/core/java/com/android/server/ext/PackageManagerHooks.java b/services/core/java/com/android/server/ext/PackageManagerHooks.java
index 007b65349e55..3c38b9e73049 100644
--- a/services/core/java/com/android/server/ext/PackageManagerHooks.java
+++ b/services/core/java/com/android/server/ext/PackageManagerHooks.java
@@ -6,6 +6,7 @@ import android.annotation.UserIdInt;
import android.content.pm.PackageManager;
import android.content.pm.PackageManagerInternal;
import android.os.Build;
+import android.os.SystemProperties;
import android.os.UserHandle;
import android.util.ArraySet;
@@ -16,10 +17,29 @@ import com.android.server.pm.pkg.parsing.ParsingPackage;
public class PackageManagerHooks {
+ public static final String OPENEUICC_PKG_NAME = "im.angry.openeuicc";
+ public static final String OPENEUICC_TOGGLE = "persist.security.openeuicc";
+ public static final String EUICC_SUPPORT_PIXEL_PKG_NAME = "com.google.euiccpixel";
+
// Called when package enabled setting is deserialized from storage
@Nullable
public static Integer maybeOverridePackageEnabledSetting(String pkgName, @UserIdInt int userId) {
switch (pkgName) {
+ case OPENEUICC_PKG_NAME:
+ if (userId == UserHandle.USER_SYSTEM && SystemProperties.getBoolean(OPENEUICC_TOGGLE, false)) {
+ return PackageManager.COMPONENT_ENABLED_STATE_DEFAULT;
+ } else {
+ return PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
+ }
+ case EUICC_SUPPORT_PIXEL_PKG_NAME:
+ if (userId == UserHandle.USER_SYSTEM) {
+ // EuiccSupportPixel handles firmware updates and should always be enabled.
+ // It was previously unconditionally disabled after reboot.
+ return PackageManager.COMPONENT_ENABLED_STATE_DEFAULT;
+ } else {
+ // one of the previous OS versions enabled EuiccSupportPixel in all users
+ return PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
+ }
default:
return null;
}
@@ -30,6 +50,16 @@ public class PackageManagerHooks {
String pkgName = pkg.getPackageName();
switch (pkgName) {
+ case EUICC_SUPPORT_PIXEL_PKG_NAME:
+ // EuiccSupportPixel uses INTERNET perm only as part of its dev mode
+ removeUsesPermissions(pkg, Manifest.permission.INTERNET);
+ return;
+ case OPENEUICC_PKG_NAME:
+ // this is the same as android:enabled="false" in <application> AndroidManifest tag,
+ // it makes the package disabled by default on first boot, when there's no
+ // serialized package state
+ pkg.setEnabled(SystemProperties.getBoolean(OPENEUICC_TOGGLE, false));
+ return;
default:
return;
}
@@ -86,5 +116,6 @@ public class PackageManagerHooks {
// Packages in this array are restricted from interacting with and being interacted by non-system apps
private static final ArraySet<String> restrictedVisibilityPackages = new ArraySet<>(new String[] {
+ EUICC_SUPPORT_PIXEL_PKG_NAME,
});
}

View File

@ -1,22 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 16:28:57 -0400
Subject: [PATCH] require OTHER_SENSORS permission for sensors
Ported from 10: ff005a6b6a38baef95c4a01d7e1fc75aac651a58
---
libs/sensor/Sensor.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp
index a1549ea385..526e59ccfe 100644
--- a/libs/sensor/Sensor.cpp
+++ b/libs/sensor/Sensor.cpp
@@ -59,6 +59,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
mMinDelay = hwSensor.minDelay;
mFlags = 0;
mUuid = uuid;
+ mRequiredPermission = "android.permission.OTHER_SENSORS";
// Set fifo event count zero for older devices which do not support batching. Fused
// sensors also have their fifo counts set to zero.

View File

@ -1,54 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Sun, 24 Jul 2022 13:07:00 +0300
Subject: [PATCH] protect step sensors with OTHER_SENSORS permission for
targetSdk<29 apps
---
services/sensorservice/SensorService.cpp | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index e1c43c6fec..76cf6082ba 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -2292,17 +2292,9 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
}
const int32_t opCode = sensor.getRequiredAppOp();
- int targetSdkVersion = getTargetSdkVersion(opPackageName);
bool canAccess = false;
- if (targetSdkVersion > 0 && targetSdkVersion <= __ANDROID_API_P__ &&
- (sensor.getType() == SENSOR_TYPE_STEP_COUNTER ||
- sensor.getType() == SENSOR_TYPE_STEP_DETECTOR)) {
- // Allow access to step sensors if the application targets pre-Q, which is before the
- // requirement to hold the AR permission to access Step Counter and Step Detector events
- // was introduced.
- canAccess = true;
- } else if (hasPermissionForSensor(sensor)) {
+ if (hasPermissionForSensor(sensor)) {
// Ensure that the AppOp is allowed, or that there is no necessary app op for the sensor
if (opCode >= 0) {
const int32_t appOpMode = sAppOpsManager.checkOp(opCode,
@@ -2311,6 +2303,20 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
} else {
canAccess = true;
}
+ } else {
+ int targetSdkVersion = getTargetSdkVersion(opPackageName);
+ if (targetSdkVersion > 0 && targetSdkVersion <= __ANDROID_API_P__ &&
+ (sensor.getType() == SENSOR_TYPE_STEP_COUNTER ||
+ sensor.getType() == SENSOR_TYPE_STEP_DETECTOR)) {
+
+ // upstream allows access to these sensors without the ACTIVITY_RECOGNITION permission
+ // for targetSdk < 29 apps, enforce the OTHER_SENSORS permission instead
+ const String16 requiredPermission("android.permission.OTHER_SENSORS");
+
+ // copied from hasPermissionForSensor() below
+ canAccess = checkPermission(requiredPermission,
+ IPCThreadState::self()->getCallingPid(), IPCThreadState::self()->getCallingUid());
+ }
}
if (!canAccess) {

View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 26 Dec 2023 21:59:58 +0200
Subject: [PATCH] exempt system processes from OTHER_SENSORS permission
enforcement
---
services/sensorservice/SensorService.cpp | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 76cf6082ba..7245b3fa78 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -2304,6 +2304,16 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
canAccess = true;
}
} else {
+ if (sensor.getRequiredPermission() == "android.permission.OTHER_SENSORS") {
+ if (IPCThreadState::self()->getCallingUid() < AID_APP_START) {
+ // System processes do not expect that sensors that are protected by OTHER_SENSORS
+ // on GrapheneOS require a permission.
+ //
+ // The lack of this check led to crashes of the closed-source gpsd daemon.
+ return true;
+ }
+ }
+
int targetSdkVersion = getTargetSdkVersion(opPackageName);
if (targetSdkVersion > 0 && targetSdkVersion <= __ANDROID_API_P__ &&
(sensor.getType() == SENSOR_TYPE_STEP_COUNTER ||

View File

@ -1,32 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 14 Dec 2021 21:10:51 +0200
Subject: [PATCH] don't throw SecurityException when INTERNET permission is
revoked
---
ojluni/src/main/java/java/net/Inet6AddressImpl.java | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
index 84bcf17edae..fda9674e08e 100644
--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
@@ -141,16 +141,7 @@ class Inet6AddressImpl implements InetAddressImpl {
addressCache.put(host, netId, addresses);
return addresses;
} catch (GaiException gaiException) {
- // If the failure appears to have been a lack of INTERNET permission, throw a clear
- // SecurityException to aid in debugging this common mistake.
- // http://code.google.com/p/android/issues/detail?id=15722
- if (gaiException.getCause() instanceof ErrnoException) {
- int errno = ((ErrnoException) gaiException.getCause()).errno;
- if (errno == EACCES || errno == EPERM) {
- throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
- }
- }
- // Otherwise, throw an UnknownHostException.
+ // Throw an UnknownHostException.
String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
addressCache.putUnknownHost(host, netId, detailMessage);
throw gaiException.rethrowAsUnknownHostException(detailMessage);

View File

@ -1,172 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 20 Apr 2022 01:04:27 -0400
Subject: [PATCH] Add a toggle for OpenEUICC enablement
Copy and pasted from the GrapheneOS exec spawning toggle patch
Change-Id: Ibea6ea9bed1c2ae3491f403d9e5c17c1d1c403f1
Signed-off-by: Tad <tad@spotco.us>
---
res/values/strings.xml | 3 +
res/xml/security_dashboard_settings.xml | 6 +
.../OpenEuiccPreferenceController.java | 106 ++++++++++++++++++
.../settings/security/SecuritySettings.java | 1 +
4 files changed, 116 insertions(+)
create mode 100644 src/com/android/settings/security/OpenEuiccPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 5d99076843f..44aacacb5a7 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -677,6 +677,9 @@
<string name="sig_spoof_title">Unprivileged microG enablement</string>
<string name="sig_spoof_summary">Allows official builds of microG apps to function. Not supported, not recommended. May break apps and/or degrade their security model. Notes: 1) microG connects directly to Google, 2) apps talking to microG do so using proprietary Google libraries, 3) microG can download/execute proprietary code from Google.</string>
+ <string name="openeuicc_title">Enable eUICC management</string>
+ <string name="openeuicc_summary">Enables the OpenEUICC app to allow management of virtual (eSIM) and physical eUICC cards. Reboot required after toggling.</string>
+
<!-- Text shown for summary of owner info setting (if none set) [CHAR LIMIT=40]-->
<string name="owner_info_settings_summary">None</string>
<!-- Hint text shown in owner info edit text [CHAR LIMIT=50] -->
diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
index 604e8720e6f..de90cec5bcc 100644
--- a/res/xml/security_dashboard_settings.xml
+++ b/res/xml/security_dashboard_settings.xml
@@ -92,6 +92,12 @@
android:title="@string/sig_spoof_title"
android:summary="@string/sig_spoof_summary"
android:persistent="false" />
+
+ <SwitchPreference
+ android:key="openeuicc"
+ android:title="@string/openeuicc_title"
+ android:summary="@string/openeuicc_summary"
+ android:persistent="false" />
</PreferenceCategory>
<Preference
diff --git a/src/com/android/settings/security/OpenEuiccPreferenceController.java b/src/com/android/settings/security/OpenEuiccPreferenceController.java
new file mode 100644
index 00000000000..9ecfa96bfd5
--- /dev/null
+++ b/src/com/android/settings/security/OpenEuiccPreferenceController.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+
+import android.os.UserHandle;
+import android.os.UserManager;
+import android.os.SystemProperties;
+
+import android.provider.Settings;
+
+import androidx.preference.Preference;
+import androidx.preference.PreferenceCategory;
+import androidx.preference.PreferenceGroup;
+import androidx.preference.PreferenceScreen;
+import androidx.preference.TwoStatePreference;
+import androidx.preference.SwitchPreference;
+
+import com.android.internal.widget.LockPatternUtils;
+import com.android.settings.core.PreferenceControllerMixin;
+import com.android.settingslib.core.AbstractPreferenceController;
+import com.android.settingslib.core.lifecycle.events.OnResume;
+
+public class OpenEuiccPreferenceController extends AbstractPreferenceController
+ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
+
+ private static final String SYS_KEY_OPENEUICC_ENABLE = "persist.security.openeuicc";
+ private static final String PREF_KEY_OPENEUICC_ENABLE = "openeuicc";
+ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
+
+ private PreferenceCategory mSecurityCategory;
+ private SwitchPreference mOpenEuiccEnable;
+ private boolean mIsAdmin;
+ private UserManager mUm;
+
+ public OpenEuiccPreferenceController(Context context) {
+ super(context);
+ mUm = UserManager.get(context);
+ }
+
+ @Override
+ public void displayPreference(PreferenceScreen screen) {
+ super.displayPreference(screen);
+ mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
+ updatePreferenceState();
+ }
+
+ @Override
+ public boolean isAvailable() {
+ mIsAdmin = mUm.isAdminUser();
+ return mIsAdmin;
+ }
+
+ @Override
+ public String getPreferenceKey() {
+ return PREF_KEY_OPENEUICC_ENABLE;
+ }
+
+ // TODO: should we use onCreatePreferences() instead?
+ private void updatePreferenceState() {
+ if (mSecurityCategory == null) {
+ return;
+ }
+
+ if (mIsAdmin) {
+ mOpenEuiccEnable = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_OPENEUICC_ENABLE);
+ mOpenEuiccEnable.setChecked(SystemProperties.getInt(SYS_KEY_OPENEUICC_ENABLE, 0) == 1);
+ } else {
+ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_OPENEUICC_ENABLE));
+ }
+ }
+
+ @Override
+ public void onResume() {
+ updatePreferenceState();
+ if (mOpenEuiccEnable != null) {
+ boolean mode = mOpenEuiccEnable.isChecked();
+ SystemProperties.set(SYS_KEY_OPENEUICC_ENABLE, mode ? "1" : "0");
+ }
+ }
+
+ @Override
+ public boolean onPreferenceChange(Preference preference, Object value) {
+ final String key = preference.getKey();
+ if (PREF_KEY_OPENEUICC_ENABLE.equals(key)) {
+ final boolean mode = !mOpenEuiccEnable.isChecked();
+ SystemProperties.set(SYS_KEY_OPENEUICC_ENABLE, mode ? "1" : "0");
+ }
+ return true;
+ }
+}
diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
index f009703ed24..ee9acc01f6b 100644
--- a/src/com/android/settings/security/SecuritySettings.java
+++ b/src/com/android/settings/security/SecuritySettings.java
@@ -110,6 +110,7 @@ public class SecuritySettings extends DashboardFragment {
securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
securityPreferenceControllers.add(new HostsPreferenceController(context));
securityPreferenceControllers.add(new SigSpoofPreferenceController(context));
+ securityPreferenceControllers.add(new OpenEuiccPreferenceController(context));
controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
.setChildren(securityPreferenceControllers));
controllers.addAll(securityPreferenceControllers);

View File

@ -17,12 +17,12 @@ Signed-off-by: Tad <tad@spotco.us>
create mode 100644 src/com/android/settings/security/CarrierConfig2PreferenceController.java create mode 100644 src/com/android/settings/security/CarrierConfig2PreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index 44aacacb5a7..4766f048364 100644 index 5d99076843f..c713758a2cb 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -680,6 +680,9 @@ @@ -677,6 +677,9 @@
<string name="openeuicc_title">Enable eUICC management</string> <string name="sig_spoof_title">Unprivileged microG enablement</string>
<string name="openeuicc_summary">Enables the OpenEUICC app to allow management of virtual (eSIM) and physical eUICC cards. Reboot required after toggling.</string> <string name="sig_spoof_summary">Allows official builds of microG apps to function. Not supported, not recommended. May break apps and/or degrade their security model. Notes: 1) microG connects directly to Google, 2) apps talking to microG do so using proprietary Google libraries, 3) microG can download/execute proprietary code from Google.</string>
+ <string name="carrierconfig2_title">Enable CarrierConfig2</string> + <string name="carrierconfig2_title">Enable CarrierConfig2</string>
+ <string name="carrierconfig2_summary">Use a larger Google database instead of the AOSP database for carrier specific configurations. May improve cellular network compatibility &amp; functionality. Requires reboot.</string> + <string name="carrierconfig2_summary">Use a larger Google database instead of the AOSP database for carrier specific configurations. May improve cellular network compatibility &amp; functionality. Requires reboot.</string>
@ -31,12 +31,12 @@ index 44aacacb5a7..4766f048364 100644
<string name="owner_info_settings_summary">None</string> <string name="owner_info_settings_summary">None</string>
<!-- Hint text shown in owner info edit text [CHAR LIMIT=50] --> <!-- Hint text shown in owner info edit text [CHAR LIMIT=50] -->
diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
index de90cec5bcc..d8766ab41a3 100644 index 604e8720e6f..441231e2b7c 100644
--- a/res/xml/security_dashboard_settings.xml --- a/res/xml/security_dashboard_settings.xml
+++ b/res/xml/security_dashboard_settings.xml +++ b/res/xml/security_dashboard_settings.xml
@@ -98,6 +98,12 @@ @@ -92,6 +92,12 @@
android:title="@string/openeuicc_title" android:title="@string/sig_spoof_title"
android:summary="@string/openeuicc_summary" android:summary="@string/sig_spoof_summary"
android:persistent="false" /> android:persistent="false" />
+ +
+ <SwitchPreference + <SwitchPreference
@ -160,13 +160,13 @@ index 00000000000..a3e5aa17591
+ } + }
+} +}
diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
index ee9acc01f6b..c52bb957697 100644 index f009703ed24..2e1f2765614 100644
--- a/src/com/android/settings/security/SecuritySettings.java --- a/src/com/android/settings/security/SecuritySettings.java
+++ b/src/com/android/settings/security/SecuritySettings.java +++ b/src/com/android/settings/security/SecuritySettings.java
@@ -111,6 +111,7 @@ public class SecuritySettings extends DashboardFragment { @@ -110,6 +110,7 @@ public class SecuritySettings extends DashboardFragment {
securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
securityPreferenceControllers.add(new HostsPreferenceController(context)); securityPreferenceControllers.add(new HostsPreferenceController(context));
securityPreferenceControllers.add(new SigSpoofPreferenceController(context)); securityPreferenceControllers.add(new SigSpoofPreferenceController(context));
securityPreferenceControllers.add(new OpenEuiccPreferenceController(context));
+ securityPreferenceControllers.add(new CarrierConfig2PreferenceController(context)); + securityPreferenceControllers.add(new CarrierConfig2PreferenceController(context));
controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY) controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
.setChildren(securityPreferenceControllers)); .setChildren(securityPreferenceControllers));

View File

@ -1,209 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Wed, 6 Oct 2021 03:05:49 +0300
Subject: [PATCH] enforce INTERNET permission per-uid instead of per-appId
13: 0a4c2f9719
---
bpf_progs/netd.c | 10 +--
.../connectivity/PermissionMonitor.java | 63 ++++++++++++++-----
2 files changed, 48 insertions(+), 25 deletions(-)
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 0fad7ecb6e..9542ab8a03 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -664,14 +664,8 @@ DEFINE_XTBPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_den
}
static __always_inline inline uint8_t get_app_permissions(uint32_t uid) {
- /*
- * A given app is guaranteed to have the same app ID in all the profiles in
- * which it is installed, and install permission is granted to app for all
- * user at install time so we only check the appId part of a request uid at
- * run time. See UserHandle#isSameApp for detail.
- */
- uint32_t appId = uid % AID_USER_OFFSET; // == PER_USER_RANGE == 100000
- uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
+ uint32_t uid = (gid_uid & 0xffffffff);
+ uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&uid);
// if UID not in map, then default to just INTERNET permission.
return permissions ? *permissions : BPF_PERMISSION_INTERNET;
}
diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
index b5c8f184df..5a9caf1e25 100755
--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
+++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
@@ -426,6 +426,11 @@ public class PermissionMonitor {
userAllContext.registerReceiver(
mIntentReceiver, intentFilter, null /* broadcastPermission */, handler);
+ mPackageManager.addOnPermissionsChangeListener(uid -> {
+ // traffic permissions are INTERNET and UPDATE_DEVICE_STATS
+ handler.post(() -> sendPackagePermissionsForUid(uid, getTrafficPermissionForUid(uid)));
+ });
+
// Listen to EXTERNAL_APPLICATIONS_AVAILABLE is that an app becoming available means it may
// need to gain a permission. But an app that becomes unavailable can neither gain nor lose
// permissions on that account, it just can no longer run. Thus, doesn't need to listen to
@@ -600,7 +605,7 @@ public class PermissionMonitor {
mUsersTrafficPermissions.put(user, addedUserAppIds);
// Generate appIds from all users and send result to netd.
final SparseIntArray appIds = makeAppIdsTrafficPermForAllUsers();
- sendAppIdsTrafficPermission(appIds);
+ sendUidsTrafficPermission(user.getIdentifier(), appIds);
// Log user added
mPermissionUpdateLogs.log("New user(" + user.getIdentifier() + ") added: nPerm uids="
@@ -649,7 +654,7 @@ public class PermissionMonitor {
appIds.put(appId, PERMISSION_UNINSTALLED);
}
}
- sendAppIdsTrafficPermission(appIds);
+ sendUidsTrafficPermission(user.getIdentifier(), appIds);
// Log user removed
mPermissionUpdateLogs.log("User(" + user.getIdentifier() + ") removed: nPerm uids="
@@ -773,16 +778,25 @@ public class PermissionMonitor {
}
}
- private synchronized int getAppIdTrafficPermission(int appId) {
+ private synchronized int getUidTrafficPermission(final int uid) {
+ final int userId = UserHandle.getUserId(uid);
+
int permission = PERMISSION_NONE;
boolean installed = false;
+
for (UserHandle user : mUsersTrafficPermissions.keySet()) {
+ if (user.getIdentifier() != userId) {
+ continue;
+ }
+
final SparseIntArray userApps = mUsersTrafficPermissions.get(user);
+ final int appId = UserHandle.getAppId(uid);
final int appIdx = userApps.indexOfKey(appId);
if (appIdx >= 0) {
permission |= userApps.valueAt(appIdx);
installed = true;
}
+ break;
}
return installed ? permission : PERMISSION_UNINSTALLED;
}
@@ -801,8 +815,8 @@ public class PermissionMonitor {
updateAppIdTrafficPermission(uid);
// Get the appId permission from all users then send the latest permission to netd.
final int appId = UserHandle.getAppId(uid);
- final int appIdTrafficPerm = getAppIdTrafficPermission(appId);
- sendPackagePermissionsForAppId(appId, appIdTrafficPerm);
+ final int uidTrafficPerm = getUidTrafficPermission(uid);
+ sendPackagePermissionsForUid(uid, uidTrafficPerm);
final int currentPermission = mUidToNetworkPerm.get(uid, PERMISSION_NONE);
final int permission = highestPermissionForUid(uid, currentPermission, packageName);
@@ -832,7 +846,7 @@ public class PermissionMonitor {
mPermissionUpdateLogs.log("Package add: uid=" + uid
+ ", nPerm=(" + permissionToString(permission) + "/"
+ permissionToString(currentPermission) + ")"
- + ", tPerm=" + permissionToString(appIdTrafficPerm));
+ + ", tPerm=" + permissionToString(uidTrafficPerm));
}
private int highestUidNetworkPermission(int uid) {
@@ -865,8 +879,8 @@ public class PermissionMonitor {
updateAppIdTrafficPermission(uid);
// Get the appId permission from all users then send the latest permission to netd.
final int appId = UserHandle.getAppId(uid);
- final int appIdTrafficPerm = getAppIdTrafficPermission(appId);
- sendPackagePermissionsForAppId(appId, appIdTrafficPerm);
+ final int uidTrafficPerm = getUidTrafficPermission(uid);
+ sendPackagePermissionsForUid(uid, uidTrafficPerm);
// If the newly-removed package falls within some VPN's uid range, update Netd with it.
// This needs to happen before the mUidToNetworkPerm update below, since
@@ -886,7 +900,7 @@ public class PermissionMonitor {
mPermissionUpdateLogs.log("Package remove: uid=" + uid
+ ", nPerm=(" + permissionToString(permission) + "/"
+ permissionToString(currentPermission) + ")"
- + ", tPerm=" + permissionToString(appIdTrafficPerm));
+ + ", tPerm=" + permissionToString(uidTrafficPerm));
if (permission != currentPermission) {
final SparseIntArray apps = new SparseIntArray();
@@ -1170,14 +1184,17 @@ public class PermissionMonitor {
* @hide
*/
@VisibleForTesting
- void sendPackagePermissionsForAppId(int appId, int permissions) {
+ void sendPackagePermissionsForUid(int uid, int permissions) {
+ int userId = UserHandle.getUserId(uid);
+ int appId = UserHandle.getAppId(uid);
+
SparseIntArray netdPermissionsAppIds = new SparseIntArray();
netdPermissionsAppIds.put(appId, permissions);
if (hasSdkSandbox(appId)) {
int sdkSandboxAppId = sProcessShim.toSdkSandboxUid(appId);
netdPermissionsAppIds.put(sdkSandboxAppId, permissions);
}
- sendAppIdsTrafficPermission(netdPermissionsAppIds);
+ sendUidsTrafficPermission(userId, netdPermissionsAppIds);
}
/**
@@ -1189,7 +1206,7 @@ public class PermissionMonitor {
* @hide
*/
@VisibleForTesting
- void sendAppIdsTrafficPermission(SparseIntArray netdPermissionsAppIds) {
+ void sendUidsTrafficPermission(final int userId, SparseIntArray netdPermissionsAppIds) {
ensureRunningOnHandlerThread();
final ArrayList<Integer> allPermissionAppIds = new ArrayList<>();
final ArrayList<Integer> internetPermissionAppIds = new ArrayList<>();
@@ -1224,29 +1241,41 @@ public class PermissionMonitor {
if (allPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(
PERMISSION_INTERNET | PERMISSION_UPDATE_DEVICE_STATS,
- toIntArray(allPermissionAppIds));
+ appIdListToUidArray(userId, allPermissionAppIds));
}
if (internetPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_INTERNET,
- toIntArray(internetPermissionAppIds));
+ appIdListToUidArray(userId, internetPermissionAppIds));
}
if (updateStatsPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_UPDATE_DEVICE_STATS,
- toIntArray(updateStatsPermissionAppIds));
+ appIdListToUidArray(userId, updateStatsPermissionAppIds));
}
if (noPermissionAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_NONE,
- toIntArray(noPermissionAppIds));
+ appIdListToUidArray(userId, noPermissionAppIds));
}
if (uninstalledAppIds.size() != 0) {
mBpfNetMaps.setNetPermForUids(PERMISSION_UNINSTALLED,
- toIntArray(uninstalledAppIds));
+ appIdListToUidArray(userId, uninstalledAppIds));
}
} catch (RemoteException | ServiceSpecificException e) {
Log.e(TAG, "Pass appId list of special permission failed." + e);
}
}
+ private static int[] appIdListToUidArray(int userId, ArrayList<Integer> appIds) {
+ final int cnt = appIds.size();
+ int[] array = new int[cnt];
+
+ for (int i = 0; i < cnt; ++i) {
+ int appId = appIds.get(i).intValue();
+ array[i] = UserHandle.getUid(userId, appId);
+ }
+
+ return array;
+ }
+
private synchronized void onSettingChanged() {
// Step1. Update uids allowed to use restricted networks and compute the set of uids to
// update.

View File

@ -1,59 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 30 Aug 2022 12:27:52 +0300
Subject: [PATCH] don't crash INTERNET-unaware apps that try to access
NsdManager
---
.../src/android/net/nsd/NsdManager.java | 38 ++++++++++++++++---
1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/framework-t/src/android/net/nsd/NsdManager.java b/framework-t/src/android/net/nsd/NsdManager.java
index 1001423732..d3110e49d9 100644
--- a/framework-t/src/android/net/nsd/NsdManager.java
+++ b/framework-t/src/android/net/nsd/NsdManager.java
@@ -723,11 +723,39 @@ public final class NsdManager {
// Instead of launching separate threads to handle tasks from the various instances.
mHandler = new ServiceHandler(ConnectivityThread.getInstanceLooper());
- try {
- mService = service.connect(new NsdCallbackImpl(mHandler), CompatChanges.isChangeEnabled(
- ENABLE_PLATFORM_MDNS_BACKEND));
- } catch (RemoteException e) {
- throw new RuntimeException("Failed to connect to NsdService");
+ if (android.content.pm.SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ // INsdManager#connect() enforces INTERNET permission
+ mService = new INsdServiceConnector() {
+ final NsdCallbackImpl callback = new NsdCallbackImpl(mHandler);
+
+ @Override public void registerService(int listenerKey, NsdServiceInfo serviceInfo) {
+ callback.onRegisterServiceFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void unregisterService(int listenerKey) {
+ callback.onUnregisterServiceFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void discoverServices(int listenerKey, NsdServiceInfo serviceInfo) {
+ callback.onDiscoverServicesFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void stopDiscovery(int listenerKey) {
+ callback.onStopDiscoveryFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void resolveService(int listenerKey, NsdServiceInfo serviceInfo) {
+ callback.onResolveServiceFailed(listenerKey, FAILURE_INTERNAL_ERROR);
+ }
+ @Override public void startDaemon() {}
+ @Override public void stopResolution(int listenerKey) {}
+ @Override public void registerServiceInfoCallback(int listenerKey, NsdServiceInfo serviceInfo) {}
+ @Override public void unregisterServiceInfoCallback(int listenerKey) {}
+ @Override public android.os.IBinder asBinder() { return null; }
+ };
+ } else {
+ try {
+ mService = service.connect(new NsdCallbackImpl(mHandler), CompatChanges.isChangeEnabled(
+ ENABLE_PLATFORM_MDNS_BACKEND));
+ } catch (RemoteException e) {
+ throw new RuntimeException("Failed to connect to NsdService");
+ }
}
// Only proactively start the daemon if the target SDK < S AND platform < V, For target

View File

@ -1,374 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 5 Oct 2023 09:39:18 +0300
Subject: [PATCH] ConnectivityManager: pretend that network is down to
INTERNET-unaware callers
---
.../src/android/net/ConnectivityManager.java | 129 ++++++++++++++++++
1 file changed, 129 insertions(+)
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 915ec52e77..08651038df 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -43,6 +43,7 @@ import android.compat.annotation.UnsupportedAppUsage;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.SpecialRuntimePermAppUtils;
import android.net.ConnectivityDiagnosticsManager.DataStallReport.DetectionMethod;
import android.net.IpSecManager.UdpEncapsulationSocket;
import android.net.SocketKeepalive.Callback;
@@ -1383,6 +1384,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@Nullable
public NetworkInfo getActiveNetworkInfo() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getActiveNetworkInfo();
} catch (RemoteException e) {
@@ -1404,6 +1409,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@Nullable
public Network getActiveNetwork() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getActiveNetwork();
} catch (RemoteException e) {
@@ -1637,6 +1646,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@Nullable
public NetworkInfo getNetworkInfo(int networkType) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getNetworkInfo(networkType);
} catch (RemoteException e) {
@@ -1658,6 +1671,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@Nullable
public NetworkInfo getNetworkInfo(@Nullable Network network) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
return getNetworkInfoForUid(network, Process.myUid(), false);
}
@@ -1684,6 +1701,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@NonNull
public NetworkInfo[] getAllNetworkInfo() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new NetworkInfo[0];
+ }
+
try {
return mService.getAllNetworkInfo();
} catch (RemoteException e) {
@@ -1723,6 +1744,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@UnsupportedAppUsage
public Network getNetworkForType(int networkType) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getNetworkForType(networkType);
} catch (RemoteException e) {
@@ -1746,6 +1771,10 @@ public class ConnectivityManager {
@NonNull
@Deprecated
public Network[] getAllNetworks() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new Network[0];
+ }
+
try {
return mService.getAllNetworks();
} catch (RemoteException e) {
@@ -1784,6 +1813,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 109783091)
public LinkProperties getActiveLinkProperties() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getActiveLinkProperties();
} catch (RemoteException e) {
@@ -1809,6 +1842,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 130143562)
public LinkProperties getLinkProperties(int networkType) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getLinkPropertiesForType(networkType);
} catch (RemoteException e) {
@@ -1826,6 +1863,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@Nullable
public LinkProperties getLinkProperties(@Nullable Network network) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getLinkProperties(network);
} catch (RemoteException e) {
@@ -1880,6 +1921,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@Nullable
public NetworkCapabilities getNetworkCapabilities(@Nullable Network network) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return null;
+ }
+
try {
return mService.getNetworkCapabilities(
network, mContext.getOpPackageName(), getAttributionTag());
@@ -2892,6 +2937,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage
@Deprecated
public String[] getTetherableIfaces() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new String[0];
+ }
+
return getTetheringManager().getTetherableIfaces();
}
@@ -2907,6 +2956,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage
@Deprecated
public String[] getTetheredIfaces() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new String[0];
+ }
+
return getTetheringManager().getTetheredIfaces();
}
@@ -2928,6 +2981,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage
@Deprecated
public String[] getTetheringErroredIfaces() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new String[0];
+ }
+
return getTetheringManager().getTetheringErroredIfaces();
}
@@ -3234,6 +3291,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage
@Deprecated
public String[] getTetherableUsbRegexs() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new String[0];
+ }
+
return getTetheringManager().getTetherableUsbRegexs();
}
@@ -3252,6 +3313,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage
@Deprecated
public String[] getTetherableWifiRegexs() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new String[0];
+ }
+
return getTetheringManager().getTetherableWifiRegexs();
}
@@ -3271,6 +3336,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage
@Deprecated
public String[] getTetherableBluetoothRegexs() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return new String[0];
+ }
+
return getTetheringManager().getTetherableBluetoothRegexs();
}
@@ -3411,6 +3480,10 @@ public class ConnectivityManager {
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
@Deprecated
public int getLastTetherError(String iface) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return TetheringManager.TETHER_ERROR_UNKNOWN_IFACE;
+ }
+
int error = getTetheringManager().getLastTetherError(iface);
if (error == TetheringManager.TETHER_ERROR_UNKNOWN_TYPE) {
// TETHER_ERROR_UNKNOWN_TYPE was introduced with TetheringManager and has never been
@@ -3553,6 +3626,10 @@ public class ConnectivityManager {
* Internet using {@code network} or {@code false} if not.
*/
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
printStackTrace();
try {
mService.reportNetworkConnectivity(network, hasConnectivity);
@@ -3659,6 +3736,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 130143562)
public boolean isNetworkSupported(int networkType) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return false;
+ }
+
try {
return mService.isNetworkSupported(networkType);
} catch (RemoteException e) {
@@ -3679,6 +3760,10 @@ public class ConnectivityManager {
*/
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public boolean isActiveNetworkMetered() {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return false;
+ }
+
try {
return mService.isActiveNetworkMetered();
} catch (RemoteException e) {
@@ -4746,6 +4831,10 @@ public class ConnectivityManager {
* corresponding NetworkRequest you'd like to remove. Cannot be null.
*/
public void releaseNetworkRequest(@NonNull PendingIntent operation) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
printStackTrace();
checkPendingIntentNotNull(operation);
try {
@@ -4793,6 +4882,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public void registerNetworkCallback(@NonNull NetworkRequest request,
@NonNull NetworkCallback networkCallback) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
registerNetworkCallback(request, networkCallback, getDefaultHandler());
}
@@ -4821,6 +4914,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public void registerNetworkCallback(@NonNull NetworkRequest request,
@NonNull NetworkCallback networkCallback, @NonNull Handler handler) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
CallbackHandler cbHandler = new CallbackHandler(handler);
NetworkCapabilities nc = request.networkCapabilities;
sendRequestForNetwork(nc, networkCallback, 0, LISTEN, TYPE_NONE, cbHandler);
@@ -4869,6 +4966,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public void registerNetworkCallback(@NonNull NetworkRequest request,
@NonNull PendingIntent operation) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
printStackTrace();
checkPendingIntentNotNull(operation);
try {
@@ -4904,6 +5005,10 @@ public class ConnectivityManager {
*/
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public void registerDefaultNetworkCallback(@NonNull NetworkCallback networkCallback) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
registerDefaultNetworkCallback(networkCallback, getDefaultHandler());
}
@@ -4930,6 +5035,10 @@ public class ConnectivityManager {
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public void registerDefaultNetworkCallback(@NonNull NetworkCallback networkCallback,
@NonNull Handler handler) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
registerDefaultNetworkCallbackForUid(Process.INVALID_UID, networkCallback, handler);
}
@@ -5035,6 +5144,10 @@ public class ConnectivityManager {
@SuppressLint("ExecutorRegistration")
public void registerBestMatchingNetworkCallback(@NonNull NetworkRequest request,
@NonNull NetworkCallback networkCallback, @NonNull Handler handler) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
final NetworkCapabilities nc = request.networkCapabilities;
final CallbackHandler cbHandler = new CallbackHandler(handler);
sendRequestForNetwork(nc, networkCallback, 0, LISTEN_FOR_BEST, TYPE_NONE, cbHandler);
@@ -5053,6 +5166,10 @@ public class ConnectivityManager {
* @return {@code true} on success, {@code false} if the {@link Network} is no longer valid.
*/
public boolean requestBandwidthUpdate(@NonNull Network network) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return false;
+ }
+
try {
return mService.requestBandwidthUpdate(network);
} catch (RemoteException e) {
@@ -5073,6 +5190,10 @@ public class ConnectivityManager {
* @param networkCallback The {@link NetworkCallback} used when making the request.
*/
public void unregisterNetworkCallback(@NonNull NetworkCallback networkCallback) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
printStackTrace();
checkCallbackNotNull(networkCallback);
final List<NetworkRequest> reqs = new ArrayList<>();
@@ -5115,6 +5236,10 @@ public class ConnectivityManager {
* Cannot be null.
*/
public void unregisterNetworkCallback(@NonNull PendingIntent operation) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return;
+ }
+
releaseNetworkRequest(operation);
}
@@ -5334,6 +5459,10 @@ public class ConnectivityManager {
*/
@RequiresPermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
public @MultipathPreference int getMultipathPreference(@Nullable Network network) {
+ if (SpecialRuntimePermAppUtils.isInternetCompatEnabled()) {
+ return 0;
+ }
+
try {
return mService.getMultipathPreference(network);
} catch (RemoteException e) {

View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 5 Mar 2024 17:11:53 +0200
Subject: [PATCH] fixup! don't crash INTERNET-unaware apps that try to access
NsdManager
---
framework-t/src/android/net/nsd/NsdManager.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/framework-t/src/android/net/nsd/NsdManager.java b/framework-t/src/android/net/nsd/NsdManager.java
index d3110e49d9..9d8ac37a84 100644
--- a/framework-t/src/android/net/nsd/NsdManager.java
+++ b/framework-t/src/android/net/nsd/NsdManager.java
@@ -38,6 +38,7 @@ import android.net.ConnectivityManager.NetworkCallback;
import android.net.ConnectivityThread;
import android.net.Network;
import android.net.NetworkRequest;
+import android.net.nsd.IOffloadEngine;
import android.os.Handler;
import android.os.Looper;
import android.os.Message;
@@ -747,6 +748,8 @@ public final class NsdManager {
@Override public void stopResolution(int listenerKey) {}
@Override public void registerServiceInfoCallback(int listenerKey, NsdServiceInfo serviceInfo) {}
@Override public void unregisterServiceInfoCallback(int listenerKey) {}
+ @Override public void registerOffloadEngine(String ifaceName, IOffloadEngine cb, long offloadCapabilities, long offloadType) {}
+ @Override public void unregisterOffloadEngine(IOffloadEngine cb) {}
@Override public android.os.IBinder asBinder() { return null; }
};
} else {

View File

@ -1,190 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 23 Jul 2017 04:43:50 +0300
Subject: [PATCH] add special handling for INTERNET/OTHER_SENSORS
13: 6d4b86e01
---
.../data/HibernationSettingStateLiveData.kt | 3 ++-
.../permission/model/AppPermissionGroup.java | 5 ++--
.../permission/model/Permission.java | 4 ++-
.../service/AutoRevokePermissions.kt | 4 +--
.../permission/utils/KotlinUtils.kt | 3 +++
.../permission/utils/PermissionMapping.kt | 25 +++++++++++++++++++
6 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/data/HibernationSettingStateLiveData.kt b/PermissionController/src/com/android/permissioncontroller/permission/data/HibernationSettingStateLiveData.kt
index 75d965d02..5d2d95916 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/data/HibernationSettingStateLiveData.kt
+++ b/PermissionController/src/com/android/permissioncontroller/permission/data/HibernationSettingStateLiveData.kt
@@ -35,6 +35,7 @@ import com.android.permissioncontroller.hibernation.isPackageHibernationExemptBy
import com.android.permissioncontroller.permission.data.PackagePermissionsLiveData.Companion.NON_RUNTIME_NORMAL_PERMS
import com.android.permissioncontroller.permission.model.livedatatypes.HibernationSettingState
import com.android.permissioncontroller.permission.service.AUTO_REVOKE_EXEMPT_PERMISSIONS
+import com.android.permissioncontroller.permission.utils.PermissionMapping.isSpecialRuntimePermissionGroup
import kotlinx.coroutines.Job
/**
@@ -120,7 +121,7 @@ private constructor(
permName in AUTO_REVOKE_EXEMPT_PERMISSIONS
}
?: false
- if (!default && !allExempt) {
+ if (!default && !allExempt && !isSpecialRuntimePermissionGroup(groupName)) {
revocableGroups.add(groupName)
}
}
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/PermissionController/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
index 3b2cc7ee0..75da346ed 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+++ b/PermissionController/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
@@ -26,6 +26,7 @@ import static android.app.AppOpsManager.OPSTR_LEGACY_STORAGE;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
import static android.health.connect.HealthPermissions.HEALTH_PERMISSION_GROUP;
+import static com.android.permissioncontroller.permission.utils.PermissionMapping.isSpecialRuntimePermission;
import static com.android.permissioncontroller.permission.utils.Utils.isHealthPermissionUiEnabled;
import android.Manifest;
@@ -948,7 +949,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
permission.getName(),
mPackageInfo.applicationInfo.targetSdkVersion);
- if (mAppSupportsRuntimePermissions && !isPermissionSplitFromNonRuntime) {
+ if ((mAppSupportsRuntimePermissions && !isPermissionSplitFromNonRuntime) || isSpecialRuntimePermission(permission.getName())) {
// Do not touch permissions fixed by the system.
if (permission.isSystemFixed()) {
wasAllGranted = false;
@@ -1144,7 +1145,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
permission.getName(),
mPackageInfo.applicationInfo.targetSdkVersion);
- if (mAppSupportsRuntimePermissions && !isPermissionSplitFromNonRuntime) {
+ if ((mAppSupportsRuntimePermissions && !isPermissionSplitFromNonRuntime) || isSpecialRuntimePermission(permission.getName())) {
// Revoke the permission if needed.
if (permission.isGranted()) {
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/model/Permission.java b/PermissionController/src/com/android/permissioncontroller/permission/model/Permission.java
index 4daaeaec8..8962a0b81 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/model/Permission.java
+++ b/PermissionController/src/com/android/permissioncontroller/permission/model/Permission.java
@@ -24,6 +24,8 @@ import androidx.annotation.NonNull;
import java.util.ArrayList;
import java.util.Objects;
+import static com.android.permissioncontroller.permission.utils.PermissionMapping.isSpecialRuntimePermission;
+
/**
* A permission and it's properties.
*
@@ -137,7 +139,7 @@ public final class Permission {
* @return {@code true} if the permission (and the app-op) is granted.
*/
public boolean isGrantedIncludingAppOp() {
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && !isReviewRequired();
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || isSpecialRuntimePermission(mName));
}
public boolean isReviewRequired() {
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt b/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
index 8e1721219..6690c9cd7 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
+++ b/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
@@ -40,6 +40,7 @@ import com.android.permissioncontroller.permission.model.livedatatypes.LightAppP
import com.android.permissioncontroller.permission.model.livedatatypes.LightPackageInfo
import com.android.permissioncontroller.permission.utils.KotlinUtils
import com.android.permissioncontroller.permission.utils.PermissionMapping
+import com.android.permissioncontroller.permission.utils.PermissionMapping.isSpecialRuntimePermissionGroup
import com.android.permissioncontroller.permission.utils.application
import com.android.permissioncontroller.permission.utils.forEachInParallel
import com.android.permissioncontroller.permission.utils.updatePermissionFlags
@@ -139,8 +140,7 @@ suspend fun revokeAppPermissions(
!group.isGrantedByDefault &&
!group.isGrantedByRole &&
!group.isRevokeWhenRequested &&
- group.isUserSensitive
- ) {
+ group.isUserSensitive && !isSpecialRuntimePermissionGroup(groupName)) {
revocableGroups.add(groupName)
}
}
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt b/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
index 16c6d5aa9..3ebec4fd4 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
+++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
@@ -91,6 +91,7 @@ import com.android.permissioncontroller.permission.model.livedatatypes.LightPerm
import com.android.permissioncontroller.permission.model.livedatatypes.PermState
import com.android.permissioncontroller.permission.service.LocationAccessCheck
import com.android.permissioncontroller.permission.ui.handheld.SettingsWithLargeHeader
+import com.android.permissioncontroller.permission.utils.PermissionMapping.isSpecialRuntimePermission
import com.android.safetycenter.resources.SafetyCenterResourcesApk
import java.time.Duration
import java.util.concurrent.atomic.AtomicReference
@@ -954,6 +955,7 @@ object KotlinUtils {
val user = UserHandle.getUserHandleForUid(pkgInfo.uid)
val deviceId = group.deviceId
val supportsRuntime = pkgInfo.targetSdkVersion >= Build.VERSION_CODES.M
+ || isSpecialRuntimePermission(perm.name)
val isGrantingAllowed =
(!pkgInfo.isInstantApp || perm.isInstantPerm) &&
(supportsRuntime || !perm.isRuntimeOnly)
@@ -1285,6 +1287,7 @@ object KotlinUtils {
val deviceId = group.deviceId
var isGranted = perm.isGrantedIncludingAppOp
val supportsRuntime = group.packageInfo.targetSdkVersion >= Build.VERSION_CODES.M
+ || isSpecialRuntimePermission(perm.name)
var shouldKill = false
val affectsAppOp = permissionToOp(perm.name) != null || perm.isBackgroundPermission
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt b/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt
index 840a033c3..14ca4d36a 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt
+++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt
@@ -64,6 +64,9 @@ object PermissionMapping {
/** Mapping group -> permissions for all dangerous platform permissions */
private val PLATFORM_PERMISSION_GROUPS: MutableMap<String, MutableList<String>> = mutableMapOf()
+ private val SPECIAL_RUNTIME_PERMISSIONS: MutableMap<String, String> = mutableMapOf()
+ private val SPECIAL_RUNTIME_PERMISSION_GROUPS: MutableMap<String, MutableList<String>> = mutableMapOf()
+
/** Set of groups that will be able to receive one-time grant */
private val ONE_TIME_PERMISSION_GROUPS: MutableSet<String> = mutableSetOf()
@@ -183,10 +186,22 @@ object PermissionMapping {
Manifest.permission_group.SENSORS
}
+ PLATFORM_PERMISSIONS[Manifest.permission.INTERNET] = Manifest.permission_group.NETWORK
+ PLATFORM_PERMISSIONS[Manifest.permission.OTHER_SENSORS] = Manifest.permission_group.OTHER_SENSORS
+
+ SPECIAL_RUNTIME_PERMISSIONS[Manifest.permission.INTERNET] =
+ Manifest.permission_group.NETWORK
+ SPECIAL_RUNTIME_PERMISSIONS[Manifest.permission.OTHER_SENSORS] =
+ Manifest.permission_group.OTHER_SENSORS
+
for ((permission, permissionGroup) in PLATFORM_PERMISSIONS) {
PLATFORM_PERMISSION_GROUPS.getOrPut(permissionGroup) { mutableListOf() }.add(permission)
}
+ for ((permission, permissionGroup) in SPECIAL_RUNTIME_PERMISSIONS) {
+ SPECIAL_RUNTIME_PERMISSION_GROUPS.getOrPut(permissionGroup) { mutableListOf() }.add(permission)
+ }
+
ONE_TIME_PERMISSION_GROUPS.add(Manifest.permission_group.LOCATION)
ONE_TIME_PERMISSION_GROUPS.add(Manifest.permission_group.CAMERA)
ONE_TIME_PERMISSION_GROUPS.add(Manifest.permission_group.MICROPHONE)
@@ -405,4 +420,14 @@ object PermissionMapping {
return PERMISSION_GROUPS_TO_DATA_CATEGORIES.containsKey(permissionGroupName)
}
+
+ @JvmStatic
+ fun isSpecialRuntimePermission(permission: String): Boolean {
+ return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission)
+ }
+
+ @JvmStatic
+ fun isSpecialRuntimePermissionGroup(permissionGroup: String): Boolean {
+ return SPECIAL_RUNTIME_PERMISSION_GROUPS.containsKey(permissionGroup)
+ }
}

View File

@ -1,43 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Mon, 18 Oct 2021 10:23:42 +0300
Subject: [PATCH] fix usage UI summary for Network/Sensors
13: 9f1fd4ea8
---
PermissionController/res/values/strings.xml | 3 +++
.../ui/model/v31/PermissionUsageControlPreferenceUtils.kt | 7 ++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/PermissionController/res/values/strings.xml b/PermissionController/res/values/strings.xml
index 6e8005ad0..bc4739e44 100644
--- a/PermissionController/res/values/strings.xml
+++ b/PermissionController/res/values/strings.xml
@@ -1950,6 +1950,9 @@ Allow <xliff:g id="app_name" example="Gmail">%4$s</xliff:g> to upload a bug repo
<!-- Safety Label Change Notifications End -->
+ <!-- Summary text if tracking permission usage is not supported [CHAR LIMIT=60] -->
+ <string name="permission_usage_preference_summary_not_supported">Tracking usage not yet supported</string>
+
<!-- Summary for showing the last access text for today for Wear [CHAR LIMIT=50] -->
<string name="wear_app_perms_24h_access">Accessed <xliff:g id="time_date" example="12:42 PM">%1$s</xliff:g></string>
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/ui/model/v31/PermissionUsageControlPreferenceUtils.kt b/PermissionController/src/com/android/permissioncontroller/permission/ui/model/v31/PermissionUsageControlPreferenceUtils.kt
index 7d299fdda..fbc8022bb 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/ui/model/v31/PermissionUsageControlPreferenceUtils.kt
+++ b/PermissionController/src/com/android/permissioncontroller/permission/ui/model/v31/PermissionUsageControlPreferenceUtils.kt
@@ -75,7 +75,12 @@ object PermissionUsageControlPreferenceUtils {
if (count == 0) {
isEnabled = false
val permissionUsageSummaryNotUsed =
- if (show7Days) {
+ if (
+ groupName == Manifest.permission_group.NETWORK
+ || groupName == Manifest.permission_group.OTHER_SENSORS)
+ {
+ context.getString(R.string.permission_usage_preference_summary_not_supported)
+ } else if (show7Days) {
StringUtils.getIcuPluralsString(
context,
R.string.permission_usage_preference_summary_not_used_in_past_n_days,

View File

@ -1,21 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 6 Aug 2017 08:19:36 -0400
Subject: [PATCH] remove legacy NETWORK permission group reference
---
AndroidManifest.xml | 1 -
1 file changed, 1 deletion(-)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 336b2505..a6e61a4f 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -29,7 +29,6 @@
<!-- Allows to queue downloads without a notification shown while the download runs. -->
<permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
- android:permissionGroup="android.permission-group.NETWORK"
android:label="@string/permlab_downloadWithoutNotification"
android:description="@string/permdesc_downloadWithoutNotification"
android:protectionLevel="normal"/>

View File

@ -678,20 +678,29 @@ enableAutoVarInit() {
local DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'samsung/exynos9810' 'samsung/universal9810' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/vayu' 'xiaomi/sm8250' 'zuk/msm8996'); local DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'samsung/exynos9810' 'samsung/universal9810' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/vayu' 'xiaomi/sm8250' 'zuk/msm8996');
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
echo "auto-var-init: Starting!"; echo "auto-var-init: Starting!";
if [[ "$DOS_VERSION" == "LineageOS-21.0" ]]; then
local patch_suffix="-modern";
else
local patch_suffix="-deprecated";
fi;
for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}" for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"
do do
if [ -d "$DOS_BUILD_BASE/kernel/$kernel" ]; then if [ -d "$DOS_BUILD_BASE/kernel/$kernel" ]; then
cd "$DOS_BUILD_BASE/kernel/$kernel"; cd "$DOS_BUILD_BASE/kernel/$kernel";
if git apply --check "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch" &> /dev/null; then if git apply --check "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init$patch_suffix.patch" &> /dev/null; then
if git apply "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch" &> /dev/null; then #(GrapheneOS) if git apply "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init$patch_suffix.patch" &> /dev/null; then #(GrapheneOS)
echo "auto-var-init: Enabled for $kernel"; echo "auto-var-init: Enabled for $kernel";
else else
echo "auto-var-init: Failed to enable for $kernel"; echo "auto-var-init: Failed to enable for $kernel";
fi; fi;
elif git apply --check --reverse "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch" &> /dev/null; then elif git apply --check --reverse "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init$patch_suffix.patch" &> /dev/null; then
echo "auto-var-init: Already enabled for $kernel"; echo "auto-var-init: Already enabled for $kernel";
elif grep -q "trivial-auto-var-init=pattern" Makefile; then elif grep -q "trivial-auto-var-init=pattern" Makefile; then
if [[ "$DOS_VERSION" == "LineageOS-21.0" ]]; then
sed -i 's/ftrivial-auto-var-init=pattern/ftrivial-auto-var-init=zero/' Makefile; #(GrapheneOS)
else
sed -i 's/ftrivial-auto-var-init=pattern/ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang/' Makefile; #(GrapheneOS) sed -i 's/ftrivial-auto-var-init=pattern/ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang/' Makefile; #(GrapheneOS)
fi;
grep -q "trivial-auto-var-init=pattern" Makefile; grep -q "trivial-auto-var-init=pattern" Makefile;
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "auto-var-init: Failed to switch from pattern to zero on $kernel"; echo "auto-var-init: Failed to switch from pattern to zero on $kernel";

View File

@ -140,16 +140,6 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don'
applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout.patch"; #Enable secondary user logout support by default (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout.patch"; #Enable secondary user logout support by default (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout-a1.patch"; #Fix DevicePolicyManager#logoutUser() never succeeding (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout-a1.patch"; #Fix DevicePolicyManager#logoutUser() never succeeding (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-1.patch"; #Support new special runtime permissions (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-2.patch"; #Make INTERNET into a special runtime permission (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-3.patch"; #Add special runtime permission for other sensors (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-4.patch"; #Infrastructure for spoofing self permission checks (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-5.patch"; #App-side infrastructure for special runtime permissions (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-6.patch"; #Improve compatibility of INTERNET special runtime permission (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-7.patch"; #Mark UserHandle#get{Uid, UserId} as module SystemApi (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-8.patch"; #Improve compatibility with revoked INTERNET in DownloadManager (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-9.patch"; #Ignore pid when spoofing permission checks (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-10.patch"; #srt permissions: don't auto-grant denied ones when permissions are reset (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0015-System_Server_Extensions.patch"; #Timeout for Bluetooth (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0015-System_Server_Extensions.patch"; #Timeout for Bluetooth (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0015-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0015-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
@ -160,7 +150,6 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patc
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-2.patch"; #Disable exec spawning when using debugging options (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-2.patch"; #Disable exec spawning when using debugging options (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-3.patch"; #Add parameter for avoiding full preload with exec (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-3.patch"; #Add parameter for avoiding full preload with exec (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-4.patch"; #Pass through fullPreload to libcore (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-4.patch"; #Pass through fullPreload to libcore (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-5.patch"; #Disable OpenGL preloading for exec spawning (GrapheneOS) XXX: reverted upstream
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-6.patch"; #Disable resource preloading for exec spawning (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-6.patch"; #Disable resource preloading for exec spawning (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-7.patch"; #Disable class preloading for exec spawning (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-7.patch"; #Disable class preloading for exec spawning (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-8.patch"; #Disable WebView reservation for exec spawning (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-8.patch"; #Disable WebView reservation for exec spawning (GrapheneOS)
@ -174,24 +163,17 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-15.pat
sed -i 's/sys.spawn.exec/persist.security.exec_spawn_new/' core/java/com/android/internal/os/ZygoteConnection.java; sed -i 's/sys.spawn.exec/persist.security.exec_spawn_new/' core/java/com/android/internal/os/ZygoteConnection.java;
applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0022-Ignore_StatementService_ANR.patch"; #Don't report statementservice crashes (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0022-Ignore_StatementService_ANR.patch"; #Don't report statementservice crashes (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/326692.patch"; #Skip screen on animation when wake and unlock via biometrics (jesec) #TODO: 20REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0023-Skip_Screen_Animation.patch"; #SystemUI: Skip screen-on animation in all scenarios (kdrag0n) #XXX: breaks notification backdrop #TODO: 20REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Burnin_Protection.patch"; #SystemUI: add burnIn protection (arter97) applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Burnin_Protection.patch"; #SystemUI: add burnIn protection (arter97)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Strict_Package_Checks-1.patch"; #Disable package parser cache (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Strict_Package_Checks-2.patch"; #Perform additional boot-time checks on system package updates (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0030-agnss.goog_override.patch"; #Replace agnss.goog with the Broadcom PSDS server (heavily based off of a GrapheneOS patch) applyPatch "$DOS_PATCHES/android_frameworks_base/0030-agnss.goog_override.patch"; #Replace agnss.goog with the Broadcom PSDS server (heavily based off of a GrapheneOS patch)
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-1.patch"; #Revert "Null safe package name in AppOps writeState" (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-1.patch"; #Revert "Null safe package name in AppOps writeState" (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-2.patch"; #appops: skip ops for invalid null package during state serialization (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-2.patch"; #appops: skip ops for invalid null package during state serialization (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0034-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Unprivileged_microG_Handling.patch"; #Unprivileged microG handling (heavily based off of a CalyxOS patch) applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Unprivileged_microG_Handling.patch"; #Unprivileged microG handling (heavily based off of a CalyxOS patch)
applyPatch "$DOS_PATCHES/android_frameworks_base/0037-filter-gms.patch"; #Filter select package queries for GMS (CalyxOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0037-filter-gms.patch"; #Filter select package queries for GMS (CalyxOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0038-no-camera-lpad.patch"; #Do not auto-grant Camera permission to the eUICC LPA UI app (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0038-no-camera-lpad.patch"; #Do not auto-grant Camera permission to the eUICC LPA UI app (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0039-package_hooks.patch"; #Add hooks for modifying PackageManagerService behavior (GrapheneOS) #TODO: 21REBASE applyPatch "$DOS_PATCHES/android_frameworks_base/0040-euicc-integration.patch"; #Integrate Google's EuiccSupportPixel package (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0040-euicc-restrictions.patch"; #Integrate Google's EuiccSupportPixel package (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0041-tile_restrictions.patch"; #SystemUI: Require unlocking to use sensitive QS tiles (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0041-tile_restrictions.patch"; #SystemUI: Require unlocking to use sensitive QS tiles (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0042-minimal_screenshot_exif.patch"; #Put bare minimum metadata in screenshots (CalyxOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0042-minimal_screenshot_exif.patch"; #Put bare minimum metadata in screenshots (CalyxOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
@ -210,12 +192,6 @@ if enterAndClear "frameworks/libs/systemui"; then
applyPatch "$DOS_PATCHES/android_frameworks_libs_systemui/0001-Icon_Cache.patch"; #Invalidate icon cache between OS releases (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_libs_systemui/0001-Icon_Cache.patch"; #Invalidate icon cache between OS releases (GrapheneOS)
fi; fi;
#if enterAndClear "frameworks/native"; then
#applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission-1.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission-2.patch"; #Protect step sensors with OTHER_SENSORS permission for targetSdk<29 apps (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission-3.patch"; #Exempt system processes from OTHER_SENSORS permission enforcement (GrapheneOS) #TODO: 21REBASE
#fi;
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
if enterAndClear "frameworks/opt/net/ims"; then if enterAndClear "frameworks/opt/net/ims"; then
applyPatch "$DOS_PATCHES/android_frameworks_opt_net_ims/0001-Fix_Calling.patch"; #Fix calling when IMS is removed (DivestOS) applyPatch "$DOS_PATCHES/android_frameworks_opt_net_ims/0001-Fix_Calling.patch"; #Fix calling when IMS is removed (DivestOS)
@ -255,7 +231,6 @@ applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8350.patch";
fi; fi;
if enterAndClear "libcore"; then if enterAndClear "libcore"; then
#applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Don't throw SecurityException when INTERNET permission is revoked (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-2.patch"; applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-2.patch";
@ -303,13 +278,11 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; #Add exec spawning toggle (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; #Add exec spawning toggle (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch"; #Add option to always randomize MAC (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch"; #Add option to always randomize MAC (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-LTE_Only_Mode.patch"; #LTE Only Mode (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-LTE_Only_Mode.patch"; #LTE Only Mode (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-microG_Toggle.patch"; #Add a toggle for microG enablement (heavily based off of a GrapheneOS patch) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-microG_Toggle.patch"; #Add a toggle for microG enablement (heavily based off of a GrapheneOS patch)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0017-OpenEUICC_Toggle.patch"; #Add a toggle for OpenEUICC enablement (heavily based off of a GrapheneOS patch)
if [ -d "$DOS_BUILD_BASE"/vendor/divested-carriersettings ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0018-CC2_Toggle.patch"; fi; #Add a toggle for CarrierConfig2 enablement (heavily based off of a GrapheneOS patch) if [ -d "$DOS_BUILD_BASE"/vendor/divested-carriersettings ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0018-CC2_Toggle.patch"; fi; #Add a toggle for CarrierConfig2 enablement (heavily based off of a GrapheneOS patch)
fi; fi;
@ -334,13 +307,6 @@ applyPatch "$DOS_PATCHES/android_packages_inputmethods_LatinIME/0001-Voice.patch
applyPatch "$DOS_PATCHES/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
fi; fi;
#if enterAndClear "packages/modules/Connectivity"; then
#applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-1.patch"; #Enforce INTERNET permission per-uid instead of per-appId (GrapheneOS) #XXX: PROBABLY BROKEN #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-2.patch"; #Don't crash INTERNET-unaware apps that try to access NsdManager (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-3.patch"; #ConnectivityManager: pretend that network is down to INTERNET-unaware callers (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-4.patch"; #Fixup! don't crash INTERNET-unaware apps that try to access NsdManager (GrapheneOS) #TODO: 21REBASE
#fi;
if enterAndClear "packages/modules/DnsResolver"; then if enterAndClear "packages/modules/DnsResolver"; then
applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Cache.patch"; #DnsResolver: Sort and cache hosts file data for fast lookup (tdm) applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Cache.patch"; #DnsResolver: Sort and cache hosts file data for fast lookup (tdm)
applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Wildcards.patch"; #DnsResolver: Support wildcards in cached hosts file (tdm) applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Wildcards.patch"; #DnsResolver: Support wildcards in cached hosts file (tdm)
@ -353,8 +319,6 @@ applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.p
fi; fi;
if enterAndClear "packages/modules/Permission"; then if enterAndClear "packages/modules/Permission"; then
#applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0004-Special_Permissions-1.patch"; #Add special handling for INTERNET/OTHER_SENSORS (GrapheneOS) #TODO: 21REBASE
#applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0004-Special_Permissions-2.patch"; #Fix usage UI summary for Network/Sensors (GrapheneOS) #TODO: 21REBASE
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0005-Browser_No_Location.patch"; #Stop auto-granting location to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0005-Browser_No_Location.patch"; #Stop auto-granting location to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0007-No_safety_center.patch"; #Disable Safety Center (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0007-No_safety_center.patch"; #Disable Safety Center (GrapheneOS)
@ -364,10 +328,6 @@ if enterAndClear "packages/modules/Wifi"; then
applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
fi; fi;
#if enterAndClear "packages/providers/DownloadProvider"; then
#applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) #TODO: 21REBASE
#fi;
if enterAndClear "packages/services/Telephony"; then if enterAndClear "packages/services/Telephony"; then
if [ -d "$DOS_BUILD_BASE"/vendor/divested-carriersettings ]; then applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-CC2.patch"; fi; #Runtime control of platform carrier config package (DivestOS) if [ -d "$DOS_BUILD_BASE"/vendor/divested-carriersettings ]; then applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-CC2.patch"; fi; #Runtime control of platform carrier config package (DivestOS)
fi; fi;
@ -475,7 +435,7 @@ cd "$DOS_BUILD_BASE";
deblobAudio; deblobAudio;
removeBuildFingerprints; removeBuildFingerprints;
hardenLocationSerials || true; hardenLocationSerials || true;
#enableAutoVarInit || true; #TODO: 21REBASE: has been deprecated and will be ignored enableAutoVarInit || true;
changeDefaultDNS; #Change the default DNS servers changeDefaultDNS; #Change the default DNS servers
fixupCarrierConfigs || true; #Remove silly carrier restrictions fixupCarrierConfigs || true; #Remove silly carrier restrictions
removeUntrustedCerts || true; removeUntrustedCerts || true;

View File

@ -175,7 +175,7 @@ export TZ=:/etc/localtime;
export LC_ALL=C; export LC_ALL=C;
export LANG=C.UTF-8; export LANG=C.UTF-8;
if [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then export DOS_DEBLOBBER_REMOVE_EUICC_FULL=true; fi; if [[ "$DOS_VERSION" != "LineageOS-20.0" ]] && [[ "$DOS_VERSION" != "LineageOS-21.0" ]]; then export DOS_DEBLOBBER_REMOVE_EUICC_FULL=true; fi;
#START OF VERIFICATION #START OF VERIFICATION
gpgVerifyGitHead "$DOS_WORKSPACE_ROOT"; gpgVerifyGitHead "$DOS_WORKSPACE_ROOT";