mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-06-26 14:42:13 +00:00
Port the GrapheneOS NETWORK permission to 17.1 and 18.1
Some patches were ported from 12 to 10/11 Some patches from 11 were ported to 10 This 10/11 port should be very close to 12 BOUNS: 16.0 patches, disabled Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad
parent
f4fbe65756
commit
5e1521700f
|
|
@ -0,0 +1,116 @@
|
|||
From 09632b10185b9133949a431e27089f72b5cfeefa Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 08:42:55 -0400
|
||||
Subject: [PATCH] support new special runtime permissions
|
||||
|
||||
These are treated as a runtime permission even for legacy apps. They
|
||||
need to be granted by default for all apps to maintain compatibility.
|
||||
---
|
||||
.../server/pm/PackageManagerService.java | 3 +-
|
||||
.../permission/PermissionManagerService.java | 30 ++++++++++++++-----
|
||||
2 files changed, 25 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index c414abac12a7..46f02259e741 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -19462,7 +19462,8 @@ private void resetUserChangesToRuntimePermissionsAndFlagsLPw(
|
||||
}
|
||||
|
||||
// If this permission was granted by default, make sure it is.
|
||||
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
|
||||
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
|
||||
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
|
||||
if (permissionsState.grantRuntimePermission(bp, userId)
|
||||
!= PERMISSION_OPERATION_FAILURE) {
|
||||
writeRuntimePermissions = true;
|
||||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
index c51a72406b53..cb8facb31020 100644
|
||||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
@@ -659,6 +659,10 @@ private void removeDynamicPermission(
|
||||
}
|
||||
}
|
||||
|
||||
+ public static boolean isSpecialRuntimePermission(final String permission) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
private void grantPermissions(PackageParser.Package pkg, boolean replace,
|
||||
String packageOfInterest, PermissionCallback callback) {
|
||||
// IMPORTANT: There are two types of permissions: install and runtime.
|
||||
@@ -767,7 +771,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
|
||||
// their permissions as always granted runtime ones since we need
|
||||
// to keep the review required permission flag per user while an
|
||||
// install permission's state is shared across all users.
|
||||
- if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) {
|
||||
+ if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired &&
|
||||
+ !isSpecialRuntimePermission(bp.getName())) {
|
||||
// For legacy apps dangerous permissions are install time ones.
|
||||
grant = GRANT_INSTALL;
|
||||
} else if (origPermissions.hasInstallPermission(bp.getName())) {
|
||||
@@ -877,7 +882,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
|
||||
updatedUserIds, userId);
|
||||
}
|
||||
} else if (mSettings.mPermissionReviewRequired
|
||||
- && !appSupportsRuntimePermissions) {
|
||||
+ && !appSupportsRuntimePermissions
|
||||
+ && !isSpecialRuntimePermission(bp.getName())) {
|
||||
// For legacy apps that need a permission review, every new
|
||||
// runtime permission is granted but it is pending a review.
|
||||
// We also need to review only platform defined runtime
|
||||
@@ -898,7 +904,15 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
|
||||
updatedUserIds = ArrayUtils.appendInt(
|
||||
updatedUserIds, userId);
|
||||
}
|
||||
- }
|
||||
+ } else if (isSpecialRuntimePermission(bp.name) &&
|
||||
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
|
||||
+ if (permissionsState.grantRuntimePermission(bp, userId)
|
||||
+ != PermissionsState.PERMISSION_OPERATION_FAILURE) {
|
||||
+ // We changed the permission, hence have to write.
|
||||
+ updatedUserIds = ArrayUtils.appendInt(
|
||||
+ updatedUserIds, userId);
|
||||
+ }
|
||||
+ }
|
||||
// Propagate the permission flags.
|
||||
permissionsState.updatePermissionFlags(bp, userId, flags, flags);
|
||||
}
|
||||
@@ -1350,7 +1364,7 @@ private void grantRequestedRuntimePermissionsForUser(PackageParser.Package pkg,
|
||||
&& (grantedPermissions == null
|
||||
|| ArrayUtils.contains(grantedPermissions, permission))) {
|
||||
final int flags = permissionsState.getPermissionFlags(permission, userId);
|
||||
- if (supportsRuntimePermissions) {
|
||||
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
|
||||
// Installer cannot change immutable permissions.
|
||||
if ((flags & immutableFlags) == 0) {
|
||||
grantRuntimePermission(permission, pkg.packageName, false, callingUid,
|
||||
@@ -1409,7 +1423,7 @@ private void grantRuntimePermission(String permName, String packageName, boolean
|
||||
// install permission's state is shared across all users.
|
||||
if (mSettings.mPermissionReviewRequired
|
||||
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
|
||||
- && bp.isRuntime()) {
|
||||
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1445,7 +1459,8 @@ private void grantRuntimePermission(String permName, String packageName, boolean
|
||||
+ permName + " for package " + packageName);
|
||||
}
|
||||
|
||||
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
|
||||
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
|
||||
+ && !isSpecialRuntimePermission(permName)) {
|
||||
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
|
||||
return;
|
||||
}
|
||||
@@ -1530,7 +1545,8 @@ private void revokeRuntimePermission(String permName, String packageName,
|
||||
// install permission's state is shared across all users.
|
||||
if (mSettings.mPermissionReviewRequired
|
||||
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
|
||||
- && bp.isRuntime()) {
|
||||
+ && bp.isRuntime()
|
||||
+ && !isSpecialRuntimePermission(permName)) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
From 2dd00723364fcf10e6c9e6c2e022e31524fda92d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 17 Mar 2019 11:59:15 -0400
|
||||
Subject: [PATCH] make INTERNET into a special runtime permission
|
||||
|
||||
---
|
||||
core/res/AndroidManifest.xml | 2 +-
|
||||
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index d0ae9dbc55ae..d0449dfc4f57 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1348,7 +1348,7 @@
|
||||
<permission android:name="android.permission.INTERNET"
|
||||
android:description="@string/permdesc_createNetworkSockets"
|
||||
android:label="@string/permlab_createNetworkSockets"
|
||||
- android:protectionLevel="normal|instant" />
|
||||
+ android:protectionLevel="dangerous|instant" />
|
||||
|
||||
<!-- Allows applications to access information about networks.
|
||||
<p>Protection level: normal
|
||||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
index cb8facb31020..9b11c8e0ffd7 100644
|
||||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
@@ -660,7 +660,7 @@ private void removeDynamicPermission(
|
||||
}
|
||||
|
||||
public static boolean isSpecialRuntimePermission(final String permission) {
|
||||
- return false;
|
||||
+ return Manifest.permission.INTERNET.equals(permission);
|
||||
}
|
||||
|
||||
private void grantPermissions(PackageParser.Package pkg, boolean replace,
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From 6ef61fd6f745b9709269d3612a3a4eea2250ebec Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 11:23:07 -0400
|
||||
Subject: [PATCH] add a NETWORK permission group for INTERNET
|
||||
|
||||
---
|
||||
core/res/AndroidManifest.xml | 10 ++++++++++
|
||||
core/res/res/values/strings.xml | 5 +++++
|
||||
2 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index d0449dfc4f57..822cf1166539 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1342,10 +1342,20 @@
|
||||
<!-- ======================================= -->
|
||||
<eat-comment />
|
||||
|
||||
+ <!-- Network access
|
||||
+ @hide
|
||||
+ -->
|
||||
+ <permission-group android:name="android.permission-group.NETWORK"
|
||||
+ android:icon="@drawable/perm_group_network"
|
||||
+ android:label="@string/permgrouplab_network"
|
||||
+ android:description="@string/permgroupdesc_network"
|
||||
+ android:priority="900" />
|
||||
+
|
||||
<!-- Allows applications to open network sockets.
|
||||
<p>Protection level: normal
|
||||
-->
|
||||
<permission android:name="android.permission.INTERNET"
|
||||
+ android:permissionGroup="android.permission-group.NETWORK"
|
||||
android:description="@string/permdesc_createNetworkSockets"
|
||||
android:label="@string/permlab_createNetworkSockets"
|
||||
android:protectionLevel="dangerous|instant" />
|
||||
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
|
||||
index f6600462ea74..a79fa8e95b6e 100644
|
||||
--- a/core/res/res/values/strings.xml
|
||||
+++ b/core/res/res/values/strings.xml
|
||||
@@ -747,6 +747,11 @@
|
||||
<string name="permgrouprequest_sensors">Allow
|
||||
<b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g></b> to access sensor data about your vital signs?</string>
|
||||
|
||||
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
+ <string name="permgrouplab_network">Network</string>
|
||||
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
+ <string name="permgroupdesc_network">network access</string>
|
||||
+
|
||||
<!-- Title for the capability of an accessibility service to retrieve window content. -->
|
||||
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
|
||||
<!-- Description for the capability of an accessibility service to retrieve window content. -->
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||
Date: Tue, 14 Dec 2021 21:10:51 +0200
|
||||
Subject: [PATCH] don't throw SecurityException when INTERNET permission is
|
||||
revoked
|
||||
|
||||
---
|
||||
ojluni/src/main/java/java/net/Inet6AddressImpl.java | 10 +---------
|
||||
1 file changed, 1 insertion(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
index 1edfe344ce..2176973b44 100644
|
||||
--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
@@ -143,15 +143,7 @@ class Inet6AddressImpl implements InetAddressImpl {
|
||||
addressCache.put(host, netId, addresses);
|
||||
return addresses;
|
||||
} catch (GaiException gaiException) {
|
||||
- // If the failure appears to have been a lack of INTERNET permission, throw a clear
|
||||
- // SecurityException to aid in debugging this common mistake.
|
||||
- // http://code.google.com/p/android/issues/detail?id=15722
|
||||
- if (gaiException.getCause() instanceof ErrnoException) {
|
||||
- if (((ErrnoException) gaiException.getCause()).errno == EACCES) {
|
||||
- throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
|
||||
- }
|
||||
- }
|
||||
- // Otherwise, throw an UnknownHostException.
|
||||
+ // Throw an UnknownHostException.
|
||||
String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
|
||||
addressCache.putUnknownHost(host, netId, detailMessage);
|
||||
throw gaiException.rethrowAsUnknownHostException(detailMessage);
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
From 880011e7af233249e1b70177daa3cd786574bc85 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sat, 22 Jul 2017 21:43:50 -0400
|
||||
Subject: [PATCH] always treat INTERNET as a runtime permission
|
||||
|
||||
---
|
||||
.../permission/model/AppPermissionGroup.java | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
|
||||
index aafce8df5..e6087de4c 100644
|
||||
--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
|
||||
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
|
||||
@@ -26,6 +26,7 @@
|
||||
import android.content.pm.PackageManager;
|
||||
import android.content.pm.PermissionGroupInfo;
|
||||
import android.content.pm.PermissionInfo;
|
||||
+import android.Manifest;
|
||||
import android.os.Build;
|
||||
import android.os.Process;
|
||||
import android.os.UserHandle;
|
||||
@@ -338,7 +339,7 @@ public boolean areRuntimePermissionsGranted(String[] filterPermissions) {
|
||||
&& !ArrayUtils.contains(filterPermissions, permission.getName())) {
|
||||
continue;
|
||||
}
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
if (permission.isGranted()) {
|
||||
return true;
|
||||
}
|
||||
@@ -371,7 +372,7 @@ public boolean grantRuntimePermissions(boolean fixedByTheUser, String[] filterPe
|
||||
continue;
|
||||
}
|
||||
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
// Do not touch permissions fixed by the system.
|
||||
if (permission.isSystemFixed()) {
|
||||
return false;
|
||||
@@ -473,7 +474,7 @@ public boolean revokeRuntimePermissions(boolean fixedByTheUser, String[] filterP
|
||||
continue;
|
||||
}
|
||||
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
// Do not touch permissions fixed by the system.
|
||||
if (permission.isSystemFixed()) {
|
||||
return false;
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
From c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 10:29:15 -0400
|
||||
Subject: [PATCH] add NETWORK permission group
|
||||
|
||||
---
|
||||
src/com/android/packageinstaller/permission/utils/Utils.java | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
|
||||
index 85a102831..423b319ee 100644
|
||||
--- a/src/com/android/packageinstaller/permission/utils/Utils.java
|
||||
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java
|
||||
@@ -51,7 +51,8 @@
|
||||
Manifest.permission_group.SMS,
|
||||
Manifest.permission_group.PHONE,
|
||||
Manifest.permission_group.MICROPHONE,
|
||||
- Manifest.permission_group.STORAGE
|
||||
+ Manifest.permission_group.STORAGE,
|
||||
+ Manifest.permission_group.NETWORK
|
||||
};
|
||||
|
||||
private static final Intent LAUNCHER_INTENT = new Intent(Intent.ACTION_MAIN, null)
|
||||
|
|
@ -26,7 +26,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
|
|||
create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java
|
||||
|
||||
diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
|
||||
index 53dca0e6e7..dee07db2b4 100644
|
||||
index e78bbea120..54e2864c9a 100644
|
||||
--- a/res/values-de/cm_strings.xml
|
||||
+++ b/res/values-de/cm_strings.xml
|
||||
@@ -308,4 +308,7 @@
|
||||
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 6 Aug 2017 08:19:36 -0400
|
||||
Subject: [PATCH] remove legacy NETWORK permission group reference
|
||||
|
||||
---
|
||||
AndroidManifest.xml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
|
||||
index 302a58e5..65f38e86 100644
|
||||
--- a/AndroidManifest.xml
|
||||
+++ b/AndroidManifest.xml
|
||||
@@ -29,7 +29,6 @@
|
||||
|
||||
<!-- Allows to queue downloads without a notification shown while the download runs. -->
|
||||
<permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
|
||||
- android:permissionGroup="android.permission-group.NETWORK"
|
||||
android:label="@string/permlab_downloadWithoutNotification"
|
||||
android:description="@string/permdesc_downloadWithoutNotification"
|
||||
android:protectionLevel="normal"/>
|
||||
|
|
@ -0,0 +1,102 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 08:42:55 -0400
|
||||
Subject: [PATCH] support new special runtime permissions
|
||||
|
||||
These are treated as a runtime permission even for legacy apps. They
|
||||
need to be granted by default for all apps to maintain compatibility.
|
||||
---
|
||||
.../server/pm/PackageManagerService.java | 3 ++-
|
||||
.../permission/PermissionManagerService.java | 23 +++++++++++++++----
|
||||
2 files changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index edaa60f4b09e..834a6b0d5260 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -20162,7 +20162,8 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
}
|
||||
|
||||
// If this permission was granted by default, make sure it is.
|
||||
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
|
||||
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
|
||||
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
|
||||
mPermissionManager.grantRuntimePermission(permName, packageName, false,
|
||||
Process.SYSTEM_UID, userId, delayingPermCallback);
|
||||
// Allow app op later as we are holding mPackages
|
||||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
index 82f963e1df2a..293bdc7ba197 100644
|
||||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
@@ -984,6 +984,10 @@ public class PermissionManagerService {
|
||||
}
|
||||
}
|
||||
|
||||
+ public static boolean isSpecialRuntimePermission(final String permission) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Restore the permission state for a package.
|
||||
*
|
||||
@@ -1277,6 +1281,14 @@ public class PermissionManagerService {
|
||||
}
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (isSpecialRuntimePermission(bp.name) &&
|
||||
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
|
||||
+ if (permissionsState.grantRuntimePermission(bp, userId)
|
||||
+ != PERMISSION_OPERATION_FAILURE) {
|
||||
+ wasChanged = true;
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
if (permState == null) {
|
||||
// New permission
|
||||
@@ -1410,7 +1422,7 @@ public class PermissionManagerService {
|
||||
wasChanged = true;
|
||||
}
|
||||
}
|
||||
- } else {
|
||||
+ } else {
|
||||
if (!permissionsState.hasRuntimePermission(bp.name, userId)
|
||||
&& permissionsState.grantRuntimePermission(bp,
|
||||
userId) != PERMISSION_OPERATION_FAILURE) {
|
||||
@@ -2183,7 +2195,7 @@ public class PermissionManagerService {
|
||||
&& (grantedPermissions == null
|
||||
|| ArrayUtils.contains(grantedPermissions, permission))) {
|
||||
final int flags = permissionsState.getPermissionFlags(permission, userId);
|
||||
- if (supportsRuntimePermissions) {
|
||||
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
|
||||
// Installer cannot change immutable permissions.
|
||||
if ((flags & immutableFlags) == 0) {
|
||||
grantRuntimePermission(permission, pkg.packageName, false, callingUid,
|
||||
@@ -2242,7 +2254,7 @@ public class PermissionManagerService {
|
||||
// to keep the review required permission flag per user while an
|
||||
// install permission's state is shared across all users.
|
||||
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
|
||||
- && bp.isRuntime()) {
|
||||
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -2294,7 +2306,8 @@ public class PermissionManagerService {
|
||||
+ permName + " for package " + packageName);
|
||||
}
|
||||
|
||||
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
|
||||
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
|
||||
+ && !isSpecialRuntimePermission(permName)) {
|
||||
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
|
||||
return;
|
||||
}
|
||||
@@ -2381,7 +2394,7 @@ public class PermissionManagerService {
|
||||
// to keep the review required permission flag per user while an
|
||||
// install permission's state is shared across all users.
|
||||
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
|
||||
- && bp.isRuntime()) {
|
||||
+ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 17 Mar 2019 11:59:15 -0400
|
||||
Subject: [PATCH] make INTERNET into a special runtime permission
|
||||
|
||||
---
|
||||
core/res/AndroidManifest.xml | 2 +-
|
||||
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index 7bcd7a048db4..571099f059c8 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1539,7 +1539,7 @@
|
||||
<permission android:name="android.permission.INTERNET"
|
||||
android:description="@string/permdesc_createNetworkSockets"
|
||||
android:label="@string/permlab_createNetworkSockets"
|
||||
- android:protectionLevel="normal|instant" />
|
||||
+ android:protectionLevel="dangerous|instant" />
|
||||
|
||||
<!-- Allows applications to access information about networks.
|
||||
<p>Protection level: normal
|
||||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
index 293bdc7ba197..3a71bc8d015b 100644
|
||||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
@@ -985,7 +985,7 @@ public class PermissionManagerService {
|
||||
}
|
||||
|
||||
public static boolean isSpecialRuntimePermission(final String permission) {
|
||||
- return false;
|
||||
+ return Manifest.permission.INTERNET.equals(permission);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 11:23:07 -0400
|
||||
Subject: [PATCH] add a NETWORK permission group for INTERNET
|
||||
|
||||
---
|
||||
api/current.txt | 1 +
|
||||
core/res/AndroidManifest.xml | 8 ++++++++
|
||||
core/res/res/values/strings.xml | 5 +++++
|
||||
3 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/api/current.txt b/api/current.txt
|
||||
index cd78602d9cd9..b99634c11742 100644
|
||||
--- a/api/current.txt
|
||||
+++ b/api/current.txt
|
||||
@@ -176,6 +176,7 @@ package android {
|
||||
field public static final String CONTACTS = "android.permission-group.CONTACTS";
|
||||
field public static final String LOCATION = "android.permission-group.LOCATION";
|
||||
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
|
||||
+ field public static final String NETWORK = "android.permission-group.NETWORK";
|
||||
field public static final String PHONE = "android.permission-group.PHONE";
|
||||
field public static final String SENSORS = "android.permission-group.SENSORS";
|
||||
field public static final String SMS = "android.permission-group.SMS";
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index 571099f059c8..b51e4f21454b 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1533,10 +1533,18 @@
|
||||
<!-- ======================================= -->
|
||||
<eat-comment />
|
||||
|
||||
+ <!-- Network access -->
|
||||
+ <permission-group android:name="android.permission-group.NETWORK"
|
||||
+ android:icon="@drawable/perm_group_network"
|
||||
+ android:label="@string/permgrouplab_network"
|
||||
+ android:description="@string/permgroupdesc_network"
|
||||
+ android:priority="900" />
|
||||
+
|
||||
<!-- Allows applications to open network sockets.
|
||||
<p>Protection level: normal
|
||||
-->
|
||||
<permission android:name="android.permission.INTERNET"
|
||||
+ android:permissionGroup="android.permission-group.UNDEFINED"
|
||||
android:description="@string/permdesc_createNetworkSockets"
|
||||
android:label="@string/permlab_createNetworkSockets"
|
||||
android:protectionLevel="dangerous|instant" />
|
||||
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
|
||||
index e2afd1e1e0cc..2cf2b923ef90 100644
|
||||
--- a/core/res/res/values/strings.xml
|
||||
+++ b/core/res/res/values/strings.xml
|
||||
@@ -792,6 +792,11 @@
|
||||
<string name="permgrouprequest_sensors">Allow
|
||||
<b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g></b> to access sensor data about your vital signs?</string>
|
||||
|
||||
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
+ <string name="permgrouplab_network">Network</string>
|
||||
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
+ <string name="permgroupdesc_network">access the network</string>
|
||||
+
|
||||
<!-- Title for the capability of an accessibility service to retrieve window content. -->
|
||||
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
|
||||
<!-- Description for the capability of an accessibility service to retrieve window content. -->
|
||||
|
|
@ -0,0 +1,111 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Zoraver Kang <zkang@wpi.edu>
|
||||
Date: Mon, 16 Sep 2019 16:41:30 -0400
|
||||
Subject: [PATCH] Enforce INTERNET as a runtime permission.
|
||||
|
||||
---
|
||||
.../connectivity/PermissionMonitor.java | 59 ++++++++++++-------
|
||||
1 file changed, 39 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
index 56f4959a9714..0b2012fa759a 100644
|
||||
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
|
||||
import static android.os.Process.SYSTEM_UID;
|
||||
|
||||
import android.annotation.NonNull;
|
||||
+import android.annotation.UserIdInt;
|
||||
import android.content.Context;
|
||||
import android.content.pm.ApplicationInfo;
|
||||
import android.content.pm.PackageInfo;
|
||||
@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
|
||||
import com.android.internal.util.IndentingPrintWriter;
|
||||
import com.android.server.LocalServices;
|
||||
import com.android.server.SystemConfig;
|
||||
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
@@ -80,6 +82,7 @@ public class PermissionMonitor {
|
||||
private static final int VERSION_Q = Build.VERSION_CODES.Q;
|
||||
|
||||
private final PackageManager mPackageManager;
|
||||
+ private final PackageManagerInternal mPackageManagerInternal;
|
||||
private final UserManager mUserManager;
|
||||
private final INetd mNetd;
|
||||
|
||||
@@ -104,26 +107,6 @@ public class PermissionMonitor {
|
||||
|
||||
private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
|
||||
|
||||
- private int getPermissionForUid(int uid) {
|
||||
- int permission = 0;
|
||||
- // Check all the packages for this UID. The UID has the permission if any of the
|
||||
- // packages in it has the permission.
|
||||
- String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
- if (packages != null && packages.length > 0) {
|
||||
- for (String name : packages) {
|
||||
- final PackageInfo app = getPackageInfo(name);
|
||||
- if (app != null && app.requestedPermissions != null) {
|
||||
- permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
- app.requestedPermissionsFlags);
|
||||
- }
|
||||
- }
|
||||
- } else {
|
||||
- // The last package of this uid is removed from device. Clean the package up.
|
||||
- permission = INetd.PERMISSION_UNINSTALLED;
|
||||
- }
|
||||
- return permission;
|
||||
- }
|
||||
-
|
||||
@Override
|
||||
public void onPackageAdded(String packageName, int uid) {
|
||||
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
|
||||
@@ -140,10 +123,46 @@ public class PermissionMonitor {
|
||||
}
|
||||
}
|
||||
|
||||
+ private int getPermissionForUid(int uid) {
|
||||
+ int permission = 0;
|
||||
+ // Check all the packages for this UID. The UID has the permission if any of the
|
||||
+ // packages in it has the permission.
|
||||
+ String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
+ if (packages != null && packages.length > 0) {
|
||||
+ for (String name : packages) {
|
||||
+ final PackageInfo app = getPackageInfo(name);
|
||||
+ if (app != null && app.requestedPermissions != null) {
|
||||
+ permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
+ app.requestedPermissionsFlags);
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ // The last package of this uid is removed from device. Clean the package up.
|
||||
+ permission = INetd.PERMISSION_UNINSTALLED;
|
||||
+ }
|
||||
+ return permission;
|
||||
+ }
|
||||
+
|
||||
+ // implements OnRuntimePermissionStateChangedListener
|
||||
+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
|
||||
+ @UserIdInt int userId) {
|
||||
+ // userId is _not_ uid
|
||||
+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
|
||||
+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
|
||||
+ }
|
||||
+
|
||||
public PermissionMonitor(Context context, INetd netd) {
|
||||
mPackageManager = context.getPackageManager();
|
||||
mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
|
||||
mNetd = netd;
|
||||
+
|
||||
+ mPackageManagerInternal = LocalServices.getService(
|
||||
+ PackageManagerInternal.class);
|
||||
+
|
||||
+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
|
||||
+ PermissionManagerServiceInternal.class);
|
||||
+ permManagerInternal.addOnRuntimePermissionStateChangedListener(
|
||||
+ this::enforceINTERNETAsRuntimePermission);
|
||||
}
|
||||
|
||||
// Intended to be called only once at startup, after the system is ready. Installs a broadcast
|
||||
|
|
@ -0,0 +1,82 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: pratyush <codelab@pratyush.dev>
|
||||
Date: Sun, 25 Apr 2021 07:04:03 +0530
|
||||
Subject: [PATCH] fix INTERNET enforcement for secondary users
|
||||
|
||||
This code was not specifying the profile for the app so it wasn't
|
||||
working properly with INTERNET as a runtime permission.
|
||||
---
|
||||
.../connectivity/PermissionMonitor.java | 20 +++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
index 0b2012fa759a..827dd3a3493d 100644
|
||||
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
@@ -130,7 +130,8 @@ public class PermissionMonitor {
|
||||
String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
if (packages != null && packages.length > 0) {
|
||||
for (String name : packages) {
|
||||
- final PackageInfo app = getPackageInfo(name);
|
||||
+ int userId = UserHandle.getUserId(uid);
|
||||
+ final PackageInfo app = getPackageInfo(name, userId);
|
||||
if (app != null && app.requestedPermissions != null) {
|
||||
permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
app.requestedPermissionsFlags);
|
||||
@@ -147,7 +148,7 @@ public class PermissionMonitor {
|
||||
private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
|
||||
@UserIdInt int userId) {
|
||||
// userId is _not_ uid
|
||||
- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
|
||||
+ int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId);
|
||||
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
|
||||
}
|
||||
|
||||
@@ -363,12 +364,13 @@ public class PermissionMonitor {
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
|
||||
+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
|
||||
if (currentPermission == SYSTEM) {
|
||||
return currentPermission;
|
||||
}
|
||||
try {
|
||||
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
|
||||
+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
|
||||
+ UserHandle.getUserId(uid));
|
||||
final boolean isNetwork = hasNetworkPermission(app);
|
||||
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
||||
if (isNetwork || hasRestrictedPermission) {
|
||||
@@ -392,7 +394,7 @@ public class PermissionMonitor {
|
||||
public synchronized void onPackageAdded(String packageName, int uid) {
|
||||
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||
- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
|
||||
+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
|
||||
if (permission != mApps.get(uid)) {
|
||||
mApps.put(uid, permission);
|
||||
|
||||
@@ -444,7 +446,7 @@ public class PermissionMonitor {
|
||||
String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
if (packages != null && packages.length > 0) {
|
||||
for (String name : packages) {
|
||||
- permission = highestPermissionForUid(permission, name);
|
||||
+ permission = highestPermissionForUid(permission, name, uid);
|
||||
if (permission == SYSTEM) {
|
||||
// An app with this UID still has the SYSTEM permission.
|
||||
// Therefore, this UID must already have the SYSTEM permission.
|
||||
@@ -484,11 +486,9 @@ public class PermissionMonitor {
|
||||
return permissions;
|
||||
}
|
||||
|
||||
- private PackageInfo getPackageInfo(String packageName) {
|
||||
+ private PackageInfo getPackageInfo(String packageName, int userId) {
|
||||
try {
|
||||
- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
|
||||
- | MATCH_ANY_USER);
|
||||
- return app;
|
||||
+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
|
||||
} catch (NameNotFoundException e) {
|
||||
return null;
|
||||
}
|
||||
|
|
@ -0,0 +1,125 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pratyush <codelab@pratyush.dev>
|
||||
Date: Thu, 12 Aug 2021 03:44:41 +0530
|
||||
Subject: [PATCH] send uid for each user instead of just owner/admin user
|
||||
|
||||
---
|
||||
.../connectivity/PermissionMonitor.java | 83 +++++++++++--------
|
||||
1 file changed, 49 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
index 827dd3a3493d..6fa9ea20a481 100644
|
||||
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
@@ -132,7 +132,7 @@ public class PermissionMonitor {
|
||||
for (String name : packages) {
|
||||
int userId = UserHandle.getUserId(uid);
|
||||
final PackageInfo app = getPackageInfo(name, userId);
|
||||
- if (app != null && app.requestedPermissions != null) {
|
||||
+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
|
||||
permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
app.requestedPermissionsFlags);
|
||||
}
|
||||
@@ -177,44 +177,45 @@ public class PermissionMonitor {
|
||||
} else {
|
||||
loge("failed to get the PackageManagerInternal service");
|
||||
}
|
||||
- List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
|
||||
- | MATCH_ANY_USER);
|
||||
- if (apps == null) {
|
||||
- loge("No apps");
|
||||
- return;
|
||||
- }
|
||||
|
||||
SparseIntArray netdPermsUids = new SparseIntArray();
|
||||
|
||||
- for (PackageInfo app : apps) {
|
||||
- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
|
||||
- if (uid < 0) {
|
||||
- continue;
|
||||
- }
|
||||
- mAllApps.add(UserHandle.getAppId(uid));
|
||||
-
|
||||
- boolean isNetwork = hasNetworkPermission(app);
|
||||
- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
||||
-
|
||||
- if (isNetwork || hasRestrictedPermission) {
|
||||
- Boolean permission = mApps.get(uid);
|
||||
- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||
- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||
- if (permission == null || permission == NETWORK) {
|
||||
- mApps.put(uid, hasRestrictedPermission);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- //TODO: unify the management of the permissions into one codepath.
|
||||
- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
|
||||
- app.requestedPermissionsFlags);
|
||||
- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
|
||||
- }
|
||||
-
|
||||
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
|
||||
if (users != null) {
|
||||
for (UserInfo user : users) {
|
||||
mUsers.add(user.id);
|
||||
+
|
||||
+ List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
|
||||
+ if (apps == null) {
|
||||
+ loge("No apps");
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ for (PackageInfo app : apps) {
|
||||
+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
|
||||
+ if (uid < 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ mAllApps.add(UserHandle.getAppId(uid));
|
||||
+
|
||||
+ boolean isNetwork = hasNetworkPermission(app);
|
||||
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
||||
+
|
||||
+ if (isNetwork || hasRestrictedPermission) {
|
||||
+ Boolean permission = mApps.get(uid);
|
||||
+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||
+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||
+ if (permission == null || permission == NETWORK) {
|
||||
+ mApps.put(uid, hasRestrictedPermission);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ //TODO: unify the management of the permissions into one codepath.
|
||||
+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
|
||||
+ app.requestedPermissionsFlags);
|
||||
+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
|
||||
+ }
|
||||
+
|
||||
}
|
||||
}
|
||||
|
||||
@@ -307,9 +308,23 @@ public class PermissionMonitor {
|
||||
List<Integer> network = new ArrayList<>();
|
||||
List<Integer> system = new ArrayList<>();
|
||||
for (Entry<Integer, Boolean> app : apps.entrySet()) {
|
||||
- List<Integer> list = app.getValue() ? system : network;
|
||||
for (int user : users) {
|
||||
- list.add(UserHandle.getUid(user, app.getKey()));
|
||||
+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
|
||||
+ if (uid < 0) continue;
|
||||
+ String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
+ if (packages == null) continue;
|
||||
+ for (String pkg : packages) {
|
||||
+ PackageInfo info = getPackageInfo(pkg, user);
|
||||
+ if (info != null && info.applicationInfo.uid == uid) {
|
||||
+ boolean isNetwork = hasNetworkPermission(info);
|
||||
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
|
||||
+
|
||||
+ if (isNetwork || hasRestrictedPermission) {
|
||||
+ List<Integer> list = hasRestrictedPermission ? system : network;
|
||||
+ list.add(UserHandle.getUid(user, app.getKey()));
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
try {
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||
Date: Tue, 14 Dec 2021 18:17:11 +0200
|
||||
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
|
||||
|
||||
---
|
||||
core/java/android/net/ConnectivityManager.java | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
|
||||
index 12102a140947..21661609ff72 100644
|
||||
--- a/core/java/android/net/ConnectivityManager.java
|
||||
+++ b/core/java/android/net/ConnectivityManager.java
|
||||
@@ -17,6 +17,7 @@ package android.net;
|
||||
|
||||
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
|
||||
|
||||
+import android.Manifest;
|
||||
import android.annotation.CallbackExecutor;
|
||||
import android.annotation.IntDef;
|
||||
import android.annotation.NonNull;
|
||||
@@ -31,6 +32,7 @@ import android.annotation.UnsupportedAppUsage;
|
||||
import android.app.PendingIntent;
|
||||
import android.content.Context;
|
||||
import android.content.Intent;
|
||||
+import android.content.pm.PackageManager;
|
||||
import android.net.IpSecManager.UdpEncapsulationSocket;
|
||||
import android.net.SocketKeepalive.Callback;
|
||||
import android.os.Binder;
|
||||
@@ -3054,6 +3056,12 @@ public class ConnectivityManager {
|
||||
*/
|
||||
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
|
||||
printStackTrace();
|
||||
+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
|
||||
+ // ConnectivityService enforces this by throwing an unexpected SecurityException,
|
||||
+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that
|
||||
+ // INTERNET permission might get revoked.
|
||||
+ return;
|
||||
+ }
|
||||
try {
|
||||
mService.reportNetworkConnectivity(network, hasConnectivity);
|
||||
} catch (RemoteException e) {
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||
Date: Tue, 14 Dec 2021 21:10:51 +0200
|
||||
Subject: [PATCH] don't throw SecurityException when INTERNET permission is
|
||||
revoked
|
||||
|
||||
---
|
||||
ojluni/src/main/java/java/net/Inet6AddressImpl.java | 11 +----------
|
||||
1 file changed, 1 insertion(+), 10 deletions(-)
|
||||
|
||||
diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
index bb722f3df2..212f8b50ef 100644
|
||||
--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
@@ -141,16 +141,7 @@ class Inet6AddressImpl implements InetAddressImpl {
|
||||
addressCache.put(host, netId, addresses);
|
||||
return addresses;
|
||||
} catch (GaiException gaiException) {
|
||||
- // If the failure appears to have been a lack of INTERNET permission, throw a clear
|
||||
- // SecurityException to aid in debugging this common mistake.
|
||||
- // http://code.google.com/p/android/issues/detail?id=15722
|
||||
- if (gaiException.getCause() instanceof ErrnoException) {
|
||||
- int errno = ((ErrnoException) gaiException.getCause()).errno;
|
||||
- if (errno == EACCES || errno == EPERM) {
|
||||
- throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
|
||||
- }
|
||||
- }
|
||||
- // Otherwise, throw an UnknownHostException.
|
||||
+ // Throw an UnknownHostException.
|
||||
String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
|
||||
addressCache.putUnknownHost(host, netId, detailMessage);
|
||||
throw gaiException.rethrowAsUnknownHostException(detailMessage);
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sat, 22 Jul 2017 21:43:50 -0400
|
||||
Subject: [PATCH] always treat INTERNET as a runtime permission
|
||||
|
||||
---
|
||||
.../permission/model/AppPermissionGroup.java | 5 +++--
|
||||
.../packageinstaller/permission/model/Permission.java | 3 ++-
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
|
||||
index da5277777..c9fa2ca3e 100644
|
||||
--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
|
||||
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
|
||||
@@ -33,6 +33,7 @@ import android.content.pm.PackageManager;
|
||||
import android.content.pm.PackageManager.NameNotFoundException;
|
||||
import android.content.pm.PermissionGroupInfo;
|
||||
import android.content.pm.PermissionInfo;
|
||||
+import android.Manifest;
|
||||
import android.os.Build;
|
||||
import android.os.UserHandle;
|
||||
import android.permission.PermissionManager;
|
||||
@@ -785,7 +786,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
|
||||
|
||||
boolean wasGranted = permission.isGrantedIncludingAppOp();
|
||||
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
// Do not touch permissions fixed by the system.
|
||||
if (permission.isSystemFixed()) {
|
||||
wasAllGranted = false;
|
||||
@@ -962,7 +963,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
|
||||
break;
|
||||
}
|
||||
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
// Revoke the permission if needed.
|
||||
if (permission.isGranted()) {
|
||||
permission.setGranted(false);
|
||||
diff --git a/src/com/android/packageinstaller/permission/model/Permission.java b/src/com/android/packageinstaller/permission/model/Permission.java
|
||||
index 463c34795..c2ec88902 100644
|
||||
--- a/src/com/android/packageinstaller/permission/model/Permission.java
|
||||
+++ b/src/com/android/packageinstaller/permission/model/Permission.java
|
||||
@@ -18,6 +18,7 @@ package com.android.packageinstaller.permission.model;
|
||||
|
||||
import android.content.pm.PackageManager;
|
||||
import android.content.pm.PermissionInfo;
|
||||
+import android.Manifest;
|
||||
|
||||
import androidx.annotation.NonNull;
|
||||
|
||||
@@ -136,7 +137,7 @@ public final class Permission {
|
||||
* @return {@code true} if the permission (and the app-op) is granted.
|
||||
*/
|
||||
public boolean isGrantedIncludingAppOp() {
|
||||
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && !isReviewRequired();
|
||||
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
|
||||
}
|
||||
|
||||
public boolean isReviewRequired() {
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 10:29:15 -0400
|
||||
Subject: [PATCH] add INTERNET permission toggle
|
||||
|
||||
---
|
||||
src/com/android/packageinstaller/permission/utils/Utils.java | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
|
||||
index b7be30dcc..162b15f37 100644
|
||||
--- a/src/com/android/packageinstaller/permission/utils/Utils.java
|
||||
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java
|
||||
@@ -24,6 +24,7 @@ import static android.Manifest.permission_group.CAMERA;
|
||||
import static android.Manifest.permission_group.CONTACTS;
|
||||
import static android.Manifest.permission_group.LOCATION;
|
||||
import static android.Manifest.permission_group.MICROPHONE;
|
||||
+import static android.Manifest.permission_group.NETWORK;
|
||||
import static android.Manifest.permission_group.PHONE;
|
||||
import static android.Manifest.permission_group.SENSORS;
|
||||
import static android.Manifest.permission_group.SMS;
|
||||
@@ -173,6 +174,8 @@ public final class Utils {
|
||||
|
||||
PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS);
|
||||
|
||||
+ PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
|
||||
+
|
||||
PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
|
||||
int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
|
||||
for (int i = 0; i < numPlatformPermissions; i++) {
|
||||
|
|
@ -29,7 +29,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
|
|||
create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java
|
||||
|
||||
diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
|
||||
index ebb53e1237..970b7c9086 100644
|
||||
index d1ed0c6863..7ab4de0561 100644
|
||||
--- a/res/values-de/cm_strings.xml
|
||||
+++ b/res/values-de/cm_strings.xml
|
||||
@@ -112,4 +112,7 @@
|
||||
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 6 Aug 2017 08:19:36 -0400
|
||||
Subject: [PATCH] remove legacy NETWORK permission group reference
|
||||
|
||||
---
|
||||
AndroidManifest.xml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
|
||||
index 302a58e5..65f38e86 100644
|
||||
--- a/AndroidManifest.xml
|
||||
+++ b/AndroidManifest.xml
|
||||
@@ -29,7 +29,6 @@
|
||||
|
||||
<!-- Allows to queue downloads without a notification shown while the download runs. -->
|
||||
<permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
|
||||
- android:permissionGroup="android.permission-group.NETWORK"
|
||||
android:label="@string/permlab_downloadWithoutNotification"
|
||||
android:description="@string/permdesc_downloadWithoutNotification"
|
||||
android:protectionLevel="normal"/>
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pratyush <codelab@pratyush.dev>
|
||||
Date: Thu, 12 Aug 2021 00:15:25 +0530
|
||||
Subject: [PATCH] use uid instead of app id for tracking INTERNET permission
|
||||
|
||||
Change-Id: Ibec846480f3b440b5a323c86efa95c2fd1d81284
|
||||
---
|
||||
bpf_progs/netd.c | 10 ++--------
|
||||
1 file changed, 2 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
|
||||
index 1362be25..69b618f8 100644
|
||||
--- a/bpf_progs/netd.c
|
||||
+++ b/bpf_progs/netd.c
|
||||
@@ -74,14 +74,8 @@ DEFINE_BPF_MAP(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE)
|
||||
SEC("cgroupsock/inet/create")
|
||||
int inet_socket_create(struct bpf_sock* sk) {
|
||||
uint64_t gid_uid = bpf_get_current_uid_gid();
|
||||
- /*
|
||||
- * A given app is guaranteed to have the same app ID in all the profiles in
|
||||
- * which it is installed, and install permission is granted to app for all
|
||||
- * user at install time so we only check the appId part of a request uid at
|
||||
- * run time. See UserHandle#isSameApp for detail.
|
||||
- */
|
||||
- uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
|
||||
- uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
|
||||
+ uint32_t uid = (gid_uid & 0xffffffff);
|
||||
+ uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&uid);
|
||||
if (!permissions) {
|
||||
// UID not in map. Default to just INTERNET permission.
|
||||
return 1;
|
||||
|
|
@ -0,0 +1,95 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: inthewaves <inthewaves@pm.me>
|
||||
Date: Sat, 12 Sep 2020 12:28:34 -0700
|
||||
Subject: [PATCH] support new special runtime permissions
|
||||
|
||||
These are treated as a runtime permission even for legacy apps. They
|
||||
need to be granted by default for all apps to maintain compatibility.
|
||||
|
||||
Ported from 10: 4d5d82f4e2fb9ff68158bf30f3944591bb74dd04
|
||||
|
||||
Changes from 10:
|
||||
- It seems like parts of PackageManagerService#resetUserChangesToRuntimePermissionsAndFlagsLPw
|
||||
were refactored into PermissionManagerService#resetRuntimePermissionsInternal.
|
||||
As a result, PackageManagerService is no longer modified.
|
||||
---
|
||||
.../permission/PermissionManagerService.java | 24 +++++++++++++++----
|
||||
1 file changed, 19 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
index 8d2363b6e831..26b959879084 100644
|
||||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
@@ -1461,7 +1461,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
// to keep the review required permission flag per user while an
|
||||
// install permission's state is shared across all users.
|
||||
if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
|
||||
- && bp.isRuntime()) {
|
||||
+ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1513,7 +1513,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
+ permName + " for package " + packageName);
|
||||
}
|
||||
|
||||
- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M) {
|
||||
+ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
|
||||
+ && !isSpecialRuntimePermission(permName)) {
|
||||
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
|
||||
return;
|
||||
}
|
||||
@@ -1623,7 +1624,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
// to keep the review required permission flag per user while an
|
||||
// install permission's state is shared across all users.
|
||||
if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
|
||||
- && bp.isRuntime()) {
|
||||
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1847,7 +1848,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
|
||||
// If this permission was granted by default or role, make sure it is.
|
||||
if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
|
||||
- || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0) {
|
||||
+ || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
|
||||
+ || isSpecialRuntimePermission(bp.getName())) {
|
||||
// PermissionPolicyService will handle the app op for runtime permissions later.
|
||||
grantRuntimePermissionInternal(permName, packageName, false,
|
||||
Process.SYSTEM_UID, userId, delayingPermCallback);
|
||||
@@ -2606,6 +2608,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
}
|
||||
}
|
||||
|
||||
+ public static boolean isSpecialRuntimePermission(final String permission) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Restore the permission state for a package.
|
||||
*
|
||||
@@ -2952,6 +2958,14 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
}
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (isSpecialRuntimePermission(bp.name) &&
|
||||
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
|
||||
+ if (permissionsState.grantRuntimePermission(bp, userId)
|
||||
+ != PERMISSION_OPERATION_FAILURE) {
|
||||
+ wasChanged = true;
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
if (permState == null) {
|
||||
// New permission
|
||||
@@ -3907,7 +3921,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
&& (grantedPermissions == null
|
||||
|| ArrayUtils.contains(grantedPermissions, permission))) {
|
||||
final int flags = permissionsState.getPermissionFlags(permission, userId);
|
||||
- if (supportsRuntimePermissions) {
|
||||
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
|
||||
// Installer cannot change immutable permissions.
|
||||
if ((flags & immutableFlags) == 0) {
|
||||
grantRuntimePermissionInternal(permission, pkg.getPackageName(), false,
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 17 Mar 2019 11:59:15 -0400
|
||||
Subject: [PATCH] make INTERNET into a special runtime permission
|
||||
|
||||
Ported from 10: 5e2898e9d21dd6802bb0b0139e7e496c41e1cd80
|
||||
---
|
||||
core/res/AndroidManifest.xml | 2 +-
|
||||
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index ee428371a016..0eff7ae9a0cd 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1607,7 +1607,7 @@
|
||||
<permission android:name="android.permission.INTERNET"
|
||||
android:description="@string/permdesc_createNetworkSockets"
|
||||
android:label="@string/permlab_createNetworkSockets"
|
||||
- android:protectionLevel="normal|instant" />
|
||||
+ android:protectionLevel="dangerous|instant" />
|
||||
|
||||
<!-- Allows applications to access information about networks.
|
||||
<p>Protection level: normal
|
||||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
index 26b959879084..9e6ecc739ffe 100644
|
||||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
|
||||
@@ -2609,7 +2609,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
|
||||
}
|
||||
|
||||
public static boolean isSpecialRuntimePermission(final String permission) {
|
||||
- return false;
|
||||
+ return Manifest.permission.INTERNET.equals(permission);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -0,0 +1,81 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 11:23:07 -0400
|
||||
Subject: [PATCH] add a NETWORK permission group for INTERNET
|
||||
|
||||
Ported from 10: b5c9f9407d5f5407686ea8c02fa67573ddc07824
|
||||
|
||||
Changes from 10:
|
||||
- Needed to run `m api-stubs-docs-non-updatable-update-current-api`
|
||||
to fix the "You have tried to change the API from what has been
|
||||
previously approved" errors.
|
||||
---
|
||||
api/current.txt | 1 +
|
||||
core/res/AndroidManifest.xml | 8 ++++++++
|
||||
core/res/res/values/strings.xml | 5 +++++
|
||||
non-updatable-api/current.txt | 1 +
|
||||
4 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/api/current.txt b/api/current.txt
|
||||
index 952ccdad992c..728c0e95ca6d 100644
|
||||
--- a/api/current.txt
|
||||
+++ b/api/current.txt
|
||||
@@ -184,6 +184,7 @@ package android {
|
||||
field public static final String CONTACTS = "android.permission-group.CONTACTS";
|
||||
field public static final String LOCATION = "android.permission-group.LOCATION";
|
||||
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
|
||||
+ field public static final String NETWORK = "android.permission-group.NETWORK";
|
||||
field public static final String PHONE = "android.permission-group.PHONE";
|
||||
field public static final String SENSORS = "android.permission-group.SENSORS";
|
||||
field public static final String SMS = "android.permission-group.SMS";
|
||||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
|
||||
index 0eff7ae9a0cd..00351c340a1a 100644
|
||||
--- a/core/res/AndroidManifest.xml
|
||||
+++ b/core/res/AndroidManifest.xml
|
||||
@@ -1601,10 +1601,18 @@
|
||||
<!-- ======================================= -->
|
||||
<eat-comment />
|
||||
|
||||
+ <!-- Network access -->
|
||||
+ <permission-group android:name="android.permission-group.NETWORK"
|
||||
+ android:icon="@drawable/perm_group_network"
|
||||
+ android:label="@string/permgrouplab_network"
|
||||
+ android:description="@string/permgroupdesc_network"
|
||||
+ android:priority="900" />
|
||||
+
|
||||
<!-- Allows applications to open network sockets.
|
||||
<p>Protection level: normal
|
||||
-->
|
||||
<permission android:name="android.permission.INTERNET"
|
||||
+ android:permissionGroup="android.permission-group.UNDEFINED"
|
||||
android:description="@string/permdesc_createNetworkSockets"
|
||||
android:label="@string/permlab_createNetworkSockets"
|
||||
android:protectionLevel="dangerous|instant" />
|
||||
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
|
||||
index 5c659123b027..7f114cf9b6b4 100644
|
||||
--- a/core/res/res/values/strings.xml
|
||||
+++ b/core/res/res/values/strings.xml
|
||||
@@ -804,6 +804,11 @@
|
||||
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
<string name="permgroupdesc_sensors">access sensor data about your vital signs</string>
|
||||
|
||||
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
+ <string name="permgrouplab_network">Network</string>
|
||||
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
|
||||
+ <string name="permgroupdesc_network">access the network</string>
|
||||
+
|
||||
<!-- Title for the capability of an accessibility service to retrieve window content. -->
|
||||
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
|
||||
<!-- Description for the capability of an accessibility service to retrieve window content. -->
|
||||
diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
|
||||
index 5f15216e8400..189544f98594 100644
|
||||
--- a/non-updatable-api/current.txt
|
||||
+++ b/non-updatable-api/current.txt
|
||||
@@ -184,6 +184,7 @@ package android {
|
||||
field public static final String CONTACTS = "android.permission-group.CONTACTS";
|
||||
field public static final String LOCATION = "android.permission-group.LOCATION";
|
||||
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
|
||||
+ field public static final String NETWORK = "android.permission-group.NETWORK";
|
||||
field public static final String PHONE = "android.permission-group.PHONE";
|
||||
field public static final String SENSORS = "android.permission-group.SENSORS";
|
||||
field public static final String SMS = "android.permission-group.SMS";
|
||||
|
|
@ -0,0 +1,112 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Zoraver Kang <zkang@wpi.edu>
|
||||
Date: Mon, 16 Sep 2019 16:41:30 -0400
|
||||
Subject: [PATCH] Enforce INTERNET as a runtime permission.
|
||||
|
||||
Ported from 10: 69f726bc4219a7acea0319ae8d4b5fda48cd9861
|
||||
---
|
||||
.../connectivity/PermissionMonitor.java | 59 ++++++++++++-------
|
||||
1 file changed, 39 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
index f0b7150dd84f..41c013b4b197 100644
|
||||
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
|
||||
import static android.os.Process.SYSTEM_UID;
|
||||
|
||||
import android.annotation.NonNull;
|
||||
+import android.annotation.UserIdInt;
|
||||
import android.content.Context;
|
||||
import android.content.pm.ApplicationInfo;
|
||||
import android.content.pm.PackageInfo;
|
||||
@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
|
||||
import com.android.internal.util.IndentingPrintWriter;
|
||||
import com.android.server.LocalServices;
|
||||
import com.android.server.SystemConfig;
|
||||
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
@@ -80,6 +82,7 @@ public class PermissionMonitor {
|
||||
private static final int VERSION_Q = Build.VERSION_CODES.Q;
|
||||
|
||||
private final PackageManager mPackageManager;
|
||||
+ private final PackageManagerInternal mPackageManagerInternal;
|
||||
private final UserManager mUserManager;
|
||||
private final INetd mNetd;
|
||||
|
||||
@@ -104,26 +107,6 @@ public class PermissionMonitor {
|
||||
|
||||
private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
|
||||
|
||||
- private int getPermissionForUid(int uid) {
|
||||
- int permission = 0;
|
||||
- // Check all the packages for this UID. The UID has the permission if any of the
|
||||
- // packages in it has the permission.
|
||||
- String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
- if (packages != null && packages.length > 0) {
|
||||
- for (String name : packages) {
|
||||
- final PackageInfo app = getPackageInfo(name);
|
||||
- if (app != null && app.requestedPermissions != null) {
|
||||
- permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
- app.requestedPermissionsFlags);
|
||||
- }
|
||||
- }
|
||||
- } else {
|
||||
- // The last package of this uid is removed from device. Clean the package up.
|
||||
- permission = INetd.PERMISSION_UNINSTALLED;
|
||||
- }
|
||||
- return permission;
|
||||
- }
|
||||
-
|
||||
@Override
|
||||
public void onPackageAdded(String packageName, int uid) {
|
||||
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
|
||||
@@ -140,10 +123,46 @@ public class PermissionMonitor {
|
||||
}
|
||||
}
|
||||
|
||||
+ private int getPermissionForUid(int uid) {
|
||||
+ int permission = 0;
|
||||
+ // Check all the packages for this UID. The UID has the permission if any of the
|
||||
+ // packages in it has the permission.
|
||||
+ String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
+ if (packages != null && packages.length > 0) {
|
||||
+ for (String name : packages) {
|
||||
+ final PackageInfo app = getPackageInfo(name);
|
||||
+ if (app != null && app.requestedPermissions != null) {
|
||||
+ permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
+ app.requestedPermissionsFlags);
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ // The last package of this uid is removed from device. Clean the package up.
|
||||
+ permission = INetd.PERMISSION_UNINSTALLED;
|
||||
+ }
|
||||
+ return permission;
|
||||
+ }
|
||||
+
|
||||
+ // implements OnRuntimePermissionStateChangedListener
|
||||
+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
|
||||
+ @UserIdInt int userId) {
|
||||
+ // userId is _not_ uid
|
||||
+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
|
||||
+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
|
||||
+ }
|
||||
+
|
||||
public PermissionMonitor(Context context, INetd netd) {
|
||||
mPackageManager = context.getPackageManager();
|
||||
mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
|
||||
mNetd = netd;
|
||||
+
|
||||
+ mPackageManagerInternal = LocalServices.getService(
|
||||
+ PackageManagerInternal.class);
|
||||
+
|
||||
+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
|
||||
+ PermissionManagerServiceInternal.class);
|
||||
+ permManagerInternal.addOnRuntimePermissionStateChangedListener(
|
||||
+ this::enforceINTERNETAsRuntimePermission);
|
||||
}
|
||||
|
||||
// Intended to be called only once at startup, after the system is ready. Installs a broadcast
|
||||
|
|
@ -0,0 +1,82 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: pratyush <codelab@pratyush.dev>
|
||||
Date: Sun, 25 Apr 2021 07:04:03 +0530
|
||||
Subject: [PATCH] fix INTERNET enforcement for secondary users
|
||||
|
||||
This code was not specifying the profile for the app so it wasn't
|
||||
working properly with INTERNET as a runtime permission.
|
||||
---
|
||||
.../connectivity/PermissionMonitor.java | 20 +++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
index 41c013b4b197..09cd274cbb05 100644
|
||||
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
@@ -130,7 +130,8 @@ public class PermissionMonitor {
|
||||
String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
if (packages != null && packages.length > 0) {
|
||||
for (String name : packages) {
|
||||
- final PackageInfo app = getPackageInfo(name);
|
||||
+ int userId = UserHandle.getUserId(uid);
|
||||
+ final PackageInfo app = getPackageInfo(name, userId);
|
||||
if (app != null && app.requestedPermissions != null) {
|
||||
permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
app.requestedPermissionsFlags);
|
||||
@@ -147,7 +148,7 @@ public class PermissionMonitor {
|
||||
private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
|
||||
@UserIdInt int userId) {
|
||||
// userId is _not_ uid
|
||||
- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
|
||||
+ int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId);
|
||||
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
|
||||
}
|
||||
|
||||
@@ -364,12 +365,13 @@ public class PermissionMonitor {
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
|
||||
+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
|
||||
if (currentPermission == SYSTEM) {
|
||||
return currentPermission;
|
||||
}
|
||||
try {
|
||||
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
|
||||
+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
|
||||
+ UserHandle.getUserId(uid));
|
||||
final boolean isNetwork = hasNetworkPermission(app);
|
||||
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
||||
if (isNetwork || hasRestrictedPermission) {
|
||||
@@ -393,7 +395,7 @@ public class PermissionMonitor {
|
||||
public synchronized void onPackageAdded(String packageName, int uid) {
|
||||
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||
- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
|
||||
+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
|
||||
if (permission != mApps.get(uid)) {
|
||||
mApps.put(uid, permission);
|
||||
|
||||
@@ -445,7 +447,7 @@ public class PermissionMonitor {
|
||||
String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
if (packages != null && packages.length > 0) {
|
||||
for (String name : packages) {
|
||||
- permission = highestPermissionForUid(permission, name);
|
||||
+ permission = highestPermissionForUid(permission, name, uid);
|
||||
if (permission == SYSTEM) {
|
||||
// An app with this UID still has the SYSTEM permission.
|
||||
// Therefore, this UID must already have the SYSTEM permission.
|
||||
@@ -485,11 +487,9 @@ public class PermissionMonitor {
|
||||
return permissions;
|
||||
}
|
||||
|
||||
- private PackageInfo getPackageInfo(String packageName) {
|
||||
+ private PackageInfo getPackageInfo(String packageName, int userId) {
|
||||
try {
|
||||
- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
|
||||
- | MATCH_ANY_USER);
|
||||
- return app;
|
||||
+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
|
||||
} catch (NameNotFoundException e) {
|
||||
return null;
|
||||
}
|
||||
|
|
@ -0,0 +1,125 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pratyush <codelab@pratyush.dev>
|
||||
Date: Thu, 12 Aug 2021 03:44:41 +0530
|
||||
Subject: [PATCH] send uid for each user instead of just owner/admin user
|
||||
|
||||
---
|
||||
.../connectivity/PermissionMonitor.java | 83 +++++++++++--------
|
||||
1 file changed, 49 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
index 09cd274cbb05..ee0c531ef13e 100644
|
||||
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
|
||||
@@ -132,7 +132,7 @@ public class PermissionMonitor {
|
||||
for (String name : packages) {
|
||||
int userId = UserHandle.getUserId(uid);
|
||||
final PackageInfo app = getPackageInfo(name, userId);
|
||||
- if (app != null && app.requestedPermissions != null) {
|
||||
+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
|
||||
permission |= getNetdPermissionMask(app.requestedPermissions,
|
||||
app.requestedPermissionsFlags);
|
||||
}
|
||||
@@ -177,44 +177,45 @@ public class PermissionMonitor {
|
||||
} else {
|
||||
loge("failed to get the PackageManagerInternal service");
|
||||
}
|
||||
- List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
|
||||
- | MATCH_ANY_USER);
|
||||
- if (apps == null) {
|
||||
- loge("No apps");
|
||||
- return;
|
||||
- }
|
||||
|
||||
SparseIntArray netdPermsUids = new SparseIntArray();
|
||||
|
||||
- for (PackageInfo app : apps) {
|
||||
- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
|
||||
- if (uid < 0) {
|
||||
- continue;
|
||||
- }
|
||||
- mAllApps.add(UserHandle.getAppId(uid));
|
||||
-
|
||||
- boolean isNetwork = hasNetworkPermission(app);
|
||||
- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
||||
-
|
||||
- if (isNetwork || hasRestrictedPermission) {
|
||||
- Boolean permission = mApps.get(uid);
|
||||
- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||
- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||
- if (permission == null || permission == NETWORK) {
|
||||
- mApps.put(uid, hasRestrictedPermission);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- //TODO: unify the management of the permissions into one codepath.
|
||||
- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
|
||||
- app.requestedPermissionsFlags);
|
||||
- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
|
||||
- }
|
||||
-
|
||||
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
|
||||
if (users != null) {
|
||||
for (UserInfo user : users) {
|
||||
mUsers.add(user.id);
|
||||
+
|
||||
+ List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
|
||||
+ if (apps == null) {
|
||||
+ loge("No apps");
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ for (PackageInfo app : apps) {
|
||||
+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
|
||||
+ if (uid < 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ mAllApps.add(UserHandle.getAppId(uid));
|
||||
+
|
||||
+ boolean isNetwork = hasNetworkPermission(app);
|
||||
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
||||
+
|
||||
+ if (isNetwork || hasRestrictedPermission) {
|
||||
+ Boolean permission = mApps.get(uid);
|
||||
+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||
+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||
+ if (permission == null || permission == NETWORK) {
|
||||
+ mApps.put(uid, hasRestrictedPermission);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ //TODO: unify the management of the permissions into one codepath.
|
||||
+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
|
||||
+ app.requestedPermissionsFlags);
|
||||
+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
|
||||
+ }
|
||||
+
|
||||
}
|
||||
}
|
||||
|
||||
@@ -308,9 +309,23 @@ public class PermissionMonitor {
|
||||
List<Integer> network = new ArrayList<>();
|
||||
List<Integer> system = new ArrayList<>();
|
||||
for (Entry<Integer, Boolean> app : apps.entrySet()) {
|
||||
- List<Integer> list = app.getValue() ? system : network;
|
||||
for (int user : users) {
|
||||
- list.add(UserHandle.getUid(user, app.getKey()));
|
||||
+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
|
||||
+ if (uid < 0) continue;
|
||||
+ String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||
+ if (packages == null) continue;
|
||||
+ for (String pkg : packages) {
|
||||
+ PackageInfo info = getPackageInfo(pkg, user);
|
||||
+ if (info != null && info.applicationInfo.uid == uid) {
|
||||
+ boolean isNetwork = hasNetworkPermission(info);
|
||||
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
|
||||
+
|
||||
+ if (isNetwork || hasRestrictedPermission) {
|
||||
+ List<Integer> list = hasRestrictedPermission ? system : network;
|
||||
+ list.add(UserHandle.getUid(user, app.getKey()));
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
try {
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||
Date: Tue, 14 Dec 2021 18:17:11 +0200
|
||||
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
|
||||
|
||||
---
|
||||
core/java/android/net/ConnectivityManager.java | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
|
||||
index 7df32c10b16b..a2b04f3e9540 100644
|
||||
--- a/core/java/android/net/ConnectivityManager.java
|
||||
+++ b/core/java/android/net/ConnectivityManager.java
|
||||
@@ -17,6 +17,7 @@ package android.net;
|
||||
|
||||
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
|
||||
|
||||
+import android.Manifest;
|
||||
import android.annotation.CallbackExecutor;
|
||||
import android.annotation.IntDef;
|
||||
import android.annotation.NonNull;
|
||||
@@ -31,6 +32,7 @@ import android.app.PendingIntent;
|
||||
import android.compat.annotation.UnsupportedAppUsage;
|
||||
import android.content.Context;
|
||||
import android.content.Intent;
|
||||
+import android.content.pm.PackageManager;
|
||||
import android.net.IpSecManager.UdpEncapsulationSocket;
|
||||
import android.net.SocketKeepalive.Callback;
|
||||
import android.net.TetheringManager.StartTetheringCallback;
|
||||
@@ -3047,6 +3049,12 @@ public class ConnectivityManager {
|
||||
*/
|
||||
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
|
||||
printStackTrace();
|
||||
+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
|
||||
+ // ConnectivityService enforces this by throwing an unexpected SecurityException,
|
||||
+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that
|
||||
+ // INTERNET permission might get revoked.
|
||||
+ return;
|
||||
+ }
|
||||
try {
|
||||
mService.reportNetworkConnectivity(network, hasConnectivity);
|
||||
} catch (RemoteException e) {
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||
Date: Tue, 14 Dec 2021 21:10:51 +0200
|
||||
Subject: [PATCH] don't throw SecurityException when INTERNET permission is
|
||||
revoked
|
||||
|
||||
---
|
||||
ojluni/src/main/java/java/net/Inet6AddressImpl.java | 11 +----------
|
||||
1 file changed, 1 insertion(+), 10 deletions(-)
|
||||
|
||||
diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
index 84bcf17eda..fda9674e08 100644
|
||||
--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
|
||||
@@ -141,16 +141,7 @@ class Inet6AddressImpl implements InetAddressImpl {
|
||||
addressCache.put(host, netId, addresses);
|
||||
return addresses;
|
||||
} catch (GaiException gaiException) {
|
||||
- // If the failure appears to have been a lack of INTERNET permission, throw a clear
|
||||
- // SecurityException to aid in debugging this common mistake.
|
||||
- // http://code.google.com/p/android/issues/detail?id=15722
|
||||
- if (gaiException.getCause() instanceof ErrnoException) {
|
||||
- int errno = ((ErrnoException) gaiException.getCause()).errno;
|
||||
- if (errno == EACCES || errno == EPERM) {
|
||||
- throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
|
||||
- }
|
||||
- }
|
||||
- // Otherwise, throw an UnknownHostException.
|
||||
+ // Throw an UnknownHostException.
|
||||
String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
|
||||
addressCache.putUnknownHost(host, netId, detailMessage);
|
||||
throw gaiException.rethrowAsUnknownHostException(detailMessage);
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sat, 22 Jul 2017 21:43:50 -0400
|
||||
Subject: [PATCH] always treat INTERNET as a runtime permission
|
||||
|
||||
ported from 10: 6c4f112dde47f21ce5a583f5bd8b217db6de5c02
|
||||
---
|
||||
.../permission/model/AppPermissionGroup.java | 5 +++--
|
||||
.../permissioncontroller/permission/model/Permission.java | 3 ++-
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
|
||||
index aeb90811b..0399a1836 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
|
||||
@@ -34,6 +34,7 @@ import android.content.pm.PackageManager;
|
||||
import android.content.pm.PackageManager.NameNotFoundException;
|
||||
import android.content.pm.PermissionGroupInfo;
|
||||
import android.content.pm.PermissionInfo;
|
||||
+import android.Manifest;
|
||||
import android.os.Build;
|
||||
import android.os.UserHandle;
|
||||
import android.permission.PermissionManager;
|
||||
@@ -872,7 +873,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
|
||||
|
||||
boolean wasGranted = permission.isGrantedIncludingAppOp();
|
||||
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
// Do not touch permissions fixed by the system.
|
||||
if (permission.isSystemFixed()) {
|
||||
wasAllGranted = false;
|
||||
@@ -1057,7 +1058,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
|
||||
break;
|
||||
}
|
||||
|
||||
- if (mAppSupportsRuntimePermissions) {
|
||||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
// Revoke the permission if needed.
|
||||
if (permission.isGranted()) {
|
||||
permission.setGranted(false);
|
||||
diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java
|
||||
index 49381db2b..3af5241af 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/model/Permission.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/model/Permission.java
|
||||
@@ -18,6 +18,7 @@ package com.android.permissioncontroller.permission.model;
|
||||
|
||||
import android.content.pm.PackageManager;
|
||||
import android.content.pm.PermissionInfo;
|
||||
+import android.Manifest;
|
||||
|
||||
import androidx.annotation.NonNull;
|
||||
|
||||
@@ -137,7 +138,7 @@ public final class Permission {
|
||||
* @return {@code true} if the permission (and the app-op) is granted.
|
||||
*/
|
||||
public boolean isGrantedIncludingAppOp() {
|
||||
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && !isReviewRequired();
|
||||
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
|
||||
}
|
||||
|
||||
public boolean isReviewRequired() {
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 21 Jul 2017 10:29:15 -0400
|
||||
Subject: [PATCH] add INTERNET permission toggle
|
||||
|
||||
ported from 10: a07271ed7e45239369f2ca33496d939d2e9cbd08
|
||||
---
|
||||
.../android/permissioncontroller/permission/utils/Utils.java | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
index 65fdd590a..2f0dc3d21 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
@@ -25,6 +25,7 @@ import static android.Manifest.permission_group.CAMERA;
|
||||
import static android.Manifest.permission_group.CONTACTS;
|
||||
import static android.Manifest.permission_group.LOCATION;
|
||||
import static android.Manifest.permission_group.MICROPHONE;
|
||||
+import static android.Manifest.permission_group.NETWORK;
|
||||
import static android.Manifest.permission_group.PHONE;
|
||||
import static android.Manifest.permission_group.SENSORS;
|
||||
import static android.Manifest.permission_group.SMS;
|
||||
@@ -209,6 +210,8 @@ public final class Utils {
|
||||
|
||||
PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS);
|
||||
|
||||
+ PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
|
||||
+
|
||||
PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
|
||||
int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
|
||||
for (int i = 0; i < numPlatformPermissions; i++) {
|
||||
|
|
@ -0,0 +1,109 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: inthewaves <inthewaves@pm.me>
|
||||
Date: Sat, 12 Sep 2020 15:40:58 -0700
|
||||
Subject: [PATCH] refactor handling of special runtime permissions
|
||||
|
||||
---
|
||||
.../permission/model/AppPermissionGroup.java | 5 ++---
|
||||
.../permission/model/Permission.java | 5 +++--
|
||||
.../permission/utils/Utils.java | 17 +++++++++++++++++
|
||||
3 files changed, 22 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
|
||||
index 0399a1836..cb4eab9f7 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
|
||||
@@ -34,7 +34,6 @@ import android.content.pm.PackageManager;
|
||||
import android.content.pm.PackageManager.NameNotFoundException;
|
||||
import android.content.pm.PermissionGroupInfo;
|
||||
import android.content.pm.PermissionInfo;
|
||||
-import android.Manifest;
|
||||
import android.os.Build;
|
||||
import android.os.UserHandle;
|
||||
import android.permission.PermissionManager;
|
||||
@@ -873,7 +872,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
|
||||
|
||||
boolean wasGranted = permission.isGrantedIncludingAppOp();
|
||||
|
||||
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
+ if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) {
|
||||
// Do not touch permissions fixed by the system.
|
||||
if (permission.isSystemFixed()) {
|
||||
wasAllGranted = false;
|
||||
@@ -1058,7 +1057,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
|
||||
break;
|
||||
}
|
||||
|
||||
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
|
||||
+ if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) {
|
||||
// Revoke the permission if needed.
|
||||
if (permission.isGranted()) {
|
||||
permission.setGranted(false);
|
||||
diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java
|
||||
index 3af5241af..3f17de882 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/model/Permission.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/model/Permission.java
|
||||
@@ -18,10 +18,11 @@ package com.android.permissioncontroller.permission.model;
|
||||
|
||||
import android.content.pm.PackageManager;
|
||||
import android.content.pm.PermissionInfo;
|
||||
-import android.Manifest;
|
||||
|
||||
import androidx.annotation.NonNull;
|
||||
|
||||
+import com.android.permissioncontroller.permission.utils.Utils;
|
||||
+
|
||||
import java.util.ArrayList;
|
||||
import java.util.Objects;
|
||||
|
||||
@@ -138,7 +139,7 @@ public final class Permission {
|
||||
* @return {@code true} if the permission (and the app-op) is granted.
|
||||
*/
|
||||
public boolean isGrantedIncludingAppOp() {
|
||||
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
|
||||
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Utils.isSpecialRuntimePermission(mName));
|
||||
}
|
||||
|
||||
public boolean isReviewRequired() {
|
||||
diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
index 2f0dc3d21..dab86e734 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
@@ -145,6 +145,9 @@ public final class Utils {
|
||||
*/
|
||||
public static final long ONE_TIME_PERMISSIONS_TIMEOUT_MILLIS = 1 * 60 * 1000; // 1 minute
|
||||
|
||||
+ /** Mapping permission -> group for all special runtime permissions */
|
||||
+ private static final ArrayMap<String, String> SPECIAL_RUNTIME_PERMISSIONS;
|
||||
+
|
||||
/** Mapping permission -> group for all dangerous platform permissions */
|
||||
private static final ArrayMap<String, String> PLATFORM_PERMISSIONS;
|
||||
|
||||
@@ -212,6 +215,9 @@ public final class Utils {
|
||||
|
||||
PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
|
||||
|
||||
+ SPECIAL_RUNTIME_PERMISSIONS = new ArrayMap<>();
|
||||
+ SPECIAL_RUNTIME_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
|
||||
+
|
||||
PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
|
||||
int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
|
||||
for (int i = 0; i < numPlatformPermissions; i++) {
|
||||
@@ -642,6 +648,17 @@ public final class Utils {
|
||||
return PLATFORM_PERMISSIONS.containsKey(permission);
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Is the permission a special runtime permission?
|
||||
+ * These are treated as a runtime permission even for legacy apps. They
|
||||
+ * need to be granted by default for all apps to maintain compatibility.
|
||||
+ *
|
||||
+ * @return whether the permission is a special runtime permission.
|
||||
+ */
|
||||
+ public static boolean isSpecialRuntimePermission(@NonNull String permission) {
|
||||
+ return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission);
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Should UI show this permission.
|
||||
*
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: inthewaves <inthewaves@pm.me>
|
||||
Date: Wed, 16 Sep 2020 17:30:37 -0700
|
||||
Subject: [PATCH] don't auto revoke Network and Sensors
|
||||
|
||||
These shouldn't be automatically removed since apps are currently
|
||||
granted these by default for compatibility. Users have to explicitly
|
||||
remove them rather than granting them. Apps would need to be aware of
|
||||
them and request them from the user to treat them like the standard
|
||||
permissions.
|
||||
---
|
||||
.../permission/data/AutoRevokeStateLiveData.kt | 3 ++-
|
||||
.../permission/service/AutoRevokePermissions.kt | 6 +++---
|
||||
.../permissioncontroller/permission/utils/Utils.java | 11 +++++++++++
|
||||
3 files changed, 16 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt b/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt
|
||||
index d84b7c9a3..0d74a8c2f 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt
|
||||
+++ b/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt
|
||||
@@ -29,6 +29,7 @@ import com.android.permissioncontroller.permission.service.ExemptServicesLiveDat
|
||||
import com.android.permissioncontroller.permission.service.isAutoRevokeEnabled
|
||||
import com.android.permissioncontroller.permission.service.isPackageAutoRevokeExempt
|
||||
import com.android.permissioncontroller.permission.service.isPackageAutoRevokePermanentlyExempt
|
||||
+import com.android.permissioncontroller.permission.utils.Utils
|
||||
import kotlinx.coroutines.Job
|
||||
|
||||
/**
|
||||
@@ -91,7 +92,7 @@ class AutoRevokeStateLiveData private constructor(
|
||||
permState.permFlags and (FLAG_PERMISSION_GRANTED_BY_DEFAULT or
|
||||
FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
|
||||
} ?: false
|
||||
- if (!default) {
|
||||
+ if (!default && !Utils.isSpecialRuntimePermissionGroup(groupName)) {
|
||||
revocableGroups.add(groupName)
|
||||
}
|
||||
}
|
||||
diff --git a/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt b/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
|
||||
index 8dd8e8f77..d7f8f229f 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
|
||||
+++ b/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
|
||||
@@ -239,8 +239,7 @@ class AutoRevokeOnBootReceiver : BroadcastReceiver() {
|
||||
private suspend fun revokePermissionsOnUnusedApps(
|
||||
context: Context,
|
||||
sessionId: Long = INVALID_SESSION_ID
|
||||
-):
|
||||
- List<Pair<String, UserHandle>> {
|
||||
+): List<Pair<String, UserHandle>> {
|
||||
if (!isAutoRevokeEnabled(context)) {
|
||||
return emptyList()
|
||||
}
|
||||
@@ -361,7 +360,8 @@ private suspend fun revokePermissionsOnUnusedApps(
|
||||
granted &&
|
||||
!group.isGrantedByDefault &&
|
||||
!group.isGrantedByRole &&
|
||||
- group.isUserSensitive) {
|
||||
+ group.isUserSensitive &&
|
||||
+ !Utils.isSpecialRuntimePermissionGroup(groupName)) {
|
||||
|
||||
val revocablePermissions = group.permissions.keys.toList()
|
||||
|
||||
diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
index dab86e734..4a7de5416 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
|
||||
@@ -659,6 +659,17 @@ public final class Utils {
|
||||
return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission);
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Is the permission group a special runtime permission group?
|
||||
+ * These are treated as a runtime permission even for legacy apps. They
|
||||
+ * need to be granted by default for all apps to maintain compatibility.
|
||||
+ *
|
||||
+ * @return whether the permission group is a special runtime permission group.
|
||||
+ */
|
||||
+ public static boolean isSpecialRuntimePermissionGroup(@NonNull String permissionGroup) {
|
||||
+ return SPECIAL_RUNTIME_PERMISSIONS.containsValue(permissionGroup);
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Should UI show this permission.
|
||||
*
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pratyush <codelab@pratyush.dev>
|
||||
Date: Sat, 24 Jul 2021 04:33:31 +0530
|
||||
Subject: [PATCH] ui fix for special runtime permission
|
||||
|
||||
---
|
||||
.../permissioncontroller/permission/utils/KotlinUtils.kt | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt b/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
|
||||
index 64068fe41..63348d72a 100644
|
||||
--- a/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
|
||||
+++ b/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
|
||||
@@ -467,7 +467,7 @@ object KotlinUtils {
|
||||
if (!perm.isGrantedIncludingAppOp) {
|
||||
val affectsAppOp = permissionToOp(perm.name) != null || perm.isBackgroundPermission
|
||||
|
||||
- if (supportsRuntime) {
|
||||
+ if (supportsRuntime || Utils.isSpecialRuntimePermission(perm.name)) {
|
||||
app.packageManager.grantRuntimePermission(group.packageInfo.packageName, perm.name,
|
||||
user)
|
||||
isGranted = true
|
||||
@@ -640,7 +640,7 @@ object KotlinUtils {
|
||||
val affectsAppOp = permissionToOp(perm.name) != null || perm.isBackgroundPermission
|
||||
|
||||
if (perm.isGrantedIncludingAppOp) {
|
||||
- if (supportsRuntime) {
|
||||
+ if (supportsRuntime || Utils.isSpecialRuntimePermission(perm.name)) {
|
||||
// Revoke the permission if needed.
|
||||
app.packageManager.revokeRuntimePermission(group.packageInfo.packageName,
|
||||
perm.name, user)
|
||||
@@ -927,4 +927,4 @@ fun NavController.navigateSafe(destResId: Int, args: Bundle? = null) {
|
||||
navigate(destResId, args)
|
||||
}
|
||||
}
|
||||
-}
|
||||
\ No newline at end of file
|
||||
+}
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 6 Aug 2017 08:19:36 -0400
|
||||
Subject: [PATCH] remove legacy NETWORK permission group reference
|
||||
|
||||
---
|
||||
AndroidManifest.xml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
|
||||
index 43cf258e..dfce071d 100644
|
||||
--- a/AndroidManifest.xml
|
||||
+++ b/AndroidManifest.xml
|
||||
@@ -29,7 +29,6 @@
|
||||
|
||||
<!-- Allows to queue downloads without a notification shown while the download runs. -->
|
||||
<permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
|
||||
- android:permissionGroup="android.permission-group.NETWORK"
|
||||
android:label="@string/permlab_downloadWithoutNotification"
|
||||
android:description="@string/permdesc_downloadWithoutNotification"
|
||||
android:protectionLevel="normal"/>
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pratyush <codelab@pratyush.dev>
|
||||
Date: Thu, 12 Aug 2021 00:15:25 +0530
|
||||
Subject: [PATCH] use uid instead of app id for tracking INTERNET permission
|
||||
|
||||
Change-Id: Ibec846480f3b440b5a323c86efa95c2fd1d81284
|
||||
---
|
||||
bpf_progs/netd.c | 10 ++--------
|
||||
1 file changed, 2 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
|
||||
index 5689c197..fb266a92 100644
|
||||
--- a/bpf_progs/netd.c
|
||||
+++ b/bpf_progs/netd.c
|
||||
@@ -360,14 +360,8 @@ DEFINE_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_c
|
||||
KVER(4, 14, 0))
|
||||
(struct bpf_sock* sk) {
|
||||
uint64_t gid_uid = bpf_get_current_uid_gid();
|
||||
- /*
|
||||
- * A given app is guaranteed to have the same app ID in all the profiles in
|
||||
- * which it is installed, and install permission is granted to app for all
|
||||
- * user at install time so we only check the appId part of a request uid at
|
||||
- * run time. See UserHandle#isSameApp for detail.
|
||||
- */
|
||||
- uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
|
||||
- uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
|
||||
+ uint32_t uid = (gid_uid & 0xffffffff);
|
||||
+ uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&uid);
|
||||
if (!permissions) {
|
||||
// UID not in map. Default to just INTERNET permission.
|
||||
return 1;
|
||||
|
|
@ -112,6 +112,15 @@ applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch";
|
|||
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Restore_SensorsOff.patch"; #Restore the Sensors Off tile
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-2.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-3.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-7.patch";
|
||||
fi;
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
|
||||
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service
|
||||
|
|
@ -182,6 +191,7 @@ fi;
|
|||
if enterAndClear "libcore"; then
|
||||
if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Preload.patch"; fi; #Add exec-based spawning support (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0002-Exec_Based_Spawning.patch"; fi;
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "lineage-sdk"; then
|
||||
|
|
@ -203,6 +213,13 @@ rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml
|
|||
applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytics.patch"; #Remove analytics
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/apps/PermissionController"; then
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch";
|
||||
fi;
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/apps/Settings"; then
|
||||
git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
|
||||
|
|
@ -234,6 +251,10 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
|
|||
applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/providers/DownloadProvider"; then
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
#if enterAndClear "packages/services/Telephony"; then
|
||||
#applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #XXX 17REBASE
|
||||
#applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; #XXX 17REBASE
|
||||
|
|
@ -251,6 +272,10 @@ if enterAndClear "system/extras"; then
|
|||
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/netd"; then
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/sepolicy"; then
|
||||
git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
|
||||
|
|
|
|||
|
|
@ -94,6 +94,15 @@ applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch";
|
|||
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Sensors.patch"; fi #Permission for sensors access (MSe1969)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Restore_SensorsOff.patch"; #Restore the Sensors Off tile
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-7.patch";
|
||||
fi;
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
|
||||
hardenLocationConf services/core/java/com/android/server/location/gps_debug.conf; #Harden the default GPS config
|
||||
|
|
@ -168,6 +177,10 @@ if enterAndClear "hardware/qcom-caf/sm8250/audio"; then
|
|||
applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch"; #audio_extn: Fix unused parameter warning in utils.c
|
||||
fi;
|
||||
|
||||
if enterAndClear "libcore"; then
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "lineage-sdk"; then
|
||||
awk -i inplace '!/LineageWeatherManagerService/' lineage/res/res/values/config.xml; #Disable Weather
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAudioService/' lineage/res/res/values/config.xml; fi; #Remove AudioFX
|
||||
|
|
@ -189,6 +202,13 @@ fi;
|
|||
|
||||
if enterAndClear "packages/apps/PermissionController"; then
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-2.patch";
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-3.patch";
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-4.patch";
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-5.patch";
|
||||
fi;
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/apps/Settings"; then
|
||||
|
|
@ -220,6 +240,10 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
|
|||
applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/providers/DownloadProvider"; then
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/providers/TelephonyProvider"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/304614.patch"; #mcc/mnc fix
|
||||
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/312102.patch"; #mnc fix
|
||||
|
|
@ -244,6 +268,10 @@ if enterAndClear "system/extras"; then
|
|||
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/netd"; then
|
||||
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/sepolicy"; then
|
||||
git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/30.0";
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
|
|||
export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices
|
||||
export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1
|
||||
export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1 XXX: broken (just on 17.1?)
|
||||
export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1
|
||||
export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
|
||||
export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
|
||||
export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user