Port the GrapheneOS NETWORK permission to 17.1 and 18.1

Some patches were ported from 12 to 10/11 Some patches from 11 were ported to 10 This 10/11 port should be very close to 12 BOUNS: 16.0 patches, disabled Signed-off-by: Tad <tad@spotco.us>
2024-10-01 01:35:54 -04:00 · 2022-02-25 13:38:36 -05:00 · 2022-02-25 13:38:36 -05:00 · 5e1521700f
commit 5e1521700f
parent f4fbe65756
39 changed files with 2098 additions and 2 deletions
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
@ -0,0 +1,116 @@
+From 09632b10185b9133949a431e27089f72b5cfeefa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 08:42:55 -0400
+Subject: [PATCH] support new special runtime permissions
+
+These are treated as a runtime permission even for legacy apps. They
+need to be granted by default for all apps to maintain compatibility.
+---
+ .../server/pm/PackageManagerService.java      |  3 +-
+ .../permission/PermissionManagerService.java  | 30 ++++++++++++++-----
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index c414abac12a7..46f02259e741 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -19462,7 +19462,8 @@ private void resetUserChangesToRuntimePermissionsAndFlagsLPw(
+             }
+ 
+             // If this permission was granted by default, make sure it is.
+-            if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
+            if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+                    || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
+                 if (permissionsState.grantRuntimePermission(bp, userId)
+                         != PERMISSION_OPERATION_FAILURE) {
+                     writeRuntimePermissions = true;
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index c51a72406b53..cb8facb31020 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -659,6 +659,10 @@ private void removeDynamicPermission(
+         }
+     }
+ 
+    public static boolean isSpecialRuntimePermission(final String permission) {
+        return false;
+    }
+
+     private void grantPermissions(PackageParser.Package pkg, boolean replace,
+             String packageOfInterest, PermissionCallback callback) {
+         // IMPORTANT: There are two types of permissions: install and runtime.
+@@ -767,7 +771,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+                     // their permissions as always granted runtime ones since we need
+                     // to keep the review required permission flag per user while an
+                     // install permission's state is shared across all users.
+-                    if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) {
+                    if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired &&
+                            !isSpecialRuntimePermission(bp.getName())) {
+                         // For legacy apps dangerous permissions are install time ones.
+                         grant = GRANT_INSTALL;
+                     } else if (origPermissions.hasInstallPermission(bp.getName())) {
+@@ -877,7 +882,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+                                                 updatedUserIds, userId);
+                                     }
+                                 } else if (mSettings.mPermissionReviewRequired
+-                                        && !appSupportsRuntimePermissions) {
+                                        && !appSupportsRuntimePermissions
+                                        && !isSpecialRuntimePermission(bp.getName())) {
+                                     // For legacy apps that need a permission review, every new
+                                     // runtime permission is granted but it is pending a review.
+                                     // We also need to review only platform defined runtime
+@@ -898,7 +904,15 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+                                         updatedUserIds = ArrayUtils.appendInt(
+                                                 updatedUserIds, userId);
+                                     }
+-                                }
+				} else if (isSpecialRuntimePermission(bp.name) &&
+					origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+                                    if (permissionsState.grantRuntimePermission(bp, userId)
+                                            != PermissionsState.PERMISSION_OPERATION_FAILURE) {
+                                        // We changed the permission, hence have to write.
+                                        updatedUserIds = ArrayUtils.appendInt(
+                                                updatedUserIds, userId);
+                                    }
+				}
+                                 // Propagate the permission flags.
+                                 permissionsState.updatePermissionFlags(bp, userId, flags, flags);
+                             }
+@@ -1350,7 +1364,7 @@ private void grantRequestedRuntimePermissionsForUser(PackageParser.Package pkg,
+                     && (grantedPermissions == null
+                            || ArrayUtils.contains(grantedPermissions, permission))) {
+                 final int flags = permissionsState.getPermissionFlags(permission, userId);
+-                if (supportsRuntimePermissions) {
+                if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
+                     // Installer cannot change immutable permissions.
+                     if ((flags & immutableFlags) == 0) {
+                         grantRuntimePermission(permission, pkg.packageName, false, callingUid,
+@@ -1409,7 +1423,7 @@ private void grantRuntimePermission(String permName, String packageName, boolean
+         // install permission's state is shared across all users.
+         if (mSettings.mPermissionReviewRequired
+                 && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
+                && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
+             return;
+         }
+ 
+@@ -1445,7 +1459,8 @@ private void grantRuntimePermission(String permName, String packageName, boolean
+                     + permName + " for package " + packageName);
+         }
+ 
+-        if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
+        if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+                && !isSpecialRuntimePermission(permName)) {
+             Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
+             return;
+         }
+@@ -1530,7 +1545,8 @@ private void revokeRuntimePermission(String permName, String packageName,
+         // install permission's state is shared across all users.
+         if (mSettings.mPermissionReviewRequired
+                 && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
+                && bp.isRuntime()
+                && !isSpecialRuntimePermission(permName)) {
+             return;
+         }
+ 
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch
@ -0,0 +1,36 @@
+From 2dd00723364fcf10e6c9e6c2e022e31524fda92d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 17 Mar 2019 11:59:15 -0400
+Subject: [PATCH] make INTERNET into a special runtime permission
+
+---
+ core/res/AndroidManifest.xml                                    | 2 +-
+ .../android/server/pm/permission/PermissionManagerService.java  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index d0ae9dbc55ae..d0449dfc4f57 100644
+--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
+@@ -1348,7 +1348,7 @@
+     <permission android:name="android.permission.INTERNET"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+-        android:protectionLevel="normal|instant" />
+        android:protectionLevel="dangerous|instant" />
+ 
+     <!-- Allows applications to access information about networks.
+          <p>Protection level: normal
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index cb8facb31020..9b11c8e0ffd7 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -660,7 +660,7 @@ private void removeDynamicPermission(
+     }
+ 
+     public static boolean isSpecialRuntimePermission(final String permission) {
+-        return false;
+        return Manifest.permission.INTERNET.equals(permission);
+     }
+ 
+     private void grantPermissions(PackageParser.Package pkg, boolean replace,
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch
@ -0,0 +1,51 @@
+From 6ef61fd6f745b9709269d3612a3a4eea2250ebec Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 11:23:07 -0400
+Subject: [PATCH] add a NETWORK permission group for INTERNET
+
+---
+ core/res/AndroidManifest.xml    | 10 ++++++++++
+ core/res/res/values/strings.xml |  5 +++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index d0449dfc4f57..822cf1166539 100644
+--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
+@@ -1342,10 +1342,20 @@
+     <!-- ======================================= -->
+     <eat-comment />
+ 
+    <!-- Network access
+         @hide
+    -->
+    <permission-group android:name="android.permission-group.NETWORK"
+        android:icon="@drawable/perm_group_network"
+        android:label="@string/permgrouplab_network"
+        android:description="@string/permgroupdesc_network"
+        android:priority="900" />
+
+     <!-- Allows applications to open network sockets.
+          <p>Protection level: normal
+     -->
+     <permission android:name="android.permission.INTERNET"
+        android:permissionGroup="android.permission-group.NETWORK"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+         android:protectionLevel="dangerous|instant" />
+diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
+index f6600462ea74..a79fa8e95b6e 100644
+--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
+@@ -747,6 +747,11 @@
+     <string name="permgrouprequest_sensors">Allow
+         &lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+ 
+    <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgrouplab_network">Network</string>
+    <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgroupdesc_network">network access</string>
+
+     <!-- Title for the capability of an accessibility service to retrieve window content. -->
+     <string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
+     <!-- Description for the capability of an accessibility service to retrieve window content. -->
--- a/Patches/LineageOS-16.0/android_libcore/0001-Network_Permission.patch
+++ b/Patches/LineageOS-16.0/android_libcore/0001-Network_Permission.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 21:10:51 +0200
+Subject: [PATCH] don't throw SecurityException when INTERNET permission is
+ revoked
+
+---
+ ojluni/src/main/java/java/net/Inet6AddressImpl.java | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+index 1edfe344ce..2176973b44 100644
+--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+@@ -143,15 +143,7 @@ class Inet6AddressImpl implements InetAddressImpl {
+             addressCache.put(host, netId, addresses);
+             return addresses;
+         } catch (GaiException gaiException) {
+-            // If the failure appears to have been a lack of INTERNET permission, throw a clear
+-            // SecurityException to aid in debugging this common mistake.
+-            // http://code.google.com/p/android/issues/detail?id=15722
+-            if (gaiException.getCause() instanceof ErrnoException) {
+-                if (((ErrnoException) gaiException.getCause()).errno == EACCES) {
+-                    throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
+-                }
+-            }
+-            // Otherwise, throw an UnknownHostException.
+            // Throw an UnknownHostException.
+             String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
+             addressCache.putUnknownHost(host, netId, detailMessage);
+             throw gaiException.rethrowAsUnknownHostException(detailMessage);
--- a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch
@ -0,0 +1,48 @@
+From 880011e7af233249e1b70177daa3cd786574bc85 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 22 Jul 2017 21:43:50 -0400
+Subject: [PATCH] always treat INTERNET as a runtime permission
+
+---
+ .../permission/model/AppPermissionGroup.java               | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+index aafce8df5..e6087de4c 100644
+--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+@@ -26,6 +26,7 @@
+ import android.content.pm.PackageManager;
+ import android.content.pm.PermissionGroupInfo;
+ import android.content.pm.PermissionInfo;
+import android.Manifest;
+ import android.os.Build;
+ import android.os.Process;
+ import android.os.UserHandle;
+@@ -338,7 +339,7 @@ public boolean areRuntimePermissionsGranted(String[] filterPermissions) {
+                     && !ArrayUtils.contains(filterPermissions, permission.getName())) {
+                 continue;
+             }
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 if (permission.isGranted()) {
+                     return true;
+                 }
+@@ -371,7 +372,7 @@ public boolean grantRuntimePermissions(boolean fixedByTheUser, String[] filterPe
+                 continue;
+             }
+ 
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     return false;
+@@ -473,7 +474,7 @@ public boolean revokeRuntimePermissions(boolean fixedByTheUser, String[] filterP
+                 continue;
+             }
+ 
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     return false;
--- a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch
@ -0,0 +1,23 @@
+From c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 10:29:15 -0400
+Subject: [PATCH] add NETWORK permission group
+
+---
+ src/com/android/packageinstaller/permission/utils/Utils.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
+index 85a102831..423b319ee 100644
+--- a/src/com/android/packageinstaller/permission/utils/Utils.java
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java
+@@ -51,7 +51,8 @@
+             Manifest.permission_group.SMS,
+             Manifest.permission_group.PHONE,
+             Manifest.permission_group.MICROPHONE,
+-            Manifest.permission_group.STORAGE
+            Manifest.permission_group.STORAGE,
+            Manifest.permission_group.NETWORK
+     };
+ 
+     private static final Intent LAUNCHER_INTENT = new Intent(Intent.ACTION_MAIN, null)
--- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
@ -26,7 +26,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
 create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java

 diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
-index 53dca0e6e7..dee07db2b4 100644
+index e78bbea120..54e2864c9a 100644
 --- a/res/values-de/cm_strings.xml
 +++ b/res/values-de/cm_strings.xml
@@ -308,4 +308,7 @@
--- a/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
+++ b/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 6 Aug 2017 08:19:36 -0400
+Subject: [PATCH] remove legacy NETWORK permission group reference
+
+---
+ AndroidManifest.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/AndroidManifest.xml b/AndroidManifest.xml
+index 302a58e5..65f38e86 100644
+--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
+@@ -29,7 +29,6 @@
+ 
+     <!-- Allows to queue downloads without a notification shown while the download runs. -->
+     <permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
+-        android:permissionGroup="android.permission-group.NETWORK"
+         android:label="@string/permlab_downloadWithoutNotification"
+         android:description="@string/permdesc_downloadWithoutNotification"
+         android:protectionLevel="normal"/>
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch
@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 08:42:55 -0400
+Subject: [PATCH] support new special runtime permissions
+
+These are treated as a runtime permission even for legacy apps. They
+need to be granted by default for all apps to maintain compatibility.
+---
+ .../server/pm/PackageManagerService.java      |  3 ++-
+ .../permission/PermissionManagerService.java  | 23 +++++++++++++++----
+ 2 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index edaa60f4b09e..834a6b0d5260 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -20162,7 +20162,8 @@ public class PackageManagerService extends IPackageManager.Stub
+             }
+ 
+             // If this permission was granted by default, make sure it is.
+-            if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
+            if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+                    || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
+                 mPermissionManager.grantRuntimePermission(permName, packageName, false,
+                         Process.SYSTEM_UID, userId, delayingPermCallback);
+                 // Allow app op later as we are holding mPackages
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index 82f963e1df2a..293bdc7ba197 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -984,6 +984,10 @@ public class PermissionManagerService {
+         }
+     }
+ 
+    public static boolean isSpecialRuntimePermission(final String permission) {
+        return false;
+    }
+
+     /**
+      * Restore the permission state for a package.
+      *
+@@ -1277,6 +1281,14 @@ public class PermissionManagerService {
+                                             }
+                                         }
+                                     }
+
+                                    if (isSpecialRuntimePermission(bp.name) &&
+                                            origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+                                        if (permissionsState.grantRuntimePermission(bp, userId)
+                                                != PERMISSION_OPERATION_FAILURE) {
+                                            wasChanged = true;
+                                        }
+                                    }
+                                 } else {
+                                     if (permState == null) {
+                                         // New permission
+@@ -1410,7 +1422,7 @@ public class PermissionManagerService {
+                                              wasChanged = true;
+                                         }
+                                     }
+-                                } else {
+				} else {
+                                     if (!permissionsState.hasRuntimePermission(bp.name, userId)
+                                             && permissionsState.grantRuntimePermission(bp,
+                                                     userId) != PERMISSION_OPERATION_FAILURE) {
+@@ -2183,7 +2195,7 @@ public class PermissionManagerService {
+                     && (grantedPermissions == null
+                            || ArrayUtils.contains(grantedPermissions, permission))) {
+                 final int flags = permissionsState.getPermissionFlags(permission, userId);
+-                if (supportsRuntimePermissions) {
+                if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
+                     // Installer cannot change immutable permissions.
+                     if ((flags & immutableFlags) == 0) {
+                         grantRuntimePermission(permission, pkg.packageName, false, callingUid,
+@@ -2242,7 +2254,7 @@ public class PermissionManagerService {
+         // to keep the review required permission flag per user while an
+         // install permission's state is shared across all users.
+         if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
+                && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
+             return;
+         }
+ 
+@@ -2294,7 +2306,8 @@ public class PermissionManagerService {
+                     + permName + " for package " + packageName);
+         }
+ 
+-        if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
+        if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+                && !isSpecialRuntimePermission(permName)) {
+             Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
+             return;
+         }
+@@ -2381,7 +2394,7 @@ public class PermissionManagerService {
+         // to keep the review required permission flag per user while an
+         // install permission's state is shared across all users.
+         if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
+                && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
+             return;
+         }
+ 
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-2.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-2.patch
@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 17 Mar 2019 11:59:15 -0400
+Subject: [PATCH] make INTERNET into a special runtime permission
+
+---
+ core/res/AndroidManifest.xml                                    | 2 +-
+ .../android/server/pm/permission/PermissionManagerService.java  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index 7bcd7a048db4..571099f059c8 100644
+--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
+@@ -1539,7 +1539,7 @@
+     <permission android:name="android.permission.INTERNET"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+-        android:protectionLevel="normal|instant" />
+        android:protectionLevel="dangerous|instant" />
+ 
+     <!-- Allows applications to access information about networks.
+          <p>Protection level: normal
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index 293bdc7ba197..3a71bc8d015b 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -985,7 +985,7 @@ public class PermissionManagerService {
+     }
+ 
+     public static boolean isSpecialRuntimePermission(final String permission) {
+-        return false;
+        return Manifest.permission.INTERNET.equals(permission);
+     }
+ 
+     /**
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-3.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-3.patch
@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 11:23:07 -0400
+Subject: [PATCH] add a NETWORK permission group for INTERNET
+
+---
+ api/current.txt                 | 1 +
+ core/res/AndroidManifest.xml    | 8 ++++++++
+ core/res/res/values/strings.xml | 5 +++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/api/current.txt b/api/current.txt
+index cd78602d9cd9..b99634c11742 100644
+--- a/api/current.txt
+++ b/api/current.txt
+@@ -176,6 +176,7 @@ package android {
+     field public static final String CONTACTS = "android.permission-group.CONTACTS";
+     field public static final String LOCATION = "android.permission-group.LOCATION";
+     field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+    field public static final String NETWORK = "android.permission-group.NETWORK";
+     field public static final String PHONE = "android.permission-group.PHONE";
+     field public static final String SENSORS = "android.permission-group.SENSORS";
+     field public static final String SMS = "android.permission-group.SMS";
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index 571099f059c8..b51e4f21454b 100644
+--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
+@@ -1533,10 +1533,18 @@
+     <!-- ======================================= -->
+     <eat-comment />
+ 
+    <!-- Network access -->
+    <permission-group android:name="android.permission-group.NETWORK"
+        android:icon="@drawable/perm_group_network"
+        android:label="@string/permgrouplab_network"
+        android:description="@string/permgroupdesc_network"
+        android:priority="900" />
+
+     <!-- Allows applications to open network sockets.
+          <p>Protection level: normal
+     -->
+     <permission android:name="android.permission.INTERNET"
+        android:permissionGroup="android.permission-group.UNDEFINED"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+         android:protectionLevel="dangerous|instant" />
+diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
+index e2afd1e1e0cc..2cf2b923ef90 100644
+--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
+@@ -792,6 +792,11 @@
+     <string name="permgrouprequest_sensors">Allow
+         &lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+ 
+    <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgrouplab_network">Network</string>
+    <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgroupdesc_network">access the network</string>
+
+     <!-- Title for the capability of an accessibility service to retrieve window content. -->
+     <string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
+     <!-- Description for the capability of an accessibility service to retrieve window content. -->
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-4.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-4.patch
@ -0,0 +1,111 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zoraver Kang <zkang@wpi.edu>
+Date: Mon, 16 Sep 2019 16:41:30 -0400
+Subject: [PATCH] Enforce INTERNET as a runtime permission.
+
+---
+ .../connectivity/PermissionMonitor.java       | 59 ++++++++++++-------
+ 1 file changed, 39 insertions(+), 20 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+index 56f4959a9714..0b2012fa759a 100644
+--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
+ import static android.os.Process.SYSTEM_UID;
+ 
+ import android.annotation.NonNull;
+import android.annotation.UserIdInt;
+ import android.content.Context;
+ import android.content.pm.ApplicationInfo;
+ import android.content.pm.PackageInfo;
+@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
+ import com.android.internal.util.IndentingPrintWriter;
+ import com.android.server.LocalServices;
+ import com.android.server.SystemConfig;
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
+ 
+ import java.util.ArrayList;
+ import java.util.Collection;
+@@ -80,6 +82,7 @@ public class PermissionMonitor {
+     private static final int VERSION_Q = Build.VERSION_CODES.Q;
+ 
+     private final PackageManager mPackageManager;
+    private final PackageManagerInternal mPackageManagerInternal;
+     private final UserManager mUserManager;
+     private final INetd mNetd;
+ 
+@@ -104,26 +107,6 @@ public class PermissionMonitor {
+ 
+     private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
+ 
+-        private int getPermissionForUid(int uid) {
+-            int permission = 0;
+-            // Check all the packages for this UID. The UID has the permission if any of the
+-            // packages in it has the permission.
+-            String[] packages = mPackageManager.getPackagesForUid(uid);
+-            if (packages != null && packages.length > 0) {
+-                for (String name : packages) {
+-                    final PackageInfo app = getPackageInfo(name);
+-                    if (app != null && app.requestedPermissions != null) {
+-                        permission |= getNetdPermissionMask(app.requestedPermissions,
+-                              app.requestedPermissionsFlags);
+-                    }
+-                }
+-            } else {
+-                // The last package of this uid is removed from device. Clean the package up.
+-                permission = INetd.PERMISSION_UNINSTALLED;
+-            }
+-            return permission;
+-        }
+-
+         @Override
+         public void onPackageAdded(String packageName, int uid) {
+             sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+@@ -140,10 +123,46 @@ public class PermissionMonitor {
+         }
+     }
+ 
+    private int getPermissionForUid(int uid) {
+        int permission = 0;
+        // Check all the packages for this UID. The UID has the permission if any of the
+        // packages in it has the permission.
+        String[] packages = mPackageManager.getPackagesForUid(uid);
+        if (packages != null && packages.length > 0) {
+            for (String name : packages) {
+                final PackageInfo app = getPackageInfo(name);
+                if (app != null && app.requestedPermissions != null) {
+                    permission |= getNetdPermissionMask(app.requestedPermissions,
+                          app.requestedPermissionsFlags);
+                }
+            }
+        } else {
+            // The last package of this uid is removed from device. Clean the package up.
+            permission = INetd.PERMISSION_UNINSTALLED;
+        }
+        return permission;
+    }
+
+    // implements OnRuntimePermissionStateChangedListener
+    private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+            @UserIdInt int userId) {
+        // userId is _not_ uid
+        int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+        sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+    }
+
+     public PermissionMonitor(Context context, INetd netd) {
+         mPackageManager = context.getPackageManager();
+         mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
+         mNetd = netd;
+
+        mPackageManagerInternal = LocalServices.getService(
+                PackageManagerInternal.class);
+
+        final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
+                PermissionManagerServiceInternal.class);
+        permManagerInternal.addOnRuntimePermissionStateChangedListener(
+                this::enforceINTERNETAsRuntimePermission);
+     }
+ 
+     // Intended to be called only once at startup, after the system is ready. Installs a broadcast
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-5.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-5.patch
@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: pratyush <codelab@pratyush.dev>
+Date: Sun, 25 Apr 2021 07:04:03 +0530
+Subject: [PATCH] fix INTERNET enforcement for secondary users
+
+This code was not specifying the profile for the app so it wasn't
+working properly with INTERNET as a runtime permission.
+---
+ .../connectivity/PermissionMonitor.java       | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+index 0b2012fa759a..827dd3a3493d 100644
+--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+@@ -130,7 +130,8 @@ public class PermissionMonitor {
+         String[] packages = mPackageManager.getPackagesForUid(uid);
+         if (packages != null && packages.length > 0) {
+             for (String name : packages) {
+-                final PackageInfo app = getPackageInfo(name);
+                int userId = UserHandle.getUserId(uid);
+                final PackageInfo app = getPackageInfo(name, userId);
+                 if (app != null && app.requestedPermissions != null) {
+                     permission |= getNetdPermissionMask(app.requestedPermissions,
+                           app.requestedPermissionsFlags);
+@@ -147,7 +148,7 @@ public class PermissionMonitor {
+     private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+             @UserIdInt int userId) {
+         // userId is _not_ uid
+-        int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+        int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId);
+         sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+     }
+ 
+@@ -363,12 +364,13 @@ public class PermissionMonitor {
+     }
+ 
+     @VisibleForTesting
+-    protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
+    protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
+         if (currentPermission == SYSTEM) {
+             return currentPermission;
+         }
+         try {
+-            final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+            final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
+                    UserHandle.getUserId(uid));
+             final boolean isNetwork = hasNetworkPermission(app);
+             final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+             if (isNetwork || hasRestrictedPermission) {
+@@ -392,7 +394,7 @@ public class PermissionMonitor {
+     public synchronized void onPackageAdded(String packageName, int uid) {
+         // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+         // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+-        final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
+        final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
+         if (permission != mApps.get(uid)) {
+             mApps.put(uid, permission);
+ 
+@@ -444,7 +446,7 @@ public class PermissionMonitor {
+         String[] packages = mPackageManager.getPackagesForUid(uid);
+         if (packages != null && packages.length > 0) {
+             for (String name : packages) {
+-                permission = highestPermissionForUid(permission, name);
+                permission = highestPermissionForUid(permission, name, uid);
+                 if (permission == SYSTEM) {
+                     // An app with this UID still has the SYSTEM permission.
+                     // Therefore, this UID must already have the SYSTEM permission.
+@@ -484,11 +486,9 @@ public class PermissionMonitor {
+         return permissions;
+     }
+ 
+-    private PackageInfo getPackageInfo(String packageName) {
+    private PackageInfo getPackageInfo(String packageName, int userId) {
+         try {
+-            PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
+-                    | MATCH_ANY_USER);
+-            return app;
+            return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
+         } catch (NameNotFoundException e) {
+             return null;
+         }
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch
@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pratyush <codelab@pratyush.dev>
+Date: Thu, 12 Aug 2021 03:44:41 +0530
+Subject: [PATCH] send uid for each user instead of just owner/admin user
+
+---
+ .../connectivity/PermissionMonitor.java       | 83 +++++++++++--------
+ 1 file changed, 49 insertions(+), 34 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+index 827dd3a3493d..6fa9ea20a481 100644
+--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+@@ -132,7 +132,7 @@ public class PermissionMonitor {
+             for (String name : packages) {
+                 int userId = UserHandle.getUserId(uid);
+                 final PackageInfo app = getPackageInfo(name, userId);
+-                if (app != null && app.requestedPermissions != null) {
+                if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
+                     permission |= getNetdPermissionMask(app.requestedPermissions,
+                           app.requestedPermissionsFlags);
+                 }
+@@ -177,44 +177,45 @@ public class PermissionMonitor {
+         } else {
+             loge("failed to get the PackageManagerInternal service");
+         }
+-        List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
+-                | MATCH_ANY_USER);
+-        if (apps == null) {
+-            loge("No apps");
+-            return;
+-        }
+ 
+         SparseIntArray netdPermsUids = new SparseIntArray();
+ 
+-        for (PackageInfo app : apps) {
+-            int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+-            if (uid < 0) {
+-                continue;
+-            }
+-            mAllApps.add(UserHandle.getAppId(uid));
+-
+-            boolean isNetwork = hasNetworkPermission(app);
+-            boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+-
+-            if (isNetwork || hasRestrictedPermission) {
+-                Boolean permission = mApps.get(uid);
+-                // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+-                // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+-                if (permission == null || permission == NETWORK) {
+-                    mApps.put(uid, hasRestrictedPermission);
+-                }
+-            }
+-
+-            //TODO: unify the management of the permissions into one codepath.
+-            int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+-                    app.requestedPermissionsFlags);
+-            netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+-        }
+-
+         List<UserInfo> users = mUserManager.getUsers(true);  // exclude dying users
+         if (users != null) {
+             for (UserInfo user : users) {
+                 mUsers.add(user.id);
+
+                List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
+                if (apps == null) {
+                    loge("No apps");
+                    continue;
+                }
+
+                for (PackageInfo app : apps) {
+                    int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+                    if (uid < 0) {
+                        continue;
+                    }
+                    mAllApps.add(UserHandle.getAppId(uid));
+
+                    boolean isNetwork = hasNetworkPermission(app);
+                    boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+
+                    if (isNetwork || hasRestrictedPermission) {
+                        Boolean permission = mApps.get(uid);
+                        // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+                        // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+                        if (permission == null || permission == NETWORK) {
+                            mApps.put(uid, hasRestrictedPermission);
+                        }
+                    }
+
+                    //TODO: unify the management of the permissions into one codepath.
+                    int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+                            app.requestedPermissionsFlags);
+                    netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+                }
+
+             }
+         }
+ 
+@@ -307,9 +308,23 @@ public class PermissionMonitor {
+         List<Integer> network = new ArrayList<>();
+         List<Integer> system = new ArrayList<>();
+         for (Entry<Integer, Boolean> app : apps.entrySet()) {
+-            List<Integer> list = app.getValue() ? system : network;
+             for (int user : users) {
+-                list.add(UserHandle.getUid(user, app.getKey()));
+                int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
+                if (uid < 0) continue;
+                String[] packages = mPackageManager.getPackagesForUid(uid);
+                if (packages == null) continue;
+                for (String pkg : packages) {
+                    PackageInfo info = getPackageInfo(pkg, user);
+                    if (info != null && info.applicationInfo.uid == uid) {
+                        boolean isNetwork = hasNetworkPermission(info);
+                        boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
+
+                        if (isNetwork || hasRestrictedPermission) {
+                            List<Integer> list = hasRestrictedPermission ? system : network;
+                            list.add(UserHandle.getUid(user, app.getKey()));
+                        }
+                    }
+                }
+             }
+         }
+         try {
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-7.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-7.patch
@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 18:17:11 +0200
+Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
+
+---
+ core/java/android/net/ConnectivityManager.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
+index 12102a140947..21661609ff72 100644
+--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
+@@ -17,6 +17,7 @@ package android.net;
+ 
+ import static android.net.IpSecManager.INVALID_RESOURCE_ID;
+ 
+import android.Manifest;
+ import android.annotation.CallbackExecutor;
+ import android.annotation.IntDef;
+ import android.annotation.NonNull;
+@@ -31,6 +32,7 @@ import android.annotation.UnsupportedAppUsage;
+ import android.app.PendingIntent;
+ import android.content.Context;
+ import android.content.Intent;
+import android.content.pm.PackageManager;
+ import android.net.IpSecManager.UdpEncapsulationSocket;
+ import android.net.SocketKeepalive.Callback;
+ import android.os.Binder;
+@@ -3054,6 +3056,12 @@ public class ConnectivityManager {
+      */
+     public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
+         printStackTrace();
+        if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
+            // ConnectivityService enforces this by throwing an unexpected SecurityException,
+            // which puts GMS into a crash loop. Also useful for other apps that don't expect that
+            // INTERNET permission might get revoked.
+            return;
+        }
+         try {
+             mService.reportNetworkConnectivity(network, hasConnectivity);
+         } catch (RemoteException e) {
--- a/Patches/LineageOS-17.1/android_libcore/0003-Network_Permission.patch
+++ b/Patches/LineageOS-17.1/android_libcore/0003-Network_Permission.patch
@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 21:10:51 +0200
+Subject: [PATCH] don't throw SecurityException when INTERNET permission is
+ revoked
+
+---
+ ojluni/src/main/java/java/net/Inet6AddressImpl.java | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+index bb722f3df2..212f8b50ef 100644
+--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+@@ -141,16 +141,7 @@ class Inet6AddressImpl implements InetAddressImpl {
+             addressCache.put(host, netId, addresses);
+             return addresses;
+         } catch (GaiException gaiException) {
+-            // If the failure appears to have been a lack of INTERNET permission, throw a clear
+-            // SecurityException to aid in debugging this common mistake.
+-            // http://code.google.com/p/android/issues/detail?id=15722
+-            if (gaiException.getCause() instanceof ErrnoException) {
+-                int errno = ((ErrnoException) gaiException.getCause()).errno;
+-                if (errno == EACCES || errno == EPERM) {
+-                    throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
+-                }
+-            }
+-            // Otherwise, throw an UnknownHostException.
+            // Throw an UnknownHostException.
+             String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
+             addressCache.putUnknownHost(host, netId, detailMessage);
+             throw gaiException.rethrowAsUnknownHostException(detailMessage);
--- a/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Network_Permission-1.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Network_Permission-1.patch
@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 22 Jul 2017 21:43:50 -0400
+Subject: [PATCH] always treat INTERNET as a runtime permission
+
+---
+ .../permission/model/AppPermissionGroup.java                 | 5 +++--
+ .../packageinstaller/permission/model/Permission.java        | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+index da5277777..c9fa2ca3e 100644
+--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+@@ -33,6 +33,7 @@ import android.content.pm.PackageManager;
+ import android.content.pm.PackageManager.NameNotFoundException;
+ import android.content.pm.PermissionGroupInfo;
+ import android.content.pm.PermissionInfo;
+import android.Manifest;
+ import android.os.Build;
+ import android.os.UserHandle;
+ import android.permission.PermissionManager;
+@@ -785,7 +786,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
+ 
+             boolean wasGranted = permission.isGrantedIncludingAppOp();
+ 
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     wasAllGranted = false;
+@@ -962,7 +963,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
+                 break;
+             }
+ 
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Revoke the permission if needed.
+                 if (permission.isGranted()) {
+                     permission.setGranted(false);
+diff --git a/src/com/android/packageinstaller/permission/model/Permission.java b/src/com/android/packageinstaller/permission/model/Permission.java
+index 463c34795..c2ec88902 100644
+--- a/src/com/android/packageinstaller/permission/model/Permission.java
+++ b/src/com/android/packageinstaller/permission/model/Permission.java
+@@ -18,6 +18,7 @@ package com.android.packageinstaller.permission.model;
+ 
+ import android.content.pm.PackageManager;
+ import android.content.pm.PermissionInfo;
+import android.Manifest;
+ 
+ import androidx.annotation.NonNull;
+ 
+@@ -136,7 +137,7 @@ public final class Permission {
+      * @return {@code true} if the permission (and the app-op) is granted.
+      */
+     public boolean isGrantedIncludingAppOp() {
+-        return mGranted && (!affectsAppOp() || isAppOpAllowed()) && !isReviewRequired();
+        return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
+     }
+ 
+     public boolean isReviewRequired() {
--- a/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Network_Permission-2.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Network_Permission-2.patch
@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 10:29:15 -0400
+Subject: [PATCH] add INTERNET permission toggle
+
+---
+ src/com/android/packageinstaller/permission/utils/Utils.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
+index b7be30dcc..162b15f37 100644
+--- a/src/com/android/packageinstaller/permission/utils/Utils.java
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java
+@@ -24,6 +24,7 @@ import static android.Manifest.permission_group.CAMERA;
+ import static android.Manifest.permission_group.CONTACTS;
+ import static android.Manifest.permission_group.LOCATION;
+ import static android.Manifest.permission_group.MICROPHONE;
+import static android.Manifest.permission_group.NETWORK;
+ import static android.Manifest.permission_group.PHONE;
+ import static android.Manifest.permission_group.SENSORS;
+ import static android.Manifest.permission_group.SMS;
+@@ -173,6 +174,8 @@ public final class Utils {
+ 
+         PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS);
+ 
+        PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+
+         PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
+         int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
+         for (int i = 0; i < numPlatformPermissions; i++) {
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
@ -29,7 +29,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
 create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java

 diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
-index ebb53e1237..970b7c9086 100644
+index d1ed0c6863..7ab4de0561 100644
 --- a/res/values-de/cm_strings.xml
 +++ b/res/values-de/cm_strings.xml
@@ -112,4 +112,7 @@
--- a/Patches/LineageOS-17.1/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
+++ b/Patches/LineageOS-17.1/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 6 Aug 2017 08:19:36 -0400
+Subject: [PATCH] remove legacy NETWORK permission group reference
+
+---
+ AndroidManifest.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/AndroidManifest.xml b/AndroidManifest.xml
+index 302a58e5..65f38e86 100644
+--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
+@@ -29,7 +29,6 @@
+ 
+     <!-- Allows to queue downloads without a notification shown while the download runs. -->
+     <permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
+-        android:permissionGroup="android.permission-group.NETWORK"
+         android:label="@string/permlab_downloadWithoutNotification"
+         android:description="@string/permdesc_downloadWithoutNotification"
+         android:protectionLevel="normal"/>
--- a/Patches/LineageOS-17.1/android_system_netd/0001-Network_Permission.patch
+++ b/Patches/LineageOS-17.1/android_system_netd/0001-Network_Permission.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pratyush <codelab@pratyush.dev>
+Date: Thu, 12 Aug 2021 00:15:25 +0530
+Subject: [PATCH] use uid instead of app id for tracking INTERNET permission
+
+Change-Id: Ibec846480f3b440b5a323c86efa95c2fd1d81284
+---
+ bpf_progs/netd.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
+index 1362be25..69b618f8 100644
+--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
+@@ -74,14 +74,8 @@ DEFINE_BPF_MAP(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE)
+ SEC("cgroupsock/inet/create")
+ int inet_socket_create(struct bpf_sock* sk) {
+     uint64_t gid_uid = bpf_get_current_uid_gid();
+-    /*
+-     * A given app is guaranteed to have the same app ID in all the profiles in
+-     * which it is installed, and install permission is granted to app for all
+-     * user at install time so we only check the appId part of a request uid at
+-     * run time. See UserHandle#isSameApp for detail.
+-     */
+-    uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
+-    uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
+    uint32_t uid = (gid_uid & 0xffffffff);
+    uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&uid);
+     if (!permissions) {
+         // UID not in map. Default to just INTERNET permission.
+         return 1;
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-1.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-1.patch
@ -0,0 +1,95 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: inthewaves <inthewaves@pm.me>
+Date: Sat, 12 Sep 2020 12:28:34 -0700
+Subject: [PATCH] support new special runtime permissions
+
+These are treated as a runtime permission even for legacy apps. They
+need to be granted by default for all apps to maintain compatibility.
+
+Ported from 10: 4d5d82f4e2fb9ff68158bf30f3944591bb74dd04
+
+Changes from 10:
+- It seems like parts of PackageManagerService#resetUserChangesToRuntimePermissionsAndFlagsLPw
+were refactored into PermissionManagerService#resetRuntimePermissionsInternal.
+As a result, PackageManagerService is no longer modified.
+---
+ .../permission/PermissionManagerService.java  | 24 +++++++++++++++----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index 8d2363b6e831..26b959879084 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -1461,7 +1461,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+         // to keep the review required permission flag per user while an
+         // install permission's state is shared across all users.
+         if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
+                && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
+             return;
+         }
+ 
+@@ -1513,7 +1513,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+                     + permName + " for package " + packageName);
+         }
+ 
+-        if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M) {
+        if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
+                && !isSpecialRuntimePermission(permName)) {
+             Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
+             return;
+         }
+@@ -1623,7 +1624,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+         // to keep the review required permission flag per user while an
+         // install permission's state is shared across all users.
+         if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
+                && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
+             return;
+         }
+ 
+@@ -1847,7 +1848,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+ 
+             // If this permission was granted by default or role, make sure it is.
+             if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+-                    || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0) {
+                    || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
+                    || isSpecialRuntimePermission(bp.getName())) {
+                 // PermissionPolicyService will handle the app op for runtime permissions later.
+                 grantRuntimePermissionInternal(permName, packageName, false,
+                         Process.SYSTEM_UID, userId, delayingPermCallback);
+@@ -2606,6 +2608,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+         }
+     }
+ 
+    public static boolean isSpecialRuntimePermission(final String permission) {
+        return false;
+    }
+
+     /**
+      * Restore the permission state for a package.
+      *
+@@ -2952,6 +2958,14 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+                                             }
+                                         }
+                                     }
+
+                                    if (isSpecialRuntimePermission(bp.name) &&
+                                            origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+                                        if (permissionsState.grantRuntimePermission(bp, userId)
+                                                != PERMISSION_OPERATION_FAILURE) {
+                                            wasChanged = true;
+                                        }
+                                    }
+                                 } else {
+                                     if (permState == null) {
+                                         // New permission
+@@ -3907,7 +3921,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+                     && (grantedPermissions == null
+                            || ArrayUtils.contains(grantedPermissions, permission))) {
+                 final int flags = permissionsState.getPermissionFlags(permission, userId);
+-                if (supportsRuntimePermissions) {
+                if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
+                     // Installer cannot change immutable permissions.
+                     if ((flags & immutableFlags) == 0) {
+                         grantRuntimePermissionInternal(permission, pkg.getPackageName(), false,
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-2.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-2.patch
@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 17 Mar 2019 11:59:15 -0400
+Subject: [PATCH] make INTERNET into a special runtime permission
+
+Ported from 10: 5e2898e9d21dd6802bb0b0139e7e496c41e1cd80
+---
+ core/res/AndroidManifest.xml                                    | 2 +-
+ .../android/server/pm/permission/PermissionManagerService.java  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index ee428371a016..0eff7ae9a0cd 100644
+--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
+@@ -1607,7 +1607,7 @@
+     <permission android:name="android.permission.INTERNET"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+-        android:protectionLevel="normal|instant" />
+        android:protectionLevel="dangerous|instant" />
+ 
+     <!-- Allows applications to access information about networks.
+          <p>Protection level: normal
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index 26b959879084..9e6ecc739ffe 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -2609,7 +2609,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+     }
+ 
+     public static boolean isSpecialRuntimePermission(final String permission) {
+-        return false;
+        return Manifest.permission.INTERNET.equals(permission);
+     }
+ 
+     /**
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-3.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-3.patch
@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 11:23:07 -0400
+Subject: [PATCH] add a NETWORK permission group for INTERNET
+
+Ported from 10: b5c9f9407d5f5407686ea8c02fa67573ddc07824
+
+Changes from 10:
+- Needed to run `m api-stubs-docs-non-updatable-update-current-api`
+to fix the "You have tried to change the API from what has been
+previously approved" errors.
+---
+ api/current.txt                 | 1 +
+ core/res/AndroidManifest.xml    | 8 ++++++++
+ core/res/res/values/strings.xml | 5 +++++
+ non-updatable-api/current.txt   | 1 +
+ 4 files changed, 15 insertions(+)
+
+diff --git a/api/current.txt b/api/current.txt
+index 952ccdad992c..728c0e95ca6d 100644
+--- a/api/current.txt
+++ b/api/current.txt
+@@ -184,6 +184,7 @@ package android {
+     field public static final String CONTACTS = "android.permission-group.CONTACTS";
+     field public static final String LOCATION = "android.permission-group.LOCATION";
+     field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+    field public static final String NETWORK = "android.permission-group.NETWORK";
+     field public static final String PHONE = "android.permission-group.PHONE";
+     field public static final String SENSORS = "android.permission-group.SENSORS";
+     field public static final String SMS = "android.permission-group.SMS";
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index 0eff7ae9a0cd..00351c340a1a 100644
+--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
+@@ -1601,10 +1601,18 @@
+     <!-- ======================================= -->
+     <eat-comment />
+ 
+    <!-- Network access -->
+    <permission-group android:name="android.permission-group.NETWORK"
+        android:icon="@drawable/perm_group_network"
+        android:label="@string/permgrouplab_network"
+        android:description="@string/permgroupdesc_network"
+        android:priority="900" />
+
+     <!-- Allows applications to open network sockets.
+          <p>Protection level: normal
+     -->
+     <permission android:name="android.permission.INTERNET"
+        android:permissionGroup="android.permission-group.UNDEFINED"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+         android:protectionLevel="dangerous|instant" />
+diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
+index 5c659123b027..7f114cf9b6b4 100644
+--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
+@@ -804,6 +804,11 @@
+     <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+     <string name="permgroupdesc_sensors">access sensor data about your vital signs</string>
+ 
+    <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgrouplab_network">Network</string>
+    <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgroupdesc_network">access the network</string>
+
+     <!-- Title for the capability of an accessibility service to retrieve window content. -->
+     <string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
+     <!-- Description for the capability of an accessibility service to retrieve window content. -->
+diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
+index 5f15216e8400..189544f98594 100644
+--- a/non-updatable-api/current.txt
+++ b/non-updatable-api/current.txt
+@@ -184,6 +184,7 @@ package android {
+     field public static final String CONTACTS = "android.permission-group.CONTACTS";
+     field public static final String LOCATION = "android.permission-group.LOCATION";
+     field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+    field public static final String NETWORK = "android.permission-group.NETWORK";
+     field public static final String PHONE = "android.permission-group.PHONE";
+     field public static final String SENSORS = "android.permission-group.SENSORS";
+     field public static final String SMS = "android.permission-group.SMS";
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-4.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-4.patch
@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zoraver Kang <zkang@wpi.edu>
+Date: Mon, 16 Sep 2019 16:41:30 -0400
+Subject: [PATCH] Enforce INTERNET as a runtime permission.
+
+Ported from 10: 69f726bc4219a7acea0319ae8d4b5fda48cd9861
+---
+ .../connectivity/PermissionMonitor.java       | 59 ++++++++++++-------
+ 1 file changed, 39 insertions(+), 20 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+index f0b7150dd84f..41c013b4b197 100644
+--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
+ import static android.os.Process.SYSTEM_UID;
+ 
+ import android.annotation.NonNull;
+import android.annotation.UserIdInt;
+ import android.content.Context;
+ import android.content.pm.ApplicationInfo;
+ import android.content.pm.PackageInfo;
+@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
+ import com.android.internal.util.IndentingPrintWriter;
+ import com.android.server.LocalServices;
+ import com.android.server.SystemConfig;
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
+ 
+ import java.util.ArrayList;
+ import java.util.Collection;
+@@ -80,6 +82,7 @@ public class PermissionMonitor {
+     private static final int VERSION_Q = Build.VERSION_CODES.Q;
+ 
+     private final PackageManager mPackageManager;
+    private final PackageManagerInternal mPackageManagerInternal;
+     private final UserManager mUserManager;
+     private final INetd mNetd;
+ 
+@@ -104,26 +107,6 @@ public class PermissionMonitor {
+ 
+     private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
+ 
+-        private int getPermissionForUid(int uid) {
+-            int permission = 0;
+-            // Check all the packages for this UID. The UID has the permission if any of the
+-            // packages in it has the permission.
+-            String[] packages = mPackageManager.getPackagesForUid(uid);
+-            if (packages != null && packages.length > 0) {
+-                for (String name : packages) {
+-                    final PackageInfo app = getPackageInfo(name);
+-                    if (app != null && app.requestedPermissions != null) {
+-                        permission |= getNetdPermissionMask(app.requestedPermissions,
+-                              app.requestedPermissionsFlags);
+-                    }
+-                }
+-            } else {
+-                // The last package of this uid is removed from device. Clean the package up.
+-                permission = INetd.PERMISSION_UNINSTALLED;
+-            }
+-            return permission;
+-        }
+-
+         @Override
+         public void onPackageAdded(String packageName, int uid) {
+             sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+@@ -140,10 +123,46 @@ public class PermissionMonitor {
+         }
+     }
+ 
+    private int getPermissionForUid(int uid) {
+        int permission = 0;
+        // Check all the packages for this UID. The UID has the permission if any of the
+        // packages in it has the permission.
+        String[] packages = mPackageManager.getPackagesForUid(uid);
+        if (packages != null && packages.length > 0) {
+            for (String name : packages) {
+                final PackageInfo app = getPackageInfo(name);
+                if (app != null && app.requestedPermissions != null) {
+                    permission |= getNetdPermissionMask(app.requestedPermissions,
+                          app.requestedPermissionsFlags);
+                }
+            }
+        } else {
+            // The last package of this uid is removed from device. Clean the package up.
+            permission = INetd.PERMISSION_UNINSTALLED;
+        }
+        return permission;
+    }
+
+    // implements OnRuntimePermissionStateChangedListener
+    private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+            @UserIdInt int userId) {
+        // userId is _not_ uid
+        int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+        sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+    }
+
+     public PermissionMonitor(Context context, INetd netd) {
+         mPackageManager = context.getPackageManager();
+         mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
+         mNetd = netd;
+
+        mPackageManagerInternal = LocalServices.getService(
+                PackageManagerInternal.class);
+
+        final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
+                PermissionManagerServiceInternal.class);
+        permManagerInternal.addOnRuntimePermissionStateChangedListener(
+                this::enforceINTERNETAsRuntimePermission);
+     }
+ 
+     // Intended to be called only once at startup, after the system is ready. Installs a broadcast
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-5.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-5.patch
@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: pratyush <codelab@pratyush.dev>
+Date: Sun, 25 Apr 2021 07:04:03 +0530
+Subject: [PATCH] fix INTERNET enforcement for secondary users
+
+This code was not specifying the profile for the app so it wasn't
+working properly with INTERNET as a runtime permission.
+---
+ .../connectivity/PermissionMonitor.java       | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+index 41c013b4b197..09cd274cbb05 100644
+--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+@@ -130,7 +130,8 @@ public class PermissionMonitor {
+         String[] packages = mPackageManager.getPackagesForUid(uid);
+         if (packages != null && packages.length > 0) {
+             for (String name : packages) {
+-                final PackageInfo app = getPackageInfo(name);
+                int userId = UserHandle.getUserId(uid);
+                final PackageInfo app = getPackageInfo(name, userId);
+                 if (app != null && app.requestedPermissions != null) {
+                     permission |= getNetdPermissionMask(app.requestedPermissions,
+                           app.requestedPermissionsFlags);
+@@ -147,7 +148,7 @@ public class PermissionMonitor {
+     private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+             @UserIdInt int userId) {
+         // userId is _not_ uid
+-        int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+        int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId);
+         sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+     }
+ 
+@@ -364,12 +365,13 @@ public class PermissionMonitor {
+     }
+ 
+     @VisibleForTesting
+-    protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
+    protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
+         if (currentPermission == SYSTEM) {
+             return currentPermission;
+         }
+         try {
+-            final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+            final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
+                    UserHandle.getUserId(uid));
+             final boolean isNetwork = hasNetworkPermission(app);
+             final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+             if (isNetwork || hasRestrictedPermission) {
+@@ -393,7 +395,7 @@ public class PermissionMonitor {
+     public synchronized void onPackageAdded(String packageName, int uid) {
+         // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+         // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+-        final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
+        final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
+         if (permission != mApps.get(uid)) {
+             mApps.put(uid, permission);
+ 
+@@ -445,7 +447,7 @@ public class PermissionMonitor {
+         String[] packages = mPackageManager.getPackagesForUid(uid);
+         if (packages != null && packages.length > 0) {
+             for (String name : packages) {
+-                permission = highestPermissionForUid(permission, name);
+                permission = highestPermissionForUid(permission, name, uid);
+                 if (permission == SYSTEM) {
+                     // An app with this UID still has the SYSTEM permission.
+                     // Therefore, this UID must already have the SYSTEM permission.
+@@ -485,11 +487,9 @@ public class PermissionMonitor {
+         return permissions;
+     }
+ 
+-    private PackageInfo getPackageInfo(String packageName) {
+    private PackageInfo getPackageInfo(String packageName, int userId) {
+         try {
+-            PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
+-                    | MATCH_ANY_USER);
+-            return app;
+            return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
+         } catch (NameNotFoundException e) {
+             return null;
+         }
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-6.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-6.patch
@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pratyush <codelab@pratyush.dev>
+Date: Thu, 12 Aug 2021 03:44:41 +0530
+Subject: [PATCH] send uid for each user instead of just owner/admin user
+
+---
+ .../connectivity/PermissionMonitor.java       | 83 +++++++++++--------
+ 1 file changed, 49 insertions(+), 34 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+index 09cd274cbb05..ee0c531ef13e 100644
+--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+@@ -132,7 +132,7 @@ public class PermissionMonitor {
+             for (String name : packages) {
+                 int userId = UserHandle.getUserId(uid);
+                 final PackageInfo app = getPackageInfo(name, userId);
+-                if (app != null && app.requestedPermissions != null) {
+                if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
+                     permission |= getNetdPermissionMask(app.requestedPermissions,
+                           app.requestedPermissionsFlags);
+                 }
+@@ -177,44 +177,45 @@ public class PermissionMonitor {
+         } else {
+             loge("failed to get the PackageManagerInternal service");
+         }
+-        List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
+-                | MATCH_ANY_USER);
+-        if (apps == null) {
+-            loge("No apps");
+-            return;
+-        }
+ 
+         SparseIntArray netdPermsUids = new SparseIntArray();
+ 
+-        for (PackageInfo app : apps) {
+-            int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+-            if (uid < 0) {
+-                continue;
+-            }
+-            mAllApps.add(UserHandle.getAppId(uid));
+-
+-            boolean isNetwork = hasNetworkPermission(app);
+-            boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+-
+-            if (isNetwork || hasRestrictedPermission) {
+-                Boolean permission = mApps.get(uid);
+-                // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+-                // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+-                if (permission == null || permission == NETWORK) {
+-                    mApps.put(uid, hasRestrictedPermission);
+-                }
+-            }
+-
+-            //TODO: unify the management of the permissions into one codepath.
+-            int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+-                    app.requestedPermissionsFlags);
+-            netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+-        }
+-
+         List<UserInfo> users = mUserManager.getUsers(true);  // exclude dying users
+         if (users != null) {
+             for (UserInfo user : users) {
+                 mUsers.add(user.id);
+
+                List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
+                if (apps == null) {
+                    loge("No apps");
+                    continue;
+                }
+
+                for (PackageInfo app : apps) {
+                    int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+                    if (uid < 0) {
+                        continue;
+                    }
+                    mAllApps.add(UserHandle.getAppId(uid));
+
+                    boolean isNetwork = hasNetworkPermission(app);
+                    boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+
+                    if (isNetwork || hasRestrictedPermission) {
+                        Boolean permission = mApps.get(uid);
+                        // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+                        // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+                        if (permission == null || permission == NETWORK) {
+                            mApps.put(uid, hasRestrictedPermission);
+                        }
+                    }
+
+                    //TODO: unify the management of the permissions into one codepath.
+                    int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+                            app.requestedPermissionsFlags);
+                    netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+                }
+
+             }
+         }
+ 
+@@ -308,9 +309,23 @@ public class PermissionMonitor {
+         List<Integer> network = new ArrayList<>();
+         List<Integer> system = new ArrayList<>();
+         for (Entry<Integer, Boolean> app : apps.entrySet()) {
+-            List<Integer> list = app.getValue() ? system : network;
+             for (int user : users) {
+-                list.add(UserHandle.getUid(user, app.getKey()));
+                int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
+                if (uid < 0) continue;
+                String[] packages = mPackageManager.getPackagesForUid(uid);
+                if (packages == null) continue;
+                for (String pkg : packages) {
+                    PackageInfo info = getPackageInfo(pkg, user);
+                    if (info != null && info.applicationInfo.uid == uid) {
+                        boolean isNetwork = hasNetworkPermission(info);
+                        boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
+
+                        if (isNetwork || hasRestrictedPermission) {
+                            List<Integer> list = hasRestrictedPermission ? system : network;
+                            list.add(UserHandle.getUid(user, app.getKey()));
+                        }
+                    }
+                }
+             }
+         }
+         try {
--- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-7.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-7.patch
@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 18:17:11 +0200
+Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
+
+---
+ core/java/android/net/ConnectivityManager.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
+index 7df32c10b16b..a2b04f3e9540 100644
+--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
+@@ -17,6 +17,7 @@ package android.net;
+ 
+ import static android.net.IpSecManager.INVALID_RESOURCE_ID;
+ 
+import android.Manifest;
+ import android.annotation.CallbackExecutor;
+ import android.annotation.IntDef;
+ import android.annotation.NonNull;
+@@ -31,6 +32,7 @@ import android.app.PendingIntent;
+ import android.compat.annotation.UnsupportedAppUsage;
+ import android.content.Context;
+ import android.content.Intent;
+import android.content.pm.PackageManager;
+ import android.net.IpSecManager.UdpEncapsulationSocket;
+ import android.net.SocketKeepalive.Callback;
+ import android.net.TetheringManager.StartTetheringCallback;
+@@ -3047,6 +3049,12 @@ public class ConnectivityManager {
+      */
+     public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
+         printStackTrace();
+        if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
+            // ConnectivityService enforces this by throwing an unexpected SecurityException,
+            // which puts GMS into a crash loop. Also useful for other apps that don't expect that
+            // INTERNET permission might get revoked.
+            return;
+        }
+         try {
+             mService.reportNetworkConnectivity(network, hasConnectivity);
+         } catch (RemoteException e) {
--- a/Patches/LineageOS-18.1/android_libcore/0001-Network_Permission.patch
+++ b/Patches/LineageOS-18.1/android_libcore/0001-Network_Permission.patch
@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 21:10:51 +0200
+Subject: [PATCH] don't throw SecurityException when INTERNET permission is
+ revoked
+
+---
+ ojluni/src/main/java/java/net/Inet6AddressImpl.java | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+index 84bcf17eda..fda9674e08 100644
+--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+@@ -141,16 +141,7 @@ class Inet6AddressImpl implements InetAddressImpl {
+             addressCache.put(host, netId, addresses);
+             return addresses;
+         } catch (GaiException gaiException) {
+-            // If the failure appears to have been a lack of INTERNET permission, throw a clear
+-            // SecurityException to aid in debugging this common mistake.
+-            // http://code.google.com/p/android/issues/detail?id=15722
+-            if (gaiException.getCause() instanceof ErrnoException) {
+-                int errno = ((ErrnoException) gaiException.getCause()).errno;
+-                if (errno == EACCES || errno == EPERM) {
+-                    throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
+-                }
+-            }
+-            // Otherwise, throw an UnknownHostException.
+            // Throw an UnknownHostException.
+             String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
+             addressCache.putUnknownHost(host, netId, detailMessage);
+             throw gaiException.rethrowAsUnknownHostException(detailMessage);
--- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-1.patch
+++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-1.patch
@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 22 Jul 2017 21:43:50 -0400
+Subject: [PATCH] always treat INTERNET as a runtime permission
+
+ported from 10: 6c4f112dde47f21ce5a583f5bd8b217db6de5c02
+---
+ .../permission/model/AppPermissionGroup.java                 | 5 +++--
+ .../permissioncontroller/permission/model/Permission.java    | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+index aeb90811b..0399a1836 100644
+--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+@@ -34,6 +34,7 @@ import android.content.pm.PackageManager;
+ import android.content.pm.PackageManager.NameNotFoundException;
+ import android.content.pm.PermissionGroupInfo;
+ import android.content.pm.PermissionInfo;
+import android.Manifest;
+ import android.os.Build;
+ import android.os.UserHandle;
+ import android.permission.PermissionManager;
+@@ -872,7 +873,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
+ 
+             boolean wasGranted = permission.isGrantedIncludingAppOp();
+ 
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     wasAllGranted = false;
+@@ -1057,7 +1058,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
+                 break;
+             }
+ 
+-            if (mAppSupportsRuntimePermissions) {
+            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Revoke the permission if needed.
+                 if (permission.isGranted()) {
+                     permission.setGranted(false);
+diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java
+index 49381db2b..3af5241af 100644
+--- a/src/com/android/permissioncontroller/permission/model/Permission.java
+++ b/src/com/android/permissioncontroller/permission/model/Permission.java
+@@ -18,6 +18,7 @@ package com.android.permissioncontroller.permission.model;
+ 
+ import android.content.pm.PackageManager;
+ import android.content.pm.PermissionInfo;
+import android.Manifest;
+ 
+ import androidx.annotation.NonNull;
+ 
+@@ -137,7 +138,7 @@ public final class Permission {
+      * @return {@code true} if the permission (and the app-op) is granted.
+      */
+     public boolean isGrantedIncludingAppOp() {
+-        return mGranted && (!affectsAppOp() || isAppOpAllowed()) && !isReviewRequired();
+        return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
+     }
+ 
+     public boolean isReviewRequired() {
--- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-2.patch
+++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-2.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 10:29:15 -0400
+Subject: [PATCH] add INTERNET permission toggle
+
+ported from 10: a07271ed7e45239369f2ca33496d939d2e9cbd08
+---
+ .../android/permissioncontroller/permission/utils/Utils.java   | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
+index 65fdd590a..2f0dc3d21 100644
+--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
+@@ -25,6 +25,7 @@ import static android.Manifest.permission_group.CAMERA;
+ import static android.Manifest.permission_group.CONTACTS;
+ import static android.Manifest.permission_group.LOCATION;
+ import static android.Manifest.permission_group.MICROPHONE;
+import static android.Manifest.permission_group.NETWORK;
+ import static android.Manifest.permission_group.PHONE;
+ import static android.Manifest.permission_group.SENSORS;
+ import static android.Manifest.permission_group.SMS;
+@@ -209,6 +210,8 @@ public final class Utils {
+ 
+         PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS);
+ 
+        PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+
+         PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
+         int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
+         for (int i = 0; i < numPlatformPermissions; i++) {
--- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-3.patch
+++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-3.patch
@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: inthewaves <inthewaves@pm.me>
+Date: Sat, 12 Sep 2020 15:40:58 -0700
+Subject: [PATCH] refactor handling of special runtime permissions
+
+---
+ .../permission/model/AppPermissionGroup.java    |  5 ++---
+ .../permission/model/Permission.java            |  5 +++--
+ .../permission/utils/Utils.java                 | 17 +++++++++++++++++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+index 0399a1836..cb4eab9f7 100644
+--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+@@ -34,7 +34,6 @@ import android.content.pm.PackageManager;
+ import android.content.pm.PackageManager.NameNotFoundException;
+ import android.content.pm.PermissionGroupInfo;
+ import android.content.pm.PermissionInfo;
+-import android.Manifest;
+ import android.os.Build;
+ import android.os.UserHandle;
+ import android.permission.PermissionManager;
+@@ -873,7 +872,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
+ 
+             boolean wasGranted = permission.isGrantedIncludingAppOp();
+ 
+-            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+            if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     wasAllGranted = false;
+@@ -1058,7 +1057,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
+                 break;
+             }
+ 
+-            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+            if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) {
+                 // Revoke the permission if needed.
+                 if (permission.isGranted()) {
+                     permission.setGranted(false);
+diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java
+index 3af5241af..3f17de882 100644
+--- a/src/com/android/permissioncontroller/permission/model/Permission.java
+++ b/src/com/android/permissioncontroller/permission/model/Permission.java
+@@ -18,10 +18,11 @@ package com.android.permissioncontroller.permission.model;
+ 
+ import android.content.pm.PackageManager;
+ import android.content.pm.PermissionInfo;
+-import android.Manifest;
+ 
+ import androidx.annotation.NonNull;
+ 
+import com.android.permissioncontroller.permission.utils.Utils;
+
+ import java.util.ArrayList;
+ import java.util.Objects;
+ 
+@@ -138,7 +139,7 @@ public final class Permission {
+      * @return {@code true} if the permission (and the app-op) is granted.
+      */
+     public boolean isGrantedIncludingAppOp() {
+-        return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
+        return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Utils.isSpecialRuntimePermission(mName));
+     }
+ 
+     public boolean isReviewRequired() {
+diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
+index 2f0dc3d21..dab86e734 100644
+--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
+@@ -145,6 +145,9 @@ public final class Utils {
+      */
+     public static final long ONE_TIME_PERMISSIONS_TIMEOUT_MILLIS = 1 * 60 * 1000; // 1 minute
+ 
+    /** Mapping permission -> group for all special runtime permissions */
+    private static final ArrayMap<String, String> SPECIAL_RUNTIME_PERMISSIONS;
+
+     /** Mapping permission -> group for all dangerous platform permissions */
+     private static final ArrayMap<String, String> PLATFORM_PERMISSIONS;
+ 
+@@ -212,6 +215,9 @@ public final class Utils {
+ 
+         PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+ 
+        SPECIAL_RUNTIME_PERMISSIONS = new ArrayMap<>();
+        SPECIAL_RUNTIME_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+
+         PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
+         int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
+         for (int i = 0; i < numPlatformPermissions; i++) {
+@@ -642,6 +648,17 @@ public final class Utils {
+         return PLATFORM_PERMISSIONS.containsKey(permission);
+     }
+ 
+    /**
+     * Is the permission a special runtime permission?
+     * These are treated as a runtime permission even for legacy apps. They
+     * need to be granted by default for all apps to maintain compatibility.
+     *
+     * @return whether the permission is a special runtime permission.
+     */
+    public static boolean isSpecialRuntimePermission(@NonNull String permission) {
+        return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission);
+    }
+
+     /**
+      * Should UI show this permission.
+      *
--- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-4.patch
+++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-4.patch
@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: inthewaves <inthewaves@pm.me>
+Date: Wed, 16 Sep 2020 17:30:37 -0700
+Subject: [PATCH] don't auto revoke Network and Sensors
+
+These shouldn't be automatically removed since apps are currently
+granted these by default for compatibility. Users have to explicitly
+remove them rather than granting them. Apps would need to be aware of
+them and request them from the user to treat them like the standard
+permissions.
+---
+ .../permission/data/AutoRevokeStateLiveData.kt        |  3 ++-
+ .../permission/service/AutoRevokePermissions.kt       |  6 +++---
+ .../permissioncontroller/permission/utils/Utils.java  | 11 +++++++++++
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt b/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt
+index d84b7c9a3..0d74a8c2f 100644
+--- a/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt
+++ b/src/com/android/permissioncontroller/permission/data/AutoRevokeStateLiveData.kt
+@@ -29,6 +29,7 @@ import com.android.permissioncontroller.permission.service.ExemptServicesLiveDat
+ import com.android.permissioncontroller.permission.service.isAutoRevokeEnabled
+ import com.android.permissioncontroller.permission.service.isPackageAutoRevokeExempt
+ import com.android.permissioncontroller.permission.service.isPackageAutoRevokePermanentlyExempt
+import com.android.permissioncontroller.permission.utils.Utils
+ import kotlinx.coroutines.Job
+ 
+ /**
+@@ -91,7 +92,7 @@ class AutoRevokeStateLiveData private constructor(
+                     permState.permFlags and (FLAG_PERMISSION_GRANTED_BY_DEFAULT or
+                             FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
+                 } ?: false
+-                if (!default) {
+                if (!default && !Utils.isSpecialRuntimePermissionGroup(groupName)) {
+                     revocableGroups.add(groupName)
+                 }
+             }
+diff --git a/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt b/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
+index 8dd8e8f77..d7f8f229f 100644
+--- a/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
+++ b/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt
+@@ -239,8 +239,7 @@ class AutoRevokeOnBootReceiver : BroadcastReceiver() {
+ private suspend fun revokePermissionsOnUnusedApps(
+     context: Context,
+     sessionId: Long = INVALID_SESSION_ID
+-):
+-    List<Pair<String, UserHandle>> {
+): List<Pair<String, UserHandle>> {
+     if (!isAutoRevokeEnabled(context)) {
+         return emptyList()
+     }
+@@ -361,7 +360,8 @@ private suspend fun revokePermissionsOnUnusedApps(
+                     granted &&
+                     !group.isGrantedByDefault &&
+                     !group.isGrantedByRole &&
+-                    group.isUserSensitive) {
+                    group.isUserSensitive &&
+                    !Utils.isSpecialRuntimePermissionGroup(groupName)) {
+ 
+                     val revocablePermissions = group.permissions.keys.toList()
+ 
+diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
+index dab86e734..4a7de5416 100644
+--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
+@@ -659,6 +659,17 @@ public final class Utils {
+         return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission);
+     }
+ 
+    /**
+     * Is the permission group a special runtime permission group?
+     * These are treated as a runtime permission even for legacy apps. They
+     * need to be granted by default for all apps to maintain compatibility.
+     *
+     * @return whether the permission group is a special runtime permission group.
+     */
+    public static boolean isSpecialRuntimePermissionGroup(@NonNull String permissionGroup) {
+        return SPECIAL_RUNTIME_PERMISSIONS.containsValue(permissionGroup);
+    }
+
+     /**
+      * Should UI show this permission.
+      *
--- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-5.patch
+++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-5.patch
@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pratyush <codelab@pratyush.dev>
+Date: Sat, 24 Jul 2021 04:33:31 +0530
+Subject: [PATCH] ui fix for special runtime permission
+
+---
+ .../permissioncontroller/permission/utils/KotlinUtils.kt    | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt b/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
+index 64068fe41..63348d72a 100644
+--- a/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
+++ b/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt
+@@ -467,7 +467,7 @@ object KotlinUtils {
+         if (!perm.isGrantedIncludingAppOp) {
+             val affectsAppOp = permissionToOp(perm.name) != null || perm.isBackgroundPermission
+ 
+-            if (supportsRuntime) {
+            if (supportsRuntime || Utils.isSpecialRuntimePermission(perm.name)) {
+                 app.packageManager.grantRuntimePermission(group.packageInfo.packageName, perm.name,
+                     user)
+                 isGranted = true
+@@ -640,7 +640,7 @@ object KotlinUtils {
+         val affectsAppOp = permissionToOp(perm.name) != null || perm.isBackgroundPermission
+ 
+         if (perm.isGrantedIncludingAppOp) {
+-            if (supportsRuntime) {
+            if (supportsRuntime || Utils.isSpecialRuntimePermission(perm.name)) {
+                 // Revoke the permission if needed.
+                 app.packageManager.revokeRuntimePermission(group.packageInfo.packageName,
+                     perm.name, user)
+@@ -927,4 +927,4 @@ fun NavController.navigateSafe(destResId: Int, args: Bundle? = null) {
+             navigate(destResId, args)
+         }
+     }
+-}
+\ No newline at end of file
+}
--- a/Patches/LineageOS-18.1/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
+++ b/Patches/LineageOS-18.1/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 6 Aug 2017 08:19:36 -0400
+Subject: [PATCH] remove legacy NETWORK permission group reference
+
+---
+ AndroidManifest.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/AndroidManifest.xml b/AndroidManifest.xml
+index 43cf258e..dfce071d 100644
+--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
+@@ -29,7 +29,6 @@
+ 
+     <!-- Allows to queue downloads without a notification shown while the download runs. -->
+     <permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
+-        android:permissionGroup="android.permission-group.NETWORK"
+         android:label="@string/permlab_downloadWithoutNotification"
+         android:description="@string/permdesc_downloadWithoutNotification"
+         android:protectionLevel="normal"/>
--- a/Patches/LineageOS-18.1/android_system_netd/0001-Network_Permission.patch
+++ b/Patches/LineageOS-18.1/android_system_netd/0001-Network_Permission.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pratyush <codelab@pratyush.dev>
+Date: Thu, 12 Aug 2021 00:15:25 +0530
+Subject: [PATCH] use uid instead of app id for tracking INTERNET permission
+
+Change-Id: Ibec846480f3b440b5a323c86efa95c2fd1d81284
+---
+ bpf_progs/netd.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
+index 5689c197..fb266a92 100644
+--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
+@@ -360,14 +360,8 @@ DEFINE_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_c
+                      KVER(4, 14, 0))
+ (struct bpf_sock* sk) {
+     uint64_t gid_uid = bpf_get_current_uid_gid();
+-    /*
+-     * A given app is guaranteed to have the same app ID in all the profiles in
+-     * which it is installed, and install permission is granted to app for all
+-     * user at install time so we only check the appId part of a request uid at
+-     * run time. See UserHandle#isSameApp for detail.
+-     */
+-    uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
+-    uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
+    uint32_t uid = (gid_uid & 0xffffffff);
+    uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&uid);
+     if (!permissions) {
+         // UID not in map. Default to just INTERNET permission.
+         return 1;
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@ -112,6 +112,15 @@ applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch";
 if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Restore_SensorsOff.patch"; #Restore the Sensors Off tile
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-2.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-3.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-7.patch";
+fi;
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service
@ -182,6 +191,7 @@ fi;
 if enterAndClear "libcore"; then
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Preload.patch"; fi; #Add exec-based spawning support (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0002-Exec_Based_Spawning.patch"; fi;
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
 fi;

 if enterAndClear "lineage-sdk"; then
@ -203,6 +213,13 @@ rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml
 applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytics.patch"; #Remove analytics
 fi;

+if enterAndClear "packages/apps/PermissionController"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch";
+fi;
+fi;
+
 if enterAndClear "packages/apps/Settings"; then
 git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@ -234,6 +251,10 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;

+if enterAndClear "packages/providers/DownloadProvider"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 #if enterAndClear "packages/services/Telephony"; then
 #applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #XXX 17REBASE
 #applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; #XXX 17REBASE
@ -251,6 +272,10 @@ if enterAndClear "system/extras"; then
 applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
 fi;

+if enterAndClear "system/netd"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 if enterAndClear "system/sepolicy"; then
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@ -94,6 +94,15 @@ applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch";
 if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Sensors.patch"; fi #Permission for sensors access (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Restore_SensorsOff.patch"; #Restore the Sensors Off tile
 applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch";
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-7.patch";
+fi;
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 hardenLocationConf services/core/java/com/android/server/location/gps_debug.conf; #Harden the default GPS config
@ -168,6 +177,10 @@ if enterAndClear "hardware/qcom-caf/sm8250/audio"; then
 applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch"; #audio_extn: Fix unused parameter warning in utils.c
 fi;

+if enterAndClear "libcore"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 if enterAndClear "lineage-sdk"; then
 awk -i inplace '!/LineageWeatherManagerService/' lineage/res/res/values/config.xml; #Disable Weather
 if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAudioService/' lineage/res/res/values/config.xml; fi; #Remove AudioFX
@ -189,6 +202,13 @@ fi;

 if enterAndClear "packages/apps/PermissionController"; then
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-2.patch";
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-3.patch";
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-4.patch";
+applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-5.patch";
+fi;
 fi;

 if enterAndClear "packages/apps/Settings"; then
@ -220,6 +240,10 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;

+if enterAndClear "packages/providers/DownloadProvider"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 if enterAndClear "packages/providers/TelephonyProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/304614.patch"; #mcc/mnc fix
 applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/312102.patch"; #mnc fix
@ -244,6 +268,10 @@ if enterAndClear "system/extras"; then
 applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
 fi;

+if enterAndClear "system/netd"; then
+if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
+fi;
+
 if enterAndClear "system/sepolicy"; then
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/30.0";
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@ -59,6 +59,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
 export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices
 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1
 export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1 XXX: broken (just on 17.1?)
+export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1
 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
 export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
 export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"