Fixup the sensors permission patches on 7, 8, and 9.

Switch these patches to MODE_ALLOWED from MODE_ASK to fix breakage of system services. Also remove some code that adds a likely security issue. Will need some extra regression testing. Signed-off-by: Tad <tad@spotco.us>
2024-06-26 14:42:13 +00:00 · 2021-11-04 09:44:00 -04:00 · 2021-11-04 09:44:00 -04:00 · 621441349e
commit 621441349e
parent f7295a0f74
11 changed files with 27 additions and 184 deletions
--- a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch
+++ b/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch
@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: MSe <mse1969@posteo.de>
-Date: Wed, 25 Apr 2018 23:07:47 +0200
-Subject: [PATCH] AppOpsService: Default mode 'allowed' for systemUID and
- platform signed
-
-To avoid severe issues when setting selected Ops to 'ASK', the default
-mode for systemui, apps with uid 1000 (system) and apps signed with the
-platform key will always get the 'allowed' mode as default.
-
-Change-Id: I71d9618d5b900241b99c060d43bc4270da05305b
---
- .../com/android/server/AppOpsService.java     | 20 +++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
-index a9e350570508..de31ba177ca2 100644
--- a/services/core/java/com/android/server/AppOpsService.java
-+++ b/services/core/java/com/android/server/AppOpsService.java
-@@ -2576,6 +2576,26 @@ public class AppOpsService extends IAppOpsService.Stub {
-     }
- 
-     private int getDefaultMode(int code, int uid, String packageName) {
-+        // To allow setting 'MODE_ASK' for own Ops, some precautions to
-+        // avoid privileged apps to trigger the toggle are needed:
-+        
-+        // 1st check: Skip uid 1000 and systemui
-+        if (uid == android.os.Process.SYSTEM_UID || "com.android.systemui".equals(packageName)) {
-+            return AppOpsManager.MODE_ALLOWED;
-+        }
-+        // 2nd check: Skip apps signed with platform key, except for the 'root' Op
-+        if (code != AppOpsManager.OP_SU) {
-+            try {
-+                int match = AppGlobals.getPackageManager().checkSignatures("android", packageName);        
-+                if (match >= PackageManager.SIGNATURE_MATCH) {
-+                    return AppOpsManager.MODE_ALLOWED;
-+                }
-+            } catch (RemoteException re) {            
-+                Log.e(TAG, "AppOps getDefaultMode: Can't talk to PM f. Sig.Check", re);
-+            }
-+        }
-+        // end
-+        
-         int mode = AppOpsManager.opToDefaultMode(code,
-                 isStrict(code, uid, packageName));
-         if (AppOpsManager.isStrictOp(code) && mPolicy != null) {
--- a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch
+++ b/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch
@ -1,32 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: MSe <mse1969@posteo.de>
-Date: Wed, 25 Apr 2018 23:12:20 +0200
-Subject: [PATCH] AppOps: Default MODE_ASK for OP_MOTION_SENSORS
-
-Change-Id: I4e8380c21b5c8a9e90c99d52e35d825ef0db6d98
---
- core/java/android/app/AppOpsManager.java | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
-index a9a00a60f0e5..84b196a2375b 100644
--- a/core/java/android/app/AppOpsManager.java
-+++ b/core/java/android/app/AppOpsManager.java
-@@ -977,7 +977,7 @@ public class AppOpsManager {
-             AppOpsManager.MODE_ALLOWED, // OP_NFC_CHANGE
-             AppOpsManager.MODE_ALLOWED,
-             AppOpsManager.MODE_ASK,     // OP_SU
-            AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
-             AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
-     };
- 
-@@ -1056,7 +1056,7 @@ public class AppOpsManager {
-             AppOpsManager.MODE_ASK,     // OP_NFC_CHANGE
-             AppOpsManager.MODE_ASK,     // OP_DATA_CONNECT_CHANGE
-             AppOpsManager.MODE_ASK,     // OP_SU
-            AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
-             AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
-     };
- 
--- a/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch
+++ b/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch
@ -4,25 +4,20 @@ Date: Sun, 17 Jun 2018 10:49:09 +0200
 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [base]

 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)

-To avoid severe issues when setting selected Ops to 'ASK', the default
-mode for systemui, apps with uid 1000 (system) and apps signed with the
-platform key will always get the 'allowed' mode as default.
-
 Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb
 ---
- core/java/android/app/AppOpsManager.java      | 34 +++++++++++++++++--
- core/res/res/values-de/cm_strings.xml         |  2 ++
- core/res/res/values-fr/cm_strings.xml         |  2 ++
- core/res/res/values/cm_strings.xml            |  2 ++
- core/res/res/values/lineage_arrays.xml        |  4 +++
- .../com/android/server/AppOpsService.java     | 20 +++++++++++
- 6 files changed, 61 insertions(+), 3 deletions(-)
+ core/java/android/app/AppOpsManager.java | 34 +++++++++++++++++++++---
+ core/res/res/values-de/cm_strings.xml    |  2 ++
+ core/res/res/values-fr/cm_strings.xml    |  2 ++
+ core/res/res/values/cm_strings.xml       |  2 ++
+ core/res/res/values/lineage_arrays.xml   |  4 +++
+ 5 files changed, 41 insertions(+), 3 deletions(-)

 diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
-index 2db36c8f4e02..d2587f2009df 100644
+index 2db36c8f4e02..e59869c11e90 100644
 --- a/core/java/android/app/AppOpsManager.java
 +++ b/core/java/android/app/AppOpsManager.java
@@ -280,8 +280,12 @@ public class AppOpsManager {
@ -112,7 +107,7 @@ index 2db36c8f4e02..d2587f2009df 100644
             AppOpsManager.MODE_ALLOWED,
 -            AppOpsManager.MODE_ASK, // OP_SU
 +            AppOpsManager.MODE_ASK,     // OP_SU
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,     // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
 
@ -121,7 +116,7 @@ index 2db36c8f4e02..d2587f2009df 100644
             AppOpsManager.MODE_ASK,     // OP_NFC_CHANGE
             AppOpsManager.MODE_ASK,     // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,     // OP_SU
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,     // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
 
@ -201,34 +196,3 @@ index 65149d2a9e54..5cb3120dbc47 100644
     </string-array>
 
 </resources>
-diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
-index 8dc8272303e3..0a74101de471 100644
--- a/services/core/java/com/android/server/AppOpsService.java
-+++ b/services/core/java/com/android/server/AppOpsService.java
-@@ -2841,6 +2841,26 @@ public class AppOpsService extends IAppOpsService.Stub {
-     }
- 
-     private int getDefaultMode(int code, int uid, String packageName) {
-+        // To allow setting 'MODE_ASK' for own Ops, some precautions to
-+        // avoid privileged apps to trigger the toggle are needed:
-+        
-+        // 1st check: Skip uid 1000 and systemui
-+        if (uid == android.os.Process.SYSTEM_UID || "com.android.systemui".equals(packageName)) {
-+            return AppOpsManager.MODE_ALLOWED;
-+        }
-+        // 2nd check: Skip apps signed with platform key, except for the 'root' Op
-+        if (code != AppOpsManager.OP_SU) {
-+            try {
-+                int match = AppGlobals.getPackageManager().checkSignatures("android", packageName);        
-+                if (match >= PackageManager.SIGNATURE_MATCH) {
-+                    return AppOpsManager.MODE_ALLOWED;
-+                }
-+            } catch (RemoteException re) {            
-+                Log.e(TAG, "AppOps getDefaultMode: Can't talk to PM f. Sig.Check", re);
-+            }
-+        }
-+        // end
-+        
-         int mode = AppOpsManager.opToDefaultMode(code,
-                 isStrict(code, uid, packageName));
-         if (AppOpsManager.isStrictOp(code) && mPolicy != null) {
--- a/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch
+++ b/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch
@ -4,7 +4,7 @@ Date: Sun, 17 Jun 2018 11:33:33 +0200
 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [native]

 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)

 This change updated the AppOPs binder for the newly defined Ops,
--- a/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch
@ -4,7 +4,7 @@ Date: Sun, 17 Jun 2018 13:03:27 +0200
 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [Settings]

 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)

 Add new Sensor template, relocate BODY_SENSORS into it
--- a/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch
@ -4,25 +4,20 @@ Date: Fri, 15 Mar 2019 22:05:36 +0100
 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [base]

 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)

-To avoid severe issues when setting selected Ops to 'ASK', the default
-mode for apps with uid 1000 (system) will always get the 'allowed' mode
-as default, same as com.android.systemui
-
 Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb
 ---
- core/java/android/app/AppOpsManager.java      | 35 +++++++++++++++++--
- core/res/res/values-de/cm_strings.xml         |  2 ++
- core/res/res/values-fr/cm_strings.xml         |  2 ++
- core/res/res/values/cm_strings.xml            |  2 ++
- core/res/res/values/lineage_arrays.xml        |  4 +++
- .../com/android/server/AppOpsService.java     | 19 +++++++++-
- 6 files changed, 61 insertions(+), 3 deletions(-)
+ core/java/android/app/AppOpsManager.java | 35 ++++++++++++++++++++++--
+ core/res/res/values-de/cm_strings.xml    |  2 ++
+ core/res/res/values-fr/cm_strings.xml    |  2 ++
+ core/res/res/values/cm_strings.xml       |  2 ++
+ core/res/res/values/lineage_arrays.xml   |  4 +++
+ 5 files changed, 43 insertions(+), 2 deletions(-)

 diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
-index 5b763e50c38f..bd9f9224f325 100644
+index 5b763e50c38f..fef17859af8c 100644
 --- a/core/java/android/app/AppOpsManager.java
 +++ b/core/java/android/app/AppOpsManager.java
@@ -371,8 +371,12 @@ public class AppOpsManager {
@ -120,7 +115,7 @@ index 5b763e50c38f..bd9f9224f325 100644
             AppOpsManager.MODE_ALLOWED,  // OP_NFC_CHANGE
             AppOpsManager.MODE_ALLOWED,  // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,      // OP_SU
-+            AppOpsManager.MODE_ASK,      // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,      // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED,  // OP_OTHER_SENSORS
     };
 
@ -129,7 +124,7 @@ index 5b763e50c38f..bd9f9224f325 100644
             AppOpsManager.MODE_ASK,     // OP_NFC_CHANGE
             AppOpsManager.MODE_ASK,     // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,     // OP_SU
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,     // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
 
@ -209,40 +204,3 @@ index 58567d1c8bd1..11a7d99b8d48 100644
     </string-array>
 
 </resources>
-diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
-index 95ba50246db0..a6cf19f9be8a 100644
--- a/services/core/java/com/android/server/AppOpsService.java
-+++ b/services/core/java/com/android/server/AppOpsService.java
-@@ -1822,6 +1822,15 @@ public class AppOpsService extends IAppOpsService.Stub {
-                     op.rejectTime[uidState.state] = System.currentTimeMillis();
-                     op.ignoredCount++;
-                     return mode;
-+                } else if (uid == Process.SYSTEM_UID || packageName == "com.android.systemui") {
-+                    /*
-+                     *  To avoid a deadlock situation in case of system/privileged apps having
-+                     *  'MODE_ASK'as default in case of own AppOps (e.g. OP_MOTION_SENSORS),
-+                     *  we need to grant always access to such privileged system apps.
-+                     *
-+                     *  This 'blind' condition causes the PermissionDialog req not to be
-+                     *  initialised, hence the `if (req == null)` condition below applies.
-+                     */
-                 } else if (mode == AppOpsManager.MODE_ASK) {
-                     if (Looper.myLooper() == mLooper || Thread.holdsLock(mActivityManagerService)) {
-                         Slog.e(TAG, "noteOperation: this method will deadlock if called" +
-@@ -2000,7 +2009,15 @@ public class AppOpsService extends IAppOpsService.Stub {
-                 op.rejectTime[uidState.state] = System.currentTimeMillis();
-                 op.ignoredCount++;
-                 return mode;
-            } else if (mode == AppOpsManager.MODE_ALLOWED) {
-+            } else if ((mode == AppOpsManager.MODE_ALLOWED) ||
-+                    /*
-+                     * To avoid a deadlock situation in case of system/privileged apps having
-+                     * 'MODE_ASK'as default in case of own AppOps (e.g. OP_MOTION_SENSORS),
-+                     * we need to grant always access to such privileged system apps
-+                     */
-+                    ((uid == Process.SYSTEM_UID || packageName == "com.android.systemui") &&
-+                    (mode == AppOpsManager.MODE_ASK))) {
-+
-                 if (DEBUG) Slog.d(TAG, "startOperation: allowing code " + code + " uid " + uid
-                         + " package " + resolvedPackageName);
-                 if (op.startNesting == 0) {
--- a/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch
@ -4,7 +4,7 @@ Date: Fri, 15 Mar 2019 22:14:54 +0100
 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [native]

 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)

 This change updated the AppOPs binder for the newly defined Ops,
--- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch
@ -4,7 +4,7 @@ Date: Fri, 15 Mar 2019 22:29:43 +0100
 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [Settings]

 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)

 Add new Sensor template, relocate BODY_SENSORS into it
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -105,8 +105,6 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch";
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P1.patch"; #Permission for sensors access (MSe1969)
-applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P2.patch";
-applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P3.patch";
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 hardenLocationFWB "$DOS_BUILD_BASE"; #Harden the default GPS config
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -291,9 +291,9 @@ if enterAndClear "device/lge/msm8996-common"; then
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 fi;

-if enterAndClear "device/moto/shamu"; then
+#if enterAndClear "device/moto/shamu"; then
 #git revert --no-edit 05fb49518049440f90423341ff25d4f75f10bc0c; #restore releasetools #TODO
-fi;
+#fi;

 if enterAndClear "device/oneplus/oneplus2"; then
 sed -i 's|etc/permissions/qti_libpermissions.xml|vendor/etc/permissions/qti_libpermissions.xml|' proprietary-files.txt; #Fix outdated path
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@ -133,6 +133,7 @@ patchWorkspace() {
 	#source build/envsetup.sh;
 	#repopick -it eleven-firewall;
 	#repopick -it R_tzdb2021a1;
+	#repopick -it R_asb_2021-11; #TODO: needs cherrypicks too

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";