diff --git a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch b/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch deleted file mode 100644 index 5cafafa3..00000000 --- a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe -Date: Wed, 25 Apr 2018 23:07:47 +0200 -Subject: [PATCH] AppOpsService: Default mode 'allowed' for systemUID and - platform signed - -To avoid severe issues when setting selected Ops to 'ASK', the default -mode for systemui, apps with uid 1000 (system) and apps signed with the -platform key will always get the 'allowed' mode as default. - -Change-Id: I71d9618d5b900241b99c060d43bc4270da05305b ---- - .../com/android/server/AppOpsService.java | 20 +++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java -index a9e350570508..de31ba177ca2 100644 ---- a/services/core/java/com/android/server/AppOpsService.java -+++ b/services/core/java/com/android/server/AppOpsService.java -@@ -2576,6 +2576,26 @@ public class AppOpsService extends IAppOpsService.Stub { - } - - private int getDefaultMode(int code, int uid, String packageName) { -+ // To allow setting 'MODE_ASK' for own Ops, some precautions to -+ // avoid privileged apps to trigger the toggle are needed: -+ -+ // 1st check: Skip uid 1000 and systemui -+ if (uid == android.os.Process.SYSTEM_UID || "com.android.systemui".equals(packageName)) { -+ return AppOpsManager.MODE_ALLOWED; -+ } -+ // 2nd check: Skip apps signed with platform key, except for the 'root' Op -+ if (code != AppOpsManager.OP_SU) { -+ try { -+ int match = AppGlobals.getPackageManager().checkSignatures("android", packageName); -+ if (match >= PackageManager.SIGNATURE_MATCH) { -+ return AppOpsManager.MODE_ALLOWED; -+ } -+ } catch (RemoteException re) { -+ Log.e(TAG, "AppOps getDefaultMode: Can't talk to PM f. Sig.Check", re); -+ } -+ } -+ // end -+ - int mode = AppOpsManager.opToDefaultMode(code, - isStrict(code, uid, packageName)); - if (AppOpsManager.isStrictOp(code) && mPolicy != null) { diff --git a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch b/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch deleted file mode 100644 index e99ee06d..00000000 --- a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe -Date: Wed, 25 Apr 2018 23:12:20 +0200 -Subject: [PATCH] AppOps: Default MODE_ASK for OP_MOTION_SENSORS - -Change-Id: I4e8380c21b5c8a9e90c99d52e35d825ef0db6d98 ---- - core/java/android/app/AppOpsManager.java | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java -index a9a00a60f0e5..84b196a2375b 100644 ---- a/core/java/android/app/AppOpsManager.java -+++ b/core/java/android/app/AppOpsManager.java -@@ -977,7 +977,7 @@ public class AppOpsManager { - AppOpsManager.MODE_ALLOWED, // OP_NFC_CHANGE - AppOpsManager.MODE_ALLOWED, - AppOpsManager.MODE_ASK, // OP_SU -- AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS -+ AppOpsManager.MODE_ASK, // OP_MOTION_SENSORS - AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS - }; - -@@ -1056,7 +1056,7 @@ public class AppOpsManager { - AppOpsManager.MODE_ASK, // OP_NFC_CHANGE - AppOpsManager.MODE_ASK, // OP_DATA_CONNECT_CHANGE - AppOpsManager.MODE_ASK, // OP_SU -- AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS -+ AppOpsManager.MODE_ASK, // OP_MOTION_SENSORS - AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS - }; - diff --git a/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch b/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch index 1349a058..c0df5845 100644 --- a/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch +++ b/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch @@ -4,25 +4,20 @@ Date: Sun, 17 Jun 2018 10:49:09 +0200 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [base] Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: ask, strict) +- OP_MOTION_SENSORS (default: allow, strict) - OP_OTHER_SENSORS (default: allow) -To avoid severe issues when setting selected Ops to 'ASK', the default -mode for systemui, apps with uid 1000 (system) and apps signed with the -platform key will always get the 'allowed' mode as default. - Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb --- - core/java/android/app/AppOpsManager.java | 34 +++++++++++++++++-- - core/res/res/values-de/cm_strings.xml | 2 ++ - core/res/res/values-fr/cm_strings.xml | 2 ++ - core/res/res/values/cm_strings.xml | 2 ++ - core/res/res/values/lineage_arrays.xml | 4 +++ - .../com/android/server/AppOpsService.java | 20 +++++++++++ - 6 files changed, 61 insertions(+), 3 deletions(-) + core/java/android/app/AppOpsManager.java | 34 +++++++++++++++++++++--- + core/res/res/values-de/cm_strings.xml | 2 ++ + core/res/res/values-fr/cm_strings.xml | 2 ++ + core/res/res/values/cm_strings.xml | 2 ++ + core/res/res/values/lineage_arrays.xml | 4 +++ + 5 files changed, 41 insertions(+), 3 deletions(-) diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java -index 2db36c8f4e02..d2587f2009df 100644 +index 2db36c8f4e02..e59869c11e90 100644 --- a/core/java/android/app/AppOpsManager.java +++ b/core/java/android/app/AppOpsManager.java @@ -280,8 +280,12 @@ public class AppOpsManager { @@ -112,7 +107,7 @@ index 2db36c8f4e02..d2587f2009df 100644 AppOpsManager.MODE_ALLOWED, - AppOpsManager.MODE_ASK, // OP_SU + AppOpsManager.MODE_ASK, // OP_SU -+ AppOpsManager.MODE_ASK, // OP_MOTION_SENSORS ++ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS + AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS }; @@ -121,7 +116,7 @@ index 2db36c8f4e02..d2587f2009df 100644 AppOpsManager.MODE_ASK, // OP_NFC_CHANGE AppOpsManager.MODE_ASK, // OP_DATA_CONNECT_CHANGE AppOpsManager.MODE_ASK, // OP_SU -+ AppOpsManager.MODE_ASK, // OP_MOTION_SENSORS ++ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS + AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS }; @@ -201,34 +196,3 @@ index 65149d2a9e54..5cb3120dbc47 100644 -diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java -index 8dc8272303e3..0a74101de471 100644 ---- a/services/core/java/com/android/server/AppOpsService.java -+++ b/services/core/java/com/android/server/AppOpsService.java -@@ -2841,6 +2841,26 @@ public class AppOpsService extends IAppOpsService.Stub { - } - - private int getDefaultMode(int code, int uid, String packageName) { -+ // To allow setting 'MODE_ASK' for own Ops, some precautions to -+ // avoid privileged apps to trigger the toggle are needed: -+ -+ // 1st check: Skip uid 1000 and systemui -+ if (uid == android.os.Process.SYSTEM_UID || "com.android.systemui".equals(packageName)) { -+ return AppOpsManager.MODE_ALLOWED; -+ } -+ // 2nd check: Skip apps signed with platform key, except for the 'root' Op -+ if (code != AppOpsManager.OP_SU) { -+ try { -+ int match = AppGlobals.getPackageManager().checkSignatures("android", packageName); -+ if (match >= PackageManager.SIGNATURE_MATCH) { -+ return AppOpsManager.MODE_ALLOWED; -+ } -+ } catch (RemoteException re) { -+ Log.e(TAG, "AppOps getDefaultMode: Can't talk to PM f. Sig.Check", re); -+ } -+ } -+ // end -+ - int mode = AppOpsManager.opToDefaultMode(code, - isStrict(code, uid, packageName)); - if (AppOpsManager.isStrictOp(code) && mPolicy != null) { diff --git a/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch b/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch index ebad8d41..a630c69f 100644 --- a/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch +++ b/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch @@ -4,7 +4,7 @@ Date: Sun, 17 Jun 2018 11:33:33 +0200 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [native] Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: ask, strict) +- OP_MOTION_SENSORS (default: allow, strict) - OP_OTHER_SENSORS (default: allow) This change updated the AppOPs binder for the newly defined Ops, diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch index 51b38f58..5c4b79e0 100644 --- a/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch +++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch @@ -4,7 +4,7 @@ Date: Sun, 17 Jun 2018 13:03:27 +0200 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [Settings] Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: ask, strict) +- OP_MOTION_SENSORS (default: allow, strict) - OP_OTHER_SENSORS (default: allow) Add new Sensor template, relocate BODY_SENSORS into it diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch b/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch index 25c45a9b..0bbcaae2 100644 --- a/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch +++ b/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch @@ -4,25 +4,20 @@ Date: Fri, 15 Mar 2019 22:05:36 +0100 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [base] Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: ask, strict) +- OP_MOTION_SENSORS (default: allow, strict) - OP_OTHER_SENSORS (default: allow) -To avoid severe issues when setting selected Ops to 'ASK', the default -mode for apps with uid 1000 (system) will always get the 'allowed' mode -as default, same as com.android.systemui - Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb --- - core/java/android/app/AppOpsManager.java | 35 +++++++++++++++++-- - core/res/res/values-de/cm_strings.xml | 2 ++ - core/res/res/values-fr/cm_strings.xml | 2 ++ - core/res/res/values/cm_strings.xml | 2 ++ - core/res/res/values/lineage_arrays.xml | 4 +++ - .../com/android/server/AppOpsService.java | 19 +++++++++- - 6 files changed, 61 insertions(+), 3 deletions(-) + core/java/android/app/AppOpsManager.java | 35 ++++++++++++++++++++++-- + core/res/res/values-de/cm_strings.xml | 2 ++ + core/res/res/values-fr/cm_strings.xml | 2 ++ + core/res/res/values/cm_strings.xml | 2 ++ + core/res/res/values/lineage_arrays.xml | 4 +++ + 5 files changed, 43 insertions(+), 2 deletions(-) diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java -index 5b763e50c38f..bd9f9224f325 100644 +index 5b763e50c38f..fef17859af8c 100644 --- a/core/java/android/app/AppOpsManager.java +++ b/core/java/android/app/AppOpsManager.java @@ -371,8 +371,12 @@ public class AppOpsManager { @@ -120,7 +115,7 @@ index 5b763e50c38f..bd9f9224f325 100644 AppOpsManager.MODE_ALLOWED, // OP_NFC_CHANGE AppOpsManager.MODE_ALLOWED, // OP_DATA_CONNECT_CHANGE AppOpsManager.MODE_ASK, // OP_SU -+ AppOpsManager.MODE_ASK, // OP_MOTION_SENSORS ++ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS + AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS }; @@ -129,7 +124,7 @@ index 5b763e50c38f..bd9f9224f325 100644 AppOpsManager.MODE_ASK, // OP_NFC_CHANGE AppOpsManager.MODE_ASK, // OP_DATA_CONNECT_CHANGE AppOpsManager.MODE_ASK, // OP_SU -+ AppOpsManager.MODE_ASK, // OP_MOTION_SENSORS ++ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS + AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS }; @@ -209,40 +204,3 @@ index 58567d1c8bd1..11a7d99b8d48 100644 -diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java -index 95ba50246db0..a6cf19f9be8a 100644 ---- a/services/core/java/com/android/server/AppOpsService.java -+++ b/services/core/java/com/android/server/AppOpsService.java -@@ -1822,6 +1822,15 @@ public class AppOpsService extends IAppOpsService.Stub { - op.rejectTime[uidState.state] = System.currentTimeMillis(); - op.ignoredCount++; - return mode; -+ } else if (uid == Process.SYSTEM_UID || packageName == "com.android.systemui") { -+ /* -+ * To avoid a deadlock situation in case of system/privileged apps having -+ * 'MODE_ASK'as default in case of own AppOps (e.g. OP_MOTION_SENSORS), -+ * we need to grant always access to such privileged system apps. -+ * -+ * This 'blind' condition causes the PermissionDialog req not to be -+ * initialised, hence the `if (req == null)` condition below applies. -+ */ - } else if (mode == AppOpsManager.MODE_ASK) { - if (Looper.myLooper() == mLooper || Thread.holdsLock(mActivityManagerService)) { - Slog.e(TAG, "noteOperation: this method will deadlock if called" + -@@ -2000,7 +2009,15 @@ public class AppOpsService extends IAppOpsService.Stub { - op.rejectTime[uidState.state] = System.currentTimeMillis(); - op.ignoredCount++; - return mode; -- } else if (mode == AppOpsManager.MODE_ALLOWED) { -+ } else if ((mode == AppOpsManager.MODE_ALLOWED) || -+ /* -+ * To avoid a deadlock situation in case of system/privileged apps having -+ * 'MODE_ASK'as default in case of own AppOps (e.g. OP_MOTION_SENSORS), -+ * we need to grant always access to such privileged system apps -+ */ -+ ((uid == Process.SYSTEM_UID || packageName == "com.android.systemui") && -+ (mode == AppOpsManager.MODE_ASK))) { -+ - if (DEBUG) Slog.d(TAG, "startOperation: allowing code " + code + " uid " + uid - + " package " + resolvedPackageName); - if (op.startNesting == 0) { diff --git a/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch b/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch index a1d9b6a2..5db9936b 100644 --- a/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch +++ b/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch @@ -4,7 +4,7 @@ Date: Fri, 15 Mar 2019 22:14:54 +0100 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [native] Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: ask, strict) +- OP_MOTION_SENSORS (default: allow, strict) - OP_OTHER_SENSORS (default: allow) This change updated the AppOPs binder for the newly defined Ops, diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch index e815a2b5..fe3e89d8 100644 --- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch @@ -4,7 +4,7 @@ Date: Fri, 15 Mar 2019 22:29:43 +0100 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [Settings] Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: ask, strict) +- OP_MOTION_SENSORS (default: allow, strict) - OP_OTHER_SENSORS (default: allow) Add new Sensor template, relocate BODY_SENSORS into it diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index f20e09b4..18cdc0a2 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -105,8 +105,6 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P1.patch"; #Permission for sensors access (MSe1969) -applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P2.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P3.patch"; if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key hardenLocationFWB "$DOS_BUILD_BASE"; #Harden the default GPS config diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 7ccf71cb..d80ccbf1 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -291,9 +291,9 @@ if enterAndClear "device/lge/msm8996-common"; then sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te; fi; -if enterAndClear "device/moto/shamu"; then +#if enterAndClear "device/moto/shamu"; then #git revert --no-edit 05fb49518049440f90423341ff25d4f75f10bc0c; #restore releasetools #TODO -fi; +#fi; if enterAndClear "device/oneplus/oneplus2"; then sed -i 's|etc/permissions/qti_libpermissions.xml|vendor/etc/permissions/qti_libpermissions.xml|' proprietary-files.txt; #Fix outdated path diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh index 6a676e7d..2d035ba1 100644 --- a/Scripts/LineageOS-18.1/Functions.sh +++ b/Scripts/LineageOS-18.1/Functions.sh @@ -133,6 +133,7 @@ patchWorkspace() { #source build/envsetup.sh; #repopick -it eleven-firewall; #repopick -it R_tzdb2021a1; + #repopick -it R_asb_2021-11; #TODO: needs cherrypicks too sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";