Fixup the sensors permission patches on 7, 8, and 9.

Switch these patches to MODE_ALLOWED from MODE_ASK to fix breakage of system services. Also remove some code that adds a likely security issue. Will need some extra regression testing. Signed-off-by: Tad <tad@spotco.us>
2025-01-11 23:49:34 -05:00 · 2021-11-04 09:44:00 -04:00 · 2021-11-04 09:44:00 -04:00 · 621441349e
commit 621441349e
parent f7295a0f74
11 changed files with 27 additions and 184 deletions
--- a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch
+++ b/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P2.patch
@ -1,46 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: MSe <mse1969@posteo.de>
 Date: Wed, 25 Apr 2018 23:07:47 +0200
 Subject: [PATCH] AppOpsService: Default mode 'allowed' for systemUID and
 platform signed
 To avoid severe issues when setting selected Ops to 'ASK', the default
 mode for systemui, apps with uid 1000 (system) and apps signed with the
 platform key will always get the 'allowed' mode as default.
 Change-Id: I71d9618d5b900241b99c060d43bc4270da05305b
 ---
 .../com/android/server/AppOpsService.java     | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
 index a9e350570508..de31ba177ca2 100644
 --- a/services/core/java/com/android/server/AppOpsService.java
 +++ b/services/core/java/com/android/server/AppOpsService.java
@@ -2576,6 +2576,26 @@ public class AppOpsService extends IAppOpsService.Stub {
     }
     private int getDefaultMode(int code, int uid, String packageName) {
 +        // To allow setting 'MODE_ASK' for own Ops, some precautions to
 +        // avoid privileged apps to trigger the toggle are needed:
 +        
 +        // 1st check: Skip uid 1000 and systemui
 +        if (uid == android.os.Process.SYSTEM_UID || "com.android.systemui".equals(packageName)) {
 +            return AppOpsManager.MODE_ALLOWED;
 +        }
 +        // 2nd check: Skip apps signed with platform key, except for the 'root' Op
 +        if (code != AppOpsManager.OP_SU) {
 +            try {
 +                int match = AppGlobals.getPackageManager().checkSignatures("android", packageName);        
 +                if (match >= PackageManager.SIGNATURE_MATCH) {
 +                    return AppOpsManager.MODE_ALLOWED;
 +                }
 +            } catch (RemoteException re) {            
 +                Log.e(TAG, "AppOps getDefaultMode: Can't talk to PM f. Sig.Check", re);
 +            }
 +        }
 +        // end
 +        
         int mode = AppOpsManager.opToDefaultMode(code,
                 isStrict(code, uid, packageName));
         if (AppOpsManager.isStrictOp(code) && mPolicy != null) {
--- a/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch
+++ b/Patches/LineageOS-14.1/android_frameworks_base/0009-Sensors-P3.patch
@ -1,32 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: MSe <mse1969@posteo.de>
 Date: Wed, 25 Apr 2018 23:12:20 +0200
 Subject: [PATCH] AppOps: Default MODE_ASK for OP_MOTION_SENSORS
 Change-Id: I4e8380c21b5c8a9e90c99d52e35d825ef0db6d98
 ---
 core/java/android/app/AppOpsManager.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
 index a9a00a60f0e5..84b196a2375b 100644
 --- a/core/java/android/app/AppOpsManager.java
 +++ b/core/java/android/app/AppOpsManager.java
@@ -977,7 +977,7 @@ public class AppOpsManager {
             AppOpsManager.MODE_ALLOWED, // OP_NFC_CHANGE
             AppOpsManager.MODE_ALLOWED,
             AppOpsManager.MODE_ASK,     // OP_SU
 -            AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
             AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
@@ -1056,7 +1056,7 @@ public class AppOpsManager {
             AppOpsManager.MODE_ASK,     // OP_NFC_CHANGE
             AppOpsManager.MODE_ASK,     // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,     // OP_SU
 -            AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
             AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
--- a/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch
+++ b/Patches/LineageOS-15.1/android_frameworks_base/0007-Sensors.patch
@ -4,25 +4,20 @@ Date: Sun, 17 Jun 2018 10:49:09 +0200
 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [base]
 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)
 To avoid severe issues when setting selected Ops to 'ASK', the default
 mode for systemui, apps with uid 1000 (system) and apps signed with the
 platform key will always get the 'allowed' mode as default.
 Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb
 ---
- core/java/android/app/AppOpsManager.java      | 34 +++++++++++++++++--
+ core/java/android/app/AppOpsManager.java | 34 +++++++++++++++++++++---
- core/res/res/values-de/cm_strings.xml         |  2 ++
+ core/res/res/values-de/cm_strings.xml    |  2 ++
- core/res/res/values-fr/cm_strings.xml         |  2 ++
+ core/res/res/values-fr/cm_strings.xml    |  2 ++
- core/res/res/values/cm_strings.xml            |  2 ++
+ core/res/res/values/cm_strings.xml       |  2 ++
- core/res/res/values/lineage_arrays.xml        |  4 +++
+ core/res/res/values/lineage_arrays.xml   |  4 +++
- .../com/android/server/AppOpsService.java     | 20 +++++++++++
+ 5 files changed, 41 insertions(+), 3 deletions(-)
 6 files changed, 61 insertions(+), 3 deletions(-)
 diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
-index 2db36c8f4e02..d2587f2009df 100644
+index 2db36c8f4e02..e59869c11e90 100644
 --- a/core/java/android/app/AppOpsManager.java
 +++ b/core/java/android/app/AppOpsManager.java
@@ -280,8 +280,12 @@ public class AppOpsManager {
@ -112,7 +107,7 @@ index 2db36c8f4e02..d2587f2009df 100644
             AppOpsManager.MODE_ALLOWED,
 -            AppOpsManager.MODE_ASK, // OP_SU
 +            AppOpsManager.MODE_ASK,     // OP_SU
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,     // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
@ -121,7 +116,7 @@ index 2db36c8f4e02..d2587f2009df 100644
             AppOpsManager.MODE_ASK,     // OP_NFC_CHANGE
             AppOpsManager.MODE_ASK,     // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,     // OP_SU
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,     // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
@ -201,34 +196,3 @@ index 65149d2a9e54..5cb3120dbc47 100644
     </string-array>
 </resources>
 diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
 index 8dc8272303e3..0a74101de471 100644
 --- a/services/core/java/com/android/server/AppOpsService.java
 +++ b/services/core/java/com/android/server/AppOpsService.java
@@ -2841,6 +2841,26 @@ public class AppOpsService extends IAppOpsService.Stub {
     }
     private int getDefaultMode(int code, int uid, String packageName) {
 +        // To allow setting 'MODE_ASK' for own Ops, some precautions to
 +        // avoid privileged apps to trigger the toggle are needed:
 +        
 +        // 1st check: Skip uid 1000 and systemui
 +        if (uid == android.os.Process.SYSTEM_UID || "com.android.systemui".equals(packageName)) {
 +            return AppOpsManager.MODE_ALLOWED;
 +        }
 +        // 2nd check: Skip apps signed with platform key, except for the 'root' Op
 +        if (code != AppOpsManager.OP_SU) {
 +            try {
 +                int match = AppGlobals.getPackageManager().checkSignatures("android", packageName);        
 +                if (match >= PackageManager.SIGNATURE_MATCH) {
 +                    return AppOpsManager.MODE_ALLOWED;
 +                }
 +            } catch (RemoteException re) {            
 +                Log.e(TAG, "AppOps getDefaultMode: Can't talk to PM f. Sig.Check", re);
 +            }
 +        }
 +        // end
 +        
         int mode = AppOpsManager.opToDefaultMode(code,
                 isStrict(code, uid, packageName));
         if (AppOpsManager.isStrictOp(code) && mPolicy != null) {
--- a/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch
+++ b/Patches/LineageOS-15.1/android_frameworks_native/0001-Sensors.patch
@ -4,7 +4,7 @@ Date: Sun, 17 Jun 2018 11:33:33 +0200
 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [native]
 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)
 This change updated the AppOPs binder for the newly defined Ops,
--- a/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/0005-Sensors-P1.patch
@ -4,7 +4,7 @@ Date: Sun, 17 Jun 2018 13:03:27 +0200
 Subject: [PATCH] - AppOps/PrivacyGuard: New Sensor checks [Settings]
 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)
 Add new Sensor template, relocate BODY_SENSORS into it
--- a/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch
@ -4,25 +4,20 @@ Date: Fri, 15 Mar 2019 22:05:36 +0100
 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [base]
 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)
 To avoid severe issues when setting selected Ops to 'ASK', the default
 mode for apps with uid 1000 (system) will always get the 'allowed' mode
 as default, same as com.android.systemui
 Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb
 ---
- core/java/android/app/AppOpsManager.java      | 35 +++++++++++++++++--
+ core/java/android/app/AppOpsManager.java | 35 ++++++++++++++++++++++--
- core/res/res/values-de/cm_strings.xml         |  2 ++
+ core/res/res/values-de/cm_strings.xml    |  2 ++
- core/res/res/values-fr/cm_strings.xml         |  2 ++
+ core/res/res/values-fr/cm_strings.xml    |  2 ++
- core/res/res/values/cm_strings.xml            |  2 ++
+ core/res/res/values/cm_strings.xml       |  2 ++
- core/res/res/values/lineage_arrays.xml        |  4 +++
+ core/res/res/values/lineage_arrays.xml   |  4 +++
- .../com/android/server/AppOpsService.java     | 19 +++++++++-
+ 5 files changed, 43 insertions(+), 2 deletions(-)
 6 files changed, 61 insertions(+), 3 deletions(-)
 diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
-index 5b763e50c38f..bd9f9224f325 100644
+index 5b763e50c38f..fef17859af8c 100644
 --- a/core/java/android/app/AppOpsManager.java
 +++ b/core/java/android/app/AppOpsManager.java
@@ -371,8 +371,12 @@ public class AppOpsManager {
@ -120,7 +115,7 @@ index 5b763e50c38f..bd9f9224f325 100644
             AppOpsManager.MODE_ALLOWED,  // OP_NFC_CHANGE
             AppOpsManager.MODE_ALLOWED,  // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,      // OP_SU
-+            AppOpsManager.MODE_ASK,      // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,      // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED,  // OP_OTHER_SENSORS
     };
@ -129,7 +124,7 @@ index 5b763e50c38f..bd9f9224f325 100644
             AppOpsManager.MODE_ASK,     // OP_NFC_CHANGE
             AppOpsManager.MODE_ASK,     // OP_DATA_CONNECT_CHANGE
             AppOpsManager.MODE_ASK,     // OP_SU
-+            AppOpsManager.MODE_ASK,     // OP_MOTION_SENSORS
+            AppOpsManager.MODE_ALLOWED,     // OP_MOTION_SENSORS
 +            AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
     };
@ -209,40 +204,3 @@ index 58567d1c8bd1..11a7d99b8d48 100644
     </string-array>
 </resources>
 diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
 index 95ba50246db0..a6cf19f9be8a 100644
 --- a/services/core/java/com/android/server/AppOpsService.java
 +++ b/services/core/java/com/android/server/AppOpsService.java
@@ -1822,6 +1822,15 @@ public class AppOpsService extends IAppOpsService.Stub {
                     op.rejectTime[uidState.state] = System.currentTimeMillis();
                     op.ignoredCount++;
                     return mode;
 +                } else if (uid == Process.SYSTEM_UID || packageName == "com.android.systemui") {
 +                    /*
 +                     *  To avoid a deadlock situation in case of system/privileged apps having
 +                     *  'MODE_ASK'as default in case of own AppOps (e.g. OP_MOTION_SENSORS),
 +                     *  we need to grant always access to such privileged system apps.
 +                     *
 +                     *  This 'blind' condition causes the PermissionDialog req not to be
 +                     *  initialised, hence the `if (req == null)` condition below applies.
 +                     */
                 } else if (mode == AppOpsManager.MODE_ASK) {
                     if (Looper.myLooper() == mLooper || Thread.holdsLock(mActivityManagerService)) {
                         Slog.e(TAG, "noteOperation: this method will deadlock if called" +
@@ -2000,7 +2009,15 @@ public class AppOpsService extends IAppOpsService.Stub {
                 op.rejectTime[uidState.state] = System.currentTimeMillis();
                 op.ignoredCount++;
                 return mode;
 -            } else if (mode == AppOpsManager.MODE_ALLOWED) {
 +            } else if ((mode == AppOpsManager.MODE_ALLOWED) ||
 +                    /*
 +                     * To avoid a deadlock situation in case of system/privileged apps having
 +                     * 'MODE_ASK'as default in case of own AppOps (e.g. OP_MOTION_SENSORS),
 +                     * we need to grant always access to such privileged system apps
 +                     */
 +                    ((uid == Process.SYSTEM_UID || packageName == "com.android.systemui") &&
 +                    (mode == AppOpsManager.MODE_ASK))) {
 +
                 if (DEBUG) Slog.d(TAG, "startOperation: allowing code " + code + " uid " + uid
                         + " package " + resolvedPackageName);
                 if (op.startNesting == 0) {
--- a/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch
@ -4,7 +4,7 @@ Date: Fri, 15 Mar 2019 22:14:54 +0100
 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [native]
 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)
 This change updated the AppOPs binder for the newly defined Ops,
--- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch
@ -4,7 +4,7 @@ Date: Fri, 15 Mar 2019 22:29:43 +0100
 Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [Settings]
 Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: ask, strict)
+- OP_MOTION_SENSORS (default: allow, strict)
 - OP_OTHER_SENSORS  (default: allow)
 Add new Sensor template, relocate BODY_SENSORS into it
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -105,8 +105,6 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch";
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P1.patch"; #Permission for sensors access (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P2.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-Sensors-P3.patch";
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 hardenLocationFWB "$DOS_BUILD_BASE"; #Harden the default GPS config
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -291,9 +291,9 @@ if enterAndClear "device/lge/msm8996-common"; then
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 fi;
-if enterAndClear "device/moto/shamu"; then
+#if enterAndClear "device/moto/shamu"; then
 #git revert --no-edit 05fb49518049440f90423341ff25d4f75f10bc0c; #restore releasetools #TODO
-fi;
+#fi;
 if enterAndClear "device/oneplus/oneplus2"; then
 sed -i 's|etc/permissions/qti_libpermissions.xml|vendor/etc/permissions/qti_libpermissions.xml|' proprietary-files.txt; #Fix outdated path
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@ -133,6 +133,7 @@ patchWorkspace() {
 	#source build/envsetup.sh;
 	#repopick -it eleven-firewall;
 	#repopick -it R_tzdb2021a1;
 	#repopick -it R_asb_2021-11; #TODO: needs cherrypicks too
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";