mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 23:19:31 -05:00
16.0+: Relaxed fix for DNS leaks with app based VPNs from GrapheneOS
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
parent
5fb3319508
commit
72ff1b1a4d
@ -0,0 +1,24 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Thu, 9 May 2024 23:02:17 +0300
|
||||||
|
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
|
||||||
|
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index ecb4ceed..0229ffb8 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -191,8 +191,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
uint32_t NetworkController::getNetworkForDns(unsigned* netId, uid_t uid) const {
|
||||||
|
android::RWLock::AutoRLock lock(mRWLock);
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = true;
|
||||||
|
- fwmark.permission = PERMISSION_SYSTEM;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
if (checkUserNetworkAccessLocked(uid, *netId) == 0) {
|
||||||
|
// If a non-zero NetId was explicitly specified, and the user has permission for that
|
||||||
|
// network, use that network's DNS servers. Do not fall through to the default network even
|
@ -0,0 +1,42 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Micay <daniel.micay@grapheneos.org>
|
||||||
|
Date: Wed, 31 Jul 2024 02:44:05 -0400
|
||||||
|
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
|
||||||
|
|
||||||
|
This avoids attempting to fix the leaks for VPN apps causing leaks
|
||||||
|
through not configuring DNS. This can be reliably fixed from the VPN
|
||||||
|
app's side.
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index e2467709..fbf136ce 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -192,7 +192,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.protectedFromVpn = true;
|
||||||
|
fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
||||||
|
@@ -204,6 +204,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
*netId = mDefaultNetId;
|
||||||
|
fwmark.netId = *netId;
|
||||||
|
fwmark.explicitlySelected = true;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
return fwmark.intValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -221,6 +222,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
if (network && network->getType() == Network::VIRTUAL &&
|
||||||
|
!static_cast<VirtualNetwork *>(network)->getHasDns()) {
|
||||||
|
*netId = mDefaultNetId;
|
||||||
|
+ } else {
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
|
@ -0,0 +1,24 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Thu, 9 May 2024 23:02:17 +0300
|
||||||
|
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
|
||||||
|
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 20ae44b2..93ccf202 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = true;
|
||||||
|
- fwmark.permission = PERMISSION_SYSTEM;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
||||||
|
// Therefore, it is safe to set the explicit bit on this query and skip all the complex logic
|
@ -0,0 +1,42 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Micay <daniel.micay@grapheneos.org>
|
||||||
|
Date: Wed, 31 Jul 2024 02:44:05 -0400
|
||||||
|
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
|
||||||
|
|
||||||
|
This avoids attempting to fix the leaks for VPN apps causing leaks
|
||||||
|
through not configuring DNS. This can be reliably fixed from the VPN
|
||||||
|
app's side.
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 13921e92..4c424dc0 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -189,7 +189,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.protectedFromVpn = true;
|
||||||
|
fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
||||||
|
@@ -201,6 +201,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
*netId = mDefaultNetId;
|
||||||
|
fwmark.netId = *netId;
|
||||||
|
fwmark.explicitlySelected = true;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
return fwmark.intValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -217,6 +218,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
if (network && network->getType() == Network::VIRTUAL &&
|
||||||
|
!RESOLV_STUB.resolv_has_nameservers(*netId)) {
|
||||||
|
*netId = mDefaultNetId;
|
||||||
|
+ } else {
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
|
@ -0,0 +1,24 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Thu, 9 May 2024 23:02:17 +0300
|
||||||
|
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
|
||||||
|
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 20ae44b2..93ccf202 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = true;
|
||||||
|
- fwmark.permission = PERMISSION_SYSTEM;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
||||||
|
// Therefore, it is safe to set the explicit bit on this query and skip all the complex logic
|
@ -0,0 +1,42 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Micay <daniel.micay@grapheneos.org>
|
||||||
|
Date: Wed, 31 Jul 2024 02:44:05 -0400
|
||||||
|
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
|
||||||
|
|
||||||
|
This avoids attempting to fix the leaks for VPN apps causing leaks
|
||||||
|
through not configuring DNS. This can be reliably fixed from the VPN
|
||||||
|
app's side.
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 93ccf202..c7a8a132 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -204,7 +204,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.protectedFromVpn = true;
|
||||||
|
fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
||||||
|
@@ -216,6 +216,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
*netId = mDefaultNetId;
|
||||||
|
fwmark.netId = *netId;
|
||||||
|
fwmark.explicitlySelected = true;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
return fwmark.intValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -231,6 +232,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
Network *network = getNetworkLocked(*netId);
|
||||||
|
if (network && network->getType() == Network::VIRTUAL && !resolv_has_nameservers(*netId)) {
|
||||||
|
*netId = mDefaultNetId;
|
||||||
|
+ } else {
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
|
@ -0,0 +1,24 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Thu, 9 May 2024 23:02:17 +0300
|
||||||
|
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
|
||||||
|
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 20ae44b2..93ccf202 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = true;
|
||||||
|
- fwmark.permission = PERMISSION_SYSTEM;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
||||||
|
// Therefore, it is safe to set the explicit bit on this query and skip all the complex logic
|
@ -0,0 +1,42 @@
|
|||||||
|
From a1e9fbcf977b0c8598c618aa3677913b19407cda Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Micay <daniel.micay@grapheneos.org>
|
||||||
|
Date: Wed, 31 Jul 2024 02:44:05 -0400
|
||||||
|
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
|
||||||
|
|
||||||
|
This avoids attempting to fix the leaks for VPN apps causing leaks
|
||||||
|
through not configuring DNS. This can be reliably fixed from the VPN
|
||||||
|
app's side.
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index a45d8556a..be4f7c19d 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -209,7 +209,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.protectedFromVpn = true;
|
||||||
|
fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
|
||||||
|
@@ -224,6 +224,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
*netId = defaultNetId;
|
||||||
|
fwmark.netId = *netId;
|
||||||
|
fwmark.explicitlySelected = true;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
return fwmark.intValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -239,6 +240,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
Network *network = getNetworkLocked(*netId);
|
||||||
|
if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) {
|
||||||
|
*netId = defaultNetId;
|
||||||
|
+ } else {
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
|
@ -0,0 +1,24 @@
|
|||||||
|
From ab1a83dc36e17c4ec61def8cc7386f908e054add Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Thu, 9 May 2024 23:02:17 +0300
|
||||||
|
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
|
||||||
|
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 0b0e061a8..a45d8556a 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -209,8 +209,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = true;
|
||||||
|
- fwmark.permission = PERMISSION_SYSTEM;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
|
||||||
|
unsigned defaultNetId = appDefaultNetwork ? appDefaultNetwork->getNetId() : mDefaultNetId;
|
@ -0,0 +1,42 @@
|
|||||||
|
From a1e9fbcf977b0c8598c618aa3677913b19407cda Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Micay <daniel.micay@grapheneos.org>
|
||||||
|
Date: Wed, 31 Jul 2024 02:44:05 -0400
|
||||||
|
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
|
||||||
|
|
||||||
|
This avoids attempting to fix the leaks for VPN apps causing leaks
|
||||||
|
through not configuring DNS. This can be reliably fixed from the VPN
|
||||||
|
app's side.
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index a45d8556a..be4f7c19d 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -209,7 +209,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.protectedFromVpn = true;
|
||||||
|
fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
|
||||||
|
@@ -224,6 +224,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
*netId = defaultNetId;
|
||||||
|
fwmark.netId = *netId;
|
||||||
|
fwmark.explicitlySelected = true;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
return fwmark.intValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -239,6 +240,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
||||||
|
Network *network = getNetworkLocked(*netId);
|
||||||
|
if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) {
|
||||||
|
*netId = defaultNetId;
|
||||||
|
+ } else {
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
|
@ -0,0 +1,24 @@
|
|||||||
|
From ab1a83dc36e17c4ec61def8cc7386f908e054add Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Thu, 9 May 2024 23:02:17 +0300
|
||||||
|
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
|
||||||
|
|
||||||
|
---
|
||||||
|
server/NetworkController.cpp | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
||||||
|
index 0b0e061a8..a45d8556a 100644
|
||||||
|
--- a/server/NetworkController.cpp
|
||||||
|
+++ b/server/NetworkController.cpp
|
||||||
|
@@ -209,8 +209,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
||||||
|
|
||||||
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
||||||
|
Fwmark fwmark;
|
||||||
|
- fwmark.protectedFromVpn = true;
|
||||||
|
- fwmark.permission = PERMISSION_SYSTEM;
|
||||||
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
||||||
|
+ fwmark.permission = getPermissionForUserLocked(uid);
|
||||||
|
|
||||||
|
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
|
||||||
|
unsigned defaultNetId = appDefaultNetwork ? appDefaultNetwork->getNetId() : mDefaultNetId;
|
@ -558,6 +558,7 @@ fi;
|
|||||||
|
|
||||||
if enterAndClear "system/netd"; then
|
if enterAndClear "system/netd"; then
|
||||||
applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
|
applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
|
||||||
|
#applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS) #XXX can break apps without relaxed variant backport
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/nfc"; then
|
if enterAndClear "system/nfc"; then
|
||||||
|
@ -686,6 +686,8 @@ fi;
|
|||||||
|
|
||||||
if enterAndClear "system/netd"; then
|
if enterAndClear "system/netd"; then
|
||||||
applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
|
applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/nfc"; then
|
if enterAndClear "system/nfc"; then
|
||||||
|
@ -661,6 +661,8 @@ applyPatch "$DOS_PATCHES/android_system_netd/376607.patch"; #Q_asb_2023-11 Fix u
|
|||||||
applyPatch "$DOS_PATCHES/android_system_netd/378074.patch"; #Q_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
|
applyPatch "$DOS_PATCHES/android_system_netd/378074.patch"; #Q_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
|
||||||
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
|
applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0003-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0003-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/nfc"; then
|
if enterAndClear "system/nfc"; then
|
||||||
|
@ -453,6 +453,8 @@ fi;
|
|||||||
|
|
||||||
if enterAndClear "system/netd"; then
|
if enterAndClear "system/netd"; then
|
||||||
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/sepolicy"; then
|
if enterAndClear "system/sepolicy"; then
|
||||||
|
@ -409,6 +409,8 @@ fi;
|
|||||||
|
|
||||||
if enterAndClear "system/netd"; then
|
if enterAndClear "system/netd"; then
|
||||||
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/sepolicy"; then
|
if enterAndClear "system/sepolicy"; then
|
||||||
|
@ -410,6 +410,11 @@ if enterAndClear "system/extras"; then
|
|||||||
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
|
if enterAndClear "system/netd"; then
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
|
||||||
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/sepolicy"; then
|
if enterAndClear "system/sepolicy"; then
|
||||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
|
||||||
|
Loading…
Reference in New Issue
Block a user