16.0: June ASB picks

Signed-off-by: Tavi <tavi@divested.dev>
2025-01-12 16:09:36 -05:00 · 2024-06-19 16:11:38 -04:00 · 2024-06-19 16:11:38 -04:00 · 7e6c6ad5e5
commit 7e6c6ad5e5
parent 416482ff52
7 changed files with 363 additions and 1 deletions
--- a/Patches/LineageOS-16.0/android_frameworks_base/394877.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/394877.patch
@ -0,0 +1,128 @@
+From 361c828f654b646f968644dbadf8a1f5f8ad67d8 Mon Sep 17 00:00:00 2001
+From: Valentin Iftime <valiiftime@google.com>
+Date: Thu, 1 Feb 2024 13:58:49 +0100
+Subject: [PATCH] [BACKPORT] Verify URI permission for channel sound update
+ from NotificationListenerService
+
+ Check that a privileged NotificationListenerService (CDM) has the permission to access the sound URI
+  when updating a notification channel.
+
+Test: atest com.android.server.notification.NotificationManagerServiceTest#testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission
+Bug: 317357401
+(cherry picked from commit 9b7bbbf5ad542ecf9ecbf8cd819b468791b443c0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f090c0538a27d8658d8a860046d5c5e931302341)
+Merged-In: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
+Change-Id: Ic7d2e96e43565e98d2aa29b8f2ba35c142387ba9
+---
+ .../NotificationManagerService.java           | 22 +++++++
+ .../NotificationManagerServiceTest.java       | 57 +++++++++++++++++++
+ 2 files changed, 79 insertions(+)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index a1e8cd15fd7ee..e793dc024156a 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -3668,6 +3668,10 @@ public void updateNotificationChannelFromPrivilegedListener(INotificationListene
+             Preconditions.checkNotNull(user);
+ 
+             verifyPrivilegedListener(token, user);
+
+            final NotificationChannel originalChannel = mRankingHelper.getNotificationChannel(
+                    pkg, getUidForPackageAndUser(pkg, user), channel.getId(), true);
+            verifyPrivilegedListenerUriPermission(Binder.getCallingUid(), channel, originalChannel);
+             updateNotificationChannelInt(pkg, getUidForPackageAndUser(pkg, user), channel, true);
+         }
+ 
+@@ -3709,6 +3713,24 @@ private void verifyPrivilegedListener(INotificationListener token, UserHandle us
+             }
+         }
+ 
+        private void verifyPrivilegedListenerUriPermission(int sourceUid,
+                @NonNull NotificationChannel updateChannel,
+                @Nullable NotificationChannel originalChannel) {
+            // Check that the NLS has the required permissions to access the channel
+            final Uri soundUri = updateChannel.getSound();
+            final Uri originalSoundUri =
+                    (originalChannel != null) ? originalChannel.getSound() : null;
+            if (soundUri != null && !Objects.equals(originalSoundUri, soundUri)) {
+                Binder.withCleanCallingIdentity(() -> {
+                    mAm.checkGrantUriPermission(sourceUid, null,
+                            ContentProvider.getUriWithoutUserId(soundUri),
+                            Intent.FLAG_GRANT_READ_URI_PERMISSION,
+                            ContentProvider.getUserIdFromUri(soundUri,
+                            UserHandle.getUserId(sourceUid)));
+                });
+            }
+        }
+
+         private int getUidForPackageAndUser(String pkg, UserHandle user) throws RemoteException {
+             int uid = 0;
+             long identity = Binder.clearCallingIdentity();
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+index 379290bcf0ad0..db83d8f1a4f07 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+@@ -1681,6 +1681,63 @@ public void testUpdateNotificationChannelFromPrivilegedListener_badUser() throws
+                 eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
+     }
+ 
+    @Test
+    public void testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission()
+            throws Exception {
+        mService.setPreferencesHelper(mPreferencesHelper);
+        List<String> associations = new ArrayList<>();
+        associations.add("a");
+        when(mCompanionMgr.getAssociations(PKG, UserHandle.getUserId(mUid)))
+                .thenReturn(associations);
+        when(mPreferencesHelper.getNotificationChannel(eq(PKG), anyInt(),
+                eq(mTestNotificationChannel.getId()), anyBoolean()))
+                .thenReturn(mTestNotificationChannel);
+        final Uri soundUri = Uri.parse("content://media/test/sound/uri");
+        final NotificationChannel updatedNotificationChannel = new NotificationChannel(
+                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
+        updatedNotificationChannel.setSound(soundUri,
+                updatedNotificationChannel.getAudioAttributes());
+        doThrow(new SecurityException("no access")).when(mUgmInternal)
+                .checkGrantUriPermission(eq(Process.myUid()), any(), eq(soundUri),
+                anyInt(), eq(Process.myUserHandle().getIdentifier()));
+        assertThrows(SecurityException.class,
+                () -> mBinderService.updateNotificationChannelFromPrivilegedListener(null, PKG,
+                Process.myUserHandle(), updatedNotificationChannel));
+        verify(mPreferencesHelper, never()).updateNotificationChannel(
+                anyString(), anyInt(), any(), anyBoolean());
+        verify(mListeners, never()).notifyNotificationChannelChanged(eq(PKG),
+                eq(Process.myUserHandle()), eq(mTestNotificationChannel),
+                eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
+    }
+
+    @Test
+    public void testUpdateNotificationChannelFromPrivilegedListener_noSoundUriPermission_sameSound()
+            throws Exception {
+        mService.setPreferencesHelper(mPreferencesHelper);
+        List<String> associations = new ArrayList<>();
+        associations.add("a");
+        when(mCompanionMgr.getAssociations(PKG, UserHandle.getUserId(mUid)))
+                .thenReturn(associations);
+        when(mPreferencesHelper.getNotificationChannel(eq(PKG), anyInt(),
+                eq(mTestNotificationChannel.getId()), anyBoolean()))
+                .thenReturn(mTestNotificationChannel);
+        final Uri soundUri = Settings.System.DEFAULT_NOTIFICATION_URI;
+        final NotificationChannel updatedNotificationChannel = new NotificationChannel(
+                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
+        updatedNotificationChannel.setSound(soundUri,
+                updatedNotificationChannel.getAudioAttributes());
+        doThrow(new SecurityException("no access")).when(mUgmInternal)
+                .checkGrantUriPermission(eq(Process.myUid()), any(), eq(soundUri),
+                    anyInt(), eq(Process.myUserHandle().getIdentifier()));
+        mBinderService.updateNotificationChannelFromPrivilegedListener(
+                null, PKG, Process.myUserHandle(), updatedNotificationChannel);
+        verify(mPreferencesHelper, times(1)).updateNotificationChannel(
+                anyString(), anyInt(), any(), anyBoolean());
+        verify(mListeners, never()).notifyNotificationChannelChanged(eq(PKG),
+                eq(Process.myUserHandle()), eq(mTestNotificationChannel),
+                eq(NotificationListenerService.NOTIFICATION_CHANNEL_OR_GROUP_UPDATED));
+    }
+
+     @Test
+     public void testGetNotificationChannelFromPrivilegedListener_success() throws Exception {
+         mService.setRankingHelper(mRankingHelper);
--- a/Patches/LineageOS-16.0/android_frameworks_base/394878.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/394878.patch
@ -0,0 +1,43 @@
+From 2d2a31353a07daf096aa9e2ca09e18ad2773b1ba Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 26 Mar 2024 10:31:44 -0700
+Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
+
+Another verification is needed after Bundle modification.
+Bug: 321941232
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
+Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
+Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 4e4c261d0cc46..19e1a4c55120a 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3453,6 +3453,11 @@ public void onResult(Bundle result) {
+ 
+             // Strip auth token from result.
+             result.remove(AccountManager.KEY_AUTHTOKEN);
+            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
+                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                        "invalid intent in bundle returned");
+                return;
+            }
+ 
+             if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                 Log.v(TAG,
+@@ -5039,6 +5044,11 @@ public void onResult(Bundle result) {
+                     } else {
+                         if (mStripAuthTokenFromResult) {
+                             result.remove(AccountManager.KEY_AUTHTOKEN);
+                            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
+                                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                                        "invalid intent in bundle returned");
+                                return;
+                            }
+                         }
+                         if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                             Log.v(TAG, getClass().getSimpleName()
--- a/Patches/LineageOS-16.0/android_frameworks_base/394879.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/394879.patch
@ -0,0 +1,53 @@
+From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001
+From: Chris Wailes <chriswailes@google.com>
+Date: Thu, 18 Apr 2019 18:25:57 -0700
+Subject: [PATCH] Adds additional sanitization for Zygote command arguments.
+
+Previously we were only insuring that the arguments provided to the
+Zygote didn't contain any newlines.  This adds additional checks for
+carriage returns and standalone integer arguments to protect against
+malicious argument and packet injection respectively.
+
+Bug: 130164289
+Test: m & flash & boot & check logs
+Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
+Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
+(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
+---
+ core/java/android/os/ZygoteProcess.java | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 6994033a963a8..904ec46859fa4 100644
+--- a/core/java/android/os/ZygoteProcess.java
+++ b/core/java/android/os/ZygoteProcess.java
+@@ -16,6 +16,7 @@
+ 
+ package android.os;
+ 
+import android.annotation.NonNull;
+ import android.net.LocalSocket;
+ import android.net.LocalSocketAddress;
+ import android.util.Log;
+@@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
+      */
+     @GuardedBy("mLock")
+     private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+-            ZygoteState zygoteState, ArrayList<String> args)
+            ZygoteState zygoteState, @NonNull ArrayList<String> args)
+             throws ZygoteStartFailedEx {
+         try {
+             // Throw early if any of the arguments are malformed. This means we can
+             // avoid writing a partial response to the zygote.
+             int sz = args.size();
+             for (int i = 0; i < sz; i++) {
+                // Making two indexOf calls here is faster than running a manually fused loop due
+                // to the fact that indexOf is a optimized intrinsic.
+                 if (args.get(i).indexOf('\n') >= 0) {
+-                    throw new ZygoteStartFailedEx("embedded newlines not allowed");
+                    throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+                } else if (args.get(i).indexOf('\r') >= 0) {
+                    throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+                 }
+             }
+ 
--- a/Patches/LineageOS-16.0/android_frameworks_base/394880.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/394880.patch
@ -0,0 +1,32 @@
+From 00ff56bb646c525192f06cbeed96c3dc78d45795 Mon Sep 17 00:00:00 2001
+From: Hans Boehm <hboehm@google.com>
+Date: Tue, 2 Jan 2024 16:53:13 -0800
+Subject: [PATCH] Check hidden API exemptions
+
+Refuse to deal with newlines and null characters in
+HiddenApiSettings.update(). Also disallow nulls in process start
+arguments.
+
+Bug: 316153291
+Test: Treehugger for now
+(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
+Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+---
+ core/java/android/os/ZygoteProcess.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
+index 904ec46859fa4..aab1d9d578031 100644
+--- a/core/java/android/os/ZygoteProcess.java
+++ b/core/java/android/os/ZygoteProcess.java
+@@ -292,6 +292,8 @@ private static Process.ProcessStartResult zygoteSendArgsAndGetResult(
+                     throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+                 } else if (args.get(i).indexOf('\r') >= 0) {
+                     throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+                } else if (args.get(i).indexOf('\u0000') >= 0) {
+                    throw new ZygoteStartFailedEx("Embedded nulls not allowed");
+                 }
+             }
+ 
--- a/Patches/LineageOS-16.0/android_frameworks_base/394881.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/394881.patch
@ -0,0 +1,60 @@
+From a73947c4826f59babc2368754e478942eb9b28a1 Mon Sep 17 00:00:00 2001
+From: Ameer Armaly <aarmaly@google.com>
+Date: Fri, 8 Mar 2024 19:41:06 +0000
+Subject: [PATCH] AccessibilityManagerService: remove uninstalled services from
+ enabled list after service update.
+
+Bug: 326485767
+Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5405514a23edcba0cf30e6ec78189e3f4e7d95cf)
+Merged-In: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+Change-Id: I5e59296fcad68e62b34c74ee5fd80b6ad6b46fa1
+---
+ .../AccessibilityManagerService.java          | 23 +++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index fd87be3e5649f..39ac2f3c1bdbf 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1553,10 +1553,13 @@ private void updateServicesLocked(UserState userState) {
+         boolean isUnlockingOrUnlocked = LocalServices.getService(UserManagerInternal.class)
+                     .isUserUnlockingOrUnlocked(userState.mUserId);
+ 
+        // Store the list of installed services.
+        mTempComponentNameSet.clear();
+         for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
+             AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
+             ComponentName componentName = ComponentName.unflattenFromString(
+                     installedService.getId());
+            mTempComponentNameSet.add(componentName);
+ 
+             AccessibilityServiceConnection service = componentNameToServiceMap.get(componentName);
+ 
+@@ -1602,6 +1605,26 @@ private void updateServicesLocked(UserState userState) {
+         if (audioManager != null) {
+             audioManager.setAccessibilityServiceUids(mTempIntArray);
+         }
+
+        // If any services have been removed, remove them from the enabled list and the touch
+        // exploration granted list.
+        boolean anyServiceRemoved =
+                userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
+                        || userState.mTouchExplorationGrantedServices.removeIf(
+                                (comp) -> !mTempComponentNameSet.contains(comp));
+        if (anyServiceRemoved) {
+            // Update the enabled services setting.
+            persistComponentNamesToSettingLocked(
+                    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
+                    userState.mEnabledServices,
+                    userState.mUserId);
+            // Update the touch exploration granted services setting.
+            persistComponentNamesToSettingLocked(
+                    Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
+                    userState.mTouchExplorationGrantedServices,
+                    userState.mUserId);
+        }
+        mTempComponentNameSet.clear();
+         updateAccessibilityEnabledSetting(userState);
+     }
+ 
--- a/Patches/LineageOS-16.0/android_frameworks_base/394882.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/394882.patch
@ -0,0 +1,40 @@
+From 538cc6c384985f272dc7ab6c7cc7222a59b4c341 Mon Sep 17 00:00:00 2001
+From: Guojing Yuan <guojing@google.com>
+Date: Thu, 14 Dec 2023 19:30:04 +0000
+Subject: [PATCH] [BACKPORT] Check permissions for CDM shell commands
+
+Override handleShellCommand instead of onShellCommand because
+Binder.onShellCommand checks the necessary permissions of the caller.
+
+Backport by mse1969@posteo.de:
+In Pie, method handleShellCommand does not exist, only Binder.onShellCommand, in which
+the caller uid check isn't yet implemented. Backport: Take over the uid check from A11
+and implement it in the method override.
+
+Bug: 313428840
+
+Test: manually tested CDM shell commands
+(cherry picked from commit 1761a0fee9c2cd9787bbb7fbdbe30b4c2b03396e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d008c61451dba86aa9f14c6bcd661db2cea4856)
+Merged-In: I5539b3594feb5544c458c0fd1061b51a0a808900
+Change-Id: I5539b3594feb5544c458c0fd1061b51a0a808900
+---
+ .../server/companion/CompanionDeviceManagerService.java      | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index 087fe8560fc80..8ffb53f8a3b9d 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -345,6 +345,11 @@ private void checkUsesFeature(String pkg, int userId) {
+         public void onShellCommand(FileDescriptor in, FileDescriptor out, FileDescriptor err,
+                 String[] args, ShellCallback callback, ResultReceiver resultReceiver)
+                 throws RemoteException {
+            final int callingUid = Binder.getCallingUid();
+            if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
+                resultReceiver.send(-1, null);
+                throw new RemoteException("Shell commands are only callable by ADB");
+            }
+             new ShellCmd().exec(this, in, out, err, args, callback, resultReceiver);
+         }
+     }
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-04 #XXX
+sed -i 's/2022-01-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-06 #XXX
 fi;

 if enterAndClear "build/soong"; then
@ -320,6 +320,12 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 D
 applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/389269.patch"; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
 applyPatch "$DOS_PATCHES/android_frameworks_base/389270.patch"; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394877.patch"; #P_asb_2024-06 Verify URI permission for channel sound update from NotificationListenerService
+applyPatch "$DOS_PATCHES/android_frameworks_base/394878.patch"; #P_asb_2024-06 Add more checkKeyIntent checks to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 Adds additional sanitization for Zygote command arguments.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
+applyPatch "$DOS_PATCHES/android_frameworks_base/394881.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
+applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)