Broken EUICC handling

Signed-off-by: Tad <tad@spotco.us>
2024-09-27 19:56:32 +00:00 · 2023-08-05 15:42:58 -04:00 · 2023-08-05 15:42:58 -04:00 · 7ef5d9a9c4
commit 7ef5d9a9c4
parent 196dfddf63
8 changed files with 102 additions and 10 deletions
--- a/Manifests/Manifest_LAOS-20.0.xml
+++ b/Manifests/Manifest_LAOS-20.0.xml
@ -52,9 +52,9 @@
 	<!-- GrapheneOS -->
 	<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="d3152b8e8ff5070f69e7c991d34f32a429e6a894" />

-	<!-- OpenEUICC -->
+	<!-- OpenEUICC
 	<project path="packages/apps/OpenEUICC" name="PeterCxy/OpenEUICC" remote="angry" revision="6add8c89ac141f177cd8d124a0a955232f4222f9" />
-	<project path="prebuilts/openeuicc-deps" name="PeterCxy/android_prebuilts_openeuicc-deps" remote="angry" revision="55f3e2c7ab26484f7478b26540fa14392d0c2cd7" />
+	<project path="prebuilts/openeuicc-deps" name="PeterCxy/android_prebuilts_openeuicc-deps" remote="angry" revision="55f3e2c7ab26484f7478b26540fa14392d0c2cd7" /> -->
 <!-- END OF ADDITIONAL REPOS -->

 <!-- START OF DEVICE REPOS -->
--- a/Patches/Common/android_vendor_divested/packages.mk
+++ b/Patches/Common/android_vendor_divested/packages.mk
@ -13,6 +13,11 @@ PRODUCT_PACKAGES += \
 #    OpenCamera
 #endif

+#ifneq ($(filter crosshatch blueline bonito sargo coral flame sunfish barbet redfin bluejay oriole raven panther cheetah FP4,$(TARGET_DEVICE)),)
+#PRODUCT_PACKAGES += \
+#    OpenEUICC
+#endif
+
 # Extras
 PRODUCT_PACKAGES += \
    TalkBack \
--- a/Patches/LineageOS-20.0/android_bootable_recovery/0001-No_SerialNum_Restrictions.patch
+++ b/Patches/LineageOS-20.0/android_bootable_recovery/0001-No_SerialNum_Restrictions.patch
@ -8,10 +8,10 @@ Subject: [PATCH] reject updates with serialno constraints
 1 file changed, 2 insertions(+), 14 deletions(-)

 diff --git a/install/install.cpp b/install/install.cpp
-index 61bab17b..e14cbf50 100644
+index 11a6b3ff..8dd647be 100644
 --- a/install/install.cpp
 +++ b/install/install.cpp
-@@ -221,22 +221,10 @@ bool CheckPackageMetadata(const std::map<std::string, std::string>& metadata, Ot
+@@ -223,22 +223,10 @@ bool CheckPackageMetadata(const std::map<std::string, std::string>& metadata, Ot
     return false;
   }
 
--- a/Patches/LineageOS-20.0/android_frameworks_base/0037-filter-gms.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0037-filter-gms.patch
@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oliver Scott <olivercscott@gmail.com>
+Date: Wed, 17 May 2023 15:42:52 -0400
+Subject: [PATCH] Filter select package queries for GMS
+
+Bit of a hack to pretend that microG is not available,
+to make apps work
+
+[tad@spotco.us]: adjusted package list
+Change-Id: Ic5ddb78b1014ce567d1a5c57fc79f79edd1154c0
+
+Change-Id: I7969470baa125eef349e82808b0d6e643e344c8b
+---
+ .../java/com/android/server/pm/AppsFilterBase.java  | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/AppsFilterBase.java b/services/core/java/com/android/server/pm/AppsFilterBase.java
+index 01252c48081e..07746236320e 100644
+--- a/services/core/java/com/android/server/pm/AppsFilterBase.java
+++ b/services/core/java/com/android/server/pm/AppsFilterBase.java
+@@ -37,6 +37,7 @@ import android.util.Slog;
+ import android.util.SparseArray;
+ 
+ import com.android.internal.annotations.VisibleForTesting;
+import com.android.internal.util.ArrayUtils;
+ import com.android.internal.util.function.QuadFunction;
+ import com.android.server.om.OverlayReferenceMapper;
+ import com.android.server.pm.parsing.pkg.AndroidPackage;
+@@ -64,6 +65,9 @@ import java.util.concurrent.atomic.AtomicBoolean;
+ public abstract class AppsFilterBase implements AppsFilterSnapshot {
+     protected static final String TAG = "AppsFilter";
+ 
+    private static final String GMS = "com.google.android.gms";
+    private static final String[] GMS_HIDDEN_PACKAGES = { "com.google.euiccpixel" };
+
+     // Logs all filtering instead of enforcing
+     protected static final boolean DEBUG_ALLOW_ALL = false;
+     protected static final boolean DEBUG_LOGGING = false;
+@@ -496,6 +500,15 @@ public abstract class AppsFilterBase implements AppsFilterSnapshot {
+                     if (DEBUG_LOGGING) {
+                         log(callingSetting, targetPkgSetting, "force queryable");
+                     }
+                    if (GMS.equals(targetPkgSetting.getPackageName())
+                            && callingPkgSetting != null) {
+                        // HACK: Hide GMS from these packages
+                        // Breaks login but makes them work
+                        if (ArrayUtils.contains(GMS_HIDDEN_PACKAGES,
+                                callingPkgSetting.getPackageName())) {
+                            return true;
+                        }
+                    }
+                     return false;
+                 }
+             } finally {
--- a/Patches/LineageOS-20.0/android_frameworks_base/0038-no-camera-lpad.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0038-no-camera-lpad.patch
@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Sun, 19 Mar 2023 17:57:26 +0200
+Subject: [PATCH] do not auto-grant Camera permission to the eUICC LPA UI app
+
+Google's LPA that is shipped on GrapheneOS handles requesting the Camera permission at runtime,
+which allows the user to give it a one-time grant.
+---
+ .../server/pm/permission/DefaultPermissionGrantPolicy.java      | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+index 0443d19ba1d4..39608dcc9ccb 100644
+--- a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+++ b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+@@ -1060,8 +1060,6 @@ final class DefaultPermissionGrantPolicy {
+ 
+     public void grantDefaultPermissionsToActiveLuiApp(String packageName, int userId) {
+         Log.i(TAG, "Granting permissions to active LUI app for user:" + userId);
+-        grantSystemFixedPermissionsToSystemPackage(NO_PM_CACHE, packageName, userId,
+-                CAMERA_PERMISSIONS);
+     }
+ 
+     public void revokeDefaultPermissionsFromLuiApps(String[] packageNames, int userId) {
--- a/Scripts/Common/Deblob.sh
+++ b/Scripts/Common/Deblob.sh
@ -287,12 +287,14 @@ echo "Deblobbing...";
 	#eUICC (Virtual SIM) [Google]
 	if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ] || [ "$DOS_DEBLOBBER_REMOVE_EUICC" = true ]; then
 		blobs=$blobs"|EuiccGoogle.apk|EuiccGoogleOverlay.apk"; #Google LPAD
-		blobs=$blobs"|EuiccSupportPixel.apk|EuiccSupportPixelPermissions.apk"; #Hardware support
-		blobs=$blobs"|esim0.img|esim-v1.img|esim-full-v0.img|esim-a1.img|esim-a2.img"; #Firmware
-		blobs=$blobs"|com.google.euiccpixel.xml|com.google.euiccpixel.permissions.xml"; #Permissions
-		makes=$makes"|android.hardware.telephony.euicc.*"; #Manifests
 		makes=$makes"|GoogleParts"; #Disables apps if GMS is not available
 		#overlay=$overlay"|config_telephonyEuiccDeviceCapabilities"; #TODO handle multiple lines
+		if [ "$DOS_DEBLOBBER_REMOVE_EUICC_FULL" = true ]; then
+			blobs=$blobs"|EuiccSupportPixel.apk|EuiccSupportPixelPermissions.apk"; #Hardware support
+			blobs=$blobs"|esim0.img|esim-v1.img|esim-full-v0.img|esim-a1.img|esim-a2.img"; #Firmware
+			blobs=$blobs"|com.google.euiccpixel.xml|com.google.euiccpixel.permissions.xml"; #Permissions
+			makes=$makes"|android.hardware.telephony.euicc.*"; #Manifests
+		fi;
 	fi;

 	#Google Camera
--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@ -182,7 +182,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a
 applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0034-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0035-System_JobScheduler_Allowance.patch"; #DeviceIdleJobsController: don't ignore whitelisted system apps (GrapheneOS)
-if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Unprivileged_microG_Handling.patch"; fi; #Unprivileged microG handling (heavily based off of a CalyxOS patch)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Unprivileged_microG_Handling.patch"; #Unprivileged microG handling (heavily based off of a CalyxOS patch)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0037-filter-gms.patch"; #Filter select package queries for GMS (CalyxOS)
+fi;
+applyPatch "$DOS_PATCHES/android_frameworks_base/0038-no-camera-lpad.patch"; #Do not auto-grant Camera permission to the eUICC LPA UI app (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
@ -427,6 +431,7 @@ sed -i 's/OpenCamera/Aperture/' packages.mk; #Use the LineageOS camera app
 awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
 sed -i 's/wifi,cell/internet/' overlay/common/frameworks/base/packages/SystemUI/res/values/config.xml; #Use the modern quick tile
 sed -i 's|system/etc|$(TARGET_COPY_OUT_PRODUCT)/etc|' divestos.mk;
+if [ "$DOS_DEBLOBBER_REMOVE_EUICC_FULL" = true ]; then sed -i 's/OpenEUICC/OpenInvalidEUICC/' packages.mk; fi; #Handle OpenEUICC inclusion
 fi;
 #
 #END OF ROM CHANGES
@ -553,6 +558,7 @@ enableLowRam "device/xiaomi/Mi8937" "Mi8937";
 [[ -d kernel/samsung/exynos9810 ]] && sed -i "s/CONFIG_RANDOMIZE_BASE=y/# CONFIG_RANDOMIZE_BASE is not set/" kernel/samsung/exynos9810/arch/arm64/configs/*_defconfig; #Breaks on compile
 [[ -d kernel/xiaomi/msm8937 ]] && sed -i "s/CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y/# CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY is not set/" kernel/xiaomi/msm8937/arch/arm64/configs/*_defconfig; #Breaks on compile

+if [ "$DOS_DEBLOBBER_REMOVE_EUICC_FULL" = false ]; then sed -i '/<privapp-permissions/a\ \ \ \ \ \ \ \ <deny-permission name="android.permission.INTERNET" \/>' vendor/*/*/proprietary/*/etc/permissions/com.google.euiccpixel.xml; fi; #Remove network permission
 sed -i 's/^YYLTYPE yylloc;/extern YYLTYPE yylloc;/' kernel/*/*/scripts/dtc/dtc-lexer.l* || true; #Fix builds with GCC 10
 rm -v kernel/*/*/drivers/staging/greybus/tools/Android.mk || true;
 rm -v kernel/*/*/*/*/drivers/staging/greybus/tools/Android.mk || true;
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@ -47,7 +47,8 @@ export DOS_DEBLOBBER_REMOVE_DPM=true; #Set true to remove all DPM blobs #XXX: Ma
 export DOS_DEBLOBBER_REMOVE_DPP=false; #Set true to remove all Display Post Processing blobs #XXX: Breaks boot on select devices
 export DOS_DEBLOBBER_REMOVE_FP=false; #Set true to remove all fingerprint reader blobs
 export DOS_DEBLOBBER_REMOVE_GRAPHICS=false; #Set true to remove all graphics blobs and use SwiftShader CPU renderer #TODO: Needs work
-export DOS_DEBLOBBER_REMOVE_EUICC=true; #Set true to remove all eUICC blobs
+export DOS_DEBLOBBER_REMOVE_EUICC=true; #Set true to remove all Google eUICC blobs
+export DOS_DEBLOBBER_REMOVE_EUICC_FULL=true; #Set true to remove all hardware eUICC blobs #TODO: needs work
 export DOS_DEBLOBBER_REMOVE_IMS=false; #Set true to remove all IMS blobs #XXX: Carriers are phasing out 3G, making IMS mandatory for calls
 export DOS_DEBLOBBER_REMOVE_IPA=false; #Set true to remove all IPA blobs
 export DOS_DEBLOBBER_REMOVE_IR=false; #Set true to remove all IR blobs