11.0: More work

This commit is contained in:
Tad 2018-07-10 08:29:08 -04:00
parent 5716c58485
commit 966f4a5baf
6 changed files with 159 additions and 17 deletions

View File

@ -0,0 +1,27 @@
From de55e0158ad3a6f89718c1d9fb19d336dea34937 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 10 Jul 2018 08:09:29 -0400
Subject: [PATCH] Enable secure_delete by default
Change-Id: Iad6cea9f6489759faee04926213163a56dab1b9b
---
dist/Android.mk | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dist/Android.mk b/dist/Android.mk
index 96e3035..4692f3f 100644
--- a/dist/Android.mk
+++ b/dist/Android.mk
@@ -28,7 +28,8 @@ common_sqlite_flags := \
-DSQLITE_OMIT_COMPILEOPTION_DIAGS \
-DSQLITE_OMIT_LOAD_EXTENSION \
-DSQLITE_DEFAULT_FILE_PERMISSIONS=0600 \
- -Dfdatasync=fdatasync
+ -Dfdatasync=fdatasync \
+ -DSQLITE_SECURE_DELETE
common_src_files := sqlite3.c
--
2.18.0

View File

@ -0,0 +1,66 @@
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index e6da288..66684d3 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -447,10 +447,23 @@ public class PackageParser {
}
}
if ((flags&PackageManager.GET_SIGNATURES) != 0) {
- int N = (p.mSignatures != null) ? p.mSignatures.length : 0;
- if (N > 0) {
- pi.signatures = new Signature[N];
- System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N);
+ boolean handledFakeSignature = false;
+ try {
+ if (p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") && p.mAppMetaData != null
+ && p.mAppMetaData.get("fake-signature") instanceof String) {
+ pi.signatures = new Signature[] {new Signature(p.mAppMetaData.getString("fake-signature"))};
+ handledFakeSignature = true;
+ }
+ } catch (Throwable t) {
+ // We should never die because of any failures, this is system code!
+ Log.w("PackageParser.FAKE_PACKAGE_SIGNATURE", t);
+ }
+ if (!handledFakeSignature) {
+ int N = (p.mSignatures != null) ? p.mSignatures.length : 0;
+ if (N > 0) {
+ pi.signatures = new Signature[N];
+ System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N);
+ }
}
}
return pi;
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 558a475..4e7aa65 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1562,6 +1562,13 @@
android:label="@string/permlab_getPackageSize"
android:description="@string/permdesc_getPackageSize" />
+ <!-- Allows an application to change the package signature as seen by applications -->
+ <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
+ android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
+ android:protectionLevel="dangerous"
+ android:label="@string/permlab_fakePackageSignature"
+ android:description="@string/permdesc_fakePackageSignature" />
+
<!-- @deprecated No longer useful, see
{@link android.content.pm.PackageManager#addPackageToPreferred}
for details. -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 790e166..8e66470 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -1135,6 +1135,11 @@
<string name="permdesc_getPackageSize">Allows the app to retrieve its code, data, and cache sizes</string>
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permlab_fakePackageSignature">mimic package signature</string>
+ <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permdesc_fakePackageSignature">Allows the app to use mimic another app\'s package signature.</string>
+
+ <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_installPackages">directly install apps</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permdesc_installPackages">Allows the app to install new or updated

View File

@ -0,0 +1,26 @@
From 79c65fa6741cecda0b38a4881a07ec54a4896b69 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Tue, 10 Jul 2018 08:13:23 -0400
Subject: [PATCH] Harden signature spoofing
Change-Id: Iad362df358cb9cdf6e2ce9d511f09ee6b77a90e2
---
core/res/AndroidManifest.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 1e5a7ad1f9..224fea23c8 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1598,7 +1598,7 @@
<!-- Allows an application to change the package signature as seen by applications -->
<permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
- android:protectionLevel="dangerous"
+ android:protectionLevel="signature"
android:label="@string/permlab_fakePackageSignature"
android:description="@string/permdesc_fakePackageSignature" />
--
2.18.0

View File

@ -0,0 +1,30 @@
From f19ab3bce2115c6ddf24528885305c3ba038f29b Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 10 Jul 2018 08:22:08 -0400
Subject: [PATCH] Harden mounts
Change-Id: I2db94882224672cac3e54f7d8422d1e036828378
---
init/init.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/init/init.c b/init/init.c
index 53e0dae1..d022253b 100644
--- a/init/init.c
+++ b/init/init.c
@@ -1136,9 +1136,9 @@ int main(int argc, char **argv)
mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
mkdir("/dev/pts", 0755);
mkdir("/dev/socket", 0755);
- mount("devpts", "/dev/pts", "devpts", 0, NULL);
- mount("proc", "/proc", "proc", 0, NULL);
- mount("sysfs", "/sys", "sysfs", 0, NULL);
+ mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
+ mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
+ mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
/* indicate that booting is in progress to background fw loaders, etc */
close(open("/dev/.booting", O_WRONLY | O_CREAT, 0000));
--
2.18.0

View File

@ -252,7 +252,7 @@ changeDefaultDNS() {
echo "You must first set a preset via the DEFAULT_DNS_PRESET variable in init.sh!"; echo "You must first set a preset via the DEFAULT_DNS_PRESET variable in init.sh!";
fi; fi;
files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java"; files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java services/java/com/android/server/connectivity/Tethering.java";
sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true; sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true;
sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true; sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true;
sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true; sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true;

View File

@ -60,9 +60,6 @@ echo -e "\n84831b9409646a918e30573bab4c9c91346d8abd" > "$ANDROID_HOME/licenses/a
cp -r "$DOS_PREBUILT_APPS""Fennec_DOS-Shim" "$DOS_BUILD_BASE""packages/apps/"; #Add a shim to install Fennec DOS without actually including the large APK cp -r "$DOS_PREBUILT_APPS""Fennec_DOS-Shim" "$DOS_BUILD_BASE""packages/apps/"; #Add a shim to install Fennec DOS without actually including the large APK
cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps
enterAndClear "bootable/recovery";
#patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button? #TODO
enterAndClear "build"; enterAndClear "build";
#patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO #patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO
#sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence #sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
@ -70,15 +67,15 @@ sed -i 's/ro.secure=0/ro.secure=1/' core/main.mk;
#sed -i 's/ro.adb.secure=0/ro.adb.secure=1/' core/main.mk; #sed -i 's/ro.adb.secure=0/ro.adb.secure=1/' core/main.mk;
enterAndClear "external/sqlite"; enterAndClear "external/sqlite";
#patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0) #TODO patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0)
enterAndClear "frameworks/base"; enterAndClear "frameworks/base";
#sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.xml; #Change default SMS app to Silence #sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.xml; #Change default SMS app to Silence
sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete
#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) #TODO if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key #TODO if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then sed -i '/<item>com.android.location.fused<\/item>/a \ \ \ \ \ \ \ \ <item>org.microg.nlp</item>' core/res/res/values/config.xml; fi; #Add UnifiedNLP to location providers if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then sed -i '/<item>com.android.location.fused<\/item>/a \ \ \ \ \ \ \ \ <item>org.microg.nlp</item>' core/res/res/values/config.xml; fi; #Add UnifiedNLP to location providers
changeDefaultDNS; #TODO changeDefaultDNS;
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #TODO #patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #TODO
rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig; rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig;
@ -123,17 +120,14 @@ enterAndClear "packages/apps/Trebuchet";
#cp -r "$DOS_PATCHES_COMMON/android_packages_apps_Trebuchet/default_workspace/." "res/xml/"; #TODO #cp -r "$DOS_PATCHES_COMMON/android_packages_apps_Trebuchet/default_workspace/." "res/xml/"; #TODO
sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java; sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;
enterAndClear "packages/inputmethods/LatinIME";
#patch -p1 < "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voice.patch"; #Remove voice input key #TODO
enterAndClear "system/core"; enterAndClear "system/core";
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
#patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) #TODO patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
enterAndClear "vendor/cm"; enterAndClear "vendor/cm";
rm -rf terminal; rm -rf terminal;
awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used
#sed -i '3iinclude vendor/cm/config/sce.mk' config/common.mk; #Include extra apps #TODO #sed -i '3iinclude vendor/cm/config/sce.mk' config/common.mk; #Include extra apps
if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
awk -i inplace '!/DSPManager/' config/common.mk; awk -i inplace '!/DSPManager/' config/common.mk;
fi; fi;
@ -159,24 +153,23 @@ patch -p1 < "$DOS_PATCHES/android_device_zte_nex/0001-Fixes.patch"; #Build fixes
sed -i 's/ro.sf.lcd_density=240/ro.sf.lcd_density=180/' system.prop; sed -i 's/ro.sf.lcd_density=240/ro.sf.lcd_density=180/' system.prop;
mv cm.mk lineage.mk; mv cm.mk lineage.mk;
sed -i 's/cm_/lineage_/' lineage.mk vendorsetup.sh; sed -i 's/cm_/lineage_/' lineage.mk vendorsetup.sh;
awk -i inplace '!/WCNSS_qcom_wlan_nv_2.bin/' proprietary-files.txt;
#In nex-vendor-blobs.mk #In nex-vendor-blobs.mk
# "system/lib/libtime_genoff.so" -> "obj/lib/libtime_genoff.so" # "system/lib/libtime_genoff.so" -> "obj/lib/libtime_genoff.so"
# Remove "WCNSS_qcom_wlan_nv_2.bin"
enter "kernel/zte/msm8930" enterAndClear "kernel/zte/msm8930"
patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch"; patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch";
#Make changes to all devices #Make changes to all devices
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \; find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \;
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \; find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \;
#if [ "$STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \; find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \;
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
#Fixes #Fixes
#Fix broken options enabled by hardenDefconfig() #Fix broken options enabled by hardenDefconfig()
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile #sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
# #
#END OF DEVICE CHANGES #END OF DEVICE CHANGES
# #