Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity

Update cherrypicks and small tweaks

Browse Source
This commit is contained in:
Tad 2021-03-05 12:54:34 -05:00
parent 60070a19bd
commit a3fbed9da5
22 changed files with 12 additions and 717 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Patches/Common/android_vendor_divested/packages.mk
View File

@ -21,7 +21,7 @@ PRODUCT_PACKAGES += \
VanillaMusic
# Notes
# - Available (via PrebuiltApps submodule): K9Mail, OpenKeychain, Orbot, Shelter, TalkBack, TorBrowser
# - Available (via PrebuiltApps submodule): K9Mail, OpenKeychain, Orbot, Shelter, TalkBack
# - Camera Choices: None (Camera2/Snap), OpenCamera
# - Gallery Choices: None (AOSP/Lineage), SimpleGallery
# - OpenKeychain inclusion is undecided yet

134
Patches/LineageOS-14.1/android_system_netd/244387.patch
View File

@ -1,134 +0,0 @@
From 0cd7a28a999b9be67251989f8d434dde172157bd Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 30 Mar 2017 02:50:09 +0900
Subject: [PATCH] Really always allow networking on loopback.
https://android-review.googlesource.com/#/c/294359/ attempted to
allow networking on loopback, but actually does not do anything
because no packet has both -i lo and -o lo: loopback packets have
-i lo in INPUT and -o lo in OUTPUT.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
---
server/FirewallController.cpp | 3 ++-
server/FirewallControllerTest.cpp | 15 ++++++++++-----
tests/binder_test.cpp | 16 ++++++++--------
3 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 826cf758..ffc99e16 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
StringAppendF(&commands, "*filter\n:%s -\n", name);
// Always allow networking on loopback.
- StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);
+ StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);
+ StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);
// Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
// access. Both incoming and outgoing RSTs are allowed.
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index 7d96c61c..ba449db0 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
std::vector<std::string> expectedRestore4 = {
"*filter",
":fw_whitelist -",
- "-A fw_whitelist -i lo -o lo -j RETURN",
+ "-A fw_whitelist -i lo -j RETURN",
+ "-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -j DROP",
@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
std::vector<std::string> expectedRestore6 = {
"*filter",
":fw_whitelist -",
- "-A fw_whitelist -i lo -o lo -j RETURN",
+ "-A fw_whitelist -i lo -j RETURN",
+ "-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
std::vector<std::string> expectedRestore = {
"*filter",
":fw_blacklist -",
- "-A fw_blacklist -i lo -o lo -j RETURN",
+ "-A fw_blacklist -i lo -j RETURN",
+ "-A fw_blacklist -o lo -j RETURN",
"-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
"COMMIT\n\x04"
};
@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
std::string expected =
"*filter\n"
":FW_whitechain -\n"
- "-A FW_whitechain -i lo -o lo -j RETURN\n"
+ "-A FW_whitechain -i lo -j RETURN\n"
+ "-A FW_whitechain -o lo -j RETURN\n"
"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
std::string expected =
"*filter\n"
":FW_blackchain -\n"
- "-A FW_blackchain -i lo -o lo -j RETURN\n"
+ "-A FW_blackchain -i lo -j RETURN\n"
+ "-A FW_blackchain -o lo -j RETURN\n"
"-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
"-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 5395f1d2..dcaf2302 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op("Clearing whitelist chain");
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op("Clearing blacklist chain");
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
// Check that the call fails if iptables returns an error.
std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";

52
Patches/LineageOS-14.1/android_system_netd/244388.patch
View File

@ -1,52 +0,0 @@
From 297e6f85ac174825505970e62b4a1f39f84ef3ac Mon Sep 17 00:00:00 2001
From: Joel Scherpelz <jscherpelz@google.com>
Date: Wed, 14 Jun 2017 10:27:47 +0900
Subject: [PATCH] BACKPORT: Avoid netlink socket address conflict
NetlinkManager previously bound all netlink sockets with nl_pid =
getpid(). Unfortunately only the first such socket is allowed to claim
nl_pid = getpid(). The kernel is happy to assign this value
automatically if nl_pid = 0. For more information on nl_pid see "man 7
netlink".
When NFLogListener was added, it created a socket with a kernel assigned
nl_pid, unfortunately the kernel assigns getpid() to the first such
socket and listener was initialized earlier in the startup process than
NetlinkManager.
This change alters NetlinkManager to request a kernel assigned nl_pid and
defensively moves the initialization of NFLogListener later in the
startup sequence to favor proper operation of existing code in
NetlinkManager. Error logging is also slightly improved.
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t
android.os.cts.StrictModeTest" passes
Bug: 62353125
[syphyr: Removed NFLogListener changes]
Signed-off-by: L.W. Reek <syphyr@gmail.com>
Change-Id: I9c1c76e5769de75ff624bf43634ac4061c447a72
---
server/NetlinkManager.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
index 769a80ae..5e6eaba8 100644
--- a/server/NetlinkManager.cpp
+++ b/server/NetlinkManager.cpp
@@ -73,7 +73,8 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
memset(&nladdr, 0, sizeof(nladdr));
nladdr.nl_family = AF_NETLINK;
- nladdr.nl_pid = getpid();
+ // Kernel will assign a unique nl_pid if set to zero.
+ nladdr.nl_pid = 0;
nladdr.nl_groups = groups;
if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {

68
Patches/LineageOS-14.1/android_system_netd/245690.patch
View File

@ -1,68 +0,0 @@
From af314f68701a4d6c06ac1b9a09feddcff5e7eb73 Mon Sep 17 00:00:00 2001
From: Sehee Park <sehee32.park@samsung.com>
Date: Wed, 26 Dec 2018 07:28:23 +0900
Subject: [PATCH] Fix fortify_fatal issue during DNSServiceProcessResult()
fd was checked at beginnig of DNSServiceProcessResult()
but fd was changed to -1. So, fortify_fatal was occured
when FD_SET() was called.
Abort message: 'FORTIFY: FD_SET: file descriptor -1 < 0'
Test: Build
Bug: 120910016
Bug: 121327565
Change-Id: Ib4c8dcc08223578fb53647637b44a20a4c221050
Merged-In: Ib4c8dcc08223578fb53647637b44a20a4c221050
Signed-off-by: Sehee Park <sehee32.park@samsung.com>
(cherry picked from commit 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b)
---
server/MDnsSdListener.cpp | 10 +++++++++-
server/MDnsSdListener.h | 1 +
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index 883fe815..e3fd66a0 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -146,7 +146,7 @@ void MDnsSdListener::Handler::stop(SocketClient *cli, int argc, char **argv, con
return;
}
if (VDBG) ALOGD("Stopping %s with ref %p", str, ref);
- DNSServiceRefDeallocate(*ref);
+ mMonitor->deallocateServiceRef(ref);
mMonitor->freeServiceRef(requestId);
char *msg;
asprintf(&msg, "%s stopped", str);
@@ -617,7 +617,9 @@ void MDnsSdListener::Monitor::run() {
ALOGD("Monitor found [%d].revents = %d - calling ProcessResults",
i, mPollFds[i].revents);
}
+ pthread_mutex_lock(&mHeadMutex);
DNSServiceProcessResult(*(mPollRefs[i]));
+ pthread_mutex_unlock(&mHeadMutex);
mPollFds[i].revents = 0;
}
}
@@ -769,3 +771,9 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
}
pthread_mutex_unlock(&mHeadMutex);
}
+
+void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
+ pthread_mutex_lock(&mHeadMutex);
+ DNSServiceRefDeallocate(*ref);
+ pthread_mutex_unlock(&mHeadMutex);
+}
\ No newline at end of file
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index e9c6066a..a107d3b8 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -76,6 +76,7 @@ class MDnsSdListener : public FrameworkListener {
static void *threadStart(void *handler);
int startService();
int stopService();
+ void deallocateServiceRef(DNSServiceRef* ref);
private:
void run();
int rescan(); // returns the number of elements in the poll

32
Patches/LineageOS-14.1/android_system_netd/245691.patch
View File

@ -1,32 +0,0 @@
From 5f01e7f21f155a6b13a5ce659bac1fc03735a5e9 Mon Sep 17 00:00:00 2001
From: Ken Chen <cken@google.com>
Date: Sat, 26 Jan 2019 19:17:00 +0800
Subject: [PATCH] Clear Element.mRef immediately after deallocating it
DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing
a heap-use-after-free bug.
Solution: set mRef to null immediately after freeing it.
Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615)
---
server/MDnsSdListener.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index e3fd66a0..563e0207 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
pthread_mutex_lock(&mHeadMutex);
DNSServiceRefDeallocate(*ref);
+ *ref = nullptr;
pthread_mutex_unlock(&mHeadMutex);
}
\ No newline at end of file

129
Patches/LineageOS-14.1/android_system_netd/264479.patch
View File

@ -1,129 +0,0 @@
From 73e902f57aae15f4d79ed57f46326fb5a0136c94 Mon Sep 17 00:00:00 2001
From: Erik Kline <ek@google.com>
Date: Thu, 24 Nov 2016 08:30:34 +0900
Subject: [PATCH] Cache flushing no longer occurs updating DNS for a single
netid
Test: runtest netd_integration_test.cpp
Bug: 32517984
Change-Id: I6a82824ab423a07797291e7b4701350c88809117
---
tests/netd_test.cpp | 102 ++++++++++++++++++++++----------------------
1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index a958cd90..97a96b9a 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp
@@ -386,60 +386,60 @@ TEST_F(ResolverTest, GetAddrInfo) {
dns2.addMapping(host_name, ns_type::ns_t_aaaa, "::1.2.3.4");
ASSERT_TRUE(dns2.startServer());
- for (size_t i = 0 ; i < 1000 ; ++i) {
- std::vector<std::string> servers = { listen_addr };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
- dns.clearQueries();
- dns2.clearQueries();
-
- EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
- size_t found = GetNumQueries(dns, host_name);
- EXPECT_LE(1U, found);
- // Could be A or AAAA
- std::string result_str = ToString(result);
- EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
- << ", result_str='" << result_str << "'";
- // TODO: Use ScopedAddrinfo or similar once it is available in a common header file.
- if (result) {
- freeaddrinfo(result);
- result = nullptr;
- }
- // Verify that the name is cached.
- size_t old_found = found;
- EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
- found = GetNumQueries(dns, host_name);
- EXPECT_LE(1U, found);
- EXPECT_EQ(old_found, found);
- result_str = ToString(result);
- EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
- << result_str;
- if (result) {
- freeaddrinfo(result);
- result = nullptr;
- }
+ std::vector<std::string> servers = { listen_addr };
+ ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ dns.clearQueries();
+ dns2.clearQueries();
+
+ EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
+ size_t found = GetNumQueries(dns, host_name);
+ EXPECT_LE(1U, found);
+ // Could be A or AAAA
+ std::string result_str = ToString(result);
+ EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
+ << ", result_str='" << result_str << "'";
+ // TODO: Use ScopedAddrinfo or similar once it is available in a common header file.
+ if (result) {
+ freeaddrinfo(result);
+ result = nullptr;
+ }
- // Change the DNS resolver, ensure that queries are no longer cached.
- servers = { listen_addr2 };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
- dns.clearQueries();
- dns2.clearQueries();
-
- EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
- found = GetNumQueries(dns, host_name);
- size_t found2 = GetNumQueries(dns2, host_name);
- EXPECT_EQ(0U, found);
- EXPECT_LE(1U, found2);
-
- // Could be A or AAAA
- result_str = ToString(result);
- EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
- << ", result_str='" << result_str << "'";
- if (result) {
- freeaddrinfo(result);
- result = nullptr;
- }
+ // Verify that the name is cached.
+ size_t old_found = found;
+ EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
+ found = GetNumQueries(dns, host_name);
+ EXPECT_LE(1U, found);
+ EXPECT_EQ(old_found, found);
+ result_str = ToString(result);
+ EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
+ << result_str;
+ if (result) {
+ freeaddrinfo(result);
+ result = nullptr;
}
+
+ // Change the DNS resolver, ensure that queries are still cached.
+ servers = { listen_addr2 };
+ ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ dns.clearQueries();
+ dns2.clearQueries();
+
+ EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
+ found = GetNumQueries(dns, host_name);
+ size_t found2 = GetNumQueries(dns2, host_name);
+ EXPECT_EQ(0U, found);
+ EXPECT_LE(0U, found2);
+
+ // Could be A or AAAA
+ result_str = ToString(result);
+ EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
+ << ", result_str='" << result_str << "'";
+ if (result) {
+ freeaddrinfo(result);
+ result = nullptr;
+ }
+
dns.stopServer();
dns2.stopServer();
}

28
Patches/LineageOS-14.1/android_system_netd/264480.patch
View File

@ -1,28 +0,0 @@
From 7aee5e85160c025a6d3f0460f4482aadb985c0f3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 19 Nov 2016 09:09:16 -0800
Subject: [PATCH] TetherController.cpp: add O_CLOEXEC
Don't leak open file descriptors across execs to netd's children. This
can occur in the unlikely but theoretically possible event that one
thread is in writeToFile() and another thread happens to call exec().
Test: device boots with no obvious problems.
Change-Id: Iabd8eee46bf94d70894ca46e58484ccb8241513a
---
server/TetherController.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index 3cc46368..65c88ede 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -46,7 +46,7 @@ const char IPV6_FORWARDING_PROC_FILE[] = "/proc/sys/net/ipv6/conf/all/forwarding
const char SEPARATOR[] = "|";
bool writeToFile(const char* filename, const char* value) {
- int fd = open(filename, O_WRONLY);
+ int fd = open(filename, O_WRONLY | O_CLOEXEC);
if (fd < 0) {
ALOGE("Failed to open %s: %s", filename, strerror(errno));
return false;

30
Patches/LineageOS-14.1/android_system_netd/264481.patch
View File

@ -1,30 +0,0 @@
From bea94d341f8c3da6611e959b4732accbb079cab1 Mon Sep 17 00:00:00 2001
From: Manoj Gupta <manojgupta@google.com>
Date: Tue, 22 Nov 2016 21:15:59 -0800
Subject: [PATCH] Fix clang static analyzer warnings.
system/netd/server/NetlinkHandler.cpp:218:12: warning: Dereference of
null pointer (loaded from variable 'gateway')
Test: Warning no longer appears
Change-Id: Idaa08940c990f7d572e855e77982ffd57a032dd4
---
server/NetlinkHandler.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetlinkHandler.cpp b/server/NetlinkHandler.cpp
index 19de240a..e9a11bab 100644
--- a/server/NetlinkHandler.cpp
+++ b/server/NetlinkHandler.cpp
@@ -215,9 +215,9 @@ void NetlinkHandler::notifyRouteChange(NetlinkEvent::Action action, const char *
"Route %s %s%s%s%s%s",
(action == NetlinkEvent::Action::kRouteUpdated) ? kUpdated : kRemoved,
route,
- *gateway ? " via " : "",
+ (gateway && *gateway) ? " via " : "",
gateway,
- *iface ? " dev " : "",
+ (iface && *iface) ? " dev " : "",
iface);
}

40
Patches/LineageOS-14.1/android_system_netd/264482.patch
View File

@ -1,40 +0,0 @@
From 147d0470f98c5f5f938892bbc5bb640e115fdb98 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Dec 2016 08:40:35 -0800
Subject: [PATCH] SockDiag.cpp: Add O_CLOEXEC to tcpdiag sockets
Add O_CLOEXEC to NETLINK_INET_DIAG sockets. This ensures that the file
descriptors associated with these sockets do not leak across an exec()
boundary. Please see "man 2 open" for a description of why this is
desirable.
Addresses the following SELinux denial:
avc: denied { read write } for comm="clatd" path="socket:[902062]"
dev="sockfs" ino=902062 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0
tclass=netlink_tcpdiag_socket permissive=0
which occurs when netd executes clatd and inadvertantly leaks the file
descriptors to that process.
Test: Android compiles and boots, and no obvious errors
Change-Id: Ic5662fa8df6884e7002a0ec89839fe90abe05574
---
server/SockDiag.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/SockDiag.cpp b/server/SockDiag.cpp
index 11711afa..630e379d 100644
--- a/server/SockDiag.cpp
+++ b/server/SockDiag.cpp
@@ -73,8 +73,8 @@ bool SockDiag::open() {
return false;
}
- mSock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG);
- mWriteSock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG);
+ mSock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_INET_DIAG);
+ mWriteSock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_INET_DIAG);
if (!hasSocks()) {
closeSocks();
return false;

41
Patches/LineageOS-14.1/android_system_netd/264483.patch
View File

@ -1,41 +0,0 @@
From 3c272f5a65fa8ebabb22bd344ff65c14be47183c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Dec 2016 06:51:32 -0800
Subject: [PATCH] FwMarkServer.cpp: Add O_CLOEXEC to received FDs
Add O_CLOEXEC to file descriptors received via the fwmark service. This
prevents netd's file descriptors from leaking across an exec() boundary,
and may address the following non-reproducible SELinux denials:
avc: denied { use } for comm="clatd" path="socket:[860297]" dev="sockfs"
ino=860297 scontext=u:r:clatd:s0 tcontext=u:r:untrusted_app:s0:c512,c768
tclass=fd permissive=0
avc: denied { read write } for comm="clatd" path="socket:[1414454]"
dev="sockfs" ino=1414454 scontext=u:r:clatd:s0
tcontext=u:r:system_server:s0 tclass=tcp_socket permissive=0
avc: denied { use } for comm="clatd" path="socket:[681600]" dev="sockfs"
ino=681600 scontext=u:r:clatd:s0 tcontext=u:r:priv_app:s0:c512,c768
tclass=fd permissive=0
Test: Device boots and no obvious problems
Test: /data/nativetest/netd_integration_test/netd_integration_test passed
Change-Id: I866b1ee0693516b46269c7106e7fc1f85b017639
---
server/FwmarkServer.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 80df03f4..38a116d6 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -74,7 +74,7 @@ int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
message.msg_control = cmsgu.cmsg;
message.msg_controllen = sizeof(cmsgu.cmsg);
- int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
+ int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, MSG_CMSG_CLOEXEC));
if (messageLength <= 0) {
return -errno;
}

54
Patches/LineageOS-14.1/android_system_netd/264484.patch
View File

@ -1,54 +0,0 @@
From 2b418c7cdced80f2ecd0e31b357970d51d9e4b25 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Sat, 21 Jan 2017 15:00:36 +0900
Subject: [PATCH] Log the time it takes netd to start up.
Currently on, bullhead-eng, I see:
01-21 14:59:26.174 21421 21421 I Netd : Netd started in 2432ms
Test: restarted netd and observed log message.
Bug: 32323979
Bug: 33279878
Change-Id: I7195d06d7ed1a09858185555f60b07e5bfe306ed
---
server/main.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/server/main.cpp b/server/main.cpp
index ae3a71a3..aab15d66 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -18,6 +18,7 @@
#include <stdlib.h>
#include <signal.h>
#include <errno.h>
+#include <math.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -40,6 +41,7 @@
#include "NetdConstants.h"
#include "NetdNativeService.h"
#include "NetlinkManager.h"
+#include "Stopwatch.h"
#include "DnsProxyListener.h"
#include "MDnsSdListener.h"
#include "FwmarkServer.h"
@@ -63,6 +65,7 @@ android::RWLock android::net::gBigNetdLock;
int main() {
using android::net::gCtls;
+ Stopwatch s;
ALOGI("Netd 1.0 starting");
remove_pid_file();
@@ -122,6 +125,8 @@ int main() {
write_pid_file();
+ ALOGI("Netd started in %dms", static_cast<int>(s.timeTaken()));
+
IPCThreadState::self()->joinThreadPool();
ALOGI("Netd exiting");

24
Patches/LineageOS-14.1/android_system_netd/264572.patch
View File

@ -1,24 +0,0 @@
From 0dfec203ee3b024ab9ff3d7d5c40c2cdf2db81e2 Mon Sep 17 00:00:00 2001
From: Chih-Hung Hsieh <chh@google.com>
Date: Fri, 6 May 2016 10:36:13 -0700
Subject: [PATCH] Fix google-explicit-constructor warnings.
Bug: 28341362
Change-Id: Idadc9ad22fdd9d014c8fe0522c89b6ec9d05ae98
---
tests/binder_test.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index dcaf2302..1018e00e 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -105,7 +105,7 @@ char BinderTest::sDstStr[INET6_ADDRSTRLEN];
class TimedOperation : public Stopwatch {
public:
- TimedOperation(std::string name): mName(name) {}
+ explicit TimedOperation(const std::string &name): mName(name) {}
virtual ~TimedOperation() {
fprintf(stderr, " %s: %6.1f ms\n", mName.c_str(), timeTaken());
}

46
Patches/LineageOS-14.1/android_system_netd/264573.patch
View File

@ -1,46 +0,0 @@
From b5c3fe8fac846e9e586f2c0454c1036099adaf27 Mon Sep 17 00:00:00 2001
From: Thurston Hou Yeen Dang <thurston@google.com>
Date: Wed, 1 Jun 2016 11:02:29 -0700
Subject: [PATCH] Unsigned integer overflow sanitization for netd/server
Enable unsigned-integer-overflow sanitization for netd/server
(libnetdaidl, netd, ndc).
This does not cause any aborts on CtsNetTestCases (includes
android.net.cts.VpnServiceTest), CtsNetTestCasesLegacyApi22, and
CtsNetTestCasesLegacyPermission22.
(Some tests are finicky and need to be re-run individually to pass; there is similar behavior on the unsanitized build.)
Change-Id: I021bae3cf20df7669822977d3221a44f207614a8
---
server/Android.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/server/Android.mk b/server/Android.mk
index 04b626f0..0c848e54 100644
--- a/server/Android.mk
+++ b/server/Android.mk
@@ -21,6 +21,7 @@ include $(CLEAR_VARS)
LOCAL_CFLAGS := -Wall -Werror
LOCAL_CLANG := true
+LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_MODULE := libnetdaidl
LOCAL_SHARED_LIBRARIES := \
libbinder \
@@ -47,6 +48,7 @@ LOCAL_C_INCLUDES := \
LOCAL_CLANG := true
LOCAL_CPPFLAGS := -std=c++11 -Wall -Werror
+LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_MODULE := netd
LOCAL_INIT_RC := netd.rc
@@ -134,6 +136,7 @@ include $(BUILD_EXECUTABLE)
include $(CLEAR_VARS)
LOCAL_CFLAGS := -Wall -Werror
+LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_CLANG := true
LOCAL_MODULE := ndc
LOCAL_SHARED_LIBRARIES := libcutils

2
PrebuiltApps

@ -1 +1 @@
Subproject commit 6a941364ec6493da24247389bbf0745fb090b7d3
Subproject commit fb703e0dadecfe2681f5ebf3c43ca74a0bfa34e4

2
Scripts/LineageOS-14.1/Functions.sh
View File

@ -124,8 +124,6 @@ patchWorkspace() {
source build/envsetup.sh;
repopick -it n_asb_09-2018-qcom; #TODO: move in tree
#repopick -it bt-sbc-hd-dualchannel-nougat;
repopick -it tzdb2021a_N;
repopick -it n-asb-2021-03;
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails

5
Scripts/LineageOS-14.1/Patch.sh
View File

@ -77,7 +77,7 @@ patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/248649.patch"; #msm_irqba
patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on user builds XXX: REMOVE THIS TRASH
enterAndClear "external/chromium-webview";
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/30/304330/1; #update webview
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/88/305088/1; #update webview
enterAndClear "external/sqlite";
patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (AndroidHardening-13.0)
@ -206,9 +206,6 @@ git revert --no-edit 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f50
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
enterAndClear "system/netd";
git am $DOS_PATCHES/android_system_netd/*.patch; #n-netd
enterAndClear "system/sepolicy";
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices

3
Scripts/LineageOS-15.1/Functions.sh
View File

@ -115,8 +115,7 @@ export -f buildAll;
patchWorkspace() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
source build/envsetup.sh;
repopick -it O_asb_2021-03;
#source build/envsetup.sh;
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails

5
Scripts/LineageOS-15.1/Patch.sh
View File

@ -79,10 +79,7 @@ enterAndClear "device/qcom/sepolicy";
patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH
enterAndClear "external/chromium-webview";
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/30/304330/1; #update webview
enterAndClear "external/dnsmasq";
git pull "https://github.com/LineageOS/android_external_dnsmasq" refs/changes/10/305010/1; #O_asb_2021-03
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/88/305088/1; #update webview
enterAndClear "external/svox";
git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles

3
Scripts/LineageOS-16.0/Functions.sh
View File

@ -132,9 +132,8 @@ export -f buildAll;
patchWorkspace() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
source build/envsetup.sh;
#source build/envsetup.sh;
#repopick -it pie-firewall;
repopick -it P_asb_2021-03;
source "$DOS_SCRIPTS/Patch.sh";
source "$DOS_SCRIPTS_COMMON/Copy_Keys.sh";

8
Scripts/LineageOS-16.0/Patch.sh
View File

@ -78,10 +78,7 @@ patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.pa
echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #necessary for -user builds of legacy devices
enterAndClear "external/chromium-webview";
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/30/304330/1; #update webview
enterAndClear "external/dnsmasq";
git pull "https://github.com/LineageOS/android_external_dnsmasq" refs/changes/00/305000/1; #P_asb_2021-03
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/88/305088/1; #update webview
enterAndClear "external/svox";
git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
@ -189,9 +186,6 @@ git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch";
patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
enterAndClear "system/connectivity/wificond";
git pull "https://github.com/LineageOS/android_system_connectivity_wificond" refs/changes/08/305008/1; #P_asb_2021-03
enterAndClear "system/core";
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery

3
Scripts/LineageOS-17.1/Functions.sh
View File

@ -130,9 +130,8 @@ export -f buildAll;
patchWorkspace() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
source build/envsetup.sh;
#source build/envsetup.sh;
#repopick -it ten-firewall;
repopick -it Q_asb_2021-03;
source "$DOS_SCRIPTS/Patch.sh";
source "$DOS_SCRIPTS_COMMON/Copy_Keys.sh";

18
Scripts/LineageOS-17.1/Patch.sh
View File

@ -76,10 +76,7 @@ patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.pa
echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #necessary for -user builds of legacy devices
enterAndClear "external/chromium-webview";
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/30/304330/1; #update webview
enterAndClear "external/dnsmasq";
git pull "https://github.com/LineageOS/android_external_dnsmasq" refs/changes/66/304966/1; #Q_asb_2021-03
git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/88/305088/1; #update webview
enterAndClear "external/svox";
git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
@ -87,10 +84,6 @@ sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie
sed -i 's/about to delete/unable to delete/' pico/src/com/svox/pico/LangPackUninstaller.java;
awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.java;
enterAndClear "external/v8";
git pull "https://github.com/LineageOS/android_external_v8" refs/changes/70/304970/1; #Q_asb_2021-03
git pull "https://github.com/LineageOS/android_external_v8" refs/changes/71/304971/1;
enterAndClear "frameworks/av";
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_av/0001-HM_A2DP_Fix.patch"; fi; #(GrapheneOS)
@ -193,9 +186,6 @@ patch -p1 < "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voi
#patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #XXX 17REBASE
#patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; #XXX 17REBASE
enterAndClear "system/connectivity/wificond";
git pull "https://github.com/LineageOS/android_system_connectivity_wificond" refs/changes/75/304975/1; #Q_asb_2021-03
enterAndClear "system/core";
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit 3032c7aa5ce90c0ae9c08fe271052c6e0304a1e7 01266f589e6deaef30b782531ae14435cdd2f18e; #insanity
@ -214,9 +204,6 @@ patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --direct
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/26.0";
awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user
enterAndClear "system/tools/hidl";
git pull "https://github.com/LineageOS/android_system_tools_hidl" refs/changes/76/304976/1; #Q_asb_2021-03
enterAndClear "system/update_engine";
git revert --no-edit c68499e3ff10f2a31f913e14f66aafb4ed94d42d; #Do not skip payload signature verification
@ -334,6 +321,9 @@ echo "allow hal_gnss_default ssr_device:chr_file { open read };" >> sepolicy/com
enterAndClear "device/zuk/msm8996-common";
awk -i inplace '!/WfdCommon/' msm8996.mk; #fix breakage
enterAndClear "kernel/essential/msm8998";
awk -i inplace '!/SECTOR_SIZE 512/' drivers/md/dm-req-crypt.c; #fixup 4.4.0258-0259.patch
enterAndClear "kernel/google/marlin";
git revert --no-edit dd4a454f080f60cc7c4f5cc281a48cba80947baf; #Resurrect dm-verity