mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-25 07:29:24 -05:00
14.1: cherrypicks
This commit is contained in:
parent
f90b62982b
commit
a8cc390c3d
@ -1,134 +0,0 @@
|
||||
From 5479a23bdb9fd2cbd92d7a1f35e5ecf193515d72 Mon Sep 17 00:00:00 2001
|
||||
From: Lorenzo Colitti <lorenzo@google.com>
|
||||
Date: Thu, 30 Mar 2017 02:50:09 +0900
|
||||
Subject: [PATCH] Really always allow networking on loopback.
|
||||
|
||||
https://android-review.googlesource.com/#/c/294359/ attempted to
|
||||
allow networking on loopback, but actually does not do anything
|
||||
because no packet has both -i lo and -o lo: loopback packets have
|
||||
-i lo in INPUT and -o lo in OUTPUT.
|
||||
|
||||
Test: bullhead builds, boots
|
||||
Test: netd_{unit,integration}_test pass
|
||||
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
|
||||
Test: originated and received traffic is not matched by new rules
|
||||
Bug: 34444781
|
||||
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
|
||||
---
|
||||
server/FirewallController.cpp | 3 ++-
|
||||
server/FirewallControllerTest.cpp | 15 ++++++++++-----
|
||||
tests/binder_test.cpp | 16 ++++++++--------
|
||||
3 files changed, 20 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
|
||||
index 826cf758..ffc99e16 100644
|
||||
--- a/server/FirewallController.cpp
|
||||
+++ b/server/FirewallController.cpp
|
||||
@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
|
||||
StringAppendF(&commands, "*filter\n:%s -\n", name);
|
||||
|
||||
// Always allow networking on loopback.
|
||||
- StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);
|
||||
+ StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);
|
||||
+ StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);
|
||||
|
||||
// Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
|
||||
// access. Both incoming and outgoing RSTs are allowed.
|
||||
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
|
||||
index 7d96c61c..ba449db0 100644
|
||||
--- a/server/FirewallControllerTest.cpp
|
||||
+++ b/server/FirewallControllerTest.cpp
|
||||
@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
|
||||
std::vector<std::string> expectedRestore4 = {
|
||||
"*filter",
|
||||
":fw_whitelist -",
|
||||
- "-A fw_whitelist -i lo -o lo -j RETURN",
|
||||
+ "-A fw_whitelist -i lo -j RETURN",
|
||||
+ "-A fw_whitelist -o lo -j RETURN",
|
||||
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
|
||||
"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
|
||||
"-A fw_whitelist -j DROP",
|
||||
@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
|
||||
std::vector<std::string> expectedRestore6 = {
|
||||
"*filter",
|
||||
":fw_whitelist -",
|
||||
- "-A fw_whitelist -i lo -o lo -j RETURN",
|
||||
+ "-A fw_whitelist -i lo -j RETURN",
|
||||
+ "-A fw_whitelist -o lo -j RETURN",
|
||||
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
|
||||
"-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
|
||||
"-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
|
||||
@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
|
||||
std::vector<std::string> expectedRestore = {
|
||||
"*filter",
|
||||
":fw_blacklist -",
|
||||
- "-A fw_blacklist -i lo -o lo -j RETURN",
|
||||
+ "-A fw_blacklist -i lo -j RETURN",
|
||||
+ "-A fw_blacklist -o lo -j RETURN",
|
||||
"-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
|
||||
"COMMIT\n\x04"
|
||||
};
|
||||
@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
|
||||
std::string expected =
|
||||
"*filter\n"
|
||||
":FW_whitechain -\n"
|
||||
- "-A FW_whitechain -i lo -o lo -j RETURN\n"
|
||||
+ "-A FW_whitechain -i lo -j RETURN\n"
|
||||
+ "-A FW_whitechain -o lo -j RETURN\n"
|
||||
"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
|
||||
"-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
|
||||
"-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
|
||||
@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
|
||||
std::string expected =
|
||||
"*filter\n"
|
||||
":FW_blackchain -\n"
|
||||
- "-A FW_blackchain -i lo -o lo -j RETURN\n"
|
||||
+ "-A FW_blackchain -i lo -j RETURN\n"
|
||||
+ "-A FW_blackchain -o lo -j RETURN\n"
|
||||
"-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
|
||||
"-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
|
||||
"-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
|
||||
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
|
||||
index 5395f1d2..dcaf2302 100644
|
||||
--- a/tests/binder_test.cpp
|
||||
+++ b/tests/binder_test.cpp
|
||||
@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {
|
||||
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
|
||||
}
|
||||
EXPECT_EQ(true, ret);
|
||||
- EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
- EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
{
|
||||
TimedOperation op("Clearing whitelist chain");
|
||||
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
|
||||
}
|
||||
EXPECT_EQ(true, ret);
|
||||
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
|
||||
{
|
||||
TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));
|
||||
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);
|
||||
}
|
||||
EXPECT_EQ(true, ret);
|
||||
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
|
||||
{
|
||||
TimedOperation op("Clearing blacklist chain");
|
||||
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
|
||||
}
|
||||
EXPECT_EQ(true, ret);
|
||||
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
|
||||
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
|
||||
|
||||
// Check that the call fails if iptables returns an error.
|
||||
std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";
|
@ -1,52 +0,0 @@
|
||||
From 77894c5bfbafb8cacdefe9b60cff121e5fb88e3c Mon Sep 17 00:00:00 2001
|
||||
From: Joel Scherpelz <jscherpelz@google.com>
|
||||
Date: Wed, 14 Jun 2017 10:27:47 +0900
|
||||
Subject: [PATCH] BACKPORT: Avoid netlink socket address conflict
|
||||
|
||||
NetlinkManager previously bound all netlink sockets with nl_pid =
|
||||
getpid(). Unfortunately only the first such socket is allowed to claim
|
||||
nl_pid = getpid(). The kernel is happy to assign this value
|
||||
automatically if nl_pid = 0. For more information on nl_pid see "man 7
|
||||
netlink".
|
||||
|
||||
When NFLogListener was added, it created a socket with a kernel assigned
|
||||
nl_pid, unfortunately the kernel assigns getpid() to the first such
|
||||
socket and listener was initialized earlier in the startup process than
|
||||
NetlinkManager.
|
||||
|
||||
This change alters NetlinkManager to request a kernel assigned nl_pid and
|
||||
defensively moves the initialization of NFLogListener later in the
|
||||
startup sequence to favor proper operation of existing code in
|
||||
NetlinkManager. Error logging is also slightly improved.
|
||||
|
||||
Test: as follows
|
||||
- built
|
||||
- flashed
|
||||
- booted
|
||||
- "runtest -x .../netd_unit_test.cpp" passes
|
||||
- "cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t
|
||||
android.os.cts.StrictModeTest" passes
|
||||
Bug: 62353125
|
||||
|
||||
[syphyr: Removed NFLogListener changes]
|
||||
Signed-off-by: L.W. Reek <syphyr@gmail.com>
|
||||
|
||||
Change-Id: I9c1c76e5769de75ff624bf43634ac4061c447a72
|
||||
---
|
||||
server/NetlinkManager.cpp | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
|
||||
index 769a80ae..5e6eaba8 100644
|
||||
--- a/server/NetlinkManager.cpp
|
||||
+++ b/server/NetlinkManager.cpp
|
||||
@@ -73,7 +73,8 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
|
||||
|
||||
memset(&nladdr, 0, sizeof(nladdr));
|
||||
nladdr.nl_family = AF_NETLINK;
|
||||
- nladdr.nl_pid = getpid();
|
||||
+ // Kernel will assign a unique nl_pid if set to zero.
|
||||
+ nladdr.nl_pid = 0;
|
||||
nladdr.nl_groups = groups;
|
||||
|
||||
if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {
|
@ -1,68 +0,0 @@
|
||||
From d6f2d210fe3f1b8c2c798066bfb32e2c9ec96ef4 Mon Sep 17 00:00:00 2001
|
||||
From: Sehee Park <sehee32.park@samsung.com>
|
||||
Date: Wed, 26 Dec 2018 07:28:23 +0900
|
||||
Subject: [PATCH] Fix fortify_fatal issue during DNSServiceProcessResult()
|
||||
|
||||
fd was checked at beginnig of DNSServiceProcessResult()
|
||||
but fd was changed to -1. So, fortify_fatal was occured
|
||||
when FD_SET() was called.
|
||||
Abort message: 'FORTIFY: FD_SET: file descriptor -1 < 0'
|
||||
|
||||
Test: Build
|
||||
Bug: 120910016
|
||||
Bug: 121327565
|
||||
Change-Id: Ib4c8dcc08223578fb53647637b44a20a4c221050
|
||||
Merged-In: Ib4c8dcc08223578fb53647637b44a20a4c221050
|
||||
Signed-off-by: Sehee Park <sehee32.park@samsung.com>
|
||||
(cherry picked from commit 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b)
|
||||
---
|
||||
server/MDnsSdListener.cpp | 10 +++++++++-
|
||||
server/MDnsSdListener.h | 1 +
|
||||
2 files changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
|
||||
index 883fe815..e3fd66a0 100644
|
||||
--- a/server/MDnsSdListener.cpp
|
||||
+++ b/server/MDnsSdListener.cpp
|
||||
@@ -146,7 +146,7 @@ void MDnsSdListener::Handler::stop(SocketClient *cli, int argc, char **argv, con
|
||||
return;
|
||||
}
|
||||
if (VDBG) ALOGD("Stopping %s with ref %p", str, ref);
|
||||
- DNSServiceRefDeallocate(*ref);
|
||||
+ mMonitor->deallocateServiceRef(ref);
|
||||
mMonitor->freeServiceRef(requestId);
|
||||
char *msg;
|
||||
asprintf(&msg, "%s stopped", str);
|
||||
@@ -617,7 +617,9 @@ void MDnsSdListener::Monitor::run() {
|
||||
ALOGD("Monitor found [%d].revents = %d - calling ProcessResults",
|
||||
i, mPollFds[i].revents);
|
||||
}
|
||||
+ pthread_mutex_lock(&mHeadMutex);
|
||||
DNSServiceProcessResult(*(mPollRefs[i]));
|
||||
+ pthread_mutex_unlock(&mHeadMutex);
|
||||
mPollFds[i].revents = 0;
|
||||
}
|
||||
}
|
||||
@@ -769,3 +771,9 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
|
||||
}
|
||||
pthread_mutex_unlock(&mHeadMutex);
|
||||
}
|
||||
+
|
||||
+void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
|
||||
+ pthread_mutex_lock(&mHeadMutex);
|
||||
+ DNSServiceRefDeallocate(*ref);
|
||||
+ pthread_mutex_unlock(&mHeadMutex);
|
||||
+}
|
||||
\ No newline at end of file
|
||||
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
|
||||
index e9c6066a..a107d3b8 100644
|
||||
--- a/server/MDnsSdListener.h
|
||||
+++ b/server/MDnsSdListener.h
|
||||
@@ -76,6 +76,7 @@ class MDnsSdListener : public FrameworkListener {
|
||||
static void *threadStart(void *handler);
|
||||
int startService();
|
||||
int stopService();
|
||||
+ void deallocateServiceRef(DNSServiceRef* ref);
|
||||
private:
|
||||
void run();
|
||||
int rescan(); // returns the number of elements in the poll
|
@ -1,32 +0,0 @@
|
||||
From 728b7617dc0ec0b017740f9a78e7dcefff1afc86 Mon Sep 17 00:00:00 2001
|
||||
From: Ken Chen <cken@google.com>
|
||||
Date: Sat, 26 Jan 2019 19:17:00 +0800
|
||||
Subject: [PATCH] Clear Element.mRef immediately after deallocating it
|
||||
|
||||
DNSServiceRefDeallocate() and pointer dereferencing in request handler
|
||||
thread are protected by two separate lock/unlock pairs on mHeadMutex.
|
||||
If rescan() runs between these, it could dereference mRef, causing
|
||||
a heap-use-after-free bug.
|
||||
|
||||
Solution: set mRef to null immediately after freeing it.
|
||||
|
||||
Bug: 121327565
|
||||
Test: build
|
||||
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
|
||||
(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615)
|
||||
---
|
||||
server/MDnsSdListener.cpp | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
|
||||
index e3fd66a0..563e0207 100644
|
||||
--- a/server/MDnsSdListener.cpp
|
||||
+++ b/server/MDnsSdListener.cpp
|
||||
@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
|
||||
void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
|
||||
pthread_mutex_lock(&mHeadMutex);
|
||||
DNSServiceRefDeallocate(*ref);
|
||||
+ *ref = nullptr;
|
||||
pthread_mutex_unlock(&mHeadMutex);
|
||||
}
|
||||
\ No newline at end of file
|
@ -116,6 +116,9 @@ patchWorkspace() {
|
||||
#repopick 212799; #alt: 212827 flac extractor CVE-2017-0592
|
||||
#repopick 214125; #spellchecker: enable more wordlists
|
||||
repopick -it n_asb_09-2018-qcom;
|
||||
repopick -it ibss-mode-nougat;
|
||||
repopick -it n-unzip;
|
||||
repopick -it n-netd;
|
||||
|
||||
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
|
||||
|
||||
|
@ -176,14 +176,6 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f
|
||||
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
|
||||
|
||||
enterAndClear "system/netd";
|
||||
#loopback fixes
|
||||
patch -p1 < "$DOS_PATCHES/android_system_netd/244387.patch"; #Really always allow networking on loopback.
|
||||
patch -p1 < "$DOS_PATCHES/android_system_netd/244388.patch"; #Avoid netlink socket address conflict
|
||||
#CVE-2019-2033
|
||||
patch -p1 < "$DOS_PATCHES/android_system_netd/245690.patch"; #Fix fortify_fatal issue during DNSServiceProcessResult()
|
||||
patch -p1 < "$DOS_PATCHES/android_system_netd/245691.patch"; #Clear Element.mRef immediately after deallocating it
|
||||
|
||||
enterAndClear "system/sepolicy";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
|
Loading…
Reference in New Issue
Block a user