Various
- Drop OpenCamera, it doesn't work on lock screens anymore? - microG on 18.1+: - set packages forceQueryable - spoof some sources as Play Store TODO: backport this to 17.1 - Remove camera extensions - Churn - Wording Signed-off-by: Tad <tad@spotco.us>
parent
e705bac150
commit
aa6bfad801
@ -28,8 +28,8 @@ PRODUCT_PROPERTY_OVERRIDES += \
|
||||
ro.lmk.kill_heaviest_task=false \
|
||||
config.disable_atlas=true \
|
||||
dalvik.vm.madvise-random=true \
|
||||
ro.statsd.enable=false \
|
||||
persist.traced.enable=0
|
||||
persist.traced.enable=0 \
|
||||
ro.statsd.enable=false
|
||||
|
||||
# set threshold to filter unused apps
|
||||
PRODUCT_PROPERTY_OVERRIDES += pm.dexopt.downgrade_after_inactive_days=10
|
||||
@ -52,11 +52,6 @@ PRODUCT_ALWAYS_PREOPT_EXTRACTED_APK := true
|
||||
PRODUCT_PROPERTY_OVERRIDES += \
|
||||
pm.dexopt.shared=quicken
|
||||
|
||||
# Default heap sizes. Allow up to 256m for large heaps to make sure a single app
|
||||
# doesn't take all of the RAM.
|
||||
#PRODUCT_PROPERTY_OVERRIDES += dalvik.vm.heapgrowthlimit=128m
|
||||
#PRODUCT_PROPERTY_OVERRIDES += dalvik.vm.heapsize=256m
|
||||
|
||||
# Do not generate libartd.
|
||||
PRODUCT_ART_TARGET_INCLUDE_DEBUG_BUILD := false
|
||||
|
||||
|
@ -8,10 +8,10 @@ PRODUCT_PACKAGES += \
|
||||
FennecDOS \
|
||||
SimpleGallery
|
||||
|
||||
ifeq ($(findstring flox,$(TARGET_PRODUCT)),)
|
||||
PRODUCT_PACKAGES += \
|
||||
OpenCamera
|
||||
endif
|
||||
#ifeq ($(findstring flox,$(TARGET_PRODUCT)),)
|
||||
#PRODUCT_PACKAGES += \
|
||||
# OpenCamera
|
||||
#endif
|
||||
|
||||
# Extras
|
||||
PRODUCT_PACKAGES += \
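Review bot: The OpenCamera block is disabled by commenting out its four lines, and nothing in the file records why. Either delete the lines or put the reason from the commit message above them, for example `# OpenCamera dropped: reported not to work from the lock screen anymore`. As written, a later reader cannot tell a temporary workaround from a permanent removal.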
|
||||
|
@ -1,12 +1,13 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Mon, 3 Jul 2023 12:00:12 -0400
|
||||
Subject: [PATCH] Hardened signature spoofing
|
||||
Subject: [PATCH] Unprivileged microG handling
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
|
||||
- Only spoofs the Google package signature
|
||||
|
||||
This is an effective merge + tweak of two existing patches, credits:
|
||||
@ -14,6 +15,7 @@ This is an effective merge + tweak of two existing patches, credits:
|
||||
https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
|
||||
Chirayu Desai of CalyxOS
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/97765782f942d0975c383c90fde9140ef3ccf01b
|
||||
|
||||
Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
@ -120,7 +122,7 @@ index 9483f266b1fa..eb2b66d5ce03 100644
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.mSigningDetails.getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH) && p.applicationInfo.targetSdkVersion >= 24) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.applicationInfo.targetSdkVersion >= 24 && pi != null) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
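Review bot: In the rewritten condition `hash.equals(MICROG_HASH) && ... && pi != null`, `hash` is dereferenced before anything is known about it, so a package whose signing details yield no SHA-256 string would throw here instead of falling through to the unspoofed result. The `try` opens just above, but its `catch` is outside the hunk, so how that case is handled cannot be confirmed from here. Put the constant on the left and test the cheap null first: `if (pi != null && MICROG_HASH.equals(hash) && p.applicationInfo.targetSdkVersion >= 24) {`. The same ordering appears in the other two fakeSignature hunks on this page (the `p.getSigningDetails()` variants) and in the AppsFilter additions, where `getSha256Certificate().equals(MICROG_HASH)` sits inside no visible `try`.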
|
@ -1,7 +1,7 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Wed, 20 Apr 2022 01:04:27 -0400
|
||||
Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
|
||||
Subject: [PATCH] Add a toggle for microG enablement
|
||||
|
||||
Copy and pasted from the GrapheneOS exec spawning toggle patch
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 011adec1a494974102930bf65a8d2fdfa8b375b5 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Khaled Abdelmohsen <khelmy@google.com>
|
||||
Date: Mon, 24 Feb 2020 16:59:21 +0000
|
||||
Subject: [PATCH 1/2] Create source stamp verifier
|
||||
Subject: [PATCH] Create source stamp verifier
|
||||
|
||||
Bug: 148005911
|
||||
Test: gradlew test
|
||||
@ -13,10 +13,10 @@ Merged-In: I7008c9567ad5e8b63e7f6ba192d38b10c5c9a2dc
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java b/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
|
||||
index 2330f6d..f15597b 100644
|
||||
index cc69af3..bc3ae48 100644
|
||||
--- a/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
|
||||
+++ b/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
|
||||
@@ -998,6 +998,20 @@ public class ApkSigningBlockUtils {
|
||||
@@ -1236,6 +1236,20 @@ public class ApkSigningBlockUtils {
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -37,7 +37,7 @@ index 2330f6d..f15597b 100644
|
||||
public void addError(ApkVerifier.Issue msg, Object... parameters) {
|
||||
mErrors.add(new ApkVerifier.IssueWithParams(msg, parameters));
|
||||
}
|
||||
@@ -1042,6 +1056,10 @@ public class ApkSigningBlockUtils {
|
||||
@@ -1280,6 +1294,10 @@ public class ApkSigningBlockUtils {
|
||||
return !mErrors.isEmpty();
|
||||
}
|
||||
|
||||
@ -48,6 +48,3 @@ index 2330f6d..f15597b 100644
|
||||
public List<ApkVerifier.IssueWithParams> getErrors() {
|
||||
return mErrors;
|
||||
}
|
||||
--
|
||||
2.30.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 9a80527425030dae7f962ab95eda500a720cde47 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Groover <mpgroover@google.com>
|
||||
Date: Fri, 31 Mar 2023 14:30:21 -0500
|
||||
Subject: [PATCH 2/2] Limit the number of supported v1 and v2 signers
|
||||
Subject: [PATCH] Limit the number of supported v1 and v2 signers
|
||||
|
||||
The v1 and v2 APK Signature Schemes support multiple signers; this
|
||||
was intended to allow multiple entities to sign an APK. Previously,
|
||||
@ -36,10 +36,10 @@ Change-Id: I604ce656e6dcd750e664adcb814c5c66f7b80ce1
|
||||
create mode 100644 src/test/resources/com/android/apksig/v2-only-11-signers.apk
|
||||
|
||||
diff --git a/src/main/java/com/android/apksig/ApkVerifier.java b/src/main/java/com/android/apksig/ApkVerifier.java
|
||||
index 5e458ef..62b132a 100644
|
||||
index 3e1e7da..cfbc8d2 100644
|
||||
--- a/src/main/java/com/android/apksig/ApkVerifier.java
|
||||
+++ b/src/main/java/com/android/apksig/ApkVerifier.java
|
||||
@@ -620,6 +620,15 @@ public class ApkVerifier {
|
||||
@@ -644,6 +644,15 @@ public class ApkVerifier {
|
||||
}
|
||||
|
||||
private void mergeFrom(ApkSigningBlockUtils.Result source) {
|
||||
@ -55,7 +55,7 @@ index 5e458ef..62b132a 100644
|
||||
switch (source.signatureSchemeVersion) {
|
||||
case ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2:
|
||||
mVerifiedUsingV2Scheme = source.verified;
|
||||
@@ -897,6 +906,16 @@ public class ApkVerifier {
|
||||
@@ -921,6 +930,16 @@ public class ApkVerifier {
|
||||
*/
|
||||
JAR_SIG_NO_SIGNATURES("No JAR signatures"),
|
||||
|
||||
@ -72,7 +72,7 @@ index 5e458ef..62b132a 100644
|
||||
/**
|
||||
* APK does not contain any entries covered by JAR signatures.
|
||||
*/
|
||||
@@ -1325,6 +1344,16 @@ public class ApkVerifier {
|
||||
@@ -1349,6 +1368,16 @@ public class ApkVerifier {
|
||||
"APK Signature Scheme v2 signature %1$s indicates the APK is signed using %2$s but "
|
||||
+ "no such signature was found. Signature stripped?"),
|
||||
|
||||
@ -111,7 +111,7 @@ index f900211..05721ed 100644
|
||||
generateManifestFile(
|
||||
jarEntryDigestAlgorithm, jarEntryDigests, sourceManifestBytes);
|
||||
diff --git a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java
|
||||
index a828bcc..8e49dd3 100644
|
||||
index 47d5b01..d633514 100644
|
||||
--- a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java
|
||||
+++ b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java
|
||||
@@ -16,6 +16,7 @@
|
||||
@ -122,7 +122,7 @@ index a828bcc..8e49dd3 100644
|
||||
import com.android.apksig.ApkVerifier.Issue;
|
||||
import com.android.apksig.ApkVerifier.IssueWithParams;
|
||||
import com.android.apksig.apk.ApkFormatException;
|
||||
@@ -249,6 +250,7 @@ public abstract class V1SchemeVerifier {
|
||||
@@ -275,6 +276,7 @@ public abstract class V1SchemeVerifier {
|
||||
// * All JAR entries listed in JAR manifest are present in the APK.
|
||||
|
||||
// Identify signers
|
||||
@ -130,7 +130,7 @@ index a828bcc..8e49dd3 100644
|
||||
List<Signer> signers = new ArrayList<>(sigBlockEntries.size());
|
||||
for (CentralDirectoryRecord sigBlockEntry : sigBlockEntries) {
|
||||
String sigBlockEntryName = sigBlockEntry.getName();
|
||||
@@ -277,6 +279,11 @@ public abstract class V1SchemeVerifier {
|
||||
@@ -303,6 +305,11 @@ public abstract class V1SchemeVerifier {
|
||||
result.addError(Issue.JAR_SIG_NO_SIGNATURES);
|
||||
return;
|
||||
}
|
||||
@ -143,10 +143,10 @@ index a828bcc..8e49dd3 100644
|
||||
// Verify each signer's signature block file .(RSA|DSA|EC) against the corresponding
|
||||
// signature file .SF. Any error encountered for any signer terminates verification, to
|
||||
diff --git a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java
|
||||
index 6d001e7..375ff91 100644
|
||||
index d8e4723..a423bdd 100644
|
||||
--- a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java
|
||||
+++ b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java
|
||||
@@ -161,6 +161,12 @@ public abstract class V2SchemeSigner {
|
||||
@@ -162,6 +162,12 @@ public abstract class V2SchemeSigner {
|
||||
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
|
||||
// FORMAT:
|
||||
// * length-prefixed sequence of length-prefixed signer blocks.
|
||||
@ -160,10 +160,10 @@ index 6d001e7..375ff91 100644
|
||||
List<byte[]> signerBlocks = new ArrayList<>(signerConfigs.size());
|
||||
int signerNumber = 0;
|
||||
diff --git a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java
|
||||
index e1be06e..39b205b 100644
|
||||
index 51c40bd..e3e7e8d 100644
|
||||
--- a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java
|
||||
+++ b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java
|
||||
@@ -180,6 +180,7 @@ public abstract class V2SchemeVerifier {
|
||||
@@ -184,6 +184,7 @@ public abstract class V2SchemeVerifier {
|
||||
int maxSdkVersion,
|
||||
ApkSigningBlockUtils.Result result) throws NoSuchAlgorithmException {
|
||||
ByteBuffer signers;
|
||||
@ -171,7 +171,7 @@ index e1be06e..39b205b 100644
|
||||
try {
|
||||
signers = ApkSigningBlockUtils.getLengthPrefixedSlice(apkSignatureSchemeV2Block);
|
||||
} catch (ApkFormatException e) {
|
||||
@@ -221,6 +222,9 @@ public abstract class V2SchemeVerifier {
|
||||
@@ -225,6 +226,9 @@ public abstract class V2SchemeVerifier {
|
||||
return;
|
||||
}
|
||||
}
|
||||
@ -182,10 +182,10 @@ index e1be06e..39b205b 100644
|
||||
|
||||
/**
|
||||
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
|
||||
index 80f35ba..ccdb02a 100644
|
||||
index 1434017..729d96f 100644
|
||||
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
|
||||
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
|
||||
@@ -339,6 +339,106 @@ public class ApkSignerTest {
|
||||
@@ -635,6 +635,106 @@ public class ApkSignerTest {
|
||||
} catch (ApkFormatException expected) {}
|
||||
}
|
||||
|
||||
@ -293,7 +293,7 @@ index 80f35ba..ccdb02a 100644
|
||||
public void testWeirdZipCompressionMethod() throws Exception {
|
||||
// Any ZIP compression method other than STORED is treated as DEFLATED by Android.
|
||||
diff --git a/src/test/java/com/android/apksig/ApkVerifierTest.java b/src/test/java/com/android/apksig/ApkVerifierTest.java
|
||||
index 6f6c04d..0546f0f 100644
|
||||
index 351d0a8..2392b88 100644
|
||||
--- a/src/test/java/com/android/apksig/ApkVerifierTest.java
|
||||
+++ b/src/test/java/com/android/apksig/ApkVerifierTest.java
|
||||
@@ -239,6 +239,20 @@ public class ApkVerifierTest {
|
||||
@ -317,7 +317,7 @@ index 6f6c04d..0546f0f 100644
|
||||
@Test
|
||||
public void testV2StrippedRejected() throws Exception {
|
||||
// APK signed with v1 and v2 schemes, but v2 signature was stripped from the file (by using
|
||||
@@ -471,6 +485,23 @@ public class ApkVerifierTest {
|
||||
@@ -630,6 +644,23 @@ public class ApkVerifierTest {
|
||||
Issue.V2_SIG_NO_SUPPORTED_SIGNATURES);
|
||||
}
|
||||
|
||||
@ -1442,6 +1442,3 @@ Tg9RFHk9CIzHQe49++O|{heuzh
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
||||
--
|
||||
2.30.2
|
||||
|
||||
|
@ -1,26 +1,32 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Mon, 3 Jul 2023 12:00:12 -0400
|
||||
Subject: [PATCH] Hardened signature spoofing
|
||||
Subject: [PATCH] Unprivileged microG handling
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
|
||||
- Only spoofs the Google package signature
|
||||
- Sets the packages forceQueryable
|
||||
- Spoofs apps installed via some sources as Play Store
|
||||
|
||||
This is an effective merge + tweak of two existing patches, credits:
|
||||
Dylanger Daly
|
||||
https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
|
||||
Chirayu Desai of CalyxOS
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/97765782f942d0975c383c90fde9140ef3ccf01b
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/d81763383588e81353e24ad0a56ae2478752319c
|
||||
|
||||
Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/PackageParser.java | 32 +++++++++++++++
|
||||
.../android/content/pm/PackageParser.java | 32 +++++++++++
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../server/pm/PackageManagerService.java | 39 ++++++++++++++++++-
|
||||
3 files changed, 71 insertions(+), 2 deletions(-)
|
||||
.../com/android/server/pm/AppsFilter.java | 19 +++++++
|
||||
.../server/pm/PackageManagerService.java | 57 ++++++++++++++++++-
|
||||
4 files changed, 108 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
|
||||
index c63fea6e3e0e..a9e49921efba 100644
|
||||
@ -78,8 +84,56 @@ index f4efcc7e4eec..584b3011b0c6 100644
|
||||
</string-array>
|
||||
|
||||
<!-- This string array can be overriden to enable test location providers initially. -->
|
||||
diff --git a/services/core/java/com/android/server/pm/AppsFilter.java b/services/core/java/com/android/server/pm/AppsFilter.java
|
||||
index 10f77144e022..eaa6bbb58679 100644
|
||||
--- a/services/core/java/com/android/server/pm/AppsFilter.java
|
||||
+++ b/services/core/java/com/android/server/pm/AppsFilter.java
|
||||
@@ -39,6 +39,7 @@ import android.os.Handler;
|
||||
import android.os.HandlerExecutor;
|
||||
import android.os.HandlerThread;
|
||||
import android.os.Process;
|
||||
+import android.os.SystemProperties;
|
||||
import android.os.Trace;
|
||||
import android.os.UserHandle;
|
||||
import android.provider.DeviceConfig;
|
||||
@@ -540,6 +541,15 @@ public class AppsFilter {
|
||||
}
|
||||
}
|
||||
|
||||
+ // Package IDs of apps
|
||||
+ private static final String PACKAGE_GMSCORE = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_PLAY_STORE = "com.android.vending";
|
||||
+ private static final String PACKAGE_GSFPROXY = "com.google.android.gsf";
|
||||
+ // The setting to control microG enablement.
|
||||
+ private static final String MICROG_ENABLEMENT = "persist.security.sigspoof";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+
|
||||
private void addPackageInternal(PackageSetting newPkgSetting,
|
||||
ArrayMap<String, PackageSetting> existingSettings) {
|
||||
if (Objects.equals("android", newPkgSetting.name)) {
|
||||
@@ -564,10 +574,19 @@ public class AppsFilter {
|
||||
mQueriesViaComponentRequireRecompute = true;
|
||||
}
|
||||
|
||||
+ boolean isMicroG = false;
|
||||
+ if (SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ final boolean isValidGmsCore = newPkg.getPackageName().equals(PACKAGE_GMSCORE) && newPkg.getTargetSdkVersion() >= 29 && newPkg.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = newPkg.getPackageName().equals(PACKAGE_PLAY_STORE) && newPkg.getTargetSdkVersion() >= 24 && newPkg.getVersionCode() >= 30;
|
||||
+ final boolean isValidGsf = newPkg.getPackageName().equals(PACKAGE_GSFPROXY) && newPkg.getTargetSdkVersion() >= 24 && newPkg.getVersionCode() >= 8;
|
||||
+ isMicroG = (isValidGmsCore || isValidFakeStore || isValidGsf) && newPkg.getSigningDetails().getSha256Certificate().equals(MICROG_HASH);
|
||||
+ }
|
||||
+
|
||||
final boolean newIsForceQueryable =
|
||||
mForceQueryable.contains(newPkgSetting.appId)
|
||||
/* shared user that is already force queryable */
|
||||
|| newPkgSetting.forceQueryableOverride /* adb override */
|
||||
+ || isMicroG
|
||||
|| (newPkgSetting.isSystem() && (mSystemAppsQueryable
|
||||
|| newPkg.isForceQueryable()
|
||||
|| ArrayUtils.contains(mForceQueryableByDevicePackageNames,
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index 9611b381942c..f8f8b29d1798 100644
|
||||
index 9611b381942c..c286aa93130b 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -4465,8 +4465,20 @@ public class PackageManagerService extends IPackageManager.Stub
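Review bot: The AppsFilter.java additions re-declare `PACKAGE_GMSCORE`, `PACKAGE_PLAY_STORE`, `MICROG_ENABLEMENT` and `MICROG_HASH` and re-implement the name/targetSdk/versionCode predicate that PackageManagerService also carries, and the two copies already differ: AppsFilter accepts `com.google.android.gsf` and folds the certificate hash into `isMicroG`, while the PackageManagerService `isMicroG` covers only GmsCore and FakeStore and leaves the hash check to fakeSignature. These thresholds and the pinned hash are the whole trust decision, so they belong in one shared package-private helper that both classes call; otherwise a later version bump can update one copy and miss the other. `isMicroG` is also computed only when the package is added, so presumably switching `persist.security.sigspoof` off leaves these packages force-queryable until they are re-added; a comment stating the intended behaviour would help. addPackageInternal continues outside the hunk, and the later patch on this page repeats the same AppsFilter block.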
|
||||
@ -89,11 +143,11 @@ index 9611b381942c..f8f8b29d1798 100644
|
||||
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
|
||||
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals("com.google.android.gms") && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals("com.android.vending") && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals(PACKAGE_GMSCORE) && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals(PACKAGE_PLAY_STORE) && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ if (isMicroG && SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
|
||||
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
|
||||
+ userId, ps), permissions);
|
||||
@ -105,12 +159,17 @@ index 9611b381942c..f8f8b29d1798 100644
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -4502,6 +4514,29 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
}
|
||||
@@ -4563,6 +4575,34 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
return false;
|
||||
}
|
||||
|
||||
+ // The setting to control spoofing enablement.
|
||||
+ private static final String SPOOF_CONTROL = "persist.security.sigspoof";
|
||||
+ // Package IDs of apps
|
||||
+ private static final String PACKAGE_GMSCORE = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_PLAY_STORE = "com.android.vending";
|
||||
+ private static final String[] PACKAGES_SPOOF_INSTALLSOURCE =
|
||||
+ new String[] { "com.aurora.store", "dev.imranr.obtainium" };
|
||||
+ // The setting to control microG enablement.
|
||||
+ private static final String MICROG_ENABLEMENT = "persist.security.sigspoof";
|
||||
+ // The Google signature faked by microG.
|
||||
+ private static final String GOOGLE_CERT = "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";
|
||||
+ // The signing key hash of official microG builds.
|
||||
@ -120,7 +179,7 @@ index 9611b381942c..f8f8b29d1798 100644
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24 && pi != null) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
@ -133,5 +192,25 @@ index 9611b381942c..f8f8b29d1798 100644
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void checkPackageStartable(String packageName, int userId) {
|
||||
final int callingUid = Binder.getCallingUid();
|
||||
public PackageInfo getPackageInfo(String packageName, int flags, int userId) {
|
||||
return getPackageInfoInternal(packageName, PackageManager.VERSION_CODE_HIGHEST,
|
||||
@@ -21565,6 +21605,19 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
return null;
|
||||
}
|
||||
|
||||
+ if (SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ InstallSource installSource = ps.installSource;
|
||||
+ if (installSource != null && installSource.installerPackageName != null
|
||||
+ && mSettings.mPackages.get(PACKAGE_PLAY_STORE) != null
|
||||
+ && callingUid != Process.SYSTEM_UID
|
||||
+ && ArrayUtils.contains(PACKAGES_SPOOF_INSTALLSOURCE, installSource.installerPackageName)) {
|
||||
+ return InstallSource.create(PACKAGE_PLAY_STORE, PACKAGE_PLAY_STORE, PACKAGE_PLAY_STORE,
|
||||
+ ps.installSource.isOrphaned, false)
|
||||
+ .setInitiatingPackageSignatures(new PackageSignatures(
|
||||
+ mSettings.mPackages.get(PACKAGE_PLAY_STORE).getSigningDetails()));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return ps.installSource;
|
||||
}
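Review bot: The install-source override added in the `@@ -21565` hunk decides by package name alone: `ArrayUtils.contains(PACKAGES_SPOOF_INSTALLSOURCE, installSource.installerPackageName)` does not check the installer's signing certificate, and `mSettings.mPackages.get(PACKAGE_PLAY_STORE) != null` only shows that some package named `com.android.vending` is installed, not that it passed the microG hash and version checks used for signature spoofing. Callers that read the install source as a provenance signal therefore receive a Play Store attribution the system has not verified. Hold the result of `mSettings.mPackages.get(PACKAGE_PLAY_STORE)` in a local, which also removes the second lookup, and add `&& MICROG_HASH.equals(store.getSigningDetails().getSha256Certificate())` to the condition; pinning the two installers' certificates the same way would close the other half. The enclosing method starts outside the hunk, so whether the settings lock is held around these lookups cannot be seen here. The later patch on this page has the same block using `mSettings.getPackageLPr(PACKAGE_PLAY_STORE)`.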
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Wed, 20 Apr 2022 01:04:27 -0400
|
||||
Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
|
||||
Subject: [PATCH] Add a toggle for microG enablement
|
||||
|
||||
Copy and pasted from the GrapheneOS exec spawning toggle patch
|
||||
|
@ -1,26 +1,32 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Mon, 3 Jul 2023 12:00:12 -0400
|
||||
Subject: [PATCH] Hardened signature spoofing
|
||||
Subject: [PATCH] Unprivileged microG handling
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
|
||||
- Only spoofs the Google package signature
|
||||
- Sets the packages forceQueryable
|
||||
- Spoofs apps installed via some sources as Play Store
|
||||
|
||||
This is an effective merge + tweak of two existing patches, credits:
|
||||
Dylanger Daly
|
||||
https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
|
||||
Chirayu Desai of CalyxOS
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/97765782f942d0975c383c90fde9140ef3ccf01b
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/d81763383588e81353e24ad0a56ae2478752319c
|
||||
|
||||
Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/PackageParser.java | 32 +++++++++++++++
|
||||
.../android/content/pm/PackageParser.java | 32 ++++++++++
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../server/pm/PackageManagerService.java | 39 ++++++++++++++++++-
|
||||
3 files changed, 71 insertions(+), 2 deletions(-)
|
||||
.../com/android/server/pm/AppsFilter.java | 18 ++++++
|
||||
.../server/pm/PackageManagerService.java | 58 ++++++++++++++++++-
|
||||
4 files changed, 108 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
|
||||
index 8f5df4672dc0..c326ed2eb09c 100644
|
||||
@ -78,22 +84,84 @@ index 35af82fb39a2..403680089a8d 100644
|
||||
</string-array>
|
||||
|
||||
<!-- Package name(s) of Advanced Driver Assistance applications. These packages have additional
|
||||
diff --git a/services/core/java/com/android/server/pm/AppsFilter.java b/services/core/java/com/android/server/pm/AppsFilter.java
|
||||
index ed9b539c05df..83cc7a251ebf 100644
|
||||
--- a/services/core/java/com/android/server/pm/AppsFilter.java
|
||||
+++ b/services/core/java/com/android/server/pm/AppsFilter.java
|
||||
@@ -37,6 +37,7 @@ import android.content.pm.parsing.component.ParsedMainComponent;
|
||||
import android.content.pm.parsing.component.ParsedProvider;
|
||||
import android.os.Binder;
|
||||
import android.os.Process;
|
||||
+import android.os.SystemProperties;
|
||||
import android.os.Trace;
|
||||
import android.os.UserHandle;
|
||||
import android.provider.DeviceConfig;
|
||||
@@ -712,6 +713,15 @@ public class AppsFilter implements Watchable, Snappable {
|
||||
}
|
||||
}
|
||||
|
||||
+ // Package IDs of apps
|
||||
+ private static final String PACKAGE_GMSCORE = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_PLAY_STORE = "com.android.vending";
|
||||
+ private static final String PACKAGE_GSFPROXY = "com.google.android.gsf";
|
||||
+ // The setting to control microG enablement.
|
||||
+ private static final String MICROG_ENABLEMENT = "persist.security.sigspoof";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+
|
||||
/**
|
||||
* @return Additional packages that may have had their viewing visibility changed and may need
|
||||
* to be updated in the cache. Returns null if there are no additional packages.
|
||||
@@ -740,10 +750,18 @@ public class AppsFilter implements Watchable, Snappable {
|
||||
mQueriesViaComponentRequireRecompute = true;
|
||||
}
|
||||
|
||||
+ boolean isMicroG = false;
|
||||
+ if (SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ final boolean isValidGmsCore = newPkg.getPackageName().equals(PACKAGE_GMSCORE) && newPkg.getTargetSdkVersion() >= 29 && newPkg.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = newPkg.getPackageName().equals(PACKAGE_PLAY_STORE) && newPkg.getTargetSdkVersion() >= 24 && newPkg.getVersionCode() >= 30;
|
||||
+ final boolean isValidGsf = newPkg.getPackageName().equals(PACKAGE_GSFPROXY) && newPkg.getTargetSdkVersion() >= 24 && newPkg.getVersionCode() >= 8;
|
||||
+ isMicroG = (isValidGmsCore || isValidFakeStore || isValidGsf) && newPkg.getSigningDetails().getSha256Certificate().equals(MICROG_HASH);
|
||||
+ }
|
||||
final boolean newIsForceQueryable =
|
||||
mForceQueryable.contains(newPkgSetting.appId)
|
||||
/* shared user that is already force queryable */
|
||||
|| newPkgSetting.forceQueryableOverride /* adb override */
|
||||
+ || isMicroG
|
||||
|| (newPkgSetting.isSystem() && (mSystemAppsQueryable
|
||||
|| newPkg.isForceQueryable()
|
||||
|| ArrayUtils.contains(mForceQueryableByDevicePackageNames,
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index 5bbde18f7e9e..eca352c6c7f6 100644
|
||||
index 5bbde18f7e9e..5eda2166032c 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -3362,8 +3362,20 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -552,6 +552,14 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
|
||||
private static final String PRECOMPILE_LAYOUTS = "pm.precompile_layouts";
|
||||
|
||||
+ // Package IDs of apps
|
||||
+ private static final String PACKAGE_GMSCORE = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_PLAY_STORE = "com.android.vending";
|
||||
+ private static final String[] PACKAGES_SPOOF_INSTALLSOURCE =
|
||||
+ new String[] { "com.aurora.store", "dev.imranr.obtainium" };
|
||||
+ // The setting to control microG enablement.
|
||||
+ private static final String MICROG_ENABLEMENT = "persist.security.sigspoof";
|
||||
+
|
||||
private static final int RADIO_UID = Process.PHONE_UID;
|
||||
private static final int LOG_UID = Process.LOG_UID;
|
||||
private static final int NFC_UID = Process.NFC_UID;
|
||||
@@ -3362,8 +3370,20 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
|| ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
|
||||
: mPermissionManager.getGrantedPermissions(ps.name, userId);
|
||||
|
||||
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
|
||||
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals("com.google.android.gms") && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals("com.android.vending") && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals(PACKAGE_GMSCORE) && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals(PACKAGE_PLAY_STORE) && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ if (isMicroG && SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
|
||||
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
|
||||
+ userId, ps), permissions);
|
||||
@ -105,12 +173,10 @@ index 5bbde18f7e9e..eca352c6c7f6 100644
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -3400,6 +3412,29 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -3400,6 +3420,27 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
}
|
||||
}
|
||||
|
||||
+ // The setting to control spoofing enablement.
|
||||
+ private static final String SPOOF_CONTROL = "persist.security.sigspoof";
|
||||
+ // The Google signature faked by microG.
|
||||
+ private static final String GOOGLE_CERT = "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";
|
||||
+ // The signing key hash of official microG builds.
|
||||
@ -120,7 +186,7 @@ index 5bbde18f7e9e..eca352c6c7f6 100644
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24 && pi != null) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
@ -135,3 +201,23 @@ index 5bbde18f7e9e..eca352c6c7f6 100644
|
||||
public final PackageInfo getPackageInfo(String packageName, int flags, int userId) {
|
||||
return getPackageInfoInternal(packageName, PackageManager.VERSION_CODE_HIGHEST,
|
||||
flags, Binder.getCallingUid(), userId);
|
||||
@@ -24561,6 +24602,19 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
return null;
|
||||
}
|
||||
|
||||
+ if (SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ InstallSource installSource = ps.installSource;
|
||||
+ if (installSource != null && installSource.installerPackageName != null
|
||||
+ && mSettings.getPackageLPr(PACKAGE_PLAY_STORE) != null
|
||||
+ && callingUid != Process.SYSTEM_UID
|
||||
+ && ArrayUtils.contains(PACKAGES_SPOOF_INSTALLSOURCE, installSource.installerPackageName)) {
|
||||
+ return InstallSource.create(PACKAGE_PLAY_STORE, PACKAGE_PLAY_STORE, PACKAGE_PLAY_STORE, null,
|
||||
+ ps.installSource.isOrphaned, false)
|
||||
+ .setInitiatingPackageSignatures(new PackageSignatures(
|
||||
+ mSettings.getPackageLPr(PACKAGE_PLAY_STORE).getSigningDetails()));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return ps.installSource;
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Wed, 20 Apr 2022 01:04:27 -0400
|
||||
Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
|
||||
Subject: [PATCH] Add a toggle for microG enablement
|
||||
|
||||
Copy and pasted from the GrapheneOS exec spawning toggle patch
|
||||
|
@ -1,26 +1,32 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Mon, 3 Jul 2023 12:00:12 -0400
|
||||
Subject: [PATCH] Hardened signature spoofing
|
||||
Subject: [PATCH] Unprivileged microG handling
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
|
||||
- Only spoofs the Google package signature
|
||||
- Sets the packages forceQueryable
|
||||
- Spoofs apps installed via some sources as Play Store
|
||||
|
||||
This is an effective merge + tweak of two existing patches, credits:
|
||||
Dylanger Daly
|
||||
https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
|
||||
Chirayu Desai of CalyxOS
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/97765782f942d0975c383c90fde9140ef3ccf01b
|
||||
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/d81763383588e81353e24ad0a56ae2478752319c
|
||||
|
||||
Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/SigningDetails.java | 36 +++++++++++++++-
|
||||
.../android/content/pm/SigningDetails.java | 36 ++++++++++-
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../com/android/server/pm/ComputerEngine.java | 42 +++++++++++++++++--
|
||||
3 files changed, 75 insertions(+), 5 deletions(-)
|
||||
.../com/android/server/pm/AppsFilterImpl.java | 18 ++++++
|
||||
.../com/android/server/pm/ComputerEngine.java | 62 ++++++++++++++++++-
|
||||
4 files changed, 113 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/SigningDetails.java b/core/java/android/content/pm/SigningDetails.java
|
||||
index 1e659b74db77..00d669ab24e7 100644
|
||||
@ -91,11 +97,65 @@ index a7eae9c60b46..dbd475b52f02 100644
|
||||
</string-array>
|
||||
|
||||
<!-- Package name(s) of Advanced Driver Assistance applications. These packages have additional
|
||||
diff --git a/services/core/java/com/android/server/pm/AppsFilterImpl.java b/services/core/java/com/android/server/pm/AppsFilterImpl.java
|
||||
index 181c39ee50b5..0f4ac178ea35 100644
|
||||
--- a/services/core/java/com/android/server/pm/AppsFilterImpl.java
|
||||
+++ b/services/core/java/com/android/server/pm/AppsFilterImpl.java
|
||||
@@ -37,6 +37,7 @@ import android.content.pm.SigningDetails;
|
||||
import android.content.pm.UserInfo;
|
||||
import android.os.Handler;
|
||||
import android.os.Trace;
|
||||
+import android.os.SystemProperties;
|
||||
import android.os.UserHandle;
|
||||
import android.provider.DeviceConfig;
|
||||
import android.util.ArrayMap;
|
||||
@@ -482,6 +483,15 @@ public final class AppsFilterImpl extends AppsFilterLocked implements Watchable,
|
||||
}
|
||||
}
|
||||
|
||||
+ // Package IDs of apps
|
||||
+ private static final String PACKAGE_GMSCORE = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_PLAY_STORE = "com.android.vending";
|
||||
+ private static final String PACKAGE_GSFPROXY = "com.google.android.gsf";
|
||||
+ // The setting to control microG enablement.
|
||||
+ private static final String MICROG_ENABLEMENT = "persist.security.sigspoof";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+
|
||||
/**
|
||||
* @return Additional packages that may have had their viewing visibility changed and may need
|
||||
* to be updated in the cache. Returns null if there are no additional packages.
|
||||
@@ -519,9 +529,17 @@ public final class AppsFilterImpl extends AppsFilterLocked implements Watchable,
|
||||
|
||||
final boolean newIsForceQueryable;
|
||||
synchronized (mForceQueryableLock) {
|
||||
+ boolean isMicroG = false;
|
||||
+ if (SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ final boolean isValidGmsCore = newPkg.getPackageName().equals(PACKAGE_GMSCORE) && newPkg.getTargetSdkVersion() >= 29 && newPkgSetting.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = newPkg.getPackageName().equals(PACKAGE_PLAY_STORE) && newPkg.getTargetSdkVersion() >= 24 && newPkgSetting.getVersionCode() >= 30;
|
||||
+ final boolean isValidGsf = newPkg.getPackageName().equals(PACKAGE_GSFPROXY) && newPkg.getTargetSdkVersion() >= 24 && newPkgSetting.getVersionCode() >= 8;
|
||||
+ isMicroG = (isValidGmsCore || isValidFakeStore || isValidGsf) && newPkg.getSigningDetails().getSha256Certificate().equals(MICROG_HASH);
|
||||
+ }
|
||||
newIsForceQueryable = mForceQueryable.contains(newPkgSetting.getAppId())
|
||||
/* shared user that is already force queryable */
|
||||
|| newPkgSetting.isForceQueryableOverride() /* adb override */
|
||||
+ || isMicroG
|
||||
|| (newPkgSetting.isSystem() && (mSystemAppsQueryable
|
||||
|| newPkg.isForceQueryable()
|
||||
|| ArrayUtils.contains(mForceQueryableByDevicePackageNames,
|
||||
diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java
|
||||
index 58448bfefdaf..6047737af2ab 100644
|
||||
index 58448bfefdaf..c2c82d27cf92 100644
|
||||
--- a/services/core/java/com/android/server/pm/ComputerEngine.java
|
||||
+++ b/services/core/java/com/android/server/pm/ComputerEngine.java
|
||||
@@ -99,6 +99,7 @@ import android.os.IBinder;
|
||||
@@ -80,6 +80,7 @@ import android.content.pm.InstantAppResolveInfo;
|
||||
import android.content.pm.InstrumentationInfo;
|
||||
import android.content.pm.KeySet;
|
||||
import android.content.pm.PackageInfo;
|
||||
+import android.content.pm.PackageInstaller;
|
||||
import android.content.pm.PackageManager;
|
||||
import android.content.pm.PackageManagerInternal;
|
||||
import android.content.pm.ParceledListSlice;
|
||||
@@ -99,6 +100,7 @@ import android.os.IBinder;
|
||||
import android.os.ParcelableException;
|
||||
import android.os.PatternMatcher;
|
||||
import android.os.Process;
|
||||
@ -103,7 +163,7 @@ index 58448bfefdaf..6047737af2ab 100644
|
||||
import android.os.Trace;
|
||||
import android.os.UserHandle;
|
||||
import android.os.UserManager;
|
||||
@@ -1636,9 +1637,21 @@ public class ComputerEngine implements Computer {
|
||||
@@ -1636,9 +1638,21 @@ public class ComputerEngine implements Computer {
|
||||
|| ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
|
||||
: mPermissionManager.getGrantedPermissions(ps.getPackageName(), userId);
|
||||
|
||||
@ -112,11 +172,11 @@ index 58448bfefdaf..6047737af2ab 100644
|
||||
- ps);
|
||||
+
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals("com.google.android.gms") && p.getTargetSdkVersion() >= 29 && ps.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals("com.android.vending") && p.getTargetSdkVersion() >= 24 && ps.getVersionCode() >= 30;
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals(PACKAGE_GMSCORE) && p.getTargetSdkVersion() >= 29 && ps.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals(PACKAGE_PLAY_STORE) && p.getTargetSdkVersion() >= 24 && ps.getVersionCode() >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ if (isMicroG && SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
|
||||
+ state.getFirstInstallTime(), ps.getLastUpdateTime(), permissions, state,
|
||||
+ userId, ps), permissions);
|
||||
@ -128,12 +188,17 @@ index 58448bfefdaf..6047737af2ab 100644
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -1679,6 +1692,29 @@ public class ComputerEngine implements Computer {
|
||||
@@ -1679,6 +1693,34 @@ public class ComputerEngine implements Computer {
|
||||
}
|
||||
}
|
||||
|
||||
+ // The setting to control spoofing enablement.
|
||||
+ private static final String SPOOF_CONTROL = "persist.security.sigspoof";
|
||||
+ // Package IDs of apps
|
||||
+ private static final String PACKAGE_GMSCORE = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_PLAY_STORE = "com.android.vending";
|
||||
+ private static final String[] PACKAGES_SPOOF_INSTALLSOURCE =
|
||||
+ new String[] { "com.aurora.store", "dev.imranr.obtainium" };
|
||||
+ // The setting to control microG enablement.
|
||||
+ private static final String MICROG_ENABLEMENT = "persist.security.sigspoof";
|
||||
+ // The Google signature faked by microG.
|
||||
+ private static final String GOOGLE_CERT = "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";
|
||||
+ // The signing key hash of official microG builds.
|
||||
@ -143,7 +208,7 @@ index 58448bfefdaf..6047737af2ab 100644
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24 && pi != null) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
@ -158,3 +223,24 @@ index 58448bfefdaf..6047737af2ab 100644
|
||||
public final PackageInfo getPackageInfo(String packageName,
|
||||
@PackageManager.PackageInfoFlagsBits long flags, int userId) {
|
||||
return getPackageInfoInternal(packageName, PackageManager.VERSION_CODE_HIGHEST,
|
||||
@@ -5094,6 +5136,20 @@ public class ComputerEngine implements Computer {
|
||||
return null;
|
||||
}
|
||||
|
||||
+ if (SystemProperties.getBoolean(MICROG_ENABLEMENT, false)) {
|
||||
+ InstallSource installSource = ps.getInstallSource();
|
||||
+ if (installSource != null && installSource.installerPackageName != null
|
||||
+ && mSettings.getPackage(PACKAGE_PLAY_STORE) != null
|
||||
+ && callingUid != Process.SYSTEM_UID
|
||||
+ && ArrayUtils.contains(PACKAGES_SPOOF_INSTALLSOURCE, installSource.installerPackageName)) {
|
||||
+ return InstallSource.create(PACKAGE_PLAY_STORE, PACKAGE_PLAY_STORE, PACKAGE_PLAY_STORE, null,
|
||||
+ PackageInstaller.PACKAGE_SOURCE_STORE,
|
||||
+ ps.getInstallSource().isOrphaned, false)
|
||||
+ .setInitiatingPackageSignatures(new PackageSignatures(
|
||||
+ mSettings.getPackage(PACKAGE_PLAY_STORE).getSigningDetails()));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return ps.getInstallSource();
|
||||
}
|
||||
|
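Review bot: The install-source override in the last ComputerEngine hunk (`@@ -5094,6 +5136,20 @@`) is gated only on the toggle, on some package named `com.android.vending` being installed, and on the recorded installer's package name appearing in `PACKAGES_SPOOF_INSTALLSOURCE`; nothing in the condition checks who signed either package. The other two paths in this patch, `fakeSignature` and the `isMicroG` force-queryable check in AppsFilterImpl, both require `MICROG_HASH`, so this is the weakest gate of the three, and apps that treat the installer of record as a trust signal are told "Play Store" on the strength of a name match alone. If the intent is that this only applies with the official microG store installed, add `&& MICROG_HASH.equals(mSettings.getPackage(PACKAGE_PLAY_STORE).getSigningDetails().getSha256Certificate())` to the condition, and put a comment on `PACKAGES_SPOOF_INSTALLSOURCE` stating that entries are matched by package name only. The PackageManagerService variant of this patch earlier on the page has the same shape. The enclosing method starts outside the hunk.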
@ -1,7 +1,7 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Wed, 20 Apr 2022 01:04:27 -0400
|
||||
Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
|
||||
Subject: [PATCH] Add a toggle for microG enablement
|
||||
|
||||
Copy and pasted from the GrapheneOS exec spawning toggle patch
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit 19534732114f5cde187cc1b3af576800d24922d2
|
||||
Subproject commit 0f2fe873480406a6d83252ecefdb056dc9e166a0
|
@ -1 +1 @@
|
||||
Subproject commit 088fe4f379e85f01e75b002c788e154703c03dda
|
||||
Subproject commit ef2c6cd5cf9ebf35f66422721262fde72e314085
|
@ -290,9 +290,8 @@ echo "Deblobbing...";
|
||||
fi;
|
||||
|
||||
#Google Camera
|
||||
blobs=$blobs"|PixelCameraServices.*.apk";
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_CAMEXT" = true ]; then
|
||||
blobs=$blobs"|com.google.android.camera.*";
|
||||
blobs=$blobs"|com.google.android.camera.*|PixelCameraServices.*.apk";
|
||||
fi;
|
||||
|
||||
#Google NFC
|
||||
|
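Review bot: With `PixelCameraServices.*.apk` folded into the `DOS_DEBLOBBER_REMOVE_CAMEXT` branch, a build that sets the flag to false now keeps that APK, which the separate line above the `if` used to remove regardless of the flag. If that is intended, the flag's description in init.sh (`#Set true to remove camera extensions`) should say it also covers PixelCameraServices; if not, keep the standalone `blobs=$blobs"|PixelCameraServices.*.apk";` line. Which of the two printed lines is the new side is inferred from the commit message, since the page lost the +/- column.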
@ -194,7 +194,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0017-WiFi_Timeout.patch"; #Time
|
||||
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0018-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0020-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0021-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0021-Unprivileged_microG_Handling.patch"; fi; #Unprivileged microG handling (DivestOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
|
||||
@ -340,7 +340,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-Random_MAC-2.patch"
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-LTE_Only_Mode.patch"; #Add LTE-only option (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-microG_Toggle.patch"; fi; #Add a toggle for microG enablement (heavily based off of a GrapheneOS patch)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Settings/0001-disable_apps.patch"; #Add an ability to disable non-system apps from the "App info" screen (GrapheneOS)
|
||||
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 64;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase default max password length to 64 (GrapheneOS)
|
||||
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
|
||||
@ -558,7 +558,7 @@ enableLowRam "device/motorola/osprey" "osprey";
|
||||
enableLowRam "device/motorola/surnia" "surnia";
|
||||
#Tweaks for <3GB RAM devices
|
||||
enableLowRam "device/cyanogen/msm8916-common" "msm8916-common";
|
||||
enableLowRam "device/motorola/clark";
|
||||
enableLowRam "device/motorola/clark" "clark";
|
||||
enableLowRam "device/wileyfox/crackling" "crackling";
|
||||
#Tweaks for 3GB/4GB RAM devices
|
||||
#enableLowRam "device/oneplus/oneplus2" "oneplus2";
|
||||
|
@ -164,7 +164,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Burnin_Protection.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0021-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0022-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0023-System_JobScheduler_Allowance.patch"; #DeviceIdleJobsController: don't ignore whitelisted system apps (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Unprivileged_microG_Handling.patch"; fi; #Unprivileged microG handling (DivestOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
|
||||
@ -328,7 +328,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-LTE_Only_Mode-1.pat
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-LTE_Only_Mode-2.patch"; #Show preferred network options no matter the carrier configuration (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-LTE_Only_Mode-3.patch"; #Add LTE only entry when carrier enables world mode (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-microG_Toggle.patch"; fi; #Add a toggle for microG enablement (heavily based off of a GrapheneOS patch)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Settings/0001-disable_apps.patch"; #Add an ability to disable non-system apps from the "App info" screen (GrapheneOS)
|
||||
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
|
||||
fi;
|
||||
|
@ -174,7 +174,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0027-appops_reset_fix-2.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0028-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0030-System_JobScheduler_Allowance.patch"; #DeviceIdleJobsController: don't ignore whitelisted system apps (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0031-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0031-Unprivileged_microG_Handling.patch"; fi; #Unprivileged microG handling (DivestOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
|
||||
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
|
||||
@ -304,7 +304,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-LTE_Only_Mode.patch"; #Add LTE only setting (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-microG_Toggle.patch"; fi; #Add a toggle for microG enablement (heavily based off of a GrapheneOS patch)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Settings/0001-disable_apps.patch"; #Add an ability to disable non-system apps from the "App info" screen (GrapheneOS)
|
||||
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
|
||||
fi;
|
||||
@ -447,6 +447,7 @@ echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add
|
||||
echo "PRODUCT_PACKAGES += eSpeakNG" >> packages.mk; #PicoTTS needs work to compile on 18.1, use eSpeak-NG instead
|
||||
sed -i 's/OpenCamera/SecureCamera/' packages.mk #Use the GrapheneOS camera app
|
||||
awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
|
||||
awk -i inplace '!/persist.traced.enable/' build/target/product/lowram.mk; #breaks compile due to duplicate
|
||||
sed -i 's/wifi,cell/internet/' overlay/common/frameworks/base/packages/SystemUI/res/values/config.xml; #Use the modern quick tile
|
||||
sed -i 's|system/etc|$(TARGET_COPY_OUT_PRODUCT)/etc|' divestos.mk;
|
||||
fi;
|
||||
|
@ -182,7 +182,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0034-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0035-System_JobScheduler_Allowance.patch"; #DeviceIdleJobsController: don't ignore whitelisted system apps (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Unprivileged_microG_Handling.patch"; fi; #Unprivileged microG handling (DivestOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
|
||||
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
|
||||
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
|
||||
@ -301,7 +301,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-Captive_Portal_Togg
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-LTE_Only_Mode-1.patch"; #LTE Only Mode (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-LTE_Only_Mode-2.patch"; #Fix LTE Only mode on World Mode (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
|
||||
if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-microG_Toggle.patch"; fi; #Add a toggle for microG enablement (heavily based off of a GrapheneOS patch)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Settings/0001-disable_apps.patch"; #Add an ability to disable non-system apps from the "App info" screen (GrapheneOS)
|
||||
fi;
|
||||
|
||||
|
@ -42,7 +42,7 @@ export DOS_DEBLOBBER_REMOVE_ACCESSORIES=true; #Set false to allow use of externa
|
||||
export DOS_DEBLOBBER_REMOVE_ATFWD=true; #Set true to remove basic ATFWD blobs
|
||||
export DOS_DEBLOBBER_REMOVE_AUDIOFX=true; #Set true to remove AudioFX
|
||||
export DOS_DEBLOBBER_REMOVE_APTX=false; #Set true to remove aptX Bluetooth codec
|
||||
export DOS_DEBLOBBER_REMOVE_CAMEXT=false; #Set true to remove camera extensions
|
||||
export DOS_DEBLOBBER_REMOVE_CAMEXT=true; #Set true to remove camera extensions
|
||||
export DOS_DEBLOBBER_REMOVE_CNE=true; #Set true to remove all CNE blobs #XXX: Breaks Wi-Fi calling
|
||||
export DOS_DEBLOBBER_REMOVE_DPM=true; #Set true to remove all DPM blobs #XXX: Maybe breaks multi-sim and carrier aggregation (LTE+)
|
||||
export DOS_DEBLOBBER_REMOVE_DPP=false; #Set true to remove all Display Post Processing blobs #XXX: Breaks boot on select devices
|
||||
|