Misc hardening from GrapheneOS

11 62f81c237b

11 1f05db99ab

11 f242089d3f
10 abcf485dcf
9x c5db5a9f9e

Signed-off-by: Tad <tad@spotco.us>
Tad 2022-03-15 14:38:08 -04:00
parent 844227a4f4
commit ad579b6681
6 changed files with 206 additions and 0 deletions


@ -0,0 +1,25 @@
From abcf485dcff6c7b06b0f241b4729fc8e2cf1d74f Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 1 Jul 2017 13:21:18 -0400
Subject: [PATCH] add alloc_size attributes to the allocator
This results in expanded _FORTIFY_SOURCE coverage.
---
osi/include/allocator.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/osi/include/allocator.h b/osi/include/allocator.h
index 3a4141f384..4fa059eb14 100644
--- a/osi/include/allocator.h
+++ b/osi/include/allocator.h
@@ -37,8 +37,8 @@ extern const allocator_t allocator_calloc;
char* osi_strdup(const char* str);
char* osi_strndup(const char* str, size_t len);
-void* osi_malloc(size_t size);
-void* osi_calloc(size_t size);
+void* osi_malloc(size_t size) __attribute__((alloc_size(1)));
+void* osi_calloc(size_t size) __attribute__((alloc_size(1)));
void osi_free(void* ptr);
// Free a buffer that was previously allocated with function |osi_malloc|
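Review bot: The annotated prototypes carry no comment saying what `alloc_size(1)` is for; the rationale ("expanded _FORTIFY_SOURCE coverage") exists only in the patch description, so a reader of allocator.h sees an unexplained attribute. A one-line comment above `osi_malloc`, e.g. `// alloc_size lets __builtin_object_size / _FORTIFY_SOURCE see the allocation size at call sites`, keeps the intent with the code. `osi_strdup` and `osi_strndup` are left unannotated, which is right because their allocation size is not a parameter, but a maintainer may read the omission as an oversight; noting that in the same comment avoids it. The definitions in allocator.cc are not in this patch, so whether they match the annotated declarations cannot be checked here.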


@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 2 Jan 2021 20:17:35 -0500
Subject: [PATCH] fix use-after-free in adbd_auth
The writev call is using references to data from the packet after it's
popped from the queue. This was discovered in GrapheneOS due to using
zero-on-free by default. It ends up resulting in adb being unable to
persistently whitelist keys.
Change-Id: Ibd9c1c4170bfe632b598b7666d09e4ce939a9e95
---
libs/adbd_auth/adbd_auth.cpp | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libs/adbd_auth/adbd_auth.cpp b/libs/adbd_auth/adbd_auth.cpp
index dae6eebaa5..15bd5c3913 100644
--- a/libs/adbd_auth/adbd_auth.cpp
+++ b/libs/adbd_auth/adbd_auth.cpp
@@ -282,9 +282,8 @@ public:
LOG(FATAL) << "adbd_auth: unhandled packet type?";
}
- output_queue_.pop_front();
-
ssize_t rc = writev(framework_fd_.get(), iovs, iovcnt);
+ output_queue_.pop_front();
if (rc == -1 && errno != EAGAIN && errno != EWOULDBLOCK) {
PLOG(ERROR) << "adbd_auth: failed to write to framework fd";
ReplaceFrameworkFd(unique_fd());
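Review bot: With `output_queue_.pop_front()` now placed after `writev`, the packet is still discarded unconditionally, so on EAGAIN/EWOULDBLOCK (which the following `if` deliberately treats as non-fatal) and on a short write (`rc` smaller than the summed iov lengths) the auth message is silently lost instead of retried. Unless the caller re-queues on that path, consider popping only after a complete write, e.g. `if (rc == -1 && (errno == EAGAIN || errno == EWOULDBLOCK)) return;` (or the equivalent for this method's control flow) before the pop, and comparing `rc` with the total iov length. Whether this is reachable depends on how `framework_fd_` is configured and how this method is driven, which is not visible here; the enclosing function starts before the hunk and continues after it.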


@ -0,0 +1,140 @@
From 62f81c237b7f4a33fbb13752def9cbf3f5c9e0d4 Mon Sep 17 00:00:00 2001
From: flawedworld <flawedworld@flawed.world>
Date: Wed, 1 Sep 2021 20:36:10 +0000
Subject: [PATCH] UserManager app installation restrictions
---
res/values/strings.xml | 2 +
res/xml/user_details_settings.xml | 4 ++
.../settings/users/UserDetailsSettings.java | 43 ++++++++++++++++---
3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index bd1076547f2..eee095c3053 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -7087,6 +7087,8 @@
<string name="user_enable_calling">Turn on phone calls</string>
<!-- Title of preference to enable calling and SMS [CHAR LIMIT=45] -->
<string name="user_enable_calling_sms">Turn on phone calls &amp; SMS</string>
+ <!-- Title of preference to disallow installing apps [CHAR LIMIT=45] -->
+ <string name="user_disallow_install_apps">Disallow installing apps</string>
<!-- Title of preference to remove the user [CHAR LIMIT=35] -->
<string name="user_remove_user">Delete user</string>
<!-- Title for confirmation of turning on calls [CHAR LIMIT=40] -->
diff --git a/res/xml/user_details_settings.xml b/res/xml/user_details_settings.xml
index 9280ff11632..d0a055fae29 100644
--- a/res/xml/user_details_settings.xml
+++ b/res/xml/user_details_settings.xml
@@ -29,6 +29,10 @@
android:key="app_and_content_access"
android:icon="@drawable/ic_lock_closed"
android:title="@string/user_restrictions_title" />
+ <SwitchPreference
+ android:icon="@drawable/ic_settings_install"
+ android:key="disallow_install_apps"
+ android:title="@string/user_disallow_install_apps" />
<com.android.settingslib.RestrictedPreference
android:key="remove_user"
android:icon="@drawable/ic_delete"
diff --git a/src/com/android/settings/users/UserDetailsSettings.java b/src/com/android/settings/users/UserDetailsSettings.java
index 897b3c7b83a..dc5dfb1dcca 100644
--- a/src/com/android/settings/users/UserDetailsSettings.java
+++ b/src/com/android/settings/users/UserDetailsSettings.java
@@ -59,6 +59,7 @@
private static final String KEY_ENABLE_TELEPHONY = "enable_calling";
private static final String KEY_REMOVE_USER = "remove_user";
private static final String KEY_APP_AND_CONTENT_ACCESS = "app_and_content_access";
+ private static final String KEY_DISALLOW_INSTALL_APPS = "disallow_install_apps";
/** Integer extra containing the userId to manage */
static final String EXTRA_USER_ID = "user_id";
@@ -78,6 +79,7 @@
Preference mAppAndContentAccessPref;
@VisibleForTesting
Preference mRemoveUserPref;
+ private SwitchPreference mInstallAppsPref;
@VisibleForTesting
UserInfo mUserInfo;
@@ -131,12 +133,37 @@ public boolean onPreferenceClick(Preference preference) {
@Override
public boolean onPreferenceChange(Preference preference, Object newValue) {
- if (Boolean.TRUE.equals(newValue)) {
- showDialog(mUserInfo.isGuest() ? DIALOG_CONFIRM_ENABLE_CALLING
- : DIALOG_CONFIRM_ENABLE_CALLING_AND_SMS);
- return false;
+ if (preference == mPhonePref) {
+ if (Boolean.TRUE.equals(newValue)) {
+ showDialog(mUserInfo.isGuest() ? DIALOG_CONFIRM_ENABLE_CALLING
+ : DIALOG_CONFIRM_ENABLE_CALLING_AND_SMS);
+ return false;
+ }
+ enableCallsAndSms(false);
+ } else if (preference == mInstallAppsPref) {
+ if (mUserInfo.isGuest()) {
+ mDefaultGuestRestrictions.putBoolean(UserManager.DISALLOW_INSTALL_APPS, (Boolean) newValue);
+ mUserManager.setDefaultGuestRestrictions(mDefaultGuestRestrictions);
+
+ // Update the guest's restrictions, if there is a guest
+ // TODO: Maybe setDefaultGuestRestrictions() can internally just set the restrictions
+ // on any existing guest rather than do it here with multiple Binder calls.
+ List<UserInfo> users = mUserManager.getUsers(true);
+ for (UserInfo user: users) {
+ if (user.isGuest()) {
+ UserHandle userHandle = UserHandle.of(user.id);
+ for (String key : mDefaultGuestRestrictions.keySet()) {
+ mUserManager.setUserRestriction(
+ key, mDefaultGuestRestrictions.getBoolean(key), userHandle);
+ }
+ }
+ }
+ } else {
+ UserHandle userHandle = UserHandle.of(mUserInfo.id);
+ mUserManager.setUserRestriction(UserManager.DISALLOW_INSTALL_APPS, (Boolean) newValue,
+ userHandle);
+ }
}
- enableCallsAndSms(false);
return true;
}
@@ -203,6 +230,7 @@ void initialize(Context context, Bundle arguments) {
mPhonePref = findPreference(KEY_ENABLE_TELEPHONY);
mRemoveUserPref = findPreference(KEY_REMOVE_USER);
mAppAndContentAccessPref = findPreference(KEY_APP_AND_CONTENT_ACCESS);
+ mInstallAppsPref = findPreference(KEY_DISALLOW_INSTALL_APPS);
mSwitchUserPref.setTitle(
context.getString(com.android.settingslib.R.string.user_switch_to_user,
@@ -220,6 +248,7 @@ void initialize(Context context, Bundle arguments) {
removePreference(KEY_ENABLE_TELEPHONY);
removePreference(KEY_REMOVE_USER);
removePreference(KEY_APP_AND_CONTENT_ACCESS);
+ removePreference(KEY_DISALLOW_INSTALL_APPS);
} else {
if (!Utils.isVoiceCapable(context)) { // no telephony
removePreference(KEY_ENABLE_TELEPHONY);
@@ -244,10 +273,13 @@ void initialize(Context context, Bundle arguments) {
mPhonePref.setChecked(
!mDefaultGuestRestrictions.getBoolean(UserManager.DISALLOW_OUTGOING_CALLS));
mRemoveUserPref.setTitle(R.string.user_exit_guest_title);
+ removePreference(KEY_DISALLOW_INSTALL_APPS);
} else {
mPhonePref.setChecked(!mUserManager.hasUserRestriction(
UserManager.DISALLOW_OUTGOING_CALLS, new UserHandle(userId)));
mRemoveUserPref.setTitle(R.string.user_remove_user);
+ mInstallAppsPref.setChecked(mUserManager.hasUserRestriction(
+ UserManager.DISALLOW_INSTALL_APPS, new UserHandle(userId)));
}
if (RestrictedLockUtilsInternal.hasBaseUserRestriction(context,
UserManager.DISALLOW_REMOVE_USER, UserHandle.myUserId())) {
@@ -257,6 +289,7 @@ void initialize(Context context, Bundle arguments) {
mRemoveUserPref.setOnPreferenceClickListener(this);
mPhonePref.setOnPreferenceChangeListener(this);
mAppAndContentAccessPref.setOnPreferenceClickListener(this);
+ mInstallAppsPref.setOnPreferenceChangeListener(this);
}
}
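Review bot: The guest branch of the new `preference == mInstallAppsPref` case (the block that writes `mDefaultGuestRestrictions` and walks every guest user) is unreachable: `initialize` removes `disallow_install_apps` both for non-admin callers and, in the `mUserInfo.isGuest()` branch, for guest targets, so the listener can only fire for a non-guest secondary user. Either drop that branch so the case reduces to `mUserManager.setUserRestriction(UserManager.DISALLOW_INSTALL_APPS, (Boolean) newValue, UserHandle.of(mUserInfo.id));`, or keep the preference for guests and delete the `removePreference(KEY_DISALLOW_INSTALL_APPS)` in the guest branch; carrying both makes the intended behaviour unclear. Separately, `hasUserRestriction` also reports a DISALLOW_INSTALL_APPS imposed by a device or profile owner, so an admin-enforced restriction would be presented as a freely toggleable switch; the file already guards DISALLOW_REMOVE_USER with `RestrictedLockUtilsInternal.hasBaseUserRestriction`, and a similar check that disables the switch when the restriction is enforced elsewhere seems warranted, though the rest of `initialize` lies outside the hunk.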


@ -260,6 +260,10 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
fi;
#if enterAndClear "system/bt"; then
#applyPatch "$DOS_PATCHES_COMMON/android_system_core/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#fi;
if enterAndClear "system/core"; then
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery
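Review bot: The new `system/bt` block is added entirely commented out (`#if enterAndClear "system/bt"; then` through `#fi;`) with no reason given, whereas the sibling script on this page tags a skipped block with `#XXX 17REBASE`; a marker in that style stating why the alloc_size patch is not applied on this branch would stop it from being silently forgotten. The referenced patch is also stored under `android_system_core/` although it edits `osi/include/allocator.h` in `system/bt`; if that location is deliberate, a short comment on the `#applyPatch` line saying so would keep a future reader from applying it in the `system/core` block that immediately follows.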


@ -261,6 +261,10 @@ fi;
#applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; #XXX 17REBASE
#fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES_COMMON/android_system_core/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi;
if enterAndClear "system/core"; then
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit 3032c7aa5ce90c0ae9c08fe271052c6e0304a1e7 01266f589e6deaef30b782531ae14435cdd2f18e; #insanity
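Review bot: The `applyPatch` in the new `system/bt` block loads `0001-alloc_size.patch` from the `android_system_core` patch directory, although the patch itself (earlier on this page) modifies `osi/include/allocator.h`, a `system/bt` file. A `system/core`-named path invites someone to move the line into the `system/core` block right below, where it would fail to apply. Consider relocating it to an `android_system_bt/` directory, or if the placement is intentional, add a trailing comment such as `#stored under android_system_core for historical reasons` so the mismatch is documented.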


@ -126,6 +126,7 @@ fi;
if enterAndClear "frameworks/native"; then
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_native/0002-fix-uaf.patch"; #Fix use-after-free in adbd_auth (GrapheneOS)
fi;
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@ -226,6 +227,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.pa
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options
fi;
@ -266,6 +268,7 @@ fi;
if enterAndClear "system/bt"; then
git am "$DOS_PATCHES/android_system_bt/a2dp-master-fixes.patch"; #topic
applyPatch "$DOS_PATCHES_COMMON/android_system_core/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi;
if enterAndClear "system/core"; then