mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 15:09:34 -05:00
Further harden signature spoofing with targetSdk and versionCode checks
- Also fix compile for 17.1, rest should be fine Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
f2c8005853
commit
b7d37053c3
@ -5,6 +5,7 @@ Subject: [PATCH] Hardened signature spoofing
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
- Only spoofs the Google package signature
|
||||
|
||||
@ -18,14 +19,14 @@ Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/PackageParser.java | 32 +++++++++++++++
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../server/pm/PackageManagerService.java | 40 ++++++++++++++++++-
|
||||
3 files changed, 72 insertions(+), 2 deletions(-)
|
||||
.../server/pm/PackageManagerService.java | 39 ++++++++++++++++++-
|
||||
3 files changed, 71 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
|
||||
index 7f728febe5d9..119603e6c266 100644
|
||||
index f9f3ead23fb8..1da73e46f81d 100644
|
||||
--- a/core/java/android/content/pm/PackageParser.java
|
||||
+++ b/core/java/android/content/pm/PackageParser.java
|
||||
@@ -6346,6 +6346,38 @@ public class PackageParser {
|
||||
@@ -6348,6 +6348,38 @@ public class PackageParser {
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -65,7 +66,7 @@ index 7f728febe5d9..119603e6c266 100644
|
||||
public boolean signaturesMatchExactly(SigningDetails other) {
|
||||
return Signature.areExactMatch(this.signatures, other.signatures);
|
||||
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
|
||||
index a84d23b624bf..89754ba11ef2 100644
|
||||
index a84d23b624bf..1ab293758ee7 100644
|
||||
--- a/core/res/res/values/config.xml
|
||||
+++ b/core/res/res/values/config.xml
|
||||
@@ -1875,6 +1875,8 @@
|
||||
@ -78,32 +79,33 @@ index a84d23b624bf..89754ba11ef2 100644
|
||||
|
||||
<!-- This string array can be overriden to enable test location providers initially. -->
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index 1bd1396c6d45..1831c3770f51 100644
|
||||
index 9483f266b1fa..7e5a46cfd72f 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -4203,8 +4203,19 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -4203,8 +4203,20 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
});
|
||||
}
|
||||
|
||||
- PackageInfo packageInfo = PackageParser.generatePackageInfo(p, gids, flags,
|
||||
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId);
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
|
||||
+ p.getPackageName());
|
||||
+ final boolean isValidGmsCore = p.packageName.equals("com.google.android.gms") && p.applicationInfo.targetSdkVersion >= 29 && p.versionCode >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.packageName.equals("com.android.vending") && p.applicationInfo.targetSdkVersion >= 24 && p.versionCode >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags,
|
||||
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
|
||||
+ userId, ps), permissions);
|
||||
+ userId), permissions);
|
||||
+ } else {
|
||||
+ packageInfo =PackageParser.generatePackageInfo(p, gids, flags,
|
||||
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
|
||||
+ userId, ps);
|
||||
+ userId);
|
||||
+ }
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -4240,6 +4251,31 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -4240,6 +4252,29 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
}
|
||||
}
|
||||
|
||||
@ -113,14 +115,12 @@ index 1bd1396c6d45..1831c3770f51 100644
|
||||
+ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+ // List of packages which require signature spoofing.
|
||||
+ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
|
||||
+
|
||||
+ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
|
||||
+ private PackageInfo fakeSignature(PackageParser.Package p, PackageInfo pi,
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ String hash = p.mSigningDetails.getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH)) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.applicationInfo.targetSdkVersion >= 24) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
|
@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
|
||||
<item msgid="6490061470416867723">Small</item>
|
||||
<item msgid="3579015730662088893">Default</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index 2180ea45f6..eeee1c039f 100644
|
||||
index f6e3b0f62d..8f4a3c6115 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -810,6 +810,9 @@
|
||||
|
@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
|
||||
<string-array name="screen_timeout_entries">
|
||||
<item>15 seconds</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index eeee1c039f..c5287c4489 100644
|
||||
index 8f4a3c6115..ef517e8503 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -25,6 +25,25 @@
|
||||
|
@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
|
||||
<string-array name="screen_timeout_entries">
|
||||
<item>15 seconds</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index c5287c4489..0f254706ff 100644
|
||||
index ef517e8503..228d9570dd 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -44,6 +44,25 @@
|
||||
|
@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting
|
||||
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index 0f254706ff..fcac812417 100644
|
||||
index 228d9570dd..d965a63b0d 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -11316,6 +11316,9 @@
|
||||
|
@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle
|
||||
create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
|
||||
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index fcac812417..197882d66e 100644
|
||||
index d965a63b0d..e7dcf62ddc 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -11316,6 +11316,8 @@
|
||||
|
@ -106,7 +106,7 @@ index 6d95bcc58b..072004e447 100644
|
||||
<item>"18"</item>
|
||||
<item>"1"</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index 197882d66e..88bd100122 100644
|
||||
index e7dcf62ddc..fedb9f3fde 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -10942,6 +10942,8 @@
|
||||
|
@ -16,7 +16,7 @@ Change-Id: Ic01a142722372d9d57f52947025cd9db23e58ef4
|
||||
create mode 100644 src/com/android/settings/security/HostsPreferenceController.java
|
||||
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index 88bd100122..a64940d793 100644
|
||||
index fedb9f3fde..b5dbdc7d81 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -11327,6 +11327,9 @@
|
||||
|
@ -16,7 +16,7 @@ Signed-off-by: Tad <tad@spotco.us>
|
||||
create mode 100644 src/com/android/settings/security/SigSpoofPreferenceController.java
|
||||
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index a64940d793..a0149bc124 100644
|
||||
index a5aab8e5d0..eb346bd8eb 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -11330,6 +11330,9 @@
|
||||
|
@ -5,6 +5,7 @@ Subject: [PATCH] Hardened signature spoofing
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
- Only spoofs the Google package signature
|
||||
|
||||
@ -18,8 +19,8 @@ Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/PackageParser.java | 32 +++++++++++++++
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../server/pm/PackageManagerService.java | 40 ++++++++++++++++++-
|
||||
3 files changed, 72 insertions(+), 2 deletions(-)
|
||||
.../server/pm/PackageManagerService.java | 39 ++++++++++++++++++-
|
||||
3 files changed, 71 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
|
||||
index 57f8a713ec13..ec2cf1ace99f 100644
|
||||
@ -65,7 +66,7 @@ index 57f8a713ec13..ec2cf1ace99f 100644
|
||||
public boolean signaturesMatchExactly(SigningDetails other) {
|
||||
return Signature.areExactMatch(this.signatures, other.signatures);
|
||||
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
|
||||
index f4efcc7e4eec..6ff71f0e6d2e 100644
|
||||
index f4efcc7e4eec..584b3011b0c6 100644
|
||||
--- a/core/res/res/values/config.xml
|
||||
+++ b/core/res/res/values/config.xml
|
||||
@@ -1654,6 +1654,8 @@
|
||||
@ -78,18 +79,19 @@ index f4efcc7e4eec..6ff71f0e6d2e 100644
|
||||
|
||||
<!-- This string array can be overriden to enable test location providers initially. -->
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index 9611b381942c..900ba7ba68d2 100644
|
||||
index 9611b381942c..f8f8b29d1798 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -4465,8 +4465,19 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -4465,8 +4465,20 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
});
|
||||
}
|
||||
|
||||
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
|
||||
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
|
||||
+ p.getPackageName());
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals("com.google.android.gms") && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals("com.android.vending") && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
|
||||
@ -103,7 +105,7 @@ index 9611b381942c..900ba7ba68d2 100644
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -4502,6 +4513,31 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -4502,6 +4514,29 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
}
|
||||
}
|
||||
|
||||
@ -113,14 +115,12 @@ index 9611b381942c..900ba7ba68d2 100644
|
||||
+ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+ // List of packages which require signature spoofing.
|
||||
+ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
|
||||
+
|
||||
+ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH)) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
|
@ -5,6 +5,7 @@ Subject: [PATCH] Hardened signature spoofing
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
- Only spoofs the Google package signature
|
||||
|
||||
@ -18,8 +19,8 @@ Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/PackageParser.java | 32 +++++++++++++++
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../server/pm/PackageManagerService.java | 40 ++++++++++++++++++-
|
||||
3 files changed, 72 insertions(+), 2 deletions(-)
|
||||
.../server/pm/PackageManagerService.java | 39 ++++++++++++++++++-
|
||||
3 files changed, 71 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
|
||||
index f92c2951fdef..052d7db60379 100644
|
||||
@ -65,7 +66,7 @@ index f92c2951fdef..052d7db60379 100644
|
||||
public boolean signaturesMatchExactly(SigningDetails other) {
|
||||
return Signature.areExactMatch(this.signatures, other.signatures);
|
||||
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
|
||||
index a7d55479d2c3..c3616d28dd66 100644
|
||||
index a7d55479d2c3..d295fc5df234 100644
|
||||
--- a/core/res/res/values/config.xml
|
||||
+++ b/core/res/res/values/config.xml
|
||||
@@ -1804,6 +1804,8 @@
|
||||
@ -78,18 +79,19 @@ index a7d55479d2c3..c3616d28dd66 100644
|
||||
|
||||
<!-- Package name(s) of Advanced Driver Assistance applications. These packages have additional
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index 5bbde18f7e9e..fee7dc331558 100644
|
||||
index 5bbde18f7e9e..eca352c6c7f6 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -3362,8 +3362,19 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -3362,8 +3362,20 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
|| ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
|
||||
: mPermissionManager.getGrantedPermissions(ps.name, userId);
|
||||
|
||||
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
|
||||
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
|
||||
+ p.getPackageName());
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals("com.google.android.gms") && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals("com.android.vending") && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
|
||||
@ -103,7 +105,7 @@ index 5bbde18f7e9e..fee7dc331558 100644
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -3400,6 +3411,31 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
@@ -3400,6 +3412,29 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
}
|
||||
}
|
||||
|
||||
@ -113,14 +115,12 @@ index 5bbde18f7e9e..fee7dc331558 100644
|
||||
+ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+ // List of packages which require signature spoofing.
|
||||
+ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
|
||||
+
|
||||
+ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH)) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
|
@ -5,6 +5,7 @@ Subject: [PATCH] Hardened signature spoofing
|
||||
|
||||
- Must be enabled by user
|
||||
- Must match microG package ID
|
||||
- Must meet minimum respective targetSdk and versionCode
|
||||
- Must match official microG build signing key
|
||||
- Only spoofs the Google package signature
|
||||
|
||||
@ -18,8 +19,8 @@ Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
|
||||
---
|
||||
.../android/content/pm/SigningDetails.java | 36 +++++++++++++++-
|
||||
core/res/res/values/config.xml | 2 +
|
||||
.../com/android/server/pm/ComputerEngine.java | 43 +++++++++++++++++--
|
||||
3 files changed, 76 insertions(+), 5 deletions(-)
|
||||
.../com/android/server/pm/ComputerEngine.java | 42 +++++++++++++++++--
|
||||
3 files changed, 75 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/SigningDetails.java b/core/java/android/content/pm/SigningDetails.java
|
||||
index 1e659b74db77..00d669ab24e7 100644
|
||||
@ -78,7 +79,7 @@ index 1e659b74db77..00d669ab24e7 100644
|
||||
private void __metadata() {}
|
||||
|
||||
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
|
||||
index a01ec67630de..0b9ab8c1166c 100644
|
||||
index a01ec67630de..20ab9e79ae79 100644
|
||||
--- a/core/res/res/values/config.xml
|
||||
+++ b/core/res/res/values/config.xml
|
||||
@@ -2011,6 +2011,8 @@
|
||||
@ -91,7 +92,7 @@ index a01ec67630de..0b9ab8c1166c 100644
|
||||
|
||||
<!-- Package name(s) of Advanced Driver Assistance applications. These packages have additional
|
||||
diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java
|
||||
index 58448bfefdaf..dea76becbe05 100644
|
||||
index 58448bfefdaf..a01995c536a9 100644
|
||||
--- a/services/core/java/com/android/server/pm/ComputerEngine.java
|
||||
+++ b/services/core/java/com/android/server/pm/ComputerEngine.java
|
||||
@@ -99,6 +99,7 @@ import android.os.IBinder;
|
||||
@ -102,7 +103,7 @@ index 58448bfefdaf..dea76becbe05 100644
|
||||
import android.os.Trace;
|
||||
import android.os.UserHandle;
|
||||
import android.os.UserManager;
|
||||
@@ -1636,9 +1637,20 @@ public class ComputerEngine implements Computer {
|
||||
@@ -1636,9 +1637,21 @@ public class ComputerEngine implements Computer {
|
||||
|| ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
|
||||
: mPermissionManager.getGrantedPermissions(ps.getPackageName(), userId);
|
||||
|
||||
@ -111,8 +112,9 @@ index 58448bfefdaf..dea76becbe05 100644
|
||||
- ps);
|
||||
+
|
||||
+ // Allow microG GmsCore and FakeStore to spoof signature
|
||||
+ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
|
||||
+ p.getPackageName());
|
||||
+ final boolean isValidGmsCore = p.getPackageName().equals("com.google.android.gms") && p.getTargetSdkVersion() >= 29 && p.getVersionCode() >= 231657056;
|
||||
+ final boolean isValidFakeStore = p.getPackageName().equals("com.android.vending") && p.getTargetSdkVersion() >= 24 && p.getVersionCode() >= 30;
|
||||
+ final boolean isMicroG = isValidGmsCore || isValidFakeStore;
|
||||
+ PackageInfo packageInfo;
|
||||
+ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
|
||||
+ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
|
||||
@ -126,7 +128,7 @@ index 58448bfefdaf..dea76becbe05 100644
|
||||
|
||||
if (packageInfo == null) {
|
||||
return null;
|
||||
@@ -1679,6 +1691,31 @@ public class ComputerEngine implements Computer {
|
||||
@@ -1679,6 +1692,29 @@ public class ComputerEngine implements Computer {
|
||||
}
|
||||
}
|
||||
|
||||
@ -136,14 +138,12 @@ index 58448bfefdaf..dea76becbe05 100644
|
||||
+ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
|
||||
+ // The signing key hash of official microG builds.
|
||||
+ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
|
||||
+ // List of packages which require signature spoofing.
|
||||
+ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
|
||||
+
|
||||
+ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
|
||||
+ Set<String> permissions) {
|
||||
+ String hash = p.getSigningDetails().getSha256Certificate();
|
||||
+ try {
|
||||
+ if (hash.equals(MICROG_HASH)) {
|
||||
+ if (hash.equals(MICROG_HASH) && p.getTargetSdkVersion() >= 24) {
|
||||
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
|
||||
+ if (DEBUG_PACKAGE_INFO) {
|
||||
+ Log.v(TAG, "Spoofing signature for microG");
|
||||
|
@ -65,7 +65,7 @@ export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory all
|
||||
export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1+20.0
|
||||
export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
|
||||
export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"
|
||||
export DOS_MICROG_SUPPORT=false; #Opt-in unprivileged microG support on 20.0
|
||||
export DOS_MICROG_SUPPORT=false; #Opt-in unprivileged microG support on 17.1+18.1+19.1+20.0
|
||||
export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission for 14.1/15.1 #XXX: can break things like camera
|
||||
export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
|
||||
export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository
|
||||
|
Loading…
Reference in New Issue
Block a user