mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-26 23:27:08 -05:00
Two hardening patches from @MSe1969
+ a backport of browser location restriction patch to 14.1 and 15.1 by @syphyr
This commit is contained in:
parent
163fdb1f68
commit
bb72bccbeb
@ -0,0 +1,35 @@
|
||||
From eb1485e1ad5c6683e949006dd62e02cec70ca382 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Mon, 24 Jul 2017 22:59:05 +0200
|
||||
Subject: [PATCH] stop granting location to Browser app by default
|
||||
|
||||
It works fine without it and requests it after the user grants
|
||||
location access to a site.
|
||||
|
||||
Change-Id: Ifabc3f1ae4acf008abf1467fc928eeb90613feff
|
||||
---
|
||||
.../com/android/server/pm/DefaultPermissionGrantPolicy.java | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
|
||||
index 5016ec0d4be0..027cd05bf9e9 100644
|
||||
--- a/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
|
||||
+++ b/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
|
||||
@@ -539,7 +539,7 @@ private void grantDefaultSystemHandlerPermissions(int userId) {
|
||||
}
|
||||
if (browserPackage != null
|
||||
&& doesPackageSupportRuntimePermissions(browserPackage)) {
|
||||
- grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, userId);
|
||||
+ //grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, userId);
|
||||
}
|
||||
|
||||
// Voice interaction
|
||||
@@ -785,7 +785,7 @@ public void grantDefaultPermissionsToDefaultBrowserLPr(String packageName, int u
|
||||
PackageParser.Package browserPackage = getSystemPackageLPr(packageName);
|
||||
if (browserPackage != null
|
||||
&& doesPackageSupportRuntimePermissions(browserPackage)) {
|
||||
- grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, false, false, userId);
|
||||
+ //grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, false, false, userId);
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,44 @@
|
||||
From 20a90f9fcf1bfd3da10210cc06f1428edbe92389 Mon Sep 17 00:00:00 2001
|
||||
From: MSe1969 <mse1969@posteo.de>
|
||||
Date: Thu, 20 Dec 2018 22:12:35 +0100
|
||||
Subject: [PATCH] AppOps: Default GET_USAGE_STATS to MODE_IGNORED
|
||||
|
||||
The AppOp OP_GET_USAGE_STATS is defaulted with MODE_DEFAULT and this is
|
||||
resolved to default to ALLOW, if the permission PACKAGE_USAGE_STATS is
|
||||
requested. This can be switched off in a specific settings menu, hence
|
||||
an opt-out is implemented in AOSP.
|
||||
|
||||
Letting 3rd parties analyze the behavior does not really add any value
|
||||
for the device holder, hence an opt-in makes more sense. Usage stats
|
||||
collection is now disabled by default for apps requesting that permission.
|
||||
|
||||
If the user wants to allow stats collection, he can enter the respective
|
||||
menu in settings and allow the app to collect usage data.
|
||||
|
||||
Change-Id: I9e08822851cf660277e45f3023aa80d8918f45ae
|
||||
---
|
||||
core/java/android/app/AppOpsManager.java | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
|
||||
index e13947335d2a..19287b3c13a4 100644
|
||||
--- a/core/java/android/app/AppOpsManager.java
|
||||
+++ b/core/java/android/app/AppOpsManager.java
|
||||
@@ -930,7 +930,7 @@
|
||||
AppOpsManager.MODE_ALLOWED,
|
||||
AppOpsManager.MODE_ALLOWED,
|
||||
AppOpsManager.MODE_ALLOWED,
|
||||
- AppOpsManager.MODE_DEFAULT, // OP_GET_USAGE_STATS
|
||||
+ AppOpsManager.MODE_IGNORED, // OP_GET_USAGE_STATS
|
||||
AppOpsManager.MODE_ALLOWED,
|
||||
AppOpsManager.MODE_ALLOWED,
|
||||
AppOpsManager.MODE_IGNORED, // OP_PROJECT_MEDIA
|
||||
@@ -1007,7 +1007,7 @@
|
||||
AppOpsManager.MODE_ALLOWED, // OP_WAKE_LOCK
|
||||
AppOpsManager.MODE_ALLOWED, // OP_MONITOR_LOCATION
|
||||
AppOpsManager.MODE_ASK, // OP_MONITOR_HIGH_POWER_LOCATION
|
||||
- AppOpsManager.MODE_DEFAULT, // OP_GET_USAGE_STATS
|
||||
+ AppOpsManager.MODE_IGNORED, // OP_GET_USAGE_STATS
|
||||
AppOpsManager.MODE_ALLOWED, // OP_MUTE_MICROPHONE
|
||||
AppOpsManager.MODE_ALLOWED, // OP_TOAST_WINDOW
|
||||
AppOpsManager.MODE_IGNORED, // OP_PROJECT_MEDIA
|
@ -0,0 +1,35 @@
|
||||
From 6bdd1bbcea89fc1494e87948d1147402e9d89042 Mon Sep 17 00:00:00 2001
|
||||
From: MSe1969 <mse1969@posteo.de>
|
||||
Date: Mon, 29 Oct 2018 12:14:17 +0100
|
||||
Subject: [PATCH] SUPL: Don't send IMSI / Phone number to SUPL server
|
||||
|
||||
Change-Id: I5ccc4d61e52ac11ef33f44618d0e610089885b87
|
||||
---
|
||||
.../com/android/server/location/GnssLocationProvider.java | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/location/GnssLocationProvider.java b/services/core/java/com/android/server/location/GnssLocationProvider.java
|
||||
index 2c11a01c7851..44163ece2c22 100644
|
||||
--- a/services/core/java/com/android/server/location/GnssLocationProvider.java
|
||||
+++ b/services/core/java/com/android/server/location/GnssLocationProvider.java
|
||||
@@ -2053,6 +2053,11 @@ private void requestSetID(int flags) {
|
||||
int type = AGPS_SETID_TYPE_NONE;
|
||||
String data = "";
|
||||
|
||||
+ /*
|
||||
+ * We don't want to tell Google our IMSI or phone number to spy on us!
|
||||
+ * As devices w/o SIM card also have working GPS, providing this data does
|
||||
+ * not seem to add a lot of value, at least not for the device holder
|
||||
+ *
|
||||
if ((flags & AGPS_RIL_REQUEST_SETID_IMSI) == AGPS_RIL_REQUEST_SETID_IMSI) {
|
||||
String data_temp = phone.getSubscriberId();
|
||||
if (data_temp == null) {
|
||||
@@ -2072,7 +2077,7 @@ else if ((flags & AGPS_RIL_REQUEST_SETID_MSISDN) == AGPS_RIL_REQUEST_SETID_MSISD
|
||||
data = data_temp;
|
||||
type = AGPS_SETID_TYPE_MSISDN;
|
||||
}
|
||||
- }
|
||||
+ } */
|
||||
native_agps_set_id(type, data);
|
||||
}
|
||||
|
@ -93,6 +93,9 @@ if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_f
|
||||
changeDefaultDNS;
|
||||
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Connectivity.patch"; #Change connectivity check URLs to ours
|
||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0002-Disable_usage_stats.patch"; #don't grant usage stats permission to apps by default
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
|
||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
||||
|
@ -97,6 +97,9 @@ if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_f
|
||||
changeDefaultDNS;
|
||||
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours
|
||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0002-Disable_usage_stats.patch"; #don't grant usage stats permission to apps by default
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
|
||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
||||
|
@ -100,6 +100,8 @@ changeDefaultDNS;
|
||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL
|
||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0002-Disable_usage_stats.patch"; #don't grant usage stats permission to apps by default
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
|
||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
||||
|
Loading…
x
Reference in New Issue
Block a user