mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-27 15:47:10 -05:00
Two hardening patches from @MSe1969
+ a backport of browser location restriction patch to 14.1 and 15.1 by @syphyr
parent
163fdb1f68
commit
bb72bccbeb
@ -0,0 +1,35 @@
|
|||||||
|
From eb1485e1ad5c6683e949006dd62e02cec70ca382 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Micay <danielmicay@gmail.com>
|
||||||
|
Date: Mon, 24 Jul 2017 22:59:05 +0200
|
||||||
|
Subject: [PATCH] stop granting location to Browser app by default
|
||||||
|
|
||||||
|
It works fine without it and requests it after the user grants
|
||||||
|
location access to a site.
|
||||||
|
|
||||||
|
Change-Id: Ifabc3f1ae4acf008abf1467fc928eeb90613feff
|
||||||
|
---
|
||||||
|
.../com/android/server/pm/DefaultPermissionGrantPolicy.java | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
|
||||||
|
index 5016ec0d4be0..027cd05bf9e9 100644
|
||||||
|
--- a/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
|
||||||
|
+++ b/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
|
||||||
|
@@ -539,7 +539,7 @@ private void grantDefaultSystemHandlerPermissions(int userId) {
|
||||||
|
}
|
||||||
|
if (browserPackage != null
|
||||||
|
&& doesPackageSupportRuntimePermissions(browserPackage)) {
|
||||||
|
- grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, userId);
|
||||||
|
+ //grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, userId);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Voice interaction
|
||||||
|
@@ -785,7 +785,7 @@ public void grantDefaultPermissionsToDefaultBrowserLPr(String packageName, int u
|
||||||
|
PackageParser.Package browserPackage = getSystemPackageLPr(packageName);
|
||||||
|
if (browserPackage != null
|
||||||
|
&& doesPackageSupportRuntimePermissions(browserPackage)) {
|
||||||
|
- grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, false, false, userId);
|
||||||
|
+ //grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, false, false, userId);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
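Review bot: Both `grantRuntimePermissionsLPw(browserPackage, LOCATION_PERMISSIONS, …)` calls are commented out rather than removed, which leaves an empty `if (browserPackage != null && doesPackageSupportRuntimePermissions(browserPackage))` body in grantDefaultSystemHandlerPermissions and in grantDefaultPermissionsToDefaultBrowserLPr, with nothing in the code saying why. I would delete the dead call and put the reason in its place, for example `// Location is intentionally not granted to the browser by default; it is requested when the user allows a site to use it.` Note also that this only changes what is granted by default: nothing visible here revokes a grant that an earlier build already made, so an upgraded device presumably keeps the old grant until the user removes it. Both methods begin and end outside the hunks shown.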
@ -0,0 +1,44 @@
|
|||||||
|
From 20a90f9fcf1bfd3da10210cc06f1428edbe92389 Mon Sep 17 00:00:00 2001
|
||||||
|
From: MSe1969 <mse1969@posteo.de>
|
||||||
|
Date: Thu, 20 Dec 2018 22:12:35 +0100
|
||||||
|
Subject: [PATCH] AppOps: Default GET_USAGE_STATS to MODE_IGNORED
|
||||||
|
|
||||||
|
The AppOp OP_GET_USAGE_STATS is defaulted with MODE_DEFAULT and this is
|
||||||
|
resolved to default to ALLOW, if the permission PACKAGE_USAGE_STATS is
|
||||||
|
requested. This can be switched off in a specific settings menu, hence
|
||||||
|
an opt-out is implemented in AOSP.
|
||||||
|
|
||||||
|
Letting 3rd parties analyze the behavior does not really add any value
|
||||||
|
for the device holder, hence an opt-in makes more sense. Usage stats
|
||||||
|
collection is now disabled by default for apps requesting that permission.
|
||||||
|
|
||||||
|
If the user wants to allow stats collection, he can enter the respective
|
||||||
|
menu in settings and allow the app to collect usage data.
|
||||||
|
|
||||||
|
Change-Id: I9e08822851cf660277e45f3023aa80d8918f45ae
|
||||||
|
---
|
||||||
|
core/java/android/app/AppOpsManager.java | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
|
||||||
|
index e13947335d2a..19287b3c13a4 100644
|
||||||
|
--- a/core/java/android/app/AppOpsManager.java
|
||||||
|
+++ b/core/java/android/app/AppOpsManager.java
|
||||||
|
@@ -930,7 +930,7 @@
|
||||||
|
AppOpsManager.MODE_ALLOWED,
|
||||||
|
AppOpsManager.MODE_ALLOWED,
|
||||||
|
AppOpsManager.MODE_ALLOWED,
|
||||||
|
- AppOpsManager.MODE_DEFAULT, // OP_GET_USAGE_STATS
|
||||||
|
+ AppOpsManager.MODE_IGNORED, // OP_GET_USAGE_STATS
|
||||||
|
AppOpsManager.MODE_ALLOWED,
|
||||||
|
AppOpsManager.MODE_ALLOWED,
|
||||||
|
AppOpsManager.MODE_IGNORED, // OP_PROJECT_MEDIA
|
||||||
|
@@ -1007,7 +1007,7 @@
|
||||||
|
AppOpsManager.MODE_ALLOWED, // OP_WAKE_LOCK
|
||||||
|
AppOpsManager.MODE_ALLOWED, // OP_MONITOR_LOCATION
|
||||||
|
AppOpsManager.MODE_ASK, // OP_MONITOR_HIGH_POWER_LOCATION
|
||||||
|
- AppOpsManager.MODE_DEFAULT, // OP_GET_USAGE_STATS
|
||||||
|
+ AppOpsManager.MODE_IGNORED, // OP_GET_USAGE_STATS
|
||||||
|
AppOpsManager.MODE_ALLOWED, // OP_MUTE_MICROPHONE
|
||||||
|
AppOpsManager.MODE_ALLOWED, // OP_TOAST_WINDOW
|
||||||
|
AppOpsManager.MODE_IGNORED, // OP_PROJECT_MEDIA
|
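Review bot: Switching the OP_GET_USAGE_STATS default from MODE_DEFAULT to MODE_IGNORED in both tables (the hunks at 930 and 1007) drops the fallback to the PACKAGE_USAGE_STATS permission check that the commit message describes, and it does so for every caller, not only third-party apps. If any preinstalled component on these branches relies on usage access (not visible from here), it would presumably be denied until the user enables it in settings, so that is worth testing before shipping. The entries should also say that the value is a deliberate opt-in, for example `AppOpsManager.MODE_IGNORED, // OP_GET_USAGE_STATS (opt-in: user must enable usage access)`. Op state already stored for an installed app is presumably not touched by a changed default. Both arrays start and end outside the hunks.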
@ -0,0 +1,35 @@
|
|||||||
|
From 6bdd1bbcea89fc1494e87948d1147402e9d89042 Mon Sep 17 00:00:00 2001
|
||||||
|
From: MSe1969 <mse1969@posteo.de>
|
||||||
|
Date: Mon, 29 Oct 2018 12:14:17 +0100
|
||||||
|
Subject: [PATCH] SUPL: Don't send IMSI / Phone number to SUPL server
|
||||||
|
|
||||||
|
Change-Id: I5ccc4d61e52ac11ef33f44618d0e610089885b87
|
||||||
|
---
|
||||||
|
.../com/android/server/location/GnssLocationProvider.java | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/services/core/java/com/android/server/location/GnssLocationProvider.java b/services/core/java/com/android/server/location/GnssLocationProvider.java
|
||||||
|
index 2c11a01c7851..44163ece2c22 100644
|
||||||
|
--- a/services/core/java/com/android/server/location/GnssLocationProvider.java
|
||||||
|
+++ b/services/core/java/com/android/server/location/GnssLocationProvider.java
|
||||||
|
@@ -2053,6 +2053,11 @@ private void requestSetID(int flags) {
|
||||||
|
int type = AGPS_SETID_TYPE_NONE;
|
||||||
|
String data = "";
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * We don't want to tell Google our IMSI or phone number to spy on us!
|
||||||
|
+ * As devices w/o SIM card also have working GPS, providing this data does
|
||||||
|
+ * not seem to add a lot of value, at least not for the device holder
|
||||||
|
+ *
|
||||||
|
if ((flags & AGPS_RIL_REQUEST_SETID_IMSI) == AGPS_RIL_REQUEST_SETID_IMSI) {
|
||||||
|
String data_temp = phone.getSubscriberId();
|
||||||
|
if (data_temp == null) {
|
||||||
|
@@ -2072,7 +2077,7 @@ else if ((flags & AGPS_RIL_REQUEST_SETID_MSISDN) == AGPS_RIL_REQUEST_SETID_MSISD
|
||||||
|
data = data_temp;
|
||||||
|
type = AGPS_SETID_TYPE_MSISDN;
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
+ } */
|
||||||
|
native_agps_set_id(type, data);
|
||||||
|
}
|
||||||
|
|
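Review bot: The IMSI/MSISDN lookup in requestSetID is disabled by opening a block comment with explanatory prose and closing it on `} */`, so the rationale and the dead code share one comment and any `*/` inside the disabled lines (the part between the two hunks is not visible) would end it early. It would be clearer to delete the disabled branches and keep a short comment above the call, for example `// Never hand IMSI or MSISDN to the SUPL server: always report AGPS_SETID_TYPE_NONE.` before `native_agps_set_id(type, data);`. With the block disabled, `flags` and whatever telephony handle the hidden lines obtain are presumably left unused. This covers only the framework path; whether the vendor GNSS stack sends identifiers by itself cannot be told from this file. The comment names Google, but the SUPL host comes from configuration and may be a carrier or vendor server.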
@ -93,6 +93,9 @@ if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_f
|
|||||||
changeDefaultDNS;
|
changeDefaultDNS;
|
||||||
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Connectivity.patch"; #Change connectivity check URLs to ours
|
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Connectivity.patch"; #Change connectivity check URLs to ours
|
||||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0002-Disable_usage_stats.patch"; #don't grant usage stats permission to apps by default
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
|
||||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||||
|
|
||||||
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
||||||
|
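Review bot: The three added `patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/…"` lines do not check the exit status of patch, so unless the script enables `set -e` outside this hunk, a hardening patch that stops applying on this branch is skipped and the build continues without it. Since these patches are privacy controls, a failure should stop the build, for example `patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch" || exit 1;`. The same applies to the added lines in the two following script sections (`@ -97,6 +97,9` and `@ -100,6 +100,8`). The trailing comment `#don't send IMSI to SUPL` could also mention the phone number, which the patch withholds as well.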
@ -97,6 +97,9 @@ if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_f
|
|||||||
changeDefaultDNS;
|
changeDefaultDNS;
|
||||||
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours
|
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours
|
||||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0002-Disable_usage_stats.patch"; #don't grant usage stats permission to apps by default
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
|
||||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||||
|
|
||||||
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
||||||
|
@ -100,6 +100,8 @@ changeDefaultDNS;
|
|||||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL
|
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL
|
||||||
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0002-Disable_usage_stats.patch"; #don't grant usage stats permission to apps by default
|
||||||
|
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
|
||||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||||
|
|
||||||
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
|
||||||
|