Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-02-25 17:01:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

14.1: June ASB picks

Browse Source 
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-06-07 12:05:00 -04:00
parent 8383cd716d
commit c7b131ad60
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
5 changed files with 195 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
Patches/LineageOS-14.1/android_frameworks_base/393646.patch Normal file
View File

@ -0,0 +1,43 @@
From 2786005045df9d37fc4de14e5e4f60b9d5ec59b7 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Tue, 26 Mar 2024 10:31:44 -0700
Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
Another verification is needed after Bundle modification.
Bug: 321941232
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
---
.../android/server/accounts/AccountManagerService.java | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 126955add01a9..6ae79ec2e4aaa 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -2971,6 +2971,11 @@ public void onResult(Bundle result) {
// Strip auth token from result.
result.remove(AccountManager.KEY_AUTHTOKEN);
+ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
if (Log.isLoggable(TAG, Log.VERBOSE)) {
Log.v(TAG,
@@ -4402,6 +4407,11 @@ public void onResult(Bundle result) {
} else {
if (mStripAuthTokenFromResult) {
result.remove(AccountManager.KEY_AUTHTOKEN);
+ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
}
if (Log.isLoggable(TAG, Log.VERBOSE)) {
Log.v(TAG, getClass().getSimpleName()

54
Patches/LineageOS-14.1/android_frameworks_base/393647.patch Normal file
View File

@ -0,0 +1,54 @@
From 1595b95840ad55128edacd32996afb954480aefd Mon Sep 17 00:00:00 2001
From: Chris Wailes <chriswailes@google.com>
Date: Thu, 18 Apr 2019 18:25:57 -0700
Subject: [PATCH] [BACKPORT] Adds additional sanitization for Zygote command
arguments.
Previously we were only insuring that the arguments provided to the
Zygote didn't contain any newlines. This adds additional checks for
carriage returns and standalone integer arguments to protect against
malicious argument and packet injection respectively.
Bug: 130164289
Test: m & flash & boot & check logs
Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
---
core/java/android/os/Process.java | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
index e1b7fdad25e7d..1e084529de6e5 100644
--- a/core/java/android/os/Process.java
+++ b/core/java/android/os/Process.java
@@ -16,6 +16,7 @@
package android.os;
+import android.annotation.NonNull;
import android.annotation.TestApi;
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
@@ -564,15 +565,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
* @throws ZygoteStartFailedEx if process start failed for any reason
*/
private static ProcessStartResult zygoteSendArgsAndGetResult(
- ZygoteState zygoteState, ArrayList<String> args)
+ ZygoteState zygoteState, @NonNull ArrayList<String> args)
throws ZygoteStartFailedEx {
try {
// Throw early if any of the arguments are malformed. This means we can
// avoid writing a partial response to the zygote.
int sz = args.size();
for (int i = 0; i < sz; i++) {
+ // Making two indexOf calls here is faster than running a manually fused loop due
+ // to the fact that indexOf is a optimized intrinsic.
if (args.get(i).indexOf('\n') >= 0) {
- throw new ZygoteStartFailedEx("embedded newlines not allowed");
+ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+ } else if (args.get(i).indexOf('\r') >= 0) {
+ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
}
}

32
Patches/LineageOS-14.1/android_frameworks_base/393648.patch Normal file
View File

@ -0,0 +1,32 @@
From 556cc034e359fd1bb64a1b16ebe7a61f06810bcb Mon Sep 17 00:00:00 2001
From: Hans Boehm <hboehm@google.com>
Date: Tue, 2 Jan 2024 16:53:13 -0800
Subject: [PATCH] [BACKPORT] Check hidden API exemptions
Refuse to deal with newlines and null characters in
HiddenApiSettings.update(). Also disallow nulls in process start
arguments.
Bug: 316153291
Test: Treehugger for now
(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
---
core/java/android/os/Process.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
index 1e084529de6e5..de8287baa828b 100644
--- a/core/java/android/os/Process.java
+++ b/core/java/android/os/Process.java
@@ -578,6 +578,8 @@ private static ProcessStartResult zygoteSendArgsAndGetResult(
throw new ZygoteStartFailedEx("Embedded newlines not allowed");
} else if (args.get(i).indexOf('\r') >= 0) {
throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+ } else if (args.get(i).indexOf('\u0000') >= 0) {
+ throw new ZygoteStartFailedEx("Embedded nulls not allowed");
}
}

61
Patches/LineageOS-14.1/android_frameworks_base/393649.patch Normal file
View File

@ -0,0 +1,61 @@
From 53abf79f26084d26d2887d716137fa9cd4eeefc9 Mon Sep 17 00:00:00 2001
From: Ameer Armaly <aarmaly@google.com>
Date: Fri, 8 Mar 2024 19:41:06 +0000
Subject: [PATCH] [RESTRICT AUTOMERGE] AccessibilityManagerService: remove
uninstalled services from enabled list after service update.
Bug: 326485767
Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f6192d3a77520d40b6a93de8f45400e19f5ba29f)
Merged-In: Ia86857d58ebab925ec6e55f9e5fa64e265326ec0
Change-Id: Ia86857d58ebab925ec6e55f9e5fa64e265326ec0
Change-Id: I898044b388399bded66acb22dba55c5df26ccc9f
---
.../AccessibilityManagerService.java | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
index 34ccb7b82c87c..38cf47a5d87b9 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
@@ -1294,10 +1294,13 @@ private void updateServicesLocked(UserState userState) {
boolean isUnlockingOrUnlocked = mContext.getSystemService(UserManager.class)
.isUserUnlockingOrUnlocked(userState.mUserId);
+ // Store the list of installed services.
+ mTempComponentNameSet.clear();
for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
ComponentName componentName = ComponentName.unflattenFromString(
installedService.getId());
+ mTempComponentNameSet.add(componentName);
Service service = componentNameToServiceMap.get(componentName);
@@ -1325,6 +1328,25 @@ private void updateServicesLocked(UserState userState) {
}
}
+ // If any services have been removed, remove them from the enabled list and the touch
+ // exploration granted list.
+ boolean anyServiceRemoved =
+ userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
+ || userState.mTouchExplorationGrantedServices.removeIf(
+ (comp) -> !mTempComponentNameSet.contains(comp));
+ if (anyServiceRemoved) {
+ // Update the enabled services setting.
+ persistComponentNamesToSettingLocked(
+ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
+ userState.mEnabledServices,
+ userState.mUserId);
+ // Update the touch exploration granted services setting.
+ persistComponentNamesToSettingLocked(
+ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
+ userState.mTouchExplorationGrantedServices,
+ userState.mUserId);
+ }
+ mTempComponentNameSet.clear();
updateAccessibilityEnabledSetting(userState);
}

6
Scripts/LineageOS-14.1/Patch.sh
View File

@ -82,7 +82,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk; sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
awk -i inplace '!/Exchange2/' target/product/core.mk; awk -i inplace '!/Exchange2/' target/product/core.mk;
sed -i 's/2021-06-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-05 #XXX sed -i 's/2021-06-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-06 #XXX
fi; fi;
if enterAndClear "device/qcom/sepolicy"; then if enterAndClear "device/qcom/sepolicy"; then
@ -282,6 +282,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 F
applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit. applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit.
applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout. applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout.
applyPatch "$DOS_PATCHES/android_frameworks_base/388831.patch"; #n-asb-2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long. applyPatch "$DOS_PATCHES/android_frameworks_base/388831.patch"; #n-asb-2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
applyPatch "$DOS_PATCHES/android_frameworks_base/393646.patch"; #n-asb-2024-05 Add more checkKeyIntent checks to AccountManagerService.
applyPatch "$DOS_PATCHES/android_frameworks_base/393647.patch"; #n-asb-2024-05 Adds additional sanitization for Zygote command arguments.
applyPatch "$DOS_PATCHES/android_frameworks_base/393648.patch"; #n-asb-2024-05 Check hidden API exemptions
applyPatch "$DOS_PATCHES/android_frameworks_base/393649.patch"; #n-asb-2024-05 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP) applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)