Small updates + Picks

Signed-off-by: Tad <tad@spotco.us>
2024-09-27 19:56:32 +00:00 · 2022-12-07 12:37:13 -05:00 · 2022-12-07 12:37:13 -05:00 · ce47fdae34
commit ce47fdae34
parent a62922e72d
8 changed files with 110 additions and 62 deletions
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Tad <tad@spotco.us>
-Date: Sat, 3 Dec 2022 23:00:52 -0500
-Subject: [PATCH] Don't crash system when adding SDK sandbox rules
-
-This is an ugly hack to prevent bailing and help debug.
-
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkPolicy.uid
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 103
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.util.SparseIntArray.keyAt(SparseIntArray.java:183)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.addSdkSandboxUidsIfNeeded(NetworkPolicyManagerService.java:5982)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.setUidFirewallRulesUL(NetworkPolicyManagerService.java:6002)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.updateRestrictedModeAllowlistUL(NetworkPolicyManagerService.java:4454)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService$12.onAvailable(NetworkPolicyManagerService.java:1449)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3801)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3783)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$CallbackHandler.handleMessage(ConnectivityManager.java:4107)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Looper.loopOnce(Looper.java:201)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:288)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.HandlerThread.run(HandlerThread.java:67)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.ServiceThread.run(ServiceThread.java:44)
-12-03 17:15:29.396  1406  1737 I am_crash: [1406,0,system_server,-1,java.lang.ArrayIndexOutOfBoundsException,Array index out of range: 103,SparseIntArray.java,183]
-
-Change-Id: I97fead6014ba47e107a90c57e12584b656a8e220
-Signed-off-by: Tad <tad@spotco.us>
---
- .../server/net/NetworkPolicyManagerService.java    | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-index 44f8e76c4dd0..030d4f23b11d 100644
--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-@@ -5978,12 +5978,16 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
-     private void addSdkSandboxUidsIfNeeded(SparseIntArray uidRules) {
-         final int size = uidRules.size();
-         final SparseIntArray sdkSandboxUids = new SparseIntArray();
-        for (int index = 0; index < size; index++) {
-            final int uid = uidRules.keyAt(index);
-            final int rule = uidRules.valueAt(index);
-            if (Process.isApplicationUid(uid)) {
-                sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
-+        try {
-+            for (int index = 0; index < size; index++) {
-+                final int uid = uidRules.keyAt(index);
-+                final int rule = uidRules.valueAt(index);
-+                if (Process.isApplicationUid(uid)) {
-+                    sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
-+                }
-             }
-+        } catch (Exception e) {
-+            Log.e(TAG, "problem setting sandbox uid rules, size: " + size, e);
-         }
- 
-         for (int index = 0; index < sdkSandboxUids.size(); index++) {
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tommy Webb <tommy@calyxinstitute.org>
+Date: Mon, 5 Dec 2022 14:42:38 +0100
+Subject: [PATCH] Reland "Fix network leaks with split-tunnel VPNs"
+
+This does two things:
+1. Revert the portion of I48e08f34 "fw/b: Add support for allowing
+   /disallowing apps on cellular, vpn and wifi networks" that was
+   previously responsible for updating the restricted mode allowlist
+   based on changes to the default network.
+2. Bring in Ib4bcf5ae "Fix network leaks with split-tunnel VPNs", which
+   meets the same goal of updating the allowlist, but in a wider range
+   of conditions. Retaining the prior implementation led to a race
+   condition which caused crashes and soft reboots, because the calls
+   to `updateRestrictedModeAllowlistUL()` were not being appropriately
+   guarded by `mUidRulesFirstLock`.
+
+Ultimately, this patch should probably be squashed into I48e08f34.
+
+Co-authored-by: Oliver Scott <olivercscott@gmail.com>
+Issue: calyxos#1081
+Change-Id: I84c7667824cc840724a07e7d0435f5ec59a67986
+---
+ .../net/NetworkPolicyManagerService.java      | 43 ++++++-------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+index 8102d892c2d7..7addf69a28af 100644
+--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+@@ -1105,14 +1105,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+                     ACTION_CARRIER_CONFIG_CHANGED);
+             mContext.registerReceiver(mCarrierConfigReceiver, carrierConfigFilter, null, mHandler);
+ 
+-            for (UserInfo userInfo : mUserManager.getAliveUsers()) {
+-                mConnManager.registerDefaultNetworkCallbackForUid(
+-                        UserHandle.getUid(userInfo.id, Process.myUid()),
+-                        mDefaultNetworkCallback,
+-                        mUidEventHandler
+-                );
+-            }
+-
+             // listen for meteredness changes
+             mConnManager.registerNetworkCallback(
+                     new NetworkRequest.Builder().build(), mNetworkCallback);
+@@ -1303,11 +1295,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+                                 ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(
+                                         mContext);
+                         if (action == ACTION_USER_ADDED) {
+-                            mConnManager.registerDefaultNetworkCallbackForUid(
+-                                    UserHandle.getUid(userId, Process.myUid()),
+-                                    mDefaultNetworkCallback,
+-                                    mUidEventHandler
+-                            );
+                             // Add apps that are allowed by default.
+                             addDefaultRestrictBackgroundAllowlistUidsUL(userId);
+                             try {
+@@ -1443,24 +1430,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+         return changed;
+     }
+ 
+-    private final NetworkCallback mDefaultNetworkCallback = new NetworkCallback() {
+-        @Override
+-        public void onAvailable(@NonNull Network network) {
+-            updateRestrictedModeAllowlistUL();
+-        }
+-
+-        @Override
+-        public void onCapabilitiesChanged(@NonNull Network network,
+-                @NonNull NetworkCapabilities networkCapabilities) {
+-            final int[] newTransports = networkCapabilities.getTransportTypes();
+-            final boolean transportsChanged = updateTransportChange(
+-                    mNetworkTransports, newTransports, network);
+-            if (transportsChanged) {
+-                updateRestrictedModeAllowlistUL();
+-            }
+-        }
+-    };
+-
+     private final NetworkCallback mNetworkCallback = new NetworkCallback() {
+         @Override
+         public void onCapabilitiesChanged(@NonNull Network network,
+@@ -1888,6 +1857,18 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+         updateSubscriptions();
+ 
+         synchronized (mUidRulesFirstLock) {
+            /* With split-tunnel VPNs (those that only include specific apps),
+             * the usual NetworkCallback handlers are never called, because the call to
+             * registerDefaultNetworkCallbackForUid only detects changes that affect this
+             * process; if this process is not covered by the VPN, it won't get callbacks.
+             * Ordinarily, updateRestrictedModeAllowlistUL() would be called from those.
+             * Firewall restrictions for apps will not be updated properly on VPN connect
+             * or disconnect if we don't call it from somewhere else, like here. */
+            // TODO: Come up with an appropriate callback that runs more promptly.
+            // updateNetworksInternal runs later than NetworkCallback handlers run, so
+            // this may present a window of opportunity for unauthorized network access.
+            updateRestrictedModeAllowlistUL();
+
+             synchronized (mNetworkPoliciesSecondLock) {
+                 ensureActiveCarrierPolicyAL();
+                 normalizePoliciesNL();
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -55,10 +55,6 @@ gpgVerifyDirectory "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/packa
 cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps
 cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files

-if enterAndClear "art"; then
-applyPatch "$DOS_PATCHES_COMMON/android_art/0001-mmap_fix.patch"; #Workaround for mmap error when building (AOSP)
-fi;
-
 if enterAndClear "bionic"; then
 applyPatch "$DOS_PATCHES_COMMON/android_bionic/0001-Wildcard_Hosts.patch"; #Support wildcards in cached hosts file (backport from 16.0+) (tdm)
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -56,7 +56,6 @@ cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BAS
 cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files

 if enterAndClear "art"; then
-applyPatch "$DOS_PATCHES_COMMON/android_art/0001-mmap_fix.patch"; #Workaround for mmap error when building (AOSP)
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_art/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;

--- a/Scripts/LineageOS-17.1/Functions.sh
+++ b/Scripts/LineageOS-17.1/Functions.sh
@ -84,6 +84,7 @@ patchWorkspace() {
 	#source build/envsetup.sh;
 	#repopick -it ten-firewall;
 	repopick -it Q_tzdb2022f;
+	repopick -it Q_asb_2022-12;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@ -115,6 +115,7 @@ patchWorkspace() {
 	#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 	#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
 	repopick -it R_tzdb2022f;
+	repopick -it R_asb_2022-12;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@ -183,6 +183,11 @@ if enterAndClear "frameworks/ex"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_ex/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;

+if enterAndClear "frameworks/minikin"; then
+git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/50/345450/1 && git cherry-pick FETCH_HEAD; #R_asb_2022-12
+git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/51/345451/1 && git cherry-pick FETCH_HEAD;
+fi;
+
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_native/0002-fix-uaf.patch"; #Fix use-after-free in adbd_auth (GrapheneOS)
--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@ -128,6 +128,7 @@ sed -i '11iLOCAL_OVERRIDES_PACKAGES := Aperture Camera Camera2 LegacyCamera Snap
 fi;

 if enterAndClear "frameworks/base"; then
+git revert --no-edit 70cc90b9298ac0b18fe79a4f8f9251c01b8f96d3; #causes soft reboots due to race
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -177,7 +178,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0023-Skip_Screen_Animation.patc
 applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
-applyPatch "$DOS_PATCHES/android_frameworks_base/0029-NetSDKSandboxCrash.patch"; #Don't crash system when adding SDK sandbox rules (DivestOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Split_Tunnel_Fixes.patch"; #Reland "Fix network leaks with split-tunnel VPNs" (CalyxOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)