Small updates + Picks

Signed-off-by: Tad <tad@spotco.us>
2025-01-11 23:49:34 -05:00 · 2022-12-07 12:37:13 -05:00 · 2022-12-07 12:37:13 -05:00 · ce47fdae34
commit ce47fdae34
parent a62922e72d
8 changed files with 110 additions and 62 deletions
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
@ -1,56 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Tad <tad@spotco.us>
 Date: Sat, 3 Dec 2022 23:00:52 -0500
 Subject: [PATCH] Don't crash system when adding SDK sandbox rules
 This is an ugly hack to prevent bailing and help debug.
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkPolicy.uid
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 103
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.util.SparseIntArray.keyAt(SparseIntArray.java:183)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.addSdkSandboxUidsIfNeeded(NetworkPolicyManagerService.java:5982)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.setUidFirewallRulesUL(NetworkPolicyManagerService.java:6002)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.updateRestrictedModeAllowlistUL(NetworkPolicyManagerService.java:4454)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService$12.onAvailable(NetworkPolicyManagerService.java:1449)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3801)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3783)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$CallbackHandler.handleMessage(ConnectivityManager.java:4107)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Looper.loopOnce(Looper.java:201)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:288)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.HandlerThread.run(HandlerThread.java:67)
 12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.ServiceThread.run(ServiceThread.java:44)
 12-03 17:15:29.396  1406  1737 I am_crash: [1406,0,system_server,-1,java.lang.ArrayIndexOutOfBoundsException,Array index out of range: 103,SparseIntArray.java,183]
 Change-Id: I97fead6014ba47e107a90c57e12584b656a8e220
 Signed-off-by: Tad <tad@spotco.us>
 ---
 .../server/net/NetworkPolicyManagerService.java    | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
 index 44f8e76c4dd0..030d4f23b11d 100644
 --- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
 +++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
@@ -5978,12 +5978,16 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
     private void addSdkSandboxUidsIfNeeded(SparseIntArray uidRules) {
         final int size = uidRules.size();
         final SparseIntArray sdkSandboxUids = new SparseIntArray();
 -        for (int index = 0; index < size; index++) {
 -            final int uid = uidRules.keyAt(index);
 -            final int rule = uidRules.valueAt(index);
 -            if (Process.isApplicationUid(uid)) {
 -                sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
 +        try {
 +            for (int index = 0; index < size; index++) {
 +                final int uid = uidRules.keyAt(index);
 +                final int rule = uidRules.valueAt(index);
 +                if (Process.isApplicationUid(uid)) {
 +                    sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
 +                }
             }
 +        } catch (Exception e) {
 +            Log.e(TAG, "problem setting sandbox uid rules, size: " + size, e);
         }
         for (int index = 0; index < sdkSandboxUids.size(); index++) {
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
@ -0,0 +1,101 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Tommy Webb <tommy@calyxinstitute.org>
 Date: Mon, 5 Dec 2022 14:42:38 +0100
 Subject: [PATCH] Reland "Fix network leaks with split-tunnel VPNs"
 This does two things:
 1. Revert the portion of I48e08f34 "fw/b: Add support for allowing
   /disallowing apps on cellular, vpn and wifi networks" that was
   previously responsible for updating the restricted mode allowlist
   based on changes to the default network.
 2. Bring in Ib4bcf5ae "Fix network leaks with split-tunnel VPNs", which
   meets the same goal of updating the allowlist, but in a wider range
   of conditions. Retaining the prior implementation led to a race
   condition which caused crashes and soft reboots, because the calls
   to `updateRestrictedModeAllowlistUL()` were not being appropriately
   guarded by `mUidRulesFirstLock`.
 Ultimately, this patch should probably be squashed into I48e08f34.
 Co-authored-by: Oliver Scott <olivercscott@gmail.com>
 Issue: calyxos#1081
 Change-Id: I84c7667824cc840724a07e7d0435f5ec59a67986
 ---
 .../net/NetworkPolicyManagerService.java      | 43 ++++++-------------
 1 file changed, 12 insertions(+), 31 deletions(-)
 diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
 index 8102d892c2d7..7addf69a28af 100644
 --- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
 +++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
@@ -1105,14 +1105,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
                     ACTION_CARRIER_CONFIG_CHANGED);
             mContext.registerReceiver(mCarrierConfigReceiver, carrierConfigFilter, null, mHandler);
 -            for (UserInfo userInfo : mUserManager.getAliveUsers()) {
 -                mConnManager.registerDefaultNetworkCallbackForUid(
 -                        UserHandle.getUid(userInfo.id, Process.myUid()),
 -                        mDefaultNetworkCallback,
 -                        mUidEventHandler
 -                );
 -            }
 -
             // listen for meteredness changes
             mConnManager.registerNetworkCallback(
                     new NetworkRequest.Builder().build(), mNetworkCallback);
@@ -1303,11 +1295,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
                                 ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(
                                         mContext);
                         if (action == ACTION_USER_ADDED) {
 -                            mConnManager.registerDefaultNetworkCallbackForUid(
 -                                    UserHandle.getUid(userId, Process.myUid()),
 -                                    mDefaultNetworkCallback,
 -                                    mUidEventHandler
 -                            );
                             // Add apps that are allowed by default.
                             addDefaultRestrictBackgroundAllowlistUidsUL(userId);
                             try {
@@ -1443,24 +1430,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
         return changed;
     }
 -    private final NetworkCallback mDefaultNetworkCallback = new NetworkCallback() {
 -        @Override
 -        public void onAvailable(@NonNull Network network) {
 -            updateRestrictedModeAllowlistUL();
 -        }
 -
 -        @Override
 -        public void onCapabilitiesChanged(@NonNull Network network,
 -                @NonNull NetworkCapabilities networkCapabilities) {
 -            final int[] newTransports = networkCapabilities.getTransportTypes();
 -            final boolean transportsChanged = updateTransportChange(
 -                    mNetworkTransports, newTransports, network);
 -            if (transportsChanged) {
 -                updateRestrictedModeAllowlistUL();
 -            }
 -        }
 -    };
 -
     private final NetworkCallback mNetworkCallback = new NetworkCallback() {
         @Override
         public void onCapabilitiesChanged(@NonNull Network network,
@@ -1888,6 +1857,18 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
         updateSubscriptions();
         synchronized (mUidRulesFirstLock) {
 +            /* With split-tunnel VPNs (those that only include specific apps),
 +             * the usual NetworkCallback handlers are never called, because the call to
 +             * registerDefaultNetworkCallbackForUid only detects changes that affect this
 +             * process; if this process is not covered by the VPN, it won't get callbacks.
 +             * Ordinarily, updateRestrictedModeAllowlistUL() would be called from those.
 +             * Firewall restrictions for apps will not be updated properly on VPN connect
 +             * or disconnect if we don't call it from somewhere else, like here. */
 +            // TODO: Come up with an appropriate callback that runs more promptly.
 +            // updateNetworksInternal runs later than NetworkCallback handlers run, so
 +            // this may present a window of opportunity for unauthorized network access.
 +            updateRestrictedModeAllowlistUL();
 +
             synchronized (mNetworkPoliciesSecondLock) {
                 ensureActiveCarrierPolicyAL();
                 normalizePoliciesNL();
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -55,10 +55,6 @@ gpgVerifyDirectory "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/packa
 cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps
 cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files
 if enterAndClear "art"; then
 applyPatch "$DOS_PATCHES_COMMON/android_art/0001-mmap_fix.patch"; #Workaround for mmap error when building (AOSP)
 fi;
 if enterAndClear "bionic"; then
 applyPatch "$DOS_PATCHES_COMMON/android_bionic/0001-Wildcard_Hosts.patch"; #Support wildcards in cached hosts file (backport from 16.0+) (tdm)
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -56,7 +56,6 @@ cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BAS
 cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files
 if enterAndClear "art"; then
 applyPatch "$DOS_PATCHES_COMMON/android_art/0001-mmap_fix.patch"; #Workaround for mmap error when building (AOSP)
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_art/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
--- a/Scripts/LineageOS-17.1/Functions.sh
+++ b/Scripts/LineageOS-17.1/Functions.sh
@ -84,6 +84,7 @@ patchWorkspace() {
 	#source build/envsetup.sh;
 	#repopick -it ten-firewall;
 	repopick -it Q_tzdb2022f;
 	repopick -it Q_asb_2022-12;
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@ -115,6 +115,7 @@ patchWorkspace() {
 	#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 	#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
 	repopick -it R_tzdb2022f;
 	repopick -it R_asb_2022-12;
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@ -183,6 +183,11 @@ if enterAndClear "frameworks/ex"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_ex/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 if enterAndClear "frameworks/minikin"; then
 git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/50/345450/1 && git cherry-pick FETCH_HEAD; #R_asb_2022-12
 git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/51/345451/1 && git cherry-pick FETCH_HEAD;
 fi;
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_native/0002-fix-uaf.patch"; #Fix use-after-free in adbd_auth (GrapheneOS)
--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@ -128,6 +128,7 @@ sed -i '11iLOCAL_OVERRIDES_PACKAGES := Aperture Camera Camera2 LegacyCamera Snap
 fi;
 if enterAndClear "frameworks/base"; then
 git revert --no-edit 70cc90b9298ac0b18fe79a4f8f9251c01b8f96d3; #causes soft reboots due to race
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -177,7 +178,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0023-Skip_Screen_Animation.patc
 applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
-applyPatch "$DOS_PATCHES/android_frameworks_base/0029-NetSDKSandboxCrash.patch"; #Don't crash system when adding SDK sandbox rules (DivestOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Split_Tunnel_Fixes.patch"; #Reland "Fix network leaks with split-tunnel VPNs" (CalyxOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)