diff --git a/Misc/Features/GrapheneOS.txt b/Misc/Features/GrapheneOS.txt index c4d753e1..00145bd9 100644 --- a/Misc/Features/GrapheneOS.txt +++ b/Misc/Features/GrapheneOS.txt @@ -136,9 +136,6 @@ https://github.com/GrapheneOS/platform_frameworks_base/commit/54c07c79905dbaf2b8 https://github.com/GrapheneOS/platform_frameworks_base/commit/0f7cd0e2288a76f49154e8342036cea3e536e94c https://github.com/GrapheneOS/platform_frameworks_base/commit/e41b3e0da93dfda0e16c82767863b0610a8576cc https://github.com/GrapheneOS/platform_frameworks_base/commit/7208688690f8f4a4b904f1498123c8302cb74b69 -https://github.com/GrapheneOS/platform_frameworks_base/commit/35d517569aed194010fda7f19182acd5bf265024 -https://github.com/GrapheneOS/platform_frameworks_base/commit/44bece55f469254587d74b4327c9746e393d91fa -https://github.com/GrapheneOS/platform_frameworks_base/commit/de207d6020c459bc07b3c0c7ffc00e7c9cc90c95 [implemented] special permissions 13xhttps://github.com/GrapheneOS/platform_frameworks_base/commit/2bea9ac7ded28ad2cc08ac0d4794a5cbe54e142a diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-11.patch b/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-11.patch deleted file mode 100644 index f9feaacd..00000000 --- a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-11.patch +++ /dev/null @@ -1,231 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dmitry Muhomor -Date: Fri, 7 Oct 2022 20:15:14 +0300 -Subject: [PATCH] srt permissions: fix auto granting after package install - -Previous approach to auto-granting is not compatible with ability to disable auto-grants: -special runtime permissions were auto-granted for all users, including those that didn't have -the package installed. ---- - .../server/pm/InstallPackageHelper.java | 10 +++-- - .../PermissionManagerServiceImpl.java | 43 +++++++++++++------ - .../PermissionManagerServiceInternal.java | 20 ++++++++- - 3 files changed, 55 insertions(+), 18 deletions(-) - -diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java -index 7da5f51bcbc2..f7fa93bce4cb 100644 ---- a/services/core/java/com/android/server/pm/InstallPackageHelper.java -+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java -@@ -599,6 +599,7 @@ final class InstallPackageHelper { - permissionParamsBuilder.setAllowlistedRestrictedPermissions( - pkgSetting.getPkg().getRequestedPermissions()); - } -+ permissionParamsBuilder.setNewlyInstalledInUserId(userId); - mPm.mPermissionManager.onPackageInstalled(pkgSetting.getPkg(), - Process.INVALID_UID /* previousAppId */, - permissionParamsBuilder.build(), userId); -@@ -2118,6 +2119,10 @@ final class InstallPackageHelper { - } - } - -+ final PermissionManagerServiceInternal.PackageInstalledParams.Builder -+ permissionParamsBuilder = -+ new PermissionManagerServiceInternal.PackageInstalledParams.Builder(); -+ - // Set install reason for users that are having the package newly installed. - final int[] allUsersList = mPm.mUserManager.getUserIds(); - if (userId == UserHandle.USER_ALL) { -@@ -2125,10 +2130,12 @@ final class InstallPackageHelper { - if (!previousUserIds.contains(currentUserId) - && ps.getInstalled(currentUserId)) { - ps.setInstallReason(installReason, currentUserId); -+ permissionParamsBuilder.setNewlyInstalledInUserId(currentUserId); - } - } - } else if (!previousUserIds.contains(userId)) { - ps.setInstallReason(installReason, userId); -+ permissionParamsBuilder.setNewlyInstalledInUserId(userId); - } - - // TODO(b/169721400): generalize Incremental States and create a Callback object -@@ -2149,9 +2156,6 @@ final class InstallPackageHelper { - - mPm.mSettings.writeKernelMappingLPr(ps); - -- final PermissionManagerServiceInternal.PackageInstalledParams.Builder -- permissionParamsBuilder = -- new PermissionManagerServiceInternal.PackageInstalledParams.Builder(); - final boolean grantPermissions = (installArgs.mInstallFlags - & PackageManager.INSTALL_GRANT_RUNTIME_PERMISSIONS) != 0; - if (grantPermissions) { -diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java -index 2204ad6721c8..0fcd067142f5 100644 ---- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java -+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java -@@ -136,6 +136,7 @@ import com.android.server.pm.parsing.pkg.AndroidPackage; - import com.android.server.pm.parsing.pkg.AndroidPackageUtils; - import com.android.server.pm.pkg.AndroidPackageApi; - import com.android.server.pm.pkg.PackageStateInternal; -+import com.android.server.pm.pkg.PackageUserStateUtils; - import com.android.server.pm.pkg.component.ComponentMutateUtils; - import com.android.server.pm.pkg.component.ParsedPermission; - import com.android.server.pm.pkg.component.ParsedPermissionGroup; -@@ -2611,9 +2612,10 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - - synchronized (mLock) { - for (final int userId : userIds) { -+ final boolean isNotInstalledUserApp = !ps.isSystem() -+ && !PackageUserStateUtils.isAvailable(ps.getUserStateOrDefault(userId), 0); -+ - final UserPermissionState userState = mState.getOrCreateUserState(userId); -- // "replace" parameter is set to true even when the app is first installed -- final boolean uidStateWasPresent = userState.getUidState(ps.getAppId()) != null; - final UidPermissionState uidState = userState.getOrCreateUidState(ps.getAppId()); - - if (uidState.isMissing()) { -@@ -2891,13 +2893,23 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - } - } - -- if (isSpecialRuntimePermission(permName) && -- origPermState == null && -- // don't grant special runtime permission after update, -- // unless app comes from the system image -- (!uidStateWasPresent || ps.isSystem())) { -- if (uidState.grantPermission(bp)) { -- wasChanged = true; -+ if (isSpecialRuntimePermission(permName)) { -+ if (origPermState == null && ps.isSystem()) { -+ // always grant special runtime permissions to system packages -+ if (uidState.grantPermission(bp)) { -+ wasChanged = true; -+ } -+ } -+ -+ if (isNotInstalledUserApp) { -+ // Previously, special runtime permissions were granted in users -+ // that didn't have the package installed, which breaks the code -+ // that allows to skip granting these permissions at install time. -+ // (if UidPermissionState is already present at install time, it's -+ // reused as is). -+ if (uidState.revokePermission(bp)) { -+ wasChanged = true; -+ } - } - } - } else { -@@ -3639,7 +3651,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - } - - private void grantRequestedRuntimePermissionsInternal(@NonNull AndroidPackage pkg, -- @Nullable List permissions, int userId) { -+ @Nullable List permissions, int userId, boolean newlyInstalled) { - final int immutableFlags = PackageManager.FLAG_PERMISSION_SYSTEM_FIXED - | PackageManager.FLAG_PERMISSION_POLICY_FIXED; - -@@ -3654,6 +3666,9 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - final int myUid = Process.myUid(); - - for (String permission : pkg.getRequestedPermissions()) { -+ final boolean isPregrantedSpecialRuntimePermission = newlyInstalled && -+ SpecialRuntimePermUtils.shouldAutoGrant(pkg.getPackageName(), userId, permission); -+ - final boolean shouldGrantPermission; - synchronized (mLock) { - final Permission bp = mRegistry.getPermission(permission); -@@ -3662,10 +3677,11 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - && (supportsRuntimePermissions || !bp.isRuntimeOnly()) - && (permissions == null || permissions.contains(permission)); - } -- if (shouldGrantPermission) { -+ -+ if (shouldGrantPermission || isPregrantedSpecialRuntimePermission) { - final int flags = getPermissionFlagsInternal(pkg.getPackageName(), permission, - myUid, userId); -- if (supportsRuntimePermissions || isSpecialRuntimePermission(permission)) { -+ if (supportsRuntimePermissions || isPregrantedSpecialRuntimePermission) { - // Installer cannot change immutable permissions. - if ((flags & immutableFlags) == 0) { - grantRuntimePermissionInternal(pkg.getPackageName(), permission, false, -@@ -5016,7 +5032,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - addAllowlistedRestrictedPermissionsInternal(pkg, - params.getAllowlistedRestrictedPermissions(), - FLAG_PERMISSION_WHITELIST_INSTALLER, userId); -- grantRequestedRuntimePermissionsInternal(pkg, params.getGrantedPermissions(), userId); -+ grantRequestedRuntimePermissionsInternal(pkg, params.getGrantedPermissions(), userId, -+ params.isNewlyInstalledInUserId(userId)); - } - } - -diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java -index 95badb31f324..d17c0697ff7a 100644 ---- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java -+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java -@@ -22,6 +22,7 @@ import android.annotation.UserIdInt; - import android.app.AppOpsManager; - import android.content.pm.PermissionInfo; - import android.permission.PermissionManagerInternal; -+import android.util.SparseBooleanArray; - - import com.android.server.pm.parsing.pkg.AndroidPackage; - -@@ -322,13 +323,17 @@ public interface PermissionManagerServiceInternal extends PermissionManagerInter - private final List mAllowlistedRestrictedPermissions; - @NonNull - private final int mAutoRevokePermissionsMode; -+ @NonNull -+ private final SparseBooleanArray mNewlyInstalledInUserIds; - - private PackageInstalledParams(@NonNull List grantedPermissions, - @NonNull List allowlistedRestrictedPermissions, -- int autoRevokePermissionsMode) { -+ int autoRevokePermissionsMode, -+ SparseBooleanArray newlyInstalledInUserIds) { - mGrantedPermissions = grantedPermissions; - mAllowlistedRestrictedPermissions = allowlistedRestrictedPermissions; - mAutoRevokePermissionsMode = autoRevokePermissionsMode; -+ mNewlyInstalledInUserIds = newlyInstalledInUserIds; - } - - /** -@@ -360,6 +365,10 @@ public interface PermissionManagerServiceInternal extends PermissionManagerInter - return mAutoRevokePermissionsMode; - } - -+ public boolean isNewlyInstalledInUserId(int userId) { -+ return mNewlyInstalledInUserIds.get(userId, false); -+ } -+ - /** - * Builder class for {@link PackageInstalledParams}. - */ -@@ -370,6 +379,8 @@ public interface PermissionManagerServiceInternal extends PermissionManagerInter - private List mAllowlistedRestrictedPermissions = Collections.emptyList(); - @NonNull - private int mAutoRevokePermissionsMode = AppOpsManager.MODE_DEFAULT; -+ @NonNull -+ private final SparseBooleanArray mNewlyInstalledInUserIds = new SparseBooleanArray(); - - /** - * Set the permissions to be granted. -@@ -419,6 +430,10 @@ public interface PermissionManagerServiceInternal extends PermissionManagerInter - mAutoRevokePermissionsMode = autoRevokePermissionsMode; - } - -+ public void setNewlyInstalledInUserId(int userId) { -+ mNewlyInstalledInUserIds.put(userId, true); -+ } -+ - /** - * Build a new instance of {@link PackageInstalledParams}. - * -@@ -427,7 +442,8 @@ public interface PermissionManagerServiceInternal extends PermissionManagerInter - @NonNull - public PackageInstalledParams build() { - return new PackageInstalledParams(mGrantedPermissions, -- mAllowlistedRestrictedPermissions, mAutoRevokePermissionsMode); -+ mAllowlistedRestrictedPermissions, mAutoRevokePermissionsMode, -+ mNewlyInstalledInUserIds); - } - } - } diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-12.patch b/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-12.patch deleted file mode 100644 index d4f7e127..00000000 --- a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-12.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dmitry Muhomor -Date: Sun, 16 Oct 2022 17:13:03 +0300 -Subject: [PATCH] srt permissions: don't auto-revoke from "hidden" packages - -Special runtime permissions are auto-revoked in users that don't have the package installed, as a -workaround to a bug in previous OS versions that granted these permissions automatically in all -user profiles, including the ones that don't have this package installed, which interfered with -configurable auto-grants. - -PackageUserStateUtils.isAvailable() is not the right check for this, it returns false for apps -which are "hidden" with DevicePolicyManager#setApplicationHidden(). This method is used by work -profile managers (in particular, Shelter) to implement "app freezing" functionality. - -This led to special runtime permission being auto-revoked from "hidden" packages after OS reboot -and in a few other cases. ---- - .../server/pm/permission/PermissionManagerServiceImpl.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java -index 0fcd067142f5..d546ee0db05f 100644 ---- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java -+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java -@@ -2613,7 +2613,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt - synchronized (mLock) { - for (final int userId : userIds) { - final boolean isNotInstalledUserApp = !ps.isSystem() -- && !PackageUserStateUtils.isAvailable(ps.getUserStateOrDefault(userId), 0); -+ && !ps.getUserStateOrDefault(userId).isInstalled(); - - final UserPermissionState userState = mState.getOrCreateUserState(userId); - final UidPermissionState uidState = userState.getOrCreateUidState(ps.getAppId()); diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-13.patch b/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-13.patch deleted file mode 100644 index 89951fc4..00000000 --- a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-13.patch +++ /dev/null @@ -1,144 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dmitry Muhomor -Date: Fri, 7 Oct 2022 20:47:48 +0300 -Subject: [PATCH] PackageInstallerUI: an option to skip auto-grant of INTERNET - permission - ---- - .../res/layout/install_content_view.xml | 25 ++++++++++--- - .../PackageInstaller/res/values/strings.xml | 2 ++ - .../PackageInstallerActivity.java | 35 +++++++++++++++++++ - 3 files changed, 58 insertions(+), 4 deletions(-) - -diff --git a/packages/PackageInstaller/res/layout/install_content_view.xml b/packages/PackageInstaller/res/layout/install_content_view.xml -index 2ecd2d55ac71..4db24fffd7ea 100644 ---- a/packages/PackageInstaller/res/layout/install_content_view.xml -+++ b/packages/PackageInstaller/res/layout/install_content_view.xml -@@ -70,13 +70,30 @@ - - - -- -+ android:orientation="vertical" -+ android:visibility="invisible"> -+ -+ -+ -+ -+ -+ - - - Successfully installed \u201c%1$s\u201d -+ -+ Allow Network permission - -diff --git a/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java b/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java -index 10eefebadeff..7ecd02e47852 100644 ---- a/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java -+++ b/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java -@@ -44,16 +44,19 @@ import android.content.pm.PackageManager.NameNotFoundException; - import android.net.Uri; - import android.os.Bundle; - import android.os.Process; -+import android.os.RemoteException; - import android.os.UserManager; - import android.provider.Settings; - import android.util.Log; - import android.view.View; - import android.widget.Button; -+import android.widget.CheckBox; - - import com.android.internal.app.AlertActivity; - - import java.io.File; - import java.util.ArrayList; -+import java.util.Arrays; - import java.util.List; - - /** -@@ -132,6 +135,8 @@ public class PackageInstallerActivity extends AlertActivity { - private boolean mPermissionResultWasSet; - private boolean mAllowNextOnPause; - -+ private CheckBox mGrantInternetPermission; -+ - private void startInstallConfirm() { - View viewToEnable; - -@@ -141,6 +146,14 @@ public class PackageInstallerActivity extends AlertActivity { - } else { - // This is a new application with no permissions. - viewToEnable = requireViewById(R.id.install_confirm_question); -+ -+ if (mPkgInfo != null) { -+ String[] perms = mPkgInfo.requestedPermissions; -+ if (perms != null && Arrays.asList(perms).contains(Manifest.permission.INTERNET)) { -+ mGrantInternetPermission = requireViewById(R.id.install_allow_INTERNET_permission); -+ mGrantInternetPermission.setVisibility(View.VISIBLE); -+ } -+ } - } - - viewToEnable.setVisibility(View.VISIBLE); -@@ -438,6 +451,8 @@ public class PackageInstallerActivity extends AlertActivity { - mAlert.setButton(DialogInterface.BUTTON_POSITIVE, getString(R.string.install), - (ignored, ignored2) -> { - if (mOk.isEnabled()) { -+ handleSpecialRuntimePermissionAutoGrants(); -+ - if (mSessionId != -1) { - mInstaller.setPermissionsResult(mSessionId, true); - mPermissionResultWasSet = true; -@@ -894,4 +909,24 @@ public class PackageInstallerActivity extends AlertActivity { - getActivity().finish(); - } - } -+ -+ void handleSpecialRuntimePermissionAutoGrants() { -+ var skipPermissionAutoGrants = new ArrayList(); -+ -+ if (mGrantInternetPermission != null) { -+ if (!mGrantInternetPermission.isChecked()) { -+ skipPermissionAutoGrants.add(Manifest.permission.INTERNET); -+ } -+ } -+ -+ var pm = AppGlobals.getPackageManager(); -+ var pkgName = mPkgInfo.packageName; -+ int userId = getUserId(); -+ try { -+ pm.skipSpecialRuntimePermissionAutoGrantsForPackage(pkgName, -+ userId, skipPermissionAutoGrants); -+ } catch (RemoteException e) { -+ throw e.rethrowFromSystemServer(); -+ } -+ } - } diff --git a/Scripts/LineageOS-20.0/Patch.sh b/Scripts/LineageOS-20.0/Patch.sh index 8c3be6c3..baac84a0 100644 --- a/Scripts/LineageOS-20.0/Patch.sh +++ b/Scripts/LineageOS-20.0/Patch.sh @@ -145,10 +145,6 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-7.patc applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-8.patch"; #Improve compatibility with revoked INTERNET in DownloadManager (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-9.patch"; #Ignore pid when spoofing permission checks (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-10.patch"; #srt permissions: don't auto-grant denied ones when permissions are reset (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-11.patch"; #srt permissions: fix auto granting after package install (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-12.patch"; #srt permissions: don't auto-revoke from "hidden" packages (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions-13.patch"; #PackageInstallerUI: an option to skip auto-grant of INTERNET permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0015-System_Server_Extensions.patch"; #Timeout for Bluetooth (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0015-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS) @@ -179,6 +175,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0023-Skip_Screen_Animation.patc #applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Burnin_Protection.patch"; #SystemUI: add burnIn protection (arter97) #TODO: 20REBASE applyPatch "$DOS_PATCHES/android_frameworks_base/0025-Monet_Toggle.patch"; #Make monet based theming user configurable (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS) hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config changeDefaultDNS; #Change the default DNS servers sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)