diff --git a/Misc/Features/GrapheneOS.txt b/Misc/Features/GrapheneOS.txt index 94a79a39..9b3612b5 100644 --- a/Misc/Features/GrapheneOS.txt +++ b/Misc/Features/GrapheneOS.txt @@ -92,12 +92,30 @@ nojit 12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/f1898802c8fd7474f723f9a44a316142d940dfed 12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/58c9f58bbde6789f944daf41d86acdc7b3e205f2 12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/2d14a42f7bc285e141377018285dc4e3fd8f8f86 +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/87837ab83af7ea8a9aa5e47c65e4361cd84479cf +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/1aa3ca343e98d99d98fdc35fd3dd1d2e5a17fa7d +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/a87929c2040dd4c36d72b52b211d281a74015dc2 +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/8d68accb37299400bba65df9fce805fa5a98fc9a +10 https://github.com/GrapheneOS/platform_frameworks_base/commit/4d5d82f4e2fb9ff68158bf30f3944591bb74dd04 +9 https://github.com/GrapheneOS/platform_frameworks_base/commit/09632b10185b9133949a431e27089f72b5cfeefa [implemented] sensors permission 12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/452c474dfae9a312f6e01db5b28de308dbb14cc2 12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/daed8c4e3ff8bf94a2a9aa319d32ec2ff5653c8f 12 https://github.com/GrapheneOS/platform_frameworks_native/commit/dcef490d7cab7bb9f96f8bfe19a8779ac140b26d 12 https://github.com/GrapheneOS/platform_frameworks_base/commit/a949bd530bdbedf2078119a90a93d7c15bca6975 +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/d18b364558ca86fe3d9bbb643f7dc79d1a57aa5d +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/cc9b673157996228e8096f83b993cce33a717e14 +11 https://github.com/GrapheneOS/platform_frameworks_native/commit/6ff4e668467a79b610a003bd989bc0833ade0912 +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/83e312089610419029b9e20272c3947edb7a9cc5 +10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/a1204e6126189810018ff5540858536a1c58ac37 +10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/fc8c816e07ce39583774db8fe668e0505b6aa504 +10 https://github.com/GrapheneOS/platform_frameworks_native/commit/ff005a6b6a38baef95c4a01d7e1fc75aac651a58 +10 https://github.com/GrapheneOS/platform_frameworks_base/commit/9ec9f7f521323552fa658b46862c8408f1a7b41b +9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/af08eeff533855ea164e80a42e18280f7002b4ea +9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/ae0f7cd347a92540b55175a44e3520c2f7145bc5 +9 https://github.com/GrapheneOS/platform_frameworks_native/commit/3e92487c4b0b4ff7b114640f7dcede2fe61bc6df +9 https://github.com/GrapheneOS/platform_frameworks_base/commit/899441075ddbfc945cff97e433c9e1c9d6bde7af [implemented] network permission 12 https://github.com/GrapheneOS/platform_frameworks_base/commit/947744f753638c82775186a3876f2b2ffd7c0244 @@ -114,6 +132,22 @@ nojit 12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/dbf6ae4cd96450a21be0a4dd85fb5addeba67462 12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/34cded990ebd8da8c47cab88f0b1ef523a05d122 12 https://github.com/GrapheneOS/platform_libcore/commit/7110daa77503720bbd2f233df53be90b742ce85a +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/d4b073b2c17f382a4bc922c3f12dc3673e3d8472 +11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/7396a2da80a06f1405b34370a9e2883dca57ba79 +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/2071543704d726333d77f934f73596c53d8f0595 +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/811d25733eb627d0b1a97e9fe86009763ed58a20 +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/826a021126b2d2592452205e8c37e5b26543809f +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/ae1a600f3bb804df86a3652e3fae977107addaf3 +11 https://github.com/GrapheneOS/platform_frameworks_base/commit/1f69f6d5c07d1d883328f91e40e8011ba386fdf8 +10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/6c4f112dde47f21ce5a583f5bd8b217db6de5c02 +10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/a07271ed7e45239369f2ca33496d939d2e9cbd08 +10 https://github.com/GrapheneOS/platform_frameworks_base/commit/246e5450929137c7c773c30fdc75268d30a1eea5 +10 https://github.com/GrapheneOS/platform_frameworks_base/commit/b5c9f9407d5f5407686ea8c02fa67573ddc07824 +10 https://github.com/GrapheneOS/platform_frameworks_base/commit/f412994d2c974b08941646acb61f0aee6cdfed05 +9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/880011e7af233249e1b70177daa3cd786574bc85 +9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99 +9 https://github.com/GrapheneOS/platform_frameworks_base/commit/2dd00723364fcf10e6c9e6c2e022e31524fda92d +9 https://github.com/GrapheneOS/platform_frameworks_base/commit/6ef61fd6f745b9709269d3612a3a4eea2250ebec [implemented] protected fifo/regular 12 https://github.com/GrapheneOS/platform_system_core/commit/ddf48612c160b13552588af4d64bc7bb55571618 diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch b/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch deleted file mode 100644 index 0bbcaae2..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/0011-Sensors.patch +++ /dev/null @@ -1,206 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Fri, 15 Mar 2019 22:05:36 +0100 -Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [base] - -Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: allow, strict) -- OP_OTHER_SENSORS (default: allow) - -Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb ---- - core/java/android/app/AppOpsManager.java | 35 ++++++++++++++++++++++-- - core/res/res/values-de/cm_strings.xml | 2 ++ - core/res/res/values-fr/cm_strings.xml | 2 ++ - core/res/res/values/cm_strings.xml | 2 ++ - core/res/res/values/lineage_arrays.xml | 4 +++ - 5 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java -index 5b763e50c38f..fef17859af8c 100644 ---- a/core/java/android/app/AppOpsManager.java -+++ b/core/java/android/app/AppOpsManager.java -@@ -371,8 +371,12 @@ public class AppOpsManager { - public static final int OP_DATA_CONNECT_CHANGE = 81; - /** @hide SU access */ - public static final int OP_SU = 82; -+ /** @hide Motion Sensors */ -+ public static final int OP_MOTION_SENSORS = 83; -+ /** @hide Other Sensors */ -+ public static final int OP_OTHER_SENSORS = 84; - /** @hide */ -- public static final int _NUM_OP = 83; -+ public static final int _NUM_OP = 85; - - /** Access to coarse location information. */ - public static final String OPSTR_COARSE_LOCATION = "android:coarse_location"; -@@ -628,6 +632,11 @@ public class AppOpsManager { - /** @hide */ - public static final String OPSTR_SU = "android:su"; - -+ public static final String OPSTR_MOTION_SENSORS = -+ "android:motion_sensors"; -+ public static final String OPSTR_OTHER_SENSORS = -+ "android:other_sensors"; -+ - // Warning: If an permission is added here it also has to be added to - // com.android.packageinstaller.permission.utils.EventLogger - private static final int[] RUNTIME_AND_APPOP_PERMISSIONS_OPS = { -@@ -676,7 +685,9 @@ public class AppOpsManager { - OP_WRITE_SETTINGS, - OP_REQUEST_INSTALL_PACKAGES, - OP_START_FOREGROUND, -- OP_SU -+ OP_SU, -+ OP_MOTION_SENSORS, -+ OP_OTHER_SENSORS - }; - - /** -@@ -771,6 +782,8 @@ public class AppOpsManager { - OP_NFC_CHANGE, // NFC_CHANGE - OP_DATA_CONNECT_CHANGE, // DATA_CONNECT_CHANGE - OP_SU, // SU -+ OP_MOTION_SENSORS, // MOTION_SENSORS -+ OP_OTHER_SENSORS // OTHER_SENSORS - }; - - /** -@@ -860,6 +873,8 @@ public class AppOpsManager { - OPSTR_NFC_CHANGE, - OPSTR_DATA_CONNECT_CHANGE, - OPSTR_SU, -+ OPSTR_MOTION_SENSORS, -+ OPSTR_OTHER_SENSORS, - }; - - /** -@@ -950,6 +965,8 @@ public class AppOpsManager { - "NFC_CHANGE", - "DATA_CONNECT_CHANGE", - "SU", -+ "MOTION_SENSORS", -+ "OTHER_SENSORS", - }; - - /** -@@ -1040,6 +1057,8 @@ public class AppOpsManager { - Manifest.permission.NFC, - null, - null, // no permission for OP_SU -+ null, // no permission for OP_MOTION_SENSORS -+ null, // no permission for OP_OTHER_SENSORS - }; - - /** -@@ -1131,6 +1150,8 @@ public class AppOpsManager { - null, // NFC_CHANGE - null, // DATA_CONNECT_CHANGE - UserManager.DISALLOW_SU, // SU TODO: this should really be investigated. -+ null, //MOTION_SENSORS -+ null, //OTHER_SENSORS - }; - - /** -@@ -1221,6 +1242,8 @@ public class AppOpsManager { - true, // NFC_CHANGE - true, // DATA_CONNECT_CHANGE - false, // SU -+ false, //MOTION_SENSORS -+ false, //OTHER_SENSORS - }; - - /** -@@ -1310,6 +1333,8 @@ public class AppOpsManager { - AppOpsManager.MODE_ALLOWED, // OP_NFC_CHANGE - AppOpsManager.MODE_ALLOWED, // OP_DATA_CONNECT_CHANGE - AppOpsManager.MODE_ASK, // OP_SU -+ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS -+ AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS - }; - - /** -@@ -1400,6 +1425,8 @@ public class AppOpsManager { - AppOpsManager.MODE_ASK, // OP_NFC_CHANGE - AppOpsManager.MODE_ASK, // OP_DATA_CONNECT_CHANGE - AppOpsManager.MODE_ASK, // OP_SU -+ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS -+ AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS - }; - - /** -@@ -1489,6 +1516,8 @@ public class AppOpsManager { - true, // NFC_CHANGE - true, // DATA_CONNECT_CHANGE - true, // SU -+ true, // OP_MOTION_SENSORS -+ false, // OP_OTHER_SENSORS - }; - - /** -@@ -1582,6 +1611,8 @@ public class AppOpsManager { - false, // OP_NFC_CHANGE - false, // OP_DATA_CONNECT_CHANGE - false, // OP_SU -+ false, // OP_MOTION_SENSORS -+ false, // OP_OTHER_SENSORS - }; - - /** -diff --git a/core/res/res/values-de/cm_strings.xml b/core/res/res/values-de/cm_strings.xml -index 8248b4d50731..e0f1b79882f7 100644 ---- a/core/res/res/values-de/cm_strings.xml -+++ b/core/res/res/values-de/cm_strings.xml -@@ -51,7 +51,9 @@ - die Zwischenablage zu ändern - Kontakte zu ändern - Einstellungen zu ändern -+ Bewegungssensoren zu nutzen - das Mikrofon zu aktivieren/deaktivieren -+ sonstige Sensoren zu nutzen - Anrufe zu beantworten - Bild im Bild zu verwenden - Audio wiederzugeben -diff --git a/core/res/res/values-fr/cm_strings.xml b/core/res/res/values-fr/cm_strings.xml -index 38cfd54ec910..027f79c607c2 100644 ---- a/core/res/res/values-fr/cm_strings.xml -+++ b/core/res/res/values-fr/cm_strings.xml -@@ -51,7 +51,9 @@ - modifier le presse-papiers - mettre à jour vos contacts - mettre à jour les paramètres du système -+ utiliser les capteurs de mouvement - activer/désactiver le microphone -+ utiliser d\'autres capteurs - répondre aux appels téléphoniques - utiliser le mode Picture-in-Picture - lecture audio -diff --git a/core/res/res/values/cm_strings.xml b/core/res/res/values/cm_strings.xml -index 301131e2663d..5939cae77b8e 100644 ---- a/core/res/res/values/cm_strings.xml -+++ b/core/res/res/values/cm_strings.xml -@@ -57,7 +57,9 @@ - modify the clipboard - update your contacts - update system settings -+ use the motion sensors - mute/unmute the microphone -+ use other sensors - answer phone calls - use picture in picture - play audio -diff --git a/core/res/res/values/lineage_arrays.xml b/core/res/res/values/lineage_arrays.xml -index 58567d1c8bd1..11a7d99b8d48 100644 ---- a/core/res/res/values/lineage_arrays.xml -+++ b/core/res/res/values/lineage_arrays.xml -@@ -184,6 +184,10 @@ - @string/app_ops_toggle_mobile_data - - @string/app_ops_su -+ -+ @string/app_ops_motion_sensors -+ -+ @string/app_ops_other_sensors - - - diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch index 2fc60a99..c956627f 100644 --- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch +++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch @@ -1,116 +1,36 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Daniel Micay -Date: Fri, 21 Jul 2017 08:42:55 -0400 -Subject: [PATCH] support new special runtime permissions +Date: Sun, 17 Mar 2019 11:59:15 -0400 +Subject: [PATCH] make INTERNET into a special runtime permission -These are treated as a runtime permission even for legacy apps. They -need to be granted by default for all apps to maintain compatibility. --- - .../server/pm/PackageManagerService.java | 3 +- - .../permission/PermissionManagerService.java | 30 ++++++++++++++----- - 2 files changed, 25 insertions(+), 8 deletions(-) + core/res/AndroidManifest.xml | 2 +- + .../android/server/pm/permission/PermissionManagerService.java | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index dc44fe17722d..e9fd656478dc 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -19704,7 +19704,8 @@ public class PackageManagerService extends IPackageManager.Stub - } +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index af1a6fa9e3c5..873162098247 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1361,7 +1361,7 @@ + ++ android:protectionLevel="dangerous|instant" /> - // If this permission was granted by default, make sure it is. -- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) { -+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 -+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) { - if (permissionsState.grantRuntimePermission(bp, userId) - != PERMISSION_OPERATION_FAILURE) { - writeRuntimePermissions = true; + + + ++ ++ ++ + -+ android:protectionLevel="dangerous|instant" /> + android:protectionLevel="dangerous|instant" /> +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 29af7d71914f..fd30d719b996 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -747,6 +747,11 @@ + Allow + <b>%1$s</b> to access sensor data about your vital signs? - ++ Network ++ ++ network access ++ + + Retrieve window content + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch deleted file mode 100644 index 5433b11f..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Daniel Micay -Date: Fri, 21 Jul 2017 11:23:07 -0400 -Subject: [PATCH] add a NETWORK permission group for INTERNET - ---- - core/res/AndroidManifest.xml | 10 ++++++++++ - core/res/res/values/strings.xml | 5 +++++ - 2 files changed, 15 insertions(+) - -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 873162098247..8efe5474dfea 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -1355,10 +1355,20 @@ - - - -+ -+ -+ - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 29af7d71914f..fd30d719b996 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -747,6 +747,11 @@ - Allow - <b>%1$s</b> to access sensor data about your vital signs? - -+ -+ Network -+ -+ network access -+ - - Retrieve window content - diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Sensors_Permission.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Sensors_Permission.patch new file mode 100644 index 00000000..483271fa --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Sensors_Permission.patch @@ -0,0 +1,95 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:54:42 -0400 +Subject: [PATCH] add special runtime permission for other sensors + +This covers sensors not included in the existing runtime permission for +body sensors. +--- + core/java/android/content/pm/PackageParser.java | 2 ++ + core/res/AndroidManifest.xml | 14 ++++++++++++++ + core/res/res/values/strings.xml | 12 ++++++++++++ + .../pm/permission/PermissionManagerService.java | 2 +- + 4 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index e0c2d2dc6dde..b89c46132b26 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -280,6 +280,8 @@ public class PackageParser { + */ + public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] = + new PackageParser.NewPermissionInfo[] { ++ new PackageParser.NewPermissionInfo(android.Manifest.permission.OTHER_SENSORS, ++ android.os.Build.VERSION_CODES.CUR_DEVELOPMENT + 1, 0), + new PackageParser.NewPermissionInfo(android.Manifest.permission.WRITE_EXTERNAL_STORAGE, + android.os.Build.VERSION_CODES.DONUT, 0), + new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE, +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 8efe5474dfea..69ddf1d37a7f 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1148,6 +1148,20 @@ + android:description="@string/permdesc_useBiometric" + android:protectionLevel="normal" /> + ++ ++ ++ ++ ++ ++ + + + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index fd30d719b996..1a64ae235456 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -747,6 +747,11 @@ + Allow + <b>%1$s</b> to access sensor data about your vital signs? + ++ ++ Sensors ++ ++ access sensor data about orientation, movement, etc. ++ + + Network + +@@ -1061,6 +1066,13 @@ + Allows the app to access data from sensors + that monitor your physical condition, such as your heart rate. + ++ ++ access sensors (like the compass) ++ ++ ++ Allows the app to access data from sensors ++ monitoring orientation, movement, vibration (including low frequency sound) and environmental data ++ + + Read calendar events and details + +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index f16f671a51dd..4a60c12e9823 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -731,7 +731,7 @@ public class PermissionManagerService { + } + + public static boolean isSpecialRuntimePermission(final String permission) { +- return Manifest.permission.INTERNET.equals(permission); ++ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission); + } + + private void grantPermissions(PackageParser.Package pkg, boolean replace, diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch new file mode 100644 index 00000000..2fc60a99 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch @@ -0,0 +1,116 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Fri, 21 Jul 2017 08:42:55 -0400 +Subject: [PATCH] support new special runtime permissions + +These are treated as a runtime permission even for legacy apps. They +need to be granted by default for all apps to maintain compatibility. +--- + .../server/pm/PackageManagerService.java | 3 +- + .../permission/PermissionManagerService.java | 30 ++++++++++++++----- + 2 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index dc44fe17722d..e9fd656478dc 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -19704,7 +19704,8 @@ public class PackageManagerService extends IPackageManager.Stub + } + + // If this permission was granted by default, make sure it is. +- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) { ++ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 ++ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) { + if (permissionsState.grantRuntimePermission(bp, userId) + != PERMISSION_OPERATION_FAILURE) { + writeRuntimePermissions = true; +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index 79b2636481b3..9f1fe8a6414a 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -730,6 +730,10 @@ public class PermissionManagerService { + } + } + ++ public static boolean isSpecialRuntimePermission(final String permission) { ++ return false; ++ } ++ + private void grantPermissions(PackageParser.Package pkg, boolean replace, + String packageOfInterest, PermissionCallback callback) { + // IMPORTANT: There are two types of permissions: install and runtime. +@@ -838,7 +842,8 @@ public class PermissionManagerService { + // their permissions as always granted runtime ones since we need + // to keep the review required permission flag per user while an + // install permission's state is shared across all users. +- if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) { ++ if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired && ++ !isSpecialRuntimePermission(bp.getName())) { + // For legacy apps dangerous permissions are install time ones. + grant = GRANT_INSTALL; + } else if (origPermissions.hasInstallPermission(bp.getName())) { +@@ -948,7 +953,8 @@ public class PermissionManagerService { + updatedUserIds, userId); + } + } else if (mSettings.mPermissionReviewRequired +- && !appSupportsRuntimePermissions) { ++ && !appSupportsRuntimePermissions ++ && !isSpecialRuntimePermission(bp.getName())) { + // For legacy apps that need a permission review, every new + // runtime permission is granted but it is pending a review. + // We also need to review only platform defined runtime +@@ -969,7 +975,15 @@ public class PermissionManagerService { + updatedUserIds = ArrayUtils.appendInt( + updatedUserIds, userId); + } +- } ++ } else if (isSpecialRuntimePermission(bp.name) && ++ origPermissions.getRuntimePermissionState(bp.name, userId) == null) { ++ if (permissionsState.grantRuntimePermission(bp, userId) ++ != PermissionsState.PERMISSION_OPERATION_FAILURE) { ++ // We changed the permission, hence have to write. ++ updatedUserIds = ArrayUtils.appendInt( ++ updatedUserIds, userId); ++ } ++ } + // Propagate the permission flags. + permissionsState.updatePermissionFlags(bp, userId, flags, flags); + } +@@ -1421,7 +1435,7 @@ public class PermissionManagerService { + && (grantedPermissions == null + || ArrayUtils.contains(grantedPermissions, permission))) { + final int flags = permissionsState.getPermissionFlags(permission, userId); +- if (supportsRuntimePermissions) { ++ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) { + // Installer cannot change immutable permissions. + if ((flags & immutableFlags) == 0) { + grantRuntimePermission(permission, pkg.packageName, false, callingUid, +@@ -1480,7 +1494,7 @@ public class PermissionManagerService { + // install permission's state is shared across all users. + if (mSettings.mPermissionReviewRequired + && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M +- && bp.isRuntime()) { ++ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) { + return; + } + +@@ -1516,7 +1530,8 @@ public class PermissionManagerService { + + permName + " for package " + packageName); + } + +- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) { ++ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M ++ && !isSpecialRuntimePermission(permName)) { + Slog.w(TAG, "Cannot grant runtime permission to a legacy app"); + return; + } +@@ -1601,7 +1616,8 @@ public class PermissionManagerService { + // install permission's state is shared across all users. + if (mSettings.mPermissionReviewRequired + && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M +- && bp.isRuntime()) { ++ && bp.isRuntime() ++ && !isSpecialRuntimePermission(permName)) { + return; + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch b/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch index 5db9936b..01cb78b8 100644 --- a/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch +++ b/Patches/LineageOS-16.0/android_frameworks_native/0001-Sensors.patch @@ -1,156 +1,21 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Fri, 15 Mar 2019 22:14:54 +0100 -Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [native] +From: Daniel Micay +Date: Sat, 7 Oct 2017 16:28:57 -0400 +Subject: [PATCH] require OTHER_SENSORS permission for sensors -Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: allow, strict) -- OP_OTHER_SENSORS (default: allow) - -This change updated the AppOPs binder for the newly defined Ops, -implements the logic for the sensors and adapts the logic for -checking the Ops, if an Op is not linked to a permission. - -Change-Id: Ic56e7bd48acda8790d6ab917a07cd7b747d4de87 --- - libs/binder/include/binder/AppOpsManager.h | 4 +++- - libs/sensor/Sensor.cpp | 10 +++++++++ - services/sensorservice/SensorService.cpp | 25 ++++++++++++---------- - 3 files changed, 27 insertions(+), 12 deletions(-) + libs/sensor/Sensor.cpp | 1 + + 1 file changed, 1 insertion(+) -diff --git a/libs/binder/include/binder/AppOpsManager.h b/libs/binder/include/binder/AppOpsManager.h -index fb682ecde7..83887787c9 100644 ---- a/libs/binder/include/binder/AppOpsManager.h -+++ b/libs/binder/include/binder/AppOpsManager.h -@@ -119,7 +119,9 @@ public: - OP_BOOT_COMPLETED = 79, - OP_NFC_CHANGE = 80, - OP_DATA_CONNECT_CHANGE = 81, -- OP_SU = 82 -+ OP_SU = 82, -+ OP_MOTION_SENSORS = 83, -+ OP_OTHER_SENSORS = 84 - }; - - AppOpsManager(); diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp -index 2383516c95..835794b1bd 100644 +index 2383516c95..054596b83a 100644 --- a/libs/sensor/Sensor.cpp +++ b/libs/sensor/Sensor.cpp @@ -52,6 +52,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi mMinDelay = hwSensor.minDelay; mFlags = 0; mUuid = uuid; -+ mRequiredAppOp = AppOpsManager::OP_OTHER_SENSORS; //default, other values are explicitly set ++ mRequiredPermission = "android.permission.OTHER_SENSORS"; // Set fifo event count zero for older devices which do not support batching. Fused // sensors also have their fifo counts set to zero. -@@ -86,6 +87,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - switch (mType) { - case SENSOR_TYPE_ACCELEROMETER: - mStringType = SENSOR_STRING_TYPE_ACCELEROMETER; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_CONTINUOUS_MODE; - break; - case SENSOR_TYPE_AMBIENT_TEMPERATURE: -@@ -106,10 +108,12 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - break; - case SENSOR_TYPE_GYROSCOPE: - mStringType = SENSOR_STRING_TYPE_GYROSCOPE; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_CONTINUOUS_MODE; - break; - case SENSOR_TYPE_GYROSCOPE_UNCALIBRATED: - mStringType = SENSOR_STRING_TYPE_GYROSCOPE_UNCALIBRATED; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_CONTINUOUS_MODE; - break; - case SENSOR_TYPE_HEART_RATE: { -@@ -125,6 +129,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - break; - case SENSOR_TYPE_LINEAR_ACCELERATION: - mStringType = SENSOR_STRING_TYPE_LINEAR_ACCELERATION; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_CONTINUOUS_MODE; - break; - case SENSOR_TYPE_MAGNETIC_FIELD: -@@ -160,6 +165,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - break; - case SENSOR_TYPE_SIGNIFICANT_MOTION: - mStringType = SENSOR_STRING_TYPE_SIGNIFICANT_MOTION; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_ONE_SHOT_MODE; - if (halVersion < SENSORS_DEVICE_API_VERSION_1_3) { - mFlags |= SENSOR_FLAG_WAKE_UP; -@@ -167,10 +173,12 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - break; - case SENSOR_TYPE_STEP_COUNTER: - mStringType = SENSOR_STRING_TYPE_STEP_COUNTER; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_ON_CHANGE_MODE; - break; - case SENSOR_TYPE_STEP_DETECTOR: - mStringType = SENSOR_STRING_TYPE_STEP_DETECTOR; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_SPECIAL_REPORTING_MODE; - break; - case SENSOR_TYPE_TEMPERATURE: -@@ -236,6 +244,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - break; - case SENSOR_TYPE_MOTION_DETECT: - mStringType = SENSOR_STRING_TYPE_MOTION_DETECT; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_ONE_SHOT_MODE; - if (halVersion < SENSORS_DEVICE_API_VERSION_1_3) { - mFlags |= SENSOR_FLAG_WAKE_UP; -@@ -251,6 +260,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi - - case SENSOR_TYPE_ACCELEROMETER_UNCALIBRATED: - mStringType = SENSOR_STRING_TYPE_ACCELEROMETER_UNCALIBRATED; -+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS; - mFlags |= SENSOR_FLAG_CONTINUOUS_MODE; - break; - default: -diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp -index 1c3e943543..142c5a274e 100644 ---- a/services/sensorservice/SensorService.cpp -+++ b/services/sensorservice/SensorService.cpp -@@ -1545,6 +1545,20 @@ status_t SensorService::flushSensor(const sp& connection, - - bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation, - const String16& opPackageName) { -+ -+ // Due to the new SENSOR AppOps, which do not correspond to any permission, -+ // we need to check for the AppOp BEFORE checking any permission -+ const int32_t opCode = sensor.getRequiredAppOp(); -+ if (opCode >= 0) { -+ AppOpsManager appOps; -+ if (appOps.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName) -+ != AppOpsManager::MODE_ALLOWED) { -+ ALOGE("%s a sensor (%s) without enabled required app op: %d", -+ operation, sensor.getName().string(), opCode); -+ return false; -+ } -+ } -+ - const String8& requiredPermission = sensor.getRequiredPermission(); - - if (requiredPermission.length() <= 0) { -@@ -1567,17 +1581,6 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation, - return false; - } - -- const int32_t opCode = sensor.getRequiredAppOp(); -- if (opCode >= 0) { -- AppOpsManager appOps; -- if (appOps.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName) -- != AppOpsManager::MODE_ALLOWED) { -- ALOGE("%s a sensor (%s) without enabled required app op: %d", -- operation, sensor.getName().string(), opCode); -- return false; -- } -- } -- - return true; - } - diff --git a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Sensors_Permission-1.patch b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Sensors_Permission-1.patch new file mode 100644 index 00000000..00d8ccb3 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Sensors_Permission-1.patch @@ -0,0 +1,23 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:56:35 -0400 +Subject: [PATCH] add OTHER_SENSORS permission group + +--- + src/com/android/packageinstaller/permission/utils/Utils.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java +index 423b319ee..d22a399bc 100644 +--- a/src/com/android/packageinstaller/permission/utils/Utils.java ++++ b/src/com/android/packageinstaller/permission/utils/Utils.java +@@ -52,7 +52,8 @@ public final class Utils { + Manifest.permission_group.PHONE, + Manifest.permission_group.MICROPHONE, + Manifest.permission_group.STORAGE, +- Manifest.permission_group.NETWORK ++ Manifest.permission_group.NETWORK, ++ Manifest.permission_group.OTHER_SENSORS + }; + + private static final Intent LAUNCHER_INTENT = new Intent(Intent.ACTION_MAIN, null) diff --git a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Sensors_Permission-2.patch b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Sensors_Permission-2.patch new file mode 100644 index 00000000..b23b767b --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Sensors_Permission-2.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:55:58 -0400 +Subject: [PATCH] always treat OTHER_SENSORS as a runtime permission + +--- + .../permission/model/AppPermissionGroup.java | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java +index e6087de4c..617309963 100644 +--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java ++++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java +@@ -339,7 +339,7 @@ public final class AppPermissionGroup implements Comparable + && !ArrayUtils.contains(filterPermissions, permission.getName())) { + continue; + } +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + if (permission.isGranted()) { + return true; + } +@@ -372,7 +372,7 @@ public final class AppPermissionGroup implements Comparable + continue; + } + +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + // Do not touch permissions fixed by the system. + if (permission.isSystemFixed()) { + return false; +@@ -474,7 +474,7 @@ public final class AppPermissionGroup implements Comparable + continue; + } + +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + // Do not touch permissions fixed by the system. + if (permission.isSystemFixed()) { + return false; diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch deleted file mode 100644 index fe3e89d8..00000000 --- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P1.patch +++ /dev/null @@ -1,200 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Fri, 15 Mar 2019 22:29:43 +0100 -Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [Settings] - -Add two AppOps for sensor access: -- OP_MOTION_SENSORS (default: allow, strict) -- OP_OTHER_SENSORS (default: allow) - -Add new Sensor template, relocate BODY_SENSORS into it - -Change-Id: I9b51c47e27a330823ecb4472b9a7818718ef4209 ---- - res/values-de/cm_strings.xml | 5 +++++ - res/values-fr/cm_strings.xml | 5 +++++ - res/values/cm_strings.xml | 5 +++++ - res/values/lineage_arrays.xml | 9 +++++++++ - .../settings/applications/appops/AppOpsState.java | 13 ++++++++++--- - 5 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml -index dee07db2b4..02cafb1b05 100644 ---- a/res/values-de/cm_strings.xml -+++ b/res/values-de/cm_strings.xml -@@ -39,6 +39,7 @@ - Gerät - Im Hintergrund ausführen - Systemstart -+ Sensoren - Root-Zugriff - Andere - Anrufeübergabe aus einer anderen App anzunehmen -@@ -76,8 +77,10 @@ - Einstellungen ändern - Standort mit hohem Stromverbrauch beobachten - Standort beobachten -+ Nutzung Bewegungssensoren - Mikrofon ein-/ausschalten - Benachbarte Netze -+ Sonstige Sensoren - Anrufe beantworten - Bild im Bild verwenden - Audio wiedergeben -@@ -162,8 +165,10 @@ - Einstellungen ändern - Standort mit hohem Stromverbrauch beobachten - Standort beobachten -+ Bewegungssensoren - Mikrofon ein-/ausschalten - Benachbarte Zellen -+ sonstige Sensoren - Anrufe beantworten - Bild im Bild verwenden - Audio wiedergeben -diff --git a/res/values-fr/cm_strings.xml b/res/values-fr/cm_strings.xml -index 523d87d673..3133e8d4bf 100644 ---- a/res/values-fr/cm_strings.xml -+++ b/res/values-fr/cm_strings.xml -@@ -39,6 +39,7 @@ - Appareil - Exécuter en arrière plan - Démarrage -+ Capteurs - Accès root - Autre - transférer un appel d\'une autre application -@@ -76,8 +77,10 @@ - modifier les paramètres - surveiller la position (à puissance élevée) - surveiller la position -+ utiliser les capteurs de mouvement - activer/désactiver le microphone - nœuds environnants -+ utiliser d\'autres capteurs - répondre aux appels téléphoniques - utiliser le mode Picture-in-Picture - lecture audio -@@ -162,8 +165,10 @@ - Modifier les paramètres - Surveiller la position (à puissance élevée) - Surveiller la position -+ Capteur de mouvement - Activer/désactiver le microphone - Noeuds environnants -+ autres Capteurs - Répondre aux appels téléphoniques - Utiliser le mode Picture-in-Picture - Lecture audio -diff --git a/res/values/cm_strings.xml b/res/values/cm_strings.xml -index c4a0aaa915..1150011970 100644 ---- a/res/values/cm_strings.xml -+++ b/res/values/cm_strings.xml -@@ -50,6 +50,7 @@ - Device - Run in background - Bootup -+ Sensors - Root access - Other - -@@ -89,7 +90,9 @@ - modify settings - monitor high power location - monitor location -+ Motion Sensor usage - mute/unmute microphone -+ Other Sensor usage - neighboring cells - answer phone calls - use picture in picture -@@ -177,8 +180,10 @@ - Modify settings - Monitor high power location - Monitor location -+ Motion Sensors - Mute/unmute microphone - Neighboring cells -+ Other Sensors - Answer phone calls - Use picture in picture - Play audio -diff --git a/res/values/lineage_arrays.xml b/res/values/lineage_arrays.xml -index 0145438148..40fea7be2d 100644 ---- a/res/values/lineage_arrays.xml -+++ b/res/values/lineage_arrays.xml -@@ -51,6 +51,7 @@ - @string/app_ops_categories_run_in_background - @string/app_ops_categories_bootup - @string/app_ops_categories_su -+ @string/app_ops_categories_sensors - @string/app_ops_categories_other - - -@@ -222,6 +223,10 @@ - @string/app_ops_summaries_toggle_mobile_data - - @string/app_ops_summaries_su -+ -+ @string/app_ops_summaries_motion_sensors -+ -+ @string/app_ops_summaries_other_sensors - - - -@@ -392,6 +397,10 @@ - @string/app_ops_labels_toggle_mobile_data - - @string/app_ops_labels_su -+ -+ @string/app_ops_labels_motion_sensors -+ -+ @string/app_ops_labels_other_sensors - - - -diff --git a/src/com/android/settings/applications/appops/AppOpsState.java b/src/com/android/settings/applications/appops/AppOpsState.java -index eeb1b2d302..8c8d2283ba 100644 ---- a/src/com/android/settings/applications/appops/AppOpsState.java -+++ b/src/com/android/settings/applications/appops/AppOpsState.java -@@ -236,6 +236,15 @@ public class AppOpsState { - new boolean[] { true } - ); - -+ public static final OpsTemplate SENSOR_TEMPLATE = new OpsTemplate( -+ new int[] { AppOpsManager.OP_BODY_SENSORS, -+ AppOpsManager.OP_MOTION_SENSORS, -+ AppOpsManager.OP_OTHER_SENSORS }, -+ new boolean[] { true, -+ false, -+ false } -+ ); -+ - public static final OpsTemplate SU_TEMPLATE = new OpsTemplate( - new int[] { AppOpsManager.OP_SU }, - new boolean[] { false } -@@ -252,7 +261,6 @@ public class AppOpsState { - AppOpsManager.OP_USE_SIP, - AppOpsManager.OP_PROCESS_OUTGOING_CALLS, - AppOpsManager.OP_USE_FINGERPRINT, -- AppOpsManager.OP_BODY_SENSORS, - AppOpsManager.OP_READ_CELL_BROADCASTS, - AppOpsManager.OP_MOCK_LOCATION, - AppOpsManager.OP_READ_EXTERNAL_STORAGE, -@@ -272,7 +280,6 @@ public class AppOpsState { - true, - true, - true, -- true, - true } - ); - -@@ -286,7 +293,7 @@ public class AppOpsState { - public static final OpsTemplate[] ALL_PERMS_TEMPLATES = new OpsTemplate[] { - LOCATION_TEMPLATE, PERSONAL_TEMPLATE, MESSAGING_TEMPLATE, - MEDIA_TEMPLATE, DEVICE_TEMPLATE, RUN_IN_BACKGROUND_TEMPLATE, -- BOOTUP_TEMPLATE, SU_TEMPLATE, REMAINING_TEMPLATE -+ BOOTUP_TEMPLATE, SU_TEMPLATE, SENSOR_TEMPLATE, REMAINING_TEMPLATE - }; - - /** diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P2.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P2.patch deleted file mode 100644 index fecf7c93..00000000 --- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0002-Sensors-P2.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Tue, 19 Mar 2019 22:35:38 +0100 -Subject: [PATCH] AppOps details: Add permission icons for new Sensor AppOps - -Change-Id: Ifc337517818dcc929a406ed455fb76e6533507ab ---- - .../android/settings/applications/appops/AppOpsDetails.java | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/com/android/settings/applications/appops/AppOpsDetails.java b/src/com/android/settings/applications/appops/AppOpsDetails.java -index 2f210435e8..4f01ceabda 100644 ---- a/src/com/android/settings/applications/appops/AppOpsDetails.java -+++ b/src/com/android/settings/applications/appops/AppOpsDetails.java -@@ -115,6 +115,7 @@ public class AppOpsDetails extends SettingsPreferenceFragment { - OP_ICONS.put(AppOpsManager.OP_GPS, R.drawable.ic_perm_location); - OP_ICONS.put(AppOpsManager.OP_MUTE_MICROPHONE, R.drawable.ic_perm_microphone); - OP_ICONS.put(AppOpsManager.OP_NFC_CHANGE, R.drawable.ic_perm_nfc); -+ OP_ICONS.put(AppOpsManager.OP_OTHER_SENSORS, R.drawable.ic_phone_info); - OP_ICONS.put(AppOpsManager.OP_POST_NOTIFICATION, R.drawable.ic_perm_notifications); - OP_ICONS.put(AppOpsManager.OP_READ_CLIPBOARD, R.drawable.ic_perm_clipboard); - OP_ICONS.put(AppOpsManager.OP_RUN_IN_BACKGROUND, R.drawable.ic_perm_background); -@@ -213,6 +214,10 @@ public class AppOpsDetails extends SettingsPreferenceFragment { - if (icon == null && op != -1 && OP_ICONS.containsKey(op)) { - icon = getActivity().getDrawable(OP_ICONS.get(op)); - } -+ if (icon == null && op == AppOpsManager.OP_MOTION_SENSORS) { -+ icon = getIconByPermission(AppOpsManager.opToPermission( -+ AppOpsManager.OP_USE_FINGERPRINT)); -+ } - if (icon == null) { - Log.e(TAG, "Failed to retrieve icon for permission: " + perm); - } else { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0011-Sensors.patch b/Patches/LineageOS-17.1/android_frameworks_base/0011-Sensors.patch deleted file mode 100644 index 208c031b..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_base/0011-Sensors.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Sat, 14 Nov 2020 13:04:05 +0100 -Subject: [PATCH] AppOps: Add further Op for accessing Sensors - -Change-Id: Id7d84d910b849cc4f781aac2a6c21278e08bdeec ---- - core/java/android/app/AppOpsManager.java | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java -index 77875354d732..af535f62c10b 100644 ---- a/core/java/android/app/AppOpsManager.java -+++ b/core/java/android/app/AppOpsManager.java -@@ -836,10 +836,12 @@ public class AppOpsManager { - public static final int OP_READ_DEVICE_IDENTIFIERS = 89; - /** @hide Read location metadata from media */ - public static final int OP_ACCESS_MEDIA_LOCATION = 90; -+ /** @hide Access other Sensors */ -+ public static final int OP_OTHER_SENSORS = 91; - - /** @hide */ - @UnsupportedAppUsage -- public static final int _NUM_OP = 91; -+ public static final int _NUM_OP = 92; - - /** Access to coarse location information. */ - public static final String OPSTR_COARSE_LOCATION = "android:coarse_location"; -@@ -1119,6 +1121,10 @@ public class AppOpsManager { - /** @hide Read device identifiers */ - public static final String OPSTR_READ_DEVICE_IDENTIFIERS = "android:read_device_identifiers"; - -+ /** @hide Other Sensors */ -+ public static final String OPSTR_OTHER_SENSORS = "android:other_sensors"; -+ -+ - // Warning: If an permission is added here it also has to be added to - // com.android.packageinstaller.permission.utils.EventLogger - private static final int[] RUNTIME_AND_APPOP_PERMISSIONS_OPS = { -@@ -1281,6 +1287,7 @@ public class AppOpsManager { - OP_ACCESS_ACCESSIBILITY, // ACCESS_ACCESSIBILITY - OP_READ_DEVICE_IDENTIFIERS, // READ_DEVICE_IDENTIFIERS - OP_ACCESS_MEDIA_LOCATION, // ACCESS_MEDIA_LOCATION -+ OP_OTHER_SENSORS, // OTHER_SENSORS - }; - - /** -@@ -1378,6 +1385,7 @@ public class AppOpsManager { - OPSTR_ACCESS_ACCESSIBILITY, - OPSTR_READ_DEVICE_IDENTIFIERS, - OPSTR_ACCESS_MEDIA_LOCATION, -+ OPSTR_OTHER_SENSORS, - }; - - /** -@@ -1476,6 +1484,7 @@ public class AppOpsManager { - "ACCESS_ACCESSIBILITY", - "READ_DEVICE_IDENTIFIERS", - "ACCESS_MEDIA_LOCATION", -+ "OTHER_SENSORS", - }; - - /** -@@ -1575,6 +1584,7 @@ public class AppOpsManager { - null, // no permission for OP_ACCESS_ACCESSIBILITY - null, // no direct permission for OP_READ_DEVICE_IDENTIFIERS - Manifest.permission.ACCESS_MEDIA_LOCATION, -+ null, // no direct permission for OP_OTHER_SENSORS - }; - - /** -@@ -1674,6 +1684,7 @@ public class AppOpsManager { - null, // ACCESS_ACCESSIBILITY - null, // READ_DEVICE_IDENTIFIERS - null, // ACCESS_MEDIA_LOCATION -+ null, // OTHER_SENSORS - }; - - /** -@@ -1772,6 +1783,7 @@ public class AppOpsManager { - false, // ACCESS_ACCESSIBILITY - false, // READ_DEVICE_IDENTIFIERS - false, // ACCESS_MEDIA_LOCATION -+ false, // OTHER_SENSORS - }; - - /** -@@ -1869,6 +1881,7 @@ public class AppOpsManager { - AppOpsManager.MODE_ALLOWED, // ACCESS_ACCESSIBILITY - AppOpsManager.MODE_ERRORED, // READ_DEVICE_IDENTIFIERS - AppOpsManager.MODE_ALLOWED, // ALLOW_MEDIA_LOCATION -+ AppOpsManager.MODE_ALLOWED, // OTHER_SENSORS - }; - - /** -@@ -1970,6 +1983,7 @@ public class AppOpsManager { - false, // ACCESS_ACCESSIBILITY - false, // READ_DEVICE_IDENTIFIERS - false, // ACCESS_MEDIA_LOCATION -+ false, // OTHER_SENSORS - }; - - /** diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch index 39c439e6..689f69fc 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch @@ -1,102 +1,36 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Daniel Micay -Date: Fri, 21 Jul 2017 08:42:55 -0400 -Subject: [PATCH] support new special runtime permissions +Date: Sun, 17 Mar 2019 11:59:15 -0400 +Subject: [PATCH] make INTERNET into a special runtime permission -These are treated as a runtime permission even for legacy apps. They -need to be granted by default for all apps to maintain compatibility. --- - .../server/pm/PackageManagerService.java | 3 ++- - .../permission/PermissionManagerService.java | 23 +++++++++++++++---- - 2 files changed, 20 insertions(+), 6 deletions(-) + core/res/AndroidManifest.xml | 2 +- + .../android/server/pm/permission/PermissionManagerService.java | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index edaa60f4b09e..834a6b0d5260 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -20162,7 +20162,8 @@ public class PackageManagerService extends IPackageManager.Stub - } +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 7bcd7a048db4..571099f059c8 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1539,7 +1539,7 @@ + ++ android:protectionLevel="dangerous|instant" /> - // If this permission was granted by default, make sure it is. -- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) { -+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 -+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) { - mPermissionManager.grantRuntimePermission(permName, packageName, false, - Process.SYSTEM_UID, userId, delayingPermCallback); - // Allow app op later as we are holding mPackages + + + ++ ++ ++ + -+ android:protectionLevel="dangerous|instant" /> + android:protectionLevel="dangerous|instant" /> +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index e2afd1e1e0cc..2cf2b923ef90 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -792,6 +792,11 @@ + Allow + <b>%1$s</b> to access sensor data about your vital signs? - ++ Network ++ ++ access the network ++ + + Retrieve window content + diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-3.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-3.patch index db199b93..5a6dbc63 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-3.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-3.patch @@ -1,62 +1,111 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Daniel Micay -Date: Fri, 21 Jul 2017 11:23:07 -0400 -Subject: [PATCH] add a NETWORK permission group for INTERNET +From: Zoraver Kang +Date: Mon, 16 Sep 2019 16:41:30 -0400 +Subject: [PATCH] Enforce INTERNET as a runtime permission. --- - api/current.txt | 1 + - core/res/AndroidManifest.xml | 8 ++++++++ - core/res/res/values/strings.xml | 5 +++++ - 3 files changed, 14 insertions(+) + .../connectivity/PermissionMonitor.java | 59 ++++++++++++------- + 1 file changed, 39 insertions(+), 20 deletions(-) -diff --git a/api/current.txt b/api/current.txt -index cd78602d9cd9..b99634c11742 100644 ---- a/api/current.txt -+++ b/api/current.txt -@@ -176,6 +176,7 @@ package android { - field public static final String CONTACTS = "android.permission-group.CONTACTS"; - field public static final String LOCATION = "android.permission-group.LOCATION"; - field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; -+ field public static final String NETWORK = "android.permission-group.NETWORK"; - field public static final String PHONE = "android.permission-group.PHONE"; - field public static final String SENSORS = "android.permission-group.SENSORS"; - field public static final String SMS = "android.permission-group.SMS"; -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 571099f059c8..b51e4f21454b 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -1533,10 +1533,18 @@ - - +diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java +index 56f4959a9714..0b2012fa759a 100644 +--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java ++++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java +@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID; + import static android.os.Process.SYSTEM_UID; -+ -+ -+ - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index e2afd1e1e0cc..2cf2b923ef90 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -792,6 +792,11 @@ - Allow - <b>%1$s</b> to access sensor data about your vital signs? + import android.annotation.NonNull; ++import android.annotation.UserIdInt; + import android.content.Context; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageInfo; +@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils; + import com.android.internal.util.IndentingPrintWriter; + import com.android.server.LocalServices; + import com.android.server.SystemConfig; ++import com.android.server.pm.permission.PermissionManagerServiceInternal; -+ -+ Network -+ -+ access the network + import java.util.ArrayList; + import java.util.Collection; +@@ -80,6 +82,7 @@ public class PermissionMonitor { + private static final int VERSION_Q = Build.VERSION_CODES.Q; + + private final PackageManager mPackageManager; ++ private final PackageManagerInternal mPackageManagerInternal; + private final UserManager mUserManager; + private final INetd mNetd; + +@@ -104,26 +107,6 @@ public class PermissionMonitor { + + private class PackageListObserver implements PackageManagerInternal.PackageListObserver { + +- private int getPermissionForUid(int uid) { +- int permission = 0; +- // Check all the packages for this UID. The UID has the permission if any of the +- // packages in it has the permission. +- String[] packages = mPackageManager.getPackagesForUid(uid); +- if (packages != null && packages.length > 0) { +- for (String name : packages) { +- final PackageInfo app = getPackageInfo(name); +- if (app != null && app.requestedPermissions != null) { +- permission |= getNetdPermissionMask(app.requestedPermissions, +- app.requestedPermissionsFlags); +- } +- } +- } else { +- // The last package of this uid is removed from device. Clean the package up. +- permission = INetd.PERMISSION_UNINSTALLED; +- } +- return permission; +- } +- + @Override + public void onPackageAdded(String packageName, int uid) { + sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); +@@ -140,10 +123,46 @@ public class PermissionMonitor { + } + } + ++ private int getPermissionForUid(int uid) { ++ int permission = 0; ++ // Check all the packages for this UID. The UID has the permission if any of the ++ // packages in it has the permission. ++ String[] packages = mPackageManager.getPackagesForUid(uid); ++ if (packages != null && packages.length > 0) { ++ for (String name : packages) { ++ final PackageInfo app = getPackageInfo(name); ++ if (app != null && app.requestedPermissions != null) { ++ permission |= getNetdPermissionMask(app.requestedPermissions, ++ app.requestedPermissionsFlags); ++ } ++ } ++ } else { ++ // The last package of this uid is removed from device. Clean the package up. ++ permission = INetd.PERMISSION_UNINSTALLED; ++ } ++ return permission; ++ } + - - Retrieve window content - ++ // implements OnRuntimePermissionStateChangedListener ++ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, ++ @UserIdInt int userId) { ++ // userId is _not_ uid ++ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); ++ sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); ++ } ++ + public PermissionMonitor(Context context, INetd netd) { + mPackageManager = context.getPackageManager(); + mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE); + mNetd = netd; ++ ++ mPackageManagerInternal = LocalServices.getService( ++ PackageManagerInternal.class); ++ ++ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService( ++ PermissionManagerServiceInternal.class); ++ permManagerInternal.addOnRuntimePermissionStateChangedListener( ++ this::enforceINTERNETAsRuntimePermission); + } + + // Intended to be called only once at startup, after the system is ready. Installs a broadcast diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-4.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-4.patch index 5a6dbc63..d2f4ade4 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-4.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-4.patch @@ -1,111 +1,82 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Zoraver Kang -Date: Mon, 16 Sep 2019 16:41:30 -0400 -Subject: [PATCH] Enforce INTERNET as a runtime permission. +From: pratyush +Date: Sun, 25 Apr 2021 07:04:03 +0530 +Subject: [PATCH] fix INTERNET enforcement for secondary users +This code was not specifying the profile for the app so it wasn't +working properly with INTERNET as a runtime permission. --- - .../connectivity/PermissionMonitor.java | 59 ++++++++++++------- - 1 file changed, 39 insertions(+), 20 deletions(-) + .../connectivity/PermissionMonitor.java | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -index 56f4959a9714..0b2012fa759a 100644 +index 0b2012fa759a..3187d4ba1491 100644 --- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java +++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID; - import static android.os.Process.SYSTEM_UID; +@@ -130,7 +130,8 @@ public class PermissionMonitor { + String[] packages = mPackageManager.getPackagesForUid(uid); + if (packages != null && packages.length > 0) { + for (String name : packages) { +- final PackageInfo app = getPackageInfo(name); ++ int userId = UserHandle.getUserId(uid); ++ final PackageInfo app = getPackageInfo(name, userId); + if (app != null && app.requestedPermissions != null) { + permission |= getNetdPermissionMask(app.requestedPermissions, + app.requestedPermissionsFlags); +@@ -147,7 +148,7 @@ public class PermissionMonitor { + private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, + @UserIdInt int userId) { + // userId is _not_ uid +- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); ++ int uid = mPackageManagerInternal.getPackageUid( packageName, GET_PERMISSIONS, userId); + sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); + } - import android.annotation.NonNull; -+import android.annotation.UserIdInt; - import android.content.Context; - import android.content.pm.ApplicationInfo; - import android.content.pm.PackageInfo; -@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils; - import com.android.internal.util.IndentingPrintWriter; - import com.android.server.LocalServices; - import com.android.server.SystemConfig; -+import com.android.server.pm.permission.PermissionManagerServiceInternal; +@@ -363,12 +364,13 @@ public class PermissionMonitor { + } - import java.util.ArrayList; - import java.util.Collection; -@@ -80,6 +82,7 @@ public class PermissionMonitor { - private static final int VERSION_Q = Build.VERSION_CODES.Q; - - private final PackageManager mPackageManager; -+ private final PackageManagerInternal mPackageManagerInternal; - private final UserManager mUserManager; - private final INetd mNetd; - -@@ -104,26 +107,6 @@ public class PermissionMonitor { - - private class PackageListObserver implements PackageManagerInternal.PackageListObserver { - -- private int getPermissionForUid(int uid) { -- int permission = 0; -- // Check all the packages for this UID. The UID has the permission if any of the -- // packages in it has the permission. -- String[] packages = mPackageManager.getPackagesForUid(uid); -- if (packages != null && packages.length > 0) { -- for (String name : packages) { -- final PackageInfo app = getPackageInfo(name); -- if (app != null && app.requestedPermissions != null) { -- permission |= getNetdPermissionMask(app.requestedPermissions, -- app.requestedPermissionsFlags); -- } -- } -- } else { -- // The last package of this uid is removed from device. Clean the package up. -- permission = INetd.PERMISSION_UNINSTALLED; -- } -- return permission; -- } -- - @Override - public void onPackageAdded(String packageName, int uid) { - sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); -@@ -140,10 +123,46 @@ public class PermissionMonitor { + @VisibleForTesting +- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) { ++ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) { + if (currentPermission == SYSTEM) { + return currentPermission; } + try { +- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS); ++ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS, ++ UserHandle.getUserId(uid)); + final boolean isNetwork = hasNetworkPermission(app); + final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); + if (isNetwork || hasRestrictedPermission) { +@@ -392,7 +394,7 @@ public class PermissionMonitor { + public synchronized void onPackageAdded(String packageName, int uid) { + // If multiple packages share a UID (cf: android:sharedUserId) and ask for different + // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). +- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName); ++ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid); + if (permission != mApps.get(uid)) { + mApps.put(uid, permission); + +@@ -444,7 +446,7 @@ public class PermissionMonitor { + String[] packages = mPackageManager.getPackagesForUid(uid); + if (packages != null && packages.length > 0) { + for (String name : packages) { +- permission = highestPermissionForUid(permission, name); ++ permission = highestPermissionForUid(permission, name, uid); + if (permission == SYSTEM) { + // An app with this UID still has the SYSTEM permission. + // Therefore, this UID must already have the SYSTEM permission. +@@ -484,11 +486,9 @@ public class PermissionMonitor { + return permissions; } -+ private int getPermissionForUid(int uid) { -+ int permission = 0; -+ // Check all the packages for this UID. The UID has the permission if any of the -+ // packages in it has the permission. -+ String[] packages = mPackageManager.getPackagesForUid(uid); -+ if (packages != null && packages.length > 0) { -+ for (String name : packages) { -+ final PackageInfo app = getPackageInfo(name); -+ if (app != null && app.requestedPermissions != null) { -+ permission |= getNetdPermissionMask(app.requestedPermissions, -+ app.requestedPermissionsFlags); -+ } -+ } -+ } else { -+ // The last package of this uid is removed from device. Clean the package up. -+ permission = INetd.PERMISSION_UNINSTALLED; -+ } -+ return permission; -+ } -+ -+ // implements OnRuntimePermissionStateChangedListener -+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, -+ @UserIdInt int userId) { -+ // userId is _not_ uid -+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); -+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); -+ } -+ - public PermissionMonitor(Context context, INetd netd) { - mPackageManager = context.getPackageManager(); - mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE); - mNetd = netd; -+ -+ mPackageManagerInternal = LocalServices.getService( -+ PackageManagerInternal.class); -+ -+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService( -+ PermissionManagerServiceInternal.class); -+ permManagerInternal.addOnRuntimePermissionStateChangedListener( -+ this::enforceINTERNETAsRuntimePermission); - } - - // Intended to be called only once at startup, after the system is ready. Installs a broadcast +- private PackageInfo getPackageInfo(String packageName) { ++ private PackageInfo getPackageInfo(String packageName, int userId) { + try { +- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS +- | MATCH_ANY_USER); +- return app; ++ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId); + } catch (NameNotFoundException e) { + return null; + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-5.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-5.patch index d2f4ade4..5ec43a5b 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-5.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-5.patch @@ -1,82 +1,125 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: pratyush -Date: Sun, 25 Apr 2021 07:04:03 +0530 -Subject: [PATCH] fix INTERNET enforcement for secondary users +From: Pratyush +Date: Thu, 12 Aug 2021 03:44:41 +0530 +Subject: [PATCH] send uid for each user instead of just owner/admin user -This code was not specifying the profile for the app so it wasn't -working properly with INTERNET as a runtime permission. --- - .../connectivity/PermissionMonitor.java | 20 +++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) + .../connectivity/PermissionMonitor.java | 83 +++++++++++-------- + 1 file changed, 49 insertions(+), 34 deletions(-) diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -index 0b2012fa759a..3187d4ba1491 100644 +index 3187d4ba1491..0a9b8b6a6e94 100644 --- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java +++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -@@ -130,7 +130,8 @@ public class PermissionMonitor { - String[] packages = mPackageManager.getPackagesForUid(uid); - if (packages != null && packages.length > 0) { +@@ -132,7 +132,7 @@ public class PermissionMonitor { for (String name : packages) { -- final PackageInfo app = getPackageInfo(name); -+ int userId = UserHandle.getUserId(uid); -+ final PackageInfo app = getPackageInfo(name, userId); - if (app != null && app.requestedPermissions != null) { + int userId = UserHandle.getUserId(uid); + final PackageInfo app = getPackageInfo(name, userId); +- if (app != null && app.requestedPermissions != null) { ++ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) { permission |= getNetdPermissionMask(app.requestedPermissions, app.requestedPermissionsFlags); -@@ -147,7 +148,7 @@ public class PermissionMonitor { - private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, - @UserIdInt int userId) { - // userId is _not_ uid -- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); -+ int uid = mPackageManagerInternal.getPackageUid( packageName, GET_PERMISSIONS, userId); - sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); - } + } +@@ -177,44 +177,45 @@ public class PermissionMonitor { + } else { + loge("failed to get the PackageManagerInternal service"); + } +- List apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS +- | MATCH_ANY_USER); +- if (apps == null) { +- loge("No apps"); +- return; +- } -@@ -363,12 +364,13 @@ public class PermissionMonitor { - } + SparseIntArray netdPermsUids = new SparseIntArray(); - @VisibleForTesting -- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) { -+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) { - if (currentPermission == SYSTEM) { - return currentPermission; +- for (PackageInfo app : apps) { +- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; +- if (uid < 0) { +- continue; +- } +- mAllApps.add(UserHandle.getAppId(uid)); +- +- boolean isNetwork = hasNetworkPermission(app); +- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); +- +- if (isNetwork || hasRestrictedPermission) { +- Boolean permission = mApps.get(uid); +- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different +- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). +- if (permission == null || permission == NETWORK) { +- mApps.put(uid, hasRestrictedPermission); +- } +- } +- +- //TODO: unify the management of the permissions into one codepath. +- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, +- app.requestedPermissionsFlags); +- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); +- } +- + List users = mUserManager.getUsers(true); // exclude dying users + if (users != null) { + for (UserInfo user : users) { + mUsers.add(user.id); ++ ++ List apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id); ++ if (apps == null) { ++ loge("No apps"); ++ continue; ++ } ++ ++ for (PackageInfo app : apps) { ++ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; ++ if (uid < 0) { ++ continue; ++ } ++ mAllApps.add(UserHandle.getAppId(uid)); ++ ++ boolean isNetwork = hasNetworkPermission(app); ++ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); ++ ++ if (isNetwork || hasRestrictedPermission) { ++ Boolean permission = mApps.get(uid); ++ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different ++ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). ++ if (permission == null || permission == NETWORK) { ++ mApps.put(uid, hasRestrictedPermission); ++ } ++ } ++ ++ //TODO: unify the management of the permissions into one codepath. ++ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, ++ app.requestedPermissionsFlags); ++ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); ++ } ++ + } + } + +@@ -307,9 +308,23 @@ public class PermissionMonitor { + List network = new ArrayList<>(); + List system = new ArrayList<>(); + for (Entry app : apps.entrySet()) { +- List list = app.getValue() ? system : network; + for (int user : users) { +- list.add(UserHandle.getUid(user, app.getKey())); ++ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey())); ++ if (uid < 0) continue; ++ String[] packages = mPackageManager.getPackagesForUid(uid); ++ if (packages == null) continue; ++ for (String pkg : packages) { ++ PackageInfo info = getPackageInfo(pkg, user); ++ if (info != null && info.applicationInfo.uid == uid) { ++ boolean isNetwork = hasNetworkPermission(info); ++ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info); ++ ++ if (isNetwork || hasRestrictedPermission) { ++ List list = hasRestrictedPermission ? system : network; ++ list.add(UserHandle.getUid(user, app.getKey())); ++ } ++ } ++ } + } } try { -- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS); -+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS, -+ UserHandle.getUserId(uid)); - final boolean isNetwork = hasNetworkPermission(app); - final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); - if (isNetwork || hasRestrictedPermission) { -@@ -392,7 +394,7 @@ public class PermissionMonitor { - public synchronized void onPackageAdded(String packageName, int uid) { - // If multiple packages share a UID (cf: android:sharedUserId) and ask for different - // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). -- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName); -+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid); - if (permission != mApps.get(uid)) { - mApps.put(uid, permission); - -@@ -444,7 +446,7 @@ public class PermissionMonitor { - String[] packages = mPackageManager.getPackagesForUid(uid); - if (packages != null && packages.length > 0) { - for (String name : packages) { -- permission = highestPermissionForUid(permission, name); -+ permission = highestPermissionForUid(permission, name, uid); - if (permission == SYSTEM) { - // An app with this UID still has the SYSTEM permission. - // Therefore, this UID must already have the SYSTEM permission. -@@ -484,11 +486,9 @@ public class PermissionMonitor { - return permissions; - } - -- private PackageInfo getPackageInfo(String packageName) { -+ private PackageInfo getPackageInfo(String packageName, int userId) { - try { -- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS -- | MATCH_ANY_USER); -- return app; -+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId); - } catch (NameNotFoundException e) { - return null; - } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch index 5ec43a5b..cfbb71fc 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch @@ -1,125 +1,42 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Pratyush -Date: Thu, 12 Aug 2021 03:44:41 +0530 -Subject: [PATCH] send uid for each user instead of just owner/admin user +From: Dmitry Muhomor +Date: Tue, 14 Dec 2021 18:17:11 +0200 +Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked --- - .../connectivity/PermissionMonitor.java | 83 +++++++++++-------- - 1 file changed, 49 insertions(+), 34 deletions(-) + core/java/android/net/ConnectivityManager.java | 8 ++++++++ + 1 file changed, 8 insertions(+) -diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -index 3187d4ba1491..0a9b8b6a6e94 100644 ---- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java -+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -@@ -132,7 +132,7 @@ public class PermissionMonitor { - for (String name : packages) { - int userId = UserHandle.getUserId(uid); - final PackageInfo app = getPackageInfo(name, userId); -- if (app != null && app.requestedPermissions != null) { -+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) { - permission |= getNetdPermissionMask(app.requestedPermissions, - app.requestedPermissionsFlags); - } -@@ -177,44 +177,45 @@ public class PermissionMonitor { - } else { - loge("failed to get the PackageManagerInternal service"); - } -- List apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS -- | MATCH_ANY_USER); -- if (apps == null) { -- loge("No apps"); -- return; -- } +diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java +index 12102a140947..21661609ff72 100644 +--- a/core/java/android/net/ConnectivityManager.java ++++ b/core/java/android/net/ConnectivityManager.java +@@ -17,6 +17,7 @@ package android.net; - SparseIntArray netdPermsUids = new SparseIntArray(); + import static android.net.IpSecManager.INVALID_RESOURCE_ID; -- for (PackageInfo app : apps) { -- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; -- if (uid < 0) { -- continue; -- } -- mAllApps.add(UserHandle.getAppId(uid)); -- -- boolean isNetwork = hasNetworkPermission(app); -- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); -- -- if (isNetwork || hasRestrictedPermission) { -- Boolean permission = mApps.get(uid); -- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different -- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). -- if (permission == null || permission == NETWORK) { -- mApps.put(uid, hasRestrictedPermission); -- } -- } -- -- //TODO: unify the management of the permissions into one codepath. -- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, -- app.requestedPermissionsFlags); -- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); -- } -- - List users = mUserManager.getUsers(true); // exclude dying users - if (users != null) { - for (UserInfo user : users) { - mUsers.add(user.id); -+ -+ List apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id); -+ if (apps == null) { -+ loge("No apps"); -+ continue; -+ } -+ -+ for (PackageInfo app : apps) { -+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; -+ if (uid < 0) { -+ continue; -+ } -+ mAllApps.add(UserHandle.getAppId(uid)); -+ -+ boolean isNetwork = hasNetworkPermission(app); -+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); -+ -+ if (isNetwork || hasRestrictedPermission) { -+ Boolean permission = mApps.get(uid); -+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different -+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). -+ if (permission == null || permission == NETWORK) { -+ mApps.put(uid, hasRestrictedPermission); -+ } -+ } -+ -+ //TODO: unify the management of the permissions into one codepath. -+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, -+ app.requestedPermissionsFlags); -+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); -+ } -+ - } - } - -@@ -307,9 +308,23 @@ public class PermissionMonitor { - List network = new ArrayList<>(); - List system = new ArrayList<>(); - for (Entry app : apps.entrySet()) { -- List list = app.getValue() ? system : network; - for (int user : users) { -- list.add(UserHandle.getUid(user, app.getKey())); -+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey())); -+ if (uid < 0) continue; -+ String[] packages = mPackageManager.getPackagesForUid(uid); -+ if (packages == null) continue; -+ for (String pkg : packages) { -+ PackageInfo info = getPackageInfo(pkg, user); -+ if (info != null && info.applicationInfo.uid == uid) { -+ boolean isNetwork = hasNetworkPermission(info); -+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info); -+ -+ if (isNetwork || hasRestrictedPermission) { -+ List list = hasRestrictedPermission ? system : network; -+ list.add(UserHandle.getUid(user, app.getKey())); -+ } -+ } -+ } - } - } ++import android.Manifest; + import android.annotation.CallbackExecutor; + import android.annotation.IntDef; + import android.annotation.NonNull; +@@ -31,6 +32,7 @@ import android.annotation.UnsupportedAppUsage; + import android.app.PendingIntent; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.PackageManager; + import android.net.IpSecManager.UdpEncapsulationSocket; + import android.net.SocketKeepalive.Callback; + import android.os.Binder; +@@ -3054,6 +3056,12 @@ public class ConnectivityManager { + */ + public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) { + printStackTrace(); ++ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) { ++ // ConnectivityService enforces this by throwing an unexpected SecurityException, ++ // which puts GMS into a crash loop. Also useful for other apps that don't expect that ++ // INTERNET permission might get revoked. ++ return; ++ } try { + mService.reportNetworkConnectivity(network, hasConnectivity); + } catch (RemoteException e) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-7.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-7.patch deleted file mode 100644 index cfbb71fc..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-7.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dmitry Muhomor -Date: Tue, 14 Dec 2021 18:17:11 +0200 -Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked - ---- - core/java/android/net/ConnectivityManager.java | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java -index 12102a140947..21661609ff72 100644 ---- a/core/java/android/net/ConnectivityManager.java -+++ b/core/java/android/net/ConnectivityManager.java -@@ -17,6 +17,7 @@ package android.net; - - import static android.net.IpSecManager.INVALID_RESOURCE_ID; - -+import android.Manifest; - import android.annotation.CallbackExecutor; - import android.annotation.IntDef; - import android.annotation.NonNull; -@@ -31,6 +32,7 @@ import android.annotation.UnsupportedAppUsage; - import android.app.PendingIntent; - import android.content.Context; - import android.content.Intent; -+import android.content.pm.PackageManager; - import android.net.IpSecManager.UdpEncapsulationSocket; - import android.net.SocketKeepalive.Callback; - import android.os.Binder; -@@ -3054,6 +3056,12 @@ public class ConnectivityManager { - */ - public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) { - printStackTrace(); -+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) { -+ // ConnectivityService enforces this by throwing an unexpected SecurityException, -+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that -+ // INTERNET permission might get revoked. -+ return; -+ } - try { - mService.reportNetworkConnectivity(network, hasConnectivity); - } catch (RemoteException e) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch new file mode 100644 index 00000000..546e2b20 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch @@ -0,0 +1,114 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:54:42 -0400 +Subject: [PATCH] add special runtime permission for other sensors + +This covers sensors not included in the existing runtime permission for +body sensors. +--- + api/current.txt | 2 ++ + core/java/android/content/pm/PackageParser.java | 2 ++ + core/res/AndroidManifest.xml | 12 ++++++++++++ + core/res/res/values/strings.xml | 12 ++++++++++++ + .../pm/permission/PermissionManagerService.java | 2 +- + 5 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/api/current.txt b/api/current.txt +index b99634c11742..d74627f45dbd 100644 +--- a/api/current.txt ++++ b/api/current.txt +@@ -100,6 +100,7 @@ package android { + field public static final String MOUNT_UNMOUNT_FILESYSTEMS = "android.permission.MOUNT_UNMOUNT_FILESYSTEMS"; + field public static final String NFC = "android.permission.NFC"; + field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT"; ++ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS"; + field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"; + field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY"; + field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS"; +@@ -177,6 +178,7 @@ package android { + field public static final String LOCATION = "android.permission-group.LOCATION"; + field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; + field public static final String NETWORK = "android.permission-group.NETWORK"; ++ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS"; + field public static final String PHONE = "android.permission-group.PHONE"; + field public static final String SENSORS = "android.permission-group.SENSORS"; + field public static final String SMS = "android.permission-group.SMS"; +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index 861b0d922d32..e9a0696ebaff 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -286,6 +286,8 @@ public class PackageParser { + @UnsupportedAppUsage + public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] = + new PackageParser.NewPermissionInfo[] { ++ new PackageParser.NewPermissionInfo(android.Manifest.permission.OTHER_SENSORS, ++ android.os.Build.VERSION_CODES.CUR_DEVELOPMENT + 1, 0), + new PackageParser.NewPermissionInfo(android.Manifest.permission.WRITE_EXTERNAL_STORAGE, + android.os.Build.VERSION_CODES.DONUT, 0), + new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE, +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index b51e4f21454b..d5bc3cd38c07 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1331,6 +1331,18 @@ + android:description="@string/permdesc_useBiometric" + android:protectionLevel="normal" /> + ++ ++ ++ ++ + + + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 2cf2b923ef90..ae206c1f5872 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -792,6 +792,11 @@ + Allow + <b>%1$s</b> to access sensor data about your vital signs? + ++ ++ Sensors ++ ++ access sensor data about orientation, movement, etc. ++ + + Network + +@@ -1085,6 +1090,13 @@ + Allows the app to access data from sensors + that monitor your physical condition, such as your heart rate. + ++ ++ access sensors (like the compass) ++ ++ ++ Allows the app to access data from sensors ++ monitoring orientation, movement, vibration (including low frequency sound) and environmental data ++ + + Read calendar events and details + +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index 3a71bc8d015b..3eb4262ba634 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -985,7 +985,7 @@ public class PermissionManagerService { + } + + public static boolean isSpecialRuntimePermission(final String permission) { +- return Manifest.permission.INTERNET.equals(permission); ++ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission); + } + + /** diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch new file mode 100644 index 00000000..39c439e6 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch @@ -0,0 +1,102 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Fri, 21 Jul 2017 08:42:55 -0400 +Subject: [PATCH] support new special runtime permissions + +These are treated as a runtime permission even for legacy apps. They +need to be granted by default for all apps to maintain compatibility. +--- + .../server/pm/PackageManagerService.java | 3 ++- + .../permission/PermissionManagerService.java | 23 +++++++++++++++---- + 2 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index edaa60f4b09e..834a6b0d5260 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -20162,7 +20162,8 @@ public class PackageManagerService extends IPackageManager.Stub + } + + // If this permission was granted by default, make sure it is. +- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) { ++ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 ++ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) { + mPermissionManager.grantRuntimePermission(permName, packageName, false, + Process.SYSTEM_UID, userId, delayingPermCallback); + // Allow app op later as we are holding mPackages +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index 82f963e1df2a..293bdc7ba197 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -984,6 +984,10 @@ public class PermissionManagerService { + } + } + ++ public static boolean isSpecialRuntimePermission(final String permission) { ++ return false; ++ } ++ + /** + * Restore the permission state for a package. + * +@@ -1277,6 +1281,14 @@ public class PermissionManagerService { + } + } + } ++ ++ if (isSpecialRuntimePermission(bp.name) && ++ origPermissions.getRuntimePermissionState(bp.name, userId) == null) { ++ if (permissionsState.grantRuntimePermission(bp, userId) ++ != PERMISSION_OPERATION_FAILURE) { ++ wasChanged = true; ++ } ++ } + } else { + if (permState == null) { + // New permission +@@ -1410,7 +1422,7 @@ public class PermissionManagerService { + wasChanged = true; + } + } +- } else { ++ } else { + if (!permissionsState.hasRuntimePermission(bp.name, userId) + && permissionsState.grantRuntimePermission(bp, + userId) != PERMISSION_OPERATION_FAILURE) { +@@ -2183,7 +2195,7 @@ public class PermissionManagerService { + && (grantedPermissions == null + || ArrayUtils.contains(grantedPermissions, permission))) { + final int flags = permissionsState.getPermissionFlags(permission, userId); +- if (supportsRuntimePermissions) { ++ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) { + // Installer cannot change immutable permissions. + if ((flags & immutableFlags) == 0) { + grantRuntimePermission(permission, pkg.packageName, false, callingUid, +@@ -2242,7 +2254,7 @@ public class PermissionManagerService { + // to keep the review required permission flag per user while an + // install permission's state is shared across all users. + if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M +- && bp.isRuntime()) { ++ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) { + return; + } + +@@ -2294,7 +2306,8 @@ public class PermissionManagerService { + + permName + " for package " + packageName); + } + +- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) { ++ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M ++ && !isSpecialRuntimePermission(permName)) { + Slog.w(TAG, "Cannot grant runtime permission to a legacy app"); + return; + } +@@ -2381,7 +2394,7 @@ public class PermissionManagerService { + // to keep the review required permission flag per user while an + // install permission's state is shared across all users. + if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M +- && bp.isRuntime()) { ++ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) { + return; + } + diff --git a/Patches/LineageOS-17.1/android_frameworks_native/0001-Sensors.patch b/Patches/LineageOS-17.1/android_frameworks_native/0001-Sensors.patch index 92bd36ea..ba61caf2 100644 --- a/Patches/LineageOS-17.1/android_frameworks_native/0001-Sensors.patch +++ b/Patches/LineageOS-17.1/android_frameworks_native/0001-Sensors.patch @@ -1,81 +1,21 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Sat, 14 Nov 2020 13:21:18 +0100 -Subject: [PATCH] AppOps: New Op for (Other) sensors access +From: Daniel Micay +Date: Sat, 7 Oct 2017 16:28:57 -0400 +Subject: [PATCH] require OTHER_SENSORS permission for sensors - * Add missing Ops to the enum, as pre-requisite to add new sensor op - * Add new sensor op to enum - * Invoke OP_OTHER_SENSORS as default - * Adapt logic for checking the Ops, if no permission is linked - -Change-Id: If4011566a391314afed9a26e1dcf6e4bc838e4f7 --- - libs/binder/include/binder/AppOpsManager.h | 13 +++++++++++++ - libs/sensor/Sensor.cpp | 1 + - services/sensorservice/SensorService.cpp | 9 +++++---- - 3 files changed, 19 insertions(+), 4 deletions(-) + libs/sensor/Sensor.cpp | 1 + + 1 file changed, 1 insertion(+) -diff --git a/libs/binder/include/binder/AppOpsManager.h b/libs/binder/include/binder/AppOpsManager.h -index 17493b4252..89c0eacb8a 100644 ---- a/libs/binder/include/binder/AppOpsManager.h -+++ b/libs/binder/include/binder/AppOpsManager.h -@@ -109,6 +109,19 @@ public: - OP_START_FOREGROUND = 76, - OP_BLUETOOTH_SCAN = 77, - OP_USE_BIOMETRIC = 78, -+ OP_ACTIVITY_RECOGNITION = 79, -+ OP_SMS_FINANCIAL_TRANSACTIONS = 80, -+ OP_READ_MEDIA_AUDIO = 81, -+ OP_WRITE_MEDIA_AUDIO = 82, -+ OP_READ_MEDIA_VIDEO = 83, -+ OP_WRITE_MEDIA_VIDEO = 84, -+ OP_READ_MEDIA_IMAGES = 85, -+ OP_WRITE_MEDIA_IMAGES = 86, -+ OP_LEGACY_STORAGE = 87, -+ OP_ACCESS_ACCESSIBILITY = 88, -+ OP_READ_DEVICE_IDENTIFIERS = 89, -+ OP_ACCESS_MEDIA_LOCATION = 90, -+ OP_OTHER_SENSORS = 91, - }; - - AppOpsManager(); diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp -index abc910302c..8a318543a7 100644 +index abc910302c..8b6e96aef6 100644 --- a/libs/sensor/Sensor.cpp +++ b/libs/sensor/Sensor.cpp @@ -59,6 +59,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi mMinDelay = hwSensor.minDelay; mFlags = 0; mUuid = uuid; -+ mRequiredAppOp = AppOpsManager::OP_OTHER_SENSORS; //default, other values are explicitly set ++ mRequiredPermission = "android.permission.OTHER_SENSORS"; // Set fifo event count zero for older devices which do not support batching. Fused // sensors also have their fifo counts set to zero. -diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp -index 6bb250e7bb..58297122a5 100644 ---- a/services/sensorservice/SensorService.cpp -+++ b/services/sensorservice/SensorService.cpp -@@ -1643,10 +1643,9 @@ status_t SensorService::flushSensor(const sp& connection, - - bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation, - const String16& opPackageName) { -+ - // Check if a permission is required for this sensor -- if (sensor.getRequiredPermission().length() <= 0) { -- return true; -- } -+ bool noAssociatedPermission = (sensor.getRequiredPermission().length() <= 0); - - const int32_t opCode = sensor.getRequiredAppOp(); - const int32_t appOpMode = sAppOpsManager.checkOp(opCode, -@@ -1654,7 +1653,9 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation, - bool appOpAllowed = appOpMode == AppOpsManager::MODE_ALLOWED; - - bool canAccess = false; -- if (hasPermissionForSensor(sensor)) { -+ if (noAssociatedPermission) { -+ canAccess = appOpAllowed; -+ } else if (hasPermissionForSensor(sensor)) { - // Ensure that the AppOp is allowed, or that there is no necessary app op for the sensor - if (opCode < 0 || appOpAllowed) { - canAccess = true; diff --git a/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch b/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch new file mode 100644 index 00000000..a61d50b2 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:55:58 -0400 +Subject: [PATCH] always treat OTHER_SENSORS as a runtime permission + +--- + .../packageinstaller/permission/model/AppPermissionGroup.java | 4 ++-- + .../android/packageinstaller/permission/model/Permission.java | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java +index c9fa2ca3e..7930b46ce 100644 +--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java ++++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java +@@ -786,7 +786,7 @@ public final class AppPermissionGroup implements Comparable + + boolean wasGranted = permission.isGrantedIncludingAppOp(); + +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + // Do not touch permissions fixed by the system. + if (permission.isSystemFixed()) { + wasAllGranted = false; +@@ -963,7 +963,7 @@ public final class AppPermissionGroup implements Comparable + break; + } + +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + // Revoke the permission if needed. + if (permission.isGranted()) { + permission.setGranted(false); +diff --git a/src/com/android/packageinstaller/permission/model/Permission.java b/src/com/android/packageinstaller/permission/model/Permission.java +index c2ec88902..4cd2a7349 100644 +--- a/src/com/android/packageinstaller/permission/model/Permission.java ++++ b/src/com/android/packageinstaller/permission/model/Permission.java +@@ -137,7 +137,7 @@ public final class Permission { + * @return {@code true} if the permission (and the app-op) is granted. + */ + public boolean isGrantedIncludingAppOp() { +- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName)); ++ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName) || Manifest.permission.OTHER_SENSORS.equals(mName)); + } + + public boolean isReviewRequired() { diff --git a/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Sensors_Permission-2.patch b/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Sensors_Permission-2.patch new file mode 100644 index 00000000..11c3f7e8 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_apps_PermissionController/0001-Sensors_Permission-2.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:56:35 -0400 +Subject: [PATCH] add OTHER_SENSORS permission group + +--- + src/com/android/packageinstaller/permission/utils/Utils.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java +index 162b15f37..d1a19200b 100644 +--- a/src/com/android/packageinstaller/permission/utils/Utils.java ++++ b/src/com/android/packageinstaller/permission/utils/Utils.java +@@ -25,6 +25,7 @@ import static android.Manifest.permission_group.CONTACTS; + import static android.Manifest.permission_group.LOCATION; + import static android.Manifest.permission_group.MICROPHONE; + import static android.Manifest.permission_group.NETWORK; ++import static android.Manifest.permission_group.OTHER_SENSORS; + import static android.Manifest.permission_group.PHONE; + import static android.Manifest.permission_group.SENSORS; + import static android.Manifest.permission_group.SMS; +@@ -175,6 +176,7 @@ public final class Utils { + PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS); + + PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK); ++ PLATFORM_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS); + + PLATFORM_PERMISSION_GROUPS = new ArrayMap<>(); + int numPlatformPermissions = PLATFORM_PERMISSIONS.size(); diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0002-Sensors.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0002-Sensors.patch deleted file mode 100644 index 153bf0f2..00000000 --- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0002-Sensors.patch +++ /dev/null @@ -1,263 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Sat, 14 Nov 2020 15:17:37 +0100 -Subject: [PATCH] Special Access: Add an option to administer Sensor access - -Accesses the added AppOp for OP_OTHER_SENSORS - -Change-Id: I79c0ed4ab97494434edc6c308a8a54bd123c02ee ---- - res/values-de/strings.xml | 3 + - res/values-fr/strings.xml | 3 + - res/values/strings.xml | 5 + - res/xml/special_access.xml | 7 + - .../specialaccess/sensor/SensorAccess.java | 178 ++++++++++++++++++ - 5 files changed, 196 insertions(+) - create mode 100644 src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java - -diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml -index e0b5bebaec..e4df5eb84f 100644 ---- a/res/values-de/strings.xml -+++ b/res/values-de/strings.xml -@@ -4667,6 +4667,9 @@ - "SIM-Kombination" - "Informationen zu den Arbeitsrichtlinien" - "Einstellungen, die von deinem IT-Administrator verwaltet werden" -+ Sensorzugriff von Benutzer-Apps kontrollieren -+ Zugriff auf Sensoren -+ Keine installierte App hat Sensorzugriff angefordert. - - - -diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml -index fe92e77035..7834851bd9 100644 ---- a/res/values-fr/strings.xml -+++ b/res/values-fr/strings.xml -@@ -4666,6 +4666,9 @@ - "Combinaison de cartes SIM" - "Informations sur les règles professionnelles" - "Paramètres gérés par votre administrateur informatique" -+ Contrôler l\'accès des applications utilisateurs aux capteurs -+ Access aux Capteurs -+ Aucune app installée n\'a demandé de l\'accès aux capteurs. - - - -diff --git a/res/values/strings.xml b/res/values/strings.xml -index 2180ea45f6..6f48171135 100644 ---- a/res/values/strings.xml -+++ b/res/values/strings.xml -@@ -11426,6 +11426,11 @@ - - - -+ -+ Control sensor access for user apps -+ Access to Sensors -+ No installed apps have requested sensors access. -+ - - A device wants to access your messages. Tap for details. - -diff --git a/res/xml/special_access.xml b/res/xml/special_access.xml -index f846298341..bee9d6e2eb 100644 ---- a/res/xml/special_access.xml -+++ b/res/xml/special_access.xml -@@ -145,6 +145,13 @@ - android:value="com.android.settings.Settings$ChangeWifiStateActivity" /> - - -+ -+ -+ - apps = new ArrayList<>(); -+ final List installed = mPackageManager.getInstalledApplications(0); -+ if (installed != null) { -+ for (ApplicationInfo app : installed) { -+ // Skip system apps -+ if (isUserApp(app.packageName)) { -+ // Only apps effectively having the Op OTHER_SENSORS -+ if (mAppOpsManager.getOpsForPackage(getPackageUid(app.packageName), -+ app.packageName, new int[]{AppOpsManager.OP_OTHER_SENSORS}) != null) -+ apps.add(app); -+ } -+ } -+ } -+ Collections.sort(apps, new PackageItemInfo.DisplayNameComparator(mPackageManager)); -+ for (ApplicationInfo app : apps) { -+ final String pkg = app.packageName; -+ final CharSequence label = app.loadLabel(mPackageManager); -+ final SwitchPreference pref = new SwitchPreference(getPrefContext()); -+ pref.setPersistent(false); -+ pref.setIcon(app.loadIcon(mPackageManager)); -+ pref.setTitle(label); -+ updateState(pref, pkg); -+ pref.setOnPreferenceChangeListener(new OnPreferenceChangeListener() { -+ @Override -+ public boolean onPreferenceChange(Preference preference, Object newValue) { -+ boolean switchOn = (Boolean) newValue; -+ mAppOpsManager.setMode(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg, -+ switchOn ? AppOpsManager.MODE_ALLOWED : AppOpsManager.MODE_IGNORED); -+ pref.setChecked(switchOn); -+ return false; -+ } -+ }); -+ screen.addPreference(pref); -+ } -+ } -+ -+ public void updateState(SwitchPreference preference, String pkg) { -+ final int mode = mAppOpsManager -+ .checkOpNoThrow(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg); -+ if (mode == AppOpsManager.MODE_ERRORED) { -+ preference.setChecked(false); -+ } else { -+ final boolean checked = mode != AppOpsManager.MODE_IGNORED; -+ preference.setChecked(checked); -+ } -+ } -+ -+ private boolean isUserApp(String pkg) { -+ ApplicationInfo appInfo; -+ try { -+ appInfo = mPackageManager.getApplicationInfo(pkg, -+ PackageManager.GET_DISABLED_COMPONENTS -+ | PackageManager.GET_UNINSTALLED_PACKAGES); -+ } catch (PackageManager.NameNotFoundException e) { -+ Log.w(TAG, "Unable to find info for package " + pkg); -+ return false; -+ } -+ return ((appInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0); -+ } -+ -+ private int getPackageUid(String pkg) { -+ int uid; -+ try { -+ uid = mPackageManager.getPackageUid(pkg, 0); -+ } catch (PackageManager.NameNotFoundException e) { -+ // We shouldn't hit this, ever. What can we even do after this? -+ uid = -1; -+ } -+ return uid; -+ } -+ -+ private final class SettingObserver extends ContentObserver { -+ public SettingObserver() { -+ super(new Handler(Looper.getMainLooper())); -+ } -+ -+ @Override -+ public void onChange(boolean selfChange, Uri uri) { -+ reloadList(); -+ } -+ } -+} diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch index d1e7cc19..044893f7 100644 --- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch @@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644 Small Default diff --git a/res/values/strings.xml b/res/values/strings.xml -index 6f48171135..e2469b4734 100644 +index 2180ea45f6..eeee1c039f 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -810,6 +810,9 @@ diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch index 43bf0074..bbed0a6d 100644 --- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch @@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644 15 seconds diff --git a/res/values/strings.xml b/res/values/strings.xml -index e2469b4734..288dca24e0 100644 +index eeee1c039f..c5287c4489 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -25,6 +25,25 @@ diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch index 560f5512..173fb8a7 100644 --- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch @@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644 15 seconds diff --git a/res/values/strings.xml b/res/values/strings.xml -index 288dca24e0..dde0923463 100644 +index c5287c4489..0f254706ff 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -44,6 +44,25 @@ diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch index 4ab22c75..e9348fc6 100644 --- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch @@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java diff --git a/res/values/strings.xml b/res/values/strings.xml -index dde0923463..fd3d1cde64 100644 +index 0f254706ff..fcac812417 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -11316,6 +11316,9 @@ diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch index c36fb7e3..3e481bc3 100644 --- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch @@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java diff --git a/res/values/strings.xml b/res/values/strings.xml -index fd3d1cde64..4b9b109d89 100644 +index fcac812417..197882d66e 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -11316,6 +11316,8 @@ diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0010-Sensors.patch b/Patches/LineageOS-18.1/android_frameworks_base/0010-Sensors.patch deleted file mode 100644 index 7360587e..00000000 --- a/Patches/LineageOS-18.1/android_frameworks_base/0010-Sensors.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Sat, 14 Nov 2020 13:04:05 +0100 -Subject: [PATCH] AppOps: Add further Op for accessing Sensors - - (Adapted for R) - -Change-Id: Id7d84d910b849cc4f781aac2a6c21278e08bdeec ---- - core/java/android/app/AppOpsManager.java | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java -index 6baabb69e028..fb685b57e0a6 100644 ---- a/core/java/android/app/AppOpsManager.java -+++ b/core/java/android/app/AppOpsManager.java -@@ -1150,9 +1150,12 @@ public class AppOpsManager { - // TODO: Add as AppProtoEnums - public static final int OP_RECORD_AUDIO_HOTWORD = 102; - -+ /** @hide Access to other Sensors **/ -+ public static final int OP_OTHER_SENSORS = 103; -+ - /** @hide */ - @UnsupportedAppUsage -- public static final int _NUM_OP = 103; -+ public static final int _NUM_OP = 104; - - /** Access to coarse location information. */ - public static final String OPSTR_COARSE_LOCATION = "android:coarse_location"; -@@ -1490,6 +1493,9 @@ public class AppOpsManager { - */ - public static final String OPSTR_RECORD_AUDIO_HOTWORD = "android:record_audio_hotword"; - -+ /** @hide Other Sensors */ -+ public static final String OPSTR_OTHER_SENSORS = "android:other_sensors"; -+ - /** {@link #sAppOpsToNote} not initialized yet for this op */ - private static final byte SHOULD_COLLECT_NOTE_OP_NOT_INITIALIZED = 0; - /** Should not collect noting of this app-op in {@link #sAppOpsToNote} */ -@@ -1682,6 +1688,7 @@ public class AppOpsManager { - OP_PHONE_CALL_MICROPHONE, // OP_PHONE_CALL_MICROPHONE - OP_PHONE_CALL_CAMERA, // OP_PHONE_CALL_CAMERA - OP_RECORD_AUDIO_HOTWORD, // RECORD_AUDIO_HOTWORD -+ OP_OTHER_SENSORS, // OTHER SENSORS - }; - - /** -@@ -1791,6 +1798,7 @@ public class AppOpsManager { - OPSTR_PHONE_CALL_MICROPHONE, - OPSTR_PHONE_CALL_CAMERA, - OPSTR_RECORD_AUDIO_HOTWORD, -+ OPSTR_OTHER_SENSORS, - }; - - /** -@@ -1901,6 +1909,7 @@ public class AppOpsManager { - "PHONE_CALL_MICROPHONE", - "PHONE_CALL_CAMERA", - "RECORD_AUDIO_HOTWORD", -+ "OTHER_SENSORS", - }; - - /** -@@ -2012,6 +2021,7 @@ public class AppOpsManager { - null, // no permission for OP_PHONE_CALL_MICROPHONE - null, // no permission for OP_PHONE_CALL_CAMERA - null, // no permission for OP_RECORD_AUDIO_HOTWORD -+ null, // no permission for OP_OTHER_SENSORS - }; - - /** -@@ -2123,6 +2133,7 @@ public class AppOpsManager { - null, // PHONE_CALL_MICROPHONE - null, // PHONE_CALL_MICROPHONE - null, // RECORD_AUDIO_HOTWORD -+ null, // OTHER SENSORS - }; - - /** -@@ -2233,6 +2244,7 @@ public class AppOpsManager { - null, // PHONE_CALL_MICROPHONE - null, // PHONE_CALL_CAMERA - null, // RECORD_AUDIO_HOTWORD -+ null, // OTHER SENSORS - }; - - /** -@@ -2342,6 +2354,7 @@ public class AppOpsManager { - AppOpsManager.MODE_ALLOWED, // PHONE_CALL_MICROPHONE - AppOpsManager.MODE_ALLOWED, // PHONE_CALL_CAMERA - AppOpsManager.MODE_ALLOWED, // OP_RECORD_AUDIO_HOTWORD -+ AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS - }; - - /** -@@ -2455,6 +2468,7 @@ public class AppOpsManager { - false, // PHONE_CALL_MICROPHONE - false, // PHONE_CALL_CAMERA - false, // RECORD_AUDIO_HOTWORD -+ false, // OTHER SENSORS - }; - - /** diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-1.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-1.patch index 13b26ea7..c3d9bbc2 100644 --- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-1.patch +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-1.patch @@ -1,95 +1,37 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: inthewaves -Date: Sat, 12 Sep 2020 12:28:34 -0700 -Subject: [PATCH] support new special runtime permissions +From: Daniel Micay +Date: Sun, 17 Mar 2019 11:59:15 -0400 +Subject: [PATCH] make INTERNET into a special runtime permission -These are treated as a runtime permission even for legacy apps. They -need to be granted by default for all apps to maintain compatibility. - -Ported from 10: 4d5d82f4e2fb9ff68158bf30f3944591bb74dd04 - -Changes from 10: -- It seems like parts of PackageManagerService#resetUserChangesToRuntimePermissionsAndFlagsLPw -were refactored into PermissionManagerService#resetRuntimePermissionsInternal. -As a result, PackageManagerService is no longer modified. +Ported from 10: 5e2898e9d21dd6802bb0b0139e7e496c41e1cd80 --- - .../permission/PermissionManagerService.java | 24 +++++++++++++++---- - 1 file changed, 19 insertions(+), 5 deletions(-) + core/res/AndroidManifest.xml | 2 +- + .../android/server/pm/permission/PermissionManagerService.java | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 26fd27b7b5ff..2a79c6019fc1 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1607,7 +1607,7 @@ + ++ android:protectionLevel="dangerous|instant" /> + + + + ++ ++ ++ + -+ android:protectionLevel="dangerous|instant" /> + android:protectionLevel="dangerous|instant" /> +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 5c659123b027..7f114cf9b6b4 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -804,6 +804,11 @@ + + access sensor data about your vital signs - ++ Network ++ ++ access the network ++ + + Retrieve window content + +diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt +index 5f15216e8400..189544f98594 100644 +--- a/non-updatable-api/current.txt ++++ b/non-updatable-api/current.txt +@@ -184,6 +184,7 @@ package android { + field public static final String CONTACTS = "android.permission-group.CONTACTS"; + field public static final String LOCATION = "android.permission-group.LOCATION"; + field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; ++ field public static final String NETWORK = "android.permission-group.NETWORK"; + field public static final String PHONE = "android.permission-group.PHONE"; + field public static final String SENSORS = "android.permission-group.SENSORS"; + field public static final String SMS = "android.permission-group.SMS"; diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-3.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-3.patch index 11cec44e..26d1ea1d 100644 --- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-3.patch +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-3.patch @@ -1,81 +1,112 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Daniel Micay -Date: Fri, 21 Jul 2017 11:23:07 -0400 -Subject: [PATCH] add a NETWORK permission group for INTERNET +From: Zoraver Kang +Date: Mon, 16 Sep 2019 16:41:30 -0400 +Subject: [PATCH] Enforce INTERNET as a runtime permission. -Ported from 10: b5c9f9407d5f5407686ea8c02fa67573ddc07824 - -Changes from 10: -- Needed to run `m api-stubs-docs-non-updatable-update-current-api` -to fix the "You have tried to change the API from what has been -previously approved" errors. +Ported from 10: 69f726bc4219a7acea0319ae8d4b5fda48cd9861 --- - api/current.txt | 1 + - core/res/AndroidManifest.xml | 8 ++++++++ - core/res/res/values/strings.xml | 5 +++++ - non-updatable-api/current.txt | 1 + - 4 files changed, 15 insertions(+) + .../connectivity/PermissionMonitor.java | 59 ++++++++++++------- + 1 file changed, 39 insertions(+), 20 deletions(-) -diff --git a/api/current.txt b/api/current.txt -index 952ccdad992c..728c0e95ca6d 100644 ---- a/api/current.txt -+++ b/api/current.txt -@@ -184,6 +184,7 @@ package android { - field public static final String CONTACTS = "android.permission-group.CONTACTS"; - field public static final String LOCATION = "android.permission-group.LOCATION"; - field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; -+ field public static final String NETWORK = "android.permission-group.NETWORK"; - field public static final String PHONE = "android.permission-group.PHONE"; - field public static final String SENSORS = "android.permission-group.SENSORS"; - field public static final String SMS = "android.permission-group.SMS"; -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 2a79c6019fc1..e70e54b62f61 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -1601,10 +1601,18 @@ - - +diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java +index f0b7150dd84f..41c013b4b197 100644 +--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java ++++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java +@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID; + import static android.os.Process.SYSTEM_UID; -+ -+ -+ - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 5c659123b027..7f114cf9b6b4 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -804,6 +804,11 @@ - - access sensor data about your vital signs + import android.annotation.NonNull; ++import android.annotation.UserIdInt; + import android.content.Context; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageInfo; +@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils; + import com.android.internal.util.IndentingPrintWriter; + import com.android.server.LocalServices; + import com.android.server.SystemConfig; ++import com.android.server.pm.permission.PermissionManagerServiceInternal; -+ -+ Network -+ -+ access the network + import java.util.ArrayList; + import java.util.Collection; +@@ -80,6 +82,7 @@ public class PermissionMonitor { + private static final int VERSION_Q = Build.VERSION_CODES.Q; + + private final PackageManager mPackageManager; ++ private final PackageManagerInternal mPackageManagerInternal; + private final UserManager mUserManager; + private final INetd mNetd; + +@@ -104,26 +107,6 @@ public class PermissionMonitor { + + private class PackageListObserver implements PackageManagerInternal.PackageListObserver { + +- private int getPermissionForUid(int uid) { +- int permission = 0; +- // Check all the packages for this UID. The UID has the permission if any of the +- // packages in it has the permission. +- String[] packages = mPackageManager.getPackagesForUid(uid); +- if (packages != null && packages.length > 0) { +- for (String name : packages) { +- final PackageInfo app = getPackageInfo(name); +- if (app != null && app.requestedPermissions != null) { +- permission |= getNetdPermissionMask(app.requestedPermissions, +- app.requestedPermissionsFlags); +- } +- } +- } else { +- // The last package of this uid is removed from device. Clean the package up. +- permission = INetd.PERMISSION_UNINSTALLED; +- } +- return permission; +- } +- + @Override + public void onPackageAdded(String packageName, int uid) { + sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); +@@ -140,10 +123,46 @@ public class PermissionMonitor { + } + } + ++ private int getPermissionForUid(int uid) { ++ int permission = 0; ++ // Check all the packages for this UID. The UID has the permission if any of the ++ // packages in it has the permission. ++ String[] packages = mPackageManager.getPackagesForUid(uid); ++ if (packages != null && packages.length > 0) { ++ for (String name : packages) { ++ final PackageInfo app = getPackageInfo(name); ++ if (app != null && app.requestedPermissions != null) { ++ permission |= getNetdPermissionMask(app.requestedPermissions, ++ app.requestedPermissionsFlags); ++ } ++ } ++ } else { ++ // The last package of this uid is removed from device. Clean the package up. ++ permission = INetd.PERMISSION_UNINSTALLED; ++ } ++ return permission; ++ } + - - Retrieve window content - -diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt -index 5f15216e8400..189544f98594 100644 ---- a/non-updatable-api/current.txt -+++ b/non-updatable-api/current.txt -@@ -184,6 +184,7 @@ package android { - field public static final String CONTACTS = "android.permission-group.CONTACTS"; - field public static final String LOCATION = "android.permission-group.LOCATION"; - field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; -+ field public static final String NETWORK = "android.permission-group.NETWORK"; - field public static final String PHONE = "android.permission-group.PHONE"; - field public static final String SENSORS = "android.permission-group.SENSORS"; - field public static final String SMS = "android.permission-group.SMS"; ++ // implements OnRuntimePermissionStateChangedListener ++ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, ++ @UserIdInt int userId) { ++ // userId is _not_ uid ++ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); ++ sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); ++ } ++ + public PermissionMonitor(Context context, INetd netd) { + mPackageManager = context.getPackageManager(); + mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE); + mNetd = netd; ++ ++ mPackageManagerInternal = LocalServices.getService( ++ PackageManagerInternal.class); ++ ++ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService( ++ PermissionManagerServiceInternal.class); ++ permManagerInternal.addOnRuntimePermissionStateChangedListener( ++ this::enforceINTERNETAsRuntimePermission); + } + + // Intended to be called only once at startup, after the system is ready. Installs a broadcast diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-4.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-4.patch index 26d1ea1d..b5108b4a 100644 --- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-4.patch +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-4.patch @@ -1,112 +1,82 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Zoraver Kang -Date: Mon, 16 Sep 2019 16:41:30 -0400 -Subject: [PATCH] Enforce INTERNET as a runtime permission. +From: pratyush +Date: Sun, 25 Apr 2021 07:04:03 +0530 +Subject: [PATCH] fix INTERNET enforcement for secondary users -Ported from 10: 69f726bc4219a7acea0319ae8d4b5fda48cd9861 +This code was not specifying the profile for the app so it wasn't +working properly with INTERNET as a runtime permission. --- - .../connectivity/PermissionMonitor.java | 59 ++++++++++++------- - 1 file changed, 39 insertions(+), 20 deletions(-) + .../connectivity/PermissionMonitor.java | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -index f0b7150dd84f..41c013b4b197 100644 +index 41c013b4b197..09cd274cbb05 100644 --- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java +++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID; - import static android.os.Process.SYSTEM_UID; +@@ -130,7 +130,8 @@ public class PermissionMonitor { + String[] packages = mPackageManager.getPackagesForUid(uid); + if (packages != null && packages.length > 0) { + for (String name : packages) { +- final PackageInfo app = getPackageInfo(name); ++ int userId = UserHandle.getUserId(uid); ++ final PackageInfo app = getPackageInfo(name, userId); + if (app != null && app.requestedPermissions != null) { + permission |= getNetdPermissionMask(app.requestedPermissions, + app.requestedPermissionsFlags); +@@ -147,7 +148,7 @@ public class PermissionMonitor { + private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, + @UserIdInt int userId) { + // userId is _not_ uid +- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); ++ int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId); + sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); + } - import android.annotation.NonNull; -+import android.annotation.UserIdInt; - import android.content.Context; - import android.content.pm.ApplicationInfo; - import android.content.pm.PackageInfo; -@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils; - import com.android.internal.util.IndentingPrintWriter; - import com.android.server.LocalServices; - import com.android.server.SystemConfig; -+import com.android.server.pm.permission.PermissionManagerServiceInternal; +@@ -364,12 +365,13 @@ public class PermissionMonitor { + } - import java.util.ArrayList; - import java.util.Collection; -@@ -80,6 +82,7 @@ public class PermissionMonitor { - private static final int VERSION_Q = Build.VERSION_CODES.Q; - - private final PackageManager mPackageManager; -+ private final PackageManagerInternal mPackageManagerInternal; - private final UserManager mUserManager; - private final INetd mNetd; - -@@ -104,26 +107,6 @@ public class PermissionMonitor { - - private class PackageListObserver implements PackageManagerInternal.PackageListObserver { - -- private int getPermissionForUid(int uid) { -- int permission = 0; -- // Check all the packages for this UID. The UID has the permission if any of the -- // packages in it has the permission. -- String[] packages = mPackageManager.getPackagesForUid(uid); -- if (packages != null && packages.length > 0) { -- for (String name : packages) { -- final PackageInfo app = getPackageInfo(name); -- if (app != null && app.requestedPermissions != null) { -- permission |= getNetdPermissionMask(app.requestedPermissions, -- app.requestedPermissionsFlags); -- } -- } -- } else { -- // The last package of this uid is removed from device. Clean the package up. -- permission = INetd.PERMISSION_UNINSTALLED; -- } -- return permission; -- } -- - @Override - public void onPackageAdded(String packageName, int uid) { - sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); -@@ -140,10 +123,46 @@ public class PermissionMonitor { + @VisibleForTesting +- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) { ++ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) { + if (currentPermission == SYSTEM) { + return currentPermission; } + try { +- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS); ++ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS, ++ UserHandle.getUserId(uid)); + final boolean isNetwork = hasNetworkPermission(app); + final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); + if (isNetwork || hasRestrictedPermission) { +@@ -393,7 +395,7 @@ public class PermissionMonitor { + public synchronized void onPackageAdded(String packageName, int uid) { + // If multiple packages share a UID (cf: android:sharedUserId) and ask for different + // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). +- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName); ++ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid); + if (permission != mApps.get(uid)) { + mApps.put(uid, permission); + +@@ -445,7 +447,7 @@ public class PermissionMonitor { + String[] packages = mPackageManager.getPackagesForUid(uid); + if (packages != null && packages.length > 0) { + for (String name : packages) { +- permission = highestPermissionForUid(permission, name); ++ permission = highestPermissionForUid(permission, name, uid); + if (permission == SYSTEM) { + // An app with this UID still has the SYSTEM permission. + // Therefore, this UID must already have the SYSTEM permission. +@@ -485,11 +487,9 @@ public class PermissionMonitor { + return permissions; } -+ private int getPermissionForUid(int uid) { -+ int permission = 0; -+ // Check all the packages for this UID. The UID has the permission if any of the -+ // packages in it has the permission. -+ String[] packages = mPackageManager.getPackagesForUid(uid); -+ if (packages != null && packages.length > 0) { -+ for (String name : packages) { -+ final PackageInfo app = getPackageInfo(name); -+ if (app != null && app.requestedPermissions != null) { -+ permission |= getNetdPermissionMask(app.requestedPermissions, -+ app.requestedPermissionsFlags); -+ } -+ } -+ } else { -+ // The last package of this uid is removed from device. Clean the package up. -+ permission = INetd.PERMISSION_UNINSTALLED; -+ } -+ return permission; -+ } -+ -+ // implements OnRuntimePermissionStateChangedListener -+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, -+ @UserIdInt int userId) { -+ // userId is _not_ uid -+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); -+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); -+ } -+ - public PermissionMonitor(Context context, INetd netd) { - mPackageManager = context.getPackageManager(); - mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE); - mNetd = netd; -+ -+ mPackageManagerInternal = LocalServices.getService( -+ PackageManagerInternal.class); -+ -+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService( -+ PermissionManagerServiceInternal.class); -+ permManagerInternal.addOnRuntimePermissionStateChangedListener( -+ this::enforceINTERNETAsRuntimePermission); - } - - // Intended to be called only once at startup, after the system is ready. Installs a broadcast +- private PackageInfo getPackageInfo(String packageName) { ++ private PackageInfo getPackageInfo(String packageName, int userId) { + try { +- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS +- | MATCH_ANY_USER); +- return app; ++ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId); + } catch (NameNotFoundException e) { + return null; + } diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-5.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-5.patch index b5108b4a..4a22164b 100644 --- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-5.patch +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-5.patch @@ -1,82 +1,125 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: pratyush -Date: Sun, 25 Apr 2021 07:04:03 +0530 -Subject: [PATCH] fix INTERNET enforcement for secondary users +From: Pratyush +Date: Thu, 12 Aug 2021 03:44:41 +0530 +Subject: [PATCH] send uid for each user instead of just owner/admin user -This code was not specifying the profile for the app so it wasn't -working properly with INTERNET as a runtime permission. --- - .../connectivity/PermissionMonitor.java | 20 +++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) + .../connectivity/PermissionMonitor.java | 83 +++++++++++-------- + 1 file changed, 49 insertions(+), 34 deletions(-) diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -index 41c013b4b197..09cd274cbb05 100644 +index 09cd274cbb05..ee0c531ef13e 100644 --- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java +++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -@@ -130,7 +130,8 @@ public class PermissionMonitor { - String[] packages = mPackageManager.getPackagesForUid(uid); - if (packages != null && packages.length > 0) { +@@ -132,7 +132,7 @@ public class PermissionMonitor { for (String name : packages) { -- final PackageInfo app = getPackageInfo(name); -+ int userId = UserHandle.getUserId(uid); -+ final PackageInfo app = getPackageInfo(name, userId); - if (app != null && app.requestedPermissions != null) { + int userId = UserHandle.getUserId(uid); + final PackageInfo app = getPackageInfo(name, userId); +- if (app != null && app.requestedPermissions != null) { ++ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) { permission |= getNetdPermissionMask(app.requestedPermissions, app.requestedPermissionsFlags); -@@ -147,7 +148,7 @@ public class PermissionMonitor { - private void enforceINTERNETAsRuntimePermission(@NonNull String packageName, - @UserIdInt int userId) { - // userId is _not_ uid -- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId); -+ int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId); - sendPackagePermissionsForUid(uid, getPermissionForUid(uid)); - } + } +@@ -177,44 +177,45 @@ public class PermissionMonitor { + } else { + loge("failed to get the PackageManagerInternal service"); + } +- List apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS +- | MATCH_ANY_USER); +- if (apps == null) { +- loge("No apps"); +- return; +- } -@@ -364,12 +365,13 @@ public class PermissionMonitor { - } + SparseIntArray netdPermsUids = new SparseIntArray(); - @VisibleForTesting -- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) { -+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) { - if (currentPermission == SYSTEM) { - return currentPermission; +- for (PackageInfo app : apps) { +- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; +- if (uid < 0) { +- continue; +- } +- mAllApps.add(UserHandle.getAppId(uid)); +- +- boolean isNetwork = hasNetworkPermission(app); +- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); +- +- if (isNetwork || hasRestrictedPermission) { +- Boolean permission = mApps.get(uid); +- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different +- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). +- if (permission == null || permission == NETWORK) { +- mApps.put(uid, hasRestrictedPermission); +- } +- } +- +- //TODO: unify the management of the permissions into one codepath. +- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, +- app.requestedPermissionsFlags); +- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); +- } +- + List users = mUserManager.getUsers(true); // exclude dying users + if (users != null) { + for (UserInfo user : users) { + mUsers.add(user.id); ++ ++ List apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id); ++ if (apps == null) { ++ loge("No apps"); ++ continue; ++ } ++ ++ for (PackageInfo app : apps) { ++ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; ++ if (uid < 0) { ++ continue; ++ } ++ mAllApps.add(UserHandle.getAppId(uid)); ++ ++ boolean isNetwork = hasNetworkPermission(app); ++ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); ++ ++ if (isNetwork || hasRestrictedPermission) { ++ Boolean permission = mApps.get(uid); ++ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different ++ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). ++ if (permission == null || permission == NETWORK) { ++ mApps.put(uid, hasRestrictedPermission); ++ } ++ } ++ ++ //TODO: unify the management of the permissions into one codepath. ++ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, ++ app.requestedPermissionsFlags); ++ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); ++ } ++ + } + } + +@@ -308,9 +309,23 @@ public class PermissionMonitor { + List network = new ArrayList<>(); + List system = new ArrayList<>(); + for (Entry app : apps.entrySet()) { +- List list = app.getValue() ? system : network; + for (int user : users) { +- list.add(UserHandle.getUid(user, app.getKey())); ++ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey())); ++ if (uid < 0) continue; ++ String[] packages = mPackageManager.getPackagesForUid(uid); ++ if (packages == null) continue; ++ for (String pkg : packages) { ++ PackageInfo info = getPackageInfo(pkg, user); ++ if (info != null && info.applicationInfo.uid == uid) { ++ boolean isNetwork = hasNetworkPermission(info); ++ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info); ++ ++ if (isNetwork || hasRestrictedPermission) { ++ List list = hasRestrictedPermission ? system : network; ++ list.add(UserHandle.getUid(user, app.getKey())); ++ } ++ } ++ } + } } try { -- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS); -+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS, -+ UserHandle.getUserId(uid)); - final boolean isNetwork = hasNetworkPermission(app); - final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); - if (isNetwork || hasRestrictedPermission) { -@@ -393,7 +395,7 @@ public class PermissionMonitor { - public synchronized void onPackageAdded(String packageName, int uid) { - // If multiple packages share a UID (cf: android:sharedUserId) and ask for different - // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). -- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName); -+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid); - if (permission != mApps.get(uid)) { - mApps.put(uid, permission); - -@@ -445,7 +447,7 @@ public class PermissionMonitor { - String[] packages = mPackageManager.getPackagesForUid(uid); - if (packages != null && packages.length > 0) { - for (String name : packages) { -- permission = highestPermissionForUid(permission, name); -+ permission = highestPermissionForUid(permission, name, uid); - if (permission == SYSTEM) { - // An app with this UID still has the SYSTEM permission. - // Therefore, this UID must already have the SYSTEM permission. -@@ -485,11 +487,9 @@ public class PermissionMonitor { - return permissions; - } - -- private PackageInfo getPackageInfo(String packageName) { -+ private PackageInfo getPackageInfo(String packageName, int userId) { - try { -- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS -- | MATCH_ANY_USER); -- return app; -+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId); - } catch (NameNotFoundException e) { - return null; - } diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-6.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-6.patch index 4a22164b..b1601b1f 100644 --- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-6.patch +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-6.patch @@ -1,125 +1,42 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Pratyush -Date: Thu, 12 Aug 2021 03:44:41 +0530 -Subject: [PATCH] send uid for each user instead of just owner/admin user +From: Dmitry Muhomor +Date: Tue, 14 Dec 2021 18:17:11 +0200 +Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked --- - .../connectivity/PermissionMonitor.java | 83 +++++++++++-------- - 1 file changed, 49 insertions(+), 34 deletions(-) + core/java/android/net/ConnectivityManager.java | 8 ++++++++ + 1 file changed, 8 insertions(+) -diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -index 09cd274cbb05..ee0c531ef13e 100644 ---- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java -+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java -@@ -132,7 +132,7 @@ public class PermissionMonitor { - for (String name : packages) { - int userId = UserHandle.getUserId(uid); - final PackageInfo app = getPackageInfo(name, userId); -- if (app != null && app.requestedPermissions != null) { -+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) { - permission |= getNetdPermissionMask(app.requestedPermissions, - app.requestedPermissionsFlags); - } -@@ -177,44 +177,45 @@ public class PermissionMonitor { - } else { - loge("failed to get the PackageManagerInternal service"); - } -- List apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS -- | MATCH_ANY_USER); -- if (apps == null) { -- loge("No apps"); -- return; -- } +diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java +index 7df32c10b16b..a2b04f3e9540 100644 +--- a/core/java/android/net/ConnectivityManager.java ++++ b/core/java/android/net/ConnectivityManager.java +@@ -17,6 +17,7 @@ package android.net; - SparseIntArray netdPermsUids = new SparseIntArray(); + import static android.net.IpSecManager.INVALID_RESOURCE_ID; -- for (PackageInfo app : apps) { -- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; -- if (uid < 0) { -- continue; -- } -- mAllApps.add(UserHandle.getAppId(uid)); -- -- boolean isNetwork = hasNetworkPermission(app); -- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); -- -- if (isNetwork || hasRestrictedPermission) { -- Boolean permission = mApps.get(uid); -- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different -- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). -- if (permission == null || permission == NETWORK) { -- mApps.put(uid, hasRestrictedPermission); -- } -- } -- -- //TODO: unify the management of the permissions into one codepath. -- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, -- app.requestedPermissionsFlags); -- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); -- } -- - List users = mUserManager.getUsers(true); // exclude dying users - if (users != null) { - for (UserInfo user : users) { - mUsers.add(user.id); -+ -+ List apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id); -+ if (apps == null) { -+ loge("No apps"); -+ continue; -+ } -+ -+ for (PackageInfo app : apps) { -+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID; -+ if (uid < 0) { -+ continue; -+ } -+ mAllApps.add(UserHandle.getAppId(uid)); -+ -+ boolean isNetwork = hasNetworkPermission(app); -+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app); -+ -+ if (isNetwork || hasRestrictedPermission) { -+ Boolean permission = mApps.get(uid); -+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different -+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is). -+ if (permission == null || permission == NETWORK) { -+ mApps.put(uid, hasRestrictedPermission); -+ } -+ } -+ -+ //TODO: unify the management of the permissions into one codepath. -+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions, -+ app.requestedPermissionsFlags); -+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms); -+ } -+ - } - } - -@@ -308,9 +309,23 @@ public class PermissionMonitor { - List network = new ArrayList<>(); - List system = new ArrayList<>(); - for (Entry app : apps.entrySet()) { -- List list = app.getValue() ? system : network; - for (int user : users) { -- list.add(UserHandle.getUid(user, app.getKey())); -+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey())); -+ if (uid < 0) continue; -+ String[] packages = mPackageManager.getPackagesForUid(uid); -+ if (packages == null) continue; -+ for (String pkg : packages) { -+ PackageInfo info = getPackageInfo(pkg, user); -+ if (info != null && info.applicationInfo.uid == uid) { -+ boolean isNetwork = hasNetworkPermission(info); -+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info); -+ -+ if (isNetwork || hasRestrictedPermission) { -+ List list = hasRestrictedPermission ? system : network; -+ list.add(UserHandle.getUid(user, app.getKey())); -+ } -+ } -+ } - } - } ++import android.Manifest; + import android.annotation.CallbackExecutor; + import android.annotation.IntDef; + import android.annotation.NonNull; +@@ -31,6 +32,7 @@ import android.app.PendingIntent; + import android.compat.annotation.UnsupportedAppUsage; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.PackageManager; + import android.net.IpSecManager.UdpEncapsulationSocket; + import android.net.SocketKeepalive.Callback; + import android.net.TetheringManager.StartTetheringCallback; +@@ -3047,6 +3049,12 @@ public class ConnectivityManager { + */ + public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) { + printStackTrace(); ++ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) { ++ // ConnectivityService enforces this by throwing an unexpected SecurityException, ++ // which puts GMS into a crash loop. Also useful for other apps that don't expect that ++ // INTERNET permission might get revoked. ++ return; ++ } try { + mService.reportNetworkConnectivity(network, hasConnectivity); + } catch (RemoteException e) { diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-7.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-7.patch deleted file mode 100644 index b1601b1f..00000000 --- a/Patches/LineageOS-18.1/android_frameworks_base/0013-Network_Permission-7.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dmitry Muhomor -Date: Tue, 14 Dec 2021 18:17:11 +0200 -Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked - ---- - core/java/android/net/ConnectivityManager.java | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java -index 7df32c10b16b..a2b04f3e9540 100644 ---- a/core/java/android/net/ConnectivityManager.java -+++ b/core/java/android/net/ConnectivityManager.java -@@ -17,6 +17,7 @@ package android.net; - - import static android.net.IpSecManager.INVALID_RESOURCE_ID; - -+import android.Manifest; - import android.annotation.CallbackExecutor; - import android.annotation.IntDef; - import android.annotation.NonNull; -@@ -31,6 +32,7 @@ import android.app.PendingIntent; - import android.compat.annotation.UnsupportedAppUsage; - import android.content.Context; - import android.content.Intent; -+import android.content.pm.PackageManager; - import android.net.IpSecManager.UdpEncapsulationSocket; - import android.net.SocketKeepalive.Callback; - import android.net.TetheringManager.StartTetheringCallback; -@@ -3047,6 +3049,12 @@ public class ConnectivityManager { - */ - public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) { - printStackTrace(); -+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) { -+ // ConnectivityService enforces this by throwing an unexpected SecurityException, -+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that -+ // INTERNET permission might get revoked. -+ return; -+ } - try { - mService.reportNetworkConnectivity(network, hasConnectivity); - } catch (RemoteException e) { diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Sensors_Permission.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Sensors_Permission.patch new file mode 100644 index 00000000..86778eeb --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Sensors_Permission.patch @@ -0,0 +1,142 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:54:42 -0400 +Subject: [PATCH] add special runtime permission for other sensors + +This covers sensors not included in the existing runtime permission for +body sensors. + +Ported from 10: 9ec9f7f521323552fa658b46862c8408f1a7b41b + +Changes from 10: +- Needed to run `m api-stubs-docs-non-updatable-update-current-api` +to fix the "You have tried to change the API from what has been +previously approved" errors. +--- + api/current.txt | 2 ++ + core/java/android/content/pm/PackageParser.java | 2 ++ + core/res/AndroidManifest.xml | 12 ++++++++++++ + core/res/res/values/strings.xml | 12 ++++++++++++ + non-updatable-api/current.txt | 2 ++ + .../pm/permission/PermissionManagerService.java | 2 +- + 6 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/api/current.txt b/api/current.txt +index 728c0e95ca6d..4ab72254811f 100644 +--- a/api/current.txt ++++ b/api/current.txt +@@ -106,6 +106,7 @@ package android { + field public static final String NFC = "android.permission.NFC"; + field public static final String NFC_PREFERRED_PAYMENT_INFO = "android.permission.NFC_PREFERRED_PAYMENT_INFO"; + field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT"; ++ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS"; + field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"; + field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY"; + field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS"; +@@ -185,6 +186,7 @@ package android { + field public static final String LOCATION = "android.permission-group.LOCATION"; + field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; + field public static final String NETWORK = "android.permission-group.NETWORK"; ++ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS"; + field public static final String PHONE = "android.permission-group.PHONE"; + field public static final String SENSORS = "android.permission-group.SENSORS"; + field public static final String SMS = "android.permission-group.SMS"; +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index 57f8a713ec13..c63fea6e3e0e 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -280,6 +280,8 @@ public class PackageParser { + @UnsupportedAppUsage + public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] = + new PackageParser.NewPermissionInfo[] { ++ new PackageParser.NewPermissionInfo(android.Manifest.permission.OTHER_SENSORS, ++ android.os.Build.VERSION_CODES.CUR_DEVELOPMENT + 1, 0), + new PackageParser.NewPermissionInfo(android.Manifest.permission.WRITE_EXTERNAL_STORAGE, + android.os.Build.VERSION_CODES.DONUT, 0), + new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE, +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index e70e54b62f61..5d554d10b056 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1391,6 +1391,18 @@ + android:description="@string/permdesc_useBiometric" + android:protectionLevel="normal" /> + ++ ++ ++ ++ + + + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 7f114cf9b6b4..7eaa99ab324f 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -804,6 +804,11 @@ + + access sensor data about your vital signs + ++ ++ Sensors ++ ++ access sensor data about orientation, movement, etc. ++ + + Network + +@@ -1118,6 +1123,13 @@ + Allows the app to access data from sensors + that monitor your physical condition, such as your heart rate. + ++ ++ access sensors (like the compass) ++ ++ ++ Allows the app to access data from sensors ++ monitoring orientation, movement, vibration (including low frequency sound) and environmental data ++ + + Read calendar events and details + +diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt +index 189544f98594..9badc8c4d9c0 100644 +--- a/non-updatable-api/current.txt ++++ b/non-updatable-api/current.txt +@@ -106,6 +106,7 @@ package android { + field public static final String NFC = "android.permission.NFC"; + field public static final String NFC_PREFERRED_PAYMENT_INFO = "android.permission.NFC_PREFERRED_PAYMENT_INFO"; + field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT"; ++ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS"; + field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"; + field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY"; + field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS"; +@@ -185,6 +186,7 @@ package android { + field public static final String LOCATION = "android.permission-group.LOCATION"; + field public static final String MICROPHONE = "android.permission-group.MICROPHONE"; + field public static final String NETWORK = "android.permission-group.NETWORK"; ++ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS"; + field public static final String PHONE = "android.permission-group.PHONE"; + field public static final String SENSORS = "android.permission-group.SENSORS"; + field public static final String SMS = "android.permission-group.SMS"; +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index 9e6ecc739ffe..c744a0b5079a 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -2609,7 +2609,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { + } + + public static boolean isSpecialRuntimePermission(final String permission) { +- return Manifest.permission.INTERNET.equals(permission); ++ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission); + } + + /** diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0013-Special_Permissions.patch b/Patches/LineageOS-18.1/android_frameworks_base/0013-Special_Permissions.patch new file mode 100644 index 00000000..13b26ea7 --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_base/0013-Special_Permissions.patch @@ -0,0 +1,95 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: inthewaves +Date: Sat, 12 Sep 2020 12:28:34 -0700 +Subject: [PATCH] support new special runtime permissions + +These are treated as a runtime permission even for legacy apps. They +need to be granted by default for all apps to maintain compatibility. + +Ported from 10: 4d5d82f4e2fb9ff68158bf30f3944591bb74dd04 + +Changes from 10: +- It seems like parts of PackageManagerService#resetUserChangesToRuntimePermissionsAndFlagsLPw +were refactored into PermissionManagerService#resetRuntimePermissionsInternal. +As a result, PackageManagerService is no longer modified. +--- + .../permission/PermissionManagerService.java | 24 +++++++++++++++---- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index 8d2363b6e831..26b959879084 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -1461,7 +1461,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { + // to keep the review required permission flag per user while an + // install permission's state is shared across all users. + if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M +- && bp.isRuntime()) { ++ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) { + return; + } + +@@ -1513,7 +1513,8 @@ public class PermissionManagerService extends IPermissionManager.Stub { + + permName + " for package " + packageName); + } + +- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M) { ++ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M ++ && !isSpecialRuntimePermission(permName)) { + Slog.w(TAG, "Cannot grant runtime permission to a legacy app"); + return; + } +@@ -1623,7 +1624,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { + // to keep the review required permission flag per user while an + // install permission's state is shared across all users. + if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M +- && bp.isRuntime()) { ++ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) { + return; + } + +@@ -1847,7 +1848,8 @@ public class PermissionManagerService extends IPermissionManager.Stub { + + // If this permission was granted by default or role, make sure it is. + if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 +- || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0) { ++ || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0 ++ || isSpecialRuntimePermission(bp.getName())) { + // PermissionPolicyService will handle the app op for runtime permissions later. + grantRuntimePermissionInternal(permName, packageName, false, + Process.SYSTEM_UID, userId, delayingPermCallback); +@@ -2606,6 +2608,10 @@ public class PermissionManagerService extends IPermissionManager.Stub { + } + } + ++ public static boolean isSpecialRuntimePermission(final String permission) { ++ return false; ++ } ++ + /** + * Restore the permission state for a package. + * +@@ -2952,6 +2958,14 @@ public class PermissionManagerService extends IPermissionManager.Stub { + } + } + } ++ ++ if (isSpecialRuntimePermission(bp.name) && ++ origPermissions.getRuntimePermissionState(bp.name, userId) == null) { ++ if (permissionsState.grantRuntimePermission(bp, userId) ++ != PERMISSION_OPERATION_FAILURE) { ++ wasChanged = true; ++ } ++ } + } else { + if (permState == null) { + // New permission +@@ -3907,7 +3921,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { + && (grantedPermissions == null + || ArrayUtils.contains(grantedPermissions, permission))) { + final int flags = permissionsState.getPermissionFlags(permission, userId); +- if (supportsRuntimePermissions) { ++ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) { + // Installer cannot change immutable permissions. + if ((flags & immutableFlags) == 0) { + grantRuntimePermissionInternal(permission, pkg.getPackageName(), false, diff --git a/Patches/LineageOS-18.1/android_frameworks_native/0001-Sensors.patch b/Patches/LineageOS-18.1/android_frameworks_native/0001-Sensors.patch index 49424766..3101b6cf 100644 --- a/Patches/LineageOS-18.1/android_frameworks_native/0001-Sensors.patch +++ b/Patches/LineageOS-18.1/android_frameworks_native/0001-Sensors.patch @@ -1,73 +1,22 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Sat, 14 Nov 2020 13:21:18 +0100 -Subject: [PATCH] AppOps: New Op for (Other) sensors access +From: Daniel Micay +Date: Sat, 7 Oct 2017 16:28:57 -0400 +Subject: [PATCH] require OTHER_SENSORS permission for sensors - * Add new sensor op to enum - * Invoke OP_OTHER_SENSORS as default - * Adapt logic for checking the Ops, if no permission is linked - -cherry-picked from lin17-microG and adapted for R - -Change-Id: If4011566a391314afed9a26e1dcf6e4bc838e4f7 +Ported from 10: ff005a6b6a38baef95c4a01d7e1fc75aac651a58 --- - libs/binder/include/binder/AppOpsManager.h | 3 ++- - libs/sensor/Sensor.cpp | 1 + - services/sensorservice/SensorService.cpp | 10 ++++++---- - 3 files changed, 9 insertions(+), 5 deletions(-) + libs/sensor/Sensor.cpp | 1 + + 1 file changed, 1 insertion(+) -diff --git a/libs/binder/include/binder/AppOpsManager.h b/libs/binder/include/binder/AppOpsManager.h -index d93935ae5d..4a8c36f5b2 100644 ---- a/libs/binder/include/binder/AppOpsManager.h -+++ b/libs/binder/include/binder/AppOpsManager.h -@@ -135,7 +135,8 @@ public: - OP_PHONE_CALL_MICROPHONE = 100, - OP_PHONE_CALL_CAMERA = 101, - OP_RECORD_AUDIO_HOTWORD = 102, -- _NUM_OP = 103 -+ OP_OTHER_SENSORS = 103, -+ _NUM_OP = 104 - }; - - AppOpsManager(); diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp -index 9d817ae0bd..76d365d5f7 100644 +index 9d817ae0bd..91df16e64a 100644 --- a/libs/sensor/Sensor.cpp +++ b/libs/sensor/Sensor.cpp @@ -59,6 +59,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi mMinDelay = hwSensor.minDelay; mFlags = 0; mUuid = uuid; -+ mRequiredAppOp = AppOpsManager::OP_OTHER_SENSORS; //default, other values are explicitly set ++ mRequiredPermission = "android.permission.OTHER_SENSORS"; // Set fifo event count zero for older devices which do not support batching. Fused // sensors also have their fifo counts set to zero. -diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp -index 3ca34bba1b..8a62b2bb9c 100644 ---- a/services/sensorservice/SensorService.cpp -+++ b/services/sensorservice/SensorService.cpp -@@ -1798,10 +1798,9 @@ status_t SensorService::flushSensor(const sp& connection, - - bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation, - const String16& opPackageName) { -+ - // Check if a permission is required for this sensor -- if (sensor.getRequiredPermission().length() <= 0) { -- return true; -- } -+ bool noAssociatedPermission = (sensor.getRequiredPermission().length() <= 0); - - const int32_t opCode = sensor.getRequiredAppOp(); - const int32_t appOpMode = sAppOpsManager.checkOp(opCode, -@@ -1816,7 +1815,10 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation, - // Allow access to step sensors if the application targets pre-Q, which is before the - // requirement to hold the AR permission to access Step Counter and Step Detector events - // was introduced. -- canAccess = true; -+ // [MSe1969: Of course only, if AppOpAllowed] -+ canAccess = appOpAllowed; -+ } else if (noAssociatedPermission) { -+ canAccess = appOpAllowed; - } else if (hasPermissionForSensor(sensor)) { - // Ensure that the AppOp is allowed, or that there is no necessary app op for the sensor - if (opCode < 0 || appOpAllowed) { diff --git a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Sensors_Permission-1.patch b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Sensors_Permission-1.patch new file mode 100644 index 00000000..6b5c6a9d --- /dev/null +++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Sensors_Permission-1.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:55:58 -0400 +Subject: [PATCH] always treat OTHER_SENSORS as a runtime permission + +ported from 10: a1204e6126189810018ff5540858536a1c58ac37 +--- + .../permission/model/AppPermissionGroup.java | 4 ++-- + .../permissioncontroller/permission/model/Permission.java | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java +index 0399a1836..4838046ac 100644 +--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java ++++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java +@@ -873,7 +873,7 @@ public final class AppPermissionGroup implements Comparable + + boolean wasGranted = permission.isGrantedIncludingAppOp(); + +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + // Do not touch permissions fixed by the system. + if (permission.isSystemFixed()) { + wasAllGranted = false; +@@ -1058,7 +1058,7 @@ public final class AppPermissionGroup implements Comparable + break; + } + +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { ++ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + // Revoke the permission if needed. + if (permission.isGranted()) { + permission.setGranted(false); +diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java +index 3af5241af..f65b75a9c 100644 +--- a/src/com/android/permissioncontroller/permission/model/Permission.java ++++ b/src/com/android/permissioncontroller/permission/model/Permission.java +@@ -138,7 +138,7 @@ public final class Permission { + * @return {@code true} if the permission (and the app-op) is granted. + */ + public boolean isGrantedIncludingAppOp() { +- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName)); ++ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName) || Manifest.permission.OTHER_SENSORS.equals(mName)); + } + + public boolean isReviewRequired() { diff --git a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Sensors_Permission-2.patch b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Sensors_Permission-2.patch new file mode 100644 index 00000000..12245862 --- /dev/null +++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Sensors_Permission-2.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Sat, 7 Oct 2017 15:56:35 -0400 +Subject: [PATCH] add OTHER_SENSORS permission group + +ported from 10: fc8c816e07ce39583774db8fe668e0505b6aa504 +--- + .../android/permissioncontroller/permission/utils/Utils.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java +index 2f0dc3d21..81d1994bc 100644 +--- a/src/com/android/permissioncontroller/permission/utils/Utils.java ++++ b/src/com/android/permissioncontroller/permission/utils/Utils.java +@@ -26,6 +26,7 @@ import static android.Manifest.permission_group.CONTACTS; + import static android.Manifest.permission_group.LOCATION; + import static android.Manifest.permission_group.MICROPHONE; + import static android.Manifest.permission_group.NETWORK; ++import static android.Manifest.permission_group.OTHER_SENSORS; + import static android.Manifest.permission_group.PHONE; + import static android.Manifest.permission_group.SENSORS; + import static android.Manifest.permission_group.SMS; +@@ -211,6 +212,7 @@ public final class Utils { + PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS); + + PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK); ++ PLATFORM_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS); + + PLATFORM_PERMISSION_GROUPS = new ArrayMap<>(); + int numPlatformPermissions = PLATFORM_PERMISSIONS.size(); diff --git a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-3.patch b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-1.patch similarity index 83% rename from Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-3.patch rename to Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-1.patch index a8179d51..739895f2 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-3.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-1.patch @@ -4,13 +4,13 @@ Date: Sat, 12 Sep 2020 15:40:58 -0700 Subject: [PATCH] refactor handling of special runtime permissions --- - .../permission/model/AppPermissionGroup.java | 5 ++--- - .../permission/model/Permission.java | 5 +++-- - .../permission/utils/Utils.java | 17 +++++++++++++++++ - 3 files changed, 22 insertions(+), 5 deletions(-) + .../permission/model/AppPermissionGroup.java | 5 ++--- + .../permission/model/Permission.java | 5 +++-- + .../permission/utils/Utils.java | 18 ++++++++++++++++++ + 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java -index 0399a1836..cb4eab9f7 100644 +index 4838046ac..cb4eab9f7 100644 --- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java +++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java @@ -34,7 +34,6 @@ import android.content.pm.PackageManager; @@ -25,7 +25,7 @@ index 0399a1836..cb4eab9f7 100644 boolean wasGranted = permission.isGrantedIncludingAppOp(); -- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) { // Do not touch permissions fixed by the system. if (permission.isSystemFixed()) { @@ -34,13 +34,13 @@ index 0399a1836..cb4eab9f7 100644 break; } -- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { +- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) { + if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) { // Revoke the permission if needed. if (permission.isGranted()) { permission.setGranted(false); diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java -index 3af5241af..3f17de882 100644 +index f65b75a9c..3f17de882 100644 --- a/src/com/android/permissioncontroller/permission/model/Permission.java +++ b/src/com/android/permissioncontroller/permission/model/Permission.java @@ -18,10 +18,11 @@ package com.android.permissioncontroller.permission.model; @@ -60,16 +60,16 @@ index 3af5241af..3f17de882 100644 * @return {@code true} if the permission (and the app-op) is granted. */ public boolean isGrantedIncludingAppOp() { -- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName)); +- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName) || Manifest.permission.OTHER_SENSORS.equals(mName)); + return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Utils.isSpecialRuntimePermission(mName)); } public boolean isReviewRequired() { diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java -index 2f0dc3d21..dab86e734 100644 +index 81d1994bc..2c55aed22 100644 --- a/src/com/android/permissioncontroller/permission/utils/Utils.java +++ b/src/com/android/permissioncontroller/permission/utils/Utils.java -@@ -145,6 +145,9 @@ public final class Utils { +@@ -146,6 +146,9 @@ public final class Utils { */ public static final long ONE_TIME_PERMISSIONS_TIMEOUT_MILLIS = 1 * 60 * 1000; // 1 minute @@ -79,17 +79,18 @@ index 2f0dc3d21..dab86e734 100644 /** Mapping permission -> group for all dangerous platform permissions */ private static final ArrayMap PLATFORM_PERMISSIONS; -@@ -212,6 +215,9 @@ public final class Utils { - +@@ -214,6 +217,10 @@ public final class Utils { PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK); + PLATFORM_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS); + SPECIAL_RUNTIME_PERMISSIONS = new ArrayMap<>(); + SPECIAL_RUNTIME_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK); ++ SPECIAL_RUNTIME_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS); + PLATFORM_PERMISSION_GROUPS = new ArrayMap<>(); int numPlatformPermissions = PLATFORM_PERMISSIONS.size(); for (int i = 0; i < numPlatformPermissions; i++) { -@@ -642,6 +648,17 @@ public final class Utils { +@@ -644,6 +651,17 @@ public final class Utils { return PLATFORM_PERMISSIONS.containsKey(permission); } diff --git a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-4.patch b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-2.patch similarity index 98% rename from Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-4.patch rename to Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-2.patch index 98206f66..7db7cd22 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-4.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-2.patch @@ -60,10 +60,10 @@ index 8dd8e8f77..d7f8f229f 100644 val revocablePermissions = group.permissions.keys.toList() diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java -index dab86e734..4a7de5416 100644 +index 2c55aed22..90acf9223 100644 --- a/src/com/android/permissioncontroller/permission/utils/Utils.java +++ b/src/com/android/permissioncontroller/permission/utils/Utils.java -@@ -659,6 +659,17 @@ public final class Utils { +@@ -662,6 +662,17 @@ public final class Utils { return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission); } diff --git a/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-5.patch b/Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-3.patch similarity index 100% rename from Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Network_Permission-5.patch rename to Patches/LineageOS-18.1/android_packages_apps_PermissionController/0002-Special_Permissions-3.patch diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0002-Sensors.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0002-Sensors.patch deleted file mode 100644 index 99bdc342..00000000 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0002-Sensors.patch +++ /dev/null @@ -1,261 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: MSe1969 -Date: Sat, 14 Nov 2020 15:17:37 +0100 -Subject: [PATCH] Special Access: Add an option to administer Sensor access - -Accesses the added AppOp for OP_OTHER_SENSORS - -Change-Id: I79c0ed4ab97494434edc6c308a8a54bd123c02ee ---- - res/values-de/strings.xml | 3 + - res/values-fr/strings.xml | 3 + - res/values/strings.xml | 5 + - res/xml/special_access.xml | 7 + - .../specialaccess/sensor/SensorAccess.java | 178 ++++++++++++++++++ - 5 files changed, 196 insertions(+) - create mode 100644 src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java - -diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml -index 4edd33d66b..a22b3de82c 100644 ---- a/res/values-de/strings.xml -+++ b/res/values-de/strings.xml -@@ -4945,6 +4945,9 @@ - - - -+ Sensorzugriff von Benutzer-Apps kontrollieren -+ Zugriff auf Sensoren -+ Keine installierte App hat Sensorzugriff angefordert. - "Streamen beenden" - "VoLTE deaktivieren?" - "Dadurch wird auch deine 5G-Verbindung deaktiviert.\nWährend eines Sprachanrufs kannst du das Internet nicht nutzen und manche Apps funktionieren möglicherweise nicht." -diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml -index 005aa05953..7c2ad2eaf3 100644 ---- a/res/values-fr/strings.xml -+++ b/res/values-fr/strings.xml -@@ -4944,6 +4944,9 @@ - - - -+ Contrôler l\'accès des applications utilisateurs aux capteurs -+ Access aux Capteurs -+ Aucune app installée n\'a demandé de l\'accès aux capteurs. - "Arrêter la diffusion" - "Désactiver VoLTE ?" - "Cela désactive également votre connexion 5G.\nLorsque vous effectuez un appel vocal, vous n\'avez pas accès à Internet et certaines applications peuvent ne pas fonctionner." -diff --git a/res/values/strings.xml b/res/values/strings.xml -index 0c6fe1a541..120e82f4dd 100644 ---- a/res/values/strings.xml -+++ b/res/values/strings.xml -@@ -12237,4 +12237,9 @@ - Don\u2019t connect - - Connect -+ -+ -+ Control sensor access for user apps -+ Access to Sensors -+ No installed apps have requested sensors access. - -diff --git a/res/xml/special_access.xml b/res/xml/special_access.xml -index 6ee87f4664..f65ee68f7e 100644 ---- a/res/xml/special_access.xml -+++ b/res/xml/special_access.xml -@@ -154,6 +154,13 @@ - android:value="com.android.settings.Settings$ChangeWifiStateActivity" /> - - -+ -+ -+ - apps = new ArrayList<>(); -+ final List installed = mPackageManager.getInstalledApplications(0); -+ if (installed != null) { -+ for (ApplicationInfo app : installed) { -+ // Skip system apps -+ if (isUserApp(app.packageName)) { -+ // Only apps effectively having the Op OTHER_SENSORS -+ if (mAppOpsManager.getOpsForPackage(getPackageUid(app.packageName), -+ app.packageName, new int[]{AppOpsManager.OP_OTHER_SENSORS}) != null) -+ apps.add(app); -+ } -+ } -+ } -+ Collections.sort(apps, new PackageItemInfo.DisplayNameComparator(mPackageManager)); -+ for (ApplicationInfo app : apps) { -+ final String pkg = app.packageName; -+ final CharSequence label = app.loadLabel(mPackageManager); -+ final SwitchPreference pref = new SwitchPreference(getPrefContext()); -+ pref.setPersistent(false); -+ pref.setIcon(app.loadIcon(mPackageManager)); -+ pref.setTitle(label); -+ updateState(pref, pkg); -+ pref.setOnPreferenceChangeListener(new OnPreferenceChangeListener() { -+ @Override -+ public boolean onPreferenceChange(Preference preference, Object newValue) { -+ boolean switchOn = (Boolean) newValue; -+ mAppOpsManager.setMode(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg, -+ switchOn ? AppOpsManager.MODE_ALLOWED : AppOpsManager.MODE_IGNORED); -+ pref.setChecked(switchOn); -+ return false; -+ } -+ }); -+ screen.addPreference(pref); -+ } -+ } -+ -+ public void updateState(SwitchPreference preference, String pkg) { -+ final int mode = mAppOpsManager -+ .checkOpNoThrow(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg); -+ if (mode == AppOpsManager.MODE_ERRORED) { -+ preference.setChecked(false); -+ } else { -+ final boolean checked = mode != AppOpsManager.MODE_IGNORED; -+ preference.setChecked(checked); -+ } -+ } -+ -+ private boolean isUserApp(String pkg) { -+ ApplicationInfo appInfo; -+ try { -+ appInfo = mPackageManager.getApplicationInfo(pkg, -+ PackageManager.GET_DISABLED_COMPONENTS -+ | PackageManager.GET_UNINSTALLED_PACKAGES); -+ } catch (PackageManager.NameNotFoundException e) { -+ Log.w(TAG, "Unable to find info for package " + pkg); -+ return false; -+ } -+ return ((appInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0); -+ } -+ -+ private int getPackageUid(String pkg) { -+ int uid; -+ try { -+ uid = mPackageManager.getPackageUid(pkg, 0); -+ } catch (PackageManager.NameNotFoundException e) { -+ // We shouldn't hit this, ever. What can we even do after this? -+ uid = -1; -+ } -+ return uid; -+ } -+ -+ private final class SettingObserver extends ContentObserver { -+ public SettingObserver() { -+ super(new Handler(Looper.getMainLooper())); -+ } -+ -+ @Override -+ public void onChange(boolean selfChange, Uri uri) { -+ reloadList(); -+ } -+ } -+} diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch index 5a900149..26b68906 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch @@ -55,7 +55,7 @@ index 617548cadc..9caf926229 100644 Small Default diff --git a/res/values/strings.xml b/res/values/strings.xml -index 120e82f4dd..6ff1f16fdf 100644 +index 0c6fe1a541..b9f886d492 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -647,6 +647,9 @@ diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch index 997d123a..ca1e59d9 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch @@ -67,7 +67,7 @@ index 9caf926229..d40e65e536 100644 15 seconds diff --git a/res/values/strings.xml b/res/values/strings.xml -index 6ff1f16fdf..3a7f3878bf 100644 +index b9f886d492..e925a30b3e 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -27,6 +27,25 @@ diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch index 96e7abb8..737f6ab4 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch @@ -67,7 +67,7 @@ index d40e65e536..6259f4d1a5 100644 15 seconds diff --git a/res/values/strings.xml b/res/values/strings.xml -index 3a7f3878bf..dbbc4ba758 100644 +index e925a30b3e..de6d38bcbd 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -46,6 +46,25 @@ diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch index ed426a3e..22220435 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch @@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java diff --git a/res/values/strings.xml b/res/values/strings.xml -index dbbc4ba758..87ef39ed10 100644 +index de6d38bcbd..dc14819f0c 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -11957,6 +11957,9 @@ diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0009-Install_Restrictions.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0009-Install_Restrictions.patch index 98833212..f8d53f53 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0009-Install_Restrictions.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0009-Install_Restrictions.patch @@ -10,7 +10,7 @@ Subject: [PATCH] UserManager app installation restrictions 3 files changed, 44 insertions(+), 5 deletions(-) diff --git a/res/values/strings.xml b/res/values/strings.xml -index b33a94d4a6..1cd05427d1 100644 +index e612651bfe..c8e830342b 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -7088,6 +7088,8 @@ diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0010-exec_spawning_toggle.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0010-exec_spawning_toggle.patch index 920c3788..06e00f0e 100644 --- a/Patches/LineageOS-18.1/android_packages_apps_Settings/0010-exec_spawning_toggle.patch +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0010-exec_spawning_toggle.patch @@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java diff --git a/res/values/strings.xml b/res/values/strings.xml -index 87ef39ed10..b33a94d4a6 100644 +index dc14819f0c..e612651bfe 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -11957,6 +11957,8 @@ diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index aaac8ba0..8256ad9a 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -157,13 +157,11 @@ fi; applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS) -if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969) #applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch"; -fi; +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0014-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; @@ -179,7 +177,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta fi; if enterAndClear "frameworks/native"; then -if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969) +applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) fi; if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then @@ -234,7 +232,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8 fi; if enterAndClear "libcore"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -265,19 +263,15 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa fi; if enterAndClear "packages/apps/PackageInstaller"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS) -applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch"; -fi; +applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch"; #Add NETWORK permission group (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Permission-1.patch"; #Add OTHER_SENSORS permission group (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Permission-2.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS) fi; if enterAndClear "packages/apps/Settings"; then git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) -if [ "$DOS_SENSORS_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors-P1.patch"; #Permission for sensors access (MSe1969) -applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors-P2.patch"; -fi; #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) #TODO: Needs work sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS) sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service @@ -304,7 +298,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disa fi; if enterAndClear "packages/providers/DownloadProvider"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; if enterAndClear "packages/services/Telephony"; then diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index c76b42f9..0ef6c44a 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh @@ -152,18 +152,16 @@ fi; applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS) -if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969) applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Restore_SensorsOff.patch"; #Restore the Sensors Off tile applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-2.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-3.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-7.patch"; -fi; +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-3.patch"; #Enforce INTERNET as a runtime permission. (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch"; #Fix INTERNET enforcement for secondary users (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS) if [ "$DOS_TIMEOUTS" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0016-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS) @@ -187,7 +185,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta fi; if enterAndClear "frameworks/native"; then -if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969) +applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) fi; if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then @@ -247,7 +245,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-2.patch"; fi; -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0004-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -279,16 +277,15 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa fi; if enterAndClear "packages/apps/PermissionController"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS) -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch"; -fi; +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch"; #Add INTERNET permission toggle (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Sensors_Permission-2.patch"; #Add OTHER_SENSORS permission group (GrapheneOS) fi; if enterAndClear "packages/apps/Settings"; then git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) -if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) if [ "$DOS_TIMEOUTS" = true ]; then @@ -333,7 +330,7 @@ fi; #fi; if enterAndClear "packages/providers/DownloadProvider"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; #if enterAndClear "packages/services/Telephony"; then @@ -364,7 +361,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; # fi; if enterAndClear "system/netd"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; if enterAndClear "system/sepolicy"; then diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh index e842ca90..9d5c371a 100644 --- a/Scripts/LineageOS-18.1/Patch.sh +++ b/Scripts/LineageOS-18.1/Patch.sh @@ -128,18 +128,16 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Rev applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS) -if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Sensors.patch"; fi #Permission for sensors access (MSe1969) applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Restore_SensorsOff.patch"; #Restore the Sensors Off tile applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS) -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch"; -applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-7.patch"; -fi; +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch"; #Enforce INTERNET as a runtime permission. (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch"; #Fix INTERNET enforcement for secondary users (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS) if [ "$DOS_TIMEOUTS" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS) @@ -183,7 +181,7 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_fr fi; if enterAndClear "frameworks/native"; then -if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969) +applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_native/0002-fix-uaf.patch"; #Fix use-after-free in adbd_auth (GrapheneOS) fi; @@ -249,7 +247,7 @@ applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch"; fi; if enterAndClear "libcore"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS) @@ -285,18 +283,17 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa fi; if enterAndClear "packages/apps/PermissionController"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS) -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-2.patch"; -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-3.patch"; -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-4.patch"; -applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-5.patch"; -fi; +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-2.patch"; #Add INTERNET permission toggle (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Sensors_Permission-1.patch"; #Add OTHER_SENSORS permission group (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Sensors_Permission-2.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Special_Permissions-1.patch"; #Refactor handling of special runtime permissions (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Special_Permissions-2.patch"; #Don't auto revoke Network and Sensors (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Special_Permissions-3.patch"; #UI fix for special runtime permission (GrapheneOS) fi; if enterAndClear "packages/apps/Settings"; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) -if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) if [ "$DOS_TIMEOUTS" = true ]; then @@ -341,7 +338,7 @@ fi; fi; if enterAndClear "packages/providers/DownloadProvider"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; if enterAndClear "packages/providers/TelephonyProvider"; then @@ -368,7 +365,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; # fi; if enterAndClear "system/netd"; then -if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS) +applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; if enterAndClear "system/sepolicy"; then diff --git a/Scripts/init.sh b/Scripts/init.sh index 84a3d157..5b0a0e57 100644 --- a/Scripts/init.sh +++ b/Scripts/init.sh @@ -62,7 +62,6 @@ export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' pa export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1+19.1 export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1 export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the GrapheneOS ptrace_scope toggle patchset on 17.1+18.1+19.1 -export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1, 19.1 has no toggle export DOS_GRAPHENE_RANDOM_MAC=true; #Enables the GrapheneOS always randomize Wi-Fi MAC patchset on 17.1+18.1+19.1 export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1+19.1 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file @@ -70,8 +69,7 @@ export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be export DOS_LOWRAM_ENABLED=false; #Set true to enable low_ram on all devices export DOS_MICROG_INCLUDED="NONE"; #Determines inclusion of microG. Options: NONE, NLP, FULL (removed) export DOS_SILENCE_INCLUDED=true; #Set false to disable inclusion of Silence SMS app -export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission for 14.1/15.1/16.0 #XXX: can break things like camera -export DOS_SENSORS_PERM_NEW=true; #For 17.1+18.1 +export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission for 14.1/15.1 #XXX: can break things like camera export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS! export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository #alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2'; @@ -132,7 +130,7 @@ gpgVerifyGitHead() { export -f gpgVerifyGitHead; BUILD_WORKING_DIR=${PWD##*/}; -DOS_VERSION=$BUILD_WORKING_DIR; +export DOS_VERSION=$BUILD_WORKING_DIR; if [ -d ".repo" ]; then echo "Detected $BUILD_WORKING_DIR"; else