mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-23 14:39:24 -05:00
More eSIM work
- Add the GrapheneOS package hook mechanism
- Ensure OpenEUICC and EuiccSupportPixel are only enabled in the system user
- Prevent EuiccSupportPixel interactions
- Remove INTERNET permission from EuiccSupportPixel

Signed-off-by: Tad <tad@spotco.us>
parent
c070e856b2
commit
d6c3b6c8fa
@ -13,7 +13,7 @@ PRODUCT_PACKAGES += \
|
|||||||
# OpenCamera
|
# OpenCamera
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
ifeq (,$(filter crosshatch blueline bonito sargo coral flame sunfish barbet redfin bluejay oriole raven panther cheetah FP4,$(TARGET_PRODUCT)))
|
ifeq (,$(filter crosshatch blueline bonito sargo coral flame sunfish barbet redfin bluejay oriole raven panther cheetah FP4,$(TARGET_PRODUCT))) #FIXME
|
||||||
PRODUCT_PACKAGES += \
|
PRODUCT_PACKAGES += \
|
||||||
OpenEUICC
|
OpenEUICC
|
||||||
endif
|
endif
|
||||||
|
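Review bot: The `#FIXME` added to the `ifeq` line does not say what still has to be fixed, so a later reader cannot tell whether the device list, the condition or the package itself is in question. State the open problem in the comment, for example `#FIXME: <what is wrong and when this can be removed>`. One thing worth checking while there: `$(filter ...)` matches whole words only, so if `TARGET_PRODUCT` carries a prefix in this build (not visible in this hunk) the list never matches and OpenEUICC is added on every device.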
@ -0,0 +1,219 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Mon, 27 Mar 2023 16:00:00 +0300
|
||||||
|
Subject: [PATCH 1/2] add hooks for modifying PackageManagerService behavior
|
||||||
|
|
||||||
|
---
|
||||||
|
.../server/ext/PackageManagerHooks.java | 90 +++++++++++++++++++
|
||||||
|
.../com/android/server/pm/AppsFilterBase.java | 6 ++
|
||||||
|
.../java/com/android/server/pm/Settings.java | 8 +-
|
||||||
|
.../PermissionManagerServiceImpl.java | 13 +++
|
||||||
|
.../pm/pkg/parsing/ParsingPackageUtils.java | 3 +
|
||||||
|
5 files changed, 118 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 services/core/java/com/android/server/ext/PackageManagerHooks.java
|
||||||
|
|
||||||
|
diff --git a/services/core/java/com/android/server/ext/PackageManagerHooks.java b/services/core/java/com/android/server/ext/PackageManagerHooks.java
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..007b65349e55
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/services/core/java/com/android/server/ext/PackageManagerHooks.java
|
||||||
|
@@ -0,0 +1,90 @@
|
||||||
|
+package com.android.server.ext;
|
||||||
|
+
|
||||||
|
+import android.Manifest;
|
||||||
|
+import android.annotation.Nullable;
|
||||||
|
+import android.annotation.UserIdInt;
|
||||||
|
+import android.content.pm.PackageManager;
|
||||||
|
+import android.content.pm.PackageManagerInternal;
|
||||||
|
+import android.os.Build;
|
||||||
|
+import android.os.UserHandle;
|
||||||
|
+import android.util.ArraySet;
|
||||||
|
+
|
||||||
|
+import com.android.server.pm.parsing.pkg.AndroidPackage;
|
||||||
|
+import com.android.server.pm.permission.Permission;
|
||||||
|
+import com.android.server.pm.pkg.PackageStateInternal;
|
||||||
|
+import com.android.server.pm.pkg.parsing.ParsingPackage;
|
||||||
|
+
|
||||||
|
+public class PackageManagerHooks {
|
||||||
|
+
|
||||||
|
+ // Called when package enabled setting is deserialized from storage
|
||||||
|
+ @Nullable
|
||||||
|
+ public static Integer maybeOverridePackageEnabledSetting(String pkgName, @UserIdInt int userId) {
|
||||||
|
+ switch (pkgName) {
|
||||||
|
+ default:
|
||||||
|
+ return null;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Called when package parsing is completed
|
||||||
|
+ public static void amendParsedPackage(ParsingPackage pkg) {
|
||||||
|
+ String pkgName = pkg.getPackageName();
|
||||||
|
+
|
||||||
|
+ switch (pkgName) {
|
||||||
|
+ default:
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ public static void removeUsesPermissions(ParsingPackage pkg, String... perms) {
|
||||||
|
+ var set = new ArraySet<>(perms);
|
||||||
|
+ pkg.getRequestedPermissions().removeAll(set);
|
||||||
|
+ pkg.getUsesPermissions().removeIf(p -> set.contains(p.getName()));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ public static boolean shouldBlockGrantRuntimePermission(
|
||||||
|
+ PackageManagerInternal pm, String permName, String packageName, int userId)
|
||||||
|
+ {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ public static boolean shouldForciblyGrantPermission(AndroidPackage pkg, Permission perm) {
|
||||||
|
+ if (!Build.IS_DEBUGGABLE) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ String permName = perm.getName();
|
||||||
|
+
|
||||||
|
+ switch (pkg.getPackageName()) {
|
||||||
|
+ default:
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Called when AppsFilter decides whether to restrict package visibility
|
||||||
|
+ public static boolean shouldFilterAccess(@Nullable PackageStateInternal callingPkgSetting,
|
||||||
|
+ ArraySet<PackageStateInternal> callingSharedPkgSettings,
|
||||||
|
+ PackageStateInternal targetPkgSetting) {
|
||||||
|
+ if (callingPkgSetting != null && restrictedVisibilityPackages.contains(callingPkgSetting.getPackageName())) {
|
||||||
|
+ if (!targetPkgSetting.isSystem()) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (restrictedVisibilityPackages.contains(targetPkgSetting.getPackageName())) {
|
||||||
|
+ if (callingPkgSetting != null) {
|
||||||
|
+ return !callingPkgSetting.isSystem();
|
||||||
|
+ } else {
|
||||||
|
+ for (int i = callingSharedPkgSettings.size() - 1; i >= 0; i--) {
|
||||||
|
+ if (!callingSharedPkgSettings.valueAt(i).isSystem()) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Packages in this array are restricted from interacting with and being interacted by non-system apps
|
||||||
|
+ private static final ArraySet<String> restrictedVisibilityPackages = new ArraySet<>(new String[] {
|
||||||
|
+ });
|
||||||
|
+}
|
||||||
|
diff --git a/services/core/java/com/android/server/pm/AppsFilterBase.java b/services/core/java/com/android/server/pm/AppsFilterBase.java
|
||||||
|
index 07746236320e..e2d413419d6a 100644
|
||||||
|
--- a/services/core/java/com/android/server/pm/AppsFilterBase.java
|
||||||
|
+++ b/services/core/java/com/android/server/pm/AppsFilterBase.java
|
||||||
|
@@ -39,6 +39,7 @@ import android.util.SparseArray;
|
||||||
|
import com.android.internal.annotations.VisibleForTesting;
|
||||||
|
import com.android.internal.util.ArrayUtils;
|
||||||
|
import com.android.internal.util.function.QuadFunction;
|
||||||
|
+import com.android.server.ext.PackageManagerHooks;
|
||||||
|
import com.android.server.om.OverlayReferenceMapper;
|
||||||
|
import com.android.server.pm.parsing.pkg.AndroidPackage;
|
||||||
|
import com.android.server.pm.pkg.PackageStateInternal;
|
||||||
|
@@ -414,6 +415,11 @@ public abstract class AppsFilterBase implements AppsFilterSnapshot {
|
||||||
|
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (PackageManagerHooks.shouldFilterAccess(callingPkgSetting, callingSharedPkgSettings,
|
||||||
|
+ targetPkgSetting)) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (callingPkgSetting != null) {
|
||||||
|
if (callingPkgSetting.getPkg() != null
|
||||||
|
&& !mFeatureConfig.packageIsEnabled(callingPkgSetting.getPkg())) {
|
||||||
|
diff --git a/services/core/java/com/android/server/pm/Settings.java b/services/core/java/com/android/server/pm/Settings.java
|
||||||
|
index a9b624653b92..9cac3e75a698 100644
|
||||||
|
--- a/services/core/java/com/android/server/pm/Settings.java
|
||||||
|
+++ b/services/core/java/com/android/server/pm/Settings.java
|
||||||
|
@@ -100,6 +100,7 @@ import com.android.permission.persistence.RuntimePermissionsPersistence;
|
||||||
|
import com.android.permission.persistence.RuntimePermissionsState;
|
||||||
|
import com.android.server.LocalServices;
|
||||||
|
import com.android.server.backup.PreferredActivityBackupHelper;
|
||||||
|
+import com.android.server.ext.PackageManagerHooks;
|
||||||
|
import com.android.server.pm.Installer.InstallerException;
|
||||||
|
import com.android.server.pm.parsing.PackageInfoUtils;
|
||||||
|
import com.android.server.pm.parsing.pkg.AndroidPackage;
|
||||||
|
@@ -1810,8 +1811,11 @@ public final class Settings implements Watchable, Snappable {
|
||||||
|
parser.getAttributeBoolean(null, ATTR_INSTANT_APP, false);
|
||||||
|
final boolean virtualPreload =
|
||||||
|
parser.getAttributeBoolean(null, ATTR_VIRTUAL_PRELOAD, false);
|
||||||
|
- final int enabled = parser.getAttributeInt(null, ATTR_ENABLED,
|
||||||
|
- COMPONENT_ENABLED_STATE_DEFAULT);
|
||||||
|
+ final Integer enabledOverride =
|
||||||
|
+ PackageManagerHooks.maybeOverridePackageEnabledSetting(name, userId);
|
||||||
|
+ final int enabled = (enabledOverride != null) ?
|
||||||
|
+ enabledOverride.intValue() :
|
||||||
|
+ parser.getAttributeInt(null, ATTR_ENABLED, COMPONENT_ENABLED_STATE_DEFAULT);
|
||||||
|
final String enabledCaller = parser.getAttributeValue(null,
|
||||||
|
ATTR_ENABLED_CALLER);
|
||||||
|
final String harmfulAppWarning =
|
||||||
|
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
|
||||||
|
index 5d2bb41c4b4d..fae8dc90371a 100644
|
||||||
|
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
|
||||||
|
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
|
||||||
|
@@ -127,6 +127,7 @@ import com.android.server.LocalServices;
|
||||||
|
import com.android.server.ServiceThread;
|
||||||
|
import com.android.server.SystemConfig;
|
||||||
|
import com.android.server.Watchdog;
|
||||||
|
+import com.android.server.ext.PackageManagerHooks;
|
||||||
|
import com.android.server.pm.ApexManager;
|
||||||
|
import com.android.server.pm.KnownPackages;
|
||||||
|
import com.android.server.pm.UserManagerInternal;
|
||||||
|
@@ -1363,6 +1364,13 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
|
||||||
|
isRolePermission = permission.isRole();
|
||||||
|
isSoftRestrictedPermission = permission.isSoftRestricted();
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (PackageManagerHooks.shouldBlockGrantRuntimePermission(mPackageManagerInt, permName, packageName, userId)) {
|
||||||
|
+ // this method is called from within system_server and from critical system processes,
|
||||||
|
+ // do not throw an exception, just return
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
final boolean mayGrantRolePermission = isRolePermission
|
||||||
|
&& mayManageRolePermission(callingUid);
|
||||||
|
final boolean mayGrantSoftRestrictedPermission = isSoftRestrictedPermission
|
||||||
|
@@ -2982,6 +2990,11 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
|
||||||
|
Slog.wtf(LOG_TAG, "Unknown permission protection " + bp.getProtection()
|
||||||
|
+ " for permission " + bp.getName());
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (Build.IS_DEBUGGABLE && PackageManagerHooks.shouldForciblyGrantPermission(pkg, bp)) {
|
||||||
|
+ uidState.grantPermission(bp);
|
||||||
|
+ Slog.d(TAG, "forcibly granted " + bp.getName() + " to " + pkg.getPackageName());
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((changedInstallPermission || replace)
|
||||||
|
diff --git a/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java b/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java
|
||||||
|
index 17ac255e60f6..8fd1e6058133 100644
|
||||||
|
--- a/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java
|
||||||
|
+++ b/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java
|
||||||
|
@@ -91,6 +91,7 @@ import com.android.internal.R;
|
||||||
|
import com.android.internal.os.ClassLoaderFactory;
|
||||||
|
import com.android.internal.util.ArrayUtils;
|
||||||
|
import com.android.internal.util.XmlUtils;
|
||||||
|
+import com.android.server.ext.PackageManagerHooks;
|
||||||
|
import com.android.server.pm.SharedUidMigration;
|
||||||
|
import com.android.server.pm.permission.CompatibilityPermissionInfo;
|
||||||
|
import com.android.server.pm.pkg.component.ComponentMutateUtils;
|
||||||
|
@@ -2203,6 +2204,8 @@ public class ParsingPackageUtils {
|
||||||
|
pkg.addActivity(a.getResult());
|
||||||
|
}
|
||||||
|
|
||||||
|
+ PackageManagerHooks.amendParsedPackage(pkg);
|
||||||
|
+
|
||||||
|
if (hasActivityOrder) {
|
||||||
|
pkg.sortActivities();
|
||||||
|
}
|
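Review bot: In `shouldFilterAccess` the caller-side restriction only runs when `callingPkgSetting != null`, so a package in `restrictedVisibilityPackages` that calls through a shared UID (where only `callingSharedPkgSettings` is consulted) is not stopped from seeing non-system targets, while the target-side branch does handle the shared-UID case. The comment on the set promises the restriction in both directions. Whether any restricted package actually runs under a shared UID is not visible here, but the hook is generic, so the caller-side check should walk `callingSharedPkgSettings` as well. Separately, `permName` in `shouldForciblyGrantPermission` is assigned and never read.

```java
// … unchanged: signature and the callingPkgSetting != null caller-side check …
        if (callingPkgSetting == null && !targetPkgSetting.isSystem()) {
            // Shared-UID caller: apply the same caller-side restriction to every member package.
            for (int i = callingSharedPkgSettings.size() - 1; i >= 0; i--) {
                String sharedPkgName = callingSharedPkgSettings.valueAt(i).getPackageName();
                if (restrictedVisibilityPackages.contains(sharedPkgName)) {
                    return true;
                }
            }
        }
// … unchanged: target-side check and final return false …
```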
@ -0,0 +1,76 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||||
|
Date: Mon, 27 Mar 2023 16:29:13 +0300
|
||||||
|
Subject: [PATCH 2/2] integrate Google's EuiccSupportPixel package
|
||||||
|
|
||||||
|
Depends on commit: "don't crash apps that depend on missing Gservices provider"
|
||||||
|
|
||||||
|
[tad@spotco.us]: handle OpenEUICC here too
|
||||||
|
|
||||||
|
Change-Id: I49e3ff6f2ce8d74383da1c4dfd42913c713016c6
|
||||||
|
---
|
||||||
|
data/etc/preinstalled-packages-platform.xml | 6 ++++++
|
||||||
|
.../server/ext/PackageManagerHooks.java | 18 ++++++++++++++++++
|
||||||
|
2 files changed, 24 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/data/etc/preinstalled-packages-platform.xml b/data/etc/preinstalled-packages-platform.xml
|
||||||
|
index ff8d96dd23f2..97027ebbca2d 100644
|
||||||
|
--- a/data/etc/preinstalled-packages-platform.xml
|
||||||
|
+++ b/data/etc/preinstalled-packages-platform.xml
|
||||||
|
@@ -110,4 +110,10 @@ to pre-existing users, but cannot uninstall pre-existing system packages from pr
|
||||||
|
<install-in-user-type package="com.android.wallpaperbackup">
|
||||||
|
<install-in user-type="FULL" />
|
||||||
|
</install-in-user-type>
|
||||||
|
+ <install-in-user-type package="com.google.euiccpixel">
|
||||||
|
+ <install-in user-type="SYSTEM" />
|
||||||
|
+ </install-in-user-type>
|
||||||
|
+ <install-in-user-type package="im.angry.openeuicc">
|
||||||
|
+ <install-in user-type="SYSTEM" />
|
||||||
|
+ </install-in-user-type>
|
||||||
|
</config>
|
||||||
|
diff --git a/services/core/java/com/android/server/ext/PackageManagerHooks.java b/services/core/java/com/android/server/ext/PackageManagerHooks.java
|
||||||
|
index 007b65349e55..a69ce9999165 100644
|
||||||
|
--- a/services/core/java/com/android/server/ext/PackageManagerHooks.java
|
||||||
|
+++ b/services/core/java/com/android/server/ext/PackageManagerHooks.java
|
||||||
|
@@ -16,10 +16,23 @@ import com.android.server.pm.pkg.parsing.ParsingPackage;
|
||||||
|
|
||||||
|
public class PackageManagerHooks {
|
||||||
|
|
||||||
|
+ public static final String OPEN_EUICC_PKG_NAME = "im.angry.openeuicc";
|
||||||
|
+ public static final String EUICC_SUPPORT_PIXEL_PKG_NAME = "com.google.euiccpixel";
|
||||||
|
+
|
||||||
|
// Called when package enabled setting is deserialized from storage
|
||||||
|
@Nullable
|
||||||
|
public static Integer maybeOverridePackageEnabledSetting(String pkgName, @UserIdInt int userId) {
|
||||||
|
switch (pkgName) {
|
||||||
|
+ case OPEN_EUICC_PKG_NAME:
|
||||||
|
+ case EUICC_SUPPORT_PIXEL_PKG_NAME:
|
||||||
|
+ if (userId == UserHandle.USER_SYSTEM) {
|
||||||
|
+ // EuiccSupportPixel handles firmware updates and should always be enabled.
|
||||||
|
+ // It was previously unconditionally disabled after reboot.
|
||||||
|
+ return PackageManager.COMPONENT_ENABLED_STATE_DEFAULT;
|
||||||
|
+ } else {
|
||||||
|
+ // one of the previous OS versions enabled EuiccSupportPixel in all users
|
||||||
|
+ return PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
|
||||||
|
+ }
|
||||||
|
default:
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
@@ -30,6 +43,10 @@ public class PackageManagerHooks {
|
||||||
|
String pkgName = pkg.getPackageName();
|
||||||
|
|
||||||
|
switch (pkgName) {
|
||||||
|
+ case EUICC_SUPPORT_PIXEL_PKG_NAME:
|
||||||
|
+ // EuiccSupportPixel uses INTERNET perm only as part of its dev mode
|
||||||
|
+ removeUsesPermissions(pkg, Manifest.permission.INTERNET);
|
||||||
|
+ return;
|
||||||
|
default:
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -86,5 +103,6 @@ public class PackageManagerHooks {
|
||||||
|
|
||||||
|
// Packages in this array are restricted from interacting with and being interacted by non-system apps
|
||||||
|
private static final ArraySet<String> restrictedVisibilityPackages = new ArraySet<>(new String[] {
|
||||||
|
+ EUICC_SUPPORT_PIXEL_PKG_NAME,
|
||||||
|
});
|
||||||
|
}
|
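Review bot: The `OPEN_EUICC_PKG_NAME` case in `maybeOverridePackageEnabledSetting` shares a branch whose comments justify the override only for EuiccSupportPixel, so for OpenEUICC the stored enabled state in the system user is replaced with `COMPONENT_ENABLED_STATE_DEFAULT` on every load without a stated reason. If a stored disabled state for OpenEUICC should survive, return `null` for it in the system-user branch, e.g. `return OPEN_EUICC_PKG_NAME.equals(pkgName) ? null : PackageManager.COMPONENT_ENABLED_STATE_DEFAULT;`; otherwise extend the comment to say the override is intended for both packages. Only `EUICC_SUPPORT_PIXEL_PKG_NAME` is added to `restrictedVisibilityPackages` and loses `INTERNET`, so a one-line comment stating that OpenEUICC is deliberately left out of both would make that choice reviewable.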
@ -187,6 +187,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0036-Unprivileged_microG_Handli
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0037-filter-gms.patch"; #Filter select package queries for GMS (CalyxOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0037-filter-gms.patch"; #Filter select package queries for GMS (CalyxOS)
|
||||||
fi;
|
fi;
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0038-no-camera-lpad.patch"; #Do not auto-grant Camera permission to the eUICC LPA UI app (GrapheneOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0038-no-camera-lpad.patch"; #Do not auto-grant Camera permission to the eUICC LPA UI app (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0039-package_hooks.patch"; #Add hooks for modifying PackageManagerService behavior (GrapheneOS)
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0040-euicc-restrictions.patch"; #Integrate Google's EuiccSupportPixel package (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
|
||||||
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
|
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
|
||||||
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
|
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
|
||||||
|