16.0: More bringup

Tad 2019-03-04 03:27:18 -05:00
parent 23056ddef0
commit f5d99c938b
7 changed files with 152 additions and 10 deletions


@ -59,8 +59,6 @@
<!-- END OF BRANCH SWITCHING --> <!-- END OF BRANCH SWITCHING -->
<!-- START OF ADDITIONAL REPOS --> <!-- START OF ADDITIONAL REPOS -->
<project path="external/svox" name="platform/external/svox" groups="pdk" remote="aosp" revision="master" />
<!-- F-Droid --> <!-- F-Droid -->
<remote name="fdroid" fetch="https://gitlab.com/fdroid/" /> <remote name="fdroid" fetch="https://gitlab.com/fdroid/" />


@ -0,0 +1,113 @@
From 37658734891a14991c74563d9d86e5430d7ce672 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20Rosenkr=C3=A4nzer?= <bero@lindev.ch>
Date: Mon, 4 Mar 2019 03:26:03 -0500
Subject: [PATCH] Add permission to allow an APK to fake a signature.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is needed by GmsCore (https://microg.org/) to pretend
the existence of the official Play Services to applications calling
Google APIs.
Forward-ported from https://github.com/microg/android_packages_apps_GmsCore/blob/master/patches/android_frameworks_base-N.patch
Change-Id: I603fd09200432f7e1bf997072188cdfa6da1594f
Signed-off-by: Bernhard Rosenkränzer <bero@lindev.ch>
---
core/res/AndroidManifest.xml | 7 ++++++
core/res/res/values/config.xml | 2 ++
core/res/res/values/strings.xml | 4 ++++
.../server/pm/PackageManagerService.java | 23 +++++++++++++++++--
4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 34d26f0da90..08f95ec1fdf 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2357,6 +2357,13 @@
android:description="@string/permdesc_getPackageSize"
android:protectionLevel="normal" />
+ <!-- @hide Allows an application to change the package signature as
+ seen by applications -->
+ <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
+ android:protectionLevel="dangerous"
+ android:label="@string/permlab_fakePackageSignature"
+ android:description="@string/permdesc_fakePackageSignature" />
+
<!-- @deprecated No longer useful, see
{@link android.content.pm.PackageManager#addPackageToPreferred}
for details. -->
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
index cf9bd122baf..2047c336acd 100644
--- a/core/res/res/values/config.xml
+++ b/core/res/res/values/config.xml
@@ -1682,6 +1682,8 @@
<string-array name="config_locationProviderPackageNames" translatable="false">
<!-- The standard AOSP fused location provider -->
<item>com.android.location.fused</item>
+ <!-- The (faked) microg fused location provider (a free reimplementation) -->
+ <item>com.google.android.gms</item>
</string-array>
<!-- This string array can be overriden to enable test location providers initially. -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index f6600462ea7..bad13100a79 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -785,6 +785,10 @@
<!-- Permissions -->
+ <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permlab_fakePackageSignature">Spoof package signature</string>
+ <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permdesc_fakePackageSignature">Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only!</string>
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_statusBar">disable or modify status bar</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 9b50a1545a5..58dc3fe926f 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -4001,8 +4001,9 @@ public class PackageManagerService extends IPackageManager.Stub
final Set<String> permissions = ArrayUtils.isEmpty(p.requestedPermissions)
? Collections.<String>emptySet() : permissionsState.getPermissions(userId);
- PackageInfo packageInfo = PackageParser.generatePackageInfo(p, gids, flags,
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId);
+ PackageInfo packageInfo = mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags,
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId),
+ permissions);
if (packageInfo == null) {
return null;
@@ -4038,6 +4039,24 @@ public class PackageManagerService extends IPackageManager.Stub
}
}
+ private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi,
+ Set<String> permissions) {
+ try {
+ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")
+ && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1
+ && p.mAppMetaData != null) {
+ String sig = p.mAppMetaData.getString("fake-signature");
+ if (sig != null) {
+ pi.signatures = new Signature[] {new Signature(sig)};
+ }
+ }
+ } catch (Throwable t) {
+ // We should never die because of any failures, this is system code!
+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t);
+ }
+ return pi;
+ }
+
@Override
public void checkPackageStartable(String packageName, int userId) {
final int callingUid = Binder.getCallingUid();
--
2.20.1
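Review bot: `mayFakeSignature` assigns `pi.signatures` without checking `pi`, although `generatePackageInfo` can return null (the caller tests `packageInfo == null` right after the call), so a null result for a package carrying the `fake-signature` metadata is only survived through the `catch (Throwable t)`. I would add `if (pi == null) return null;` as the first statement and narrow the handler to `catch (RuntimeException e)`, so that genuine errors are not reduced to a warning line. Because the substituted value comes from the package's own manifest metadata and the permission grant is the only gate, a `Log.i` naming `p.packageName` whenever the signature is replaced would make each substitution auditable from the system log. The method also has no Javadoc; one sentence stating that gate and the targetSdk condition would help whoever rebases this next.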


@ -0,0 +1,26 @@
From c018c699ddaf7f9b76cf9f11cc4dc4308054cc0b Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Mon, 12 Feb 2018 02:55:55 -0500
Subject: [PATCH] Harden signature spoofing
Change-Id: I86f35690710612f23ffce9067e1fd4d58b9fba6f
---
core/res/AndroidManifest.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 653caaca2a6..7f547dd07ac 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2152,7 +2152,7 @@
<!-- @hide Allows an application to change the package signature as
seen by applications -->
<permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
- android:protectionLevel="dangerous"
+ android:protectionLevel="signature"
android:label="@string/permlab_fakePackageSignature"
android:description="@string/permdesc_fakePackageSignature" />
--
2.16.1
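Review bot: This hardening patch appears not to have been regenerated for 16.0: its hunk is `@@ -2152,7 +2152,7 @@` against index `653caaca2a6`, while the spoofing patch added in this same commit places the permission at `@@ -2357,6 +2357,13 @@`, so it applies only if `patch` finds the context at an offset. If it is rejected while the spoofing patch applies, FAKE_PACKAGE_SIGNATURE stays at `android:protectionLevel="dangerous"` and the restriction to platform-signed apps is lost; whether the build script stops on a failed `patch` is not visible here. Regenerating this patch against the 16.0 tree, or setting `android:protectionLevel="signature"` directly in the spoofing patch, would remove that dependency.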


@ -27,7 +27,7 @@ index 74e81e4b5..782d87968 100644
gid_t groups[] = { AID_READPROC }; gid_t groups[] = { AID_READPROC };
setgroups(arraysize(groups), groups); setgroups(arraysize(groups), groups);
- mount("sysfs", "/sys", "sysfs", 0, NULL); - mount("sysfs", "/sys", "sysfs", 0, NULL);
+ mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXE, NULL); + mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL); mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL);
mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)); mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11));


@ -81,7 +81,7 @@ git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
enterAndClear "frameworks/base"; enterAndClear "frameworks/base";
hardenLocationFWB "$DOS_BUILD_BASE"; hardenLocationFWB "$DOS_BUILD_BASE";
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
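Review bot: `sed -i` exits 0 when its pattern matches nothing, so the DropBox and SUPL-notification edits in this hunk can silently stop applying after an upstream rename, and nothing in the build would show that the hardening is gone. A check after each substitution would catch it, for example `grep -q 'DEFAULT_MAX_FILES_LOWRAM = 0;' services/core/java/com/android/server/DropBoxManagerService.java || echo "DropBox LOWRAM edit did not apply";`. The same `sed` lines appear in the 16.0 script section further down the page, and the script continues outside this hunk.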


@ -48,9 +48,11 @@ export -f buildDeviceDebug;
buildAll() { buildAll() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi; if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
brunch lineage_bacon-user; #userdebug because 16.0 is littered with neverallows
brunch lineage_klte-user; brunch lineage_bacon-userdebug;
brunch lineage_shamu-user; brunch lineage_griffin-userdebug;
brunch lineage_klte-userdebug;
brunch lineage_shamu-userdebug;
} }
export -f buildAll; export -f buildAll;
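Review bot: Switching every target in `buildAll` from `-user` to `-userdebug` changes the security posture of the resulting images, not only whether they build: userdebug builds permit `adb root` and carry debugging facilities that user builds leave out. The new comment gives the reason (neverallow failures on 16.0) but not that consequence; I would extend it to something like `#TODO: userdebug only until the 16.0 neverallow violations are fixed; do not publish these images as release builds`. If this function is also used for branches that build cleanly as `-user`, choosing the variant per branch would leave those unaffected.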


@ -76,10 +76,10 @@ git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
enterAndClear "frameworks/base"; enterAndClear "frameworks/base";
hardenLocationFWB "$DOS_BUILD_BASE"; hardenLocationFWB "$DOS_BUILD_BASE";
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) #TODO: REBASE-16.0 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key #TODO: REBASE-16.0 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
changeDefaultDNS; changeDefaultDNS;
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours #patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
@ -170,6 +170,9 @@ if [ "$DOS_HOSTS_BLOCKING" = false ]; then echo "PRODUCT_PACKAGES += $DOS_HOSTS_
# #
#START OF DEVICE CHANGES #START OF DEVICE CHANGES
# #
enterAndClear "device/oneplus/bacon";
sed -i 's/android.hardware.nfc@1.0-impl/android.hardware.nfc@1.0-impl.so/' device-proprietary-files.txt;
enterAndClear "device/oppo/msm8974-common"; enterAndClear "device/oppo/msm8974-common";
sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/ sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/