From 6a22169f808c6482dcdd5149b8ac05019bc493d4 Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 3 Mar 2022 09:48:32 -0500 Subject: [PATCH] DivestOS's internet permission (#674) --- _data/operating-systems/android/3_divestos.yml | 8 ++------ collections/_evergreen/android.md | 2 +- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/_data/operating-systems/android/3_divestos.yml b/_data/operating-systems/android/3_divestos.yml index 1a623e55..a6c2cbcb 100644 --- a/_data/operating-systems/android/3_divestos.yml +++ b/_data/operating-systems/android/3_divestos.yml @@ -6,17 +6,13 @@ description: | DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. - DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, along with bundled [F-Droid](https://www.f-droid.org) as the app store. It also includes [UnifedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698). + DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, and [F-Droid](https://www.f-droid.org) as the app store. It also includes [UnifedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698). - DivestOS also inherits LineageOS's [iptables](https://reddit.com/comments/c4a6f7) network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access"). - - DivestOS 16.0 and 17.1 has GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). There are plans to port this to DivestOS 18.1. + DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle. DivestOS 16.0 and 17.1 also has GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). There are plans to port this to DivestOS 18.1. #### Notes DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative. - Like CalyxOS's firewall, the network access toggle can also leak in [some](https://gitlab.com/LineageOS/issues/android/-/issues/3228) situations. - Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot), and some perform it better than others. website: 'https://divestos.org' diff --git a/collections/_evergreen/android.md b/collections/_evergreen/android.md index 1f957d3c..b2ae01b0 100644 --- a/collections/_evergreen/android.md +++ b/collections/_evergreen/android.md @@ -160,7 +160,7 @@ GrapheneOS extends the [user profile](/android/#android-security-privacy) featur ### INTERNET permission vs packet filtering -[Packet filter](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) based solutions such [Datura Firewall](https://calyxos.org/docs/tech/datura-details), [LineageOS](https://gitlab.com/LineageOS/issues/android/-/issues/3228) (DivestOS), AFWall+ and NetGuard, are not ideal as they can leak and don't prevent an app from proxying a network request through another app using an [intent](https://developer.android.com/guide/components/intents-filters). +[Packet filter](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) based solutions such [Datura Firewall](https://calyxos.org/docs/tech/datura-details), [LineageOS](https://gitlab.com/LineageOS/issues/android/-/issues/3228), AFWall+ and NetGuard, are not ideal as they can leak and don't prevent an app from proxying a network request through another app using an [intent](https://developer.android.com/guide/components/intents-filters). Android has a built-in [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission. This is enforced by the operating system. On AOSP and most of its derivatives, it is treated as an install time permission. GrapheneOS changes it to [runtime](https://en.wikipedia.org/wiki/Runtime_(program_lifecycle_phase)) permission, meaning that it can be revoked to deny internet access to a specific app.