diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch b/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
deleted file mode 100644
index e56b1dc8..00000000
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Tad
-Date: Sat, 3 Dec 2022 23:00:52 -0500
-Subject: [PATCH] Don't crash system when adding SDK sandbox rules
-
-This is an ugly hack to prevent bailing and help debug.
-
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkPolicy.uid
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 103
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.util.SparseIntArray.keyAt(SparseIntArray.java:183)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at com.android.server.net.NetworkPolicyManagerService.addSdkSandboxUidsIfNeeded(NetworkPolicyManagerService.java:5982)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at com.android.server.net.NetworkPolicyManagerService.setUidFirewallRulesUL(NetworkPolicyManagerService.java:6002)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at com.android.server.net.NetworkPolicyManagerService.updateRestrictedModeAllowlistUL(NetworkPolicyManagerService.java:4454)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at com.android.server.net.NetworkPolicyManagerService$12.onAvailable(NetworkPolicyManagerService.java:1449)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3801)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3783)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.net.ConnectivityManager$CallbackHandler.handleMessage(ConnectivityManager.java:4107)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.os.Looper.loopOnce(Looper.java:201)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.os.Looper.loop(Looper.java:288)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:67)
-12-03 17:15:29.395 1406 1737 E AndroidRuntime: at com.android.server.ServiceThread.run(ServiceThread.java:44)
-12-03 17:15:29.396 1406 1737 I am_crash: [1406,0,system_server,-1,java.lang.ArrayIndexOutOfBoundsException,Array index out of range: 103,SparseIntArray.java,183]
-
-Change-Id: I97fead6014ba47e107a90c57e12584b656a8e220
-Signed-off-by: Tad
----
- .../server/net/NetworkPolicyManagerService.java | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-index 44f8e76c4dd0..030d4f23b11d 100644
---- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-@@ -5978,12 +5978,16 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
- private void addSdkSandboxUidsIfNeeded(SparseIntArray uidRules) {
- final int size = uidRules.size();
- final SparseIntArray sdkSandboxUids = new SparseIntArray();
-- for (int index = 0; index < size; index++) {
-- final int uid = uidRules.keyAt(index);
-- final int rule = uidRules.valueAt(index);
-- if (Process.isApplicationUid(uid)) {
-- sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
-+ try {
-+ for (int index = 0; index < size; index++) {
-+ final int uid = uidRules.keyAt(index);
-+ final int rule = uidRules.valueAt(index);
-+ if (Process.isApplicationUid(uid)) {
-+ sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
-+ }
- }
-+ }
-+ } catch (Exception e) {
-+ Log.e(TAG, "problem setting sandbox uid rules, size: " + size, e);
- }
-
- for (int index = 0; index < sdkSandboxUids.size(); index++) {
diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch b/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
new file mode 100644
index 00000000..73996157
--- /dev/null
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tommy Webb
+Date: Mon, 5 Dec 2022 14:42:38 +0100
+Subject: [PATCH] Reland "Fix network leaks with split-tunnel VPNs"
+
+This does two things:
+1. Revert the portion of I48e08f34 "fw/b: Add support for allowing
+ /disallowing apps on cellular, vpn and wifi networks" that was
+ previously responsible for updating the restricted mode allowlist
+ based on changes to the default network.
+2. Bring in Ib4bcf5ae "Fix network leaks with split-tunnel VPNs", which
+ meets the same goal of updating the allowlist, but in a wider range
+ of conditions. Retaining the prior implementation led to a race
+ condition which caused crashes and soft reboots, because the calls
+ to `updateRestrictedModeAllowlistUL()` were not being appropriately
+ guarded by `mUidRulesFirstLock`.
+
+Ultimately, this patch should probably be squashed into I48e08f34.
+
+Co-authored-by: Oliver Scott
+Issue: calyxos#1081
+Change-Id: I84c7667824cc840724a07e7d0435f5ec59a67986
+---
+ .../net/NetworkPolicyManagerService.java | 43 ++++++-------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+index 8102d892c2d7..7addf69a28af 100644
+--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
++++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+@@ -1105,14 +1105,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+ ACTION_CARRIER_CONFIG_CHANGED);
+ mContext.registerReceiver(mCarrierConfigReceiver, carrierConfigFilter, null, mHandler);
+
+- for (UserInfo userInfo : mUserManager.getAliveUsers()) {
+- mConnManager.registerDefaultNetworkCallbackForUid(
+- UserHandle.getUid(userInfo.id, Process.myUid()),
+- mDefaultNetworkCallback,
+- mUidEventHandler
+- );
+- }
+-
+ // listen for meteredness changes
+ mConnManager.registerNetworkCallback(
+ new NetworkRequest.Builder().build(), mNetworkCallback);
+@@ -1303,11 +1295,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+ ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(
+ mContext);
+ if (action == ACTION_USER_ADDED) {
+- mConnManager.registerDefaultNetworkCallbackForUid(
+- UserHandle.getUid(userId, Process.myUid()),
+- mDefaultNetworkCallback,
+- mUidEventHandler
+- );
+ // Add apps that are allowed by default.
+ addDefaultRestrictBackgroundAllowlistUidsUL(userId);
+ try {
+@@ -1443,24 +1430,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+ return changed;
+ }
+
+- private final NetworkCallback mDefaultNetworkCallback = new NetworkCallback() {
+- @Override
+- public void onAvailable(@NonNull Network network) {
+- updateRestrictedModeAllowlistUL();
+- }
+-
+- @Override
+- public void onCapabilitiesChanged(@NonNull Network network,
+- @NonNull NetworkCapabilities networkCapabilities) {
+- final int[] newTransports = networkCapabilities.getTransportTypes();
+- final boolean transportsChanged = updateTransportChange(
+- mNetworkTransports, newTransports, network);
+- if (transportsChanged) {
+- updateRestrictedModeAllowlistUL();
+- }
+- }
+- };
+-
+ private final NetworkCallback mNetworkCallback = new NetworkCallback() {
+ @Override
+ public void onCapabilitiesChanged(@NonNull Network network,
+@@ -1888,6 +1857,18 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+ updateSubscriptions();
+
+ synchronized (mUidRulesFirstLock) {
++ /* With split-tunnel VPNs (those that only include specific apps),
++ * the usual NetworkCallback handlers are never called, because the call to
++ * registerDefaultNetworkCallbackForUid only detects changes that affect this
++ * process; if this process is not covered by the VPN, it won't get callbacks.
++ * Ordinarily, updateRestrictedModeAllowlistUL() would be called from those.
++ * Firewall restrictions for apps will not be updated properly on VPN connect
++ * or disconnect if we don't call it from somewhere else, like here. */
++ // TODO: Come up with an appropriate callback that runs more promptly.
++ // updateNetworksInternal runs later than NetworkCallback handlers run, so
++ // this may present a window of opportunity for unauthorized network access.
++ updateRestrictedModeAllowlistUL();
++
+ synchronized (mNetworkPoliciesSecondLock) {
+ ensureActiveCarrierPolicyAL();
+ normalizePoliciesNL();
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index fa1f7445..93143d63 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -55,10 +55,6 @@ gpgVerifyDirectory "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/packa
 cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps
 cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files
-if enterAndClear "art"; then
-applyPatch "$DOS_PATCHES_COMMON/android_art/0001-mmap_fix.patch"; #Workaround for mmap error when building (AOSP)
-fi;
-
 if enterAndClear "bionic"; then
 applyPatch "$DOS_PATCHES_COMMON/android_bionic/0001-Wildcard_Hosts.patch"; #Support wildcards in cached hosts file (backport from 16.0+) (tdm)
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 6936b065..d0e5d2fb 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
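Review bot: Deleting mDefaultNetworkCallback in the hunk at `@@ -1443,24 +1430,6 @@` removes the only use of updateTransportChange() and of mNetworkTransports that is visible in this patch; the `return changed; }` directly above the removed block appears to be the end of updateTransportChange, so if no other caller remains the method and the field should be dropped in the same patch rather than left as dead state in the service. The comment added in the `@@ -1888,6 +1857,18 @@` hunk concedes that updateNetworksInternal runs later than the callbacks it replaces, so firewall rules for a split-tunnel VPN can lag connect/disconnect; that residual window is worth stating in the applyPatch comment in Scripts/LineageOS-20.0/Patch.sh as well, e.g. `#Reland "Fix network leaks with split-tunnel VPNs" (CalyxOS) - rules may briefly lag VPN changes, see TODO in patch`, so a reader of the build script sees the trade-off without opening the patch. The methods touched by the first and last hunks start and end outside the hunks shown.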
@@ -56,7 +56,6 @@ cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BAS
 cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files
 if enterAndClear "art"; then
-applyPatch "$DOS_PATCHES_COMMON/android_art/0001-mmap_fix.patch"; #Workaround for mmap error when building (AOSP)
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_art/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh
index 000ca459..427b3f02 100644
--- a/Scripts/LineageOS-17.1/Functions.sh
+++ b/Scripts/LineageOS-17.1/Functions.sh
@@ -84,6 +84,7 @@ patchWorkspace() {
 #source build/envsetup.sh;
 #repopick -it ten-firewall;
 repopick -it Q_tzdb2022f;
+ repopick -it Q_asb_2022-12;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index cd5319fc..6c9605f3 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -115,6 +115,7 @@ patchWorkspace() {
 #repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 #repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
 repopick -it R_tzdb2022f;
+ repopick -it R_asb_2022-12;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index dc158691..1314e2d4 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
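Review bot: `repopick -it Q_asb_2022-12;` selects changes by topic name rather than by change number or commit, so the set of security patches actually applied is whatever carries that topic on Gerrit when the script runs and can differ between two builds of the same script revision; the same applies to `repopick -it R_asb_2022-12;` in the Scripts/LineageOS-18.1/Functions.sh hunk and to the `git fetch … refs/changes/50/345450/1 && git cherry-pick FETCH_HEAD;` lines added to Scripts/LineageOS-18.1/Patch.sh. For the git fetch lines the fix is cheap: record the expected commit and cherry-pick that instead of FETCH_HEAD, e.g. `git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/50/345450/1 && git cherry-pick <EXPECTED_COMMIT_SHA>; #R_asb_2022-12`, so a moved or substituted ref fails loudly instead of silently applying different code. The `git revert --no-edit 70cc90b9…` line added to Scripts/LineageOS-20.0/Patch.sh already uses that pinned form, and the second minikin fetch line should carry the same `#R_asb_2022-12` trailing comment as the first, matching the rest of the file.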
@@ -183,6 +183,11 @@ if enterAndClear "frameworks/ex"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_ex/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
+if enterAndClear "frameworks/minikin"; then
+git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/50/345450/1 && git cherry-pick FETCH_HEAD; #R_asb_2022-12
+git fetch https://github.com/LineageOS/android_frameworks_minikin refs/changes/51/345451/1 && git cherry-pick FETCH_HEAD;
+fi;
+
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_native/0002-fix-uaf.patch"; #Fix use-after-free in adbd_auth (GrapheneOS)
diff --git a/Scripts/LineageOS-20.0/Patch.sh b/Scripts/LineageOS-20.0/Patch.sh
index 335c43b9..b3910ae7 100644
--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@@ -128,6 +128,7 @@ sed -i '11iLOCAL_OVERRIDES_PACKAGES := Aperture Camera Camera2 LegacyCamera Snap
 fi;
 if enterAndClear "frameworks/base"; then
+git revert --no-edit 70cc90b9298ac0b18fe79a4f8f9251c01b8f96d3; #causes soft reboots due to race
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
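Review bot: `git revert --no-edit 70cc90b9298ac0b18fe79a4f8f9251c01b8f96d3;` in the Scripts/LineageOS-20.0/Patch.sh hunk is terminated with `;`, so if the revert stops on a conflict the applyPatch lines that follow still run against a tree containing conflict markers, and the build would then carry neither the reverted code nor the relanded fix. The applyPatch calls presumably go through that helper's own failure handling; the bare git call does not, so either route it through the same helper or make the failure fatal, e.g. `git revert --no-edit 70cc90b9298ac0b18fe79a4f8f9251c01b8f96d3 || exit 1; #causes soft reboots due to race`. The trailing comment would also be more useful if it named what is reverted and what replaces it, e.g. `#Revert "<subject of 70cc90b9>" - causes soft reboots due to race, superseded by 0029-Split_Tunnel_Fixes.patch`, since the new patch file's description only refers to Gerrit change ids and not to this commit hash.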
@@ -177,7 +178,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0023-Skip_Screen_Animation.patc
 applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add an option to show the details of an application error to the user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0027-Installer_Glitch.patch"; #Make sure PackageInstaller UI returns a result (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0028-Remove_Legacy_Package_Query.patch"; #Don't leak device-wide package list to apps when work profile is present (GrapheneOS)
-applyPatch "$DOS_PATCHES/android_frameworks_base/0029-NetSDKSandboxCrash.patch"; #Don't crash system when adding SDK sandbox rules (DivestOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Split_Tunnel_Fixes.patch"; #Reland "Fix network leaks with split-tunnel VPNs" (CalyxOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)