Port the GrapheneOS NETWORK permission to 17.1 and 18.1

Some patches were ported from 12 to 10/11 Some patches from 11 were ported to 10 This 10/11 port should be very close to 12 BOUNS: 16.0 patches, disabled Signed-off-by: Tad <tad@spotco.us>
Divested-Mobile · Feb 25, 2022 · 5e15217 · 5e15217
1 parent f4fbe65
commit 5e15217
Show file tree

Hide file tree

Showing 39 changed files with 2,098 additions and 2 deletions.
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
@@ -0,0 +1,116 @@
+From 09632b10185b9133949a431e27089f72b5cfeefa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 08:42:55 -0400
+Subject: [PATCH] support new special runtime permissions
+
+These are treated as a runtime permission even for legacy apps. They
+need to be granted by default for all apps to maintain compatibility.
+---
+ .../server/pm/PackageManagerService.java      |  3 +-
+ .../permission/PermissionManagerService.java  | 30 ++++++++++++++-----
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index c414abac12a7..46f02259e741 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -19462,7 +19462,8 @@ private void resetUserChangesToRuntimePermissionsAndFlagsLPw(
+             }
+
+             // If this permission was granted by default, make sure it is.
+-            if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
++            if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
++                    || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
+                 if (permissionsState.grantRuntimePermission(bp, userId)
+                         != PERMISSION_OPERATION_FAILURE) {
+                     writeRuntimePermissions = true;
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index c51a72406b53..cb8facb31020 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -659,6 +659,10 @@ private void removeDynamicPermission(
+         }
+     }
+
++    public static boolean isSpecialRuntimePermission(final String permission) {
++        return false;
++    }
++
+     private void grantPermissions(PackageParser.Package pkg, boolean replace,
+             String packageOfInterest, PermissionCallback callback) {
+         // IMPORTANT: There are two types of permissions: install and runtime.
+@@ -767,7 +771,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+                     // their permissions as always granted runtime ones since we need
+                     // to keep the review required permission flag per user while an
+                     // install permission's state is shared across all users.
+-                    if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) {
++                    if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired &&
++                            !isSpecialRuntimePermission(bp.getName())) {
+                         // For legacy apps dangerous permissions are install time ones.
+                         grant = GRANT_INSTALL;
+                     } else if (origPermissions.hasInstallPermission(bp.getName())) {
+@@ -877,7 +882,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+                                                 updatedUserIds, userId);
+                                     }
+                                 } else if (mSettings.mPermissionReviewRequired
+-                                        && !appSupportsRuntimePermissions) {
++                                        && !appSupportsRuntimePermissions
++                                        && !isSpecialRuntimePermission(bp.getName())) {
+                                     // For legacy apps that need a permission review, every new
+                                     // runtime permission is granted but it is pending a review.
+                                     // We also need to review only platform defined runtime
+@@ -898,7 +904,15 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace,
+                                         updatedUserIds = ArrayUtils.appendInt(
+                                                 updatedUserIds, userId);
+                                     }
+-                                }
++				} else if (isSpecialRuntimePermission(bp.name) &&
++					origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
++                                    if (permissionsState.grantRuntimePermission(bp, userId)
++                                            != PermissionsState.PERMISSION_OPERATION_FAILURE) {
++                                        // We changed the permission, hence have to write.
++                                        updatedUserIds = ArrayUtils.appendInt(
++                                                updatedUserIds, userId);
++                                    }
++				}
+                                 // Propagate the permission flags.
+                                 permissionsState.updatePermissionFlags(bp, userId, flags, flags);
+                             }
+@@ -1350,7 +1364,7 @@ private void grantRequestedRuntimePermissionsForUser(PackageParser.Package pkg,
+                     && (grantedPermissions == null
+                            || ArrayUtils.contains(grantedPermissions, permission))) {
+                 final int flags = permissionsState.getPermissionFlags(permission, userId);
+-                if (supportsRuntimePermissions) {
++                if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
+                     // Installer cannot change immutable permissions.
+                     if ((flags & immutableFlags) == 0) {
+                         grantRuntimePermission(permission, pkg.packageName, false, callingUid,
+@@ -1409,7 +1423,7 @@ private void grantRuntimePermission(String permName, String packageName, boolean
+         // install permission's state is shared across all users.
+         if (mSettings.mPermissionReviewRequired
+                 && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
++                && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
+             return;
+         }
+
+@@ -1445,7 +1459,8 @@ private void grantRuntimePermission(String permName, String packageName, boolean
+                     + permName + " for package " + packageName);
+         }
+
+-        if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
++        if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
++                && !isSpecialRuntimePermission(permName)) {
+             Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
+             return;
+         }
+@@ -1530,7 +1545,8 @@ private void revokeRuntimePermission(String permName, String packageName,
+         // install permission's state is shared across all users.
+         if (mSettings.mPermissionReviewRequired
+                 && pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+-                && bp.isRuntime()) {
++                && bp.isRuntime()
++                && !isSpecialRuntimePermission(permName)) {
+             return;
+         }
+
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch
@@ -0,0 +1,36 @@
+From 2dd00723364fcf10e6c9e6c2e022e31524fda92d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 17 Mar 2019 11:59:15 -0400
+Subject: [PATCH] make INTERNET into a special runtime permission
+
+---
+ core/res/AndroidManifest.xml                                    | 2 +-
+ .../android/server/pm/permission/PermissionManagerService.java  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index d0ae9dbc55ae..d0449dfc4f57 100644
+--- a/core/res/AndroidManifest.xml
++++ b/core/res/AndroidManifest.xml
+@@ -1348,7 +1348,7 @@
+     <permission android:name="android.permission.INTERNET"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+-        android:protectionLevel="normal|instant" />
++        android:protectionLevel="dangerous|instant" />
+
+     <!-- Allows applications to access information about networks.
+          <p>Protection level: normal
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index cb8facb31020..9b11c8e0ffd7 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -660,7 +660,7 @@ private void removeDynamicPermission(
+     }
+
+     public static boolean isSpecialRuntimePermission(final String permission) {
+-        return false;
++        return Manifest.permission.INTERNET.equals(permission);
+     }
+
+     private void grantPermissions(PackageParser.Package pkg, boolean replace,
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch
@@ -0,0 +1,51 @@
+From 6ef61fd6f745b9709269d3612a3a4eea2250ebec Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 11:23:07 -0400
+Subject: [PATCH] add a NETWORK permission group for INTERNET
+
+---
+ core/res/AndroidManifest.xml    | 10 ++++++++++
+ core/res/res/values/strings.xml |  5 +++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index d0449dfc4f57..822cf1166539 100644
+--- a/core/res/AndroidManifest.xml
++++ b/core/res/AndroidManifest.xml
+@@ -1342,10 +1342,20 @@
+     <!-- ======================================= -->
+     <eat-comment />
+
++    <!-- Network access
++         @hide
++    -->
++    <permission-group android:name="android.permission-group.NETWORK"
++        android:icon="@drawable/perm_group_network"
++        android:label="@string/permgrouplab_network"
++        android:description="@string/permgroupdesc_network"
++        android:priority="900" />
++
+     <!-- Allows applications to open network sockets.
+          <p>Protection level: normal
+     -->
+     <permission android:name="android.permission.INTERNET"
++        android:permissionGroup="android.permission-group.NETWORK"
+         android:description="@string/permdesc_createNetworkSockets"
+         android:label="@string/permlab_createNetworkSockets"
+         android:protectionLevel="dangerous|instant" />
+diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
+index f6600462ea74..a79fa8e95b6e 100644
+--- a/core/res/res/values/strings.xml
++++ b/core/res/res/values/strings.xml
+@@ -747,6 +747,11 @@
+     <string name="permgrouprequest_sensors">Allow
+         &lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+
++    <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
++    <string name="permgrouplab_network">Network</string>
++    <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
++    <string name="permgroupdesc_network">network access</string>
++
+     <!-- Title for the capability of an accessibility service to retrieve window content. -->
+     <string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
+     <!-- Description for the capability of an accessibility service to retrieve window content. -->
diff --git a/Patches/LineageOS-16.0/android_libcore/0001-Network_Permission.patch b/Patches/LineageOS-16.0/android_libcore/0001-Network_Permission.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 21:10:51 +0200
+Subject: [PATCH] don't throw SecurityException when INTERNET permission is
+ revoked
+
+---
+ ojluni/src/main/java/java/net/Inet6AddressImpl.java | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+index 1edfe344ce..2176973b44 100644
+--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java
++++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java
+@@ -143,15 +143,7 @@ class Inet6AddressImpl implements InetAddressImpl {
+             addressCache.put(host, netId, addresses);
+             return addresses;
+         } catch (GaiException gaiException) {
+-            // If the failure appears to have been a lack of INTERNET permission, throw a clear
+-            // SecurityException to aid in debugging this common mistake.
+-            // http://code.google.com/p/android/issues/detail?id=15722
+-            if (gaiException.getCause() instanceof ErrnoException) {
+-                if (((ErrnoException) gaiException.getCause()).errno == EACCES) {
+-                    throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException);
+-                }
+-            }
+-            // Otherwise, throw an UnknownHostException.
++            // Throw an UnknownHostException.
+             String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error);
+             addressCache.putUnknownHost(host, netId, detailMessage);
+             throw gaiException.rethrowAsUnknownHostException(detailMessage);
diff --git a/...hes/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch b/...hes/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch
@@ -0,0 +1,48 @@
+From 880011e7af233249e1b70177daa3cd786574bc85 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 22 Jul 2017 21:43:50 -0400
+Subject: [PATCH] always treat INTERNET as a runtime permission
+
+---
+ .../permission/model/AppPermissionGroup.java               | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+index aafce8df5..e6087de4c 100644
+--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
++++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+@@ -26,6 +26,7 @@
+ import android.content.pm.PackageManager;
+ import android.content.pm.PermissionGroupInfo;
+ import android.content.pm.PermissionInfo;
++import android.Manifest;
+ import android.os.Build;
+ import android.os.Process;
+ import android.os.UserHandle;
+@@ -338,7 +339,7 @@ public boolean areRuntimePermissionsGranted(String[] filterPermissions) {
+                     && !ArrayUtils.contains(filterPermissions, permission.getName())) {
+                 continue;
+             }
+-            if (mAppSupportsRuntimePermissions) {
++            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 if (permission.isGranted()) {
+                     return true;
+                 }
+@@ -371,7 +372,7 @@ public boolean grantRuntimePermissions(boolean fixedByTheUser, String[] filterPe
+                 continue;
+             }
+
+-            if (mAppSupportsRuntimePermissions) {
++            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     return false;
+@@ -473,7 +474,7 @@ public boolean revokeRuntimePermissions(boolean fixedByTheUser, String[] filterP
+                 continue;
+             }
+
+-            if (mAppSupportsRuntimePermissions) {
++            if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+                 // Do not touch permissions fixed by the system.
+                 if (permission.isSystemFixed()) {
+                     return false;
diff --git a/...hes/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch b/...hes/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch
@@ -0,0 +1,23 @@
+From c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 21 Jul 2017 10:29:15 -0400
+Subject: [PATCH] add NETWORK permission group
+
+---
+ src/com/android/packageinstaller/permission/utils/Utils.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
+index 85a102831..423b319ee 100644
+--- a/src/com/android/packageinstaller/permission/utils/Utils.java
++++ b/src/com/android/packageinstaller/permission/utils/Utils.java
+@@ -51,7 +51,8 @@
+             Manifest.permission_group.SMS,
+             Manifest.permission_group.PHONE,
+             Manifest.permission_group.MICROPHONE,
+-            Manifest.permission_group.STORAGE
++            Manifest.permission_group.STORAGE,
++            Manifest.permission_group.NETWORK
+     };
+
+     private static final Intent LAUNCHER_INTENT = new Intent(Intent.ACTION_MAIN, null)
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
@@ -26,7 +26,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
  create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java
 
 diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
-index 53dca0e6e7..dee07db2b4 100644
+index e78bbea120..54e2864c9a 100644
 --- a/res/values-de/cm_strings.xml
 +++ b/res/values-de/cm_strings.xml
 @@ -308,4 +308,7 @@

diff --git a/.../LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch b/.../LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 6 Aug 2017 08:19:36 -0400
+Subject: [PATCH] remove legacy NETWORK permission group reference
+
+---
+ AndroidManifest.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/AndroidManifest.xml b/AndroidManifest.xml
+index 302a58e5..65f38e86 100644
+--- a/AndroidManifest.xml
++++ b/AndroidManifest.xml
+@@ -29,7 +29,6 @@
+
+     <!-- Allows to queue downloads without a notification shown while the download runs. -->
+     <permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
+-        android:permissionGroup="android.permission-group.NETWORK"
+         android:label="@string/permlab_downloadWithoutNotification"
+         android:description="@string/permdesc_downloadWithoutNotification"
+         android:protectionLevel="normal"/>