-
-
Notifications
You must be signed in to change notification settings - Fork 27
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Port the GrapheneOS NETWORK permission to 17.1 and 18.1
Some patches were ported from 12 to 10/11 Some patches from 11 were ported to 10 This 10/11 port should be very close to 12 BOUNS: 16.0 patches, disabled Signed-off-by: Tad <tad@spotco.us>
- Loading branch information
1 parent
f4fbe65
commit 5e15217
Showing
39 changed files
with
2,098 additions
and
2 deletions.
There are no files selected for viewing
116 changes: 116 additions & 0 deletions
116
Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
From 09632b10185b9133949a431e27089f72b5cfeefa Mon Sep 17 00:00:00 2001 | ||
From: Daniel Micay <danielmicay@gmail.com> | ||
Date: Fri, 21 Jul 2017 08:42:55 -0400 | ||
Subject: [PATCH] support new special runtime permissions | ||
|
||
These are treated as a runtime permission even for legacy apps. They | ||
need to be granted by default for all apps to maintain compatibility. | ||
--- | ||
.../server/pm/PackageManagerService.java | 3 +- | ||
.../permission/PermissionManagerService.java | 30 ++++++++++++++----- | ||
2 files changed, 25 insertions(+), 8 deletions(-) | ||
|
||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java | ||
index c414abac12a7..46f02259e741 100644 | ||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java | ||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java | ||
@@ -19462,7 +19462,8 @@ private void resetUserChangesToRuntimePermissionsAndFlagsLPw( | ||
} | ||
|
||
// If this permission was granted by default, make sure it is. | ||
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) { | ||
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 | ||
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) { | ||
if (permissionsState.grantRuntimePermission(bp, userId) | ||
!= PERMISSION_OPERATION_FAILURE) { | ||
writeRuntimePermissions = true; | ||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java | ||
index c51a72406b53..cb8facb31020 100644 | ||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java | ||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java | ||
@@ -659,6 +659,10 @@ private void removeDynamicPermission( | ||
} | ||
} | ||
|
||
+ public static boolean isSpecialRuntimePermission(final String permission) { | ||
+ return false; | ||
+ } | ||
+ | ||
private void grantPermissions(PackageParser.Package pkg, boolean replace, | ||
String packageOfInterest, PermissionCallback callback) { | ||
// IMPORTANT: There are two types of permissions: install and runtime. | ||
@@ -767,7 +771,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace, | ||
// their permissions as always granted runtime ones since we need | ||
// to keep the review required permission flag per user while an | ||
// install permission's state is shared across all users. | ||
- if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) { | ||
+ if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired && | ||
+ !isSpecialRuntimePermission(bp.getName())) { | ||
// For legacy apps dangerous permissions are install time ones. | ||
grant = GRANT_INSTALL; | ||
} else if (origPermissions.hasInstallPermission(bp.getName())) { | ||
@@ -877,7 +882,8 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace, | ||
updatedUserIds, userId); | ||
} | ||
} else if (mSettings.mPermissionReviewRequired | ||
- && !appSupportsRuntimePermissions) { | ||
+ && !appSupportsRuntimePermissions | ||
+ && !isSpecialRuntimePermission(bp.getName())) { | ||
// For legacy apps that need a permission review, every new | ||
// runtime permission is granted but it is pending a review. | ||
// We also need to review only platform defined runtime | ||
@@ -898,7 +904,15 @@ private void grantPermissions(PackageParser.Package pkg, boolean replace, | ||
updatedUserIds = ArrayUtils.appendInt( | ||
updatedUserIds, userId); | ||
} | ||
- } | ||
+ } else if (isSpecialRuntimePermission(bp.name) && | ||
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) { | ||
+ if (permissionsState.grantRuntimePermission(bp, userId) | ||
+ != PermissionsState.PERMISSION_OPERATION_FAILURE) { | ||
+ // We changed the permission, hence have to write. | ||
+ updatedUserIds = ArrayUtils.appendInt( | ||
+ updatedUserIds, userId); | ||
+ } | ||
+ } | ||
// Propagate the permission flags. | ||
permissionsState.updatePermissionFlags(bp, userId, flags, flags); | ||
} | ||
@@ -1350,7 +1364,7 @@ private void grantRequestedRuntimePermissionsForUser(PackageParser.Package pkg, | ||
&& (grantedPermissions == null | ||
|| ArrayUtils.contains(grantedPermissions, permission))) { | ||
final int flags = permissionsState.getPermissionFlags(permission, userId); | ||
- if (supportsRuntimePermissions) { | ||
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) { | ||
// Installer cannot change immutable permissions. | ||
if ((flags & immutableFlags) == 0) { | ||
grantRuntimePermission(permission, pkg.packageName, false, callingUid, | ||
@@ -1409,7 +1423,7 @@ private void grantRuntimePermission(String permName, String packageName, boolean | ||
// install permission's state is shared across all users. | ||
if (mSettings.mPermissionReviewRequired | ||
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M | ||
- && bp.isRuntime()) { | ||
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) { | ||
return; | ||
} | ||
|
||
@@ -1445,7 +1459,8 @@ private void grantRuntimePermission(String permName, String packageName, boolean | ||
+ permName + " for package " + packageName); | ||
} | ||
|
||
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) { | ||
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M | ||
+ && !isSpecialRuntimePermission(permName)) { | ||
Slog.w(TAG, "Cannot grant runtime permission to a legacy app"); | ||
return; | ||
} | ||
@@ -1530,7 +1545,8 @@ private void revokeRuntimePermission(String permName, String packageName, | ||
// install permission's state is shared across all users. | ||
if (mSettings.mPermissionReviewRequired | ||
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M | ||
- && bp.isRuntime()) { | ||
+ && bp.isRuntime() | ||
+ && !isSpecialRuntimePermission(permName)) { | ||
return; | ||
} | ||
|
36 changes: 36 additions & 0 deletions
36
Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-2.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
From 2dd00723364fcf10e6c9e6c2e022e31524fda92d Mon Sep 17 00:00:00 2001 | ||
From: Daniel Micay <danielmicay@gmail.com> | ||
Date: Sun, 17 Mar 2019 11:59:15 -0400 | ||
Subject: [PATCH] make INTERNET into a special runtime permission | ||
|
||
--- | ||
core/res/AndroidManifest.xml | 2 +- | ||
.../android/server/pm/permission/PermissionManagerService.java | 2 +- | ||
2 files changed, 2 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml | ||
index d0ae9dbc55ae..d0449dfc4f57 100644 | ||
--- a/core/res/AndroidManifest.xml | ||
+++ b/core/res/AndroidManifest.xml | ||
@@ -1348,7 +1348,7 @@ | ||
<permission android:name="android.permission.INTERNET" | ||
android:description="@string/permdesc_createNetworkSockets" | ||
android:label="@string/permlab_createNetworkSockets" | ||
- android:protectionLevel="normal|instant" /> | ||
+ android:protectionLevel="dangerous|instant" /> | ||
|
||
<!-- Allows applications to access information about networks. | ||
<p>Protection level: normal | ||
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java | ||
index cb8facb31020..9b11c8e0ffd7 100644 | ||
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java | ||
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java | ||
@@ -660,7 +660,7 @@ private void removeDynamicPermission( | ||
} | ||
|
||
public static boolean isSpecialRuntimePermission(final String permission) { | ||
- return false; | ||
+ return Manifest.permission.INTERNET.equals(permission); | ||
} | ||
|
||
private void grantPermissions(PackageParser.Package pkg, boolean replace, |
51 changes: 51 additions & 0 deletions
51
Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-3.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
From 6ef61fd6f745b9709269d3612a3a4eea2250ebec Mon Sep 17 00:00:00 2001 | ||
From: Daniel Micay <danielmicay@gmail.com> | ||
Date: Fri, 21 Jul 2017 11:23:07 -0400 | ||
Subject: [PATCH] add a NETWORK permission group for INTERNET | ||
|
||
--- | ||
core/res/AndroidManifest.xml | 10 ++++++++++ | ||
core/res/res/values/strings.xml | 5 +++++ | ||
2 files changed, 15 insertions(+) | ||
|
||
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml | ||
index d0449dfc4f57..822cf1166539 100644 | ||
--- a/core/res/AndroidManifest.xml | ||
+++ b/core/res/AndroidManifest.xml | ||
@@ -1342,10 +1342,20 @@ | ||
<!-- ======================================= --> | ||
<eat-comment /> | ||
|
||
+ <!-- Network access | ||
+ @hide | ||
+ --> | ||
+ <permission-group android:name="android.permission-group.NETWORK" | ||
+ android:icon="@drawable/perm_group_network" | ||
+ android:label="@string/permgrouplab_network" | ||
+ android:description="@string/permgroupdesc_network" | ||
+ android:priority="900" /> | ||
+ | ||
<!-- Allows applications to open network sockets. | ||
<p>Protection level: normal | ||
--> | ||
<permission android:name="android.permission.INTERNET" | ||
+ android:permissionGroup="android.permission-group.NETWORK" | ||
android:description="@string/permdesc_createNetworkSockets" | ||
android:label="@string/permlab_createNetworkSockets" | ||
android:protectionLevel="dangerous|instant" /> | ||
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml | ||
index f6600462ea74..a79fa8e95b6e 100644 | ||
--- a/core/res/res/values/strings.xml | ||
+++ b/core/res/res/values/strings.xml | ||
@@ -747,6 +747,11 @@ | ||
<string name="permgrouprequest_sensors">Allow | ||
<b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g></b> to access sensor data about your vital signs?</string> | ||
|
||
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. --> | ||
+ <string name="permgrouplab_network">Network</string> | ||
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. --> | ||
+ <string name="permgroupdesc_network">network access</string> | ||
+ | ||
<!-- Title for the capability of an accessibility service to retrieve window content. --> | ||
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string> | ||
<!-- Description for the capability of an accessibility service to retrieve window content. --> |
31 changes: 31 additions & 0 deletions
31
Patches/LineageOS-16.0/android_libcore/0001-Network_Permission.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com> | ||
Date: Tue, 14 Dec 2021 21:10:51 +0200 | ||
Subject: [PATCH] don't throw SecurityException when INTERNET permission is | ||
revoked | ||
|
||
--- | ||
ojluni/src/main/java/java/net/Inet6AddressImpl.java | 10 +--------- | ||
1 file changed, 1 insertion(+), 9 deletions(-) | ||
|
||
diff --git a/ojluni/src/main/java/java/net/Inet6AddressImpl.java b/ojluni/src/main/java/java/net/Inet6AddressImpl.java | ||
index 1edfe344ce..2176973b44 100644 | ||
--- a/ojluni/src/main/java/java/net/Inet6AddressImpl.java | ||
+++ b/ojluni/src/main/java/java/net/Inet6AddressImpl.java | ||
@@ -143,15 +143,7 @@ class Inet6AddressImpl implements InetAddressImpl { | ||
addressCache.put(host, netId, addresses); | ||
return addresses; | ||
} catch (GaiException gaiException) { | ||
- // If the failure appears to have been a lack of INTERNET permission, throw a clear | ||
- // SecurityException to aid in debugging this common mistake. | ||
- // http://code.google.com/p/android/issues/detail?id=15722 | ||
- if (gaiException.getCause() instanceof ErrnoException) { | ||
- if (((ErrnoException) gaiException.getCause()).errno == EACCES) { | ||
- throw new SecurityException("Permission denied (missing INTERNET permission?)", gaiException); | ||
- } | ||
- } | ||
- // Otherwise, throw an UnknownHostException. | ||
+ // Throw an UnknownHostException. | ||
String detailMessage = "Unable to resolve host \"" + host + "\": " + Libcore.os.gai_strerror(gaiException.error); | ||
addressCache.putUnknownHost(host, netId, detailMessage); | ||
throw gaiException.rethrowAsUnknownHostException(detailMessage); |
48 changes: 48 additions & 0 deletions
48
...hes/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
From 880011e7af233249e1b70177daa3cd786574bc85 Mon Sep 17 00:00:00 2001 | ||
From: Daniel Micay <danielmicay@gmail.com> | ||
Date: Sat, 22 Jul 2017 21:43:50 -0400 | ||
Subject: [PATCH] always treat INTERNET as a runtime permission | ||
|
||
--- | ||
.../permission/model/AppPermissionGroup.java | 7 ++++--- | ||
1 file changed, 4 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java | ||
index aafce8df5..e6087de4c 100644 | ||
--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java | ||
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java | ||
@@ -26,6 +26,7 @@ | ||
import android.content.pm.PackageManager; | ||
import android.content.pm.PermissionGroupInfo; | ||
import android.content.pm.PermissionInfo; | ||
+import android.Manifest; | ||
import android.os.Build; | ||
import android.os.Process; | ||
import android.os.UserHandle; | ||
@@ -338,7 +339,7 @@ public boolean areRuntimePermissionsGranted(String[] filterPermissions) { | ||
&& !ArrayUtils.contains(filterPermissions, permission.getName())) { | ||
continue; | ||
} | ||
- if (mAppSupportsRuntimePermissions) { | ||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { | ||
if (permission.isGranted()) { | ||
return true; | ||
} | ||
@@ -371,7 +372,7 @@ public boolean grantRuntimePermissions(boolean fixedByTheUser, String[] filterPe | ||
continue; | ||
} | ||
|
||
- if (mAppSupportsRuntimePermissions) { | ||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { | ||
// Do not touch permissions fixed by the system. | ||
if (permission.isSystemFixed()) { | ||
return false; | ||
@@ -473,7 +474,7 @@ public boolean revokeRuntimePermissions(boolean fixedByTheUser, String[] filterP | ||
continue; | ||
} | ||
|
||
- if (mAppSupportsRuntimePermissions) { | ||
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) { | ||
// Do not touch permissions fixed by the system. | ||
if (permission.isSystemFixed()) { | ||
return false; |
23 changes: 23 additions & 0 deletions
23
...hes/LineageOS-16.0/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
From c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99 Mon Sep 17 00:00:00 2001 | ||
From: Daniel Micay <danielmicay@gmail.com> | ||
Date: Fri, 21 Jul 2017 10:29:15 -0400 | ||
Subject: [PATCH] add NETWORK permission group | ||
|
||
--- | ||
src/com/android/packageinstaller/permission/utils/Utils.java | 3 ++- | ||
1 file changed, 2 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java | ||
index 85a102831..423b319ee 100644 | ||
--- a/src/com/android/packageinstaller/permission/utils/Utils.java | ||
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java | ||
@@ -51,7 +51,8 @@ | ||
Manifest.permission_group.SMS, | ||
Manifest.permission_group.PHONE, | ||
Manifest.permission_group.MICROPHONE, | ||
- Manifest.permission_group.STORAGE | ||
+ Manifest.permission_group.STORAGE, | ||
+ Manifest.permission_group.NETWORK | ||
}; | ||
|
||
private static final Intent LAUNCHER_INTENT = new Intent(Intent.ACTION_MAIN, null) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
21 changes: 21 additions & 0 deletions
21
.../LineageOS-16.0/android_packages_providers_DownloadProvider/0001-Network_Permission.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Daniel Micay <danielmicay@gmail.com> | ||
Date: Sun, 6 Aug 2017 08:19:36 -0400 | ||
Subject: [PATCH] remove legacy NETWORK permission group reference | ||
|
||
--- | ||
AndroidManifest.xml | 1 - | ||
1 file changed, 1 deletion(-) | ||
|
||
diff --git a/AndroidManifest.xml b/AndroidManifest.xml | ||
index 302a58e5..65f38e86 100644 | ||
--- a/AndroidManifest.xml | ||
+++ b/AndroidManifest.xml | ||
@@ -29,7 +29,6 @@ | ||
|
||
<!-- Allows to queue downloads without a notification shown while the download runs. --> | ||
<permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION" | ||
- android:permissionGroup="android.permission-group.NETWORK" | ||
android:label="@string/permlab_downloadWithoutNotification" | ||
android:description="@string/permdesc_downloadWithoutNotification" | ||
android:protectionLevel="normal"/> |
Oops, something went wrong.