Merge pull request #612 from lineageos4microg/nns-v21-spoofing-patches

Nns v21 spoofing patches

Dockerfile

@@ -102,8 +102,16 @@ ENV LOGS_SUBDIR true
 # restricted patch and embedding the apps that requires it as system privileged
 # apps is a much secure option. See the README.md ("Custom mode") for an
 # example.
+#
+# LineageOS versions 18.1, 19.1, 20.0 and 21.0 and up include built-in
+# signature spoofing for microG, and custom patches are not required. They may
+# still, however, optionally be enabled
 ENV SIGNATURE_SPOOFING "no"
 
+# Enable the built-in signature spoofing for the user build type, not just
+# userdebug and eng
+ENV USER_BUILD_SPOOFING "no"
+
 # Delete old zips in $ZIP_DIR, keep only the N latest one (0 to disable)
 ENV DELETE_OLD_ZIPS 0
 

README.md

@@ -110,8 +110,14 @@ And when starting the build, set the `CUSTOM_PACKAGES` variable to a list of app
 
 #### Signature spoofing
 
-There are two options for the [signature spoofing patch][signature-spoofing]
-required for [microG][microg]:
+For LineageOS versions 18.1, 19.1, 20.0 and 21.0, built-in support for
+signature spoofing has been added. This specifically only allows microG to
+spoof its signature; no other apps are allowed to do so. If this is fine, the
+`SIGNATURE_SPOOFING` environment variable may be left unset (defaulting to
+`no`).
+
+If not, two custom [signature spoofing patches][signature-spoofing] are
+provided:
  * "Original" [patches][signature-spoofing-patches]
  * Restricted patches
 
@@ -124,15 +130,19 @@ A more strict option is the restricted patch, where the FAKE_SIGNATURE
 permission can be obtained only by privileged system apps, embedded in the ROM
 during the build process.
 
-The signature spoofing patch can be optionally included with:
+The custom signature spoofing patch can be optionally included with:
 
  * `SIGNATURE_SPOOFING (no)`: `yes` to use the original patch, `restricted` for
-    the restricted one, `no` for none of them
+    the restricted one, `no` for none of them and to default to built-in
+    signature spoofing.
 
 If in doubt, use `restricted`: note that packages that requires the
 FAKE_SIGNATURE permission must be included in the build as system apps
 (e.g. as part of GMS or `CUSTOM_PACKAGES`)
 
+These patches are currently disabled for LineageOS 21 entirely. If you have an
+use case which requires the use of custom patches on 21,
+[please open an issue][issue-tracker].
 
 #### Proprietary files
 
@@ -409,7 +419,7 @@ The LineageOS for MicroG project is not in a position to offer much by way of te
 - the number of active volunteer maintainers / contributors is very small, and we spend what time we have trying to ensure that the process of making regular builds keeps going. We can generally investigate problems with the build tools, but not with the ROM itself;
 - we don't have access to any devices for testing / debugging
 
-The [project issue tracker](https://github.com/lineageos4microg/docker-lineage-cicd/issues) is mostly for tracking problems with the Docker build tool. It is ***not*** intended for tracking problems with ***installing*** or ***running*** the LineageOS for MicroG ROM. If you run into such problems, our advice is to work through the following steps to see if they help. (Make a backup of your user apps & data first):
+The [project issue tracker][issue-tracker] is mostly for tracking problems with the Docker build tool. It is ***not*** intended for tracking problems with ***installing*** or ***running*** the LineageOS for MicroG ROM. If you run into such problems, our advice is to work through the following steps to see if they help. (Make a backup of your user apps & data first):
 - full power off and restart
 - factory reset
 - format data partition
@@ -475,7 +485,7 @@ We build for the same devices as LineageOS using [their list of build targets](h
 
 We currently make builds monthly, starting on the first day of the month. The devices included in a build run are defined by the content of the [LOS target list](https://github.com/LineageOS/hudson/blob/master/lineage-build-targets) ***at the point the build run starts***. Our monthly build run takes 15-16 days to complete. You can see the current status of the build in [the dedicated matrix room](https://matrix.to/#/#microg-lineage-os-builds:matrix.domainepublic.net) 
 
-If builds for any devices fail during a build run, we will try the build again ***after the main build run has completed***. If you do not see a new build for your device when you expect it, please check whether the build failure was reported in the matrix room. If it was, there is no need to report it - we will deal with it! If the failure was not reported in the matrix room, then please report it in [our issue tracker](https://github.com/lineageos4microg/docker-lineage-cicd/issues) or in [the XDA Forums thread](https://xdaforums.com/t/lineageos-for-microg.3700997/)
+If builds for any devices fail during a build run, we will try the build again ***after the main build run has completed***. If you do not see a new build for your device when you expect it, please check whether the build failure was reported in the matrix room. If it was, there is no need to report it - we will deal with it! If the failure was not reported in the matrix room, then please report it in [our issue tracker][issue-tracker] or in [the XDA Forums thread](https://xdaforums.com/t/lineageos-for-microg.3700997/)
 
 
 ### Project Scope
@@ -559,3 +569,4 @@ Upstream projects have their own channels for supporting users.
 [a6000-xda]: https://xdaforums.com/t/eol-rom-8-1-0_r43-f2fs-lineageos-15-1-arm-stable-final-android-go.3733747/
 [a6000-device-tree-deps]: https://github.com/dev-harsh1998/android_device_lenovo_a6000/blob/lineage-15.1/lineage.dependencies
 [a6000-common-tree-deps]: https://github.com/dev-harsh1998/android_device_lenovo_msm8916-common/blob/lineage-15.1/lineage.dependencies
+[issue-tracker]: https://github.com/lineageos4microg/docker-lineage-cicd/issues

src/build.sh

@@ -175,24 +175,28 @@ for branch in ${BRANCH_NAME//,/ }; do
         android_version="11"
         frameworks_base_patch="android_frameworks_base-R.patch"
         apps_permissioncontroller_patch="packages_apps_PermissionController-R.patch"
+        user_build_spoofing_patch="android_frameworks_base-user_build.patch"
         ;;
       lineage-19.1*)
         themuppets_branch="lineage-19.1"
         android_version="12"
         frameworks_base_patch="android_frameworks_base-S.patch"
         modules_permission_patch="packages_modules_Permission-S.patch"
+        user_build_spoofing_patch="android_frameworks_base-user_build.patch"
         ;;
       lineage-20.0*)
         themuppets_branch="lineage-20.0"
         android_version="13"
         frameworks_base_patch="android_frameworks_base-Android13.patch"
         modules_permission_patch="packages_modules_Permission-Android13.patch"
+        user_build_spoofing_patch="android_frameworks_base-user_build.patch"
         ;;
       lineage-21.0*)
         themuppets_branch="lineage-21.0"
         android_version="14"
         frameworks_base_patch="android_frameworks_base-Android14.patch"
         modules_permission_patch="packages_modules_Permission-Android14.patch"
+        user_build_spoofing_patch="android_frameworks_base-user_build.patch"
         ;;
       *)
         echo ">> [$(date)] Building branch $branch is not (yet) suppported"
@@ -279,40 +283,57 @@ for branch in ${BRANCH_NAME//,/ }; do
     los_ver="$los_ver_major.$los_ver_minor"
 
     if [ "$APPLY_PATCHES" = true ]; then
-    # If needed, apply the microG's signature spoofing patch
-      if [ "$SIGNATURE_SPOOFING" = "yes" ] || [ "$SIGNATURE_SPOOFING" = "restricted" ]; then
-        # Determine which patch should be applied to the current Android source tree
-        cd frameworks/base
-        if [ "$SIGNATURE_SPOOFING" = "yes" ]; then
-          echo ">> [$(date)] Applying the standard signature spoofing patch ($frameworks_base_patch) to frameworks/base"
-          echo ">> [$(date)] WARNING: the standard signature spoofing patch introduces a security threat"
-          patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$frameworks_base_patch"
+      # If user build variant should also enable LOS signature spoofing
+      if [ "$USER_BUILD_SPOOFING" = "yes" ]; then
+        if [ -n "$user_build_spoofing_patch" ]; then
+          cd frameworks/base
+          echo ">> [$(date)] Applying the user build variant signature spoofing patch ($user_build_spoofing_patch) to frameworks/base"
+          patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$user_build_spoofing_patch"
+          git clean -q -f
+          cd ../..
         else
-          echo ">> [$(date)] Applying the restricted signature spoofing patch (based on $frameworks_base_patch) to frameworks/base"
-          sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "/root/signature_spoofing_patches/$frameworks_base_patch" | patch --quiet --force -p1
+          echo ">> [$(date)] WARNING: User build signature spoofing requested, but branch ($branch) does not support built-in signature spoofing"
         fi
-        git clean -q -f
-        cd ../..
+      fi
 
-        if [ -n "$apps_permissioncontroller_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then
-          cd packages/apps/PermissionController
-          echo ">> [$(date)] Applying the apps/PermissionController patch ($apps_permissioncontroller_patch) to packages/apps/PermissionController"
-          patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$apps_permissioncontroller_patch"
+      # If needed, apply the microG's signature spoofing patch
+      if [ "$SIGNATURE_SPOOFING" = "yes" ] || [ "$SIGNATURE_SPOOFING" = "restricted" ]; then
+        if [ -n "$frameworks_base_patch" ]; then
+          echo ">> [$(date)] WARNING: Signature spoofing patches requested, but branch ($branch) does not support microG patches"
+        else
+          # Determine which patch should be applied to the current Android source tree
+          cd frameworks/base
+          if [ "$SIGNATURE_SPOOFING" = "yes" ]; then
+            echo ">> [$(date)] Applying the standard signature spoofing patch ($frameworks_base_patch) to frameworks/base"
+            echo ">> [$(date)] WARNING: the standard signature spoofing patch introduces a security threat"
+            patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$frameworks_base_patch"
+          else
+            echo ">> [$(date)] Applying the restricted signature spoofing patch (based on $frameworks_base_patch) to frameworks/base"
+            sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "/root/signature_spoofing_patches/$frameworks_base_patch" | patch --quiet --force -p1
+          fi
           git clean -q -f
-          cd ../../..
-        fi
+          cd ../..
 
-        if [ -n "$modules_permission_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then
-          cd packages/modules/Permission
-          echo ">> [$(date)] Applying the modules/Permission patch ($modules_permission_patch) to packages/modules/Permission"
-          patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$modules_permission_patch"
-          git clean -q -f
-          cd ../../..
-        fi
+          if [ -n "$apps_permissioncontroller_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then
+            cd packages/apps/PermissionController
+            echo ">> [$(date)] Applying the apps/PermissionController patch ($apps_permissioncontroller_patch) to packages/apps/PermissionController"
+            patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$apps_permissioncontroller_patch"
+            git clean -q -f
+            cd ../../..
+          fi
 
-        # Override device-specific settings for the location providers
-        mkdir -p "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/"
-        cp /root/signature_spoofing_patches/frameworks_base_config.xml "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/config.xml"
+          if [ -n "$modules_permission_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then
+            cd packages/modules/Permission
+            echo ">> [$(date)] Applying the modules/Permission patch ($modules_permission_patch) to packages/modules/Permission"
+            patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$modules_permission_patch"
+            git clean -q -f
+            cd ../../..
+          fi
+
+          # Override device-specific settings for the location providers
+          mkdir -p "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/"
+          cp /root/signature_spoofing_patches/frameworks_base_config.xml "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/config.xml"
+        fi
       fi
     else
       echo ">> [$(date)] Applying patches disabled"

src/signature_spoofing_patches/android_frameworks_base-user_build.patch

@@ -0,0 +1,27 @@
+From d467f4bdb09f16988965a44d6a42f0f180f7e6d7 Mon Sep 17 00:00:00 2001
+From: Rasmus Moorats <xx@nns.ee>
+Date: Tue, 9 Apr 2024 13:18:17 +0300
+Subject: [PATCH] Remove the check to isDebuggable()
+
+This makes the microG signature spoofing work in regular user builds.
+---
+ services/core/java/com/android/server/pm/ComputerEngine.java | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java
+index d8cbe9d5..13af78f5 100644
+--- a/services/core/java/com/android/server/pm/ComputerEngine.java
++++ b/services/core/java/com/android/server/pm/ComputerEngine.java
+@@ -1472,10 +1472,6 @@ public class ComputerEngine implements Computer {
+     private static native boolean isDebuggable();
+ 
+     public static boolean isMicrogSigned(AndroidPackage p) {
+-        if (!isDebuggable()) {
+-            return false;
+-        }
+-
+         // Allowlist the following apps:
+         // * com.android.vending - microG Companion
+         // * com.google.android.gms - microG Services
+--
+2.44.0