mirror of https://github.com/lineageos4microg/docker-lineage-cicd synced 2024-11-09 10:09:56 +01:00

Merge pull request #612 from lineageos4microg/nns-v21-spoofing-patches

Nns v21 spoofing patches
Pete Fotheringham 2024-04-28 19:36:15 +01:00 committed by GitHub
commit 4a76ef4404
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 101 additions and 34 deletions

@ -102,8 +102,16 @@ ENV LOGS_SUBDIR true
# restricted patch and embedding the apps that requires it as system privileged # restricted patch and embedding the apps that requires it as system privileged
# apps is a much secure option. See the README.md ("Custom mode") for an # apps is a much secure option. See the README.md ("Custom mode") for an
# example. # example.
#
# LineageOS versions 18.1, 19.1, 20.0 and 21.0 and up include built-in
# signature spoofing for microG, and custom patches are not required. They may
# still, however, optionally be enabled
ENV SIGNATURE_SPOOFING "no" ENV SIGNATURE_SPOOFING "no"
# Enable the built-in signature spoofing for the user build type, not just
# userdebug and eng
ENV USER_BUILD_SPOOFING "no"
# Delete old zips in $ZIP_DIR, keep only the N latest one (0 to disable) # Delete old zips in $ZIP_DIR, keep only the N latest one (0 to disable)
ENV DELETE_OLD_ZIPS 0 ENV DELETE_OLD_ZIPS 0
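Review bot: the new comment block ("LineageOS versions 18.1, 19.1, 20.0 and 21.0 and up include built-in signature spoofing ... They may still, however, optionally be enabled") contradicts the README change in this same PR, which states that the custom patches are disabled for LineageOS 21 entirely; say the same thing in both places. The `USER_BUILD_SPOOFING` comment should also state what enabling it changes in the threat model: the user-build patch added here removes the `isDebuggable()` guard in `ComputerEngine.isMicrogSigned`, so microG's signature spoofing becomes active on production `user` builds rather than only on `userdebug`/`eng`, with the package allowlist as the remaining restriction. One line such as `# Removes the debuggable-build guard; spoofing is then active on production builds` would make the trade-off visible to anyone setting the variable.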

@ -110,8 +110,14 @@ And when starting the build, set the `CUSTOM_PACKAGES` variable to a list of app
#### Signature spoofing #### Signature spoofing
There are two options for the [signature spoofing patch][signature-spoofing] For LineageOS versions 18.1, 19.1, 20.0 and 21.0, built-in support for
required for [microG][microg]: signature spoofing has been added. This specifically only allows microG to
spoof its signature; no other apps are allowed to do so. If this is fine, the
`SIGNATURE_SPOOFING` environment variable may be left unset (defaulting to
`no`).
If not, two custom [signature spoofing patches][signature-spoofing] are
provided:
* "Original" [patches][signature-spoofing-patches] * "Original" [patches][signature-spoofing-patches]
* Restricted patches * Restricted patches
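Review bot: the new paragraph should mention the `USER_BUILD_SPOOFING` variable introduced in this PR, because the built-in spoofing it describes applies only to `userdebug` and `eng` builds (per the new Dockerfile comment) unless that variable is set; as written, a reader who leaves `SIGNATURE_SPOOFING` unset and builds the `user` variant will expect microG to work and get no spoofing at all. Suggested addition after "defaulting to `no`": "For `user` builds, set `USER_BUILD_SPOOFING` to `yes` as well, since the built-in support is otherwise limited to `userdebug` and `eng`."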
@ -124,15 +130,19 @@ A more strict option is the restricted patch, where the FAKE_SIGNATURE
permission can be obtained only by privileged system apps, embedded in the ROM permission can be obtained only by privileged system apps, embedded in the ROM
during the build process. during the build process.
The signature spoofing patch can be optionally included with: The custom signature spoofing patch can be optionally included with:
* `SIGNATURE_SPOOFING (no)`: `yes` to use the original patch, `restricted` for * `SIGNATURE_SPOOFING (no)`: `yes` to use the original patch, `restricted` for
the restricted one, `no` for none of them the restricted one, `no` for none of them and to default to built-in
signature spoofing.
If in doubt, use `restricted`: note that packages that requires the If in doubt, use `restricted`: note that packages that requires the
FAKE_SIGNATURE permission must be included in the build as system apps FAKE_SIGNATURE permission must be included in the build as system apps
(e.g. as part of GMS or `CUSTOM_PACKAGES`) (e.g. as part of GMS or `CUSTOM_PACKAGES`)
These patches are currently disabled for LineageOS 21 entirely. If you have an
use case which requires the use of custom patches on 21,
[please open an issue][issue-tracker].
#### Proprietary files #### Proprietary files
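Review bot: the statement "These patches are currently disabled for LineageOS 21 entirely" is not enforced by the build script changes in this PR: the `lineage-21.0*` case still sets `frameworks_base_patch="android_frameworks_base-Android14.patch"` and `modules_permission_patch`, and the apply block keys only on `SIGNATURE_SPOOFING`, not on the branch, so a 21 build with `SIGNATURE_SPOOFING=yes` will attempt to apply them. Either clear those variables for 21.0 or reword the README to match the script. Minor: "an use case" should read "a use case", and the pre-existing "packages that requires" should read "packages that require".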
@ -409,7 +419,7 @@ The LineageOS for MicroG project is not in a position to offer much by way of te
- the number of active volunteer maintainers / contributors is very small, and we spend what time we have trying to ensure that the process of making regular builds keeps going. We can generally investigate problems with the build tools, but not with the ROM itself; - the number of active volunteer maintainers / contributors is very small, and we spend what time we have trying to ensure that the process of making regular builds keeps going. We can generally investigate problems with the build tools, but not with the ROM itself;
- we don't have access to any devices for testing / debugging - we don't have access to any devices for testing / debugging
The [project issue tracker](https://github.com/lineageos4microg/docker-lineage-cicd/issues) is mostly for tracking problems with the Docker build tool. It is ***not*** intended for tracking problems with ***installing*** or ***running*** the LineageOS for MicroG ROM. If you run into such problems, our advice is to work through the following steps to see if they help. (Make a backup of your user apps & data first): The [project issue tracker][issue-tracker] is mostly for tracking problems with the Docker build tool. It is ***not*** intended for tracking problems with ***installing*** or ***running*** the LineageOS for MicroG ROM. If you run into such problems, our advice is to work through the following steps to see if they help. (Make a backup of your user apps & data first):
- full power off and restart - full power off and restart
- factory reset - factory reset
- format data partition - format data partition
@ -475,7 +485,7 @@ We build for the same devices as LineageOS using [their list of build targets](h
We currently make builds monthly, starting on the first day of the month. The devices included in a build run are defined by the content of the [LOS target list](https://github.com/LineageOS/hudson/blob/master/lineage-build-targets) ***at the point the build run starts***. Our monthly build run takes 15-16 days to complete. You can see the current status of the build in [the dedicated matrix room](https://matrix.to/#/#microg-lineage-os-builds:matrix.domainepublic.net) We currently make builds monthly, starting on the first day of the month. The devices included in a build run are defined by the content of the [LOS target list](https://github.com/LineageOS/hudson/blob/master/lineage-build-targets) ***at the point the build run starts***. Our monthly build run takes 15-16 days to complete. You can see the current status of the build in [the dedicated matrix room](https://matrix.to/#/#microg-lineage-os-builds:matrix.domainepublic.net)
If builds for any devices fail during a build run, we will try the build again ***after the main build run has completed***. If you do not see a new build for your device when you expect it, please check whether the build failure was reported in the matrix room. If it was, there is no need to report it - we will deal with it! If the failure was not reported in the matrix room, then please report it in [our issue tracker](https://github.com/lineageos4microg/docker-lineage-cicd/issues) or in [the XDA Forums thread](https://xdaforums.com/t/lineageos-for-microg.3700997/) If builds for any devices fail during a build run, we will try the build again ***after the main build run has completed***. If you do not see a new build for your device when you expect it, please check whether the build failure was reported in the matrix room. If it was, there is no need to report it - we will deal with it! If the failure was not reported in the matrix room, then please report it in [our issue tracker][issue-tracker] or in [the XDA Forums thread](https://xdaforums.com/t/lineageos-for-microg.3700997/)
### Project Scope ### Project Scope
@ -559,3 +569,4 @@ Upstream projects have their own channels for supporting users.
[a6000-xda]: https://xdaforums.com/t/eol-rom-8-1-0_r43-f2fs-lineageos-15-1-arm-stable-final-android-go.3733747/ [a6000-xda]: https://xdaforums.com/t/eol-rom-8-1-0_r43-f2fs-lineageos-15-1-arm-stable-final-android-go.3733747/
[a6000-device-tree-deps]: https://github.com/dev-harsh1998/android_device_lenovo_a6000/blob/lineage-15.1/lineage.dependencies [a6000-device-tree-deps]: https://github.com/dev-harsh1998/android_device_lenovo_a6000/blob/lineage-15.1/lineage.dependencies
[a6000-common-tree-deps]: https://github.com/dev-harsh1998/android_device_lenovo_msm8916-common/blob/lineage-15.1/lineage.dependencies [a6000-common-tree-deps]: https://github.com/dev-harsh1998/android_device_lenovo_msm8916-common/blob/lineage-15.1/lineage.dependencies
[issue-tracker]: https://github.com/lineageos4microg/docker-lineage-cicd/issues

@ -175,24 +175,28 @@ for branch in ${BRANCH_NAME//,/ }; do
android_version="11" android_version="11"
frameworks_base_patch="android_frameworks_base-R.patch" frameworks_base_patch="android_frameworks_base-R.patch"
apps_permissioncontroller_patch="packages_apps_PermissionController-R.patch" apps_permissioncontroller_patch="packages_apps_PermissionController-R.patch"
user_build_spoofing_patch="android_frameworks_base-user_build.patch"
;; ;;
lineage-19.1*) lineage-19.1*)
themuppets_branch="lineage-19.1" themuppets_branch="lineage-19.1"
android_version="12" android_version="12"
frameworks_base_patch="android_frameworks_base-S.patch" frameworks_base_patch="android_frameworks_base-S.patch"
modules_permission_patch="packages_modules_Permission-S.patch" modules_permission_patch="packages_modules_Permission-S.patch"
user_build_spoofing_patch="android_frameworks_base-user_build.patch"
;; ;;
lineage-20.0*) lineage-20.0*)
themuppets_branch="lineage-20.0" themuppets_branch="lineage-20.0"
android_version="13" android_version="13"
frameworks_base_patch="android_frameworks_base-Android13.patch" frameworks_base_patch="android_frameworks_base-Android13.patch"
modules_permission_patch="packages_modules_Permission-Android13.patch" modules_permission_patch="packages_modules_Permission-Android13.patch"
user_build_spoofing_patch="android_frameworks_base-user_build.patch"
;; ;;
lineage-21.0*) lineage-21.0*)
themuppets_branch="lineage-21.0" themuppets_branch="lineage-21.0"
android_version="14" android_version="14"
frameworks_base_patch="android_frameworks_base-Android14.patch" frameworks_base_patch="android_frameworks_base-Android14.patch"
modules_permission_patch="packages_modules_Permission-Android14.patch" modules_permission_patch="packages_modules_Permission-Android14.patch"
user_build_spoofing_patch="android_frameworks_base-user_build.patch"
;; ;;
*) *)
echo ">> [$(date)] Building branch $branch is not (yet) suppported" echo ">> [$(date)] Building branch $branch is not (yet) suppported"
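Review bot: the same `android_frameworks_base-user_build.patch` is assigned to all four branches, spanning Android 11 through 14, but the patch file added in this PR carries a single hunk against `services/core/java/com/android/server/pm/ComputerEngine.java` at one blob index (`d8cbe9d5`). Please confirm it applies cleanly on each of `lineage-18.1`, `19.1`, `20.0` and `21.0`; it is applied with `patch --quiet --force`, which on a mismatch exits non-zero and leaves a `.rej` file, and whether that aborts the build depends on error handling not visible in this hunk. Drive-by: "suppported" in the unchanged `*)` case has an extra p.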
@ -279,40 +283,57 @@ for branch in ${BRANCH_NAME//,/ }; do
los_ver="$los_ver_major.$los_ver_minor" los_ver="$los_ver_major.$los_ver_minor"
if [ "$APPLY_PATCHES" = true ]; then if [ "$APPLY_PATCHES" = true ]; then
# If needed, apply the microG's signature spoofing patch # If user build variant should also enable LOS signature spoofing
if [ "$SIGNATURE_SPOOFING" = "yes" ] || [ "$SIGNATURE_SPOOFING" = "restricted" ]; then if [ "$USER_BUILD_SPOOFING" = "yes" ]; then
# Determine which patch should be applied to the current Android source tree if [ -n "$user_build_spoofing_patch" ]; then
cd frameworks/base cd frameworks/base
if [ "$SIGNATURE_SPOOFING" = "yes" ]; then echo ">> [$(date)] Applying the user build variant signature spoofing patch ($user_build_spoofing_patch) to frameworks/base"
echo ">> [$(date)] Applying the standard signature spoofing patch ($frameworks_base_patch) to frameworks/base" patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$user_build_spoofing_patch"
echo ">> [$(date)] WARNING: the standard signature spoofing patch introduces a security threat" git clean -q -f
patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$frameworks_base_patch" cd ../..
else else
echo ">> [$(date)] Applying the restricted signature spoofing patch (based on $frameworks_base_patch) to frameworks/base" echo ">> [$(date)] WARNING: User build signature spoofing requested, but branch ($branch) does not support built-in signature spoofing"
sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "/root/signature_spoofing_patches/$frameworks_base_patch" | patch --quiet --force -p1
fi fi
git clean -q -f fi
cd ../..
if [ -n "$apps_permissioncontroller_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then # If needed, apply the microG's signature spoofing patch
cd packages/apps/PermissionController if [ "$SIGNATURE_SPOOFING" = "yes" ] || [ "$SIGNATURE_SPOOFING" = "restricted" ]; then
echo ">> [$(date)] Applying the apps/PermissionController patch ($apps_permissioncontroller_patch) to packages/apps/PermissionController" if [ -n "$frameworks_base_patch" ]; then
patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$apps_permissioncontroller_patch" echo ">> [$(date)] WARNING: Signature spoofing patches requested, but branch ($branch) does not support microG patches"
else
# Determine which patch should be applied to the current Android source tree
cd frameworks/base
if [ "$SIGNATURE_SPOOFING" = "yes" ]; then
echo ">> [$(date)] Applying the standard signature spoofing patch ($frameworks_base_patch) to frameworks/base"
echo ">> [$(date)] WARNING: the standard signature spoofing patch introduces a security threat"
patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$frameworks_base_patch"
else
echo ">> [$(date)] Applying the restricted signature spoofing patch (based on $frameworks_base_patch) to frameworks/base"
sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "/root/signature_spoofing_patches/$frameworks_base_patch" | patch --quiet --force -p1
fi
git clean -q -f git clean -q -f
cd ../../.. cd ../..
fi
if [ -n "$modules_permission_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then if [ -n "$apps_permissioncontroller_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then
cd packages/modules/Permission cd packages/apps/PermissionController
echo ">> [$(date)] Applying the modules/Permission patch ($modules_permission_patch) to packages/modules/Permission" echo ">> [$(date)] Applying the apps/PermissionController patch ($apps_permissioncontroller_patch) to packages/apps/PermissionController"
patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$modules_permission_patch" patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$apps_permissioncontroller_patch"
git clean -q -f git clean -q -f
cd ../../.. cd ../../..
fi fi
# Override device-specific settings for the location providers if [ -n "$modules_permission_patch" ] && [ "$SIGNATURE_SPOOFING" = "yes" ]; then
mkdir -p "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/" cd packages/modules/Permission
cp /root/signature_spoofing_patches/frameworks_base_config.xml "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/config.xml" echo ">> [$(date)] Applying the modules/Permission patch ($modules_permission_patch) to packages/modules/Permission"
patch --quiet --force -p1 -i "/root/signature_spoofing_patches/$modules_permission_patch"
git clean -q -f
cd ../../..
fi
# Override device-specific settings for the location providers
mkdir -p "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/"
cp /root/signature_spoofing_patches/frameworks_base_config.xml "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/config.xml"
fi
fi fi
else else
echo ">> [$(date)] Applying patches disabled" echo ">> [$(date)] Applying patches disabled"
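Review bot: the condition guarding the microG patch block is inverted. `if [ -n "$frameworks_base_patch" ]; then` prints the warning "branch ($branch) does not support microG patches", and the `else` branch applies the patch, so every branch that defines a patch (all four cases above do) will warn and skip, while a branch with an empty variable would run `patch --quiet --force -p1 -i "/root/signature_spoofing_patches/"` with no file name. Change it to `if [ -z "$frameworks_base_patch" ]; then`, mirroring the `USER_BUILD_SPOOFING` block just above it, which has `-n` on the apply path and the warning in its `else`. Note that the `frameworks_base_config.xml` overlay copy now sits inside that same `else`, so with the test fixed it is still installed only when the patches are actually applied, which matches the previous behaviour.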

@ -0,0 +1,27 @@
From d467f4bdb09f16988965a44d6a42f0f180f7e6d7 Mon Sep 17 00:00:00 2001
From: Rasmus Moorats <xx@nns.ee>
Date: Tue, 9 Apr 2024 13:18:17 +0300
Subject: [PATCH] Remove the check to isDebuggable()
This makes the microG signature spoofing work in regular user builds.
---
services/core/java/com/android/server/pm/ComputerEngine.java | 4 ----
1 file changed, 4 deletions(-)
diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java
index d8cbe9d5..13af78f5 100644
--- a/services/core/java/com/android/server/pm/ComputerEngine.java
+++ b/services/core/java/com/android/server/pm/ComputerEngine.java
@@ -1472,10 +1472,6 @@ public class ComputerEngine implements Computer {
private static native boolean isDebuggable();
public static boolean isMicrogSigned(AndroidPackage p) {
- if (!isDebuggable()) {
- return false;
- }
-
// Allowlist the following apps:
// * com.android.vending - microG Companion
// * com.google.android.gms - microG Services
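Review bot: removing the `isDebuggable()` call leaves `private static native boolean isDebuggable();` (the context line just above `isMicrogSigned`) with no caller visible in this hunk; if nothing else in `ComputerEngine` uses it, drop the declaration in the same patch rather than leave an unused native. The commit message should also spell out the security effect, not only the functional one: the removed guard confined microG signature spoofing to debuggable builds, and after this change the restriction that remains in `isMicrogSigned` is whatever the allowlist below (`com.android.vending`, `com.google.android.gms`) enforces, now active on production `user` builds. Stating that explicitly makes the trade-off reviewable by people enabling `USER_BUILD_SPOOFING`.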
--
2.44.0