From fba75880fa54e67d6cd09feb43e912c578e4a1fc Mon Sep 17 00:00:00 2001 From: Nicola Corna Date: Sun, 30 Jul 2017 18:10:47 +0200 Subject: [PATCH] Use the appropriate signature spoofing patch --- Dockerfile | 14 ++- src/build.sh | 36 ++++-- .../android_frameworks_base-KK-LP.patch | 66 +++++++++++ .../android_frameworks_base-M.patch | 104 ++++++++++++++++++ .../android_frameworks_base-N.patch | 0 5 files changed, 207 insertions(+), 13 deletions(-) create mode 100644 src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch create mode 100644 src/signature_spoofing_patches/android_frameworks_base-M.patch rename src/{ => signature_spoofing_patches}/android_frameworks_base-N.patch (100%) diff --git a/Dockerfile b/Dockerfile index e103315..04c8642 100644 --- a/Dockerfile +++ b/Dockerfile @@ -71,9 +71,15 @@ ENV SIGN_BUILDS false # Move the resulting zips to $ZIP_DIR/$codename instead of $ZIP_DIR/ ENV ZIP_SUBDIR false -# Apply the signature spoofing patch -# Valid values are "no", "yes" (for the original MicroG's patch) and "restricted" (to grant the -# permission only to the privileged apps) +# Apply the MicroG's signature spoofing patch +# Valid values are "no", "yes" (for the original MicroG's patch) and +# "restricted" (to grant the permission only to the system privileged apps). +# +# The original ("yes") patch allows user apps to gain the ability to spoof +# themselves as other apps, which can be a major security threat. Using the +# restricted patch and embedding the apps that requires it as system privileged +# apps is a much secure option. See the README.md ("Custom mode") for an +# example. ENV SIGNATURE_SPOOFING "no" # Generate delta files @@ -96,7 +102,7 @@ VOLUME $KEYS_DIR # Copy required files ##################### -COPY src/* /root/ +COPY src/ /root/ # Create missing directories ############################ diff --git a/src/build.sh b/src/build.sh index d667b38..1c065d2 100755 --- a/src/build.sh +++ b/src/build.sh 
@@ -59,15 +59,33 @@ if ! [ -z "$DEVICE_LIST" ]; then repo sync 2>&1 >&$DEBUG_LOG # If needed, apply the MicroG's signature spoofing patch - cd frameworks/base - if [ "$SIGNATURE_SPOOFING" = "yes" ]; then - echo ">> [$(date)] Applying the standard signature spoofing patch to frameworks/base" >> $DOCKER_LOG - patch -p1 -i /root/android_frameworks_base-N.patch - git clean -f - elif [ "$SIGNATURE_SPOOFING" = "restricted" ]; then - echo ">> [$(date)] Applying the restricted signature spoofing patch to frameworks/base" >> $DOCKER_LOG - sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' /root/android_frameworks_base-N.patch | patch -p1 - git clean -f + if [ "$SIGNATURE_SPOOFING" = "yes" ] || [ "$SIGNATURE_SPOOFING" = "restricted" ]; then + # Determine which patch should be applied to the current branch + patch_name="" + git_branch=$(repo --no-pager info 2> /dev/null | grep -i "Manifest branch: ") + git_branch=${git_branch#Manifest branch: } + case $(echo $git_branch | grep -o "cm-[0-9][0-9]*\.[0-9]") in + "cm-11.0") patch_name="android_frameworks_base-KK-LP.patch" ;; + "cm-12.0"|"cm-12.1") patch_name="android_frameworks_base-KK-LP.patch" ;; + "cm-13.0") patch_name="android_frameworks_base-M.patch" ;; + "cm-14.0"|"cm-14.1") patch_name="android_frameworks_base-N.patch" ;; + esac + + if ! 
[ -z $patch_name ]; then + cd frameworks/base + if [ "$SIGNATURE_SPOOFING" = "yes" ]; then + echo ">> [$(date)] Applying the standard signature spoofing patch ($patch_name) to frameworks/base" >> $DOCKER_LOG + echo ">> [$(date)] WARNING: the standard signature spoofing patch introduces a security threat" >> $DOCKER_LOG + patch -p1 -i "/root/signature_spoofing_patches/$patch_name" + else + echo ">> [$(date)] Applying the restricted signature spoofing patch (based on $patch_name) to frameworks/base" >> $DOCKER_LOG + sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "/root/signature_spoofing_patches/$patch_name" | patch -p1 + fi + git clean -f + else + echo ">> [$(date)] ERROR: can't find a suitable signature spoofing patch for the current LineageOS branch ($git_branch)" >> $DOCKER_LOG + exit 1 + fi fi cd $SRC_DIR diff --git a/src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch b/src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch new file mode 100644 index 0000000..5571a58 --- /dev/null +++ b/src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch 
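Review bot: The "restricted" branch at the end of this hunk can apply the unrestricted patch without reporting anything, because the `sed` rewrite of `android:protectionLevel="dangerous"` is never checked for a match and the exit status of `patch -p1` is not tested in either branch (unless the script runs under `set -e` somewhere outside this hunk). If one of the per-branch patch files spells the protection level differently, or a patch applies only in part, the log still reads "restricted", and the following `git clean -f` would remove the `.rej` files that could have revealed the problem. I would fail closed: confirm the pattern is present before piping, and stop the build when `patch` returns non-zero, as sketched below.

```shell
        # … unchanged: cd frameworks/base …
        patch_file="/root/signature_spoofing_patches/$patch_name"
        if [ "$SIGNATURE_SPOOFING" = "yes" ]; then
          # … unchanged: the two log lines …
          patch -p1 -i "$patch_file" || exit 1
        else
          # Fail closed: never apply the unrestricted patch under the "restricted" label
          if ! grep -q 'android:protectionLevel="dangerous"' "$patch_file"; then
            echo ">> [$(date)] ERROR: $patch_name declares no \"dangerous\" protection level to restrict" >> $DOCKER_LOG
            exit 1
          fi
          # … unchanged: log line …
          sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "$patch_file" | patch -p1 || exit 1
        fi
```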
@@ -0,0 +1,66 @@ +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index e6da288..66684d3 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -447,10 +447,23 @@ public class PackageParser { + } + } + if ((flags&PackageManager.GET_SIGNATURES) != 0) { +- int N = (p.mSignatures != null) ? p.mSignatures.length : 0; +- if (N > 0) { +- pi.signatures = new Signature[N]; +- System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N); ++ boolean handledFakeSignature = false; ++ try { ++ if (p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") && p.mAppMetaData != null ++ && p.mAppMetaData.get("fake-signature") instanceof String) { ++ pi.signatures = new Signature[] {new Signature(p.mAppMetaData.getString("fake-signature"))}; ++ handledFakeSignature = true; ++ } ++ } catch (Throwable t) { ++ // We should never die because of any failures, this is system code! ++ Log.w("PackageParser.FAKE_PACKAGE_SIGNATURE", t); ++ } ++ if (!handledFakeSignature) { ++ int N = (p.mSignatures != null) ? 
p.mSignatures.length : 0; ++ if (N > 0) { ++ pi.signatures = new Signature[N]; ++ System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N); ++ } + } + } + return pi; +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 558a475..4e7aa65 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1562,6 +1562,13 @@ + android:label="@string/permlab_getPackageSize" + android:description="@string/permdesc_getPackageSize" /> + ++ ++ ++ + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 790e166..8e66470 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -1135,6 +1135,11 @@ + Allows the app to retrieve its code, data, and cache sizes + + ++ mimic package signature ++ ++ Allows the app to use mimic another app\'s package signature. ++ ++ + directly install apps + + Allows the app to install new or updated diff --git a/src/signature_spoofing_patches/android_frameworks_base-M.patch b/src/signature_spoofing_patches/android_frameworks_base-M.patch new file mode 100644 index 0000000..72d68e7 --- /dev/null +++ b/src/signature_spoofing_patches/android_frameworks_base-M.patch 
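Review bot: The check added to PackageParser tests `p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")`, which is what the package declares in its manifest rather than what it has been granted, so the permission's protection level does not appear to gate the fake signature on the branches that use this patch. That matters for the "restricted" mode in build.sh, which only rewrites `android:protectionLevel`: on cm-11.0 and cm-12.x the restriction would have no effect on this code path as far as the visible lines show. Until the check consults granted permissions (the M patch is passed a `permissions` set for this), I would have build.sh refuse "restricted" for the KK-LP patch, and at least record the limitation next to the condition, e.g. `// NOTE: tests requested, not granted, permissions; protectionLevel does not restrict this path`. The enclosing method starts outside the hunk, so whether granted-permission state is reachable there needs confirming.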
@@ -0,0 +1,104 @@ +From 7357f8c0c8a6bdc09555ab47dae83f28346b8470 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Mauduit?= +Date: Wed, 22 Jun 2016 15:04:56 +0200 +Subject: [PATCH 1/1] Add signature Spoofing permission +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is needed by GmsCore (https://microg.org/) to pretend +the existence of the official Play Services to applications calling +Google APIs. + +Signed-off-by: BenoƮt Mauduit +--- + core/res/AndroidManifest.xml | 7 +++++++ + core/res/res/values/config.xml | 2 ++ + core/res/res/values/strings.xml | 5 +++++ + .../android/server/pm/PackageManagerService.java | 23 ++++++++++++++++++++-- + 4 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index ea0e39c..a936983 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1654,6 +1654,13 @@ + android:description="@string/permdesc_getPackageSize" + android:protectionLevel="normal" /> + ++ ++ ++ + +diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml +index c7846cf..916d8a5 100644 +--- a/core/res/res/values/config.xml ++++ b/core/res/res/values/config.xml +@@ -1298,6 +1298,8 @@ + + + com.android.location.fused ++ ++ com.google.android.gms + + + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 58135db..e65367a 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -616,6 +616,11 @@ + + + ++ Spoof package signature ++ ++ Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Grant this permission with caution only! ++ ++ + disable or modify status bar + + Allows the app to disable the status bar or add and remove system icons. 
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index 0493180..35f49d7 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -2816,8 +2816,27 @@ public class PackageManagerService extends IPackageManager.Stub { + final Set permissions = permissionsState.getPermissions(userId); + final PackageUserState state = ps.readUserState(userId); + +- return PackageParser.generatePackageInfo(p, gids, flags, +- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId); ++ return mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags, ++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId), ++ permissions); ++ } ++ ++ private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi, ++ Set permissions) { ++ try { ++ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") ++ && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1 ++ && p.mAppMetaData != null) { ++ String sig = p.mAppMetaData.getString("fake-signature"); ++ if (sig != null) { ++ pi.signatures = new Signature[] {new Signature(sig)}; ++ } ++ } ++ } catch (Throwable t) { ++ // We should never die because of any failures, this is system code! ++ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); ++ } ++ return pi; + } + + @Override +-- +2.8.1 + diff --git a/src/android_frameworks_base-N.patch b/src/signature_spoofing_patches/android_frameworks_base-N.patch similarity index 100% rename from src/android_frameworks_base-N.patch rename to src/signature_spoofing_patches/android_frameworks_base-N.patch
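Review bot: The `p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1` condition in `mayFakeSignature` carries no comment, although it is part of the security decision. Presumably it excludes apps with a pre-M target because those receive "dangerous" permissions at install time without a runtime prompt; that should be confirmed and written down, e.g. `// Require an M+ target so the permission has to be granted at runtime, not at install time`. A short Javadoc on `mayFakeSignature` stating that it replaces `pi.signatures` only when the permission is in the granted set for this user and the package's meta-data holds a `fake-signature` string would also help the next reader judge the "yes" and "restricted" modes.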