danielfullmer · October 3, 2020 21:50
diff --git a/microg-android11.patch b/microg-android11.patch
 From a96be5768120819c2972d03e2ff9f154dcbb7eb3 Mon Sep 17 00:00:00 2001
 From: Daniel Fullmer <[email protected]>
 Date: Mon, 28 Sep 2020 21:07:39 -0700
 Subject: [PATCH] Allow selective signature spoofing for microG

 * Permission FAKE_PACKAGE_SIGNATURE required
 * Only microG and FakeStore can spoof signature
 * Only the official Google signature can be spoofed, the
  "fake-signature" field is unused.

 Change-Id: Ia43832998970bc3daffdfda54437c9af08bffb45
 ---
 core/res/AndroidManifest.xml                  |  7 +++++
 core/res/res/values/config.xml                |  2 ++
 core/res/res/values/strings.xml               |  4 +++
 .../server/pm/PackageManagerService.java      | 28 +++++++++++++++++--
 4 files changed, 39 insertions(+), 2 deletions(-)

 diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
 index 9945057f0e9..874f15a360a 100644
 --- a/core/res/AndroidManifest.xml
 +++ b/core/res/AndroidManifest.xml
 @@ -2829,6 +2829,13 @@
         android:description="@string/permdesc_getPackageSize"
         android:protectionLevel="normal" />
 
 +    <!-- @hide Allows an application to change the package signature as
 +	 seen by applications -->
 +    <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
 +        android:protectionLevel="dangerous"
 +        android:label="@string/permlab_fakePackageSignature"
 +        android:description="@string/permdesc_fakePackageSignature" />
 +
     <!-- @deprecated No longer useful, see
          {@link android.content.pm.PackageManager#addPackageToPreferred}
          for details. -->
 diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
 index 39d20bbff3b..c7270c5942b 100644
 --- a/core/res/res/values/config.xml
 +++ b/core/res/res/values/config.xml
 @@ -1646,6 +1646,8 @@
     <string-array name="config_locationProviderPackageNames" translatable="false">
         <!-- The standard AOSP fused location provider -->
         <item>com.android.location.fused</item>
 +        <!-- The (faked) microg fused location provider (a free reimplementation) -->
 +        <item>com.google.android.gms</item>
     </string-array>
 
     <!-- This string array can be overriden to enable test location providers initially. -->
 diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
 index 0c8745392f5..fd74f012c89 100644
 --- a/core/res/res/values/strings.xml
 +++ b/core/res/res/values/strings.xml
 @@ -847,6 +847,10 @@
 
     <!--  Permissions -->
 
 +    <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
 +    <string name="permlab_fakePackageSignature">Spoof package signature</string>
 +    <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
 +    <string name="permdesc_fakePackageSignature">Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only!</string>
     <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
     <string name="permlab_statusBar">disable or modify status bar</string>
     <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
 index 63c721a5da7..f6b441d990a 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
 @@ -703,6 +703,11 @@ public class PackageManagerService extends IPackageManager.Stub
 
     private static final String RANDOM_DIR_PREFIX = "~~";
 
 +    /**
 +     * The Google signature faked by microG.
 +     */
 +    private static final String MICROG_FAKE_SIGNATURE = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
 +
     final ServiceThread mHandlerThread;
 
     final Handler mHandler;
 @@ -4383,8 +4388,9 @@ public class PackageManagerService extends IPackageManager.Stub
             final Set<String> permissions = ArrayUtils.isEmpty(p.getRequestedPermissions())
                     ? Collections.emptySet() : permissionsState.getPermissions(userId);
 
 -            PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
 -                    ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
 +            PackageInfo packageInfo = mayFakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
 +                ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
 +                permissions);
 
             if (packageInfo == null) {
                 return null;
 @@ -4420,6 +4426,24 @@ public class PackageManagerService extends IPackageManager.Stub
         }
     }
 
 +    private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi,
 +            Set<String> permissions) {
 +        try {
 +            if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")
 +                    && p.getTargetSdkVersion() > Build.VERSION_CODES.LOLLIPOP_MR1) {
 +                // Only allow microG and FakeStore
 +                String packageName = p.getPackageName();
 +                if (packageName.equals("com.google.android.gms") || packageName.equals("com.android.vending")) {
 +                    pi.signatures = new Signature[] {new Signature(MICROG_FAKE_SIGNATURE)};
 +                }
 +            }
 +        } catch (Throwable t) {
 +            // We should never die because of any failures, this is system code!
 +            Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t);
 +	}
 +        return pi;
 +    }
 +
     @Override
     public void checkPackageStartable(String packageName, int userId) {
         final int callingUid = Binder.getCallingUid();
 -- 
 2.28.0
	From a96be5768120819c2972d03e2ff9f154dcbb7eb3 Mon Sep 17 00:00:00 2001
	From: Daniel Fullmer <[email protected]>
	Date: Mon, 28 Sep 2020 21:07:39 -0700
	Subject: [PATCH] Allow selective signature spoofing for microG

	* Permission FAKE_PACKAGE_SIGNATURE required
	* Only microG and FakeStore can spoof signature
	* Only the official Google signature can be spoofed, the
	"fake-signature" field is unused.

	Change-Id: Ia43832998970bc3daffdfda54437c9af08bffb45
	---
	core/res/AndroidManifest.xml \| 7 +++++
	core/res/res/values/config.xml \| 2 ++
	core/res/res/values/strings.xml \| 4 +++
	.../server/pm/PackageManagerService.java \| 28 +++++++++++++++++--
	4 files changed, 39 insertions(+), 2 deletions(-)

	diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
	index 9945057f0e9..874f15a360a 100644
	--- a/core/res/AndroidManifest.xml
	+++ b/core/res/AndroidManifest.xml
	@@ -2829,6 +2829,13 @@
	android:description="@string/permdesc_getPackageSize"
	android:protectionLevel="normal" />

	+ <!-- @hide Allows an application to change the package signature as
	+ seen by applications -->
	+ <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
	+ android:protectionLevel="dangerous"
	+ android:label="@string/permlab_fakePackageSignature"
	+ android:description="@string/permdesc_fakePackageSignature" />
	+
	<!-- @deprecated No longer useful, see
	{@link android.content.pm.PackageManager#addPackageToPreferred}
	for details. -->
	diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
	index 39d20bbff3b..c7270c5942b 100644
	--- a/core/res/res/values/config.xml
	+++ b/core/res/res/values/config.xml
	@@ -1646,6 +1646,8 @@
	<string-array name="config_locationProviderPackageNames" translatable="false">
	<!-- The standard AOSP fused location provider -->
	<item>com.android.location.fused</item>
	+ <!-- The (faked) microg fused location provider (a free reimplementation) -->
	+ <item>com.google.android.gms</item>
	</string-array>

	<!-- This string array can be overriden to enable test location providers initially. -->
	diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
	index 0c8745392f5..fd74f012c89 100644
	--- a/core/res/res/values/strings.xml
	+++ b/core/res/res/values/strings.xml
	@@ -847,6 +847,10 @@

	<!-- Permissions -->

	+ <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
	+ <string name="permlab_fakePackageSignature">Spoof package signature</string>
	+ <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
	+ <string name="permdesc_fakePackageSignature">Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only!</string>
	<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
	<string name="permlab_statusBar">disable or modify status bar</string>
	<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
	diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
	index 63c721a5da7..f6b441d990a 100644
	--- a/services/core/java/com/android/server/pm/PackageManagerService.java
	+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
	@@ -703,6 +703,11 @@ public class PackageManagerService extends IPackageManager.Stub

	private static final String RANDOM_DIR_PREFIX = "~~";

	+ /**
	+ * The Google signature faked by microG.
	+ */
	+ private static final String MICROG_FAKE_SIGNATURE = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
	+
	final ServiceThread mHandlerThread;

	final Handler mHandler;
	@@ -4383,8 +4388,9 @@ public class PackageManagerService extends IPackageManager.Stub
	final Set<String> permissions = ArrayUtils.isEmpty(p.getRequestedPermissions())
	? Collections.emptySet() : permissionsState.getPermissions(userId);

	- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
	- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
	+ PackageInfo packageInfo = mayFakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
	+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
	+ permissions);

	if (packageInfo == null) {
	return null;
	@@ -4420,6 +4426,24 @@ public class PackageManagerService extends IPackageManager.Stub
	}
	}

	+ private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi,
	+ Set<String> permissions) {
	+ try {
	+ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")
	+ && p.getTargetSdkVersion() > Build.VERSION_CODES.LOLLIPOP_MR1) {
	+ // Only allow microG and FakeStore
	+ String packageName = p.getPackageName();
	+ if (packageName.equals("com.google.android.gms") \|\| packageName.equals("com.android.vending")) {
	+ pi.signatures = new Signature[] {new Signature(MICROG_FAKE_SIGNATURE)};
	+ }
	+ }
	+ } catch (Throwable t) {
	+ // We should never die because of any failures, this is system code!
	+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t);
	+ }
	+ return pi;
	+ }
	+
	@Override
	public void checkPackageStartable(String packageName, int userId) {
	final int callingUid = Binder.getCallingUid();
	--
	2.28.0