Evaluate stricter Signature Spoofing function and permission
Summary
Evaluating the signature spoofing function of /e/ against other AOSP-/Lineage-based ROMs for possible improvements.
The problem
At the moment any app is allowed to fake its signature once the permission has been granted.
But is there a need for that? If the pool of apps that need to fake their signature is known beyond what microG requires to work, the function could be restricted to that list.
Also, moving from the 'dangerous' protectionLevel to 'signature' would make sure that only packages signed with the same key are able to ask for, and be granted, the fake signature permission.
Technical information
Calyx filters for specific package names before allowing the spoof: com.google.android.gms
/ com.android.vending
https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/bfeee22ba01b6fddb795c6c9b2d93565bb6a4965 (still current in 11R)
and changes the protection level of the permission from 'dangerous' (-> requires user interaction) to
android:protectionLevel="signature|privileged"
.. which means the permission is granted automatically to a package signed with the same key, or, because of |privileged, to a package that resides in the dedicated privileged-app folder of the /system partition.
DivestOS uses only 'signature' in https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Patches/LineageOS-18.1/android_frameworks_base/ , which the protectionLevel documentation at https://developer.android.com/guide/topics/manifest/permission-element declares sufficient.
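As an added illustration (not taken from the page, from the Calyx or DivestOS patches, or from any ROM's real manifest), here are the three protectionLevel variants discussed above as they would appear in the framework's AndroidManifest.xml, plus the client-side declaration. The permission name android.permission.FAKE_PACKAGE_SIGNATURE is the one used by the microG spoofing patch set and is assumed here; resource labels are left out to avoid inventing names.

```xml
<!-- Framework manifest (platform side). Only ONE of the three <permission>
     declarations below would exist in a real build; they are shown together
     to compare the grant behaviour. -->

<!-- Variant A: current /e/ behaviour. Any app can request the permission at
     runtime and the user can grant it through a dialog, so the set of apps
     that may fake their signature is unbounded. -->
<permission
    android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
    android:protectionLevel="dangerous" />

<!-- Variant B: Calyx-style. No runtime dialog. The system grants it at install
     time only to apps signed with the same (platform) key, or, via
     |privileged, to apps shipped in the privileged-app folder on /system.
     Calyx additionally restricts the spoof in framework code to
     com.google.android.gms and com.android.vending. -->
<permission
    android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
    android:protectionLevel="signature|privileged" />

<!-- Variant C: DivestOS-style. Same as B but without the priv-app path:
     only packages signed with the platform key can ever hold it. -->
<permission
    android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
    android:protectionLevel="signature" />

<!-- App manifest (client side), unchanged across all variants. With B or C the
     request is silently denied at install time unless the signing key or
     priv-app location condition is met; with A it becomes a user prompt. -->
<uses-permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE" />
```

The practical check for a ROM maintainer is that, with variant B or C, `pm list permissions -g -d` no longer lists the fake-signature permission among the dangerous ones, and a sideloaded app that is not platform-signed shows it as denied in `dumpsys package <pkg>`.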
And as a historical footnote, the Lineage/CM discussion on the spoofing patch: https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/65366