Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 23c0a5c1 authored by LuK1337's avatar LuK1337 Committed by Michael Bestas
Browse files

Allow signature spoofing for microG Companion/Services 



This patch enables signature spoofing when the following conditions are
met:
* Build is debuggable (userdebug/eng)
* Package name is com.android.vending or com.google.android.gms
* Package is signed with microG release keys
* Fake signature is correct

Additionally, we let these apps be forceQueryable if they so desire.

Also spoof PackageInfo signingInfo + signatures so that G suite apps
do not complain.

Co-authored-by: default avatarJonathan Klee <jonathan.klee@e.email>
Change-Id: I8fc82ed266a2cc59636b662c7ea7e29c94f509b5
parent 456fccb0

services/core/java/com/android/server/pm/AppsFilterImpl.java

+2 −0
Original line number Diff line number Diff line
@@ -36,6 +36,7 @@ import static com.android.server.pm.AppsFilterUtils.canQueryAsUpdateOwner; 
import static com.android.server.pm.AppsFilterUtils.canQueryViaComponents;

import static com.android.server.pm.AppsFilterUtils.canQueryViaPackage;

import static com.android.server.pm.AppsFilterUtils.canQueryViaUsesLibrary;

import static com.android.server.pm.ComputerEngine.isMicrogSigned;



import android.annotation.NonNull;

import android.annotation.Nullable;
@@ -608,6 +609,7 @@ public final class AppsFilterImpl extends AppsFilterLocked implements Watchable, 
            newIsForceQueryable = mForceQueryable.contains(newPkgSetting.getAppId())

                            /* shared user that is already force queryable */

                            || newPkgSetting.isForceQueryableOverride() /* adb override */

                            || (newPkg.isForceQueryable() && isMicrogSigned(newPkg))

                            || (newPkgSetting.isSystem() && (mSystemAppsQueryable

                            || newPkg.isForceQueryable()

                            || ArrayUtils.contains(mForceQueryableByDevicePackageNames,

services/core/java/com/android/server/pm/ComputerEngine.java

+67 −0
Original line number Diff line number Diff line
@@ -103,6 +103,7 @@ import android.content.pm.UserPackage; 
import android.content.pm.VersionedPackage;

import android.os.Binder;

import android.os.Build;

import android.os.Bundle;

import android.os.IBinder;

import android.os.ParcelableException;

import android.os.PatternMatcher;
@@ -169,12 +170,14 @@ import java.io.FileOutputStream; 
import java.io.IOException;

import java.io.PrintWriter;

import java.nio.charset.StandardCharsets;

import java.security.cert.CertificateException;

import java.util.ArrayList;

import java.util.Arrays;

import java.util.Collections;

import java.util.Comparator;

import java.util.List;

import java.util.Objects;

import java.util.Optional;

import java.util.Set;

import java.util.UUID;
@@ -420,6 +423,10 @@ public class ComputerEngine implements Computer { 
    private final PackageManagerInternal.ExternalSourcesPolicy mExternalSourcesPolicy;

    private final CrossProfileIntentResolverEngine mCrossProfileIntentResolverEngine;



    // Signatures used by microG

    private static final Signature MICROG_FAKE_SIGNATURE = new Signature("308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a");

    private static final Signature MICROG_REAL_SIGNATURE = new Signature("308202ed308201d5a003020102020426ffa009300d06092a864886f70d01010b05003027310b300906035504061302444531183016060355040a130f4e4f47415050532050726f6a656374301e170d3132313030363132303533325a170d3337303933303132303533325a3027310b300906035504061302444531183016060355040a130f4e4f47415050532050726f6a65637430820122300d06092a864886f70d01010105000382010f003082010a02820101009a8d2a5336b0eaaad89ce447828c7753b157459b79e3215dc962ca48f58c2cd7650df67d2dd7bda0880c682791f32b35c504e43e77b43c3e4e541f86e35a8293a54fb46e6b16af54d3a4eda458f1a7c8bc1b7479861ca7043337180e40079d9cdccb7e051ada9b6c88c9ec635541e2ebf0842521c3024c826f6fd6db6fd117c74e859d5af4db04448965ab5469b71ce719939a06ef30580f50febf96c474a7d265bb63f86a822ff7b643de6b76e966a18553c2858416cf3309dd24278374bdd82b4404ef6f7f122cec93859351fc6e5ea947e3ceb9d67374fe970e593e5cd05c905e1d24f5a5484f4aadef766e498adf64f7cf04bddd602ae8137b6eea40722d0203010001a321301f301d0603551d0e04160414110b7aa9ebc840b20399f69a431f4dba6ac42a64300d06092a864886f70d01010b0500038201010007c32ad893349cf86952fb5a49cfdc9b13f5e3c800aece77b2e7e0e9c83e34052f140f357ec7e6f4b432dc1ed542218a14835acd2df2deea7efd3fd5e8f1c34e1fb39ec6a427c6e6f4178b609b369040ac1f8844b789f3694dc640de06e44b247afed11637173f36f5886170fafd74954049858c6096308fc93c1bc4dd5685fa7a1f982a422f2a3b36baa8c9500474cf2af91c39cbec1bc898d10194d368aa5e91f1137ec115087c31962d8f76cd120d28c249cf76f4c70f5baa08c70a7234ce4123be080cee789477401965cfe537b924ef36747e8caca62dfefdd1a6288dcb1c4fd2aaa6131a7ad254e9742022cfd597d2ca5c660ce9e41ff537e5a4041e37");



    // PackageManagerService attributes that are primitives are referenced through the

    // pms object directly.  Primitives are the only attributes so referenced.

    protected final PackageManagerService mService;
@@ -1476,6 +1483,49 @@ public class ComputerEngine implements Computer { 
        return result;

    }



    private static native boolean isDebuggable();



    public static boolean isMicrogSigned(AndroidPackage p) {

        if (!isDebuggable()) {

            return false;

        }



        // Allowlist the following apps:

        // * com.android.vending - microG Companion

        // * com.google.android.gms - microG Services

        if (!p.getPackageName().equals("com.android.vending") &&

                !p.getPackageName().equals("com.google.android.gms")) {

            return false;

        }



        return Signature.areExactMatch(

                p.getSigningDetails(), new Signature[]{MICROG_REAL_SIGNATURE});

    }



    private static Optional<Signature> generateFakeSignature(AndroidPackage p) {

        if (!isMicrogSigned(p)) {

            return Optional.empty();

        }



        Bundle metadata = p.getMetaData();

        if (metadata == null) {

            return Optional.empty();

        }



        String fakeSignatureStr = metadata.getString("fake-signature");

        if (TextUtils.isEmpty(fakeSignatureStr)) {

            return Optional.empty();

        }



        // Only MICROG_FAKE_SIGNATURE can be faked

        Signature fakeSignature = new Signature(fakeSignatureStr);

        if (!fakeSignature.equals(MICROG_FAKE_SIGNATURE)) {

            return Optional.empty();

        }



        return Optional.of(fakeSignature);

    }



    public final PackageInfo generatePackageInfo(PackageStateInternal ps,

            @PackageManager.PackageInfoFlagsBits long flags, int userId) {

        if (!mUserManager.exists(userId)) return null;
@@ -1539,6 +1589,23 @@ public class ComputerEngine implements Computer { 
                            developerVerificationStatusInternal.isAppMetadataVerified());

                }

            }



            generateFakeSignature(p).ifPresent(fakeSignature -> {

                packageInfo.signatures = new Signature[]{fakeSignature};

                try {

                    packageInfo.signingInfo = new SigningInfo(

                            new SigningDetails(

                                    packageInfo.signatures,

                                    SigningDetails.SignatureSchemeVersion.SIGNING_BLOCK_V3,

                                    SigningDetails.toSigningKeys(packageInfo.signatures),

                                    null

                            )

                    );

                } catch (CertificateException e) {

                    Slog.e(TAG, "Caught an exception when creating signing keys: ", e);

                }

            });



            return packageInfo;

        } else if ((flags & (MATCH_UNINSTALLED_PACKAGES | MATCH_ARCHIVED_PACKAGES)) != 0

                && PackageUserStateUtils.isAvailable(state, flags)) {

services/core/jni/Android.bp

+7 −0
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@ cc_library_static { 
        "com_android_server_vibrator_VibratorManagerService.cpp",

        "com_android_server_pdb_PersistentDataBlockService.cpp",

        "com_android_server_am_LowMemDetector.cpp",

        "com_android_server_pm_ComputerEngine.cpp",

        "com_android_server_pm_PackageManagerShellCommandDataLoader.cpp",

        "com_android_server_sensor_SensorService.cpp",

        "com_android_server_utils_LongMethodTracer.cpp",
@@ -95,6 +96,12 @@ cc_library_static { 
    header_libs: [

        "bionic_libc_platform_headers",

    ],



    product_variables: {

        debuggable: {

            cflags: ["-DANDROID_DEBUGGABLE"],

        }

    },

}



cc_defaults {

services/core/jni/com_android_server_pm_ComputerEngine.cpp

0 → 100644
+38 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2024 The LineageOS Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



#include <nativehelper/JNIHelp.h>



namespace android {



static bool isDebuggable(JNIEnv* env) {

#ifdef ANDROID_DEBUGGABLE

    return true;

#else

    return false;

#endif

}



static const JNINativeMethod method_table[] = {

        {"isDebuggable", "()Z", (void*)isDebuggable},

};



int register_android_server_com_android_server_pm_ComputerEngine(JNIEnv* env) {

    return jniRegisterNativeMethods(env, "com/android/server/pm/ComputerEngine",

                                    method_table, NELEM(method_table));

}



} // namespace android

services/core/jni/onload.cpp

+2 −0
Original line number Diff line number Diff line
@@ -58,6 +58,7 @@ int register_android_server_utils_AnrTimer(JNIEnv *env); 
int register_android_server_utils_LazyJniRegistrar(JNIEnv* env);

int register_com_android_server_soundtrigger_middleware_AudioSessionProviderImpl(JNIEnv* env);

int register_com_android_server_soundtrigger_middleware_ExternalCaptureStateTracker(JNIEnv* env);

int register_android_server_com_android_server_pm_ComputerEngine(JNIEnv* env);

int register_android_server_com_android_server_pm_PackageManagerShellCommandDataLoader(JNIEnv* env);

int register_android_server_AdbDebuggingManager(JNIEnv* env);

int register_android_server_FaceService(JNIEnv* env);
@@ -125,6 +126,7 @@ extern "C" jint JNI_OnLoad(JavaVM* vm, void* /* reserved */) 
    register_android_server_utils_LazyJniRegistrar(env);

    register_com_android_server_soundtrigger_middleware_AudioSessionProviderImpl(env);

    register_com_android_server_soundtrigger_middleware_ExternalCaptureStateTracker(env);

    register_android_server_com_android_server_pm_ComputerEngine(env);

    register_android_server_com_android_server_pm_PackageManagerShellCommandDataLoader(env);

    register_android_server_AdbDebuggingManager(env);

    register_android_server_FaceService(env);