diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7366edb60087adf7a0c57ac11b21ef7d3ce5f8dd..40afd9b7c1cf1452b5473763bcafe9fc174245f8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,30 +5,18 @@ variables: DOCKER_DRIVER: overlay2 CONTAINER_IMAGE: registry.gitlab.e.foundation:5000/$CI_PROJECT_PATH -.build_image: +build_image: stage: build image: docker:git services: - docker:18-dind + variables: + IMAGE_TAG: $CI_COMMIT_REF_NAME + IMAGE_TAG_RELEASE: prod script: - "docker pull $CONTAINER_IMAGE:$IMAGE_TAG || true" - "docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.e.foundation:5000" - "docker build --cache-from $CONTAINER_IMAGE:$IMAGE_TAG -t $CONTAINER_IMAGE -t $CONTAINER_IMAGE:$IMAGE_TAG -t $CONTAINER_IMAGE:$IMAGE_TAG_RELEASE ." - "docker push $CONTAINER_IMAGE:$IMAGE_TAG" - 'if [ "${CI_COMMIT_REF_NAME}" = master ] ; then docker push $CONTAINER_IMAGE:$IMAGE_TAG_RELEASE ; fi' - -build_prod: - extends: .build_image - after_script: - 'if [ "${CI_COMMIT_REF_NAME}" = master ] ; then docker push $CONTAINER_IMAGE:latest ; fi' - variables: - IMAGE_TAG: $CI_COMMIT_REF_NAME - IMAGE_TAG_RELEASE: prod - -build_debug: - extends: .build_image - before_script: - - "mv build.dev.sh src/build.sh" - variables: - IMAGE_TAG: $CI_COMMIT_REF_NAME-debug - IMAGE_TAG_RELEASE: debug diff --git a/Dockerfile b/Dockerfile index b50ef6c1cfc4305a1ff46487d52d6edfdfe8c59e..c5545f6f5b4d49ed71b39367c8f763d0c77ce614 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,10 @@ -FROM debian:stretch +FROM debian:buster MAINTAINER Nicola Corna # Environment variables ####################### -ENV MIRROR_DIR /srv/mirror ENV SRC_DIR /srv/src -ENV TMP_DIR /srv/tmp ENV CCACHE_DIR /srv/ccache ENV ZIP_DIR /srv/zips ENV LMANIFEST_DIR /srv/local_manifests @@ -30,41 +28,28 @@ ENV USE_CCACHE 1 # for no limit. ENV CCACHE_SIZE 50G -# Environment for the LineageOS branches name +# Environment for the /e/ branches name # See https://github.com/LineageOS/android_vendor_cm/branches for possible options -ENV BRANCH_NAME 'cm-14.1' +ENV BRANCH_NAME 'v1-pie' -# Environment for the device list (separate by comma if more than one) -# eg. DEVICE_LIST=hammerhead,bullhead,angler -ENV DEVICE_LIST '' +# Environment for the device +# eg. DEVICE=hammerhead +ENV DEVICE '' # Release type string ENV RELEASE_TYPE 'UNOFFICIAL' # Repo use for build -ENV REPO 'https://github.com/LineageOS/android.git' - -# Repo use for build -ENV MIRROR 'https://github.com/LineageOS/mirror' - -# OTA URL that will be used inside CMUpdater -# Use this in combination with LineageOTA to make sure your device can auto-update itself from this buildbot -ENV OTA_URL '' +ENV REPO 'https://gitlab.e.foundation/e/os/android.git' # User identity -ENV USER_NAME 'LineageOS Buildbot' -ENV USER_MAIL 'lineageos-buildbot@docker.host' +ENV USER_NAME '/e/ robot' +ENV USER_MAIL 'erobot@e.email' # Include proprietary files, downloaded automatically from github.com/TheMuppets/ # Only some branches are supported ENV INCLUDE_PROPRIETARY true -# Mount an overlay filesystem over the source dir to do each build on a clean source -ENV BUILD_OVERLAY false - -# Clone the full LineageOS mirror (> 200 GB) -ENV LOCAL_MIRROR false - # If you want to preserve old ZIPs set this to 'false' ENV CLEAN_OUTDIR false @@ -76,9 +61,6 @@ ENV CRONTAB_TIME 'now' # Clean artifacts output after each build ENV CLEAN_AFTER_BUILD true -# Provide root capabilities builtin inside the ROM (see http://lineageos.org/Update-and-Build-Prep/) -ENV WITH_SU false - # Provide a default JACK configuration in order to avoid out-of-memory issues ENV ANDROID_JACK_VM_ARGS "-Dfile.encoding=UTF-8 -XX:+TieredCompilation -Xmx4G" @@ -97,17 +79,6 @@ ENV ZIP_SUBDIR true # Write the verbose logs to $LOGS_DIR/$codename instead of $LOGS_DIR/ ENV LOGS_SUBDIR true -# Apply the MicroG's signature spoofing patch -# Valid values are "no", "yes" (for the original MicroG's patch) and -# "restricted" (to grant the permission only to the system privileged apps). -# -# The original ("yes") patch allows user apps to gain the ability to spoof -# themselves as other apps, which can be a major security threat. Using the -# restricted patch and embedding the apps that requires it as system privileged -# apps is a much secure option. See the README.md ("Custom mode") for an -# example. -ENV SIGNATURE_SPOOFING "no" - # Generate delta files ENV BUILD_DELTA false @@ -137,9 +108,7 @@ ENV OPENDELTA_BUILDS_JSON '' # Create Volume entry points ############################ -VOLUME $MIRROR_DIR VOLUME $SRC_DIR -VOLUME $TMP_DIR VOLUME $CCACHE_DIR VOLUME $ZIP_DIR VOLUME $LMANIFEST_DIR @@ -155,9 +124,7 @@ COPY src/ /root/ # Create missing directories ############################ -RUN mkdir -p $MIRROR_DIR RUN mkdir -p $SRC_DIR -RUN mkdir -p $TMP_DIR RUN mkdir -p $CCACHE_DIR RUN mkdir -p $ZIP_DIR RUN mkdir -p $LMANIFEST_DIR @@ -169,8 +136,6 @@ RUN mkdir -p $USERSCRIPTS_DIR # Install build dependencies ############################ COPY apt_preferences /etc/apt/preferences -RUN apt-get -qq update -RUN apt-get install -y imagemagick libwxgtk3.0-dev openjdk-8-jdk RUN echo 'deb http://deb.debian.org/debian sid main' >> /etc/apt/sources.list RUN echo 'deb http://deb.debian.org/debian experimental main' >> /etc/apt/sources.list @@ -179,14 +144,21 @@ RUN apt-get -qqy upgrade RUN apt-get install -y bc bison bsdmainutils build-essential ccache cgpt cron \ curl flex g++-multilib gcc-multilib git gnupg gperf imagemagick kmod \ - lib32ncurses5-dev lib32readline-dev lib32z1-dev libesd0-dev liblz4-tool \ - libncurses5-dev libsdl1.2-dev libssl-dev libxml2 \ + lib32ncurses5-dev libncurses5 lib32readline-dev lib32z1-dev libtinfo5 liblz4-tool \ + libncurses5-dev libsdl1.2-dev libssl-dev libwxgtk3.0-dev libxml2 \ libxml2-utils lsof lzop maven pngcrush \ - procps python rsync schedtool squashfs-tools wget xdelta3 xsltproc yasm \ + procps python python3 rsync schedtool squashfs-tools software-properties-common wget xdelta3 xsltproc yasm \ zip zlib1g-dev RUN curl https://storage.googleapis.com/git-repo-downloads/repo > /usr/local/bin/repo RUN chmod a+x /usr/local/bin/repo +RUN ln -fs /usr/bin/python3 /usr/bin/python + +# Use adoptopenjdk.net to be able to use OpeJDK8 on debian:buster +RUN curl -q https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add - +RUN add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ +RUN apt-get -qq update && apt-get install -y adoptopenjdk-8-hotspot +RUN update-alternatives --set java /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java # Download and build delta tools ################################ diff --git a/src/build.sh b/src/build.sh index f3fdeaae6c60427464eca52048f4b215c300cb55..ca6c7e5856e058af59c36e837d2cb79859a7f80c 100755 --- a/src/build.sh +++ b/src/build.sh @@ -17,8 +17,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -repo_log="$LOGS_DIR/repo-$(date +%Y%m%d).log" - # cd to working directory cd "$SRC_DIR" @@ -33,24 +31,31 @@ if [ "$CLEAN_OUTDIR" = true ]; then rm -rf "$ZIP_DIR/"* fi -# Treat DEVICE_LIST as DEVICE_LIST_ -first_branch=$(cut -d ',' -f 1 <<< "$BRANCH_NAME") -if [ -n "$DEVICE_LIST" ]; then - device_list_first_branch="DEVICE_LIST_$(sed 's/.*-\([a-zA-Z]*\)$/\1/' <<< $first_branch)" - device_list_first_branch=${device_list_first_branch^^} - read $device_list_first_branch <<< "$DEVICE_LIST,${!device_list_first_branch}" -fi - sync_successful=true -if [ "$LOCAL_MIRROR" = true ]; then +branch_dir=$(sed 's/.*-\([a-zA-Z]*\)$/\1/' <<< ${BRANCH_NAME}) +branch_dir=${branch_dir^^} - cd "$MIRROR_DIR" +if [ -n "${BRANCH_NAME}" ] && [ -n "${DEVICE}" ]; then - if [ ! -d .repo ]; then - echo ">> [$(date)] Initializing mirror repository" | tee -a "$repo_log" - yes | repo init -u "$MIRROR" --mirror --no-clone-bundle -p linux &>> "$repo_log" - fi + mkdir -p "$SRC_DIR/$branch_dir" + cd "$SRC_DIR/$branch_dir" + + echo ">> [$(date)] Branch: ${BRANCH_NAME}" + echo ">> [$(date)] Device: ${DEVICE}" + + # Remove previous changes of vendor/cm, vendor/lineage and frameworks/base (if they exist) + for path in "vendor/cm" "vendor/lineage" "frameworks/base"; do + if [ -d "$path" ]; then + cd "$path" + git reset -q --hard + git clean -q -fd + cd "$SRC_DIR/$branch_dir" + fi + done + + echo ">> [$(date)] (Re)initializing branch repository" + yes | repo init -u "$REPO" -b "${BRANCH_NAME}" # Copy local manifests to the appropriate folder in order take them into consideration echo ">> [$(date)] Copying '$LMANIFEST_DIR/*.xml' to '.repo/local_manifests/'" @@ -59,365 +64,204 @@ if [ "$LOCAL_MIRROR" = true ]; then rm -f .repo/local_manifests/proprietary.xml if [ "$INCLUDE_PROPRIETARY" = true ]; then - wget -q -O .repo/local_manifests/proprietary.xml "https://raw.githubusercontent.com/TheMuppets/manifests/mirror/default.xml" + if [[ ${BRANCH_NAME} =~ nougat$ ]]; then + themuppets_branch=cm-14.1 + echo ">> [$(date)] Use branch $themuppets_branch on github.com/TheMuppets" + elif [[ ${BRANCH_NAME} =~ oreo$ ]]; then + themuppets_branch=lineage-15.1 + echo ">> [$(date)] Use branch $themuppets_branch on github.com/TheMuppets" + elif [[ ${BRANCH_NAME} =~ pie$ ]]; then + themuppets_branch=lineage-16.0 + echo ">> [$(date)] Use branch $themuppets_branch on github.com/TheMuppets" + else + themuppets_branch=cm-14.1 + echo ">> [$(date)] Can't find a matching branch on github.com/TheMuppets, using $themuppets_branch" + fi + wget -q -O .repo/local_manifests/proprietary.xml "https://raw.githubusercontent.com/TheMuppets/manifests/$themuppets_branch/muppets.xml" fi - echo ">> [$(date)] Syncing mirror repository" | tee -a "$repo_log" - repo sync --force-sync --no-clone-bundle &>> "$repo_log" + echo ">> [$(date)] Syncing branch repository" + builddate=$(date +%Y%m%d) + repo sync -c --force-sync if [ $? != 0 ]; then sync_successful=false fi -fi - -for branch in ${BRANCH_NAME//,/ }; do - branch_dir=$(sed 's/.*-\([a-zA-Z]*\)$/\1/' <<< $branch) - branch_dir=${branch_dir^^} - device_list_cur_branch="DEVICE_LIST_$branch_dir" - devices=${!device_list_cur_branch} - - if [ -n "$branch" ] && [ -n "$devices" ]; then - - mkdir -p "$SRC_DIR/$branch_dir" - cd "$SRC_DIR/$branch_dir" - echo ">> [$(date)] Branch: $branch" - echo ">> [$(date)] Devices: $devices" - - # Remove previous changes of vendor/cm, vendor/lineage and frameworks/base (if they exist) - for path in "vendor/cm" "vendor/lineage" "frameworks/base"; do - if [ -d "$path" ]; then - cd "$path" - git reset -q --hard - git clean -q -fd - cd "$SRC_DIR/$branch_dir" + android_version=$(sed -n -e 's/^\s*PLATFORM_VERSION\.OPM1 := //p' build/core/version_defaults.mk) + if [ -z $android_version ]; then + android_version=$(sed -n -e 's/^\s*PLATFORM_VERSION\.PPR1 := //p' build/core/version_defaults.mk) + if [ -z $android_version ]; then + android_version=$(sed -n -e 's/^\s*PLATFORM_VERSION := //p' build/core/version_defaults.mk) + if [ -z $android_version ]; then + echo ">> [$(date)] Can't detect the android version" + exit 1 fi - done - - echo ">> [$(date)] (Re)initializing branch repository" | tee -a "$repo_log" - if [ "$LOCAL_MIRROR" = true ]; then - yes | repo init -u "$REPO" --reference "$MIRROR_DIR" -b "$branch" &>> "$repo_log" - else - yes | repo init -u "$REPO" -b "$branch" &>> "$repo_log" fi + fi + android_version_major=$(cut -d '.' -f 1 <<< $android_version) - # Copy local manifests to the appropriate folder in order take them into consideration - echo ">> [$(date)] Copying '$LMANIFEST_DIR/*.xml' to '.repo/local_manifests/'" - mkdir -p .repo/local_manifests - rsync -a --delete --include '*.xml' --exclude '*' "$LMANIFEST_DIR/" .repo/local_manifests/ - - rm -f .repo/local_manifests/proprietary.xml - if [ "$INCLUDE_PROPRIETARY" = true ]; then - if [[ $branch =~ nougat$ ]]; then - themuppets_branch=cm-14.1 - echo ">> [$(date)] Use branch $themuppets_branch on github.com/TheMuppets" - elif [[ $branch =~ oreo$ ]]; then - themuppets_branch=lineage-15.1 - echo ">> [$(date)] Use branch $themuppets_branch on github.com/TheMuppets" - elif [[ $branch =~ pie$ ]]; then - themuppets_branch=lineage-16.0 - echo ">> [$(date)] Use branch $themuppets_branch on github.com/TheMuppets" - else - themuppets_branch=cm-14.1 - echo ">> [$(date)] Can't find a matching branch on github.com/TheMuppets, using $themuppets_branch" - fi - wget -q -O .repo/local_manifests/proprietary.xml "https://raw.githubusercontent.com/TheMuppets/manifests/$themuppets_branch/muppets.xml" - fi + if [ "$android_version_major" -ge "8" ]; then + vendor="lineage" + else + vendor="cm" + fi - echo ">> [$(date)] Syncing branch repository" | tee -a "$repo_log" - builddate=$(date +%Y%m%d) - repo sync -c --force-sync &>> "$repo_log" + if [ ! -d "vendor/$vendor" ]; then + echo ">> [$(date)] Missing \"vendor/$vendor\", aborting" + exit 1 + fi - if [ $? != 0 ]; then - sync_successful=false - fi + los_ver_major=$(sed -n -e 's/^\s*PRODUCT_VERSION_MAJOR = //p' "vendor/$vendor/config/common.mk") + los_ver_minor=$(sed -n -e 's/^\s*PRODUCT_VERSION_MINOR = //p' "vendor/$vendor/config/common.mk") + los_ver="$los_ver_major.$los_ver_minor" - android_version=$(sed -n -e 's/^\s*PLATFORM_VERSION\.OPM1 := //p' build/core/version_defaults.mk) - if [ -z $android_version ]; then - android_version=$(sed -n -e 's/^\s*PLATFORM_VERSION\.PPR1 := //p' build/core/version_defaults.mk) - if [ -z $android_version ]; then - android_version=$(sed -n -e 's/^\s*PLATFORM_VERSION := //p' build/core/version_defaults.mk) - if [ -z $android_version ]; then - echo ">> [$(date)] Can't detect the android version" - exit 1 - fi - fi - fi - android_version_major=$(cut -d '.' -f 1 <<< $android_version) + if [ "$SIGN_BUILDS" = true ]; then + echo ">> [$(date)] Adding keys path ($KEYS_DIR)" + # Soong (Android 9+) complains if the signing keys are outside the build path + ln -sf "$KEYS_DIR" user-keys + sed -i "1s;^;PRODUCT_DEFAULT_DEV_CERTIFICATE := user-keys/releasekey\nPRODUCT_OTA_PUBLIC_KEYS := user-keys/releasekey\nPRODUCT_EXTRA_RECOVERY_KEYS := user-keys/releasekey\n\n;" "vendor/$vendor/config/common.mk" + fi - if [ "$android_version_major" -ge "8" ]; then - vendor="lineage" - else - vendor="cm" - fi + echo ">> [$(date)] Using OpenJDK $jdk_version" + update-java-alternatives -s java-1.$jdk_version.0-openjdk-amd64 &> /dev/null - if [ ! -d "vendor/$vendor" ]; then - echo ">> [$(date)] Missing \"vendor/$vendor\", aborting" - exit 1 - fi + # Prepare the environment + echo ">> [$(date)] Preparing build environment" + source build/envsetup.sh > /dev/null - # Set up our overlay - mkdir -p "vendor/$vendor/overlay/microg/" - sed -i "1s;^;PRODUCT_PACKAGE_OVERLAYS := vendor/$vendor/overlay/microg\n;" "vendor/$vendor/config/common.mk" - - los_ver_major=$(sed -n -e 's/^\s*PRODUCT_VERSION_MAJOR = //p' "vendor/$vendor/config/common.mk") - los_ver_minor=$(sed -n -e 's/^\s*PRODUCT_VERSION_MINOR = //p' "vendor/$vendor/config/common.mk") - los_ver="$los_ver_major.$los_ver_minor" - - # If needed, apply the microG's signature spoofing patch - if [ "$SIGNATURE_SPOOFING" = "yes" ] || [ "$SIGNATURE_SPOOFING" = "restricted" ]; then - # Determine which patch should be applied to the current Android source tree - patch_name="" - case $android_version in - 4.4* ) patch_name="android_frameworks_base-KK-LP.patch" ;; - 5.* ) patch_name="android_frameworks_base-KK-LP.patch" ;; - 6.* ) patch_name="android_frameworks_base-M.patch" ;; - 7.* ) patch_name="android_frameworks_base-N.patch" ;; - 8.* ) patch_name="android_frameworks_base-O.patch" ;; - 9* ) patch_name="android_frameworks_base-P.patch" ;; #not sure why 9 not 9.0 but here's a fix that will work until android 90 - esac - - if ! [ -z $patch_name ]; then - cd frameworks/base - if [ "$SIGNATURE_SPOOFING" = "yes" ]; then - echo ">> [$(date)] Applying the standard signature spoofing patch ($patch_name) to frameworks/base" - echo ">> [$(date)] WARNING: the standard signature spoofing patch introduces a security threat" - patch --quiet -p1 -i "/root/signature_spoofing_patches/$patch_name" - else - echo ">> [$(date)] Applying the restricted signature spoofing patch (based on $patch_name) to frameworks/base" - sed 's/android:protectionLevel="dangerous"/android:protectionLevel="signature|privileged"/' "/root/signature_spoofing_patches/$patch_name" | patch --quiet -p1 - fi - git clean -q -f - cd ../.. + if [ -f /root/userscripts/before.sh ]; then + echo ">> [$(date)] Running before.sh" + /root/userscripts/before.sh + fi - # Override device-specific settings for the location providers - mkdir -p "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/" - cp /root/signature_spoofing_patches/frameworks_base_config.xml "vendor/$vendor/overlay/microg/frameworks/base/core/res/res/values/config.xml" - else - echo ">> [$(date)] ERROR: can't find a suitable signature spoofing patch for the current Android version ($android_version)" - exit 1 - fi - fi + build_device=true + if ! [ -z "${DEVICE}" ]; then - echo ">> [$(date)] Setting \"$RELEASE_TYPE\" as release type" - sed -i "/\$(filter .*\$(${vendor^^}_BUILDTYPE)/,+2d" "vendor/$vendor/config/common.mk" - - # Set a custom updater URI if a OTA URL is provided - echo ">> [$(date)] Adding OTA URL overlay (for custom URL $OTA_URL)" - if ! [ -z "$OTA_URL" ]; then - updater_url_overlay_dir="vendor/$vendor/overlay/microg/packages/apps/Updater/res/values/" - mkdir -p "$updater_url_overlay_dir" - - if [ -n "$(grep updater_server_url packages/apps/Updater/res/values/strings.xml)" ]; then - # "New" updater configuration: full URL (with placeholders {device}, {type} and {incr}) - sed "s|{name}|updater_server_url|g; s|{url}|$OTA_URL/v1/{device}/{type}/{incr}|g" /root/packages_updater_strings.xml > "$updater_url_overlay_dir/strings.xml" - elif [ -n "$(grep conf_update_server_url_def packages/apps/Updater/res/values/strings.xml)" ]; then - # "Old" updater configuration: just the URL - sed "s|{name}|conf_update_server_url_def|g; s|{url}|$OTA_URL|g" /root/packages_updater_strings.xml > "$updater_url_overlay_dir/strings.xml" - else - echo ">> [$(date)] ERROR: no known Updater URL property found" - exit 1 + currentdate=$(date +%Y%m%d) + if [ "$builddate" != "$currentdate" ]; then + # Sync the source code + builddate=$currentdate + + echo ">> [$(date)] Syncing branch repository" + cd "$SRC_DIR/$branch_dir" + repo sync -c --force-sync + + if [ $? != 0 ]; then + sync_successful=false + build_device=false fi fi - # Add custom packages to be installed - if ! [ -z "$CUSTOM_PACKAGES" ]; then - echo ">> [$(date)] Adding custom packages ($CUSTOM_PACKAGES)" - sed -i "1s;^;PRODUCT_PACKAGES += $CUSTOM_PACKAGES\n\n;" "vendor/$vendor/config/common.mk" - fi + source_dir="$SRC_DIR/$branch_dir" + cd "$source_dir" - if [ "$SIGN_BUILDS" = true ]; then - echo ">> [$(date)] Adding keys path ($KEYS_DIR)" - # Soong (Android 9+) complains if the signing keys are outside the build path - ln -sf "$KEYS_DIR" user-keys - sed -i "1s;^;PRODUCT_DEFAULT_DEV_CERTIFICATE := user-keys/releasekey\nPRODUCT_OTA_PUBLIC_KEYS := user-keys/releasekey\nPRODUCT_EXTRA_RECOVERY_KEYS := user-keys/releasekey\n\n;" "vendor/$vendor/config/common.mk" + if [ "$ZIP_SUBDIR" = true ]; then + zipsubdir=${DEVICE} + mkdir -p "$ZIP_DIR/$zipsubdir" + else + zipsubdir= fi - - if [ "$android_version_major" -ge "7" ]; then - jdk_version=8 - elif [ "$android_version_major" -ge "5" ]; then - jdk_version=7 + if [ "$LOGS_SUBDIR" = true ]; then + logsubdir=${DEVICE} + mkdir -p "$LOGS_DIR/$logsubdir" else - echo ">> [$(date)] ERROR: $branch requires a JDK version too old (< 7); aborting" - exit 1 + logsubdir= fi - echo ">> [$(date)] Using OpenJDK $jdk_version" - update-java-alternatives -s java-1.$jdk_version.0-openjdk-amd64 &> /dev/null - - # Prepare the environment - echo ">> [$(date)] Preparing build environment" - source build/envsetup.sh > /dev/null + if [ -f /root/userscripts/pre-build.sh ]; then + echo ">> [$(date)] Running pre-build.sh for ${DEVICE}" + /root/userscripts/pre-build.sh ${DEVICE} - if [ -f /root/userscripts/before.sh ]; then - echo ">> [$(date)] Running before.sh" - /root/userscripts/before.sh + if [ $? != 0 ]; then + build_device=false + fi fi - for codename in ${devices//,/ }; do - build_device=true - if ! [ -z "$codename" ]; then - - currentdate=$(date +%Y%m%d) - if [ "$builddate" != "$currentdate" ]; then - # Sync the source code - builddate=$currentdate - - if [ "$LOCAL_MIRROR" = true ]; then - echo ">> [$(date)] Syncing mirror repository" | tee -a "$repo_log" - cd "$MIRROR_DIR" - repo sync --force-sync --no-clone-bundle &>> "$repo_log" - - if [ $? != 0 ]; then - sync_successful=false - build_device=false - fi - fi - - echo ">> [$(date)] Syncing branch repository" | tee -a "$repo_log" - cd "$SRC_DIR/$branch_dir" - repo sync -c --force-sync &>> "$repo_log" - - if [ $? != 0 ]; then - sync_successful=false - build_device=false - fi - fi - - if [ "$BUILD_OVERLAY" = true ]; then - mkdir -p "$TMP_DIR/device" "$TMP_DIR/workdir" "$TMP_DIR/merged" - mount -t overlay overlay -o lowerdir="$SRC_DIR/$branch_dir",upperdir="$TMP_DIR/device",workdir="$TMP_DIR/workdir" "$TMP_DIR/merged" - source_dir="$TMP_DIR/merged" - else - source_dir="$SRC_DIR/$branch_dir" - fi - cd "$source_dir" - - if [ "$ZIP_SUBDIR" = true ]; then - zipsubdir=$codename - mkdir -p "$ZIP_DIR/$zipsubdir" - else - zipsubdir= - fi - if [ "$LOGS_SUBDIR" = true ]; then - logsubdir=$codename - mkdir -p "$LOGS_DIR/$logsubdir" - else - logsubdir= - fi - - DEBUG_LOG="$LOGS_DIR/$logsubdir/eelo-$los_ver-$builddate-$RELEASE_TYPE-$codename.log" - - if [ -f /root/userscripts/pre-build.sh ]; then - echo ">> [$(date)] Running pre-build.sh for $codename" >> "$DEBUG_LOG" - /root/userscripts/pre-build.sh $codename &>> "$DEBUG_LOG" - - if [ $? != 0 ]; then - build_device=false - fi - fi + if [ "$build_device" = false ]; then + echo ">> [$(date)] No build for ${DEVICE}" + continue + fi - if [ "$build_device" = false ]; then - echo ">> [$(date)] No build for $codename" >> "$DEBUG_LOG" - continue - fi + # Start the build + echo ">> [$(date)] Starting build for ${DEVICE}, ${BRANCH_NAME} branch" + build_successful=false + echo "ANDROID_JACK_VM_ARGS=${ANDROID_JACK_VM_ARGS}" + echo "Switch to Python2" + ln -fs /usr/bin/python2 /usr/bin/python + if brunch ${DEVICE}; then + currentdate=$(date +%Y%m%d) + if [ "$builddate" != "$currentdate" ]; then + find out/target/product/${DEVICE} -maxdepth 1 -name "e-*-$currentdate-*.zip*" -type f -exec sh /root/fix_build_date.sh {} $currentdate $builddate \; + fi - # Start the build - echo ">> [$(date)] Starting build for $codename, $branch branch" | tee -a "$DEBUG_LOG" - build_successful=false - echo "ANDROID_JACK_VM_ARGS=${ANDROID_JACK_VM_ARGS}" - if brunch $codename &>> "$DEBUG_LOG"; then - currentdate=$(date +%Y%m%d) - if [ "$builddate" != "$currentdate" ]; then - find out/target/product/$codename -maxdepth 1 -name "e-*-$currentdate-*.zip*" -type f -exec sh /root/fix_build_date.sh {} $currentdate $builddate \; &>> "$DEBUG_LOG" + if [ "$BUILD_DELTA" = true ]; then + if [ -d "delta_last/${DEVICE}/" ]; then + # If not the first build, create delta files + echo ">> [$(date)] Generating delta files for ${DEVICE}" + cd /root/delta + if ./opendelta.sh ${DEVICE}; then + echo ">> [$(date)] Delta generation for ${DEVICE} completed" + else + echo ">> [$(date)] Delta generation for ${DEVICE} failed" fi - - if [ "$BUILD_DELTA" = true ]; then - if [ -d "delta_last/$codename/" ]; then - # If not the first build, create delta files - echo ">> [$(date)] Generating delta files for $codename" | tee -a "$DEBUG_LOG" - cd /root/delta - if ./opendelta.sh $codename &>> "$DEBUG_LOG"; then - echo ">> [$(date)] Delta generation for $codename completed" | tee -a "$DEBUG_LOG" - else - echo ">> [$(date)] Delta generation for $codename failed" | tee -a "$DEBUG_LOG" - fi - if [ "$DELETE_OLD_DELTAS" -gt "0" ]; then - /usr/bin/python /root/clean_up.py -n $DELETE_OLD_DELTAS -V $los_ver -N 1 "$DELTA_DIR/$codename" &>> $DEBUG_LOG - fi - cd "$source_dir" - else - # If the first build, copy the current full zip in $source_dir/delta_last/$codename/ - echo ">> [$(date)] No previous build for $codename; using current build as base for the next delta" | tee -a "$DEBUG_LOG" - mkdir -p delta_last/$codename/ &>> "$DEBUG_LOG" - find out/target/product/$codename -maxdepth 1 -name 'e-*.zip' -type f -exec cp {} "$source_dir/delta_last/$codename/" \; &>> "$DEBUG_LOG" - fi + if [ "$DELETE_OLD_DELTAS" -gt "0" ]; then + /usr/bin/python /root/clean_up.py -n $DELETE_OLD_DELTAS -V $los_ver -N 1 "$DELTA_DIR/${DEVICE}" fi - # Move produced ZIP files to the main OUT directory - echo ">> [$(date)] Moving build artifacts for $codename to '$ZIP_DIR/$zipsubdir'" | tee -a "$DEBUG_LOG" - cd out/target/product/$codename - for build in e-*.zip; do - sha256sum "$build" > "$ZIP_DIR/$zipsubdir/$build.sha256sum" - done - find . -maxdepth 1 -name 'e-*.zip*' -type f -exec mv {} "$ZIP_DIR/$zipsubdir/" \; &>> "$DEBUG_LOG" cd "$source_dir" - build_successful=true else - echo ">> [$(date)] Failed build for $codename" | tee -a "$DEBUG_LOG" + # If the first build, copy the current full zip in $source_dir/delta_last/${DEVICE}/ + echo ">> [$(date)] No previous build for ${DEVICE}; using current build as base for the next delta" + mkdir -p delta_last/${DEVICE}/ + find out/target/product/${DEVICE} -maxdepth 1 -name 'e-*.zip' -type f -exec cp {} "$source_dir/delta_last/${DEVICE}/" \; fi + fi + # Move produced ZIP files to the main OUT directory + echo ">> [$(date)] Moving build artifacts for ${DEVICE} to '$ZIP_DIR/$zipsubdir'" + cd out/target/product/${DEVICE} + for build in e-*.zip; do + sha256sum "$build" > "$ZIP_DIR/$zipsubdir/$build.sha256sum" + done + find . -maxdepth 1 -name 'e-*.zip*' -type f -exec mv {} "$ZIP_DIR/$zipsubdir/" \; + cd "$source_dir" + build_successful=true + else + echo ">> [$(date)] Failed build for ${DEVICE}" + fi - # Remove old zips and logs - if [ "$DELETE_OLD_ZIPS" -gt "0" ]; then - if [ "$ZIP_SUBDIR" = true ]; then - /usr/bin/python /root/clean_up.py -n $DELETE_OLD_ZIPS -V $los_ver -N 1 "$ZIP_DIR/$zipsubdir" - else - /usr/bin/python /root/clean_up.py -n $DELETE_OLD_ZIPS -V $los_ver -N 1 -c $codename "$ZIP_DIR" - fi - fi - if [ "$DELETE_OLD_LOGS" -gt "0" ]; then - if [ "$LOGS_SUBDIR" = true ]; then - /usr/bin/python /root/clean_up.py -n $DELETE_OLD_LOGS -V $los_ver -N 1 "$LOGS_DIR/$logsubdir" - else - /usr/bin/python /root/clean_up.py -n $DELETE_OLD_LOGS -V $los_ver -N 1 -c $codename "$LOGS_DIR" - fi - fi - if [ -f /root/userscripts/post-build.sh ]; then - echo ">> [$(date)] Running post-build.sh for $codename" >> "$DEBUG_LOG" - /root/userscripts/post-build.sh $codename $build_successful &>> "$DEBUG_LOG" - fi - echo ">> [$(date)] Finishing build for $codename" | tee -a "$DEBUG_LOG" - - if [ "$BUILD_OVERLAY" = true ]; then - # The Jack server must be stopped manually, as we want to unmount $TMP_DIR/merged - cd "$TMP_DIR" - if [ -f "$TMP_DIR/merged/prebuilts/sdk/tools/jack-admin" ]; then - "$TMP_DIR/merged/prebuilts/sdk/tools/jack-admin kill-server" &> /dev/null || true - fi - lsof | grep "$TMP_DIR/merged" | awk '{ print $2 }' | sort -u | xargs -r kill &> /dev/null - - while [ -n "$(lsof | grep $TMP_DIR/merged)" ]; do - sleep 1 - done + # Remove old zips and logs + if [ "$DELETE_OLD_ZIPS" -gt "0" ]; then + if [ "$ZIP_SUBDIR" = true ]; then + /usr/bin/python /root/clean_up.py -n $DELETE_OLD_ZIPS -V $los_ver -N 1 "$ZIP_DIR/$zipsubdir" + else + /usr/bin/python /root/clean_up.py -n $DELETE_OLD_ZIPS -V $los_ver -N 1 -c ${DEVICE} "$ZIP_DIR" + fi + fi + if [ "$DELETE_OLD_LOGS" -gt "0" ]; then + if [ "$LOGS_SUBDIR" = true ]; then + /usr/bin/python /root/clean_up.py -n $DELETE_OLD_LOGS -V $los_ver -N 1 "$LOGS_DIR/$logsubdir" + else + /usr/bin/python /root/clean_up.py -n $DELETE_OLD_LOGS -V $los_ver -N 1 -c ${DEVICE} "$LOGS_DIR" + fi + fi + if [ -f /root/userscripts/post-build.sh ]; then + echo ">> [$(date)] Running post-build.sh for ${DEVICE}" + /root/userscripts/post-build.sh ${DEVICE} $build_successful + fi + echo ">> [$(date)] Finishing build for ${DEVICE}" - umount "$TMP_DIR/merged" - fi + if [ "$CLEAN_AFTER_BUILD" = true ]; then + echo ">> [$(date)] Cleaning source dir for device ${DEVICE}" + cd "$source_dir" + mka clean + fi - if [ "$CLEAN_AFTER_BUILD" = true ]; then - echo ">> [$(date)] Cleaning source dir for device $codename" | tee -a "$DEBUG_LOG" - if [ "$BUILD_OVERLAY" = true ]; then - cd "$TMP_DIR" - rm -rf ./* - else - cd "$source_dir" - mka clean &>> "$DEBUG_LOG" - fi - fi + fi - fi - done + echo "Switch back to Python3" + ln -fs /usr/bin/python3 /usr/bin/python - fi -done +fi # Create the OpenDelta's builds JSON file if ! [ -z "$OPENDELTA_BUILDS_JSON" ]; then diff --git a/src/init.sh b/src/init.sh index 3c6ae12dfba420181d141e46ad3c52ce8ce03537..57656d597070d7a3c693f1b57b0d73578e63df38 100755 --- a/src/init.sh +++ b/src/init.sh @@ -57,18 +57,6 @@ if [ "$SIGN_BUILDS" = true ]; then done fi -# Define memory to use for jack (depending of runner tag) -if [[ -n ${CI_RUNNER_TAGS} ]] -then - jack_memory=$(echo ${CI_RUNNER_TAGS} | grep GB | sed 's/.*ram:\([0-9]*G\)B.*/\1/') - if [ -n ${jack_memory} ] - then - ANDROID_JACK_VM_ARGS="-Dfile.encoding=UTF-8 -XX:+TieredCompilation -Xmx"${jack_memory} - export ANDROID_JACK_VM_ARGS - echo "ANDROID_JACK_VM_ARGS set to ${ANDROID_JACK_VM_ARGS}" - fi -fi - if [ "$CRONTAB_TIME" = "now" ]; then /root/build.sh else diff --git a/src/packages_updater_strings.xml b/src/packages_updater_strings.xml deleted file mode 100644 index 64001db33dbcc9615d0fd9bb955baaf8f11dde5b..0000000000000000000000000000000000000000 --- a/src/packages_updater_strings.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - {url} - - diff --git a/src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch b/src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch deleted file mode 100644 index 5571a587565685ae54b62aa07cf538ea9a826cf9..0000000000000000000000000000000000000000 --- a/src/signature_spoofing_patches/android_frameworks_base-KK-LP.patch +++ /dev/null @@ -1,66 +0,0 @@ -diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java -index e6da288..66684d3 100644 ---- a/core/java/android/content/pm/PackageParser.java -+++ b/core/java/android/content/pm/PackageParser.java -@@ -447,10 +447,23 @@ public class PackageParser { - } - } - if ((flags&PackageManager.GET_SIGNATURES) != 0) { -- int N = (p.mSignatures != null) ? p.mSignatures.length : 0; -- if (N > 0) { -- pi.signatures = new Signature[N]; -- System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N); -+ boolean handledFakeSignature = false; -+ try { -+ if (p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") && p.mAppMetaData != null -+ && p.mAppMetaData.get("fake-signature") instanceof String) { -+ pi.signatures = new Signature[] {new Signature(p.mAppMetaData.getString("fake-signature"))}; -+ handledFakeSignature = true; -+ } -+ } catch (Throwable t) { -+ // We should never die because of any failures, this is system code! -+ Log.w("PackageParser.FAKE_PACKAGE_SIGNATURE", t); -+ } -+ if (!handledFakeSignature) { -+ int N = (p.mSignatures != null) ? p.mSignatures.length : 0; -+ if (N > 0) { -+ pi.signatures = new Signature[N]; -+ System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N); -+ } - } - } - return pi; -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 558a475..4e7aa65 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -1562,6 +1562,13 @@ - android:label="@string/permlab_getPackageSize" - android:description="@string/permdesc_getPackageSize" /> - -+ -+ -+ - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 790e166..8e66470 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -1135,6 +1135,11 @@ - Allows the app to retrieve its code, data, and cache sizes - - -+ mimic package signature -+ -+ Allows the app to use mimic another app\'s package signature. -+ -+ - directly install apps - - Allows the app to install new or updated diff --git a/src/signature_spoofing_patches/android_frameworks_base-M.patch b/src/signature_spoofing_patches/android_frameworks_base-M.patch deleted file mode 100644 index 72d68e7ebfc5490fa41f88cb10f591e5824512c4..0000000000000000000000000000000000000000 --- a/src/signature_spoofing_patches/android_frameworks_base-M.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 7357f8c0c8a6bdc09555ab47dae83f28346b8470 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Beno=C3=AEt=20Mauduit?= -Date: Wed, 22 Jun 2016 15:04:56 +0200 -Subject: [PATCH 1/1] Add signature Spoofing permission -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is needed by GmsCore (https://microg.org/) to pretend -the existence of the official Play Services to applications calling -Google APIs. - -Signed-off-by: Benoît Mauduit ---- - core/res/AndroidManifest.xml | 7 +++++++ - core/res/res/values/config.xml | 2 ++ - core/res/res/values/strings.xml | 5 +++++ - .../android/server/pm/PackageManagerService.java | 23 ++++++++++++++++++++-- - 4 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index ea0e39c..a936983 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -1654,6 +1654,13 @@ - android:description="@string/permdesc_getPackageSize" - android:protectionLevel="normal" /> - -+ -+ -+ - -diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml -index c7846cf..916d8a5 100644 ---- a/core/res/res/values/config.xml -+++ b/core/res/res/values/config.xml -@@ -1298,6 +1298,8 @@ - - - com.android.location.fused -+ -+ com.google.android.gms - - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 58135db..e65367a 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -616,6 +616,11 @@ - - - -+ Spoof package signature -+ -+ Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Grant this permission with caution only! -+ -+ - disable or modify status bar - - Allows the app to disable the status bar or add and remove system icons. -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 0493180..35f49d7 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -2816,8 +2816,27 @@ public class PackageManagerService extends IPackageManager.Stub { - final Set permissions = permissionsState.getPermissions(userId); - final PackageUserState state = ps.readUserState(userId); - -- return PackageParser.generatePackageInfo(p, gids, flags, -- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId); -+ return mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags, -+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId), -+ permissions); -+ } -+ -+ private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi, -+ Set permissions) { -+ try { -+ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") -+ && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1 -+ && p.mAppMetaData != null) { -+ String sig = p.mAppMetaData.getString("fake-signature"); -+ if (sig != null) { -+ pi.signatures = new Signature[] {new Signature(sig)}; -+ } -+ } -+ } catch (Throwable t) { -+ // We should never die because of any failures, this is system code! -+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); -+ } -+ return pi; - } - - @Override --- -2.8.1 - diff --git a/src/signature_spoofing_patches/android_frameworks_base-N.patch b/src/signature_spoofing_patches/android_frameworks_base-N.patch deleted file mode 100644 index 6e6125c663ebd4027808ddb3e7ed6a5b67400452..0000000000000000000000000000000000000000 --- a/src/signature_spoofing_patches/android_frameworks_base-N.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 7357f8c0c8a6bdc09555ab47dae83f28346b8470 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Beno=C3=AEt=20Mauduit?= -Date: Wed, 22 Jun 2016 15:04:56 +0200 -Subject: [PATCH 1/1] Add signature Spoofing permission -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is needed by GmsCore (https://microg.org/) to pretend -the existence of the official Play Services to applications calling -Google APIs. - -Signed-off-by: Benoît Mauduit ---- - core/res/AndroidManifest.xml | 7 +++++++ - core/res/res/values/config.xml | 2 ++ - core/res/res/values/strings.xml | 5 +++++ - .../android/server/pm/PackageManagerService.java | 23 ++++++++++++++++++++-- - 4 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index ea0e39c..a936983 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -1654,6 +1654,13 @@ - android:description="@string/permdesc_getPackageSize" - android:protectionLevel="normal" /> - -+ -+ -+ - -diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml -index c7846cf..916d8a5 100644 ---- a/core/res/res/values/config.xml -+++ b/core/res/res/values/config.xml -@@ -1298,6 +1298,8 @@ - - - com.android.location.fused -+ -+ com.google.android.gms - - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 58135db..e65367a 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -616,6 +616,11 @@ - - - -+ Spoof package signature -+ -+ Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Grant this permission with caution only! -+ -+ - disable or modify status bar - - Allows the app to disable the status bar or add and remove system icons. -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 0493180..35f49d7 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -3067,8 +3067,27 @@ public class PackageManagerService extends IPackageManager.Stub { - ? Collections.emptySet() : permissionsState.getPermissions(userId); - final PackageUserState state = ps.readUserState(userId); - -- return PackageParser.generatePackageInfo(p, gids, flags, -- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId); -+ return mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags, -+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId), -+ permissions); -+ } -+ -+ private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi, -+ Set permissions) { -+ try { -+ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") -+ && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1 -+ && p.mAppMetaData != null) { -+ String sig = p.mAppMetaData.getString("fake-signature"); -+ if (sig != null) { -+ pi.signatures = new Signature[] {new Signature(sig)}; -+ } -+ } -+ } catch (Throwable t) { -+ // We should never die because of any failures, this is system code! -+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); -+ } -+ return pi; - } - - @Override --- -2.8.1 - diff --git a/src/signature_spoofing_patches/android_frameworks_base-O.patch b/src/signature_spoofing_patches/android_frameworks_base-O.patch deleted file mode 100644 index cc1d338581ff6dc666007982937a7b4952b54835..0000000000000000000000000000000000000000 --- a/src/signature_spoofing_patches/android_frameworks_base-O.patch +++ /dev/null @@ -1,102 +0,0 @@ -commit 4e9d677b35b9656c22c922c9abca4107ab95c9b4 -Author: Bernhard Rosenkränzer -Date: Tue Aug 29 00:34:27 2017 +0200 - - Add permission to allow an APK to fake a signature. - - This is needed by GmsCore (https://microg.org/) to pretend - the existence of the official Play Services to applications calling - Google APIs. - - Forward-ported from https://github.com/microg/android_packages_apps_GmsCore/blob/master/patches/android_frameworks_base-N.patch - - Change-Id: I603fd09200432f7e1bf997072188cdfa6da1594f - Signed-off-by: Bernhard Rosenkränzer - -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 794d4f8b78b..b3189077256 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -2075,6 +2075,13 @@ - android:description="@string/permdesc_getPackageSize" - android:protectionLevel="normal" /> - -+ -+ -+ - -diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml -index 3613acf44aa..d1636c862c5 100644 ---- a/core/res/res/values/config.xml -+++ b/core/res/res/values/config.xml -@@ -1385,6 +1385,8 @@ - - - com.android.location.fused -+ -+ com.google.android.gms - - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 3eebe7eb68d..7405386cd49 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -764,6 +764,10 @@ - - - -+ -+ Spoof package signature -+ -+ Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only! - - disable or modify status bar - -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index f36b762c5e9..048a057d39c 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -3571,8 +3571,9 @@ public class PackageManagerService extends IPackageManager.Stub - flags |= MATCH_ANY_USER; - } - -- PackageInfo packageInfo = PackageParser.generatePackageInfo(p, gids, flags, -- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId); -+ PackageInfo packageInfo = mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags, -+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId), -+ permissions); - - if (packageInfo == null) { - return null; -@@ -3584,6 +3585,24 @@ public class PackageManagerService extends IPackageManager.Stub - return packageInfo; - } - -+ private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi, -+ Set permissions) { -+ try { -+ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") -+ && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1 -+ && p.mAppMetaData != null) { -+ String sig = p.mAppMetaData.getString("fake-signature"); -+ if (sig != null) { -+ pi.signatures = new Signature[] {new Signature(sig)}; -+ } -+ } -+ } catch (Throwable t) { -+ // We should never die because of any failures, this is system code! -+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); -+ } -+ return pi; -+ } -+ - @Override - public void checkPackageStartable(String packageName, int userId) { - final int callingUid = Binder.getCallingUid(); diff --git a/src/signature_spoofing_patches/android_frameworks_base-P.patch b/src/signature_spoofing_patches/android_frameworks_base-P.patch deleted file mode 100644 index ad0fdf2d9f0928e0b2fa89b0c9221fbf8ec064f3..0000000000000000000000000000000000000000 --- a/src/signature_spoofing_patches/android_frameworks_base-P.patch +++ /dev/null @@ -1,88 +0,0 @@ -diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml -index 66c497e9977..c1b2e703109 100644 ---- a/core/res/AndroidManifest.xml -+++ b/core/res/AndroidManifest.xml -@@ -2341,6 +2341,13 @@ - android:description="@string/permdesc_getPackageSize" - android:protectionLevel="normal" /> - -+ -+ -+ - -diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml -index 0b5dd7e70e8..bbdba64f2ba 100644 ---- a/core/res/res/values/config.xml -+++ b/core/res/res/values/config.xml -@@ -1650,6 +1650,8 @@ - - - com.android.location.fused -+ -+ com.google.android.gms - - - -diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml -index 3c5159c89bf..7583f1c567f 100644 ---- a/core/res/res/values/strings.xml -+++ b/core/res/res/values/strings.xml -@@ -786,6 +786,11 @@ - - - -+ Spoof package signature -+ -+ Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only! -+ -+ - disable or modify status bar - - Allows the app to disable the status bar or add and remove system icons. -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 9ed2b9c1854..4c5ce24cfa7 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -3937,8 +3937,9 @@ public class PackageManagerService extends IPackageManager.Stub - final Set permissions = ArrayUtils.isEmpty(p.requestedPermissions) - ? Collections.emptySet() : permissionsState.getPermissions(userId); - -- PackageInfo packageInfo = PackageParser.generatePackageInfo(p, gids, flags, -- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId); -+ PackageInfo packageInfo = mayFakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags, -+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId), -+ permissions); - - if (packageInfo == null) { - return null; -@@ -3974,6 +3975,24 @@ public class PackageManagerService extends IPackageManager.Stub - } - } - -+ private PackageInfo mayFakeSignature(PackageParser.Package p, PackageInfo pi, -+ Set permissions) { -+ try { -+ if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") -+ && p.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1 -+ && p.mAppMetaData != null) { -+ String sig = p.mAppMetaData.getString("fake-signature"); -+ if (sig != null) { -+ pi.signatures = new Signature[] {new Signature(sig)}; -+ } -+ } -+ } catch (Throwable t) { -+ // We should never die because of any failures, this is system code! -+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t); -+ } -+ return pi; -+ } -+ - @Override - public void checkPackageStartable(String packageName, int userId) { - final int callingUid = Binder.getCallingUid(); diff --git a/src/signature_spoofing_patches/frameworks_base_config.xml b/src/signature_spoofing_patches/frameworks_base_config.xml deleted file mode 100644 index 59252771c7f23dbc651e5244fa7a42a41c82797b..0000000000000000000000000000000000000000 --- a/src/signature_spoofing_patches/frameworks_base_config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - true - true - -