From 36e287e9ae5114b891cb850afefd107baaead57a Mon Sep 17 00:00:00 2001
From: Danny Lin <danny@kdrag0n.dev>
Date: Mon, 5 Oct 2020 12:36:35 -0700
Subject: [PATCH 1/3] fwb: Add support for app signature spoofing

This is needed by microG GmsCore to pretend to be the official Google
Play Services package, because client apps check the package signature
to make sure it matches Google's official certificate.

This was forward-ported from the Android 10 patch by gudenau:
https://github.com/microg/android_packages_apps_GmsCore/pull/957

Changes made for Android 11:
  - Updated PackageInfo calls
  - Added new permission to public API surface, needed for
    PermissionController which is now an updatable APEX on 11
  - Added a dummy permission group to allow users to manage the
    permission through the PermissionController UI
    (by Vachounet <vachounet@live.fr>)
  - Updated location provider comment for conciseness

Change-Id: Ied7d6ce0b83a2d2345c3abba0429998d86494a88
Signed-off-by: rockstar5495 <pratyakshom.05@gmail.com>
---
 api/current.txt                               |  2 ++
 core/res/AndroidManifest.xml                  | 15 ++++++++++++
 core/res/res/values/colt_strings.xml          | 12 ++++++++++
 non-updatable-api/current.txt                 |  2 ++
 .../server/pm/PackageManagerService.java      | 23 +++++++++++++++++--
 5 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/api/current.txt b/api/current.txt
index bbe1d9595094..0fefd9a99ccc 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -79,6 +79,7 @@ package android {
     field public static final String DUMP = "android.permission.DUMP";
     field public static final String EXPAND_STATUS_BAR = "android.permission.EXPAND_STATUS_BAR";
     field public static final String FACTORY_TEST = "android.permission.FACTORY_TEST";
+    field public static final String FAKE_PACKAGE_SIGNATURE = "android.permission.FAKE_PACKAGE_SIGNATURE";
     field public static final String FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE";
     field public static final String GET_ACCOUNTS = "android.permission.GET_ACCOUNTS";
     field public static final String GET_ACCOUNTS_PRIVILEGED = "android.permission.GET_ACCOUNTS_PRIVILEGED";
@@ -183,6 +184,7 @@ package android {
     field public static final String CALL_LOG = "android.permission-group.CALL_LOG";
     field public static final String CAMERA = "android.permission-group.CAMERA";
     field public static final String CONTACTS = "android.permission-group.CONTACTS";
+    field public static final String FAKE_PACKAGE = "android.permission-group.FAKE_PACKAGE";
     field public static final String LOCATION = "android.permission-group.LOCATION";
     field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
     field public static final String NETWORK = "android.permission-group.NETWORK";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 4763c357a86d..dfc154045c20 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2882,6 +2882,21 @@
         android:description="@string/permdesc_getPackageSize"
         android:protectionLevel="normal" />
 
+    <!-- Dummy user-facing group for faking package signature -->
+    <permission-group android:name="android.permission-group.FAKE_PACKAGE"
+        android:label="@string/permgrouplab_fake_package_signature"
+        android:description="@string/permgroupdesc_fake_package_signature"
+        android:request="@string/permgrouprequest_fake_package_signature"
+        android:priority="100" />
+
+    <!-- Allows an application to change the package signature as
+         seen by applications -->
+    <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
+        android:permissionGroup="android.permission-group.UNDEFINED"
+        android:protectionLevel="dangerous"
+        android:label="@string/permlab_fakePackageSignature"
+        android:description="@string/permdesc_fakePackageSignature" />
+
     <!-- @deprecated No longer useful, see
          {@link android.content.pm.PackageManager#addPackageToPreferred}
          for details. -->
diff --git a/core/res/res/values/colt_strings.xml b/core/res/res/values/colt_strings.xml
index fc0e68fb20eb..67040fdccff1 100644
--- a/core/res/res/values/colt_strings.xml
+++ b/core/res/res/values/colt_strings.xml
@@ -72,4 +72,16 @@
     <string name="systemui_restart_title">SystemUI restart required</string> 
     <string name="systemui_restart_message">For all changes to take effect, a SystemUI restart is required. Restart SystemUI now?</string>
 
+    <!-- MicroG -->
+    <string name="permlab_fakePackageSignature">Spoof package signature</string>
+    <!-- Description of an application permission, listed so the user can choose whether
+         they want to allow the application to do this. -->
+    <string name="permdesc_fakePackageSignature">Allows the app to pretend to be a different app. Malicious applications might be able to use this to access private application data. Legitimate uses include an emulator pretending to be what it emulates. Grant this permission with caution only!</string>
+    <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgrouplab_fake_package_signature">Spoof package signature</string>
+    <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permgroupdesc_fake_package_signature">allow to spoof package signature</string>
+    <!-- Message shown to the user when the apps requests permission from this group. If ever possible this should stay below 80 characters (assuming the parameters takes 20 characters). Don't abbreviate until the message reaches 120 characters though. [CHAR LIMIT=120] -->
+    <string name="permgrouprequest_fake_package_signature">Allow
+        &lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to spoof package signature?</string>
 </resources>
diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
index dd72e746e8a4..7f94b63243df 100644
--- a/non-updatable-api/current.txt
+++ b/non-updatable-api/current.txt
@@ -79,6 +79,7 @@ package android {
     field public static final String DUMP = "android.permission.DUMP";
     field public static final String EXPAND_STATUS_BAR = "android.permission.EXPAND_STATUS_BAR";
     field public static final String FACTORY_TEST = "android.permission.FACTORY_TEST";
+    field public static final String FAKE_PACKAGE_SIGNATURE = "android.permission.FAKE_PACKAGE_SIGNATURE";
     field public static final String FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE";
     field public static final String GET_ACCOUNTS = "android.permission.GET_ACCOUNTS";
     field public static final String GET_ACCOUNTS_PRIVILEGED = "android.permission.GET_ACCOUNTS_PRIVILEGED";
@@ -183,6 +184,7 @@ package android {
     field public static final String CALL_LOG = "android.permission-group.CALL_LOG";
     field public static final String CAMERA = "android.permission-group.CAMERA";
     field public static final String CONTACTS = "android.permission-group.CONTACTS";
+    field public static final String FAKE_PACKAGE = "android.permission-group.FAKE_PACKAGE";
     field public static final String LOCATION = "android.permission-group.LOCATION";
     field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
     field public static final String NETWORK = "android.permission-group.NETWORK";
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 3c5a94201189..6d27250e2416 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -4468,8 +4468,9 @@ private PackageInfo generatePackageInfo(PackageSetting ps, int flags, int userId
                 });
             }
 
-            PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
-                    ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
+            PackageInfo packageInfo = mayFakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
+                    ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
+                    permissions);
 
             if (packageInfo == null) {
                 return null;
@@ -4505,6 +4506,24 @@ private PackageInfo generatePackageInfo(PackageSetting ps, int flags, int userId
         }
     }
 
+    private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi,
+            Set<String> permissions) {
+        try {
+            if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")
+                    && p.getTargetSdkVersion() > Build.VERSION_CODES.LOLLIPOP_MR1
+                    && p.getMetaData() != null) {
+                String sig = p.getMetaData().getString("fake-signature");
+                if (sig != null) {
+                    pi.signatures = new Signature[] {new Signature(sig)};
+                }
+            }
+        } catch (Throwable t) {
+            // We should never die because of any failures, this is system code!
+            Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t);
+        }
+        return pi;
+    }
+
     @Override
     public void checkPackageStartable(String packageName, int userId) {
         final int callingUid = Binder.getCallingUid();

From c99025fd51d98354e4d1a0c3d43977622ebd03b5 Mon Sep 17 00:00:00 2001
From: Zhuying Li <vend_wsd_am_027@mediatek.com>
Date: Tue, 13 Oct 2020 14:04:21 +0800
Subject: [PATCH 2/3] Use name instead of package name

Can't get package setting info with wrong package name.
The API toStaticSharedLibraryPackageName will build correct package name
with correct information.

Bug: 170699390
Bug: 172232086
Test: manual test pass.
Change-Id: Iad97a3adf19ec37797123070a0662bfc7fc3337c
Signed-off-by: DennySPb <dennyspb@gmail.com>
---
 .../core/java/com/android/server/pm/PackageManagerService.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 6d27250e2416..946a0bb0b443 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -10681,7 +10681,7 @@ private void executeSharedLibrariesUpdateLPr(AndroidPackage pkg,
                     continue;
                 }
                 final PackageSetting staticLibPkgSetting = getPackageSetting(
-                        toStaticSharedLibraryPackageName(sharedLibraryInfo.getPackageName(),
+                        toStaticSharedLibraryPackageName(sharedLibraryInfo.getName(),
                                 sharedLibraryInfo.getLongVersion()));
                 if (staticLibPkgSetting == null) {
                     Slog.wtf(TAG, "Shared lib without setting: " + sharedLibraryInfo);

From 8187642bd1c4814fe20a6b2baec0580ecb71834f Mon Sep 17 00:00:00 2001
From: mar-v-in <github@rvin.mooo.com>
Date: Tue, 18 Oct 2016 21:51:21 +0800
Subject: [PATCH 3/3] PM: Signature spoofing [1/2]

* @neobuddy89: Moved to Global.
---
 core/java/android/provider/Settings.java                  | 8 ++++++++
 .../java/com/android/server/pm/PackageManagerService.java | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index d93627701e0f..5a9c6c316015 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -15790,6 +15790,14 @@ public static final class Global extends NameValueTable {
                 LOCATION_GLOBAL_KILL_SWITCH,
         };
 
+        /**
+         * Whether applications can fake a signature.
+         * 1 = permit apps to fake signature
+         * 0 = disable this feature
+         * @hide
+         */
+        public static final String ALLOW_SIGNATURE_FAKE = "allow_signature_fake";
+
         /**
          * Keys we no longer back up under the current schema, but want to continue to
          * process when restoring historical backup datasets.
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 946a0bb0b443..9c9874efb65d 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -4511,6 +4511,8 @@ private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi,
         try {
             if (permissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")
                     && p.getTargetSdkVersion() > Build.VERSION_CODES.LOLLIPOP_MR1
+                    && android.provider.Settings.Global.getInt(mContext.getContentResolver(),
+                       android.provider.Settings.Global.ALLOW_SIGNATURE_FAKE, 0) == 1
                     && p.getMetaData() != null) {
                 String sig = p.getMetaData().getString("fake-signature");
                 if (sig != null) {