
5 commits

Author SHA1 Message Date
Pranav Vashi
e5106dcec6 init: Do not set safety net props for ENG builds
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
2025-04-17 23:12:25 +00:00
jhenrique09
bd7d27af34 init: Spoof more props
Change-Id: Ic0ddbd6a0dd40c877248f7864082eddab2b32366
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
2025-04-17 23:12:25 +00:00
spezi77
9eef643c87 init: Add more properties to spoof.
Signed-off-by: neobuddy89 <neobuddy89@gmail.com>
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
2025-04-17 23:12:25 +00:00
Alex Naidis
af70f20d4c init: Weaken property override security for the init extension
Sometimes we need to override ro.* properties by using our vendor init
extension.

Previously there was a security check which was blocking that.
To resolve the issue, we need to weaken the security check during the
execution of our vendor init extension.

This is safe because the vendor init extension gets executed as part of init
construction and it is considered a trusted system component.

Change-Id: I6198b453745cb92c65d3e3d49e3262354cddd2a2
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
2025-04-17 23:12:25 +00:00
Danny Lin
35dd4cf950 init: Set properties to make SafetyNet pass
This is a squash of the following commits.

  Author: Danny Lin <danny@kdrag0n.dev>
  Date:   Wed Oct 7 00:24:54 2020 -0700

      init: Set properties to make SafetyNet pass

      Google's SafetyNet integrity checks will check the values of these
      properties when performing basic attestation. Setting fake values helps
      us pass basic SafetyNet with no Magisk Hide or kernel patches necessary.

      Note that these properties need to be set very early, before parsing the
      kernel command-line, as they are read-only properties that the bootloader
      sets using androidboot kernel arguments. The bootloader's real values
      cause SafetyNet to fail with an unlocked bootloader and/or custom
      software because the verified boot chain is broken in that case.

      Change-Id: I66d23fd91d82906b00d5eb020668f01ae83ec31f
      Signed-off-by: Omkar Chandorkar <gotenksIN@aospa.co>

  Author: Jarl-Penguin <jarlpenguin@outlook.com>
  Date:   Wed Jun 16 11:28:46 2021 +0000

      init: Don't spoof SafetyNet properties in recovery mode

      Change-Id: Ib6d3808c3b8f3e0cffab685a24d3cdd436b0fe9b

Change-Id: I0a219245b8e8f59ab1acc31068b4f8f98f708d81
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
2025-04-17 23:11:59 +00:00
2 changed files with 53 additions and 2 deletions


@ -123,6 +123,7 @@ libinit_cc_defaults {
"-DREBOOT_BOOTLOADER_ON_PANIC=0",
"-DSHUTDOWN_ZERO_TIMEOUT=0",
"-DWORLD_WRITABLE_KMSG=0",
"-DSPOOF_SAFETYNET=1",
"-Wall",
"-Werror",
"-Wextra",
@ -150,6 +151,8 @@ libinit_cc_defaults {
cppflags: [
"-USHUTDOWN_ZERO_TIMEOUT",
"-DSHUTDOWN_ZERO_TIMEOUT=1",
"-USPOOF_SAFETYNET",
"-DSPOOF_SAFETYNET=0",
],
},
uml: {
@ -419,6 +422,7 @@ init_first_stage_cc_defaults {
"-DSHUTDOWN_ZERO_TIMEOUT=0",
"-DLOG_UEVENTS=0",
"-DSEPOLICY_VERSION=30", // TODO(jiyong): externalize the version number
"-DSPOOF_SAFETYNET=1",
],
product_variables: {
@ -448,6 +452,8 @@ init_first_stage_cc_defaults {
cflags: [
"-USHUTDOWN_ZERO_TIMEOUT",
"-DSHUTDOWN_ZERO_TIMEOUT=1",
"-USPOOF_SAFETYNET",
"-DSPOOF_SAFETYNET=0",
],
},
},
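Review bot: `-DSPOOF_SAFETYNET=1` goes into the default flags of both `libinit_cc_defaults` and `init_first_stage_cc_defaults` without a comment, so the build file does not say that this define makes init publish fixed verified-boot and build-type property values. The two `-USPOOF_SAFETYNET` / `-DSPOOF_SAFETYNET=0` overrides sit in a product-variable block whose name is outside the hunks (presumably the eng variant, going by the commit title), which would leave the define at 1 for userdebug builds; worth confirming that is intended. I would add a comment above each define, e.g. `// Makes init report locked/verified boot state and user build type; turned off for eng builds`.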


@ -132,6 +132,8 @@ struct PropertyAuditData {
const char* name;
};
static bool weaken_prop_override_security = false;
static int PropertyAuditCallback(void* data, security_class_t /*cls*/, char* buf, size_t len) {
auto* d = reinterpret_cast<PropertyAuditData*>(data);
@ -406,8 +408,8 @@ static std::optional<uint32_t> PropertySet(const std::string& name, const std::s
} else {
prop_info* pi = (prop_info*)__system_property_find(name.c_str());
if (pi != nullptr) {
// ro.* properties are actually "write-once".
if (StartsWith(name, "ro.")) {
// ro.* properties are actually "write-once", unless the system decides to
if (StartsWith(name, "ro.") && !weaken_prop_override_security) {
*error = "Read-only property was already set";
return {PROP_ERROR_READ_ONLY_PROPERTY};
}
@ -1242,6 +1244,9 @@ void PropertyLoadBootDefaults() {
}
}
// Weaken property override security during execution of the vendor init extension
weaken_prop_override_security = true;
// Update with vendor-specific property runtime overrides
vendor_load_properties();
@ -1252,6 +1257,9 @@ void PropertyLoadBootDefaults() {
property_initialize_ro_cpu_abilist();
property_initialize_ro_vendor_api_level();
// Restore the normal property override security after init extension is executed
weaken_prop_override_security = false;
update_sys_usb_config();
}
@ -1410,6 +1418,33 @@ static void ProcessBootconfig() {
});
}
static void SetSafetyNetProps() {
InitPropertySet("ro.boot.flash.locked", "1");
InitPropertySet("ro.boot.vbmeta.device_state", "locked");
InitPropertySet("ro.boot.verifiedbootstate", "green");
InitPropertySet("ro.boot.veritymode", "enforcing");
InitPropertySet("ro.boot.warranty_bit", "0");
InitPropertySet("ro.warranty_bit", "0");
InitPropertySet("ro.debuggable", "0");
InitPropertySet("ro.secure", "1");
InitPropertySet("ro.bootimage.build.type", "user");
InitPropertySet("ro.build.type", "user");
InitPropertySet("ro.build.keys", "release-keys");
InitPropertySet("ro.build.tags", "release-keys");
InitPropertySet("ro.system.build.tags", "release-keys");
InitPropertySet("ro.product.build.type", "user");
InitPropertySet("ro.odm.build.type", "user");
InitPropertySet("ro.system.build.type", "user");
InitPropertySet("ro.system_ext.build.type", "user");
InitPropertySet("ro.vendor.build.type", "user");
InitPropertySet("ro.vendor_dlkm.build.type", "user");
InitPropertySet("ro.vendor.boot.warranty_bit", "0");
InitPropertySet("ro.vendor.warranty_bit", "0");
InitPropertySet("vendor.boot.vbmeta.device_state", "locked");
InitPropertySet("vendor.boot.verifiedbootstate", "green");
InitPropertySet("oplusboot.verifiedbootstate", "green");
}
void PropertyInit() {
selinux_callback cb;
cb.func_audit = PropertyAuditCallback;
@ -1424,6 +1459,16 @@ void PropertyInit() {
LOG(FATAL) << "Failed to load serialized property info file";
}
// Report a valid verified boot chain to make Google SafetyNet integrity
// checks pass. This needs to be done before parsing the kernel cmdline as
// these properties are read-only and will be set to invalid values with
// androidboot cmdline arguments.
if (SPOOF_SAFETYNET) {
if (!IsRecoveryMode()) {
SetSafetyNetProps();
}
}
// If arguments are passed both on the command line and in DT,
// properties set in DT always have priority over the command-line ones.
ProcessKernelDt();
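Review bot: While `weaken_prop_override_security` is true, the write-once check in `PropertySet` is skipped for every `ro.*` property, and in `PropertyLoadBootDefaults` (whose body continues outside the hunks) the flag stays true past `vendor_load_properties()`: the reset only comes after `property_initialize_ro_cpu_abilist()` and `property_initialize_ro_vendor_api_level()`, plus whatever runs in the lines between the two hunks. The comments describe the window as the vendor init extension only, so I would move `weaken_prop_override_security = false;` to directly after `vendor_load_properties();`, or use a small scoped guard so the flag cannot be left set. The rewritten comment in `PropertySet` also stops mid-sentence ("unless the system decides to"); `// ro.* properties are write-once, except while init runs the vendor init extension.` would state the rule. Separately, `SetSafetyNetProps()` has no comment saying that `ro.debuggable`, `ro.secure` and the `*.build.type` values it writes are read-only properties, so any on-device consumer of them would presumably see these fixed values rather than the real build and boot state; the function should document that.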