Changelog 9 - Gello, Jelly and a security advisory

Written on May 15, 2017 by harryyoud

Welcome to LineageOS’ biweekly review, where we go over changes in the last couple of weeks

Major changes since the 2nd of May

  • The autobrightness slider, found in Quick Settings, can now be toggled in Settings > Status bar > Brightness
  • Gello has been dropped in favor of Jelly. Read below for more information
  • Jelly got various improvements, including desktop mode support
  • FlipFlap can now be disabled from within the app
  • Incorrect call durations in Dialer has been fixed
  • Webview has been updated to the latest stable release (based on Chromium 58)
  • Fixed a crash in some 3rd party apps that use the camera under some circumstances

Gello and Jelly

Last month, we introduced a new browser app, codenamed Jelly, made for devices that couldn’t handle a heavier browser such as Gello and/or Chrome.

We’ve been shipping Gello which was based on Chromium m42 (dated April 2015) for too long, and it has recently became unreliable with the latest upstream merges. We’ve finally managed to rebase it up to Chromium m58, but it isn’t going to ship in nightlies.

Gello is really hard to maintain for us, which means users will end up using an old vulnerable Chromium browser far too often. Jelly, instead, is easier to maintain and it depends only on the system webview (you can use Google’s one that’s updated from the Play Store too), so we’ve decided to drop Gello and just ship its little brother.

We’re still looking into a reliable way to allow people who are still interested in obtaining a downloadable Gello, but in the meanwhile you can use our Gello build environment to compile your own Gello m58 APK.

Kernel su-hide to address an important vulnerabilty

It has been claimed that the Privacy Guard implementation of ‘su’ has security vulnerabilities even when disabled. In other words, the mere presence of the su binary is enough to compromise the device.

Unfortunately, the person who reported this vulnerabilty refuses to disclose its exact nature, nor could we make sure to properly fix this exact issue. The next best solution is to ensure that su is only accessible when enabled in the Settings app and keep su disabled when it’s not in use.

We’ve created a kernel patch that hides the existence of su from all processes except root and system when the su daemon is not running (root needs access so that init can start the su daemon, and system needs access in order to populate the root access settings appropriately).

This effectively makes it impossible for unprivileged processes to exploit su when it is disabled in settings. Indeed, it makes it impossible to even see that the su binary exists. It cannot be seen either directly (via stat /system/xbin/su) or indirectly (via ls /system/xbin). A side effect of this, is that Play Services can’t detect su binary when root is disabled either, allowing some (older) devices to pass SafetyNet when root is installed but disabled.

This fix cannot be applied globally but must be merged to each device’s kernel. If your device hasn’t been patched yet, or you’re maintaining a device, take the proper patch and apply it as soon as possible (kernel 3.18, 3.10 and 3.4).

This is a precautionary measure. We are not aware of any active exploits targeting this issue.

Build roster

Changes to 14.1 devices

  • Nextbin Robin - ether has been readded - maintainers: chrmhoffmann, crpalmer, mikeioannina
    • The maintainers have been hard at work over the past couple of weeks squashing bugs and now it’s ready for nightlies again

Removed 14.1 devices

We’d like you to remember that all the devices that are removed from the build roster are just waiting for a new maintainer for nightlies to continue. If you’re interested in maintaining a dropped device, patch it and then submit your work to Gerrit, your contributions will be welcome.