Introduction
Google publishes the Android Security Bulletin (ASB) on the first Monday of each month, listing the security vulnerabilities fixed in Android that month.
Each bulletin names two security patch levels, YYYY-MM-01 and YYYY-MM-05. A device at the -01 level carries the fixes for the AOSP framework and system components; the -05 level additionally covers the kernel and vendor component issues listed in the same bulletin. These are the dates the AOSP security tags and the security string (described below) are bumped to.
Read more in How Monthly Android Security Patch Updates Work by XDA.
The Android security patch level of a device is shown under Settings -> About Phone.
Now, AOSP consists of a large number of repositories (projects) that get downloaded when we run `repo sync`.
These projects are listed in the manifest. You can browse mirrors of them all here: https://github.com/orgs/aosp-mirror/repositories.
After the platform fixes (patches) for a bulletin are merged into AOSP, the resulting state of every project is tagged with a tag of the form android-security-12.0.0_rXY (with XY incrementing for each release on that security branch).
Example: tag android-security-12.0.0_r43 on the repo platform_build:
https://github.com/aosp-mirror/platform_build/releases/tag/android-security-12.0.0_r43
Most custom ROM projects maintain forked versions of these repositories to customize them, and the security patches are then pulled into their respective forks.
After all the security patches for a bulletin are merged, the security string is updated to the corresponding security patch level mentioned in the ASB.
The security patch level is defined in platform/build/core/version_defaults.mk in the variable PLATFORM_SECURITY_PATCH.
Take a look at the LineageOS commit history for commits titled Update Security String to YYYY-MM-DD.
Manual way of merging security patches
Now that we know how the whole thing works, we have to get these security patches merged from AOSP into our own (forked) source.
Assuming you know how to sync sources (see Downloading the Source | Android Open Source Project), we first sync a clean AOSP checkout at the tag we are already patched to, android-security-12.0.0_r42, and then pull in the patches from the new tag, android-security-12.0.0_r43, with the following steps:
- Sync last month's AOSP tag, i.e. the tag we have already patched to. Suppose we want to merge android-security-12.0.0_r43, released in January 2023; we then sync android-security-12.0.0_r42:

  ```shell
  repo init -u https://android.googlesource.com/platform/manifest \
      -b android-security-12.0.0_r42 --depth=1
  repo sync --force-sync --current-branch --no-clone-bundle \
      --optimized-fetch --prune -j$(nproc --all)
  ```

- Fetch the present month's tag (the latest tag) into every project with `repo forall`. The AOSP manifest names its remote `aosp`, which is why this command works unmodified on a clean AOSP checkout:

  ```shell
  repo forall -p -c 'git fetch aosp android-security-12.0.0_r43'
  ```

- Diff the two tags and save the commit hashes to a file. `HEAD..FETCH_HEAD` lists the commits reachable from the new tag but not from the tag we synced, i.e. exactly this month's patches, grouped per project by `-p`:

  ```shell
  repo forall -p -c 'git log --oneline HEAD..FETCH_HEAD' \
      > 12.0.0_r42-to-12.0.0_r43.diff.txt
  ```

  The commit hashes will be present in the file 12.0.0_r42-to-12.0.0_r43.diff.txt, each group preceded by a `project <path>/` header. With `-p`, `repo forall` prints that header only for projects that produce output, so projects with no new commits between the two tags simply do not appear in the file.

- Cherry-pick these commits into the specific repos. For a project such as frameworks/base, if we have a fork, we cherry-pick the above-mentioned commits into it. Note that `git log` prints newest first, so cherry-pick them oldest first (or hand the whole range to `git cherry-pick`, which applies it in order). If we are dealing with CAF-based ROMs such as AOSPA (paranoidandroid), we clone the repo/project from CAF and then cherry-pick the above-mentioned commits from AOSP. As an example, the LineageOS team has done the same: https://review.lineageos.org/q/topic:S_asb_2023-01

- Done! We have added all the security patches to our sources and are ready to ship them with the next release.

✅ We can now add a new commit to android_build/core/version_defaults.mk (the ROM's fork of platform/build) updating the security patch level string in the variable PLATFORM_SECURITY_PATCH, with the message Bump Security String to 2023-01-05.
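As an added example (not from the original post and not tooling from any ROM project), the following POSIX shell helpers turn the 12.0.0_r42-to-12.0.0_r43.diff.txt file produced in the diff step into a cherry-pick plan for the cherry-pick step. They rely only on the `project <path>/` header format that `repo forall -p` prints; the sample file they build is constructed to match that shape and contains made-up hashes and commit subjects. Two things the steps above do not spell out are handled here: `git log` lists commits newest first, so the hashes are reversed before cherry-picking, and `-x` records the AOSP commit id in each cherry-picked commit so the origin of every fix stays traceable in the fork's history.

```shell
#!/usr/bin/env sh
# Helpers for turning the per-project commit list written by
#   repo forall -p -c 'git log --oneline HEAD..FETCH_HEAD' > 12.0.0_r42-to-12.0.0_r43.diff.txt
# into cherry-pick commands for a forked tree.
# `repo forall -p` prefixes each project's output with a header line of the
# form "project <path>/" and separates projects with a blank line.

# List the project paths that received at least one commit between the two tags,
# in order of first appearance. The trailing "/" of the header is stripped.
projects_with_patches() {
    awk '
        /^project / { proj = substr($2, 1, length($2) - 1); next }
        NF && proj != "" { if (!(proj in seen)) { seen[proj] = 1; print proj } }
    ' "$1"
}

# Print the commit hashes for one project, oldest first.
# git log --oneline prints newest first; applying the picks in that order would
# apply fixes out of sequence and conflict needlessly, so the list is reversed.
commits_for() {
    awk -v want="$2" '
        /^project / { proj = substr($2, 1, length($2) - 1); next }
        NF && proj == want { hashes[++n] = $1 }
        END { for (i = n; i >= 1; i--) print hashes[i] }
    ' "$1"
}

# Emit one cherry-pick command per patched project, to be run from the root of
# the forked tree. -x appends "(cherry picked from commit ...)" to each new
# commit message so the AOSP origin of every fix is recorded in the fork.
cherry_pick_plan() {
    projects_with_patches "$1" | while IFS= read -r proj; do
        hashes=$(commits_for "$1" "$proj" | tr '\n' ' ')
        printf 'git -C %s cherry-pick -x %s\n' "$proj" "${hashes% }"
    done
}

# Constructed sample in the shape `repo forall -p` produces; hashes and
# subjects are made up and are not real AOSP commits.
write_sample() {
    cat > "$1" <<'EOF'
project frameworks/base/
c0ffee3 Constructed sample fix 3 (newest)
c0ffee2 Constructed sample fix 2
c0ffee1 Constructed sample fix 1 (oldest)

project packages/apps/Settings/
dec0de1 Constructed sample fix A
EOF
}

# Usage: cherry_pick_plan 12.0.0_r42-to-12.0.0_r43.diff.txt
# Running the script with --demo prints the plan for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    write_sample "$sample"
    cherry_pick_plan "$sample"
    rm -f "$sample"
fi
```

Run `cherry_pick_plan 12.0.0_r42-to-12.0.0_r43.diff.txt` from the root of the forked tree and review the printed commands before executing them. Projects your ROM does not fork, or has replaced with CAF trees as described in the cherry-pick step, still need to be handled by hand; the plan only tells you which AOSP commits belong to which project and in what order.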
Credits:
- 🙌 Kudos to Jake from the paranoidandroid team for sharing this with me a few years ago.
- The green Android robot image used in the thumbnail/cover image is from https://developer.android.com/distribute/marketing-tools/brand-guidelines#android_robot