Introduction

Google publishes the Android Security Bulletin (ASB) on the first Monday of each month, listing details of the security vulnerabilities affecting Android devices.

This bulletin mentions a Security patch level of YYYY-MM-01 or YYYY-MM-05. These are the dates on which the patches are tagged. Read more in How Monthly Android Security Patch Updates Work by XDA.

Android Security patch level is mentioned in the Settings -> About Phone section.

Now, AOSP has a ton of repositories that get downloaded when we do a repo sync. These projects are listed in the manifest. You can browse them all here: https://github.com/orgs/aosp-mirror/repositories.

After the platform fixes (patches) are merged into AOSP, the security-related patches are tagged with the prefix android-security-12.0.0_rXY (X and Y being the version number, incrementing with each release).

Example: Tag android-security-12.0.0_r43 on repo platform_build. https://github.com/aosp-mirror/platform_build/releases/tag/android-security-12.0.0_r43

Most custom ROM projects maintain forked versions of these repositories in order to customize them. The security patches are then pulled into their respective forks. After all the security patches are merged, the security string is updated to the corresponding Security patch level mentioned in the ASB.

The security patch level is present in platform/build/core/version_defaults.mk inside a variable PLATFORM_SECURITY_PATCH.

Take a look at this commit history for LineageOS: Update Security String to YYYY-MM-DD

Manual way of merging security patches

So now that we know how the whole thing works, we have to get these security patches merged from AOSP into our own (forked) source.

Assuming you know how to sync sources, we first sync the clean AOSP source as-is, following Downloading the Source | Android Open Source Project.

Then perform the following steps to get the security patches from android-security-12.0.0_r43, given that the version we are currently patched with is android-security-12.0.0_r42:

  1. Sync last month’s AOSP tag, or the tag we have already patched against previously.

    • Suppose we want to merge android-security-12.0.0_r43, released in January 2023.
    • We sync android-security-12.0.0_r42:

        repo init -u https://android.googlesource.com/platform/manifest \
            -b android-security-12.0.0_r42 --depth=1

        repo sync --force-sync --current-branch --no-clone-bundle \
            --optimized-fetch --prune -j$(nproc --all)

  2. Fetch the present month’s tag (the latest tag).

    • We use repo forall:

        repo forall -p -c 'git fetch aosp android-security-12.0.0_r43'

  3. Diff the commits and save the commit hashes to a file.

        repo forall -p -c 'git log --oneline HEAD..FETCH_HEAD' \
            > 12.0.0_r42-to-12.0.0_r43.diff.txt

    • The commit hashes will be present in the file 12.0.0_r42-to-12.0.0_r43.diff.txt.

  4. Cherry-pick these commits into the specific repos.

    • For a project such as frameworks/base, if we have a fork, we cherry-pick the above-mentioned commits into it.
    • If we are dealing with CAF-based ROMs such as AOSPA (Paranoid Android), we clone the repo/project from CAF and then cherry-pick the above-mentioned commits from AOSP.
    • As an example, the LineageOS team has done the same: https://review.lineageos.org/q/topic:S_asb_2023-01

  5. Done! We have added all the security patches to our sources and are ready to ship them with the next release.
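Steps 3 and 4 are easy to get wrong by hand, because git log lists commits newest first while cherry-picks must be applied oldest first. The helper below is an added example (not part of the original post or of any ROM project's tooling): it parses the 12.0.0_r42-to-12.0.0_r43.diff.txt file produced by repo forall -p, assuming the "project <path>/" header format that repo prints, and emits one cherry-pick command per forked project in the correct order. The sample input and the set of forked projects are constructed for illustration.

```python
"""Turn `repo forall -p -c 'git log --oneline HEAD..FETCH_HEAD'` output
into per-project cherry-pick commands, oldest commit first."""
import re
from collections import OrderedDict

# Assumption: `repo forall -p` prefixes each project's output with "project <relpath>/".
HEADER = re.compile(r"^project (\S+)/$")
COMMIT = re.compile(r"^([0-9a-f]{7,40})(?: (.*))?$")

# Constructed sample of the diff file; hashes and subjects are made up.
SAMPLE = """\
project build/make/

1a2b3c4 Constructed: bump PLATFORM_SECURITY_PATCH to 2023-01-05
project frameworks/base/

9f8e7d6 Constructed: later security fix
5e4d3c2 Constructed: earlier security fix
"""


def parse_repo_log(text):
    """Return {project_path: [(sha, subject), ...]} in git-log order (newest first)."""
    projects = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            projects.setdefault(current, [])
            continue
        commit = COMMIT.match(line)
        if commit is None or current is None:
            raise ValueError("unexpected line in repo forall output: %r" % line)
        projects[current].append((commit.group(1), commit.group(2) or ""))
    return projects


def cherry_pick_plan(projects, forked_paths):
    """One `git -C <path> cherry-pick <shas...>` per forked project.
    The sha list is reversed so fixes apply in the order AOSP landed them."""
    plan = []
    for path, commits in projects.items():
        if path not in forked_paths or not commits:
            continue
        shas = [sha for sha, _subject in reversed(commits)]
        plan.append("git -C %s cherry-pick %s" % (path, " ".join(shas)))
    return plan
```

Projects that exist in AOSP but are not forked by the ROM are skipped, since those are taken straight from the manifest at the new tag rather than patched.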

✅ We can now add a new commit to android_build/core/version_defaults.mk updating the security patch level string in the variable PLATFORM_SECURITY_PATCH, with the commit message Bump Security String to 2023-01-05.


Credits: