Daniel Micay thestinger Toronto, Ontario, Canada https://twitter.com/DanielMicay Security researcher

thestinger/termite 2630

A keyboard-centric VTE-based terminal, aimed at use within a window manager with tiling and/or tabbing support.

thestinger/playpen 291

A secure application sandbox built with modern Linux sandboxing features - no longer actively developed, but still works fine, use bubblewrap if you need more functionality

thestinger/vte-ng 112

enhanced vte terminal widget

thestinger/allocator 46

experimental high performance, low fragmentation memory allocator

thestinger/paxd-archive 42

PaX exception daemon - Temporarily abandoned due to the PaX and grsecurity patches becoming private

thestinger/hardening-wrapper-deprecated 27

Wrapper scripts for building hardened executables by default (deprecated, replaced by standard Arch Linux toolchain changes)

thestinger/wiki 9

toy wiki implementation

thestinger/util 6

various utility functions and classes

GrapheneOS/branding_extra 5

Branding for everything outside the OS. This is not used as part of the OS.

GrapheneOS/device_google_bonito 5

Pixel 3a and Pixel 3a XL device sources.

push event GrapheneOS/Vanadium

Daniel Micay

commit sha 374e580f75e6eabe0104f4b1cd4cc6772ff059eb

update to 84.0.4147.125

push time in an hour

issue closed GrapheneOS/os_issue_tracker

Error Extracting Files From sargo-factory-2020.08.07.01

Not sure if these two things are related: I get an error when extracting the files from the .zip. 'Error Extracting Files' but they show up extracted in the folder. I upload the OS it gets to the "fastbootd" screen on the Pixel then the loading stops and a <waiting for device> Thanks!

closed time in 3 hours

carl4315

issue comment GrapheneOS/os_issue_tracker

Error Extracting Files From sargo-factory-2020.08.07.01

You should request support on the IRC / Matrix channel. The issue tracker isn't a support platform.

carl4315

comment created time in 3 hours

push event GrapheneOS/platform_system_sepolicy

Daniel Micay

commit sha d2febd0ca4639794f8ec0109f4302b5135b3aa6e

auditallow apk_data_file execute

For libraries, apps should be migrating to the more modern approach of storing them in the apk uncompressed and mapping them directly from it. This is the most modern approach available for executables and is better than using app data, but ideally it wouldn't be done. For now, audit use of `execute_no_trans` anyway while this is given more thought.

Renlord

commit sha 69a57d949b850ff07c0fa051e7d1ad5fb13def5a

remove base system app apk_data_file execute

Daniel Micay

commit sha 085af3195f9bdc90a2ce8a86a7ff6c9a0d544207

remove zygote execmem

GrapheneOS doesn't use the ART JIT compiler.

Daniel Micay

commit sha e629b9de6e78313c0c19c61c6a31234bf1eaec93

remove zygote access to apk_data_file

GrapheneOS doesn't use out-of-band updates for base system apps (with a few exceptions) or APEX, so the zygote should never require this access. GrapheneOS also uses exec-based app spawning so it doesn't benefit from preloading in the standard code path.

Daniel Micay

commit sha 6efc656808d9157635b3f4505d62550c7976a559

remove system_server_startup domain

APEX isn't used for out-of-band updates by GrapheneOS, so this extra attack surface is not required.

push time in 2 days

push event GrapheneOS/grapheneos.org

theaeonsolution

commit sha 9a61980024f2f2fc6267eda5d9c84773a88d5794

reword

push time in 2 days

issue closed GrapheneOS/os_issue_tracker

Notification Light

Hi, I have a Pixel 2 xl, I cannot get the notification light to work, Has always worked on other roms. Possible that your OS doesn't support it?

Thank you,

Brian

closed time in 2 days

Bohica68

issue comment GrapheneOS/os_issue_tracker

Notification Light

It works fine. You'll need to provide more information on what you've tried to do.

Bohica68

comment created time in 2 days

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha 584ffdff087d09ec64a0c19add0747b8dc6bff67

2020.08.07.01 release notes

push time in 2 days

created tag GrapheneOS/platform_manifest

tag QQ3A.200805.001.2020.08.07.01

Repo manifest for the GrapheneOS mobile privacy and security hardening project.

created time in 2 days

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha 925284118a502eef9fb34c899c668cf9e9bef74b

2020.08.07.01 release notes

push time in 2 days

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha 10da83642d2f69583ecd4deb7bd24080bd936764

2020.08.08.13 release notes

push time in 2 days

created tag GrapheneOS/vendor_linaro

tag QQ3A.200805.001.2020.08.07.01

Minimal vendor files for testing on HiKey and HiKey 960. Not suitable for production usage.

created time in 2 days

created tag GrapheneOS/Vanadium

tag QQ3A.200805.001.2020.08.07.01

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS repositories and doesn't include patches not relevant to the build targets used on GrapheneOS.

created time in 2 days

created tag GrapheneOS/script

tag QQ3A.200805.001.2020.08.07.01

Scripting for generating signed production releases of AOSP and metadata for the Updater app along with partially automated maintenance of out-of-tree patch sets.

created time in 2 days

created tag GrapheneOS/platform_packages_apps_Updater

tag QQ3A.200805.001.2020.08.07.01

Automatic background updater for Android. Primarily intended for use with A/B updates but has a fallback path for the legacy recovery system too. See https://github.com/GrapheneOS/script/blob/10/generate_metadata.py for the server metadata generation tool.

created time in 2 days

created tag GrapheneOS/platform_external_seedvault

tag QQ3A.200805.001.2020.08.07.01

Prebuilt repository for https://github.com/stevesoltys/seedvault.

created time in 2 days

created tag GrapheneOS/platform_external_vanadium

tag QQ3A.200805.001.2020.08.07.01

Vanadium integration for GrapheneOS. See https://github.com/GrapheneOS/Vanadium for the Vanadium build configuration and patches.

created time in 2 days

created tag GrapheneOS/platform_external_PdfViewer

tag QQ3A.200805.001.2020.08.07.01

PdfViewer app prebuilt using the latest official release of the PdfViewer app.

created time in 2 days

created tag GrapheneOS/platform_external_Auditor

tag QQ3A.200805.001.2020.08.07.01

Auditor app prebuilt using the latest official release of the Auditor app.

created time in 2 days

created tag GrapheneOS/kernel_google_coral_techpack_audio

tag QQ3A.200805.001.2020.08.07.01

Pixel 4 and Pixel 4 XL audio driver sources.

created time in 2 days

created tag GrapheneOS/kernel_google_coral_drivers_staging_qcacld-3.0

tag QQ3A.200805.001.2020.08.07.01

Pixel 4 and Pixel 4 XL Wi-Fi kernel driver sources.

created time in 2 days

created tag GrapheneOS/kernel_google_crosshatch_techpack_audio

tag QQ3A.200805.001.2020.08.07.01

Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL audio driver sources.

created time in 2 days

created tag GrapheneOS/kernel_google_crosshatch_drivers_staging_qcacld-3.0

tag QQ3A.200805.001.2020.08.07.01

Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL Wi-Fi kernel driver sources.

created time in 2 days

created tag GrapheneOS/hardened_malloc

tag QQ3A.200805.001.2020.08.07.01

Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based platforms. It will gain more portability / integration over time.

created time in 2 days

created tag GrapheneOS/device_google_coral-kernel

tag QQ3A.200805.001.2020.08.07.01

Pixel 4 and 4 XL kernel prebuilts.

created time in 2 days

created tag GrapheneOS/branding

tag QQ3A.200805.001.2020.08.07.01

Stub repository for future branding of the OS including wallpapers, boot animations, etc.

created time in 2 days

created tag GrapheneOS/android-prepare-vendor

tag QQ3A.200805.001.2020.08.07.01

Set of scripts to automate AOSP compatible vendor blobs generation from factory images

created time in 2 days

created tag GrapheneOS/kernel_google_crosshatch

tag QQ3A.200805.001.2020.08.07.01

Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL kernel sources.

created time in 2 days

created tag GrapheneOS/kernel_google_coral

tag QQ3A.200805.001.2020.08.07.01

Pixel 4 and Pixel 4 XL kernel sources.

created time in 2 days

created tag GrapheneOS/kernel_google_wahoo

tag QQ3A.200805.001.2020.08.07.01

Pixel 2 and Pixel 2 XL kernel sources.

created time in 2 days

created tag GrapheneOS/platform_system_sepolicy

tag QQ3A.200805.001.2020.08.07.01

Base SELinux policy

created time in 2 days

created tag GrapheneOS/platform_packages_apps_Launcher3

tag QQ3A.200805.001.2020.08.07.01

GrapheneOS launcher app

created time in 2 days

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha b89ca1e534a96014e1fa3840c689491c66376360

2020.08.08.13 release notes

push time in 2 days

push event GrapheneOS/platform_manifest

Daniel Micay

commit sha 88efab8621b6044bc3e273a0b09472f8c4760029

QQ3A.200805.001.2020.08.07.01

push time in 2 days

created tag GrapheneOS/platform_build

tag QQ3A.200805.001.2020.08.07.01

Make Build System (being phased out upstream)

created time in 2 days

created tag GrapheneOS/platform_bionic

tag QQ3A.200805.001.2020.08.07.01

Hardened Android standard C library. Some of the past hardening has not yet been ported from Marshmallow, Nougat and Oreo to this Android Pie repository. Most is available via archived tags in https://github.com/AndroidHardeningArchive/platform_bionic (check both the most recent Oreo and Nougat tags).

created time in 2 days

created tag GrapheneOS/kernel_configs

tag QQ3A.200805.001.2020.08.07.01

Base and recommended kernel configurations. The base configurations are enforced by the VTS and are modified to permit GrapheneOS changes.

created time in 2 days

created tag GrapheneOS/device_linaro_hikey

tag QQ3A.200805.001.2020.08.07.01

HiKey and HiKey 960 device sources.

created time in 2 days

created tag GrapheneOS/device_google_wahoo

tag QQ3A.200805.001.2020.08.07.01

Common Pixel 2 and Pixel 2 XL device sources.

created time in 2 days

created tag GrapheneOS/device_google_taimen

tag QQ3A.200805.001.2020.08.07.01

Pixel 2 XL device sources not shared with the Pixel 2.

created time in 2 days

created tag GrapheneOS/device_google_muskie

tag QQ3A.200805.001.2020.08.07.01

Pixel 2 device sources not shared with the Pixel 2 XL.

created time in 2 days

created tag GrapheneOS/device_google_crosshatch-sepolicy

tag QQ3A.200805.001.2020.08.07.01

Pixel 3 and Pixel 3 XL device SELinux policy extensions.

created time in 2 days

created tag GrapheneOS/device_google_crosshatch

tag QQ3A.200805.001.2020.08.07.01

Pixel 3 and Pixel 3 XL device sources.

created time in 2 days

created tag GrapheneOS/device_google_coral-sepolicy

tag QQ3A.200805.001.2020.08.07.01

Pixel 4 and Pixel 4 XL SELinux policy extensions.

created time in 2 days

created tag GrapheneOS/device_google_coral

tag QQ3A.200805.001.2020.08.07.01

Common Pixel 4 and Pixel 4 XL device sources.

created time in 2 days

created tag GrapheneOS/device_google_bonito-sepolicy

tag QQ3A.200805.001.2020.08.07.01

Pixel 3a and Pixel 3a XL SELinux policy extensions.

created time in 2 days

created tag GrapheneOS/device_google_bonito

tag QQ3A.200805.001.2020.08.07.01

Pixel 3a and Pixel 3a XL device sources.

created time in 2 days

created tag GrapheneOS/device_generic_goldfish

tag QQ3A.200805.001.2020.08.07.01

Temporary fork until Android 11 when the Python compatibility issue is resolved upstream.

created time in 2 days

created tag GrapheneOS/device_common

tag QQ3A.200805.001.2020.08.07.01

Common device sources.

created time in 2 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 7f338a068495d3e6b79de263b9ede20753f0c261

validate that passwords are valid Unicode

push time in 2 days

pull request comment GrapheneOS/Vanadium

remove learn more button from the incognito new tab page

I think you should be able to just make it properly hidden / inactive rather than removing the text.

refragable

comment created time in 3 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 34531cae729913bf4661006f85a391d7ca3ae3ad

remove legacy ALTER TABLE migration code

push time in 3 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 5213c98329c01b5bf404e576a7f5b2476ca6aa7a

fetch current user_version

push time in 3 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 7a1c3178846a31b0b475345653f094338b18fb93

fetch current user_version

push time in 3 days

pull request comment GrapheneOS/Vanadium

remove learn more button from the incognito new tab page

Ideally this change would be a lot less invasive such as hiding the link rather than actually removing it to reduce the changes required.

refragable

comment created time in 3 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha ed3d67f5053d3eb602107d6802b17fb2119afa48

add a comment about adding COLLATE NOCASE

Daniel Micay

commit sha 9ef73e063ebd2843f80b4bc924a868b0d4fc6bde

document COLLATE NOCASE compatibility approach

push time in 4 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha b8284160f2fe7c4ddc19e6b84f93ac51fdf95775

use COLLATE NOCASE for username column

This is only applied for new deployments for compatibility.

push time in 4 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 629d22beb1722a85e993e6b726f77029fd2411ad

include username in emails

push time in 4 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 99fc010203b6f7a16a4ade1042ca4446c1905d93

clearer variable names for email configuration

push time in 4 days

issue closed GrapheneOS/os_issue_tracker

Selinux hardening is crashing a few apps

The selinux policy hardening crashes certain apps that try to execute native code. Examples are Orbot and Syncthing.

This seems to be the selinux denial

avc: denied { execute_no_trans } for comm=4173796E635461736B202331 path="/data/app/com.nutomic.syncthingandroid-CrK2Oi_6UwwLkTcdpnHw8w==/lib/arm64/libsyncthing.so" dev="sda13" ino=2573634 scontext=u:r:untrusted_app_27:s0:c104,c257,c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.nutomic.syncthingandroid

closed time in 4 days

anupritaisno1

issue comment GrapheneOS/os_issue_tracker

Selinux hardening is crashing a few apps

This is fixed and there will be a new release addressing it. However, I'm concerned that it took so long to get a report that apps using native executables via the proper mechanism are broken.

anupritaisno1

comment created time in 4 days

push event GrapheneOS/platform_system_sepolicy

Daniel Micay

commit sha 33a6efeee31c2b0ad600b71301eb05b4642ac6f8

auditallow apk_data_file execute

Renlord

commit sha 2af71688f970579287751105250cf8aff4771f6b

remove base system app apk_data_file execute

Daniel Micay

commit sha d800c3cc164ad8452411bcbe1cbc2793857de5c0

remove zygote execmem

GrapheneOS doesn't use the ART JIT compiler.

Daniel Micay

commit sha 1572c22de1e53a8448527a1a7e8dc2d857df780c

remove zygote access to apk_data_file

GrapheneOS doesn't use out-of-band updates for base system apps (with a few exceptions) or APEX, so the zygote should never require this access. GrapheneOS also uses exec-based app spawning so it doesn't benefit from preloading in the standard code path.

Daniel Micay

commit sha a53867442547016159e279fa5c6f68ad7e2e7fdb

remove system_server_startup domain

APEX isn't used for out-of-band updates by GrapheneOS, so this extra attack surface is not required.

push time in 4 days

issue comment GrapheneOS/os_issue_tracker

Selinux hardening is crashing a few apps

I don't understand why this wasn't reported much earlier.

anupritaisno1

comment created time in 4 days

push event GrapheneOS/AttestationServer

Daniel Micay

commit sha 2a3a335bddd0e8455502c12ddbdf312a2387ec75

update site generation dependencies

push time in 5 days

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha 51f86a59714d2ebdf2dd9894202157065a36199c

update site generation dependencies

push time in 5 days

push event GrapheneOS/grapheneos.org

Daniel Micay

commit sha 0e1758df960daa4cf64f52e63214e0f8c55bbbea

update static releases listing

push time in 5 days

push event GrapheneOS/hardened_malloc

Daniel Micay

commit sha bcb93cab639176078b881911b7f7686c759f6052

avoid an ifdef

Daniel Micay

commit sha dd7291ebfeedfa475e2f27079a2ed454245fd810

better wording for page size mismatch error

Daniel Micay

commit sha ccebbd0c176f772eb2824969ac4bf80feb7c8635

temporary workarounds for bugs

Daniel Micay

commit sha 526ccd915180ae9d0464f4e92c1c485c2ec91dec

workaround for audio service sorting bug

push time in 5 days

push event GrapheneOS/hardened_malloc

Daniel Micay

commit sha dd7291ebfeedfa475e2f27079a2ed454245fd810

better wording for page size mismatch error

push time in 5 days

issue comment GrapheneOS/PdfViewer

publish to f-droid?

https://f-droid.org/en/packages/org.ninthfloor.copperpdf/ is a fork of an early alpha version of this code and was never really actively developed.

szaimen

comment created time in 5 days
