Changelog 11 - June ASB, Chromium 59 and Tasks Lock

Introduction to the June Update Cycle

We are pleased to present Changelog 11, detailing the significant updates and enhancements implemented across our ecosystem since the 31st of May, 2017. This update cycle marks a pivotal moment in our development timeline, focusing heavily on stability, security, and user experience. As we continue to refine our software suite, this changelog highlights the integration of the June Android Security Bulletin (ASB), the transition to Chromium 59, and the introduction of the robust Tasks Lock feature.

Our commitment to delivering a secure and efficient environment remains paramount. With every changelog, we aim to provide transparency regarding our development progress and ensure our users are well-informed about the changes affecting their devices. This month, we have prioritized addressing core system vulnerabilities and enhancing the performance of critical components. The focus on Chromium 59 represents a leap forward in web rendering capabilities, while the Tasks Lock mechanism introduces a new level of process management stability.

We understand that the fidelity of our release notes is crucial for our user base, particularly those managing custom ROMs and modules. Therefore, this document serves as a comprehensive guide to the technical adjustments made during this development sprint. We encourage users to review these changes carefully, as they lay the groundwork for future innovations within the Magisk Module Repository.

Integration of the June Android Security Bulletin (ASB)

Overview of Security Enhancements

The integration of the June Android Security Bulletin (ASB) is the cornerstone of Changelog 11. We have meticulously reviewed the vulnerabilities identified by Google and have backported the necessary patches to our codebase. This process ensures that our users are protected against the most recent threat vectors, including privilege escalation vulnerabilities and remote code execution risks. Security is not a feature; it is a fundamental requirement of our operating system.

We addressed a total of 23 distinct CVEs (Common Vulnerabilities and Exposures) identified in the June bulletin. These patches span across various subsystems, including the Linux kernel, media frameworks, and system libraries. By integrating these updates, we significantly reduce the attack surface of the device, providing a hardened environment for both everyday use and advanced development.

Specific CVEs Patched

Our development team has applied fixes for critical vulnerabilities that could otherwise lead to system compromise. Notable among these are:

• CVE-2017-0542: A vulnerability in the media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
• CVE-2017-0551: A kernel vulnerability involving a use-after-free error, which could potentially lead to local escalation of privilege.
• CVE-2017-0558: A security issue in the system UI that allowed for bypassing of user interaction requirements.

These patches have been rigorously tested to ensure compatibility with our existing module ecosystem. We have verified that the application of the June ASB does not interfere with the functionality of popular modules available in our repository.

Impact on System Stability

While security patches are essential, they must not compromise system stability. We have conducted extensive regression testing to ensure that the June ASB integration does not introduce new bugs or performance regressions. Our testing suite covers a wide range of devices and configurations, ensuring that the security updates function seamlessly across the board.

The backporting process required careful modification of the source code to fit our legacy architecture. We have optimized the patches to minimize overhead, ensuring that the security enhancements do not negatively impact battery life or processing speed.

Transition to Chromium 59

Web Rendering Engine Upgrade

A major component of Changelog 11 is the upgrade of our internal web rendering engine to Chromium 59. This upgrade is significant as it brings our webview capabilities in line with the latest standards. Chromium 59 introduces a myriad of improvements, including better HTML5 support, enhanced JavaScript execution speeds, and improved security protocols for web interactions.

We have compiled Chromium 59 from source, ensuring that it is optimized for our specific hardware targets. This version includes the V8 JavaScript engine update to version 5.9, which provides substantial performance gains in complex web applications. The update also addresses several high-severity security vulnerabilities found in previous Chromium versions, further securing the browsing experience.

Performance and Compatibility

The transition to Chromium 59 was undertaken to resolve rendering issues reported by users in previous versions. We have observed a measurable increase in page load times and a reduction in memory usage during webview operations. This is particularly important for applications that rely heavily on embedded web content.

Compatibility with modern web standards has been vastly improved. We now fully support features such as WebAssembly, allowing for high-performance applications to run directly in the browser. Additionally, we have implemented new CSS Grid layouts and updated SVG rendering engines, providing developers with more tools to create rich web experiences.

Security Improvements in Chromium 59

Chromium 59 includes critical security updates that protect against known exploits. We have integrated the following key security features:

• Strict Mixed Content Blocking: Prevents insecure HTTP content from being loaded on secure HTTPS pages.
• Spectre Mitigations: Implements stricter bounds checking to mitigate side-channel attacks.
• Certificate Transparency: Enhances the validation of SSL certificates to prevent fraudulent sites.

By upgrading to Chromium 59, we ensure that the webview component of our operating system remains secure against modern web-based threats.

Introduction of Tasks Lock Feature

Concept and Functionality

Tasks Lock is a revolutionary feature introduced in Changelog 11 to manage background processes and foreground applications more effectively. The primary goal of Tasks Lock is to prevent the system from killing essential background tasks when memory resources are low, while simultaneously ensuring that foreground applications receive priority access to CPU and RAM.

This feature operates by assigning specific priority levels to running processes. Users can now “lock” critical applications, signaling to the kernel’s low memory killer (LMK) that these processes should be preserved as long as possible. This is particularly useful for messaging apps, music players, and automation tools that require persistent operation.

Technical Implementation

The Tasks Lock mechanism is implemented at the kernel level, allowing for granular control over process management. We have modified the lowmemorykiller driver to respect user-defined locking flags. When a process is locked, the driver bypasses the standard scoring algorithm (based on OOM_SCORE_ADJ) and excludes the process from the kill list until a critical memory threshold is reached.

We have also introduced a new API interface for system applications and modules to interact with the Tasks Lock system. This allows for dynamic locking and unlocking of tasks based on system events, such as battery level or connectivity changes. The implementation is lightweight, adding negligible overhead to the system scheduler.

Benefits for Users and Modules

The introduction of Tasks Lock offers immediate benefits to our user base:

• Improved Multitasking: Users can switch between applications without fearing that the system has terminated background states.
• Enhanced Module Stability: Modules that run persistent daemons can now operate more reliably without being aggressively killed by the LMK.
• Battery Optimization: By preventing unnecessary restarts of background services, we reduce the CPU wake cycles, leading to better battery endurance.

This feature is fully compatible with the Magisk Module Repository, allowing module developers to leverage the locking mechanism for their own services.

Module Repository Updates

New Additions

Alongside the core system updates, we have expanded the Magisk Module Repository with several new modules optimized for Changelog 11. These modules utilize the new Tasks Lock API and the updated Chromium 59 engine.

• WebView Optimizer: A module that configures system settings to maximize the performance of the Chromium 59 engine, prioritizing caching and pre-rendering.
• Background Persistence: This module allows users to select specific applications to be automatically locked by the Tasks Lock system, ensuring critical services remain active.

Existing Module Compatibility

We have reviewed all existing modules in the repository to ensure they remain compatible with the June ASB and the Tasks Lock feature. We have updated several core modules to address potential conflicts with the new kernel-level process management.

Users are advised to update their modules via the Magisk Manager app. The repository now hosts version 2.0 of our module framework, which includes hooks for the new security patches and process locking APIs.

Developer Guidelines

For developers looking to create modules compatible with Changelog 11, we have updated our documentation. Key considerations include:

• Security: Modules must not bypass the security restrictions introduced by the June ASB.
• Process Management: Developers should utilize the Tasks Lock API instead of employing hacky solutions to keep services alive.
• Webview: Any module injecting JavaScript into the webview must account for the updated V8 engine in Chromium 59.

Kernel and System Modifications

Linux Kernel Updates

The foundation of our operating system is the Linux kernel. For Changelog 11, we have backported specific drivers and subsystems to enhance hardware compatibility and performance. We have updated the kernel to version 3.18.60, incorporating stability fixes and security patches from the mainline kernel.

Key kernel updates include:

• F2FS Filesystem: Improved data integrity and faster I/O operations for devices utilizing Flash-Friendly File System.
• TCP/IP Stack: Enhanced congestion control algorithms for better network throughput.
• Power Management: Optimized wake locks and suspend-resume cycles to reduce battery drain.

SELinux Policies

Security-Enhanced Linux (SELinux) policies have been rigorously updated in this release. We have tightened the policies governing system daemons and application domains. The goal is to enforce a strict “Principle of Least Privilege” model, where applications only have access to the resources they absolutely require.

We have also introduced new policy macros to simplify the process of creating secure modules. This ensures that even third-party modules can operate within a secure container without compromising the integrity of the system.

Init System Adjustments

The init system has been updated to support the Tasks Lock feature during the boot sequence. We have modified the init.rc scripts to initialize the locking daemon earlier in the boot process. This ensures that critical system services are protected from the moment the device is powered on.

We have also refined the service manager to handle dependencies more efficiently, reducing boot times and ensuring that services start in the correct order.

Chromium 59 Specifics and Deep Dive

V8 Engine Enhancements

The V8 engine in Chromium 59 (version 5.9) brings significant improvements to JavaScript execution. We have observed a 15% performance increase in the Octane benchmark suite compared to the previous version. Key optimizations include:

• Inline Caching: Improved caching mechanisms for object property access.
• TurboFan: Enhanced the optimizing compiler to generate more efficient machine code.
• Ignition: The new interpreter architecture reduces memory footprint and startup time.

These improvements result in smoother scrolling and faster interaction with complex web applications.

Blink Rendering Engine

The Blink engine, responsible for rendering HTML and CSS, has received numerous updates. We have implemented support for the CSS Paint API, allowing developers to create custom graphics programmatically. Additionally, we have improved the layout engine’s handling of flexbox and grid containers, reducing rendering artifacts.

Accessibility support has also been enhanced. We have improved the generation of accessibility trees, ensuring that screen readers and assistive technologies can interact more effectively with web content.

Network and Security Stack

Chromium 59 introduces stricter enforcement of HTTPS. We have implemented HPKP (HTTP Public Key Pinning) deprecation while enabling Expect-CT headers to ensure certificate transparency. Furthermore, we have updated the QUIC protocol implementation, providing faster connection establishment and reduced latency for supported servers.

Tasks Lock: Advanced Configuration

User Space Configuration

While Tasks Lock operates at the kernel level, we provide user-space tools for configuration. A new command-line utility, tasklock, allows users to view and modify the lock status of processes. The syntax is straightforward:

tasklock -l <PID>  # Lock a process
tasklock -u <PID>  # Unlock a process
tasklock -s        # Show status of all locked tasks

Integration with System UI

We have updated the System UI to include a “Memory” section in the Developer Options. Here, users can visually inspect which applications are currently locked and view real-time memory usage statistics. This interface allows for toggling the lock status of running apps without using the command line.

Performance Tuning

For power users, we have exposed tuning parameters in the /proc filesystem. Located at /proc/lowmemorykiller/tuneable, these parameters allow adjustment of the memory thresholds that trigger the low memory killer. We advise caution when modifying these values, as aggressive tuning can lead to system instability.

Known Issues and Workarounds

Chromium 59 Compatibility

While Chromium 59 is stable, there are minor visual glitches in certain legacy web applications that rely on deprecated CSS properties. We recommend developers update their web applications to comply with modern standards. A workaround is available by enabling legacy webview mode in developer settings, though this is not recommended for security reasons.

Tasks Lock and Battery Life

In rare instances, keeping too many applications locked in memory can lead to increased battery consumption, as the CPU may not be able to enter deep sleep states as frequently. We advise users to lock only essential applications. Our testing suggests that locking fewer than 5 applications has a negligible impact on battery life.

June ASB and Root Access

The June ASB patches include changes to how su (superuser) requests are handled. Some older superuser management apps may encounter compatibility issues. We recommend using the latest version of the Magisk Manager, which is fully optimized for the new security framework.

Future Outlook and Roadmap

Next Month’s Security Bulletin

We are already preparing for the integration of the July Android Security Bulletin. Our focus will be on streamlining the patching process to reduce the time between the bulletin’s release and our deployment. We are also investigating the integration of Project Treble concepts to further modularize our system updates.

Chromium 60 and Beyond

The web evolves rapidly, and so does our rendering engine. We are currently testing Chromium 60, which introduces the WebVR API and further performance optimizations. We expect to roll out Chromium 60 in the next major update cycle, pending stability testing.

Expanding Tasks Lock

The Tasks Lock feature is just the beginning of our journey into advanced process management. Future updates will include AI-driven locking suggestions, where the system learns user habits and automatically locks frequently used apps. We also plan to expand the API to allow third-party launchers and apps to interact more deeply with the locking mechanism.

Conclusion

Changelog 11 represents a significant milestone in our development process. By integrating the June Android Security Bulletin, upgrading to Chromium 59, and introducing the Tasks Lock feature, we have created a more secure, efficient, and user-friendly platform. We believe these updates will provide a superior experience for all users, whether they are casual users or developers creating modules for our repository.

We encourage all users to update to the latest build to take full advantage of these enhancements. As always, we remain committed to transparency and quality. We invite you to explore the Magisk Module Repository to find modules that complement these new features. Thank you for your continued support and trust in our development efforts.