DivestOS/Patches/LineageOS-14.1/android_system_core/0001-Harden.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Wed, 28 Jun 2017 07:54:49 -0400
Subject: [PATCH] Harden

Change-Id: I46e3fc4ac896a509ab8ca90ae4ce09b820da434b
[tad@spotco.us]: added protected fifos and regular from newer GrapheneOS patches
[tad@spotco.us]: added IPv6 privacy options TODO split into another patch
---
 init/init.cpp   |  6 +++---
 rootdir/init.rc | 11 +++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/init/init.cpp b/init/init.cpp
index 7a370596e..35bf44a7b 100755
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -579,10 +579,10 @@ int main(int argc, char** argv) {
         mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
         mkdir("/dev/pts", 0755);
         mkdir("/dev/socket", 0755);
-        mount("devpts", "/dev/pts", "devpts", 0, NULL);
+        mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
         #define MAKE_STR(x) __STRING(x)
-        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
-        mount("sysfs", "/sys", "sysfs", 0, NULL);
+        mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
+        mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
     }
 
     // We must have some place other than / to create the device nodes for
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 40a36402e..4abc6d1a8 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -126,6 +126,17 @@ on init
     write /proc/sys/kernel/sched_child_runs_first 0
 
     write /proc/sys/kernel/randomize_va_space 2
+    write /proc/sys/kernel/dmesg_restrict 1
+    write /proc/sys/fs/protected_hardlinks 1
+    write /proc/sys/fs/protected_symlinks 1
+    write /proc/sys/fs/protected_fifos 1
+    write /proc/sys/fs/protected_regular 1
+    write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+    write /proc/sys/net/ipv6/conf/all/max_addresses 128
+    write /proc/sys/net/ipv6/conf/all/temp_prefered_lft 21600
+    write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+    write /proc/sys/net/ipv6/conf/default/max_addresses 128
+    write /proc/sys/net/ipv6/conf/default/temp_prefered_lft 21600
     write /proc/sys/kernel/kptr_restrict 2
     write /proc/sys/vm/mmap_min_addr 32768
     write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
Refresh most branch specific patches Fixed up: LineageOS-16.0/android_packages_apps_Backgrounds/308977.patch LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch LineageOS-17.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch LineageOS-18.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch Must review again: LineageOS-14.1/android_packages_apps_PackageInstaller/64d8b44.patch Signed-off-by: Tad <tad@spotco.us> 2021-10-16 18:05:45 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
Fix patch authors 2017-05-30 00:19:40 +00:00			`From: Daniel Micay <danielmicay@gmail.com>`
Improved network hardening 2017-06-28 12:20:24 +00:00			`Date: Wed, 28 Jun 2017 07:54:49 -0400`
Enable IPv6 privacy extensions 2019-07-05 20:47:59 +00:00			`Subject: [PATCH] Harden`
More LineageOS prep 2016-12-27 18:37:38 +00:00
Improved network hardening 2017-06-28 12:20:24 +00:00			`Change-Id: I46e3fc4ac896a509ab8ca90ae4ce09b820da434b`
Verify authorship and Change-Id of all contained patches - No patches were found with incorrect authorship/From: lines - The older AndroidHardening patch repos are no longer available to verify CID. - New GrapheneOS patches do not include a CID. - Signature_Spoofing.patch CID could not be found. - Fixed CID of Harden_Sig_Spoofing.patch to match 14.1 - Fixed CID of LGE_Fixes.patch to match 14.1 - Fixed CID of Harden.patch to match 14.1 - Added edit note to Harden.patch - Fixed CID of PREREQ_Handle_All_Modes.patch to match 14.1 - Fixed CID of More_Preferred_Network_Modes.patch to match 14.1 - Fixed CID of AES256.patch to match 14.1 - Fixed CID of 0001-OTA_Keys.patch to match 18.1 - Fixed CID of Camera_Fix.patch to match 15.1 - Fixed CID of Connectivity.patch to match 14.1 - Fixed CID of Fix_Calling.patch to match 14.1 - Fixed CID of Remove_Analytics.patch to match 14.1 - Fixed CID of Unused-.patch/audio_extn to match original Signed-off-by: Tad <tad@spotco.us> 2022-03-05 17:24:18 +00:00			`[tad@spotco.us]: added protected fifos and regular from newer GrapheneOS patches`
			`[tad@spotco.us]: added IPv6 privacy options TODO split into another patch`
More LineageOS prep 2016-12-27 18:37:38 +00:00			`---`
More small fixes 2020-07-14 01:28:17 +00:00			`init/init.cpp \| 6 +++---`
Refresh most branch specific patches Fixed up: LineageOS-16.0/android_packages_apps_Backgrounds/308977.patch LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch LineageOS-17.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch LineageOS-18.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch Must review again: LineageOS-14.1/android_packages_apps_PackageInstaller/64d8b44.patch Signed-off-by: Tad <tad@spotco.us> 2021-10-16 18:05:45 +00:00			`rootdir/init.rc \| 11 +++++++++++`
			`2 files changed, 14 insertions(+), 3 deletions(-)`
More LineageOS prep 2016-12-27 18:37:38 +00:00
			`diff --git a/init/init.cpp b/init/init.cpp`
Fix patch authors 2017-05-30 00:19:40 +00:00			`index 7a370596e..35bf44a7b 100755`
More LineageOS prep 2016-12-27 18:37:38 +00:00			`--- a/init/init.cpp`
			`+++ b/init/init.cpp`
Fix patch authors 2017-05-30 00:19:40 +00:00			`@@ -579,10 +579,10 @@ int main(int argc, char** argv) {`
More LineageOS prep 2016-12-27 18:37:38 +00:00			`mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");`
			`mkdir("/dev/pts", 0755);`
			`mkdir("/dev/socket", 0755);`
			`- mount("devpts", "/dev/pts", "devpts", 0, NULL);`
			`+ mount("devpts", "/dev/pts", "devpts", MS_NOSUID\|MS_NOEXEC, NULL);`
			`#define MAKE_STR(x) __STRING(x)`
			`- mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));`
			`- mount("sysfs", "/sys", "sysfs", 0, NULL);`
			`+ mount("proc", "/proc", "proc", MS_NOSUID\|MS_NODEV\|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC));`
			`+ mount("sysfs", "/sys", "sysfs", MS_NOSUID\|MS_NODEV\|MS_NOEXEC, NULL);`
			`}`

			`// We must have some place other than / to create the device nodes for`
More small fixes 2020-07-14 01:28:17 +00:00			`diff --git a/rootdir/init.rc b/rootdir/init.rc`
Refresh most branch specific patches Fixed up: LineageOS-16.0/android_packages_apps_Backgrounds/308977.patch LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch LineageOS-17.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch LineageOS-18.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch Must review again: LineageOS-14.1/android_packages_apps_PackageInstaller/64d8b44.patch Signed-off-by: Tad <tad@spotco.us> 2021-10-16 18:05:45 +00:00			`index 40a36402e..4abc6d1a8 100644`
More LineageOS prep 2016-12-27 18:37:38 +00:00			`--- a/rootdir/init.rc`
			`+++ b/rootdir/init.rc`
Update CVE patchers - Drop tcp_sack=0 sysctl, as most devices are now patched 2020-10-12 19:19:15 +00:00			`@@ -126,6 +126,17 @@ on init`
More LineageOS prep 2016-12-27 18:37:38 +00:00			`write /proc/sys/kernel/sched_child_runs_first 0`

			`write /proc/sys/kernel/randomize_va_space 2`
Minor tweaks 2020-05-13 21:25:52 +00:00			`+ write /proc/sys/kernel/dmesg_restrict 1`
Minor tweaks - 14.1+15.1+16.0: enable kernel protections for files - protected_*: hardlinks, symlinks, fifos, regular - from GrapheneOS - defconfig: enable more verity options - cleanup 2019-08-28 19:12:42 +00:00			`+ write /proc/sys/fs/protected_hardlinks 1`
			`+ write /proc/sys/fs/protected_symlinks 1`
			`+ write /proc/sys/fs/protected_fifos 1`
			`+ write /proc/sys/fs/protected_regular 1`
Enable IPv6 privacy extensions 2019-07-05 20:47:59 +00:00			`+ write /proc/sys/net/ipv6/conf/all/use_tempaddr 2`
Minor tweaks 2020-05-13 21:25:52 +00:00			`+ write /proc/sys/net/ipv6/conf/all/max_addresses 128`
			`+ write /proc/sys/net/ipv6/conf/all/temp_prefered_lft 21600`
Enable IPv6 privacy extensions 2019-07-05 20:47:59 +00:00			`+ write /proc/sys/net/ipv6/conf/default/use_tempaddr 2`
Minor tweaks 2020-05-13 21:25:52 +00:00			`+ write /proc/sys/net/ipv6/conf/default/max_addresses 128`
			`+ write /proc/sys/net/ipv6/conf/default/temp_prefered_lft 21600`
More LineageOS prep 2016-12-27 18:37:38 +00:00			`write /proc/sys/kernel/kptr_restrict 2`
			`write /proc/sys/vm/mmap_min_addr 32768`
			`write /proc/sys/net/ipv4/ping_group_range "0 2147483647"`