cp -r "$DOS_PREBUILT_APPS""Fennec_DOS-Shim""$DOS_BUILD_BASE""packages/apps/";#Add a shim to install Fennec DOS without actually including the large APK
cp -r "$DOS_PREBUILT_APPS""SupportDivestOS""$DOS_BUILD_BASE""packages/apps/";#Add the Support app
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-1.patch";#Add a real explicit_bzero implementation (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) #XXX: some vendor blobs use sbrk
#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: some kernels do not have (working) getrandom
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-4.patch";#Fix undefined out-of-bounds accesses in sched.h (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-5.patch";#Stop implicitly marking mappings as mergeable (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-6.patch";#Replace VLA formatting with dprintf-like function (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-7.patch";#Increase default pthread stack to 8MiB on 64-bit (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-8.patch";#Make __stack_chk_guard read-only at runtime (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-9.patch";#On 64-bit, zero the leading stack canary byte (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-10.patch";#Switch pthread_atfork handler allocation to mmap (GrapheneOS) #XXX: patches from here on are known to cause boot issues on legacy devices
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-11.patch";#Add memory protection for pthread_atfork handlers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-12.patch";#Add XOR mangling mitigation for thread-local dtors (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-13.patch";#Use a better pthread_attr junk filling pattern (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-14.patch";#Add guard page(s) between static_tls and stack (GrapheneOS)
applyPatch "$DOS_PATCHES/android_bootable_recovery/0001-No_SerialNum_Restrictions.patch";#Abort package installs if they are specific to a serial number (GrapheneOS)
fi;
if enterAndClear "build/make";then
git revert --no-edit 7f4b9a43f3c49a5a896dd4951be0a96584751f46;#Re-enable the downgrade check
applyPatch "$DOS_PATCHES/android_build/0001-Enable_fwrapv.patch";#Use -fwrapv at a minimum (GrapheneOS)
applyPatch "$DOS_PATCHES/android_build/0002-OTA_Keys.patch";#Add correct keys to recovery for OTA verification
if["$DOS_GRAPHENE_EXEC"=true];then applyPatch "$DOS_PATCHES/android_build/0003-Exec_Based_Spawning.patch";fi;#Add exec-based spawning support (GrapheneOS) #XXX: most devices override this
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;#Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk;#Set the minimum supported target SDK to Pie (GrapheneOS)
fi;
if enterAndClear "build/soong";then
applyPatch "$DOS_PATCHES/android_build_soong/0001-Enable_fwrapv.patch";#Use -fwrapv at a minimum (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #XXX 19REBASE
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch";#Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch";#Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch";#Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) #XXX 19REBASE: maybe not needed
applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch";#Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch";#Enable fingerprint lockout after three failed attempts (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout.patch";#Allow user logout (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions.patch";#Support new special runtime permissions (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch";#Make INTERNET into a special runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch";#Add a NETWORK permission group for INTERNET (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch";#net: Notify ConnectivityService of runtime permission changes (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch";#Make DownloadManager.enqueue() a no-op when INTERNET permission is revoked (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch";#Make DownloadManager.query() a no-op when INTERNET permission is revoked (GrapheneOS)
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf;#Harden the default GPS config
changeDefaultDNS;#Change the default DNS servers
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java;#Enable app compaction by default (GrapheneOS)
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java;#Disable DropBox internal logging service
sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java;
sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java;#Notify the user if their location is requested via SUPL
sed -i 's/DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 \* 60 \* 60 \* 1000;/DEFAULT_STRONG_AUTH_TIMEOUT_MS = 12 * 60 * 60 * 1000;/' core/java/android/app/admin/DevicePolicyManager.java;#Decrease the strong auth prompt timeout to occur more often
##sed -i '282i\ if(packageList != null && packageList.size() > 0) { packageList.add("net.sourceforge.opencamera"); }' core/java/android/hardware/Camera.java; #Add Open Camera to aux camera allowlist XXX: needs testing, broke boot last time
if["$DOS_MICROG_INCLUDED" !="FULL"];then rm -rf packages/CompanionDeviceManager;fi;#Used to support Android Wear (which hard depends on GMS)
rm -rf packages/PrintRecommendationService;#Creates popups to install proprietary print apps
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0001-No_Google_Links.patch";#Remove Privacy Policy and Terms of Service links (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0002-No_Google_Backup.patch";#Backups are not sent to Google (GrapheneOS)
fi;
if enterAndClear "packages/apps/Dialer";then
applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/0001-Not_Private_Banner.patch";#Add a privacy warning banner to calls (CalyxOS)
fi;
if enterAndClear "packages/apps/LineageParts";then
rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml;#Nuke part of the analytics
if["$DOS_GRAPHENE_RANDOM_MAC"=true];then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch";fi;#Add option to always randomize MAC (GrapheneOS)
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java;#Never disable secure start-up when enabling an accessibility service
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/;#XXX: Likely no longer needed
fi;
if enterAndClear "packages/apps/Updater";then
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch";#Switch to our server
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch";#Add Tor support
sed -i 's/PROP_BUILD_VERSION_INCREMENTAL);/PROP_BUILD_VERSION_INCREMENTAL).replaceAll("\\\\.", "");/' src/org/lineageos/updater/misc/Utils.java;#Remove periods from incremental version
#TODO: Remove changelog
fi;
if enterAndClear "packages/inputmethods/LatinIME";then
if enterAndClear "packages/modules/Connectivity";then
applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-1.patch";#Add callback for enforcing INTERNET permission changes (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-2.patch";#Use uid instead of app id (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-3.patch";#Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
if enterAndClear "packages/modules/DnsResolver";then
applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Cache.patch";#DnsResolver: Sort and cache hosts file data for fast lookup (LineageOS)
applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0002-Hosts_Wildcards.patch";#DnsResolver: Support wildcards in cached hosts file (LineageOS)
if enterAndClear "packages/modules/NetworkStack";then
applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch";#Avoid reusing DHCP state for full MAC randomization (GrapheneOS)
fi;
fi;
if enterAndClear "packages/modules/Permission";then
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0002-Network_Permission-1.patch";#always treat INTERNET as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0002-Network_Permission-2.patch";#add INTERNET permission toggle (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0003-Sensors_Permission-1.patch";#always treat OTHER_SENSORS as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0003-Sensors_Permission-2.patch";#add OTHER_SENSORS permission group (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0004-Special_Permission-1.patch";#refactor handling of special runtime permissions (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0004-Special_Permission-2.patch";#don't auto revoke Network and Sensors (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0004-Special_Permission-3.patch";#ui fix for special runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0004-Special_Permission-4.patch";#fix usage UI summary for Network/Sensors (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0005-Browser_No_Location.patch";#stop auto-granting location to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indicators.patch";#SystemUI: Use new privacy indicators for location (GrapheneOS)
fi;
if["$DOS_GRAPHENE_RANDOM_MAC"=true];then
if enterAndClear "packages/modules/Wifi";then
applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch";#Add support for always generating new random MAC (GrapheneOS)
fi;
fi;
if enterAndClear "packages/providers/DownloadProvider";then
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch";#Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "system/bt";then
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch";#Add alloc_size attributes to the allocator (GrapheneOS)
fi;
if enterAndClear "system/core";then
if["$DOS_HOSTS_BLOCKING"=true];then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts;fi;#Merge in our HOSTS file
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch";#Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
if["$DOS_GRAPHENE_PTRACE_SCOPE"=true];then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch";fi;#Add a property for controlling ptrace_scope (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch";#Label protected_{fifos,regular} as proc_security (GrapheneOS) #XXX 19REBASE: add to other versions too
if["$DOS_GRAPHENE_PTRACE_SCOPE"=true];then
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch";#Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch";#Allow system to use persist.native_debug (GrapheneOS)
fi;
fi;
if enterAndClear "system/update_engine";then
git revert --no-edit a5a18ac5e2a2377fe036fcae93548967a7b40470;#Do not skip payload signature verification
if["$DOS_MICROG_INCLUDED"="NLP"];then sed -i '/Google provider/!b;n;s/com.google.android.gms/org.microg.nlp/' overlay/common/frameworks/base/core/res/res/values/config.xml;fi;#Adjust the fused providers
sed -i 's/LINEAGE_BUILDTYPE := UNOFFICIAL/LINEAGE_BUILDTYPE := dos/' config/*.mk;#Change buildtype
if["$DOS_NON_COMMERCIAL_USE_PATCHES"=true];then sed -i 's/LINEAGE_BUILDTYPE := dos/LINEAGE_BUILDTYPE := dosNC/' config/*.mk;fi;
#echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch #XXX 19REBASE: is this necessary?
echo"PRODUCT_PACKAGES += eSpeakNG" >> packages.mk;#PicoTTS needs work to compile on 18.1, use eSpeak-NG instead