#!/bin/bash
#DivestOS: A privacy focused mobile distribution
#Copyright (c) 2017-2020 Divested Computing Group
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program. If not, see <https://www.gnu.org/licenses/>.
# Loud, delayed notice for builders who opted into patches that are open
# source but carry restrictive (non-commercial) licence terms; see LICENSES.
# The 15 s pause is deliberate so the banner is not lost in the build output.
case "${DOS_NON_COMMERCIAL_USE_PATCHES:-}" in
	true)
		echo -e "\e[0;33mWARNING: YOU HAVE ENABLED PATCHES THAT WHILE ARE OPEN SOURCE ARE ALSO ENCUMBERED BY RESTRICTIVE LICENSES\e[0m";
		echo -e "\e[0;33mPLEASE SEE THE 'LICENSES' FILE AT THE ROOT OF THIS REPOSITORY FOR MORE INFORMATION\e[0m";
		echo -e "\e[0;33mDISABLE THEM BY SETTING 'NON_COMMERCIAL_USE_PATCHES' TO 'false' IN 'Scripts/init.sh'\e[0m";
		sleep 15;
		;;
esac;
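#######################################
# Run the DivestOS binary patcher against the Linux kernel patch set.
# Globals (read): DOS_BINARY_PATCHER (jar), DOS_BUILD_BASE, DOS_WORKSPACE_ROOT,
#                 DOS_SCRIPTS_CVES
# Arguments: $1 - optional extra argument forwarded verbatim to the patcher
#######################################
startPatcher() {
	# $1 is forwarded as one word when given and omitted entirely when empty.
	# It used to be passed unquoted, which word-split any value with spaces.
	# NOTE(review): callers in this file pass a single value; confirm no caller
	# relied on the splitting.
	java -jar "$DOS_BINARY_PATCHER" patch workspace "$DOS_BUILD_BASE" "$DOS_WORKSPACE_ROOT" "Patches/Linux/" "$DOS_SCRIPTS_CVES" ${1:+"$1"};
}
export -f startPatcher;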
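#######################################
# Change into a directory below the build tree and announce it.
# Globals (read): DOS_BUILD_BASE - prefix the argument is appended to verbatim
#                 (no separator is inserted, so it is expected to end in '/')
# Arguments: $1 - path relative to DOS_BUILD_BASE
# Side effects: resets umask to 0022 and changes the caller's cwd on success
# Returns: 0 when the directory exists and was entered, 1 otherwise
#######################################
enter() {
	echo "================================================================================================"
	local dir="$1";
	local dirReal="$DOS_BUILD_BASE$dir";
	umask 0022;
	# -d alone is not enough: cd can still fail (e.g. permissions), and the
	# caller would then apply its edits in whatever directory it started in.
	if [ -d "$dirReal" ] && cd "$dirReal"; then
		echo -e "\e[0;32m[ENTERING] $dir\e[0m";
		return 0;
	fi;
	echo -e "\e[0;31m[ENTERING FAILED] $dir\e[0m";
	return 1;
}
export -f enter;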
#######################################
# enter "$1" (see enter) and, on success, discard every local change in it.
# Arguments: $1 - path relative to DOS_BUILD_BASE
# Returns: 1 when the directory could not be entered, else gitReset's status
#######################################
enterAndClear() {
	enter "$1" || return 1;
	gitReset;
}
export -f enterAndClear;
#######################################
# Throw away every uncommitted change in the current repository, untracked
# files included (they are staged first so that --hard removes them too).
#######################################
gitReset() {
	git add -A || return;
	git reset --hard;
}
export -f gitReset;
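#######################################
# Verify every detached signature (*.asc) in a directory with gpg.
# Verification can only succeed for keys already imported into ~/.gnupg;
# when that directory is unreadable the check is skipped with a warning.
# Arguments: $1 - directory holding the files and their *.asc signatures
# Returns: 0 when every signature verified (or the check was skipped),
#          1 when a signature failed or no *.asc was found at all. Callers
#          that care should test this instead of relying on the 60 s pause.
#######################################
gpgVerifyDirectory() {
	local sig failed=0;
	if [ ! -r "$HOME/.gnupg" ]; then
		echo -e "\e[0;33mWARNING: ~/.gnupg is unavailable, GPG verification of $1 will not be performed!\e[0m";
		return 0;
	fi;
	for sig in "$1"/*.asc; do
		if [ ! -e "$sig" ]; then
			# Unmatched glob: nothing to verify is itself suspicious.
			echo -e "\e[0;33mWARNING: No *.asc signatures found in $1\e[0m";
			failed=1;
			continue;
		fi;
		if gpg --verify "$sig" &>/dev/null; then
			echo -e "\e[0;32mGPG Verified Successfully: $sig\e[0m";
		else
			echo -e "\e[0;31mWARNING: GPG Verification Failed: $sig\e[0m";
			failed=1;
			sleep 60;
		fi;
	done;
	return "$failed";
}
export -f gpgVerifyDirectory;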
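#######################################
# Run clamscan over a set of paths and print a verdict.
# Globals (read): DOS_MALWARE_SCAN_SETTING - quick|extra|slow|full widens the
#                 queue when $1 is true; DOS_BUILD_BASE
# Arguments: $1 - true to add the source-tree directories selected by
#                 DOS_MALWARE_SCAN_SETTING to the queue
#            $2 - whitespace-separated list of paths/globs to scan
# Returns: 0 always — the verdict is printed, clamscan's own status
#          (0 clean, 1 found, 2 error) is not propagated to the caller
#######################################
scanForMalware() {
	if ! { [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.c*d ]; }; then
		echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";
		return 0;
	fi;
	echo -e "\e[0;32mStarting a malware scan...\e[0m";
	# --exclude-dir takes a regex. The previous form embedded literal '"'
	# characters in the argument, so .git/.repo were never actually excluded;
	# the dot is escaped so e.g. "legit" is not excluded by accident.
	local -a excludes=(--exclude-dir='\.git' --exclude-dir='\.repo');
	# $2 is a whitespace-separated list (callers pass globs), so word-splitting
	# and globbing here are intentional.
	# shellcheck disable=SC2206
	local -a scanQueue=($2);
	if [ "$1" = true ]; then
		local setting="$DOS_MALWARE_SCAN_SETTING";
		if [ "$setting" != "quick" ]; then
			scanQueue+=("$DOS_BUILD_BASE/frameworks" "$DOS_BUILD_BASE/vendor");
		fi;
		if [ "$setting" = "slow" ]; then
			scanQueue+=("$DOS_BUILD_BASE/external" "$DOS_BUILD_BASE/prebuilts" "$DOS_BUILD_BASE/toolchain" "$DOS_BUILD_BASE/tools");
		fi;
		if [ "$setting" = "full" ]; then
			scanQueue=("$DOS_BUILD_BASE"); # the whole tree supersedes the list
		fi;
	fi;
	du -hsc "${scanQueue[@]}";
	/usr/bin/clamscan --recursive --detect-pua --infected --allmatch --max-filesize=4000M --max-scansize=4000M "${excludes[@]}" "${scanQueue[@]}";
	local clamscanExit="$?";
	case "$clamscanExit" in
		0)
			echo -e "\e[0;32mNo malware found\e[0m";
			;;
		1)
			echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
			echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";
			echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
			echo -e "\e[0;33mFalse positives such as the following are probably OK\e[0m";
			echo -e "\e[0;33mPUAs: Ewind, Mobidash\e[0m";
			echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
			sleep 60;
			;;
		2)
			echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
			echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";
			echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
			sleep 60;
			;;
	esac;
	return 0;
}
export -f scanForMalware;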
#######################################
# Render a text label as a 512x128 black/transparent mask image for the boot
# animation. Requires ImageMagick's convert on PATH.
# Arguments: $1 - text, $2 - font, $3 - output image path
#######################################
generateBootAnimationMask() {
	local label="$1" typeface="$2" target="$3";
	convert -background black -fill transparent -font "$typeface" -gravity center -size 512x128 label:"$label" "$target";
	#optipng "$output"; #XXX: breaks boot animation on 14.1?
}
export -f generateBootAnimationMask;
#######################################
# Render a 2048x128 mirrored horizontal gradient ("shine") for the boot
# animation. Requires ImageMagick's convert on PATH.
# Arguments: $1 - colour, $2 - gradient style (e.g. gradient), $3 - output path
#######################################
generateBootAnimationShine() {
	local hue="$1" gradientStyle="$2" target="$3";
	#The colors need to be symmetrical in order to make the animation smooth and not have any noticble lines
	convert -size 1024x128 -define gradient:angle=90 "$gradientStyle":"$hue" \( +clone -flop \) +append "$target";
	#optipng "$output";
}
export -f generateBootAnimationShine;
#######################################
# Turn the SELinux denials in the attached device's logcat into allow rules,
# resolved against the sepolicy of the current build ($OUT/root/sepolicy).
# Globals (read): OUT - Android product output directory
#######################################
audit2allowCurrent() {
	local policy="$OUT/root/sepolicy";
	adb logcat -b all -d | audit2allow -p "$policy";
}
export -f audit2allowCurrent;
#######################################
# Like audit2allowCurrent, but resolve denials against the policy currently
# loaded on the attached device (pulled into ./policy first).
#######################################
audit2allowADB() {
	local policy="policy";
	adb pull /sys/fs/selinux/policy; # lands in ./policy
	adb logcat -b all -d | audit2allow -p "$policy";
}
export -f audit2allowADB;
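#######################################
# Integrity check for a previously archived target-files zip before it is used
# as the base of an incremental OTA.
# Arguments: $1 - path to the archived *-target_files.zip
# Returns: 0 when the sha512 recorded next to it matches (and, when that
#          checksum file is GPG clearsigned and signing is enabled, its
#          signature verifies against DOS_SIGNING_GPG); 1 on any mismatch.
#          A zip with no checksum file at all is rejected too: every release
#          written by processRelease has one, so its absence is suspicious.
#######################################
_dosVerifyArchivedTargetFiles() {
	local zip="$1";
	local sums="$zip.sha512sum";
	[ -f "$sums" ] || return 1;
	if [ "$DOS_GPG_SIGNING" = true ] && grep -q "BEGIN PGP SIGNED MESSAGE" "$sums"; then
		gpg --homedir "$DOS_SIGNING_GPG" --verify "$sums" &>/dev/null || return 1;
	fi;
	# The checksum line holds the bare file name (see "File name fixes"), so
	# the check must run from the zip's directory. Lines of a clearsign
	# wrapper only make sha512sum warn, which is discarded here.
	(cd "${zip%/*}" && sha512sum -c "${sums##*/}" >/dev/null 2>&1);
}
export -f _dosVerifyArchivedTargetFiles;

#######################################
# Sign a finished build and produce the release artifacts for one device:
# signed target-files, fastboot package (for targets without a recovery.img),
# full OTA, optional incremental OTAs, extracted signed recovery.img,
# checksums, optional GPG clearsigning of the checksums, optional archiving.
# Reference (MIT): GrapheneOS
# https://github.com/GrapheneOS/script/blob/10/release.sh
#
# Globals (read): DOS_SIGNING_KEYS, DOS_VERSION, DOS_BRANDING_ZIP_PREFIX,
#   DOS_BUILDS, DOS_BUILD_BASE, DOS_MALWARE_SCAN_BEFORE_SIGN,
#   DOS_GENERATE_DELTAS, DOS_GENERATE_DELTAS_DEVICES, DOS_GPG_SIGNING,
#   DOS_SIGNING_GPG, DOS_GPG_SIGNING_KEY, DOS_AUTO_ARCHIVE_BUILDS,
#   DOS_REMOVE_AFTER
# Arguments: $1 - device codename
#            $2 - anything but "false" enables --block OTAs
#            $3 - "verity" (Verified Boot 1.0) or "avb" (Verified Boot 2.0);
#                 anything else signs without replacing verification keys
# Side effects: writes into out/target/product/$1/, may copy to the archive
#               and may delete that product directory afterwards
# Returns: 1 when the device argument is empty, 0 otherwise (tool failures
#          are reported on the console, not propagated)
#######################################
processRelease() {
	local DEVICE="$1";
	local BLOCK="$2";
	local VERITY="$3";
	# Everything below is rooted at a path built from $DEVICE; with an empty
	# device that path would be the shared product directory, which is also
	# what the DOS_REMOVE_AFTER step deletes.
	if [ -z "$DEVICE" ]; then
		echo -e "\e[0;31mprocessRelease: device argument is required\e[0m";
		return 1;
	fi;

	local DATE;
	DATE=$(date -u '+%Y%m%d');
	local KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
	local VERSION;
	VERSION=$(echo "$DOS_VERSION" | cut -f2 -d"-");
	local PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
	local ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
	local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";
	local TARGET_FILES="$OUT_DIR/$PREFIX-target_files.zip";

	local RELEASETOOLS_PREFIX="build/tools/releasetools/";
	if [[ "$DOS_VERSION" == "LineageOS-18.1" ]]; then
		RELEASETOOLS_PREFIX=""; # on 18.1 the tools are invoked by bare name
	fi;

	umask 0022;
	echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";

	#Arguments
	local -a BL
	OCK_SWITCHES=();
	if [ "$BLOCK" != false ]; then
		BLOCK_SWITCHES=(--block);
	fi;
	local -a VERITY_SWITCHES=();
	if [[ "$VERITY" == "verity" ]]; then
		VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
			--replace_verity_private_key "$KEY_DIR/verity" \
			--replace_verity_keyid "$KEY_DIR/verity.x509.pem");
		echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
	elif [[ "$VERITY" == "avb" ]]; then
		#TODO: Verify if both SHA512 and RSA4096 is always supported
		VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" \
			--avb_vbmeta_algorithm SHA256_RSA4096 \
			--avb_system_key "$KEY_DIR/avb.pem" \
			--avb_system_algorithm SHA256_RSA4096);
		echo -e "\e[0;32m\t+ Verified Boot 2.0\e[0m";
	fi;

	#Malware Scan
	if [ "$DOS_MALWARE_SCAN_BEFORE_SIGN" = true ]; then
		echo -e "\e[0;32mScanning files for malware before signing\e[0m";
		scanForMalware false "$OUT_DIR"/obj/PACKAGING/target_files_intermediates/*"$DEVICE"-target_files-*.zip;
	fi;

	#Target Files
	echo -e "\e[0;32mSigning target files\e[0m";
	"$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
		"${VERITY_SWITCHES[@]}" \
		"$OUT_DIR"/obj/PACKAGING/target_files_intermediates/*"$DEVICE"-target_files-*.zip \
		"$TARGET_FILES";
	sha512sum "$TARGET_FILES" > "$TARGET_FILES.sha512sum";
	local INCREMENTAL_ID;
	INCREMENTAL_ID=$(grep "ro.build.version.incremental" "$OUT_DIR/system/build.prop" | cut -f2 -d"=" | sed 's/\.//g');
	echo "$INCREMENTAL_ID" > "$TARGET_FILES.id";

	#Image
	# 0 when the signed target-files carry a recovery.img, 1 otherwise.
	unzip -l "$TARGET_FILES" | grep -q recovery.img;
	local hasRecoveryImg="$?";
	if [[ "$hasRecoveryImg" == "1" ]]; then
		# Targets without a separate recovery image get a fastboot package instead.
		echo -e "\e[0;32mCreating fastboot image\e[0m";
		"$RELEASETOOLS_PREFIX"img_from_target_files "$TARGET_FILES" \
			"$OUT_DIR/$PREFIX-fastboot.zip";
		sha512sum "$OUT_DIR/$PREFIX-fastboot.zip" > "$OUT_DIR/$PREFIX-fastboot.zip.sha512sum";
	fi

	#OTA
	echo -e "\e[0;32mCreating OTA\e[0m";
	"$RELEASETOOLS_PREFIX"ota_from_target_files "${BLOCK_SWITCHES[@]}" -k "$KEY_DIR/releasekey" \
		"$TARGET_FILES" \
		"$OUT_DIR/$PREFIX-ota.zip";
	# The md5 is kept for the existing download layout only (presumably what
	# the updater/website reads — TODO confirm); it is not an integrity check.
	# The sha512 (optionally GPG-signed below) is.
	md5sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.md5sum";
	sha512sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.sha512sum";

	#Deltas
	if [ "$DOS_GENERATE_DELTAS" = true ]; then
		if [[ "${DOS_GENERATE_DELTAS_DEVICES[@]}" =~ "${DEVICE}" ]]; then
			local LAST_TARGET_FILES LAST_INCREMENTAL_ID;
			for LAST_TARGET_FILES in "$ARCHIVE"/target_files/"$DOS_BRANDING_ZIP_PREFIX-$VERSION"-*-dos-"$DEVICE"-target_files.zip; do
				[[ -f "$LAST_TARGET_FILES.id" ]] || continue;
				# The archive is a plain directory on the build host: a tampered
				# or truncated previous target-files would otherwise be signed
				# straight into an incremental, so check it first.
				if ! _dosVerifyArchivedTargetFiles "$LAST_TARGET_FILES"; then
					echo -e "\e[0;31mWARNING: Skipping incremental against $LAST_TARGET_FILES: integrity check failed\e[0m";
					sleep 60;
					continue;
				fi;
				LAST_INCREMENTAL_ID=$(cat "$LAST_TARGET_FILES.id");
				echo -e "\e[0;32mGenerating incremental OTA against $LAST_INCREMENTAL_ID\e[0m";
				"$RELEASETOOLS_PREFIX"ota_from_target_files "${BLOCK_SWITCHES[@]}" -t 8 -k "$KEY_DIR/releasekey" -i \
					"$LAST_TARGET_FILES" \
					"$TARGET_FILES" \
					"$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip";
				sha512sum "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip" > "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum";
			done;
		fi;
	fi;

	#Extract signed recovery
	if [[ "$hasRecoveryImg" == "0" ]]; then
		echo -e "\e[0;32mExtracting signed recovery.img\e[0m";
		mkdir -p "$OUT_DIR/rec_tmp";
		unzip "$TARGET_FILES" "IMAGES/recovery.img" -d "$OUT_DIR/rec_tmp";
		mv "$OUT_DIR/rec_tmp/IMAGES/recovery.img" "$OUT_DIR/$PREFIX-recovery.img";
		sha512sum "$OUT_DIR/$PREFIX-recovery.img" > "$OUT_DIR/$PREFIX-recovery.img.sha512sum";
	fi;

	#File name fixes
	# Strip the build path from every checksum line so the files verify from
	# the download directory ($OUT_DIR is builder-controlled; a '|' in it would
	# break the sed expression).
	sed -i "s|$OUT_DIR/||" "$OUT_DIR"/*.md5sum "$OUT_DIR"/*.sha512sum;
	sed -i 's/-ota\././' "$OUT_DIR"/*.md5sum "$OUT_DIR"/*.sha512sum;
	sed -i 's/-incremental_/-/' "$OUT_DIR"/*.md5sum "$OUT_DIR"/*.sha512sum;

	#GPG signing
	if [ "$DOS_GPG_SIGNING" = true ]; then
		local checksum;
		for checksum in "$OUT_DIR"/*.sha512sum; do
			echo -e "\e[0;32mGPG signing $checksum\e[0m";
			# The plain checksum file is only replaced by its clearsigned copy
			# once gpg has actually succeeded.
			if gpg --homedir "$DOS_SIGNING_GPG" --sign --local-user "$DOS_GPG_SIGNING_KEY" --clearsign "$checksum"; then
				mv -f "$checksum.asc" "$checksum";
			fi;
		done;
	fi;

	#Copy to archive
	if [ "$DOS_AUTO_ARCHIVE_BUILDS" = true ]; then
		echo -e "\e[0;32mCopying files to archive\e[0m";
		mkdir -vp "$ARCHIVE" "$ARCHIVE/target_files" "$ARCHIVE/fastboot" "$ARCHIVE/incrementals";

		if [[ "${DOS_GENERATE_DELTAS_DEVICES[@]}" =~ "${DEVICE}" ]]; then cp -v "$OUT_DIR/$PREFIX"-target_files.zip* "$ARCHIVE/target_files/"; fi;
		cp -v "$OUT_DIR/$PREFIX"-fastboot.zip* "$ARCHIVE/fastboot/" || true;
		cp -v "$OUT_DIR/$PREFIX"-ota.zip* "$ARCHIVE/";
		cp -v "$OUT_DIR/$PREFIX"-incremental_*.zip* "$ARCHIVE/incrementals/" || true;
		cp -v "$OUT_DIR/$PREFIX"-recovery.img* "$ARCHIVE/" || true;
		rename -- "-ota." "." "$ARCHIVE/$PREFIX"-ota.zip*;
		rename -- "-incremental_" "-" "$ARCHIVE/incrementals/$PREFIX"-incremental_*.zip*;
		sync;

		#Remove to make space for next build
		if [ "$DOS_REMOVE_AFTER" = true ]; then
			echo -e "\e[0;32mRemoving to reclaim space\e[0m";
			# Sanity check: only ever delete the per-device product directory
			# this function has been writing to, never a path with a missing
			# component (DEVICE was checked on entry).
			if [ -n "$DOS_BUILD_BASE" ] && [ -n "$DEVICE" ]; then
				rm -rf -- "${OUT_DIR:?}";
			else
				echo -e "\e[0;31mRefusing to remove unexpected output directory: $OUT_DIR\e[0m";
			fi;
		fi;
	fi;

	sync;
	echo -e "\e[0;32mRelease processing complete\e[0m";
}
export -f processRelease;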
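#######################################
# Upload one device's release artifacts from the archive layout to the
# download server. Run from the archive directory (the paths are relative).
# Arguments: $1 - device codename
# Notes: every rsync is best-effort (|| true) so a missing category of files
#        (no fastboot zip, no incrementals) does not abort the push. Uploads
#        run as root over SSH to a hard-coded host; a dedicated unprivileged
#        deploy account restricted to the builds directory would be safer.
#######################################
pushToServer() {
	local device="$1";
	local dest="root@divestos.org:/var/www/divestos.org/builds/LineageOS/$device";
	local -a opts=(-Pau --no-perms --no-owner --no-group);
	rsync "${opts[@]}" incrementals/divested-*-dos-"$device"-*.zip* "$dest/incrementals/" || true;
	rsync "${opts[@]}" divested-*-dos-"$device".zip* "$dest/" || true;
	# *-recovery.img* (not just the image) so the .sha512sum written next to
	# it by processRelease is published too, like every other artifact.
	rsync "${opts[@]}" divested-*-dos-"$device"-recovery.img* "$dest/" || true;
	rsync "${opts[@]}" fastboot/divested-*-dos-"$device"-*.zip* "$dest/" || true;
}
export -f pushToServer;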
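#######################################
# Strip the stock BUILD_FINGERPRINT / PRIVATE_BUILD_DESC lines from every
# device/*/*/lineage*.mk so the build generates its own fingerprint instead.
# Must be run from DOS_BUILD_BASE (the 'device' path is relative).
# Requires GNU awk (-i inplace).
#######################################
removeBuildFingerprints() {
	# awk is invoked directly: the previous 'sh -c "awk ... {}"' form spliced
	# each file name into a shell command line, so a path containing
	# whitespace or shell metacharacters was mis-parsed (or interpreted).
	# One pass drops a line matching either pattern, as the two passes did.
	find device -maxdepth 3 -name "lineage*.mk" -type f \
		-exec awk -i inplace '!/BUILD_FINGERPRINT/ && !/PRIVATE_BUILD_DESC/' {} +;
	echo "Removed stock build fingerprints";
}
export -f removeBuildFingerprints;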
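#######################################
# Turn off dex pre-optimisation for one device tree (WITH_DEXPREOPT := false).
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
disableDexPreOpt() {
	# Bail out if cd fails; otherwise the sed below would edit whatever
	# BoardConfig.mk happens to be in the current directory.
	cd "$DOS_BUILD_BASE$1" || return 1;
	if [ -f BoardConfig.mk ]; then
		sed -i "s/WITH_DEXPREOPT := true/WITH_DEXPREOPT := false/" BoardConfig.mk;
		echo "Disabled dexpreopt";
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f disableDexPreOpt;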
#######################################
# Request LZMA-compressed boot and recovery ramdisks in the BoardConfig.mk of
# the current directory (no-op when there is none).
#######################################
compressRamdisks() {
	[ -f BoardConfig.mk ] || return 0;
	printf '%s\n' "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
	echo "Enabled ramdisk compression";
}
export -f compressRamdisks;
#######################################
# Wire up Verified Boot 1.0 (dm-verity on /system) for the device tree in the
# current directory: append the verity product config to device.mk for user
# builds and add the verity_load_state / verity_update_state init hooks to
# rootdir/etc/init.<dir>.rc, where <dir> is the current directory's name.
#######################################
addVerity() {
	local initRc="rootdir/etc/init.${PWD##*/}.rc";
	printf '%s\n' \
		'ifeq ($(TARGET_BUILD_VARIANT),user)' \
		'PRODUCT_SYSTEM_VERITY_PARTITION := /dev/block/by-name/system' \
		'$(call inherit-product, build/target/product/verity.mk)' \
		'endif' >> device.mk;
	# 'a\\ text' is GNU sed's one-line append that keeps the leading blank.
	sed -i '/on init/a\\ verity_load_state' "$initRc";
	sed -i '/on early-boot/a\\ verity_update_state' "$initRc";
}
export -f addVerity;
#######################################
# Switch the device tree in the current directory from "verity present but
# disabled" to enforced: drop --set_hashtree_disabled_flag, change the AVB
# vbmeta --flags value from 3 to 2, and add 'verify' to the /system fstab
# entries that lack it. Missing fstab files are ignored.
#######################################
enableVerity() {
	local -a fstabs=(fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.*);
	sed -i 's/--set_hashtree_disabled_flag//' *.mk;
	sed -i 's/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 3/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' *.mk;
	sed -i '/\/system/{/verify/!s|wait|wait,verify|}' "${fstabs[@]}" &>/dev/null || true;
}
export -f enableVerity;
#######################################
# Losslessly recompress every JPEG and PNG under a directory, 16 files at a
# time (jpegoptim and optipng must be installed).
# Arguments: $1 - root directory
#######################################
optimizeImagesRecursive() {
	local root="$1";
	find "$root" -type f -name "*.jp*g" -print0 | xargs -0 -n1 -P 16 jpegoptim;
	find "$root" -type f -name "*.png" -print0 | xargs -0 -n1 -P 16 optipng;
}
export -f optimizeImagesRecursive;
#######################################
# Shrink the system image of the device tree in the current directory: no
# ext4 journal, minimal Java debug info, fewer fonts, and the "mini" phone
# product instead of the "full" one.
#######################################
smallerSystem() {
	{
		echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0";
		echo "EXCLUDE_SERIF_FONTS := true";
		echo "SMALLER_FONT_FOOTPRINT := true";
		#echo "MINIMAL_FONT_FOOTPRINT := true";
	} >> BoardConfig.mk;
	echo "PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := true" >> device.mk;
	sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
}
export -f smallerSystem;
#######################################
# Drop the sound-trigger and Dolby lines from every Qualcomm audio-caf
# config .mk. Missing paths are ignored. Run from DOS_BUILD_BASE; requires
# GNU awk (-i inplace).
#######################################
deblobAudio() {
	local pattern;
	for pattern in BOARD_SUPPORTS_SOUND_TRIGGER android.hardware.soundtrigger DOLBY_; do
		awk -i inplace "!/$pattern/" hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
	done;
	#awk -i inplace '!/vendor.audio.dolby/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
}
export -f deblobAudio;
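#######################################
# Append diag_use(ims) / diag_use(hal_imsrtp) to every matching SELinux policy
# file under device/. Note that this widens the sepolicy of those domains and
# is applied to every device tree found. Run from DOS_BUILD_BASE.
#######################################
imsAllowDiag() {
	# The file name is handed to sh as a positional parameter rather than
	# spliced into the script text, so paths with spaces/metacharacters are
	# appended to, not parsed as shell.
	find device -name "ims.te" -type f -exec sh -c 'echo "diag_use(ims)" >> "$1"' _ {} \;
	find device -name "hal_imsrtp.te" -type f -exec sh -c 'echo "diag_use(hal_imsrtp)" >> "$1"' _ {} \;
}
export -f imsAllowDiag;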
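#######################################
# Raise the WLAN power-save offload level in a Wi-Fi driver ini file
# (gEnablePowerSaveOffload=2 -> 4).
# Arguments: $1 - path to the ini file
#######################################
extremeWiFiDeepSleep() {
	# Quoted: the previous unquoted $1 word-split a path containing spaces.
	sed -i 's/gEnablePowerSaveOffload=2/gEnablePowerSaveOffload=4/' "$1";
}
export -f extremeWiFiDeepSleep;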
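#######################################
# Force VoLTE/VT availability on for a device tree whose overlay declares
# config_device_volte_available, by appending persist.dbg.volte_avail_ovr and
# persist.dbg.vt_avail_ovr to vendor.prop (else system.prop) and to
# vendor_prop.mk. A file that already carries the override is left alone.
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
volteOverride() {
	# Bail out if cd fails, otherwise the checks below would run against
	# whatever directory the caller happened to be in.
	cd "$DOS_BUILD_BASE$1" || return 1;
	if grep -sq "config_device_volte_available" "overlay/frameworks/base/core/res/res/values/config.xml"; then
		if [ -f vendor.prop ] && ! grep -sq "volte_avail_ovr" "vendor.prop"; then
			echo -e 'persist.dbg.volte_avail_ovr=1\npersist.dbg.vt_avail_ovr=1' >> vendor.prop;
			echo "Set VoLTE override in vendor.prop for $1";
		elif [ -f system.prop ] && ! grep -sq "volte_avail_ovr" "system.prop"; then
			echo -e 'persist.dbg.volte_avail_ovr=1\npersist.dbg.vt_avail_ovr=1' >> system.prop;
			echo "Set VoLTE override in system.prop for $1";
		fi;
		if [ -f vendor_prop.mk ] && ! grep -sq "volte_avail_ovr" "vendor_prop.mk"; then
			echo -e '\nPRODUCT_PROPERTY_OVERRIDES += \\\n persist.dbg.volte_avail_ovr=1 \\\n persist.dbg.vt_avail_ovr=1' >> vendor_prop.mk;
			echo "Set VoLTE override in vendor_prop.mk for $1";
		fi;
		#TODO: init/init*.cpp, device*.mk
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f volteOverride;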
#######################################
# Harden a Qualcomm gps.conf in place: optionally force GLONASS, set the
# capability mask to 0x13 and SUPL_MODE to MSB-only (no MSA), enable SUPL_ES
# (CVE-2018-9526), point SUPL/NTP at the configured servers, stop XTRA server
# discovery (CVE-2016-5341) and move XTRA to IZatCloud over HTTPS.
# Every edit is best-effort: a missing file or non-matching line is ignored.
# Globals (read): DOS_GPS_GLONASS_FORCED, DOS_GPS_SUPL_HOST, DOS_GPS_NTP_SERVER
# Arguments: $1 - path to gps.conf
#######################################
hardenLocationConf() {
	local gpsConfig="$1";
	#Debugging: adb logcat -b all | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
	#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true;
	# The sed expressions are applied one after the other, in this order.
	local -a rules=();
	#Enable GLONASS
	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
		rules+=('s/#A_GLONASS_POS_PROTOCOL_SELECT =/A_GLONASS_POS_PROTOCOL_SELECT =/');
		rules+=('s/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/');
	fi;
	#Change capabilities
	rules+=('s|CAPABILITIES=.*|CAPABILITIES=0x13|'); #Disable MSA (privacy) and geofencing/ULP (both broken by deblobber)
	rules+=('s/#SUPL_MODE=/SUPL_MODE=/');
	rules+=('s/SUPL_MODE=$/SUPL_MODE=1/'); #Set to MSB if blank (to prevent MSA+MSB default)
	rules+=('s|SUPL_MODE=3|SUPL_MODE=1|'); #Disable MSA (privacy)
	#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
	rules+=('s/#SUPL_ES=/SUPL_ES=/');
	rules+=('s|SUPL_ES=0|SUPL_ES=1|');
	#Change servers (values come from the build config; a '|' or '&' in them
	#would alter the sed expression rather than the host name)
	rules+=("s|SUPL_HOST=.*|SUPL_HOST=$DOS_GPS_SUPL_HOST|");
	rules+=("s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|");
	#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
	#XTRA: Only use specified URLs
	rules+=('s|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|');
	rules+=('s|#XTRA_SERVER|XTRA_SERVER|');
	#Switch gpsOneXtra to IZatCloud (invalid certificate)
	rules+=('/xtrapath/!s|://xtra|://xtrapath|');
	rules+=('s|gpsonextra.net|izatcloud.net|');
	rules+=('s|xtrapath1|xtrapath4|');
	rules+=('s|xtrapath2|xtrapath5|');
	rules+=('s|xtrapath3|xtrapath6|');
	#Enable HTTPS (IZatCloud supports HTTPS)
	rules+=('s|http://xtrapath|https://xtrapath|');
	#sed -i 's|http://gllto|https://gllto|' "$gpsConfig" &>/dev/null || true; XXX: GLPals has an invaid certificate
	local rule;
	for rule in "${rules[@]}"; do
		sed -i "$rule" "$gpsConfig" &>/dev/null || true;
	done;
	echo "Enhanced location services for $gpsConfig";
}
export -f hardenLocationConf;
#######################################
# Apply the gps.conf hardening to the GNSS defaults that frameworks/base
# carries as <item> strings in its config XML: optional GLONASS, no MSA
# (SUPL_MODE=1), SUPL_ES on (CVE-2018-9526), configured NTP server, and XTRA
# moved to IZatCloud over HTTPS (CVE-2016-5341). Edits are best-effort.
# Globals (read): DOS_GPS_GLONASS_FORCED, DOS_GPS_NTP_SERVER
# Arguments: $1 - tree that contains frameworks/base
#######################################
hardenLocationFWB() {
	local dir="$1";
	local -a xmls=("$dir"/frameworks/base/core/res/res/values*/*.xml);
	# The sed expressions are applied one after the other, in this order.
	local -a rules=();
	#Enable GLONASS
	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
		rules+=('s|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|');
	fi;
	#Change capabilities
	rules+=('s|SUPL_MODE=3|SUPL_MODE=1|'); #Disable MSA (privacy)
	#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
	rules+=('s|SUPL_ES=0|SUPL_ES=1|');
	#Change servers (value comes from the build config; a '|' or '&' in it
	#would alter the sed expression rather than the host name)
	rules+=("s|NTP_SERVER=.*</item>|NTP_SERVER=$DOS_GPS_NTP_SERVER</item>|");
	#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
	#Switch gpsOneXtra to IZatCloud (invalid certificate)
	rules+=('/xtrapath/!s|://xtra|://xtrapath|');
	rules+=('s|gpsonextra.net|izatcloud.net|');
	rules+=('s|xtrapath1|xtrapath4|');
	rules+=('s|xtrapath2|xtrapath5|');
	rules+=('s|xtrapath3|xtrapath6|');
	#Enable HTTPS (IZatCloud supports HTTPS)
	rules+=('s|http://xtrapath|https://xtrapath|');
	#sed -i 's|http://gllto|https://gllto|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true; XXX: GLPals has an invaid certificate
	local rule;
	for rule in "${rules[@]}"; do
		sed -i "$rule" "${xmls[@]}" &>/dev/null || true;
	done;
	echo "Enhanced location services for $dir";
}
export -f hardenLocationFWB;
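#######################################
# Uncomment the /dev/block/zram0 entry in the fstab files of one device tree.
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
enableZram() {
	# Bail out if cd fails, otherwise the sed below would touch the fstab
	# files of whatever directory the caller was in.
	cd "$DOS_BUILD_BASE$1" || return 1;
	sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
	echo "Enabled zram for $1";
	cd "$DOS_BUILD_BASE";
}
export -f enableZram;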
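#######################################
# Harden the /cache and /data fstab entries of one device tree:
#  - drop latemount from /cache (so SELinux contexts are restored on a /cache
#    wipe; fixes the OTA and /recovery updaters),
#  - add discard to /data,
#  - turn encryptable= into forceencrypt= so /data is encrypted on first boot
#    (skipped for samsung/tuna and amazon/hdx-common, see the inline note).
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
hardenUserdata() {
	# Bail out if cd fails, otherwise the edits below would hit the fstab
	# files of whatever directory the caller was in.
	cd "$DOS_BUILD_BASE$1" || return 1;
	local -a fstabs=(fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.*);
	#awk -i inplace '!/f2fs/' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
	#Remove latemount to allow selinux contexts be restored upon /cache wipe
	#Fixes broken OTA updater and broken /recovery updater
	sed -i '/\/cache/s|latemount,||' "${fstabs[@]}" &>/dev/null || true;
	#TODO: Ensure: noatime,nosuid,nodev
	sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' "${fstabs[@]}" &>/dev/null || true;
	if [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/amazon/hdx-common" ]; then #tuna needs first boot to init, hdx-c has broken encryption
		sed -i 's|encryptable=/|forceencrypt=/|' "${fstabs[@]}" &>/dev/null || true;
	fi;
	echo "Hardened /data for $1";
	cd "$DOS_BUILD_BASE";
}
export -f hardenUserdata;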
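#######################################
# Prepend kernel hardening arguments (slab_nomerge slub_debug=FZP
# page_poison=1) to BOARD_KERNEL_CMDLINE in one device tree's BoardConfig
# files (BoardConfig*.mk and */BoardConfig*.mk; missing files are ignored).
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
hardenBootArgs() {
	# Bail out if cd fails, otherwise the sed below would edit whatever
	# BoardConfig files are in the caller's directory.
	cd "$DOS_BUILD_BASE$1" || return 1;
	#Unavailable: kpti=on pti=on page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 lockdown=confidentiality
	sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := slab_nomerge slub_debug=FZP page_poison=1 /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
	echo "Hardened kernel command line arguments for $1";
	cd "$DOS_BUILD_BASE";
}
export -f hardenBootArgs;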
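#######################################
# Remove the DEXPREOPT_GENERATE_APEX_IMAGE and updatable_apex.mk lines from
# the .mk files of one device tree. Requires GNU awk (-i inplace); missing
# files are ignored.
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
disableAPEX() {
	# Bail out if cd fails, otherwise every *.mk in the caller's directory
	# would be rewritten instead.
	cd "$DOS_BUILD_BASE$1" || return 1;
	awk -i inplace '!/DEXPREOPT_GENERATE_APEX_IMAGE/' *.mk &>/dev/null || true;
	awk -i inplace '!/updatable_apex.mk/' *.mk &>/dev/null || true;
	cd "$DOS_BUILD_BASE";
}
export -f disableAPEX;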
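#######################################
# Request AES-256 full-disk encryption (TARGET_WANTS_STRONG_ENCRYPTION) in
# one device tree's BoardConfig.mk; no-op when that file does not exist.
# Globals (read): DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns: 1 when the directory cannot be entered (nothing is edited then)
#######################################
enableStrongEncryption() {
	# Bail out if cd fails, otherwise the caller's own BoardConfig.mk (if
	# any) would be appended to.
	cd "$DOS_BUILD_BASE$1" || return 1;
	if [ -f BoardConfig.mk ]; then
		echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
		echo "Enabled AES-256 encryption for $1";
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f enableStrongEncryption;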
#######################################
# Copy the build host's adb public key (~/.android/adbkey.pub) into
# vendor/divested and register it as PRODUCT_ADB_KEYS. No-op without the file.
# NOTE(review): the key is baked into every image built from this tree, so
# the matching private key on the build host should be protected like the
# signing keys — confirm this is the intended scope.
# Globals (read): DOS_BUILD_BASE
#######################################
addAdbKey() {
	local key="$HOME/.android/adbkey.pub";
	[ -f "$key" ] || return 0;
	cp "$key" "$DOS_BUILD_BASE/vendor/divested/";
	echo "PRODUCT_ADB_KEYS := vendor/divested/adbkey.pub" >> "$DOS_BUILD_BASE/vendor/divested/divestos.mk";
}
export -f addAdbKey;
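#Replaces the Google resolvers (8.8.8.8 / 8.8.4.4 / 4.4.4.4 and their IPv6 twins) hard-coded in a fixed set of
#framework sources with the provider selected by DOS_DEFAULT_DNS_PRESET. The file list is relative to the current
#directory, so this is presumably run from inside the frameworks/base tree.
#The replacement addresses are trusted constants from the table below (never user input), so splicing them into the
#sed expressions needs no escaping. Every sed runs with errors swallowed: files missing in a given Android version are
#simply skipped.
#Globals: DOS_DEFAULT_DNS_PRESET (read)
#Returns: 1 when no preset is set or the preset is unknown (no file is touched), else 0
changeDefaultDNS() {
  local dnsPrimary="";
  local dnsPrimaryV6="";
  local dnsSecondary="";
  local dnsSecondaryV6="";

  if [ -z "$DOS_DEFAULT_DNS_PRESET" ]; then
    echo "You must first set a preset via the DOS_DEFAULT_DNS_PRESET variable in init.sh!";
    return 1;
  fi;

  case "$DOS_DEFAULT_DNS_PRESET" in
    AdGuard) #https://adguard.com/en/adguard-dns/overview.html
      dnsPrimary="176.103.130.130";
      dnsPrimaryV6="2a00:5a60::ad1:0ff";
      dnsSecondary="176.103.130.131";
      dnsSecondaryV6="2a00:5a60::ad2:0ff";
      ;;
    AdGuard-NOBL) #https://adguard.com/en/adguard-dns/overview.html
      dnsPrimary="176.103.130.136";
      dnsPrimaryV6="2a00:5a60::01:ff";
      dnsSecondary="176.103.130.137";
      dnsSecondaryV6="2a00:5a60::02:ff";
      ;;
    CensurfriDNS) #https://uncensoreddns.org
      dnsPrimary="91.239.100.100";
      dnsPrimaryV6="2001:67c:28a4::";
      dnsSecondary="89.233.43.71";
      dnsSecondaryV6="2a01:3a0:53:53::";
      ;;
    Cloudflare) #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
      dnsPrimary="1.0.0.1";
      dnsPrimaryV6="2606:4700:4700::1001";
      dnsSecondary="1.1.1.1";
      dnsSecondaryV6="2606:4700:4700::1111";
      ;;
    Cloudflare-BL) #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
      dnsPrimary="1.0.0.2";
      dnsPrimaryV6="2606:4700:4700::1002";
      dnsSecondary="1.1.1.2";
      dnsSecondaryV6="2606:4700:4700::1112";
      ;;
    OpenNIC) #https://servers.opennicproject.org/edit.php?srv=ns3.any.dns.opennic.glue
      dnsPrimary="169.239.202.202"; #FIXME
      dnsPrimaryV6="2a05:dfc7:5353::53";
      dnsSecondary="185.121.177.177";
      dnsSecondaryV6="2a05:dfc7:5::53";
      ;;
    DNSWATCH) #https://dns.watch
      dnsPrimary="84.200.69.80";
      dnsPrimaryV6="2001:1608:10:25::1c04:b12f";
      dnsSecondary="84.200.70.40";
      dnsSecondaryV6="2001:1608:10:25::9249:d69b";
      ;;
    Google) #https://developers.google.com/speed/public-dns/privacy
      dnsPrimary="8.8.8.8";
      dnsPrimaryV6="2001:4860:4860::8888";
      dnsSecondary="8.8.4.4";
      dnsSecondaryV6="2001:4860:4860::8844";
      ;;
    Neustar) #https://www.security.neustar/digital-performance/dns-services/recursive-dns
      dnsPrimary="156.154.70.2";
      dnsPrimaryV6="2610:a1:1018::2";
      dnsSecondary="156.154.71.2";
      dnsSecondaryV6="2610:a1:1019::2";
      ;;
    Neustar-NOBL) #https://www.security.neustar/digital-performance/dns-services/recursive-dns
      dnsPrimary="156.154.70.5";
      dnsPrimaryV6="2610:a1:1018::5";
      dnsSecondary="156.154.71.5";
      dnsSecondaryV6="2610:a1:1019::5";
      ;;
    NixNet) #https://docs.nixnet.services/DNS
      #NOTE(review): the IPv4 primary and secondary are identical here - verify against the NixNet docs
      dnsPrimary="198.251.90.114";
      dnsPrimaryV6="2605:6400:20:e6d::1";
      dnsSecondary="198.251.90.114";
      dnsSecondaryV6="2605:6400:30:f881::1";
      ;;
    OpenDNS) #https://www.cisco.com/c/en/us/about/legal/privacy-full.html
      dnsPrimary="208.67.222.222";
      dnsPrimaryV6="2620:0:ccc::2";
      dnsSecondary="208.67.220.220";
      dnsSecondaryV6="2620:0:ccd::2";
      ;;
    Quad9) #https://www.quad9.net/privacy
      dnsPrimary="9.9.9.9";
      dnsPrimaryV6="2620:fe::fe";
      dnsSecondary="149.112.112.112";
      dnsSecondaryV6="2620:fe::9";
      ;;
    Quad9-EDNS) #https://www.quad9.net/privacy
      dnsPrimary="9.9.9.11";
      dnsPrimaryV6="2620:fe::11";
      dnsSecondary="149.112.112.11";
      dnsSecondaryV6="2620:fe::fe:11";
      ;;
    Quad9-NOBL) #https://www.quad9.net/privacy
      dnsPrimary="9.9.9.10";
      dnsPrimaryV6="2620:fe::10";
      dnsSecondary="149.112.112.10";
      dnsSecondaryV6="2620:fe::fe:10";
      ;;
    Verisign) #https://www.verisign.com/en_US/security-services/public-dns/terms-of-service/index.xhtml
      dnsPrimary="64.6.64.6";
      dnsPrimaryV6="2620:74:1b::1:1";
      dnsSecondary="64.6.65.6";
      dnsSecondaryV6="2620:74:1c::2:2";
      ;;
    Yandex) #https://dns.yandex.com/advanced
      dnsPrimary="77.88.8.88";
      dnsPrimaryV6="2a02:6b8::feed:bad";
      dnsSecondary="77.88.8.2";
      dnsSecondaryV6="2a02:6b8:0:1::feed:bad";
      ;;
    Yandex-NOBL) #https://dns.yandex.com/advanced
      dnsPrimary="77.88.8.8";
      dnsPrimaryV6="2a02:6b8::feed:0ff";
      dnsSecondary="77.88.8.1";
      dnsSecondaryV6="2a02:6b8:0:1::feed:0ff";
      ;;
    *)
      #Previously an unknown preset fell through with empty addresses and the seds below erased the resolvers from the sources
      echo "Unknown DOS_DEFAULT_DNS_PRESET '$DOS_DEFAULT_DNS_PRESET', leaving the default DNS servers untouched!";
      return 1;
      ;;
  esac;

  local files=(
    "core/res/res/values/config.xml"
    "packages/SettingsLib/res/values/strings.xml"
    "services/core/java/com/android/server/connectivity/NetworkDiagnostics.java"
    "services/core/java/com/android/server/connectivity/Tethering.java"
    "services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java"
    "services/java/com/android/server/connectivity/Tethering.java"
    "packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java"
    "core/java/android/net/util/DnsUtils.java"
  );
  #Only the first occurrence per line is replaced, matching the original behaviour
  sed -i "s/8\.8\.8\.8/$dnsPrimary/" "${files[@]}" &>/dev/null || true;
  sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" "${files[@]}" &>/dev/null || true;
  sed -i "s/8\.8\.4\.4/$dnsSecondary/" "${files[@]}" &>/dev/null || true;
  sed -i "s/4\.4\.4\.4/$dnsSecondary/" "${files[@]}" &>/dev/null || true;
  sed -i "s/2001:4860:4860::8844/$dnsSecondaryV6/" "${files[@]}" &>/dev/null || true;
}
export -f changeDefaultDNS;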
#Stamps CONFIG_LOCALVERSION with the suffix given in $1 across the defconfig(s) reported by getDefconfig,
#which must be run from the root of a kernel tree (hardenDefconfig calls this with "-dos")
#Arguments: $1 - the new local version string; it is spliced into the sed expression, so it must not contain '/', '&' or '\'
#Returns:   always 0 (sed failures are swallowed so a missing defconfig does not abort the build)
editKernelLocalversion() {
  local defconfigPath;
  defconfigPath=$(getDefconfig);
  local expression='s/CONFIG_LOCALVERSION=".*"/CONFIG_LOCALVERSION="'"$1"'"/';
  # shellcheck disable=SC2086 -- defconfigPath carries shell globs that must expand
  sed -i "$expression" $defconfigPath &>/dev/null || true;
}
export -f editKernelLocalversion;
#Prints the defconfig(s) of the kernel tree in the current directory, preferring a lineage*defconfig under
#arch/arm, then arch/arm64, and otherwise falling back to every *defconfig under arch/arm*
#The result is echoed unquoted on purpose: a matching pattern expands to the real file name(s), while a
#pattern with no match is printed literally, so callers must also leave the value unquoted
#Outputs: space-separated defconfig paths or glob patterns on stdout
#Returns: always 0
getDefconfig() {
  local candidate;
  local defconfigPath="arch/arm*/configs/*defconfig arch/arm*/configs/*/*defconfig";
  for candidate in "arch/arm/configs/lineage*defconfig" "arch/arm64/configs/lineage*defconfig"; do
    #ls on the expanded glob is the existence test; it fails when the pattern matches nothing
    if ls $candidate 1>/dev/null 2>&1; then
      defconfigPath=$candidate;
      break;
    fi;
  done;
  echo $defconfigPath;
}
export -f getDefconfig;
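#Rewrites the defconfig(s) of the kernel tree at "$DOS_BUILD_BASE$1": turns on kernel self-protection options and
#turns off options that only add attack surface, then applies a few one-off source tweaks
#Each option is flipped in place with sed; for LineageOS-style defconfigs (path contains "lineage") an option that is
#absent is appended as well, so it also reaches kernels whose defconfig omits it (the enable list skips this for the
#oneplus/msm8996 kernel). Options a given kernel does not know are harmless: Kconfig ignores them.
#Arguments: $1 - kernel tree path relative to $DOS_BUILD_BASE
#Globals:   DOS_BUILD_BASE (read), DOS_DEBLOBBER_REMOVE_IPA (read)
#Returns:   1 if the kernel directory cannot be entered (nothing is modified), else 0
hardenDefconfig() {
  #Without this guard a bad $1 used to run every sed below against whatever directory the caller was in
  cd "$DOS_BUILD_BASE$1" || return 1;
  #Attempts to enable/disable supported options to increase security
  #See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
  #and (GPLv3) https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/kconfig_hardened_check/__init__.py

  #getDefconfig emits one or more paths or glob patterns; $defconfigPath must stay unquoted below so they expand
  local defconfigPath;
  defconfigPath=$(getDefconfig);
  local option;

  #Enable supported options
  #Linux <3.0
  local -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "SLUB_DEBUG" "STRICT_DEVMEM" "SYN_COOKIES");
  #Disabled: DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
  #Linux 3.4
  optionsYes+=("SECURITY_YAMA");
  #Linux 3.5
  optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER");
  #Linux 3.7
  optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER");
  #Linux 3.13
  optionsYes+=("SYSTEM_TRUSTED_KEYRING");
  #Linux 3.14
  optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG");
  #Linux 3.17
  optionsYes+=("PKCS7_MESSAGE_PARSER");
  #Linux 3.18
  optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK");
  #Linux 4.3
  optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN");
  #Linux 4.4
  optionsYes+=("LEGACY_VSYSCALL_NONE");
  #Linux 4.5
  optionsYes+=("IO_STRICT_DEVMEM");
  #Linux 4.6
  optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY");
  #Linux 4.7
  optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
  #Linux 4.8
  optionsYes+=("RANDOMIZE_MEMORY");
  #Linux 4.9
  optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK");
  #Linux 4.10
  optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION");
  #Linux 4.11
  optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX");
  #Linux 4.13
  optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL");
  #Linux 4.14
  optionsYes+=("SLAB_FREELIST_HARDENED");
  #Linux 4.15
  optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE");
  #Linux 4.16
  optionsYes+=("UNMAP_KERNEL_AT_EL0");
  #Linux 4.17
  optionsYes+=("HARDEN_EL2_VECTORS");
  #Linux 4.18
  optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
  #Linux 4.19
  optionsYes+=("PAGE_POISONING_ZERO");
  #Linux 5.0
  optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
  #Linux 5.2
  optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
  #Linux 5.3
  optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
  #Linux 5.8
  optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
  #Linux 5.9
  optionsYes+=("INIT_STACK_ALL_ZERO");
  #GCC Plugins - 4.19 - 5.2
  #optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
  #GrapheneOS Patches
  optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
  #Disabled: SLAB_CANARY (breakage?)
  #out of tree or renamed or removed ?
  optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
  #Time hardware
  #if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
  #Hardware enablement #XXX: This needs a better home
  optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");

  for option in "${optionsYes[@]}"; do
    #Option names are plain identifiers, so they can be spliced into the sed expression as-is
    # shellcheck disable=SC2086 -- defconfigPath carries shell globs that must expand
    sed -i "s/# CONFIG_$option is not set/CONFIG_$option=y/" $defconfigPath &>/dev/null || true;
    #Some defconfigs are very minimal/not-autogenerated, so lets add the rest. Obviously most won't have any affect as they aren't supported.
    if [[ "$defconfigPath" == *lineage* && "$1" != *kernel/oneplus/msm8996* ]]; then
      # shellcheck disable=SC2086
      if ! grep -q "CONFIG_$option=y" $defconfigPath; then
        # shellcheck disable=SC2086
        echo "CONFIG_$option=y" | tee -a $defconfigPath >/dev/null;
      fi;
    fi;
  done;

  #Disable supported options
  #Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile)
  local -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
  if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
  optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
  #optionsNo+=("LTO_CLANG"); #Can easily require 64GB of RAM on host system to compile

  for option in "${optionsNo[@]}"; do
    # shellcheck disable=SC2086
    sed -i "s/CONFIG_$option=y/# CONFIG_$option is not set/" $defconfigPath &>/dev/null || true;
    #sed -i 's/'"CONFIG_$option"'=y/'"CONFIG_$option"'=n/' $defconfigPath &>/dev/null || true;
    #Some defconfigs are very minimal/not-autogenerated, so lets add the rest. Obviously most won't have any affect as they aren't supported.
    if [[ "$defconfigPath" == *lineage* ]]; then
      # shellcheck disable=SC2086
      if ! grep -q "CONFIG_$option=n" $defconfigPath; then
        # shellcheck disable=SC2086
        echo "CONFIG_$option=n" | tee -a $defconfigPath >/dev/null;
      fi;
    fi;
  done;

  #Extras
  #Raise mmap randomisation and the minimum mappable address only where the defconfig still carries the low stock values
  # shellcheck disable=SC2086
  sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true;
  # shellcheck disable=SC2086
  sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;
  # shellcheck disable=SC2086
  sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
  # shellcheck disable=SC2086
  sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;

  #Resurrect dm-verity XXX: This needs a better home
  sed -i 's/^\treturn VERITY_STATE_DISABLE;//' drivers/md/dm-android-verity.c &>/dev/null || true;
  #sed -i 's/#if 0/#if 1/' drivers/power/reset/msm-poweroff.c &>/dev/null || true;
  #Workaround broken MSM_DLOAD_MODE=y+PANIC_ON_OOPS=y for devices that oops on shutdown
  #MSM_DLOAD_MODE can't be disabled as it breaks compile
  sed -i 's/set_dload_mode(in_panic)/set_dload_mode(0)/' arch/arm/mach-msm/restart.c &>/dev/null || true;

  editKernelLocalversion "-dos";
  echo "Hardened defconfig for $1";
  cd "$DOS_BUILD_BASE";
}
export -f hardenDefconfig;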