#!/bin/bash
#DivestOS: A privacy focused mobile distribution
#Copyright (c) 2017-2022 Divested Computing Group
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program. If not, see <https://www.gnu.org/licenses/>.
umask 0022; #everything created while these functions are sourced defaults to owner-writable, world-readable
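_fetchError(){
	#ERR-trap callback: print a red one-line report for a failed command and record its
	#status in TR_ERR for the summary printed by _exit_report (defined elsewhere in this file).
	#  $1 - exit status of the failed command
	#  $2 - line number handed over by the trap (one past the failing line, hence the -1 below)
	#  $3 - name of the function the failure happened in (empty at top level)
	#  $4 - path of the file that was executing (may be empty)
	local last_status="$1";
	local error_line_number="$2";
	local last_func="$3";
	local file="$4";
	#Shorten the path by replacing the workspace root with a literal "$DOS_WORKSPACE_ROOT".
	#A parameter expansion is used instead of sed so the root is matched literally: a "#",
	#"&", "." or other sed metacharacter in the path can neither break the substitution
	#(which used to blank the file name) nor alter what gets replaced. An unset root is a no-op.
	if [ -n "$DOS_WORKSPACE_ROOT" ]; then
		file=${file//"$DOS_WORKSPACE_ROOT"/\$DOS_WORKSPACE_ROOT};
	fi;
	#Ignore failures raised by interactive completion (TAB and similar)
	if [[ "$file" =~ .*bash_completion ]]; then return; fi;
	case "$last_func" in
		command_not_found_handle|_filedir) return;;
	esac;
	local line=$((error_line_number - 1));
	if [ -n "$last_func" ] && [ -n "$file" ]; then
		echo -e "\e[0;31mERROR: $file -> ${last_func}() ended with status >${last_status}< at line >${line}<\e[0m";
	elif [ -n "$last_func" ]; then
		echo -e "\e[0;31mERROR: ${last_func}() ended with status >${last_status}< at line >${line}<\e[0m";
	else
		echo -e "\e[0;31mERROR: last command ended with status >${last_status}< at line >${line}<\e[0m";
	fi;
	export TR_ERR="$last_status";
	_exit_report;
}
export -f _fetchError;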
startPatcher() {
	#Run the Java patcher over the kernel workspace.
	#  $1 - optional extra argument forwarded verbatim (left unquoted, as before, so an
	#       empty value adds no argument)
	#NOTE(review): the patch directory is plain string concatenation, so this relies on
	#DOS_WORKSPACE_ROOT ending with a slash.
	local patchesDir="${DOS_WORKSPACE_ROOT}Patches/Linux/";
	java -jar "$DOS_BINARY_PATCHER" patch workspace "$DOS_BUILD_BASE" "$patchesDir" "$DOS_SCRIPTS_CVES" $1;
}
export -f startPatcher;
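resetWorkspace() {
	#Throw away every local change in every repo project and re-sync to the manifest.
	#  $1 - "local" to skip the network fetch (repo sync --local-only); anything else syncs
	#Works relative to the current directory: the rm -rf below removes ./out and
	#./DOS_PATCHED_FLAG, so this must be called from the build base.
	umask 0022;
	#Always declared local and empty: previously the variable was only made local when
	#$1 was "local", so a stray outer $noNetwork could leak into the repo sync command line.
	local noNetwork="";
	if [ "$1" == "local" ]; then noNetwork="--local-only"; fi;
	#noNetwork is deliberately unquoted so an empty value adds no argument
	repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync --jobs-network=6 --jobs-checkout=12 --force-sync --detach $noNetwork;
	#Record the HEAD of every project so a build can be traced back to exact commits
	repo forall -v -c 'echo "$REPO_PATH $(git rev-parse HEAD)"' | sort -u > "$DOS_WORKSPACE_ROOT/Logs/resetWorkspace-$DOS_VERSION.txt";
}
export -f resetWorkspace;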
patchWorkspace() {
	#Thin entry point; the actual work is done by patchWorkspaceReal (defined elsewhere in
	#this file). The commented-out pipe shows how to capture a log of a run when needed.
	#patchWorkspaceReal |& tee "$DOS_WORKSPACE_ROOT/Logs/patchWorkspace-$DOS_VERSION.log";
	patchWorkspaceReal;
}
export -f patchWorkspace;
verifyAllPlatformTags() {
	#For every repo project, source Tag_Verifier.sh in a fresh sh and run verifyTagIfPlatform
	#on it. The command string is single-quoted on purpose: $DOS_WORKSPACE_ROOT, $REPO_PROJECT
	#and $REPO_PATH are expanded by the shell that repo forall spawns (repo exports REPO_*
	#into it), not by this function.
	#NOTE(review): "source" is a bash builtin, so the inner "sh -c" must resolve to a shell
	#that supports it (POSIX sh only guarantees "."), and the three variables are unquoted
	#inside the command, so paths containing whitespace would be split.
	local perProject='sh -c "source $DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh && verifyTagIfPlatform $REPO_PROJECT $REPO_PATH"';
	repo forall -v -c "$perProject";
}
export -f verifyAllPlatformTags;
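enter() {
	#Change into a directory below the build base and announce it.
	#  $1 - path relative to $DOS_BUILD_BASE
	#Returns 0 after a successful cd, 1 (with a red message) otherwise, so callers can
	#write: if enter foo; then ...; fi
	echo "================================================================================================"
	local dir="$1";
	local dirReal="$DOS_BUILD_BASE/$dir";
	umask 0022;
	#The cd itself is part of the test: a directory that exists but cannot be entered
	#(e.g. permissions) used to be reported as [ENTERING] with status 0 while the cwd
	#silently stayed put, so the caller would go on to reset/patch the wrong tree.
	if [ -d "$dirReal" ] && cd "$dirReal"; then
		echo -e "\e[0;32m[ENTERING] $dir\e[0m";
		return 0;
	fi;
	echo -e "\e[0;31m[ENTERING FAILED] $dir\e[0m";
	return 1;
}
export -f enter;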
enterAndClear() {
	#enter "$1" and, once inside, discard all local changes there via gitReset.
	#Returns 1 without touching anything when the directory cannot be entered.
	enter "$1" || return 1;
	gitReset;
}
export -f enterAndClear;
gitReset() {
	#Discard every local change, including untracked files, in the current checkout.
	#The git calls run in a subshell and any failure (e.g. not a git directory) is ignored
	#on purpose so the caller never aborts; the function always returns 0.
	( git add --all && git reset --hard ) || true;
	return 0;
}
export -f gitReset;
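applyPatchReal() {
	#Apply one patch file to the git checkout in the current directory.
	#  $1 - path of the patch; any further arguments (e.g. --3way) are passed on to git
	#Uses the shared global currentWorkingPatch (also set by applyPatch) on purpose.
	#A file whose first line carries git's fixed format-patch timestamp is a mail-format
	#patch and goes through "git am" (keeping author and message); anything else is treated
	#as a plain diff and goes through "git apply".
	currentWorkingPatch=$1;
	firstLine=$(head -n1 "$currentWorkingPatch");
	if [[ "$firstLine" = *"Mon Sep 17 00:00:00 2001"* ]] || [[ "$firstLine" = *"Thu Jan 1 00:00:00 1970"* ]]; then
		if git am "$@"; then
			#Optionally rewrite the patch file from the commit just created so it stays in
			#sync with the tree; only for patches living under $DOS_PATCHES.
			if [ "$DOS_REFRESH_PATCHES" = true ]; then
				if [[ "$currentWorkingPatch" == $DOS_PATCHES* ]]; then
					git format-patch -1 HEAD --zero-commit --no-signature --output="$currentWorkingPatch";
				fi;
			fi;
		else
			echo "Applying (git am): $currentWorkingPatch - FAILED"
			git am --abort || true
			#Fallback: patch(1) tolerates more context drift than git am. The redirection is
			#now quoted; unquoted, a patch path containing whitespace failed with
			#"ambiguous redirect" and the fallback was silently skipped.
			#NOTE(review): unlike git am this leaves the changes uncommitted in the working tree.
			echo "Applying (patch fallback): $currentWorkingPatch"
			patch -r - --no-backup-if-mismatch --forward --ignore-whitespace --verbose -p1 < "$currentWorkingPatch"
		fi;
	else
		echo "Applying (as diff): $currentWorkingPatch";
		git apply "$@";
	fi;
}
export -f applyPatchReal;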
applyPatch() {
	#Apply a patch if (and only if) it is not already in the tree.
	#  $1 - path of the patch; further arguments are forwarded to git apply / applyPatchReal
	#Order of attempts: clean apply, already-applied check, 3-way apply. A missing file or a
	#patch that cannot be applied at all prints a red error and yields status 1 (through a
	#plain "false" so the ERR trap sees it, as before).
	currentWorkingPatch=$1;
	set -E
	if [ ! -f "$currentWorkingPatch" ]; then
		echo -e "\e[0;31mERROR: Patch doesn't exist: $currentWorkingPatch\e[0m";
		false;
		return;
	fi;
	if git apply --check "$@" &> /dev/null; then
		applyPatchReal "$@";
		return;
	fi;
	if git apply --reverse --check "$@" &> /dev/null; then
		echo "Already applied: $currentWorkingPatch";
		return 0;
	fi;
	if git apply --check "$@" --3way &> /dev/null; then
		applyPatchReal "$@" --3way;
		echo "Applied (as 3way): $currentWorkingPatch";
		return 0;
	fi;
	echo -e "\e[0;31mERROR: Cannot apply: $currentWorkingPatch\e[0m";
	false;
}
export -f applyPatch;
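gpgVerifyDirectory() {
	#Verify every detached signature ($1/*.asc) against its neighbouring file using the
	#build's temporary keyring. Results are only reported: a bad signature prints a red
	#warning and pauses for a minute so it gets noticed, but the function never fails and
	#the caller keeps going, so this is an early warning, not a gate.
	#  $1 - directory containing the .asc files
	#NOTE(review): gpg --verify succeeds for a signature from *any* key in $DOS_TMP_GNUPG;
	#if a particular signer is expected, the signing fingerprint should additionally be
	#checked (e.g. from --status-fd output) before the result is trusted.
	local dir="$1";
	local sig;
	if [ ! -r "$DOS_TMP_GNUPG/pubring.kbx" ]; then
		echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $dir will not be performed!\e[0m";
		return 0;
	fi;
	#Only the glob is left unquoted; $dir and $sig are quoted so a directory or signature
	#path containing whitespace is one name instead of being word-split (which made the
	#old loop verify, and report, non-existent fragments).
	for sig in "$dir"/*.asc; do
		if gpg --homedir "$DOS_TMP_GNUPG" --verify "$sig" &>/dev/null; then
			echo -e "\e[0;32mGPG Verified Successfully: $sig\e[0m";
		else
			echo -e "\e[0;31mWARNING: GPG Verification Failed: $sig\e[0m";
			sleep 60;
		fi;
	done;
}
export -f gpgVerifyDirectory;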
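scanForMalware() {
	#Run clamscan over a set of paths and loudly report findings. Purely advisory: a hit
	#or a scanner error prints a banner and pauses for a minute, but the function does not
	#fail, so callers (e.g. the pre-signing scan in processRelease) continue regardless.
	#  $1 - true to extend the queue with source trees according to DOS_MALWARE_SCAN_SETTING
	#       (quick: nothing extra; anything else incl. "extra": frameworks+vendor;
	#       slow: additionally external/prebuilts/toolchain/tools; full: the whole build base)
	#  $2 - initial, space-separated list of paths to scan (word-split on purpose, as before)
	if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.c*d ]; then
		echo -e "\e[0;32mStarting a malware scan...\e[0m";
		#Kept in an array so each pattern reaches clamscan as one clean argument. The old
		#string form carried literal double quotes into the arguments (--exclude-dir=".git"),
		#a regex that never matches, so .git/.repo were silently scanned after all.
		local excludes=(--exclude-dir='\.git' --exclude-dir='\.repo');
		local scanQueue="$2";
		if [ "$1" = true ]; then
			if [ "$DOS_MALWARE_SCAN_SETTING" != "quick" ]; then
				scanQueue="$scanQueue $DOS_BUILD_BASE/frameworks $DOS_BUILD_BASE/vendor";
			fi;
			if [ "$DOS_MALWARE_SCAN_SETTING" = "slow" ]; then
				#the separating space was missing here, which glued .../vendor and
				#.../external together into one non-existent path
				scanQueue="$scanQueue $DOS_BUILD_BASE/external $DOS_BUILD_BASE/prebuilts $DOS_BUILD_BASE/toolchain $DOS_BUILD_BASE/tools";
			fi;
			if [ "$DOS_MALWARE_SCAN_SETTING" = "full" ]; then
				scanQueue="$DOS_BUILD_BASE";
			fi;
		fi;
		#$scanQueue is intentionally unquoted: it is a space-separated list of paths
		du -hsc $scanQueue;
		/usr/bin/clamscan --recursive --detect-pua --infected --allmatch --max-filesize=4000M --max-scansize=4000M "${excludes[@]}" $scanQueue;
		local clamscanExit="$?";
		#clamscan: 0 = clean, 1 = something found, 2 = scanner error
		case "$clamscanExit" in
			0)
				echo -e "\e[0;32mNo malware found\e[0m";
				;;
			1)
				echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
				echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";
				echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
				echo -e "\e[0;33mFalse positives such as the following are probably OK\e[0m";
				echo -e "\e[0;33mPUAs: Ewind, Mobidash\e[0m";
				echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
				sleep 60;
				;;
			2)
				echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
				echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";
				echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
				sleep 60;
				;;
			*)
				echo -e "\e[0;33mWARNING: clamscan exited with unexpected status $clamscanExit\e[0m";
				;;
		esac;
	else
		echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";
	fi;
}
export -f scanForMalware;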
generateBootAnimationMask() {
	#Render text $1 in font $2, centred on a 512x128 black canvas with transparent glyphs
	#(i.e. a mask), and write it as a 32-bit PNG to $3.
	local text="$1";
	local font="$2";
	local output="$3";
	local canvas=(-depth 8 -background black -fill transparent -font "$font" -gravity center -size 512x128);
	convert "${canvas[@]}" label:"$text" "PNG32:$output";
}
export -f generateBootAnimationMask;
generateBootAnimationShine() {
	#Write a 2048x128 "shine" strip as a 24-bit PNG to $3: a 1024x128 gradient of style $2
	#in colour $1, followed by its mirror image (+clone -flop, +append). Mirroring keeps the
	#colours symmetrical so the animation loops smoothly without a visible seam.
	local color="$1";
	local style="$2";
	local output="$3";
	local gradient=(-depth 8 -size 1024x128 -define gradient:angle=90 "${style}:${color}");
	convert "${gradient[@]}" \( +clone -flop \) +append "PNG24:$output";
}
export -f generateBootAnimationShine;
audit2allowCurrent() {
	#Dump the complete logcat of the attached device and turn its SELinux denials into
	#allow rules against the policy of the current build ($OUT/root/sepolicy).
	#NOTE(review): audit2allow output is a starting point, not a fix; review each generated
	#rule before adding it to the policy rather than allowing every denial seen.
	local policy="$OUT/root/sepolicy";
	adb logcat -b all -d | audit2allow -p "$policy";
}
export -f audit2allowCurrent;
audit2allowADB() {
	#Like audit2allowCurrent, but against the policy actually loaded on the device: pull
	#/sys/fs/selinux/policy into ./policy first, then feed the logcat denials to audit2allow.
	#NOTE(review): generated rules still need a manual review before they go into the policy.
	local logDump=(adb logcat -b all -d);
	adb pull /sys/fs/selinux/policy;
	"${logDump[@]}" | audit2allow -p policy;
}
export -f audit2allowADB;
processRelease() {
#Reference (MIT): GrapheneOS
#https://github.com/GrapheneOS/script/blob/13/release.sh
local DEVICE="$1";
local BLOCK="$2";
local VERITY="$3";
local DATE=$(date -u '+%Y%m%d')
local KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
local VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
local PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
local ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";
local RELEASETOOLS_PREFIX="build/tools/releasetools/";
if [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]] || [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
local RELEASETOOLS_PREFIX="";
fi;
umask 0022;
echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";
#Arguments
if [ "$BLOCK" != false ]; then
local BLOCK_SWITCHES="--block";
fi;
if [[ "$VERITY" == "verity" ]]; then
local VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
--replace_verity_private_key "$KEY_DIR/verity" \
--replace_verity_keyid "$KEY_DIR/verity.x509.pem");
echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
elif [[ "$VERITY" == "avb" ]]; then
local AVB_PKMD="$KEY_DIR/avb_pkmd.bin";
local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096);
echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA and NOCHAIN\e[0m";
fi;
#XXX: --extra_apks Bluetooth.apk="$KEY_DIR/bluetooth" \
local APK_SWITCHES=(--extra_apks AdServicesApk.apk="$KEY_DIR/releasekey" \
--extra_apks HalfSheetUX.apk="$KEY_DIR/releasekey" \
--extra_apks OsuLogin.apk="$KEY_DIR/releasekey" \
--extra_apks SafetyCenterResources.apk="$KEY_DIR/releasekey" \
--extra_apks ServiceConnectivityResources.apk="$KEY_DIR/releasekey" \
--extra_apks ServiceUwbResources.apk="$KEY_DIR/releasekey" \
--extra_apks ServiceWifiResources.apk="$KEY_DIR/releasekey" \
--extra_apks WifiDialog.apk="$KEY_DIR/releasekey");
if [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
local APK_SWITCHES_EXTRA=(--extra_apks Bluetooth.apk="$KEY_DIR/bluetooth");
fi;
if [[ "$DOS_VERSION" == "LineageOS-17.1" ]] || [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]] || [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
local APEX_SWITCHES=(--extra_apks com.android.adbd.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.adbd.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.adservices.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.adservices.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.adservices.api.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.adservices.api.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.apex.cts.shim.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.apex.cts.shim.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.appsearch.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.appsearch.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.art.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.art.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.art.debug.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.art.debug.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.btservices.apex="$KEY_DIR/bluetooth" \
--extra_apex_payload_key com.android.btservices.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.cellbroadcast.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.cellbroadcast.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.compos.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.compos.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.configinfrastructure.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.configinfrastructure.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.connectivity.resources.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.connectivity.resources.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.conscrypt.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.conscrypt.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.devicelock.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.devicelock.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.extservices.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.extservices.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.graphics.pdf.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.graphics.pdf.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.hardware.biometrics.face.virtual.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.hardware.biometrics.face.virtual.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.hardware.biometrics.fingerprint.virtual.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.hardware.biometrics.fingerprint.virtual.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.hardware.cas.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.hardware.cas.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.hardware.wifi.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.hardware.wifi.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.healthfitness.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.healthfitness.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.hotspot2.osulogin.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.hotspot2.osulogin.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.i18n.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.i18n.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.ipsec.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.ipsec.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.media.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.media.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.mediaprovider.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.mediaprovider.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.media.swcodec.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.media.swcodec.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.nearby.halfsheet.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.nearby.halfsheet.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.networkstack.tethering.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.networkstack.tethering.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.neuralnetworks.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.neuralnetworks.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.ondevicepersonalization.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.ondevicepersonalization.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.os.statsd.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.os.statsd.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.permission.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.permission.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.resolv.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.resolv.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.rkpd.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.rkpd.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.runtime.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.runtime.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.safetycenter.resources.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.safetycenter.resources.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.scheduling.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.scheduling.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.sdkext.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.sdkext.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.support.apexer.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.support.apexer.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.telephony.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.telephony.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.telephonymodules.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.telephonymodules.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.tethering.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.tethering.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.tzdata.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.tzdata.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.uwb.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.uwb.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.uwb.resources.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.uwb.resources.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.vibrator.drv2624.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.vibrator.drv2624.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.vibrator.sunfish.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.vibrator.sunfish.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.virt.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.virt.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.vndk.current.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.vndk.current.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.vndk.current.on_vendor.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.vndk.current.on_vendor.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.wifi.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.wifi.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.wifi.dialog.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.wifi.dialog.apex="$KEY_DIR/avb.pem" \
--extra_apks com.android.wifi.resources.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.android.wifi.resources.apex="$KEY_DIR/avb.pem" \
--extra_apks com.google.pixel.camera.hal.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.google.pixel.camera.hal.apex="$KEY_DIR/avb.pem" \
--extra_apks com.google.pixel.vibrator.hal.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.google.pixel.vibrator.hal.apex="$KEY_DIR/avb.pem" \
--extra_apks com.qorvo.uwb.apex="$KEY_DIR/releasekey" \
--extra_apex_payload_key com.qorvo.uwb.apex="$KEY_DIR/avb.pem");
fi;
#Malware Scan
if [ "$DOS_MALWARE_SCAN_BEFORE_SIGN" = true ]; then
echo -e "\e[0;32mScanning files for malware before signing\e[0m";
scanForMalware false $OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip;
fi;
#Target Files
echo -e "\e[0;32mSigning target files\e[0m";
"$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
"${APK_SWITCHES[@]}" \
"${APK_SWITCHES_EXTRA[@]}" \
"${APEX_SWITCHES[@]}" \
"${VERITY_SWITCHES[@]}" \
$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
"$OUT_DIR/$PREFIX-target_files.zip";
sha512sum "$OUT_DIR/$PREFIX-target_files.zip" > "$OUT_DIR/$PREFIX-target_files.zip.sha512sum";
local INCREMENTAL_ID=$(grep "ro.build.version.incremental" $OUT_DIR/system/build.prop | cut -f2 -d "=" | sed 's/\.//g');
echo "$INCREMENTAL_ID" > "$OUT_DIR/$PREFIX-target_files.zip.id";
#Image
unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q recovery.img || true;
local hasRecoveryImg="$?";
unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q dtbo.img;
local hasDtboImg="$?";
if [ "$hasRecoveryImg" == "1" ] || [ "$hasDtboImg" == "0" ]; then
echo -e "\e[0;32mCreating fastboot image\e[0m";
"$RELEASETOOLS_PREFIX"img_from_target_files "$OUT_DIR/$PREFIX-target_files.zip" \
"$OUT_DIR/$PREFIX-fastboot.zip";
sha512sum "$OUT_DIR/$PREFIX-fastboot.zip" > "$OUT_DIR/$PREFIX-fastboot.zip.sha512sum";
fi
#OTA
echo -e "\e[0;32mCreating OTA\e[0m";
"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -k "$KEY_DIR/releasekey" \
"$OUT_DIR/$PREFIX-target_files.zip" \
"$OUT_DIR/$PREFIX-ota.zip";
sha512sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.sha512sum";
#Deltas
#grep update_engine Build/*/device/*/*/*.mk -l
local DOS_GENERATE_DELTAS_DEVICES=('akari' 'akatsuki' 'alioth' 'Amber' 'aura' 'aurora' 'avicii' 'barbet' 'bluejay' 'blueline' 'bonito' 'bramble' 'cheetah' 'cheryl' 'coral' 'crosshatch' 'davinci' 'discovery' 'enchilada' 'fajita' 'flame' 'FP3' 'FP4' 'guacamole' 'guacamoleb' 'hotdog' 'hotdogb' 'instantnoodle' 'instantnoodlep' 'kebab' 'kirin' 'lemonade' 'lemonadep' 'lemonades' 'marlin' 'mata' 'mermaid' 'oriole' 'panther' 'pioneer' 'pro1' 'pro1x' 'raven' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'voyager' 'walleye' 'xz2c'); #TODO: check lmi/alioth/apollon
if [ "$DOS_GENERATE_DELTAS" = true ]; then
if [[ " ${DOS_GENERATE_DELTAS_DEVICES[@]} " =~ " ${DEVICE} " ]]; then
for LAST_TARGET_FILES in $ARCHIVE/target_files/$DOS_BRANDING_ZIP_PREFIX-$VERSION-*-dos-$DEVICE-target_files.zip; do
if [[ -f "$LAST_TARGET_FILES.id" ]]; then
local LAST_INCREMENTAL_ID=$(cat "$LAST_TARGET_FILES.id");
echo -e "\e[0;32mGenerating incremental OTA against $LAST_INCREMENTAL_ID\e[0m";
#TODO: Verify GPG signature and checksum of previous target-files first!
"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -t 8 -k "$KEY_DIR/releasekey" -i \
"$LAST_TARGET_FILES" \
"$OUT_DIR/$PREFIX-target_files.zip" \
"$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip";
sha512sum "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip" > "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum";
fi;
done;
fi;
fi;
#Extract signed recovery
if [ "$hasRecoveryImg" == "0" ] && [ "$hasDtboImg" == "1" ]; then
echo -e "\e[0;32mExtracting signed recovery.img\e[0m";
mkdir "$OUT_DIR/rec_tmp";
unzip "$OUT_DIR/$PREFIX-target_files.zip" "IMAGES/recovery.img" -d "$OUT_DIR/rec_tmp";
mv "$OUT_DIR/rec_tmp/IMAGES/recovery.img" "$OUT_DIR/$PREFIX-recovery.img";
sha512sum "$OUT_DIR/$PREFIX-recovery.img" > "$OUT_DIR/$PREFIX-recovery.img.sha512sum";
fi;
#File name fixes
sed -i "s|$OUT_DIR/||" $OUT_DIR/*.sha512sum;
sed -i 's/-ota\././' $OUT_DIR/*.sha512sum;
sed -i 's/-incremental_/-/' $OUT_DIR/*.sha512sum;
#GPG signing
if [ "$DOS_GPG_SIGNING" = true ]; then
for checksum in $OUT_DIR/*.sha512sum; do
echo -e "\e[0;32mGPG signing $checksum\e[0m";
if gpg --homedir "$DOS_SIGNING_GPG" --sign --local-user "$DOS_GPG_SIGNING_KEY" --clearsign "$checksum"; then
mv -f "$checksum.asc" "$checksum";
fi;
done;
fi;
pkill java && sleep 10; #XXX: ugly hack
#Copy to archive
if [ "$DOS_AUTO_ARCHIVE_BUILDS" = true ]; then
echo -e "\e[0;32mCopying files to archive\e[0m";
mkdir -vp $ARCHIVE;
mkdir -vp $ARCHIVE/target_files;
mkdir -vp $ARCHIVE/fastboot;
mkdir -vp $ARCHIVE/incrementals;
cp -v $OUT_DIR/$PREFIX-ota.zip* $ARCHIVE/ || true;
rename -- "-ota." "." $ARCHIVE/$PREFIX-ota.zip*;
if [ "$hasRecoveryImg" == "1" ] || [ "$hasDtboImg" == "0" ]; then cp -v $OUT_DIR/$PREFIX-fastboot.zip* $ARCHIVE/fastboot/ || true; fi;
if [ "$hasRecoveryImg" == "0" ] && [ "$hasDtboImg" == "1" ]; then cp -v $OUT_DIR/$PREFIX-recovery.img* $ARCHIVE/ || true; fi;
if [ "$DOS_GENERATE_DELTAS" = true ]; then
if [[ " ${DOS_GENERATE_DELTAS_DEVICES[@]} " =~ " ${DEVICE} " ]]; then
cp -v $OUT_DIR/$PREFIX-target_files.zip* $ARCHIVE/target_files/ || true;
cp -v $OUT_DIR/$PREFIX-incremental_*.zip* $ARCHIVE/incrementals/ || true;
rename -- "-incremental_" "-" $ARCHIVE/incrementals/$PREFIX-incremental_*.zip* || true;
fi;
fi;
sync;
#Remove to make space for next build
if [ "$DOS_REMOVE_AFTER" = true ]; then
echo -e "\e[0;32mRemoving to reclaim space\e[0m";
#TODO: add a sanity check
rm -rf --one-file-system "$OUT_DIR";
if [ "$DOS_REMOVE_AFTER_FULL" = true ]; then rm -rf --one-file-system "$DOS_BUILD_BASE/out"; fi; #clobber entire workspace
sync;
fi;
fi;
sync;
echo -e "\e[0;32mRelease processing complete\e[0m";
}
declare -fx processRelease; #make the function available to child shells (same as export -f)
pushToServer() {
	#Examples
	#Uploads the release artifacts of device $1 from the current directory to the
	#DivestOS download server. Transfers run as root over rsync/SSH, keep newer
	#files already on the server (-u) and are best-effort: a failed or empty
	#transfer (no matching files) is ignored.
	#Arguments: $1 - device codename
	local device=$1;
	local remote="root@divestos.org:/var/www/divestos.org/builds/LineageOS/$device";
	local -a rsyncOpts=(-Pau --no-perms --no-owner --no-group);
	rsync "${rsyncOpts[@]}" incrementals/divested-*-dos-$device-*.zip* "$remote/incrementals/" || true;
	rsync "${rsyncOpts[@]}" divested-*-dos-$device.zip* "$remote/" || true;
	rsync "${rsyncOpts[@]}" divested-*-dos-$device-recovery.img "$remote/" || true;
	rsync "${rsyncOpts[@]}" fastboot/divested-*-dos-$device-*.zip* "$remote/" || true;
}
export -f pushToServer;
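removeBuildFingerprints() {
	#Removes the stock/vendor fingerprint, allowing one to be generated instead
	#Deletes every BUILD_FINGERPRINT and PRIVATE_BUILD_DESC line from
	#device/*/*/lineage*.mk (relative to the current directory, at most 3 deep).
	#The file name is handed to sed by -exec rather than spliced into a
	#`sh -c "... {}"` string, so a path containing shell metacharacters cannot
	#be interpreted as shell code.
	find device -maxdepth 3 -name "lineage*.mk" -type f \
		-exec sed -i '/BUILD_FINGERPRINT/d;/PRIVATE_BUILD_DESC/d' {} \;
	echo "Removed stock build fingerprints";
}
export -f removeBuildFingerprints;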
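removeUntrustedCerts() {
	#Deletes the CA certificates DivestOS no longer trusts from the
	#system/ca-certificates tree below $DOS_BUILD_BASE.
	#The cd is guarded: a missing tree must not make the rm run in whatever
	#directory the caller happened to be in.
	#Globals: DOS_BUILD_BASE (read)
	#Returns: 1 when the certificate directory does not exist
	cd "$DOS_BUILD_BASE/system/ca-certificates/files" || return 1;
	rm -fv 7c302982.0 c2c1704e.0 d0cddf45.0; #TrustCor
	rm -fv cb156124.0; #E-Tugra
	cd "$DOS_BUILD_BASE";
	echo "Removed untrusted certificate authorities";
}
export -f removeUntrustedCerts;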
compressRamdisks() {
	#Turns on LZMA compression of the boot and recovery ramdisks by appending
	#LZMA_RAMDISK_TARGETS to the BoardConfig.mk of the current directory.
	#Does nothing (and still succeeds) when there is no BoardConfig.mk.
	local boardConfig="BoardConfig.mk";
	[ -f "$boardConfig" ] || return 0;
	printf '%s\n' "LZMA_RAMDISK_TARGETS := boot,recovery" >> "$boardConfig";
	echo "Enabled ramdisk compression";
}
export -f compressRamdisks;
smallerSystem() {
	#Shrinks the system image of the device tree in the current directory:
	#no journal reserve, trimmed Java debug info, fewer fonts, and the "mini"
	#common product config instead of the "full" one. BoardConfig.mk and
	#device.mk are appended to unconditionally (created when missing).
	printf '%s\n' \
		"BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" \
		"EXCLUDE_SERIF_FONTS := true" \
		"SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
	printf '%s\n' "PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := true" >> device.mk;
	#printf '%s\n' "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
	#Best-effort: no *.mk here is not an error
	sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
	echo "Set smaller system args for $PWD";
}
export -f smallerSystem;
deblobAudio() {
	#Drops sound-trigger support, and optionally the Dolby effects, from the
	#QCOM CAF audio HAL build configs below the current directory. Every edit is
	#best-effort: a missing tree or a non-GNU awk is silently ignored.
	#Globals: DOS_DEBLOBBER_REMOVE_AUDIOFX (read)
	local configGlob="hardware/qcom/audio-caf/*/configs/*/*.mk";
	local -a dropPatterns=('!/BOARD_SUPPORTS_SOUND_TRIGGER/' '!/android.hardware.soundtrigger/');
	if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
		dropPatterns+=('!/DOLBY_/');
		#dropPatterns+=('!/vendor.audio.dolby/');
	fi;
	local pattern;
	for pattern in "${dropPatterns[@]}"; do
		#$configGlob is deliberately unquoted so the globs expand
		awk -i inplace "$pattern" $configGlob &>/dev/null || true;
	done;
	echo "Deblobbed audio!";
}
export -f deblobAudio;
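volteOverride() {
	#Adds the persist.dbg.volte_avail_ovr=1 override to device tree $1 (relative
	#to $DOS_BUILD_BASE) when its overlay declares config_device_volte_available.
	#The property goes into vendor.prop, else system.prop, and additionally into
	#vendor_prop.mk; a file is only touched when it exists and does not already
	#carry the override.
	#Arguments: $1 - device tree path, e.g. device/<vendor>/<codename>
	#Globals:   DOS_BUILD_BASE (read)
	#Returns:   1 when the device tree does not exist (nothing is edited)
	cd "$DOS_BUILD_BASE/$1" || return 1;
	if grep -sq "config_device_volte_available" "overlay/frameworks/base/core/res/res/values/config.xml"; then
		if [ -f vendor.prop ] && ! grep -sq "volte_avail_ovr" "vendor.prop"; then
			echo -e 'persist.dbg.volte_avail_ovr=1' >> vendor.prop;
			echo "Set VoLTE override in vendor.prop for $1";
		elif [ -f system.prop ] && ! grep -sq "volte_avail_ovr" "system.prop"; then
			echo -e 'persist.dbg.volte_avail_ovr=1' >> system.prop;
			echo "Set VoLTE override in system.prop for $1";
		fi;
		if [ -f vendor_prop.mk ] && ! grep -sq "volte_avail_ovr" "vendor_prop.mk"; then
			echo -e '\nPRODUCT_PROPERTY_OVERRIDES += \\\n persist.dbg.volte_avail_ovr=1' >> vendor_prop.mk;
			echo "Set VoLTE override in vendor_prop.mk for $1";
		fi;
		#TODO: init/init*.cpp, device*.mk
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f volteOverride;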
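hardenLocationSerials() {
	#Prevent Qualcomm location stack from sending chipset serial number
	#Edits the sepolicy and libloc sources below device/ and hardware/ in the
	#current directory. Files are handed to sed by -exec rather than spliced
	#into a `sh -c "... {}"` string, so a path containing shell metacharacters
	#cannot be interpreted as shell code.
	#Globals: DOS_VERSION (read)
	#Devices using blob xtra-daemon (which Deblob.sh removes)
	if [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then #20.0 has sysfs_soc_sensitive label
		find device \( -name "hal_gnss*.te" -o -name "location.te" \) -type f -exec sed -i '/sysfs_soc/d' {} \;
	fi;
	#Devices using source built libloc, these ones typically have broad /sys access
	## Null out the User-Agent header and prevent reading the serial number
	find device hardware -name "LocEngAdapter.cpp" -type f -exec sed -i \
		-e 's/userAgent, strlen(userAgent)/"-", 1/' \
		-e 's|soc0/serial_number|soc0/invalid|' {} \;
	echo "Removed serial number access to Qualcomm location stacks";
}
export -f hardenLocationSerials;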
hardenLocationConf() {
	#Rewrites a Qualcomm gps.conf (path in $1) for privacy: disables MSA/LPP
	#assistance, forces the configured SUPL and NTP hosts, stops XTRA server
	#discovery and points XTRA at the IZatCloud mirrors over HTTPS. Each rule is
	#tried in both "KEY=value" and "KEY = value" spellings; every sed call is
	#best-effort so a missing file or non-matching rule is not an error.
	#Arguments: $1 - path of the gps.conf to edit
	#Globals:   DOS_GPS_GLONASS_FORCED, DOS_GPS_SUPL_HOST, DOS_GPS_NTP_SERVER (read)
	local gpsConfig=$1;
	#Debugging: adb logcat -b all | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
	#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true; #Debug
	#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 2|' "$gpsConfig" &> /dev/null || true; #Warning
	local -a edits=();
	#Enable GLONASS
	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
		edits+=('s/#A_GLONASS_POS_PROTOCOL_SELECT =/A_GLONASS_POS_PROTOCOL_SELECT =/');
		edits+=('s/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/');
	fi;
	#Change capabilities
	edits+=('s|CAPABILITIES=.*|CAPABILITIES=0x13|'); #Disable MSA (privacy) and geofencing/ULP (both broken by deblobber)
	edits+=('s|CAPABILITIES = .*|CAPABILITIES = 0x13|');
	edits+=('s/#SUPL_MODE=/SUPL_MODE=/'); #Uncomment
	edits+=('s/#SUPL_MODE = /SUPL_MODE = /');
	edits+=('s/SUPL_MODE=$/SUPL_MODE=1/'); #Set to MSB if blank (to prevent MSA+MSB default)
	edits+=('s/SUPL_MODE = $/SUPL_MODE = 1/');
	edits+=('s|SUPL_MODE=3|SUPL_MODE=1|'); #Disable MSA (privacy)
	edits+=('s|SUPL_MODE = 3|SUPL_MODE = 1|');
	edits+=('s/#LPP_PROFILE=/LPP_PROFILE=/'); #Uncomment
	edits+=('s/#LPP_PROFILE = /LPP_PROFILE = /');
	edits+=('s|LPP_PROFILE=.*|LPP_PROFILE=0|'); #Disable LPP (privacy)
	edits+=('s|LPP_PROFILE = .*|LPP_PROFILE = 0|');
	edits+=('s|LPPE_CP_TECHNOLOGY=.*|LPPE_CP_TECHNOLOGY=0|');
	edits+=('s|LPPE_CP_TECHNOLOGY = .*|LPPE_CP_TECHNOLOGY = 0|');
	edits+=('s|LPPE_UP_TECHNOLOGY=.*|LPPE_UP_TECHNOLOGY=0|');
	edits+=('s|LPPE_UP_TECHNOLOGY = .*|LPPE_UP_TECHNOLOGY = 0|');
	#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
	edits+=('s/#SUPL_ES=/SUPL_ES=/');
	edits+=('s|SUPL_ES=0|SUPL_ES=1|');
	#Change servers (the host names are spliced into the sed program, so they
	#must come from init.sh and must not contain "|")
	edits+=("s|SUPL_HOST=.*|SUPL_HOST=$DOS_GPS_SUPL_HOST|");
	edits+=("s|SUPL_HOST = .*|SUPL_HOST = $DOS_GPS_SUPL_HOST|");
	edits+=("s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|");
	edits+=("s|NTP_SERVER = .*|NTP_SERVER = $DOS_GPS_NTP_SERVER|");
	#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
	#XTRA: Only use specified URLs
	edits+=('s|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|');
	edits+=('s|XTRA_SERVER_QUERY = 1|XTRA_SERVER_QUERY = 0|');
	edits+=('s|#XTRA_SERVER|XTRA_SERVER|');
	#Switch gpsOneXtra to IZatCloud (invalid certificate)
	edits+=('/xtrapath/!s|://xtra|://xtrapath|');
	edits+=('s|gpsonextra.net|izatcloud.net|');
	edits+=('s|xtrapath1|xtrapath4|');
	edits+=('s|xtrapath2|xtrapath5|');
	edits+=('s|xtrapath3|xtrapath6|');
	#Enable HTTPS (IZatCloud supports HTTPS)
	edits+=('s|http://xtrapath|https://xtrapath|');
	edits+=('s|http://gllto|https://gllto|');
	local expr;
	for expr in "${edits[@]}"; do
		sed -i "$expr" "$gpsConfig" &>/dev/null || true;
	done;
	echo "Enhanced location services for $gpsConfig";
}
export -f hardenLocationConf;
hardenLocationFWB() {
	#Applies the gps.conf privacy rules to the framework resource overlays of
	#device tree $1 ($1/frameworks/base/core/res/res/values*/*.xml), where the
	#settings appear as "KEY=value" inside <item> elements. Every sed call is
	#best-effort so a missing overlay or non-matching rule is not an error.
	#Arguments: $1 - device tree path containing the overlay
	#Globals:   DOS_GPS_GLONASS_FORCED, DOS_GPS_NTP_SERVER (read)
	local dir=$1;
	local -a edits=();
	#Enable GLONASS
	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
		edits+=('s|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|');
	fi;
	#Change capabilities
	edits+=('s|SUPL_MODE=3|SUPL_MODE=1|'); #Disable MSA (privacy)
	edits+=('s|LPP_PROFILE=.*</item>|LPP_PROFILE=0</item>|'); #Disable LPP (privacy)
	edits+=('s|LPPE_CP_TECHNOLOGY=.*</item>|LPPE_CP_TECHNOLOGY=0</item>|');
	edits+=('s|LPPE_UP_TECHNOLOGY=.*</item>|LPPE_UP_TECHNOLOGY=0</item>|');
	#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
	edits+=('s|SUPL_ES=0|SUPL_ES=1|');
	#Change servers (the host name is spliced into the sed program; it must not contain "|")
	edits+=("s|NTP_SERVER=.*</item>|NTP_SERVER=$DOS_GPS_NTP_SERVER</item>|");
	#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
	#Switch gpsOneXtra to IZatCloud (invalid certificate)
	edits+=('/xtrapath/!s|://xtra|://xtrapath|');
	edits+=('s|gpsonextra.net|izatcloud.net|');
	edits+=('s|xtrapath1|xtrapath4|');
	edits+=('s|xtrapath2|xtrapath5|');
	edits+=('s|xtrapath3|xtrapath6|');
	#Enable HTTPS (IZatCloud supports HTTPS)
	edits+=('s|http://xtrapath|https://xtrapath|');
	edits+=('s|http://gllto|https://gllto|');
	local expr;
	for expr in "${edits[@]}"; do
		sed -i "$expr" "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
	done;
	echo "Enhanced location services for $dir";
}
export -f hardenLocationFWB;
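hardenUserdata() {
	#Tightens the fstab entries of device tree $1 (relative to $DOS_BUILD_BASE):
	#drops latemount from /cache lines, inserts discard on /data lines, and turns
	#encryptable= into forceencrypt= except for the trees and version listed
	#below. All edits are best-effort over *fstab* up to two directories deep.
	#Arguments: $1 - device tree path, e.g. device/<vendor>/<codename>
	#Globals:   DOS_BUILD_BASE, DOS_VERSION (read)
	#Returns:   1 when the device tree does not exist (nothing is edited)
	cd "$DOS_BUILD_BASE/$1" || return 1;
	#Remove latemount to allow selinux contexts be restored upon /cache wipe
	#Fixes broken OTA updater and broken /recovery updater
	sed -i '/\/cache/s|latemount,||' *fstab* */*fstab* */*/*fstab* &>/dev/null || true;
	#TODO: Ensure: noatime,nosuid,nodev
	sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' *fstab* */*fstab* */*/*fstab* &>/dev/null || true;
	if [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/amazon/hdx-common" ] && [ "$1" != "device/motorola/athene" ] && [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then #tuna needs first boot to init, hdx-c has broken encryption
		sed -i 's|encryptable=/|forceencrypt=/|' *fstab* */*fstab* */*/*fstab* &>/dev/null || true;
	fi;
	echo "Hardened /data for $1";
	cd "$DOS_BUILD_BASE";
}
export -f hardenUserdata;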
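enableAutoVarInit() {
	#Enables automatic stack variable initialisation (-ftrivial-auto-var-init)
	#in the kernels listed below: applies the GrapheneOS patch where it fits, or
	#switches an existing "pattern" setting to "zero". Kernels that are not
	#checked out under $DOS_BUILD_BASE/kernel are skipped silently.
	#grep TARGET_KERNEL_CLANG_COMPILE Build/*/device/*/*/*.mk -l
	#but exclude: grep INIT_STACK_ALL_ZERO Build/*/kernel/*/*/security/Kconfig.hardening -l
	#already supported: fairphone/sm7225, fxtec/sm6115, google/bluejay, google/gs101, google/gs201, google/msm-4.14, google/raviole, google/redbull, oneplus/sm8250, oneplus/sm8350
	#Globals: DOS_BUILD_BASE, DOS_PATCHES_COMMON (read)
	local DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'samsung/exynos9810' 'samsung/universal9810' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/vayu' 'xiaomi/sm8250' 'zuk/msm8996');
	local patch="$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch";
	local kernel;
	cd "$DOS_BUILD_BASE";
	echo "auto-var-init: Starting!";
	for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"; do
		[ -d "$DOS_BUILD_BASE/kernel/$kernel" ] || continue; #not in tree
		cd "$DOS_BUILD_BASE/kernel/$kernel" || continue;
		if git apply --check "$patch" &> /dev/null; then
			if git apply "$patch" &> /dev/null; then #(GrapheneOS)
				echo "auto-var-init: Enabled for $kernel";
			else
				echo "auto-var-init: Failed to enable for $kernel";
			fi;
		elif git apply --check --reverse "$patch" &> /dev/null; then
			echo "auto-var-init: Already enabled for $kernel";
		elif grep -q "trivial-auto-var-init=pattern" Makefile; then
			sed -i 's/ftrivial-auto-var-init=pattern/ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang/' Makefile; #(GrapheneOS)
			#The grep is the condition itself: its expected "no match" result is
			#not a bare failing command, so the project's ERR trap stays quiet.
			if grep -q "trivial-auto-var-init=pattern" Makefile; then
				echo "auto-var-init: Failed to switch from pattern to zero on $kernel";
			else
				echo "auto-var-init: Switched from pattern to zero on $kernel";
			fi;
		elif grep -q "trivial-auto-var-init=zero" Makefile; then
			echo "auto-var-init: Already enabled for $kernel";
		else
			echo "auto-var-init: Could not enable for $kernel";
		fi;
	done;
	echo "auto-var-init: Finished!";
	cd "$DOS_BUILD_BASE";
}
export -f enableAutoVarInit;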
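updateRegDb() {
	#Regulatory database refresh for kernel tree $1 (relative to $DOS_BUILD_BASE).
	#The actual update is currently disabled (see the commented-out cp): kernels
	#whose net/wireless/genregdb.awk matches the known checksum only get a skip
	#notice, all others are left untouched.
	#Arguments: $1 - kernel tree path, e.g. kernel/<vendor>/<soc>
	#Globals:   DOS_BUILD_BASE (read)
	#Returns:   1 when the kernel tree does not exist
	cd "$DOS_BUILD_BASE/$1" || return 1;
	#Latest database cannot be used due to differing flags, only update supported kernels
	#md5sum Build/*/kernel/*/*/net/wireless/genregdb.awk | sort
	if echo "d9ef5910b573c634fa7845bb6511ba89 net/wireless/genregdb.awk" | md5sum --check --quiet &>/dev/null; then
		#cp "$DOS_PATCHES_COMMON/wireless-regdb/db.txt" "net/wireless/db.txt";
		#echo "regdb: updated for $1";
		echo "regdb: skipping regdb update for $1";
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f updateRegDb;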
fixupCarrierConfigs() {
	#Strips carrier-config entries DivestOS does not want (APN editing
	#restrictions, hidden APN/IMS settings, the hidden 2G toggle, LPP profile
	#settings) from the CarrierConfig assets and the per-device overlay
	#vendor.xml files. Works from $DOS_BUILD_BASE.
	#Globals: DOS_BUILD_BASE (read)
	#NOTE(review): the cd is unguarded; if it fails the edits run in the caller's
	#directory, where the globs below most likely match nothing.
	cd "$DOS_BUILD_BASE";
	#Kept unquoted on use so the globs expand; a non-existent path makes
	#sed/perl complain but the other files are still processed.
	local pathsToFixup="packages/apps/CarrierConfig/assets/*.xml device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml device/*/*/overlay/CarrierConfigResCommon/res/xml/vendor.xml device/*/*/rro_overlays/CarrierConfigOverlay/res/xml/vendor.xml";
	#Things we don't want
	#Reference (BSD-3-Clause): https://github.com/GrapheneOS/carriersettings-extractor/blob/13/carriersettings_extractor.py
	local ccLines="allow_adding_apns_bool|apn_expand_bool|hide_ims_apn_bool|hide_preset_apn_details_bool|hide_enable_2g_bool|gps.lpp_profile|gps.persist_lpp_mode_bool";
	#Drop every line that mentions one of the unwanted keys
	sed -i -E "/($ccLines)/d" $pathsToFixup;
	local ccArrays="read_only_apn_fields_string_array|read_only_apn_types_string_array";
	#Single-line (num="0") arrays are dropped here; the multi-line ones below
	sed -i -E "/("$ccArrays").*num=\"0\"/d" $pathsToFixup; #ugly hack because next line is very greedy
	#Slurp each file (-0777) and blank out every <string-array> block whose text
	#names one of the unwanted arrays. $ccArrays is spliced into the perl
	#program unquoted; it is a constant here and must stay one.
	perl -0777 -pe 's,(<string-array.*?>.*?</string-array>),$1 =~ /'$ccArrays'/?"":$1,gse' -i $pathsToFixup; #Credit: https://unix.stackexchange.com/a/72160
	#Remove the whitespace-only lines the deletions leave behind
	sed -i "/^ $/d" $pathsToFixup;
	sed -i "/^ $/d" $pathsToFixup;
	#sed -i '/^[[:space:]]*$/d' *.xml;
	cd "$DOS_BUILD_BASE";
}
export -f fixupCarrierConfigs;
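disableEnforceRRO() {
	#Removes the PRODUCT_ENFORCE_RRO_TARGETS assignments (framework-res, "*",
	#and the two-line backslash-continued form) from the *.mk files of device
	#tree $1 (relative to $DOS_BUILD_BASE). Edits are best-effort.
	#Arguments: $1 - device tree path, e.g. device/<vendor>/<codename>
	#Globals:   DOS_BUILD_BASE (read)
	#Returns:   1 when the device tree does not exist (nothing is edited)
	cd "$DOS_BUILD_BASE/$1" || return 1;
	#sed -i replaces the gawk-only "awk -i inplace" used elsewhere; same lines are dropped
	sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= framework-res/d' *.mk &>/dev/null || true;
	sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= \*/d' *.mk &>/dev/null || true;
	sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= \\/,+1 d' *.mk &>/dev/null || true;
	echo "Disabled enforced RRO for $1";
	cd "$DOS_BUILD_BASE";
}
export -f disableEnforceRRO;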
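disableAPEX() {
	#Removes updatable APEX support (DEXPREOPT_GENERATE_APEX_IMAGE and the
	#updatable_apex.mk include) from the *.mk files of device tree $1 (relative
	#to $DOS_BUILD_BASE). The Google trees listed in the case below are skipped.
	#Arguments: $1 - device tree path, e.g. device/<vendor>/<codename>
	#Globals:   DOS_BUILD_BASE (read)
	#Returns:   1 when the device tree does not exist (nothing is edited)
	cd "$DOS_BUILD_BASE/$1" || return 1;
	case "$1" in
		*device/google/gs101*|*device/google/gs201*|*device/google/oriole*|*device/google/raven*|*device/google/raviole*|*device/google/bluejay*|*device/google/panther*|*device/google/cheetah*|*device/google/pantah*)
			echo "Skipped disabling APEX for $1";
			;;
		*)
			#sed -i replaces the gawk-only "awk -i inplace"; best-effort when no *.mk exists
			sed -i '/DEXPREOPT_GENERATE_APEX_IMAGE/d;/updatable_apex.mk/d' *.mk &>/dev/null || true;
			echo "Disabled APEX for $1";
			;;
	esac;
	cd "$DOS_BUILD_BASE";
}
export -f disableAPEX;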
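includeOE() {
	#Adds the OpenEUICC package to device tree $1 (relative to $DOS_BUILD_BASE)
	#for each of device.mk and device-lineage.mk that already references
	#euicc.xml (the eUICC/eSIM feature file).
	#Skip: Pixel 2 series (only supports Google Fi), Pixel 3/a series (broken on 20.0)
	#Arguments: $1 - device tree path, e.g. device/<vendor>/<codename>
	#Globals:   DOS_BUILD_BASE (read)
	#Returns:   1 when the device tree does not exist (nothing is edited)
	cd "$DOS_BUILD_BASE/$1" || return 1;
	if [[ "$1" != *"device/google/bonito"* ]] && [[ "$1" != *"device/google/crosshatch"* ]] && [[ "$1" != *"device/google/wahoo"* ]]; then
		local makefile;
		for makefile in device.mk device-lineage.mk; do
			if [ -f "$makefile" ] && grep -sq "euicc.xml" "$makefile"; then
				echo -e "\nPRODUCT_PACKAGES += OpenEUICC" >> "$makefile";
				echo "Enabled OpenEUICC inclusion for $1";
			fi;
		done;
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f includeOE;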
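enableStrongEncryption() {
	#Appends TARGET_WANTS_STRONG_ENCRYPTION := true to the BoardConfig.mk of
	#device tree $1 (relative to $DOS_BUILD_BASE); trees without a
	#BoardConfig.mk are left alone.
	#Arguments: $1 - device tree path, e.g. device/<vendor>/<codename>
	#Globals:   DOS_BUILD_BASE (read)
	#Returns:   1 when the device tree does not exist (nothing is edited)
	cd "$DOS_BUILD_BASE/$1" || return 1;
	if [ -f BoardConfig.mk ]; then
		echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
		echo "Enabled AES-256 encryption for $1";
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f enableStrongEncryption;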
addAdbKey() {
	#Copies this host's adb public key ($HOME/.android/adbkey.pub) into
	#vendor/divested and points PRODUCT_ADB_KEYS at it in divestos.mk, so the
	#key is baked into the build. Nothing happens when the key file is absent.
	#Globals: DOS_BUILD_BASE (read)
	local adbKey="$HOME/.android/adbkey.pub";
	local vendorDir="$DOS_BUILD_BASE/vendor/divested";
	[ -f "$adbKey" ] || return 0;
	cp "$adbKey" "$vendorDir/";
	printf '%s\n' "PRODUCT_ADB_KEYS := vendor/divested/adbkey.pub" >> "$vendorDir/divestos.mk";
}
export -f addAdbKey;
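changeDefaultDNS() {
	#Replaces the Google Public DNS addresses hard-coded in the source tree
	#(paths relative to the current directory) with the resolver selected by
	#DOS_DEFAULT_DNS_PRESET. dnsHex is the IPv4 primary packed as a 0x...L
	#integer literal, matching how the Java sources spell it.
	#Returns 1 and edits nothing when the preset is unset or unknown: running the
	#substitutions with empty values would delete the addresses from the sources.
	#Globals: DOS_DEFAULT_DNS_PRESET (read)
	local dnsHex="";
	local dnsPrimary="";
	local dnsPrimaryV6="";
	local dnsSecondary="";
	local dnsSecondaryV6="";
	case "$DOS_DEFAULT_DNS_PRESET" in
		"")
			echo "You must first set a preset via the DOS_DEFAULT_DNS_PRESET variable in init.sh!";
			return 1;
			;;
		AdGuard) #https://adguard.com/en/adguard-dns/overview.html
			dnsHex="0xb0678282L";
			dnsPrimary="176.103.130.130";
			dnsPrimaryV6="2a00:5a60::ad1:0ff";
			dnsSecondary="176.103.130.131";
			dnsSecondaryV6="2a00:5a60::ad2:0ff";
			;;
		AdGuard-NOBL) #https://adguard.com/en/adguard-dns/overview.html
			dnsHex="0xb0678288L";
			dnsPrimary="176.103.130.136";
			dnsPrimaryV6="2a00:5a60::01:ff";
			dnsSecondary="176.103.130.137";
			dnsSecondaryV6="2a00:5a60::02:ff";
			;;
		CensurfriDNS) #https://uncensoreddns.org
			dnsHex="0x5bef6464L";
			dnsPrimary="91.239.100.100";
			dnsPrimaryV6="2001:67c:28a4::";
			dnsSecondary="89.233.43.71";
			dnsSecondaryV6="2a01:3a0:53:53::";
			;;
		Cloudflare) #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
			dnsHex="0x01000001L";
			dnsPrimary="1.0.0.1";
			dnsPrimaryV6="2606:4700:4700::1001";
			dnsSecondary="1.1.1.1";
			dnsSecondaryV6="2606:4700:4700::1111";
			;;
		Cloudflare-BL) #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
			dnsHex="0x01000002L";
			dnsPrimary="1.0.0.2";
			dnsPrimaryV6="2606:4700:4700::1002";
			dnsSecondary="1.1.1.2";
			dnsSecondaryV6="2606:4700:4700::1112";
			;;
		DNSWATCH) #https://dns.watch
			dnsHex="0x54c84550L";
			dnsPrimary="84.200.69.80";
			dnsPrimaryV6="2001:1608:10:25::1c04:b12f";
			dnsSecondary="84.200.70.40";
			dnsSecondaryV6="2001:1608:10:25::9249:d69b";
			;;
		Google) #https://developers.google.com/speed/public-dns/privacy
			dnsHex="0x08080808L";
			dnsPrimary="8.8.8.8";
			dnsPrimaryV6="2001:4860:4860::8888";
			dnsSecondary="8.8.4.4";
			dnsSecondaryV6="2001:4860:4860::8844";
			;;
		Neustar) #https://www.security.neustar/digital-performance/dns-services/recursive-dns
			dnsHex="0x9c9a4602L";
			dnsPrimary="156.154.70.2";
			dnsPrimaryV6="2610:a1:1018::2";
			dnsSecondary="156.154.71.2";
			dnsSecondaryV6="2610:a1:1019::2";
			;;
		Neustar-NOBL) #https://www.security.neustar/digital-performance/dns-services/recursive-dns
			dnsHex="0x9c9a4605L";
			dnsPrimary="156.154.70.5";
			dnsPrimaryV6="2610:a1:1018::5";
			dnsSecondary="156.154.71.5";
			dnsSecondaryV6="2610:a1:1019::5";
			;;
		OpenDNS) #https://www.cisco.com/c/en/us/about/legal/privacy-full.html
			dnsHex="0xd043dedeL";
			dnsPrimary="208.67.222.222";
			dnsPrimaryV6="2620:0:ccc::2";
			dnsSecondary="208.67.220.220";
			dnsSecondaryV6="2620:0:ccd::2";
			;;
		Quad9) #https://www.quad9.net/privacy
			dnsHex="0x09090909L";
			dnsPrimary="9.9.9.9";
			dnsPrimaryV6="2620:fe::fe";
			dnsSecondary="149.112.112.112";
			dnsSecondaryV6="2620:fe::9";
			;;
		Quad9-EDNS) #https://www.quad9.net/privacy
			dnsHex="0x0909090bL";
			dnsPrimary="9.9.9.11";
			dnsPrimaryV6="2620:fe::11";
			dnsSecondary="149.112.112.11";
			dnsSecondaryV6="2620:fe::fe:11";
			;;
		Quad9-NOBL) #https://www.quad9.net/privacy
			dnsHex="0x0909090aL";
			dnsPrimary="9.9.9.10";
			dnsPrimaryV6="2620:fe::10";
			dnsSecondary="149.112.112.10";
			dnsSecondaryV6="2620:fe::fe:10";
			;;
		Verisign) #https://www.verisign.com/en_US/security-services/public-dns/terms-of-service/index.xhtml
			dnsHex="0x40064006L";
			dnsPrimary="64.6.64.6";
			dnsPrimaryV6="2620:74:1b::1:1";
			dnsSecondary="64.6.65.6";
			dnsSecondaryV6="2620:74:1c::2:2";
			;;
		Yandex) #https://dns.yandex.com/advanced
			dnsHex="0x4d580858L";
			dnsPrimary="77.88.8.88";
			dnsPrimaryV6="2a02:6b8::feed:bad";
			dnsSecondary="77.88.8.2";
			dnsSecondaryV6="2a02:6b8:0:1::feed:bad";
			;;
		Yandex-NOBL) #https://dns.yandex.com/advanced
			dnsHex="0x4d580808L";
			dnsPrimary="77.88.8.8";
			dnsPrimaryV6="2a02:6b8::feed:0ff";
			dnsSecondary="77.88.8.1";
			dnsSecondaryV6="2a02:6b8:0:1::feed:0ff";
			;;
		*)
			echo "Unknown DOS_DEFAULT_DNS_PRESET '$DOS_DEFAULT_DNS_PRESET', not changing the default DNS!";
			return 1;
			;;
	esac;
	#Kept unquoted on use so the list splits into paths; missing files are ignored
	local files="bionic/libc/dns/net/getaddrinfo.c frameworks/base/core/java/android/net/util/DnsUtils.java frameworks/base/core/java/com/android/internal/net/VpnProfile.java frameworks/base/core/res/res/values/config.xml frameworks/base/packages/SettingsLib/res/values/strings.xml frameworks/base/packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java frameworks/base/services/core/java/com/android/server/connectivity/NetworkDiagnostics.java frameworks/base/services/core/java/com/android/server/connectivity/Tethering.java frameworks/base/services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java frameworks/base/services/java/com/android/server/connectivity/Tethering.java packages/apps/Dialer/java/com/android/voicemail/impl/sync/VvmNetworkRequestCallback.java packages/modules/Connectivity/framework/src/android/net/util/DnsUtils.java packages/modules/Connectivity/service/native/libs/libclat/clatutils_test.cpp packages/modules/Connectivity/service/ServiceConnectivityResources/res/values/config.xml packages/modules/Connectivity/service/src/com/android/server/connectivity/ClatCoordinator.java packages/modules/Connectivity/service/src/com/android/server/connectivity/NetworkDiagnostics.java packages/modules/Connectivity/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java packages/modules/DnsResolver/DnsResolver/doh.rs packages/modules/DnsResolver/DnsResolver/getaddrinfo.cpp packages/modules/DnsResolver/getaddrinfo.cpp";
	#TODO: handle packages/modules/DnsResolver/PrivateDnsConfiguration.h maybe? or just leave as is
	sed -i "s/8\.8\.8\.8/$dnsPrimary/g" $files &>/dev/null || true;
	sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/g" $files &>/dev/null || true;
	sed -i "s/8\.8\.4\.4/$dnsSecondary/g" $files &>/dev/null || true;
	sed -i "s/4\.4\.4\.4/$dnsSecondary/g" $files &>/dev/null || true;
	sed -i "s/2001:4860:4860::8844/$dnsSecondaryV6/g" $files &>/dev/null || true;
	sed -i "s/0x08080808L/$dnsHex/g" $files &>/dev/null || true;
}
export -f changeDefaultDNS;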
editKernelLocalversion() {
	#Sets CONFIG_LOCALVERSION in the kernel defconfig(s) reported by getDefconfig
	#(relative to the current directory) to $1, or to "-oink" when DOS_SNET is
	#enabled. An existing CONFIG_LOCALVERSION line is rewritten; when the file
	#has none, one is appended.
	#Arguments: $1 - the localversion string to set
	#Globals:   DOS_SNET (read)
	#$defconfigPath is left unquoted on purpose: getDefconfig returns a
	#space-separated list that may contain globs, which must expand here.
	local defconfigPath=$(getDefconfig)
	local replacement=$1;
	if [ "$DOS_SNET" = true ]; then local replacement="-oink"; fi;
	#Replace whatever value is present (best-effort: no defconfig is not an error)
	sed -i 's/CONFIG_LOCALVERSION=".*"/CONFIG_LOCALVERSION="'"$replacement"'"/' $defconfigPath &>/dev/null || true;
	#-z treats the whole file as one record, so the negated address means
	#"the file does not contain the line yet" and s/$/.../ appends it.
	#NOTE(review): $replacement is spliced into the sed program; it must not
	#contain "/" or a newline.
	sed -zi '/CONFIG_LOCALVERSION="'"$replacement"'"/!s/$/\nCONFIG_LOCALVERSION="'"$replacement"'"/' $defconfigPath &>/dev/null;
}
export -f editKernelLocalversion;
getDefconfig() {
if ls private/gs-google/arch/arm64/configs/*_gki_defconfig 1> /dev/null 2>&1; then
local defconfigPath="private/gs-google/arch/arm64/configs/cloudripper_gki_defconfig private/gs-google/arch/arm64/configs/slider_gki_defconfig";
elif ls arch/arm64/configs/lineage*defconfig 1> /dev/null 2>&1; then
local defconfigPath="arch/arm64/configs/lineage*defconfig";
elif ls arch/arm/configs/lineage*defconfig 1> /dev/null 2>&1; then
local defconfigPath="arch/arm/configs/lineage*defconfig";
else
#grep TARGET_KERNEL_CONFIG Build/*/device/ -Rih | sed 's|TARGET_KERNEL_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
#grep TARGET_KERNEL_VARIANT_CONFIG Build/*/device/ -Rih | sed 's|TARGET_KERNEL_VARIANT_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
local defconfigPath="arch/arm*/configs/lineage*defconfig arch/arm*/configs/vendor/lineage*defconfig arch/arm*/configs/apollo_defconfig arch/arm*/configs/apq8084_sec_defconfig arch/arm*/configs/apq8084_sec_kccat6_eur_defconfig arch/arm*/configs/apq8084_sec_lentislte_skt_defconfig arch/arm*/configs/athene_defconfig arch/arm*/configs/aura_defconfig arch/arm*/configs/b1c1_defconfig arch/arm*/configs/beryllium_defconfig arch/arm*/configs/bonito_defconfig arch/arm*/configs/clark_defconfig arch/arm*/configs/cloudripper_gki_defconfig arch/arm*/configs/discovery_defconfig arch/arm*/configs/enchilada_defconfig arch/arm*/configs/exynos8890-hero2lte_defconfig arch/arm*/configs/exynos8890-herolte_defconfig arch/arm*/configs/exynos9810-crownlte_defconfig arch/arm*/configs/exynos9810-star2lte_defconfig arch/arm*/configs/exynos9810-starlte_defconfig arch/arm*/configs/floral_defconfig arch/arm*/configs/FP4_defconfig arch/arm*/configs/griffin_defconfig arch/arm*/configs/grouper_defconfig arch/arm*/configs/harpia_defconfig arch/arm*/configs/jactive_eur_defconfig arch/arm*/configs/jf_att_defconfig arch/arm*/configs/jf_eur_defconfig arch/arm*/configs/jf_spr_defconfig arch/arm*/configs/jfve_eur_defconfig arch/arm*/configs/jf_vzw_defconfig arch/arm*/configs/kirin_defconfig arch/arm*/configs/lavender_defconfig arch/arm*/configs/m1s1_defconfig arch/arm*/configs/m7_defconfig arch/arm*/configs/m8_defconfig arch/arm*/configs/m8dug_defconfig arch/arm*/configs/merlin_defconfig arch/arm*/configs/mermaid_defconfig arch/arm*/configs/msm8930_serrano_eur_3g_defconfig arch/arm*/configs/msm8930_serrano_eur_lte_defconfig arch/arm*/configs/msm8974-hdx_defconfig arch/arm*/configs/msm8974-hdx-perf_defconfig arch/arm*/configs/oneplus2_defconfig arch/arm*/configs/osprey_defconfig arch/arm*/configs/pioneer_defconfig arch/arm*/configs/platina_defconfig arch/arm*/configs/redbull_defconfig arch/arm*/configs/samsung_serrano_defconfig arch/arm*/configs/samsung_serrano_usa_defconfig 
arch/arm*/configs/shamu_defconfig arch/arm*/configs/slider_gki_defconfig arch/arm*/configs/sunfish_defconfig arch/arm*/configs/surnia_defconfig arch/arm*/configs/tama_akari_defconfig arch/arm*/configs/tama_akatsuki_defconfig arch/arm*/configs/tama_apollo_defconfig arch/arm*/configs/tama_aurora_defconfig arch/arm*/configs/thor_defconfig arch/arm*/configs/tulip_defconfig arch/arm*/configs/tuna_defconfig arch/arm*/configs/twrp_defconfig arch/arm*/configs/vendor/alioth_defconfig arch/arm*/configs/vendor/apollo_defconfig arch/arm*/configs/vendor/davinci.config arch/arm*/configs/vendor/fairphone/FP4.config arch/arm*/configs/vendor/kona-perf_defconfig arch/arm*/configs/vendor/lahaina-qgki_defconfig arch/arm*/configs/vendor/lito-perf_defconfig arch/arm*/configs/vendor/lmi_defconfig arch/arm*/configs/vendor/msm8937-perf_defconfig arch/arm*/configs/vendor/raphael_defconfig arch/arm*/configs/vendor/sdmsteppe-perf_defconfig arch/arm*/configs/vendor/sm8150-perf_defconfig arch/arm*/configs/vendor/vayu_defconfig arch/arm*/configs/vendor/vendor/fairphone/FP4.config arch/arm*/configs/vendor/vendor/xiaomi/sm8150-common.config arch/arm*/configs/vendor/vendor/xiaomi/sm8250-common.config arch/arm*/configs/vendor/xiaomi/alioth.config arch/arm*/configs/vendor/xiaomi/apollo.config arch/arm*/configs/vendor/xiaomi/beryllium.config arch/arm*/configs/vendor/xiaomi/dipper.config arch/arm*/configs/vendor/xiaomi/equuleus.config arch/arm*/configs/vendor/xiaomi/lmi.config arch/arm*/configs/vendor/xiaomi/mi845_defconfig arch/arm*/configs/vendor/xiaomi/polaris.config arch/arm*/configs/vendor/xiaomi/sm8150-common.config arch/arm*/configs/vendor/xiaomi/sm8250-common.config arch/arm*/configs/vendor/xiaomi/ursa.config arch/arm*/configs/vendor/xiaomi/vayu.config arch/arm*/configs/voyager_defconfig arch/arm*/configs/wayne_defconfig arch/arm*/configs/whyred_defconfig arch/arm*/configs/yellowstone_defconfig arch/arm*/configs/Z00T_defconfig arch/arm*/configs/z2_plus_defconfig 
arch/arm*/configs/zenfone3-perf_defconfig";
2020-07-25 09:51:25 -04:00
fi;
echo $defconfigPath;
}
#Export the function so it survives into subshells (declare -fx is the long form of export -f).
declare -fx getDefconfig;
hardenDefconfig() {
  #Hardens the defconfig(s) of the kernel tree at "$DOS_BUILD_BASE/$1" in place.
  #Globals:   DOS_BUILD_BASE, DOS_USE_KSM, DOS_DEBLOBBER_REMOVE_IPA, DOS_DEFCONFIG_DISABLER, DOS_VERSION (read)
  #           modernKernels, oldKernels, option, kernelModern, kernelOld (written without local,
  #           so they leak into the calling shell; optionsYes/optionsNo are local because declare
  #           inside a function scopes the variable)
  #Arguments: $1 - kernel tree path relative to $DOS_BUILD_BASE; it is also substring-matched
  #           against the kernel lists below and against two kernels that must not get appended lines
  #Outputs:   "Hardened defconfig for $1" on stdout; all sed output is discarded
  #Returns:   status of the final cd back to $DOS_BUILD_BASE; every sed failure is swallowed by || true,
  #           so a missing or unmatched defconfig path silently leaves the tree untouched
  cd "$DOS_BUILD_BASE/$1";

  #Attempts to enable/disable supported options to increase security
  #See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
  #and (GPL-3.0) https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/kconfig_hardened_check/__init__.py

  #Kept unquoted at every use below so the glob(s) getDefconfig prints expand to the real file(s)
  local defconfigPath=$(getDefconfig);
  #"MAJOR.MINOR.PATCH" built from the VERSION/PATCHLEVEL/SUBLEVEL lines at the top of Makefile:
  #drop the SPDX/EXTRAVERSION/NAME lines, keep what follows "= ", join the rest with "." (e.g. "4.9.1")
  local kernelVersion="0.0.0";
  if [ -f "Makefile" ]; then
    local kernelVersion=$(head -n5 "Makefile" | sed '/# SPDX-License-Identifier: GPL-2.0/d;/EXTRAVERSION/d;/NAME/d' | sed 's/.*= //;s/\n//' | sed -e :a -e N -e '$!ba' -e 's/\n/ /g' | sed 's/\ /./g');
  fi;

  #Enable supported options
  #Linux <3.0
  declare -a optionsYes=("BUG" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
  optionsYes+=("DEBUG_KERNEL" "DEBUG_CREDENTIALS" "DEBUG_LIST" "DEBUG_VIRTUAL");
  optionsYes+=("DEBUG_RODATA" "DEBUG_SET_MODULE_RONX");
  #optionsYes+=("DEBUG_SG"); #bootloops - https://patchwork.kernel.org/patch/8989981
  #KSM is only enabled on 3.x/4.4/4.9 trees; there ksm.c is also patched to start merging by default.
  #On other trees the ksm.c default is reverted to stopped and KSM is queued for the disable list.
  if [ "$DOS_USE_KSM" = true ] && [ -f "mm/ksm.c" ]; then
    if [[ $kernelVersion == "3."* ]] || [[ $kernelVersion == "4.4"* ]] || [[ $kernelVersion == "4.9"* ]]; then
      optionsYes+=("KSM");
      sed -i 's/unsigned int ksm_run = KSM_RUN_STOP;/unsigned int ksm_run = KSM_RUN_MERGE;/' mm/ksm.c &>/dev/null || true;
      sed -i 's/unsigned long ksm_run = KSM_RUN_STOP;/unsigned long ksm_run = KSM_RUN_MERGE;/' mm/ksm.c &>/dev/null || true;
    else
      #Only declared on this path; elsewhere it is unset and the "= true" test below is false
      local ksmNotNeeded=true;
      sed -i 's/unsigned int ksm_run = KSM_RUN_MERGE;/unsigned int ksm_run = KSM_RUN_STOP;/' mm/ksm.c &>/dev/null || true;
      sed -i 's/unsigned long ksm_run = KSM_RUN_MERGE;/unsigned long ksm_run = KSM_RUN_STOP;/' mm/ksm.c &>/dev/null || true;
    fi;
  fi;
  if [[ $kernelVersion == "3."* ]] || [[ $kernelVersion == "4.4"* ]] || [[ $kernelVersion == "4.9"* ]]; then
    optionsYes+=("DEBUG_NOTIFIERS"); #(https://github.com/GrapheneOS/os-issue-tracker/issues/681)
  fi;
  #Linux 3.4
  optionsYes+=("SECURITY_YAMA");
  #Linux 3.5
  optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER");
  #Linux 3.7
  optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER");
  #Linux 3.13
  optionsYes+=("SYSTEM_TRUSTED_KEYRING");
  #Linux 3.14
  optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG");
  #Linux 3.17
  optionsYes+=("PKCS7_MESSAGE_PARSER");
  #Linux 3.18
  optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK");
  #Linux 4.3
  optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN");
  #Linux 4.4
  optionsYes+=("LEGACY_VSYSCALL_NONE");
  #Linux 4.5
  optionsYes+=("IO_STRICT_DEVMEM");
  #Linux 4.6
  optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ZERO" "PAGE_POISONING_NO_SANITY");
  #Linux 4.7
  optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
  #Linux 4.8
  optionsYes+=("RANDOMIZE_MEMORY");
  #Linux 4.9
  optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK");
  #Linux 4.10
  optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION");
  #Linux 4.11
  optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX");
  #Linux 4.13
  optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL");
  #Linux 4.14
  optionsYes+=("SLAB_FREELIST_HARDENED");
  #optionsYes+=("LTO_CLANG" "CFI_CLANG");
  #optionsYes+=("RESET_ATTACK_MITIGATION"); #EFI only
  #Linux 4.15
  optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE");
  #Linux 4.16
  optionsYes+=("UNMAP_KERNEL_AT_EL0");
  #Linux 4.17
  optionsYes+=("HARDEN_EL2_VECTORS");
  #Linux 4.18
  optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
  #Linux 5.0
  optionsYes+=("ARM64_PTR_AUTH"); #can stall CPUs on boot if missing support
  optionsYes+=("RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
  #Linux 5.2
  optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
  #Linux 5.8
  optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
  #Linux 5.9
  optionsYes+=("INIT_STACK_ALL_ZERO");
  #Linux 5.10
  optionsYes+=("ARM64_MTE");
  #Linux 5.12
  #optionsYes+=("KFENCE"); #useless?
  #Linux 5.13
  optionsYes+=("ARM64_EPAN" "RANDOMIZE_KSTACK_OFFSET_DEFAULT");
  #Linux 5.15
  optionsYes+=("IOMMU_DEFAULT_DMA_STRICT" "ZERO_CALL_USED_REGS");
  #optionsYes+=("WERROR");
  #Linux 5.17
  optionsYes+=("HARDEN_BRANCH_HISTORY" "MITIGATE_SPECTRE_BRANCH_HISTORY");
  #Linux 5.18
  #optionsYes+=("SHADOW_CALL_STACK" "SHADOW_CALL_STACK_VMAP");
  #GCC Plugins - 4.19 - 5.2
  #optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STACKLEAK" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
  #AOSP uses Clang, not GCC
  #GrapheneOS Patches
  optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
  #Disabled: SLAB_CANARY (https://github.com/GrapheneOS/os-issue-tracker/issues/124)
  #out of tree or renamed or removed ?
  optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
  #Hardware enablement #XXX: This needs a better home
  optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
  #grep INIT_ON_ALLOC_DEFAULT_ON Build/*/kernel/*/*/security/Kconfig.hardening -l
  #Per-kernel extras keyed on a "/vendor/soc" substring of $1 (plain assignment: this array is not local)
  modernKernels=('fairphone/sm7225' 'fxtec/sm6115' 'google/barbet' 'google/bluejay' 'google/coral' 'google/gs101' 'google/gs201' 'google/msm-4.14' 'google/raviole' 'google/redbull' 'google/sunfish' 'oneplus/sm8150' 'oneplus/sm8250' 'oneplus/sm8350' 'xiaomi/sm8150' 'xiaomi/sm8250' 'xiaomi/vayu');
  for kernelModern in "${modernKernels[@]}"; do
    if [[ "$1" == *"/$kernelModern"* ]]; then
      optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
    fi;
  done;
  #excluding above: grep PAGE_POISONING_ENABLE_DEFAULT Build/*/kernel/*/*/mm/Kconfig.debug -l
  oldKernels=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/msm-4.9' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'yandex/sdm660' 'zuk/msm8996');
  for kernelOld in "${oldKernels[@]}"; do
    if [[ "$1" == *"/$kernelOld"* ]]; then
      optionsYes+=("PAGE_POISONING_ENABLE_DEFAULT");
    fi;
  done;

  #Two seds per option. $option is spliced into the sed script unescaped, which is fine because
  #every value comes from the literal lists above. The "CONFIG_" prefix in each pattern keeps
  #e.g. DEVMEM from matching inside STRICT_DEVMEM.
  for option in "${optionsYes[@]}"
  do
    #If the option is disabled, enable it
    sed -i 's/# CONFIG_'"$option"' is not set/CONFIG_'"$option"'=y/' $defconfigPath &>/dev/null || true;
    if [[ "$1" != *"kernel/oneplus/msm8996"* ]] && [[ "$1" != *"kernel/xiaomi/msm8937"* ]]; then
      #If the option isn't present, add it enabled
      #(-z treats the whole file as one record so the presence test is file-wide; an option that
      # exists only as =m or =n is not rewritten above and would get a second, =y line appended here)
      sed -zi '/CONFIG_'"$option"'=y/!s/$/\nCONFIG_'"$option"'=y/' $defconfigPath &>/dev/null || true;
    fi;
  done
  #Disable supported options
  #debugging
  declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE");
  optionsNo+=("CHECKPOINT_RESTORE" "MEM_SOFT_DIRTY");
  optionsNo+=("CP_ACCESS64" "WLAN_FEATURE_MEMDUMP");
  optionsNo+=("DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "PROC_KCORE" "PROC_VMCORE" "X86_PTDUMP");
  optionsNo+=("HWPOISON_INJECT" "NOTIFIER_ERROR_INJECTION");
  optionsNo+=("INPUT_EVBUG");
  optionsNo+=("LOG_BUF_MAGIC");
  optionsNo+=("L2TP_DEBUGFS");
  optionsNo+=("PAGE_OWNER");
  optionsNo+=("TIMER_STATS" "ZSMALLOC_STAT");
  optionsNo+=("UPROBES");
  #optionsNo+=("SLUB_DEBUG" "SLUB_DEBUG_ON");
  #optionsNo+=("STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE"); #GCC only
  #optionsNo+=("MMIOTRACE" "MMIOTRACE_TEST");
  #optionsNo+=("IOMMU_DEBUG" "IOMMU_DEBUG_TRACKING" "IOMMU_NON_SECURE" "IOMMU_TESTS");
  #optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_KMEMLEAK" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "DEBUG_SPINLOCK");
  #if [[ $kernelVersion == "4."* ]] || [[ $kernelVersion == "5."* ]]; then
  # #optionsNo+=("DEBUG_FS");
  # optionsNo+=("FTRACE" "KPROBE_EVENTS" "UPROBE_EVENTS" "GENERIC_TRACER" "FUNCTION_TRACER" "STACK_TRACER" "HIST_TRIGGERS" "BLK_DEV_IO_TRACE" "FAIL_FUTEX" "DYNAMIC_DEBUG" "PREEMPT_TRACER");
  #fi;
  #if [[ "$1" != *"kernel/oneplus/sm8250"* ]]; then
  # optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "OF_CORESIGHT");
  #fi;
  #legacy
  optionsNo+=("BINFMT_AOUT" "BINFMT_MISC");
  optionsNo+=("COMPAT_BRK" "COMPAT_VDSO");
  optionsNo+=("LDISC_AUTOLOAD" "LEGACY_PTYS");
  optionsNo+=("MODIFY_LDT_SYSCALL");
  optionsNo+=("OABI_COMPAT");
  optionsNo+=("USELIB");
  optionsNo+=("X86_IOPL_IOPERM" "X86_VSYSCALL_EMULATION");
  #unnecessary
  optionsNo+=("BLK_DEV_FD" "BT_HS" "IO_URING" "IP_DCCP" "IP_SCTP" "VIDEO_VIVID" "FB_VIRTUAL" "RDS" "RDS_TCP");
  optionsNo+=("HIBERNATION");
  optionsNo+=("KEXEC" "KEXEC_FILE");
  optionsNo+=("UKSM");
  #KSM is disabled when it is off globally or when the version check above rejected it
  if [ "$DOS_USE_KSM" = false ] || [ "$ksmNotNeeded" = true ]; then optionsNo+=("KSM"); fi;
  optionsNo+=("LIVEPATCH");
  optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
  if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
  #unsafe
  optionsNo+=("GCC_PLUGIN_RANDSTRUCT_PERFORMANCE");
  optionsNo+=("HARDENED_USERCOPY_FALLBACK");
  optionsNo+=("SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS");
  if [ "$DOS_USE_KSM" = false ]; then optionsNo+=("SLAB_MERGE_DEFAULT"); fi;
  if [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then optionsNo+=("USERFAULTFD"); fi;
  #optionsNo+=("CFI_PERMISSIVE");
  #misc
  optionsNo+=("FB_MSM_MDSS_XLOG_DEBUG" "MSM_BUSPM_DEV" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG");
  optionsNo+=("NEEDS_SYSCALL_FOR_CMPXCHG");
  optionsNo+=("TSC" "TSPP2");
  #breakage
  optionsNo+=("HARDENED_USERCOPY_PAGESPAN");
  #optionsNo+=("IKCONFIG"); #breaks recovery
  #optionsNo+=("KALLSYMS"); #breaks boot on select devices
  #optionsNo+=("MAGIC_SYSRQ"); #breaks compile
  #optionsNo+=("MSM_DLOAD_MODE"); #breaks compile
  #optionsNo+=("MSM_SMP2P_TEST" "INET_DIAG");
  #optionsNo+=("PROC_PAGE_MONITOR"); #breaks memory stats
  #optionsNo+=("SCHED_DEBUG"); #breaks compile
  #The whole disable list is opt-in; without DOS_DEFCONFIG_DISABLER=true nothing below is written
  if [ "$DOS_DEFCONFIG_DISABLER" = true ]; then
    for option in "${optionsNo[@]}"
    do
      #If the option is enabled, disable it
      sed -i 's/CONFIG_'"$option"'=y/CONFIG_'"$option"'=n/' $defconfigPath &>/dev/null || true;
      #If the option isn't present, add it disabled
      sed -zi '/CONFIG_'"$option"'=n/!s/$/\nCONFIG_'"$option"'=n/' $defconfigPath &>/dev/null || true;
    done
  fi;

  #Extras
  #Raise mmap ASLR entropy (ARCH_MMAP_RND_BITS 8->16 and 18->24) and the minimum mmap address
  #(4096->32768); the -z seds append the min-addr lines when the defconfig has none at all
  sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true;
  sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;
  sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
  sed -zi '/CONFIG_DEFAULT_MMAP_MIN_ADDR/!s/$/\nCONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
  sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
  sed -zi '/CONFIG_LSM_MMAP_MIN_ADDR/!s/$/\nCONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
  #Stamp CONFIG_LOCALVERSION="-dos" (or "-oink" when DOS_SNET is true) so the hardened build is identifiable
  editKernelLocalversion "-dos";
  echo "Hardened defconfig for $1";
  cd "$DOS_BUILD_BASE";
}
#Export the function so it survives into subshells (declare -fx is the long form of export -f).
declare -fx hardenDefconfig;