DivestOS/Scripts/Common/Functions.sh

#!/bin/bash
#DivestOS: A privacy oriented Android distribution
#Copyright (c) 2017-2018 Divested Computing, Inc.
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program.  If not, see <https://www.gnu.org/licenses/>.

if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then
	echo -e "\e[0;33mWARNING: YOU HAVE ENABLED PATCHES THAT WHILE ARE OPEN SOURCE ARE ALSO ENCUMBERED BY RESTRICTIVE LICENSES\e[0m";
	echo -e "\e[0;33mPLEASE SEE THE 'LICENSES' FILE AT THE ROOT OF THIS REPOSITORY FOR MORE INFORMATION\e[0m";
	echo -e "\e[0;33mDISABLE THEM BY SETTING 'NON_COMMERCIAL_USE_PATCHES' TO 'false' IN 'Scripts/init.sh'\e[0m";
	sleep 15;
fi;

startPatcher() {
	#$cvePatcher must be set!
	java -jar "$cvePatcher" patch "$base" "$androidWorkspace""Patches/" "$cveScripts" "$1";
}
export -f startPatcher;

enter() {
	echo "================================================================================================"
	dir="$1";
	cd "$base$dir";
	echo "[ENTERING] $dir";
}
export -f enter;

enterAndClear() {
	enter "$1";
	gitReset;
}
export -f enterAndClear;

gitReset() {
	git add -A && git reset --hard;
}
export -f gitReset;

scanForMalware() {
	if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.cvd ]; then
		echo -e "\e[0;32mStarting a malware scan...\e[0m";
		excludes="--exclude-dir=\".git\" --exclude-dir=\".repo\"";
		scanQueue="$2";
		if [ "$1" = true ]; then
			if [ "$MALWARE_SCAN_SETTING" != "quick" ] || [ "$MALWARE_SCAN_SETTING" = "extra" ]; then
				scanQueue=$scanQueue" $base/frameworks $base/vendor";
			fi;
			if [ "$MALWARE_SCAN_SETTING" = "slow" ]; then
				scanQueue=$scanQueue"$base/external $base/prebuilts $base/toolchain $base/tools";
			fi;
			if [ "$MALWARE_SCAN_SETTING" = "full" ]; then
				scanQueue="$base";
			fi;
		fi;
		du -hsc "$scanQueue";
		/usr/bin/clamscan --recursive --detect-pua --infected "$excludes" "$scanQueue";
		clamscanExit="$?";
		if [ "$clamscanExit" -eq "1" ]; then
			echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
			echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";
			echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
			sleep 60;
		fi;
		if [ "$clamscanExit" -eq "0" ]; then
			echo -e "\e[0;32mNo malware found\e[0m";
		fi;
		if [ "$clamscanExit" -eq "2" ]; then
			echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
			echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";
			echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
			sleep 60;
		fi;
	else
		echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";
	fi;
}
export -f scanForMalware;

audit2allowCurrent() {
		adb shell dmesg | grep denied | audit2allow -p "$ANDROID_PRODUCT_OUT"/root/sepolicy;
}
export -f audit2allowCurrent;

audit2allowADB() {
	adb pull /sys/fs/selinux/policy;
	adb logcat -b all -d | audit2allow -p policy;
}
export -f audit2allowADB;

disableDexPreOpt() {
	cd "$base$1";
	if [ -f BoardConfig.mk ]; then
		sed -i "s/WITH_DEXPREOPT := true/WITH_DEXPREOPT := false/" BoardConfig.mk;
		echo "Disabled dexpreopt";
	fi;
	cd "$base";
}
export -f disableDexPreOpt;

compressRamdisks() {
	if [ -f BoardConfig.mk ]; then
		echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
		echo "Enabled ramdisk compression";
	fi;
}
export -f compressRamdisks;

enhanceLocation() {
	cd "$base$1";
	#Enable GLONASS
	if [ "$GLONASS_FORCED_ENABLE" = false ]; then
	sed -i 's/#A_GLONASS_POS_PROTOCOL_SELECT/A_GLONASS_POS_PROTOCOL_SELECT/' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
	sed -i 's/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
	sed -i 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|' overlay/frameworks/base/core/res/res/values-*/*.xml &>/dev/null || true;
	fi;
	#Recommended reading: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
	#XTRA: Only use specified URLs
	sed -i 's|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
	sed -i 's|#XTRA_SERVER|XTRA_SERVER|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
	#XTRA: Enable HTTPS
	sed -i 's|http://xtra|https://xtra|' overlay/frameworks/base/core/res/res/values-*/*.xml gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
	#XTRA: Use format version 3 if possible
	if grep -sq "XTRA_VERSION_CHECK" gps.conf gps/gps.conf configs/gps.conf; then #Using hardware/qcom/gps OR precompiled blob OR device specific implementation
		sed -i 's|XTRA_VERSION_CHECK=0|XTRA_VERSION_CHECK=1|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
		sed -i 's|xtra2.bin|xtra3grc.bin|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
	elif grep -sq "BOARD_VENDOR_QCOM_LOC_PDK_FEATURE_SET := true" BoardConfig.mk boards/*gps.mk; then
		if ! grep -sq "USE_DEVICE_SPECIFIC_LOC_API := true" BoardConfig.mk boards/*gps.mk; then
			if ! grep -sq "libloc" ./*proprietary*.txt; then #Using hardware/qcom/gps
				sed -i 's|xtra2.bin|xtra3grc.bin|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null || true;
			fi;
		fi;
	fi;
	echo "Enhanced location services for $1";
	cd "$base";
}
export -f enhanceLocation;

enableZram() {
	cd "$base$1";
	sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true;
	echo "Enabled zram for $1";
	cd "$base";
}
export -f enableZram;

enableForcedEncryption() {
	cd "$base$1";
	sed -i 's|encryptable=/|forceencrypt=/|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true;
	echo "Enabled forceencrypt for $1";
	cd "$base";
}
export -f enableForcedEncryption;

enableStrongEncryption() {
	cd "$base$1";
	if [ -f BoardConfig.mk ]; then
		echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
		echo "Enabled AES-256 encryption for $1";
	fi;
	cd "$base";
}
export -f enableStrongEncryption;

getDefconfig() {
	if ls arch/arm/configs/lineage*defconfig 1> /dev/null 2>&1; then
		defconfigPath="arch/arm/configs/lineage*defconfig";
	elif ls arch/arm64/configs/lineage*defconfig 1> /dev/null 2>&1; then
		defconfigPath="arch/arm64/configs/lineage*defconfig";
	else
		defconfigPath="arch/arm/configs/*defconfig arch/arm64/configs/*defconfig";
	fi;
	echo "$defconfigPath";
	#echo "Found defconfig at $defconfigPath"
}
export -f getDefconfig;

editKernelLocalversion() {
	defconfigPath=$(getDefconfig)
	sed -i 's/CONFIG_LOCALVERSION=".*"/CONFIG_LOCALVERSION="'"$1"'"/' "$defconfigPath" &>/dev/null || true;
}
export -f editKernelLocalversion;

hardenDefconfig() {
	cd "$base$1";

	#Attempts to enable/disable supported options to increase security
	#See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

	defconfigPath=$(getDefconfig)

	#Enable supported options
	#Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
	declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE")
	for option in "${optionsYes[@]}"
	do
		sed -i 's/# '"$option"' is not set/'"$option"'=y/' "$defconfigPath" &>/dev/null || true;
		#Some defconfigs are very minimal/not-autogenerated, so lets add the rest. Obviously most won't have any affect as they aren't supported.
		if [[ "$defconfigPath" == *"lineage"* ]]; then
			if ! grep -q "$option""=y" "$defconfigPath"; then
				echo "$option""=y" | tee -a "$defconfigPath" > /dev/null;
			fi;
		fi;
	done
	#Disable supported options
	#TODO: Disable earjack/uart debugger
	declare -a optionsNo=("CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_BINFMT_MISC" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_HIBERNATION" "CONFIG_INET_DIAG" "CONFIG_KEXEC" "CONFIG_LEGACY_PTYS" "CONFIG_MSM_BUSPM_DEV" "CONFIG_OABI_COMPAT" "CONFIG_PROC_KCORE" "CONFIG_PROC_VMCORE" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_WLAN_FEATURE_MEMDUMP")
	for option in "${optionsNo[@]}"
	do
		sed -i 's/'"$option"'=y/# '"$option"' is not set/' "$defconfigPath" &>/dev/null || true;
	done
	#Extras
	sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' "$defconfigPath" &>/dev/null || true;
	sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' "$defconfigPath" &>/dev/null || true;
	sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' "$defconfigPath" &>/dev/null || true;
	sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' "$defconfigPath" &>/dev/null || true;

	editKernelLocalversion "-dos";

	echo "Hardened defconfig for $1";
	cd "$base";
}
export -f hardenDefconfig;
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`#!/bin/bash`
			`#DivestOS: A privacy oriented Android distribution`
Going the distance... 2018-06-03 14:13:59 -04:00			`#Copyright (c) 2017-2018 Divested Computing, Inc.`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`#`
			`#This program is free software: you can redistribute it and/or modify`
			`#it under the terms of the GNU General Public License as published by`
			`#the Free Software Foundation, either version 3 of the License, or`
			`#(at your option) any later version.`
			`#`
			`#This program is distributed in the hope that it will be useful,`
			`#but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`#GNU General Public License for more details.`
			`#`
			`#You should have received a copy of the GNU General Public License`
			`#along with this program. If not, see <https://www.gnu.org/licenses/>.`

Add a warning when restricted patches are enabled 2018-04-23 18:18:09 -04:00			`if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then`
Misc tweaks 2018-06-03 08:24:23 -04:00			`echo -e "\e[0;33mWARNING: YOU HAVE ENABLED PATCHES THAT WHILE ARE OPEN SOURCE ARE ALSO ENCUMBERED BY RESTRICTIVE LICENSES\e[0m";`
Add a warning when restricted patches are enabled 2018-04-23 18:18:09 -04:00			`echo -e "\e[0;33mPLEASE SEE THE 'LICENSES' FILE AT THE ROOT OF THIS REPOSITORY FOR MORE INFORMATION\e[0m";`
Misc tweaks 2018-06-03 08:24:23 -04:00			`echo -e "\e[0;33mDISABLE THEM BY SETTING 'NON_COMMERCIAL_USE_PATCHES' TO 'false' IN 'Scripts/init.sh'\e[0m";`
Add a warning when restricted patches are enabled 2018-04-23 18:18:09 -04:00			`sleep 15;`
			`fi;`

Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`startPatcher() {`
			`#$cvePatcher must be set!`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`java -jar "$cvePatcher" patch "$base" "$androidWorkspace""Patches/" "$cveScripts" "$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f startPatcher;`

			`enter() {`
			`echo "================================================================================================"`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`dir="$1";`
			`cd "$base$dir";`
			`echo "[ENTERING] $dir";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f enter;`

			`enterAndClear() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`enter "$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`gitReset;`
			`}`
			`export -f enterAndClear;`

			`gitReset() {`
			`git add -A && git reset --hard;`
			`}`
			`export -f gitReset;`

Many changes - Add support to scan for malware in certain directories - 15.1: Add new device, griffin - Note deprecation status of various devices - Add a few blobs to the deblobber 2018-05-10 23:45:29 -04:00			`scanForMalware() {`
Further improve malware scanner 2018-05-11 06:15:29 -04:00			`if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.cvd ]; then`
			`echo -e "\e[0;32mStarting a malware scan...\e[0m";`
			`excludes="--exclude-dir=\".git\" --exclude-dir=\".repo\"";`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`scanQueue="$2";`
Further improve malware scanner 2018-05-11 06:15:29 -04:00			`if [ "$1" = true ]; then`
			`if [ "$MALWARE_SCAN_SETTING" != "quick" ] \|\| [ "$MALWARE_SCAN_SETTING" = "extra" ]; then`
			`scanQueue=$scanQueue" $base/frameworks $base/vendor";`
			`fi;`
			`if [ "$MALWARE_SCAN_SETTING" = "slow" ]; then`
			`scanQueue=$scanQueue"$base/external $base/prebuilts $base/toolchain $base/tools";`
			`fi;`
			`if [ "$MALWARE_SCAN_SETTING" = "full" ]; then`
			`scanQueue="$base";`
			`fi;`
Improve the malware scanner and enable by default 2018-05-11 02:50:52 -04:00			`fi;`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`du -hsc "$scanQueue";`
			`/usr/bin/clamscan --recursive --detect-pua --infected "$excludes" "$scanQueue";`
			`clamscanExit="$?";`
Many changes - Add support to scan for malware in certain directories - 15.1: Add new device, griffin - Note deprecation status of various devices - Add a few blobs to the deblobber 2018-05-10 23:45:29 -04:00			`if [ "$clamscanExit" -eq "1" ]; then`
			`echo -e "\e[0;31m----------------------------------------------------------------\e[0m";`
			`echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";`
			`echo -e "\e[0;31m----------------------------------------------------------------\e[0m";`
Improve the malware scanner and enable by default 2018-05-11 02:50:52 -04:00			`sleep 60;`
Many changes - Add support to scan for malware in certain directories - 15.1: Add new device, griffin - Note deprecation status of various devices - Add a few blobs to the deblobber 2018-05-10 23:45:29 -04:00			`fi;`
			`if [ "$clamscanExit" -eq "0" ]; then`
			`echo -e "\e[0;32mNo malware found\e[0m";`
Improve the malware scanner and enable by default 2018-05-11 02:50:52 -04:00			`fi;`
			`if [ "$clamscanExit" -eq "2" ]; then`
			`echo -e "\e[0;33m----------------------------------------------------------------\e[0m";`
			`echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";`
			`echo -e "\e[0;33m----------------------------------------------------------------\e[0m";`
			`sleep 60;`
Many changes - Add support to scan for malware in certain directories - 15.1: Add new device, griffin - Note deprecation status of various devices - Add a few blobs to the deblobber 2018-05-10 23:45:29 -04:00			`fi;`
			`else`
			`echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";`
			`fi;`
			`}`
			`export -f scanForMalware;`

Cleanup 2018-06-13 19:48:53 -04:00			`audit2allowCurrent() {`
			`adb shell dmesg \| grep denied \| audit2allow -p "$ANDROID_PRODUCT_OUT"/root/sepolicy;`
			`}`
			`export -f audit2allowCurrent;`

			`audit2allowADB() {`
			`adb pull /sys/fs/selinux/policy;`
			`adb logcat -b all -d \| audit2allow -p policy;`
			`}`
			`export -f audit2allowADB;`

Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`disableDexPreOpt() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`if [ -f BoardConfig.mk ]; then`
			`sed -i "s/WITH_DEXPREOPT := true/WITH_DEXPREOPT := false/" BoardConfig.mk;`
			`echo "Disabled dexpreopt";`
			`fi;`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f disableDexPreOpt;`

			`compressRamdisks() {`
			`if [ -f BoardConfig.mk ]; then`
			`echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;`
			`echo "Enabled ramdisk compression";`
			`fi;`
			`}`
			`export -f compressRamdisks;`

			`enhanceLocation() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`#Enable GLONASS`
Misc tweaks 2018-06-03 08:24:23 -04:00			`if [ "$GLONASS_FORCED_ENABLE" = false ]; then`
			`sed -i 's/#A_GLONASS_POS_PROTOCOL_SELECT/A_GLONASS_POS_PROTOCOL_SELECT/' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`sed -i 's/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`sed -i 's\|A_GLONASS_POS_PROTOCOL_SELECT=0.</item>\|A_GLONASS_POS_PROTOCOL_SELECT=15</item>\|' overlay/frameworks/base/core/res/res/values-/*.xml &>/dev/null \|\| true;`
			`fi;`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`#Recommended reading: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/`
			`#XTRA: Only use specified URLs`
			`sed -i 's\|XTRA_SERVER_QUERY=1\|XTRA_SERVER_QUERY=0\|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`sed -i 's\|#XTRA_SERVER\|XTRA_SERVER\|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`#XTRA: Enable HTTPS`
			`sed -i 's\|http://xtra\|https://xtra\|' overlay/frameworks/base/core/res/res/values-/.xml gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`#XTRA: Use format version 3 if possible`
			`if grep -sq "XTRA_VERSION_CHECK" gps.conf gps/gps.conf configs/gps.conf; then #Using hardware/qcom/gps OR precompiled blob OR device specific implementation`
			`sed -i 's\|XTRA_VERSION_CHECK=0\|XTRA_VERSION_CHECK=1\|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`sed -i 's\|xtra2.bin\|xtra3grc.bin\|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`elif grep -sq "BOARD_VENDOR_QCOM_LOC_PDK_FEATURE_SET := true" BoardConfig.mk boards/*gps.mk; then`
			`if ! grep -sq "USE_DEVICE_SPECIFIC_LOC_API := true" BoardConfig.mk boards/*gps.mk; then`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`if ! grep -sq "libloc" ./proprietary.txt; then #Using hardware/qcom/gps`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`sed -i 's\|xtra2.bin\|xtra3grc.bin\|' gps.conf gps/gps.conf configs/gps.conf &>/dev/null \|\| true;`
			`fi;`
			`fi;`
			`fi;`
			`echo "Enhanced location services for $1";`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f enhanceLocation;`

			`enableZram() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`sed -i 's\|#/dev/block/zram0\|/dev/block/zram0\|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null \|\| true;`
			`echo "Enabled zram for $1";`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f enableZram;`

			`enableForcedEncryption() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base$1";`
Many changes - Disable patches with restrictive licenses by default - Update LICENSE - Fixup the fix for F-Droid building - 15.1: Fix forceencrypt on mako - 15.1: Fix crashes when accessing factory reset and development settings menus on devices without support for factory reset protection or oem unlocking 2018-04-23 15:41:43 -04:00			`sed -i 's\|encryptable=/\|forceencrypt=/\|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null \|\| true;`
			`echo "Enabled forceencrypt for $1";`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f enableForcedEncryption;`

			`enableStrongEncryption() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`if [ -f BoardConfig.mk ]; then`
Revert "Strong AES patch changes" This reverts commit 60b85e10fed14c14fe3939cfc0dc42fe45dc2a6d. 2018-04-28 15:35:53 -04:00			`echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;`
			`echo "Enabled AES-256 encryption for $1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`fi;`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f enableStrongEncryption;`

			`getDefconfig() {`
			`if ls arch/arm/configs/lineage*defconfig 1> /dev/null 2>&1; then`
			`defconfigPath="arch/arm/configs/lineage*defconfig";`
			`elif ls arch/arm64/configs/lineage*defconfig 1> /dev/null 2>&1; then`
			`defconfigPath="arch/arm64/configs/lineage*defconfig";`
			`else`
			`defconfigPath="arch/arm/configs/defconfig arch/arm64/configs/defconfig";`
			`fi;`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`echo "$defconfigPath";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`#echo "Found defconfig at $defconfigPath"`
			`}`
			`export -f getDefconfig;`

			`editKernelLocalversion() {`
			`defconfigPath=$(getDefconfig)`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`sed -i 's/CONFIG_LOCALVERSION=".*"/CONFIG_LOCALVERSION="'"$1"'"/' "$defconfigPath" &>/dev/null \|\| true;`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f editKernelLocalversion;`

			`hardenDefconfig() {`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base$1";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00
			`#Attempts to enable/disable supported options to increase security`
			`#See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings`

			`defconfigPath=$(getDefconfig)`

			`#Enable supported options`
			`#Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)`
Cleanup 2018-06-13 19:48:53 -04:00			declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE")
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`for option in "${optionsYes[@]}"`
			`do`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`sed -i 's/# '"$option"' is not set/'"$option"'=y/' "$defconfigPath" &>/dev/null \|\| true;`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`#Some defconfigs are very minimal/not-autogenerated, so lets add the rest. Obviously most won't have any affect as they aren't supported.`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`if [[ "$defconfigPath" == "lineage" ]]; then`
			`if ! grep -q "$option""=y" "$defconfigPath"; then`
			`echo "$option""=y" \| tee -a "$defconfigPath" > /dev/null;`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`fi;`
			`fi;`
			`done`
			`#Disable supported options`
			`#TODO: Disable earjack/uart debugger`
Cleanup 2018-06-13 19:48:53 -04:00			`declare -a optionsNo=("CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_BINFMT_MISC" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_HIBERNATION" "CONFIG_INET_DIAG" "CONFIG_KEXEC" "CONFIG_LEGACY_PTYS" "CONFIG_MSM_BUSPM_DEV" "CONFIG_OABI_COMPAT" "CONFIG_PROC_KCORE" "CONFIG_PROC_VMCORE" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_WLAN_FEATURE_MEMDUMP")`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`for option in "${optionsNo[@]}"`
			`do`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`sed -i 's/'"$option"'=y/# '"$option"' is not set/' "$defconfigPath" &>/dev/null \|\| true;`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`done`
			`#Extras`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' "$defconfigPath" &>/dev/null \|\| true;`
			`sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' "$defconfigPath" &>/dev/null \|\| true;`
			`sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' "$defconfigPath" &>/dev/null \|\| true;`
			`sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' "$defconfigPath" &>/dev/null \|\| true;`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00
			`editKernelLocalversion "-dos";`

			`echo "Hardened defconfig for $1";`
Shellcheck mainly just double quoting 2018-06-23 00:21:48 -04:00			`cd "$base";`
Dramatically deduplicate scripts 2018-04-04 07:52:11 -04:00			`}`
			`export -f hardenDefconfig;`