#!/bin/bash
#DivestOS: A privacy focused mobile distribution
#Copyright (c) 2017-2022 Divested Computing Group
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program. If not, see <https://www.gnu.org/licenses/>.
umask 0022; #New files/dirs default to owner-writable, group/world read-only (the per-function umask calls below re-assert this)
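#######################################
# Runs the Java patcher over the workspace.
# Globals:   DOS_BINARY_PATCHER, DOS_BUILD_BASE, DOS_WORKSPACE_ROOT, DOS_SCRIPTS_CVES (read)
# Arguments: forwarded verbatim to the patcher (quoted, so a value containing spaces stays one argument)
# Returns:   the patcher's exit status
#######################################
startPatcher() {
  java -jar "$DOS_BINARY_PATCHER" patch workspace "$DOS_BUILD_BASE" "$DOS_WORKSPACE_ROOT" "Patches/Linux/" "$DOS_SCRIPTS_CVES" "$@";
}
export -f startPatcher;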
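#######################################
# Discards all local changes in every repo project, removes the build output and the
# DOS_PATCHED_FLAG marker, then re-syncs. Must be run from the workspace root
# (out and DOS_PATCHED_FLAG are relative paths).
# Arguments: $1 - "local" to sync without network access (repo --local-only)
# Returns:   status of the first failing step, else that of repo sync
#######################################
resetWorkspace() {
  umask 0022;
  #Declared unconditionally so a $noNetwork inherited from the environment cannot leak into repo sync
  local noNetwork="";
  if [[ "$1" == "local" ]]; then noNetwork="--local-only"; fi;
  repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync --jobs-network=6 --jobs-checkout=12 --force-sync --detach ${noNetwork:+"$noNetwork"};
}
export -f resetWorkspace;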
#######################################
# Entry point for patching the workspace: delegates to patchWorkspaceReal.
# Logging through tee is currently disabled (kept as the commented pipeline below).
#######################################
patchWorkspace() {
  #|& tee "$DOS_WORKSPACE_ROOT/Logs/patchWorkspace-$DOS_VERSION.log"
  patchWorkspaceReal
}
export -f patchWorkspace
#######################################
# For every repo project, sources Tag_Verifier.sh and runs verifyTagIfPlatform with the
# project name and path that `repo forall` exports (REPO_PROJECT, REPO_PATH).
# The command string is single-quoted here so those variables expand once per project
# inside repo forall, not in this shell.
# Globals:   DOS_WORKSPACE_ROOT (read)
#######################################
verifyAllPlatformTags() {
  repo forall -v -c 'sh -c "source $DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh && verifyTagIfPlatform $REPO_PROJECT $REPO_PATH"';
}
export -f verifyAllPlatformTags;
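#######################################
# Changes into a directory below the build tree, printing a colored status line.
# Globals:   DOS_BUILD_BASE (read)
# Arguments: $1 - path relative to DOS_BUILD_BASE
# Outputs:   a separator banner and [ENTERING]/[ENTERING FAILED] on stdout
# Returns:   0 after a successful cd, 1 if the directory is missing or cannot be entered
#######################################
enter() {
  echo "================================================================================================"
  local dir="$1";
  local dirReal="$DOS_BUILD_BASE/$dir";
  umask 0022;
  #The cd itself is checked too: an existing but unenterable directory used to report success
  if [ -d "$dirReal" ] && cd "$dirReal"; then
    echo -e "\e[0;32m[ENTERING] $dir\e[0m";
    return 0;
  else
    echo -e "\e[0;31m[ENTERING FAILED] $dir\e[0m";
    return 1;
  fi;
}
export -f enter;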
#######################################
# enter() the given directory and, only on success, hard-reset its git checkout.
# Arguments: $1 - path relative to DOS_BUILD_BASE
# Returns:   1 if enter failed (its own status), else gitReset's status
#######################################
enterAndClear() {
  enter "$1" && gitReset
}
export -f enterAndClear
#######################################
# Stages everything (untracked files included) and hard-resets to HEAD, so untracked
# files are discarded along with local modifications.
# Returns:   status of the failing git command, else 0
#######################################
gitReset() {
  git add --all && git reset --hard
}
export -f gitReset
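#######################################
# Applies one patch that already passed `git apply --check` (see applyPatch).
# A first line carrying a format-patch header date ("Mon Sep 17 00:00:00 2001" or
# "Thu Jan 1 00:00:00 1970") selects `git am` (keeps authorship); anything else is applied
# as a plain diff. With DOS_REFRESH_PATCHES=true, a patch living under DOS_PATCHES is
# re-exported from the new HEAD over the original file with a zeroed commit hash.
# Globals:   DOS_REFRESH_PATCHES, DOS_PATCHES (read)
# Arguments: $1 - patch path; all arguments are passed through to git (e.g. a trailing --3way)
# Returns:   status of the last git/echo command run
#######################################
applyPatchReal() {
  #local: both variables used to leak into the caller's scope
  local currentWorkingPatch="$1";
  local firstLine;
  firstLine=$(head -n1 "$currentWorkingPatch");
  if [[ "$firstLine" = *"Mon Sep 17 00:00:00 2001"* ]] || [[ "$firstLine" = *"Thu Jan 1 00:00:00 1970"* ]]; then
    if git am "$@"; then
      if [ "$DOS_REFRESH_PATCHES" = true ]; then
        #Unquoted RHS on purpose: prefix glob match against the patches directory
        if [[ "$currentWorkingPatch" == $DOS_PATCHES* ]]; then
          git format-patch -1 HEAD --zero-commit --no-signature --output="$currentWorkingPatch";
        fi;
      fi;
    fi;
  else
    git apply "$@";
    echo "Applying (as diff): $currentWorkingPatch";
  fi;
}
export -f applyPatchReal;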
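#######################################
# Applies a patch file to the current git checkout, trying the least invasive way that works:
# plain apply; skip if already applied (reverse check succeeds); otherwise a 3-way apply.
# Arguments: $1 - patch path; all arguments are passed through to git apply / applyPatchReal
# Outputs:   status lines on stdout; red error text if the patch is missing or cannot be applied
# Returns:   status of the last command run — the failure branches only print, so callers
#            cannot detect a failed patch from the return value
#######################################
applyPatch() {
  local currentWorkingPatch="$1";
  if [ -f "$currentWorkingPatch" ]; then
    if git apply --check "$@" &>/dev/null; then
      applyPatchReal "$@";
    elif git apply --reverse --check "$@" &>/dev/null; then
      echo "Already applied: $currentWorkingPatch";
    elif git apply --check "$@" --3way &>/dev/null; then
      applyPatchReal "$@" --3way;
      echo "Applied (as 3way): $currentWorkingPatch";
    else
      echo -e "\e[0;31mERROR: Cannot apply: $currentWorkingPatch\e[0m";
    fi;
  else
    echo -e "\e[0;31mERROR: Patch doesn't exist: $currentWorkingPatch\e[0m";
  fi;
}
export -f applyPatch;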
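#######################################
# Verifies every *.asc signature in a directory against the temporary keyring.
# `gpg --verify` exits 0 for a good signature from any key present in DOS_TMP_GNUPG
# (ownertrust is not consulted), so the keyring's contents define what is accepted here.
# A failed verification is loud (red text plus a 60s pause) but does not stop the caller.
# Globals:   DOS_TMP_GNUPG (read)
# Arguments: $1 - directory containing the files and their .asc signatures
# Outputs:   one status line per signature on stdout; a yellow warning if no keyring exists
#######################################
gpgVerifyDirectory() {
  local sig;
  if [ -r "$DOS_TMP_GNUPG/pubring.kbx" ]; then
    for sig in "$1"/*.asc; do
      #nullglob is not set: a directory with no .asc files used to "verify" the literal pattern and then sleep
      [ -e "$sig" ] || continue;
      if gpg --homedir "$DOS_TMP_GNUPG" --verify "$sig" &>/dev/null; then
        echo -e "\e[0;32mGPG Verified Successfully: $sig\e[0m";
      else
        echo -e "\e[0;31mWARNING: GPG Verification Failed: $sig\e[0m";
        sleep 60;
      fi;
    done;
  else
    echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $1 will not be performed!\e[0m";
  fi;
}
export -f gpgVerifyDirectory;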
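#######################################
# Runs clamscan over a set of paths and reports the verdict loudly.
# Globals:   DOS_MALWARE_SCAN_SETTING (quick|extra|slow|full, read), DOS_BUILD_BASE (read)
# Arguments: $1 - true to extend the queue with source trees according to DOS_MALWARE_SCAN_SETTING
#            $2... - paths to scan; each argument is one path (extra arguments used to be dropped)
# Outputs:   du summary and the clamscan report on stdout, then a colored verdict
# Returns:   0 — the verdict is printed, not returned, so callers cannot branch on it
#######################################
scanForMalware() {
  if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.c*d ]; then
    echo -e "\e[0;32mStarting a malware scan...\e[0m";
    #Arrays so clamscan gets each option/path as one argument. The former string form passed
    #the quote characters through literally (--exclude-dir=".git"), so the exclusion never matched.
    local excludes=(--exclude-dir='\.git' --exclude-dir='\.repo');
    local scanQueue=("${@:2}");
    if [ "$1" = true ]; then
      if [ "$DOS_MALWARE_SCAN_SETTING" != "quick" ] || [ "$DOS_MALWARE_SCAN_SETTING" = "extra" ]; then
        scanQueue+=("$DOS_BUILD_BASE/frameworks" "$DOS_BUILD_BASE/vendor");
      fi;
      if [ "$DOS_MALWARE_SCAN_SETTING" = "slow" ]; then
        scanQueue+=("$DOS_BUILD_BASE/external" "$DOS_BUILD_BASE/prebuilts" "$DOS_BUILD_BASE/toolchain" "$DOS_BUILD_BASE/tools");
      fi;
      if [ "$DOS_MALWARE_SCAN_SETTING" = "full" ]; then
        #full replaces the queue: the whole tree already covers everything queued above
        scanQueue=("$DOS_BUILD_BASE");
      fi;
    fi;
    du -hsc "${scanQueue[@]}";
    /usr/bin/clamscan --recursive --detect-pua --infected --allmatch --max-filesize=4000M --max-scansize=4000M "${excludes[@]}" "${scanQueue[@]}";
    local clamscanExit="$?";
    #clamscan exit codes: 0 clean, 1 something detected, 2 error
    if [ "$clamscanExit" -eq "1" ]; then
      echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
      echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";
      echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
      echo -e "\e[0;33mFalse positives such as the following are probably OK\e[0m";
      echo -e "\e[0;33mPUAs: Ewind, Mobidash\e[0m";
      echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
      sleep 60;
    fi;
    if [ "$clamscanExit" -eq "0" ]; then
      echo -e "\e[0;32mNo malware found\e[0m";
    fi;
    if [ "$clamscanExit" -eq "2" ]; then
      echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
      echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";
      echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
      sleep 60;
    fi;
  else
    echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";
  fi;
}
export -f scanForMalware;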
#######################################
# Renders a text label as a 512x128 PNG32 mask (transparent text on black) for the boot animation.
# Arguments: $1 - label text, $2 - font, $3 - output path
# NOTE(review): ImageMagick reads `label:@path` from a file — keep $1 to trusted branding text
#######################################
generateBootAnimationMask() {
  local labelText="$1" labelFont="$2" maskOutput="$3"
  convert -depth 8 -background black -fill transparent -font "$labelFont" -gravity center -size 512x128 label:"$labelText" "PNG32:$maskOutput"
}
export -f generateBootAnimationMask
#######################################
# Renders a 1024x128 mirrored gradient strip (PNG24) used as the boot animation shine.
# Arguments: $1 - color, $2 - ImageMagick gradient style (e.g. gradient/radial-gradient), $3 - output path
#######################################
generateBootAnimationShine() {
  local shineColor="$1" gradientStyle="$2" shineOutput="$3"
  #Mirror the gradient (+clone -flop, +append) so the colors are symmetrical and the loop shows no seam
  convert -depth 8 -size 1024x128 -define gradient:angle=90 "$gradientStyle":"$shineColor" \( +clone -flop \) +append "PNG24:$shineOutput"
}
export -f generateBootAnimationShine
#######################################
# Generates SELinux allow rules from the connected device's full logcat, checked against
# the policy of the current build output ($OUT/root/sepolicy).
# Globals:   OUT (read)
#######################################
audit2allowCurrent() {
  local builtPolicy="$OUT/root/sepolicy"
  adb logcat -b all -d | audit2allow -p "$builtPolicy"
}
export -f audit2allowCurrent
#######################################
# Like audit2allowCurrent, but against the policy pulled from the running device
# (saved as ./policy in the current directory).
#######################################
audit2allowADB() {
  local pulledPolicy="policy"
  adb pull /sys/fs/selinux/policy "$pulledPolicy"
  adb logcat -b all -d | audit2allow -p "$pulledPolicy"
}
export -f audit2allowADB
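#######################################
# Signs a built target-files package with the device's release keys and produces the release
# artifacts: signed target-files (+ .id), fastboot package (when applicable), full OTA,
# incremental OTAs against archived target-files, extracted signed recovery, sha512 checksums
# (optionally GPG clearsigned); then archives and optionally removes the build output.
# Reference (MIT): GrapheneOS https://github.com/GrapheneOS/script/blob/13/release.sh
# Globals:   DOS_SIGNING_KEYS, DOS_VERSION, DOS_BRANDING_ZIP_PREFIX, DOS_BUILDS, DOS_BUILD_BASE,
#            DOS_MALWARE_SCAN_BEFORE_SIGN, DOS_GENERATE_DELTAS, DOS_GPG_SIGNING, DOS_SIGNING_GPG,
#            DOS_GPG_SIGNING_KEY, DOS_AUTO_ARCHIVE_BUILDS, DOS_REMOVE_AFTER, DOS_REMOVE_AFTER_FULL (read)
# Arguments: $1 - device codename
#            $2 - anything but "false" enables --block OTAs
#            $3 - "verity" (Verified Boot 1.0), "avb" (Verified Boot 2.0), anything else for neither
# Outputs:   progress lines on stdout; artifacts under $OUT_DIR and, when archiving, $ARCHIVE
# Returns:   0; aborts via ${...:?} if DOS_BUILD_BASE/DEVICE are empty when removal is requested
#######################################
processRelease() {
  local DEVICE="$1";
  local BLOCK="$2";
  local VERITY="$3";

  local DATE=$(date -u '+%Y%m%d');
  local KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
  local VERSION=$(cut -f2 -d"-" <<<"$DOS_VERSION");
  local PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
  local ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
  local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";

  #On these branches the releasetools are invoked by bare name (presumably found on PATH);
  #older branches use the in-tree path
  local RELEASETOOLS_PREFIX="build/tools/releasetools/";
  if [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]] || [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
    RELEASETOOLS_PREFIX="";
  fi;

  #Declared up front so values inherited from the environment cannot leak into the
  #sign/ota command lines when the corresponding branch below is not taken
  local BLOCK_SWITCHES="";
  local VERITY_SWITCHES=();
  local APK_SWITCHES_EXTRA=();
  local APEX_SWITCHES=();

  umask 0022;
  echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";
  #Arguments
  if [ "$BLOCK" != false ]; then
    BLOCK_SWITCHES="--block";
  fi;
  if [[ "$VERITY" == "verity" ]]; then
    VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
                     --replace_verity_private_key "$KEY_DIR/verity" \
                     --replace_verity_keyid "$KEY_DIR/verity.x509.pem");
    echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
  elif [[ "$VERITY" == "avb" ]]; then
    VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096);
    echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA and NOCHAIN\e[0m";
  fi;

  #XXX: --extra_apks Bluetooth.apk="$KEY_DIR/bluetooth" \
  local APK_SWITCHES=(--extra_apks AdServicesApk.apk="$KEY_DIR/releasekey" \
                      --extra_apks HalfSheetUX.apk="$KEY_DIR/releasekey" \
                      --extra_apks OsuLogin.apk="$KEY_DIR/releasekey" \
                      --extra_apks SafetyCenterResources.apk="$KEY_DIR/releasekey" \
                      --extra_apks ServiceConnectivityResources.apk="$KEY_DIR/releasekey" \
                      --extra_apks ServiceUwbResources.apk="$KEY_DIR/releasekey" \
                      --extra_apks ServiceWifiResources.apk="$KEY_DIR/releasekey" \
                      --extra_apks WifiDialog.apk="$KEY_DIR/releasekey");
  if [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
    APK_SWITCHES_EXTRA=(--extra_apks Bluetooth.apk="$KEY_DIR/bluetooth");
  fi;
  if [[ "$DOS_VERSION" == "LineageOS-17.1" ]] || [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]] || [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
    #Every APEX is signed with releasekey (btservices with the bluetooth key) and its payload with the AVB key
    APEX_SWITCHES=(--extra_apks com.android.adbd.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.adbd.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.adservices.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.adservices.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.apex.cts.shim.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.apex.cts.shim.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.appsearch.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.appsearch.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.art.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.art.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.art.debug.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.art.debug.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.btservices.apex="$KEY_DIR/bluetooth" \
                   --extra_apex_payload_key com.android.btservices.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.cellbroadcast.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.cellbroadcast.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.compos.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.compos.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.conscrypt.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.conscrypt.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.extservices.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.extservices.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.i18n.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.i18n.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.ipsec.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.ipsec.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.media.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.media.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.media.swcodec.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.media.swcodec.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.mediaprovider.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.mediaprovider.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.neuralnetworks.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.neuralnetworks.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.ondevicepersonalization.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.ondevicepersonalization.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.os.statsd.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.os.statsd.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.permission.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.permission.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.resolv.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.resolv.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.runtime.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.runtime.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.scheduling.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.scheduling.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.sdkext.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.sdkext.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.tethering.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.tethering.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.tzdata.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.tzdata.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.uwb.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.uwb.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.virt.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.virt.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.vndk.current.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.vndk.current.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.wifi.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.wifi.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.google.pixel.camera.hal.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.google.pixel.camera.hal.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.vibrator.sunfish.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.vibrator.sunfish.apex="$KEY_DIR/avb.pem" \
                   --extra_apks com.android.vibrator.drv2624.apex="$KEY_DIR/releasekey" \
                   --extra_apex_payload_key com.android.vibrator.drv2624.apex="$KEY_DIR/avb.pem");
  fi;
  #Malware Scan
  if [ "$DOS_MALWARE_SCAN_BEFORE_SIGN" = true ]; then
    echo -e "\e[0;32mScanning files for malware before signing\e[0m";
    scanForMalware false "$OUT_DIR"/obj/PACKAGING/target_files_intermediates/*"$DEVICE"-target_files-*.zip;
  fi;
  #Target Files
  echo -e "\e[0;32mSigning target files\e[0m";
  "$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
    "${APK_SWITCHES[@]}" \
    "${APK_SWITCHES_EXTRA[@]}" \
    "${APEX_SWITCHES[@]}" \
    "${VERITY_SWITCHES[@]}" \
    "$OUT_DIR"/obj/PACKAGING/target_files_intermediates/*"$DEVICE"-target_files-*.zip \
    "$OUT_DIR/$PREFIX-target_files.zip";
  sha512sum "$OUT_DIR/$PREFIX-target_files.zip" > "$OUT_DIR/$PREFIX-target_files.zip.sha512sum";
  #The .id file records the incremental version (dots stripped) so later builds can find this package as a delta base
  local INCREMENTAL_ID=$(grep "ro.build.version.incremental" "$OUT_DIR/system/build.prop" | cut -f2 -d"=" | sed 's/\.//g');
  echo "$INCREMENTAL_ID" > "$OUT_DIR/$PREFIX-target_files.zip.id";
  #Image
  unzip -l "$OUT_DIR/$PREFIX-target_files.zip" | grep -q recovery.img;
  local hasRecoveryImg="$?";
  unzip -l "$OUT_DIR/$PREFIX-target_files.zip" | grep -q dtbo.img;
  local hasDtboImg="$?";
  #A fastboot package is produced when there is no recovery.img or when a dtbo.img is present
  if [ "$hasRecoveryImg" == "1" ] || [ "$hasDtboImg" == "0" ]; then
    echo -e "\e[0;32mCreating fastboot image\e[0m";
    "$RELEASETOOLS_PREFIX"img_from_target_files "$OUT_DIR/$PREFIX-target_files.zip" \
      "$OUT_DIR/$PREFIX-fastboot.zip";
    sha512sum "$OUT_DIR/$PREFIX-fastboot.zip" > "$OUT_DIR/$PREFIX-fastboot.zip.sha512sum";
  fi
  #OTA
  echo -e "\e[0;32mCreating OTA\e[0m";
  "$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -k "$KEY_DIR/releasekey" \
    "$OUT_DIR/$PREFIX-target_files.zip" \
    "$OUT_DIR/$PREFIX-ota.zip";
  sha512sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.sha512sum";
  #Deltas
  #grep update_engine Build/*/device/*/*/*.mk -l
  local DOS_GENERATE_DELTAS_DEVICES=('akari' 'akatsuki' 'alioth' 'Amber' 'aura' 'aurora' 'avicii' 'barbet' 'bluejay' 'blueline' 'bonito' 'bramble' 'cheetah' 'cheryl' 'coral' 'crosshatch' 'davinci' 'discovery' 'enchilada' 'fajita' 'flame' 'FP3' 'FP4' 'guacamole' 'guacamoleb' 'hotdog' 'hotdogb' 'instantnoodle' 'instantnoodlep' 'kebab' 'kirin' 'lemonade' 'lemonadep' 'lemonades' 'marlin' 'mata' 'mermaid' 'oriole' 'panther' 'pioneer' 'pro1' 'pro1x' 'raven' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'voyager' 'walleye' 'xz2c'); #TODO: check lmi/alioth/apollon
  #Exact, whole-token match against the list (the former substring regex also matched any
  #codename that happens to be a substring of a listed one)
  local DELTAS_DEVICE=false;
  if [[ " ${DOS_GENERATE_DELTAS_DEVICES[*]} " == *" $DEVICE "* ]]; then DELTAS_DEVICE=true; fi;
  if [ "$DOS_GENERATE_DELTAS" = true ]; then
    if [ "$DELTAS_DEVICE" = true ]; then
      for LAST_TARGET_FILES in "$ARCHIVE"/target_files/"$DOS_BRANDING_ZIP_PREFIX-$VERSION"-*-dos-"$DEVICE"-target_files.zip; do
        if [[ -f "$LAST_TARGET_FILES.id" ]]; then
          local LAST_INCREMENTAL_ID=$(cat "$LAST_TARGET_FILES.id");
          echo -e "\e[0;32mGenerating incremental OTA against $LAST_INCREMENTAL_ID\e[0m";
          #TODO: Verify GPG signature and checksum of previous target-files first!
          #Until then the archived package and its .id file are trusted exactly as found on disk
          "$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -t 8 -k "$KEY_DIR/releasekey" -i \
            "$LAST_TARGET_FILES" \
            "$OUT_DIR/$PREFIX-target_files.zip" \
            "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip";
          sha512sum "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip" > "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum";
        fi;
      done;
    fi;
  fi;

  #Extract signed recovery
  if [ "$hasRecoveryImg" == "0" ] && [ "$hasDtboImg" == "1" ]; then
    echo -e "\e[0;32mExtracting signed recovery.img\e[0m";
    mkdir -p "$OUT_DIR/rec_tmp";
    unzip "$OUT_DIR/$PREFIX-target_files.zip" "IMAGES/recovery.img" -d "$OUT_DIR/rec_tmp";
    mv "$OUT_DIR/rec_tmp/IMAGES/recovery.img" "$OUT_DIR/$PREFIX-recovery.img";
    sha512sum "$OUT_DIR/$PREFIX-recovery.img" > "$OUT_DIR/$PREFIX-recovery.img.sha512sum";
    rm -rf "$OUT_DIR/rec_tmp"; #scratch directory, not a release artifact
  fi;
  #File name fixes: checksum files must reference the published names, not the local paths
  sed -i "s|$OUT_DIR/||" "$OUT_DIR"/*.sha512sum;
  sed -i 's/-ota\././' "$OUT_DIR"/*.sha512sum;
  sed -i 's/-incremental_/-/' "$OUT_DIR"/*.sha512sum;

  #GPG signing
  if [ "$DOS_GPG_SIGNING" = true ]; then
    local checksum;
    for checksum in "$OUT_DIR"/*.sha512sum; do
      echo -e "\e[0;32mGPG signing $checksum\e[0m";
      if gpg --homedir "$DOS_SIGNING_GPG" --sign --local-user "$DOS_GPG_SIGNING_KEY" --clearsign "$checksum"; then
        mv -f "$checksum.asc" "$checksum"; #the clearsigned text replaces the plain checksum file
      fi;
    done;
  fi;
  pkill java && sleep 10; #XXX: ugly hack — kills every java process of this user, not just the signing tools
  #Copy to archive
  if [ "$DOS_AUTO_ARCHIVE_BUILDS" = true ]; then
    echo -e "\e[0;32mCopying files to archive\e[0m";
    mkdir -vp "$ARCHIVE";
    mkdir -vp "$ARCHIVE/target_files";
    mkdir -vp "$ARCHIVE/fastboot";
    mkdir -vp "$ARCHIVE/incrementals";

    cp -v "$OUT_DIR/$PREFIX"-ota.zip* "$ARCHIVE/" || true;
    rename -- "-ota." "." "$ARCHIVE/$PREFIX"-ota.zip*;
    if [ "$hasRecoveryImg" == "1" ] || [ "$hasDtboImg" == "0" ]; then cp -v "$OUT_DIR/$PREFIX"-fastboot.zip* "$ARCHIVE/fastboot/" || true; fi;
    if [ "$hasRecoveryImg" == "0" ] && [ "$hasDtboImg" == "1" ]; then cp -v "$OUT_DIR/$PREFIX"-recovery.img* "$ARCHIVE/" || true; fi;
    if [ "$DOS_GENERATE_DELTAS" = true ]; then
      if [ "$DELTAS_DEVICE" = true ]; then
        cp -v "$OUT_DIR/$PREFIX"-target_files.zip* "$ARCHIVE/target_files/" || true;
        cp -v "$OUT_DIR/$PREFIX"-incremental_*.zip* "$ARCHIVE/incrementals/" || true;
        rename -- "-incremental_" "-" "$ARCHIVE/incrementals/$PREFIX"-incremental_*.zip* || true;
      fi;
    fi;
    sync;
    #Remove to make space for next build
    if [ "$DOS_REMOVE_AFTER" = true ]; then
      echo -e "\e[0;32mRemoving to reclaim space\e[0m";
      #Sanity check before the recursive delete: never let the paths below degrade to /out/... because a variable is empty
      : "${DOS_BUILD_BASE:?DOS_BUILD_BASE must be set before removing build output}";
      : "${DEVICE:?device codename required before removing build output}";
      rm -rf --one-file-system "$OUT_DIR";
      if [ "$DOS_REMOVE_AFTER_FULL" = true ]; then rm -rf --one-file-system "$DOS_BUILD_BASE/out"; fi; #clobber entire workspace
      sync;
    fi;
  fi;
  sync;
  echo -e "\e[0;32mRelease processing complete\e[0m";
}
export -f processRelease;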
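#######################################
# Uploads a device's release artifacts to the download server with rsync.
# Run from the release directory (the source globs are relative); every transfer is
# best-effort (|| true), so a failed upload is only visible in rsync's own output.
# Arguments: $1 - device codename (quoted in the globs so it is never word-split)
#######################################
pushToServer() {
  #Examples
  local codename="$1";
  local remoteBase="root@divestos.org:/var/www/divestos.org/builds/LineageOS/$codename";
  local rsyncOpts=(-Pau --no-perms --no-owner --no-group);
  rsync "${rsyncOpts[@]}" incrementals/divested-*-dos-"$codename"-*.zip* "$remoteBase/incrementals/" || true;
  rsync "${rsyncOpts[@]}" divested-*-dos-"$codename".zip* "$remoteBase/" || true;
  rsync "${rsyncOpts[@]}" divested-*-dos-"$codename"-recovery.img "$remoteBase/" || true;
  rsync "${rsyncOpts[@]}" fastboot/divested-*-dos-"$codename"-*.zip* "$remoteBase/" || true;
}
export -f pushToServer;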
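#######################################
# Strips BUILD_FINGERPRINT and PRIVATE_BUILD_DESC lines from device lineage*.mk files so the
# build generates its own fingerprint instead of reusing the stock/vendor one.
# Run from the source root (searches ./device, depth 3). Requires gawk (-i inplace).
# Outputs:   a confirmation line on stdout
#######################################
removeBuildFingerprints() {
  #awk is exec'd directly: the former `sh -c "... {}"` interpolated each file name into a shell command string
  find device -maxdepth 3 -name "lineage*.mk" -type f -exec awk -i inplace '!/BUILD_FINGERPRINT/ && !/PRIVATE_BUILD_DESC/' {} \;
  echo "Removed stock build fingerprints";
}
export -f removeBuildFingerprints;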
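#######################################
# Deletes distrusted root CAs from the system CA store by their hashed file names.
# Globals:   DOS_BUILD_BASE (read); cwd is left at DOS_BUILD_BASE on success
# Returns:   1 if the CA directory cannot be entered (nothing is deleted), else 0
#######################################
removeUntrustedCerts() {
  #Without this guard a failed cd made the rm run in whatever the caller's cwd was
  cd "$DOS_BUILD_BASE/system/ca-certificates/files" || return 1;
  rm -fv 7c302982.0 c2c1704e.0 d0cddf45.0; #TrustCor
  rm -fv cb156124.0; #E-Tugra
  cd "$DOS_BUILD_BASE";
  echo "Removed untrusted certificate authorities";
}
export -f removeUntrustedCerts;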
#######################################
# Enables LZMA compression for the boot and recovery ramdisks by appending to BoardConfig.mk
# in the current directory. A missing BoardConfig.mk is silently skipped.
# Outputs:   a confirmation line on stdout when the flag was added
#######################################
compressRamdisks() {
  [[ -f BoardConfig.mk ]] || return 0
  printf '%s\n' "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk
  echo "Enabled ramdisk compression"
}
export -f compressRamdisks
#######################################
# Appends size-reducing build flags to BoardConfig.mk and device.mk in the current directory
# and switches any *.mk from the full phone product to the mini one.
# Outputs:   a confirmation line naming $PWD
#######################################
smallerSystem() {
  local boardFlag
  for boardFlag in "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" "EXCLUDE_SERIF_FONTS := true" "SMALLER_FONT_FOOTPRINT := true"; do
    printf '%s\n' "$boardFlag" >> BoardConfig.mk
  done
  #echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
  printf '%s\n' "PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := true" >> device.mk
  #Best-effort: no *.mk or no match is fine
  sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true
  echo "Set smaller system args for $PWD"
}
export -f smallerSystem
#######################################
# Drops sound-trigger (and optionally Dolby) lines from the QCOM audio-caf config makefiles.
# Each awk pass is best-effort (no matching files, or no gawk, is silently ignored).
# Globals:   DOS_DEBLOBBER_REMOVE_AUDIOFX (read)
# Outputs:   a confirmation line on stdout
#######################################
deblobAudio() {
  local pattern
  local patterns=('BOARD_SUPPORTS_SOUND_TRIGGER' 'android.hardware.soundtrigger')
  if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
    patterns+=('DOLBY_')
    #patterns+=('vendor.audio.dolby')
  fi
  for pattern in "${patterns[@]}"; do
    awk -i inplace "!/$pattern/" hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true
  done
  echo "Deblobbed audio!"
}
export -f deblobAudio
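#######################################
# Forces VoLTE availability on device trees whose overlay declares config_device_volte_available:
# appends persist.dbg.volte_avail_ovr=1 to vendor.prop (or else system.prop) when not already
# present, and a PRODUCT_PROPERTY_OVERRIDES entry to vendor_prop.mk. Re-running is a no-op.
# Globals:   DOS_BUILD_BASE (read); cwd is left at DOS_BUILD_BASE
# Arguments: $1 - device tree path relative to DOS_BUILD_BASE
# Returns:   1 if the device directory cannot be entered (nothing is modified),
#            else the status of the final cd back to DOS_BUILD_BASE
#######################################
volteOverride() {
  #Bail out if the cd fails: the relative appends below must never land in the caller's cwd
  cd "$DOS_BUILD_BASE/$1" || return 1;
  if grep -sq "config_device_volte_available" "overlay/frameworks/base/core/res/res/values/config.xml"; then
    if [ -f vendor.prop ] && ! grep -sq "volte_avail_ovr" "vendor.prop"; then
      echo -e 'persist.dbg.volte_avail_ovr=1' >> vendor.prop;
      echo "Set VoLTE override in vendor.prop for $1";
    elif [ -f system.prop ] && ! grep -sq "volte_avail_ovr" "system.prop"; then
      echo -e 'persist.dbg.volte_avail_ovr=1' >> system.prop;
      echo "Set VoLTE override in system.prop for $1";
    fi;
    if [ -f vendor_prop.mk ] && ! grep -sq "volte_avail_ovr" "vendor_prop.mk"; then
      #-e turns \n into line breaks and \\ into the Make line-continuation backslash
      echo -e '\nPRODUCT_PROPERTY_OVERRIDES += \\\n persist.dbg.volte_avail_ovr=1' >> vendor_prop.mk;
      echo "Set VoLTE override in vendor_prop.mk for $1";
    fi;
    #TODO: init/init*.cpp, device*.mk
  fi;
  cd "$DOS_BUILD_BASE";
}
export -f volteOverride;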
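#######################################
# Removes chipset serial-number access from the Qualcomm location stacks in the source tree.
# Run from the source root (searches ./device and ./hardware). The awk edits need gawk.
# Globals:   DOS_VERSION (read)
# Outputs:   a confirmation line on stdout
#######################################
hardenLocationSerials() {
  #Prevent Qualcomm location stack from sending chipset serial number
  #Devices using blob xtra-daemon (which Deblob.sh removes)
  #awk/sed are exec'd directly rather than via `sh -c "... {}"`, so file names are never interpolated into a shell string
  if [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then #20.0 has sysfs_soc_sensitive label
    find device -name "hal_gnss*.te" -type f -exec awk -i inplace '!/sysfs_soc/' {} \;
    find device -name "location.te" -type f -exec awk -i inplace '!/sysfs_soc/' {} \;
  fi;
  #Devices using source built libloc, these ones typically have broad /sys access
  ## Null out the User-Agent header
  find device hardware -name "LocEngAdapter.cpp" -type f -exec sed -i 's/userAgent, strlen(userAgent)/"-", 1/' {} \;
  ## Prevent reading the serial number
  find device hardware -name "LocEngAdapter.cpp" -type f -exec sed -i 's|soc0/serial_number|soc0/invalid|' {} \;
  echo "Removed serial number access to Qualcomm location stacks";
}
export -f hardenLocationSerials;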
hardenLocationConf( ) {
local gpsConfig = $1 ;
#Debugging: adb logcat -b all | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true; #Debug
#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 2|' "$gpsConfig" &> /dev/null || true; #Warning
#Enable GLONASS
if [ " $DOS_GPS_GLONASS_FORCED " = true ] ; then
sed -i 's/#A_GLONASS_POS_PROTOCOL_SELECT =/A_GLONASS_POS_PROTOCOL_SELECT =/' " $gpsConfig " & >/dev/null || true;
sed -i 's/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/' " $gpsConfig " & >/dev/null || true;
fi ;
#Change capabilities
sed -i 's|CAPABILITIES=.*|CAPABILITIES=0x13|' " $gpsConfig " & > /dev/null || true; #Disable MSA (privacy) and geofencing/ULP (both broken by deblobber)
sed -i 's|CAPABILITIES = .*|CAPABILITIES = 0x13|' " $gpsConfig " & > /dev/null || true;
sed -i 's/#SUPL_MODE=/SUPL_MODE=/' " $gpsConfig " & >/dev/null || true; #Uncomment
sed -i 's/#SUPL_MODE = /SUPL_MODE = /' " $gpsConfig " & >/dev/null || true;
sed -i 's/SUPL_MODE=$/SUPL_MODE=1/' " $gpsConfig " & >/dev/null || true; #Set to MSB if blank (to prevent MSA+MSB default)
sed -i 's/SUPL_MODE = $/SUPL_MODE = 1/' " $gpsConfig " & >/dev/null || true;
sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" " $gpsConfig " & > /dev/null || true; #Disable MSA (privacy)
sed -i "s|SUPL_MODE = 3|SUPL_MODE = 1|" " $gpsConfig " & > /dev/null || true;
sed -i 's/#LPP_PROFILE=/LPP_PROFILE=/' " $gpsConfig " & >/dev/null || true; #Uncomment
sed -i 's/#LPP_PROFILE = /LPP_PROFILE = /' " $gpsConfig " & >/dev/null || true;
sed -i "s|LPP_PROFILE=.*|LPP_PROFILE=0|" " $gpsConfig " & > /dev/null || true; #Disable LPP (privacy)
sed -i "s|LPP_PROFILE = .*|LPP_PROFILE = 0|" " $gpsConfig " & > /dev/null || true;
sed -i "s|LPPE_CP_TECHNOLOGY=.*|LPPE_CP_TECHNOLOGY=0|" " $gpsConfig " & > /dev/null || true;
sed -i "s|LPPE_CP_TECHNOLOGY = .*|LPPE_CP_TECHNOLOGY = 0|" " $gpsConfig " & > /dev/null || true;
sed -i "s|LPPE_UP_TECHNOLOGY=.*|LPPE_UP_TECHNOLOGY=0|" " $gpsConfig " & > /dev/null || true;
sed -i "s|LPPE_UP_TECHNOLOGY = .*|LPPE_UP_TECHNOLOGY = 0|" " $gpsConfig " & > /dev/null || true;
#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
sed -i 's/#SUPL_ES=/SUPL_ES=/' " $gpsConfig " & >/dev/null || true;
sed -i "s|SUPL_ES=0|SUPL_ES=1|" " $gpsConfig " & > /dev/null || true;
#Change servers
sed -i " s|SUPL_HOST=.*|SUPL_HOST= $DOS_GPS_SUPL_HOST | " " $gpsConfig " & > /dev/null || true;
sed -i " s|SUPL_HOST = .*|SUPL_HOST = $DOS_GPS_SUPL_HOST | " " $gpsConfig " & > /dev/null || true;
sed -i " s|NTP_SERVER=.*|NTP_SERVER= $DOS_GPS_NTP_SERVER | " " $gpsConfig " & > /dev/null || true;
sed -i " s|NTP_SERVER = .*|NTP_SERVER = $DOS_GPS_NTP_SERVER | " " $gpsConfig " & > /dev/null || true;
#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
#XTRA: Only use specified URLs
sed -i 's|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|' " $gpsConfig " & >/dev/null || true;
sed -i 's|XTRA_SERVER_QUERY = 1|XTRA_SERVER_QUERY = 0|' " $gpsConfig " & >/dev/null || true;
sed -i 's|#XTRA_SERVER|XTRA_SERVER|' " $gpsConfig " & >/dev/null || true;
#Switch gpsOneXtra to IZatCloud (invalid certificate)
sed -i '/xtrapath/!s|://xtra|://xtrapath|' " $gpsConfig " & >/dev/null || true;
sed -i 's|gpsonextra.net|izatcloud.net|' " $gpsConfig " & >/dev/null || true;
sed -i 's|xtrapath1|xtrapath4|' " $gpsConfig " & >/dev/null || true;
sed -i 's|xtrapath2|xtrapath5|' " $gpsConfig " & >/dev/null || true;
sed -i 's|xtrapath3|xtrapath6|' " $gpsConfig " & >/dev/null || true;
#Enable HTTPS (IZatCloud supports HTTPS)
sed -i 's|http://xtrapath|https://xtrapath|' " $gpsConfig " & >/dev/null || true;
sed -i 's|http://gllto|https://gllto|' " $gpsConfig " & >/dev/null || true;
echo " Enhanced location services for $gpsConfig " ;
}
export -f hardenLocationConf;
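hardenLocationFWB() {
	#Hardens GNSS/location settings that some devices ship as gps.conf-style
	#"KEY=value</item>" strings inside frameworks/base overlay XMLs, mirroring
	#what hardenLocationConf() does for a real gps.conf.
	#Arguments: $1 - device tree directory holding frameworks/base/core/res/res/values*/*.xml
	#Globals read: DOS_GPS_GLONASS_FORCED (true => force GLONASS protocol mask 15)
	#              DOS_GPS_NTP_SERVER (replacement NTP host; it is spliced into a
	#              sed expression delimited by '|', so it must not contain '|' or '&')
	#Returns 1 if no directory was given, 0 otherwise. Edits are best-effort:
	#sed failures (e.g. a device without such overlays) are deliberately ignored.
	local dir="$1";
	if [ -z "$dir" ]; then
		echo "hardenLocationFWB: no device directory given" >&2;
		return 1;
	fi;
	#Expand the overlay glob once. With no match the literal pattern is handed to
	#sed and the resulting error is swallowed, exactly as the per-edit passes did.
	local -a overlays=( "$dir"/frameworks/base/core/res/res/values*/*.xml );
	#Every edit is a line-local substitution, so running them as one ordered sed
	#script is equivalent to the former one-sed-per-edit passes.
	local -a edits=();
	#Enable GLONASS
	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
		edits+=(-e 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|');
	fi;
	#Change capabilities
	edits+=(-e 's|SUPL_MODE=3|SUPL_MODE=1|'); #Disable MSA (privacy)
	edits+=(-e 's|LPP_PROFILE=.*</item>|LPP_PROFILE=0</item>|'); #Disable LPP (privacy)
	edits+=(-e 's|LPPE_CP_TECHNOLOGY=.*</item>|LPPE_CP_TECHNOLOGY=0</item>|');
	edits+=(-e 's|LPPE_UP_TECHNOLOGY=.*</item>|LPPE_UP_TECHNOLOGY=0</item>|');
	#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
	edits+=(-e 's|SUPL_ES=0|SUPL_ES=1|');
	#Change servers
	edits+=(-e "s|NTP_SERVER=.*</item>|NTP_SERVER=$DOS_GPS_NTP_SERVER</item>|");
	#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
	#Switch gpsOneXtra to IZatCloud (invalid certificate)
	#Lines that already say xtrapath are left alone; others get ://xtra -> ://xtrapath
	edits+=(-e '/xtrapath/!s|://xtra|://xtrapath|');
	edits+=(-e 's|gpsonextra.net|izatcloud.net|');
	edits+=(-e 's|xtrapath1|xtrapath4|' -e 's|xtrapath2|xtrapath5|' -e 's|xtrapath3|xtrapath6|');
	#Enable HTTPS (IZatCloud supports HTTPS)
	#NOTE(review): https only protects the XTRA/gllto download if the device's
	#location stack actually validates the server certificate - confirm per device.
	edits+=(-e 's|http://xtrapath|https://xtrapath|' -e 's|http://gllto|https://gllto|');
	sed -i "${edits[@]}" "${overlays[@]}" &>/dev/null || true;
	echo "Enhanced location services for $dir";
}
export -f hardenLocationFWB;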
2018-04-04 07:52:11 -04:00
2018-09-12 13:43:05 -04:00
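hardenUserdata() {
	#Adjusts the fstab(s) of one device tree under $DOS_BUILD_BASE:
	#  - drops "latemount" from the /cache entry so SELinux contexts are restored
	#    after a /cache wipe (fixes the broken OTA updater and /recovery updater)
	#  - adds "discard" to the /data mount options where it is missing
	#  - turns "encryptable=" into "forceencrypt=" (Android's fstab flag that
	#    encrypts /data on first boot) except on the devices/version listed below
	#Arguments: $1 - device tree path relative to $DOS_BUILD_BASE
	#Globals read: DOS_BUILD_BASE, DOS_VERSION
	#Returns 1 if the device tree cannot be entered. Previously a failed cd left
	#the sed edits running against whatever directory happened to be current.
	cd "$DOS_BUILD_BASE/$1" || { echo "hardenUserdata: cannot enter $DOS_BUILD_BASE/$1" >&2; return 1; };
	#Collect the fstab files that actually exist (up to two directories deep)
	#instead of handing unmatched glob patterns to sed as literal file names.
	local -a fstabs=();
	local f;
	for f in *fstab* */*fstab* */*/*fstab*; do
		if [ -f "$f" ]; then fstabs+=("$f"); fi;
	done;
	if [ "${#fstabs[@]}" -gt 0 ]; then
		#Remove latemount to allow selinux contexts be restored upon /cache wipe
		#Fixes broken OTA updater and broken /recovery updater
		sed -i '/\/cache/s|latemount,||' "${fstabs[@]}";
		#TODO: Ensure: noatime,nosuid,nodev
		sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' "${fstabs[@]}";
		#tuna needs first boot to init, hdx-c has broken encryption
		if [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/amazon/hdx-common" ] && [ "$1" != "device/motorola/athene" ] && [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then
			sed -i 's|encryptable=/|forceencrypt=/|' "${fstabs[@]}";
		fi;
	fi;
	echo "Hardened /data for $1";
	cd "$DOS_BUILD_BASE";
}
export -f hardenUserdata;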
2018-04-04 07:52:11 -04:00
2022-03-31 20:27:25 -04:00
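enableAutoVarInit() {
	#Turns on Clang automatic variable initialisation (-ftrivial-auto-var-init=zero)
	#for the kernels listed below, either by applying GrapheneOS' auto_var_init
	#patch or by switching an existing =pattern flag in the Makefile to =zero.
	#Kernels that already ship INIT_STACK_ALL_ZERO are deliberately not listed.
	#Globals read: DOS_BUILD_BASE, DOS_PATCHES_COMMON
	#Outputs one status line per kernel present in the tree; always returns 0.
	#Candidates: grep TARGET_KERNEL_CLANG_COMPILE Build/*/device/*/*/*.mk -l
	#but exclude: grep INIT_STACK_ALL_ZERO Build/*/kernel/*/*/security/Kconfig.hardening -l
	#already supported: fairphone/sm7225, fxtec/sm6115, google/bluejay, google/gs101, google/gs201, google/msm-4.14, google/raviole, google/redbull, oneplus/sm8250, oneplus/sm8350
	local -a DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'samsung/exynos9810' 'samsung/universal9810' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/vayu' 'xiaomi/sm8250' 'zuk/msm8996');
	local patch="$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch";
	local kernel;
	cd "$DOS_BUILD_BASE";
	echo "auto-var-init: Starting!";
	for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"; do
		#Kernels not checked out in this tree are skipped silently
		[ -d "$DOS_BUILD_BASE/kernel/$kernel" ] || continue;
		cd "$DOS_BUILD_BASE/kernel/$kernel" || { echo "auto-var-init: Could not enter $kernel"; continue; };
		if git apply --check "$patch" &>/dev/null; then
			if git apply "$patch" &>/dev/null; then #(GrapheneOS)
				echo "auto-var-init: Enabled for $kernel";
			else
				echo "auto-var-init: Failed to enable for $kernel";
			fi;
		elif git apply --check --reverse "$patch" &>/dev/null; then
			echo "auto-var-init: Already enabled for $kernel";
		elif grep -q "trivial-auto-var-init=pattern" Makefile; then
			#(GrapheneOS) zero-init instead of pattern-init. The extra -enable-... flag is
			#what older Clang demanded before accepting =zero; newer Clang reportedly no
			#longer needs (or knows) it - verify against the toolchain actually in use.
			sed -i 's/ftrivial-auto-var-init=pattern/ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang/' Makefile;
			if grep -q "trivial-auto-var-init=pattern" Makefile; then
				echo "auto-var-init: Failed to switch from pattern to zero on $kernel";
			else
				echo "auto-var-init: Switched from pattern to zero on $kernel";
			fi;
		elif grep -q "trivial-auto-var-init=zero" Makefile; then
			echo "auto-var-init: Already enabled for $kernel";
		else
			echo "auto-var-init: Could not enable for $kernel";
		fi;
	done;
	echo "auto-var-init: Finished!";
	cd "$DOS_BUILD_BASE";
}
export -f enableAutoVarInit;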
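updateRegDb() {
	#Refreshes the in-kernel wireless regulatory database of one kernel tree.
	#Currently a no-op that only reports: the newest db.txt cannot be used
	#because of differing flags, so the copy below is commented out.
	#Arguments: $1 - kernel tree path relative to $DOS_BUILD_BASE
	#Globals read: DOS_BUILD_BASE (and DOS_PATCHES_COMMON once the copy is re-enabled)
	#Returns 1 if the kernel tree cannot be entered.
	#The md5sum below only fingerprints which version of genregdb.awk the tree
	#carries (md5sum Build/*/kernel/*/*/net/wireless/genregdb.awk | sort);
	#it is a version check, not an integrity check of the database.
	cd "$DOS_BUILD_BASE/$1" || { echo "regdb: cannot enter $DOS_BUILD_BASE/$1" >&2; return 1; };
	if echo "d9ef5910b573c634fa7845bb6511ba89 net/wireless/genregdb.awk" | md5sum --check --quiet &>/dev/null; then
		#cp "$DOS_PATCHES_COMMON/wireless-regdb/db.txt" "net/wireless/db.txt";
		#echo "regdb: updated for $1";
		echo "regdb: skipping regdb update for $1";
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f updateRegDb;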
fixupCarrierConfigs() {
	#Removes carrier-imposed restrictions and per-carrier location (LPP) settings
	#from the CarrierConfig XMLs in the tree: the platform's bundled assets plus
	#the per-device vendor.xml overlays matched by the globs below.
	#Globals read: DOS_BUILD_BASE
	#Runs from $DOS_BUILD_BASE. $pathsToFixup is intentionally left unquoted so
	#the globs expand; unmatched patterns reach sed/perl as literal names and
	#only produce "No such file" noise on stderr.
	cd "$DOS_BUILD_BASE";
	local pathsToFixup="packages/apps/CarrierConfig/assets/*.xml device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml device/*/*/overlay/CarrierConfigResCommon/res/xml/vendor.xml device/*/*/rro_overlays/CarrierConfigOverlay/res/xml/vendor.xml";
	#Things we don't want
	#Reference (BSD-3-Clause): https://github.com/GrapheneOS/carriersettings-extractor/blob/13/carriersettings_extractor.py
	#Single-line keys: the APN editing/visibility locks, the flag hiding the 2G
	#toggle (presumably so the user keeps that control - confirm) and the
	#per-carrier LPP profile settings. Each is an ERE alternative; any line
	#mentioning one of them is deleted outright.
	local ccLines="allow_adding_apns_bool|apn_expand_bool|hide_ims_apn_bool|hide_preset_apn_details_bool|hide_enable_2g_bool|gps.lpp_profile|gps.persist_lpp_mode_bool";
	sed -i -E "/($ccLines)/d" $pathsToFixup;
	#Read-only APN field/type arrays are removed in two steps:
	local ccArrays="read_only_apn_fields_string_array|read_only_apn_types_string_array";
	#1. empty arrays written on one line (num="0") are deleted by sed, because
	#   the perl pattern below would otherwise run from such a self-closing tag
	#   to the next </string-array> and swallow the following element too
	sed -i -E "/("$ccArrays").*num=\"0\"/d" $pathsToFixup; #ugly hack because next line is very greedy
	#2. multi-line arrays: slurp each file (-0777) and blank every
	#   <string-array>...</string-array> element whose text matches $ccArrays.
	#   $ccArrays is spliced into the perl regex by the shell, so keep it a
	#   constant - never feed it externally supplied text.
	perl -0777 -pe 's,(<string-array.*?>.*?</string-array>),$1 =~ /'$ccArrays'/?"":$1,gse' -i $pathsToFixup; #Credit: https://unix.stackexchange.com/a/72160
	#Drop the empty lines the deletions leave behind (two passes)
	sed -i "/^$/d" $pathsToFixup;
	sed -i "/^$/d" $pathsToFixup;
	#sed -i '/^[[:space:]]*$/d' *.xml;
	cd "$DOS_BUILD_BASE";
}
export -f fixupCarrierConfigs;
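disableEnforceRRO() {
	#Removes PRODUCT_ENFORCE_RRO_TARGETS settings from a device tree's *.mk files:
	#lines assigning framework-res, lines assigning "*", and a backslash-continued
	#assignment together with the line that follows it.
	#Arguments: $1 - device tree path relative to $DOS_BUILD_BASE
	#Returns 1 if the device tree cannot be entered (previously a failed cd left
	#the edits running in whatever directory was current).
	cd "$DOS_BUILD_BASE/$1" || { echo "disableEnforceRRO: cannot enter $DOS_BUILD_BASE/$1" >&2; return 1; };
	local -a mkFiles=();
	local f;
	for f in *.mk; do
		if [ -f "$f" ]; then mkFiles+=("$f"); fi;
	done;
	if [ "${#mkFiles[@]}" -gt 0 ]; then
		#All three edits are line deletions, so sed (already required for the
		#range delete) replaces gawk's -i inplace, which other awks do not have.
		#".=" matches both ":=" and "+=". Three passes are kept on purpose: the
		#",+1" range below must see the file as left by the first two deletions.
		sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= framework-res/d' "${mkFiles[@]}";
		sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= \*/d' "${mkFiles[@]}";
		sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= \\/,+1 d' "${mkFiles[@]}";
	fi;
	echo "Disabled enforced RRO for $1";
	cd "$DOS_BUILD_BASE";
}
export -f disableEnforceRRO;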
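disableAPEX() {
	#Removes APEX (updatable module image) support from a device tree's *.mk
	#files by dropping the DEXPREOPT_GENERATE_APEX_IMAGE and updatable_apex.mk
	#lines. Tensor Pixels (gs101/gs201 and their codenames) are skipped: per the
	#commit that added the exception, APEX is needed there for the camera and pKVM.
	#Arguments: $1 - device tree path relative to $DOS_BUILD_BASE
	#Returns 1 if the device tree cannot be entered.
	cd "$DOS_BUILD_BASE/$1" || { echo "disableAPEX: cannot enter $DOS_BUILD_BASE/$1" >&2; return 1; };
	case "$1" in
		*device/google/gs101*|*device/google/gs201*|*device/google/oriole*|*device/google/raven*|*device/google/raviole*|*device/google/bluejay*|*device/google/panther*|*device/google/cheetah*|*device/google/pantah*)
			echo "Skipped disabling APEX for $1";
			;;
		*)
			local -a mkFiles=();
			local f;
			for f in *.mk; do
				if [ -f "$f" ]; then mkFiles+=("$f"); fi;
			done;
			if [ "${#mkFiles[@]}" -gt 0 ]; then
				#Plain line deletions: sed instead of the gawk-only "awk -i inplace"
				sed -i -e '/DEXPREOPT_GENERATE_APEX_IMAGE/d' -e '/updatable_apex.mk/d' "${mkFiles[@]}";
			fi;
			echo "Disabled APEX for $1";
			;;
	esac;
	cd "$DOS_BUILD_BASE";
}
export -f disableAPEX;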
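includeOE() {
	#Adds the OpenEUICC package to a device tree whose device.mk or
	#device-lineage.mk already references euicc.xml (presumably the eSIM feature
	#declaration - confirm).
	#Skip: Pixel 2 series (only supports Google Fi), Pixel 3/a series (broken on 20.0)
	#Arguments: $1 - device tree path relative to $DOS_BUILD_BASE
	#Returns 1 if the device tree cannot be entered. Idempotent: a makefile that
	#already lists OpenEUICC is not appended to again.
	cd "$DOS_BUILD_BASE/$1" || { echo "includeOE: cannot enter $DOS_BUILD_BASE/$1" >&2; return 1; };
	case "$1" in
		*device/google/bonito*|*device/google/crosshatch*|*device/google/wahoo*)
			;; #skipped, see above
		*)
			local mk;
			for mk in device.mk device-lineage.mk; do
				if [ -f "$mk" ] && grep -sq "euicc.xml" "$mk"; then
					if ! grep -sq "OpenEUICC" "$mk"; then
						#Same bytes the former echo -e produced: a blank line, then the assignment
						printf '\nPRODUCT_PACKAGES += OpenEUICC\n' >> "$mk";
					fi;
					echo "Enabled OpenEUICC inclusion for $1";
				fi;
			done;
			;;
	esac;
	cd "$DOS_BUILD_BASE";
}
export -f includeOE;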
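enableStrongEncryption() {
	#Appends "TARGET_WANTS_STRONG_ENCRYPTION := true" to a device's BoardConfig.mk.
	#The project labels this AES-256 encryption; the flag is consumed by the
	#platform build, not by this script, so confirm its effect for the Android
	#version being built.
	#Arguments: $1 - device tree path relative to $DOS_BUILD_BASE
	#Returns 1 if the device tree cannot be entered. Idempotent: the line is not
	#appended a second time when it is already present.
	cd "$DOS_BUILD_BASE/$1" || { echo "enableStrongEncryption: cannot enter $DOS_BUILD_BASE/$1" >&2; return 1; };
	if [ -f BoardConfig.mk ]; then
		if ! grep -q '^TARGET_WANTS_STRONG_ENCRYPTION := true' BoardConfig.mk; then
			echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
		fi;
		echo "Enabled AES-256 encryption for $1";
	fi;
	cd "$DOS_BUILD_BASE";
}
export -f enableStrongEncryption;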
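addAdbKey() {
	#Copies the build host's ADB public key (~/.android/adbkey.pub) into the
	#vendor tree and registers it through PRODUCT_ADB_KEYS in divestos.mk.
	#SECURITY NOTE: this bakes the build host's adb key into every image built
	#from this tree, so that host is trusted by the device without the usual
	#on-device authorisation prompt (in AOSP, PRODUCT_ADB_KEYS is installed as the
	#image's adb_keys file - confirm for the branch in use). Only run this for
	#builds you flash yourself, and keep the matching private key
	#(~/.android/adbkey) protected; do not run it on shared build infrastructure.
	#Globals read: HOME, DOS_BUILD_BASE
	#Returns 0 (doing nothing) when no key exists, 1 when the key cannot be
	#copied - in which case divestos.mk is left untouched so the build does not
	#reference a missing vendor/divested/adbkey.pub.
	local key="$HOME/.android/adbkey.pub";
	local vendorDir="$DOS_BUILD_BASE/vendor/divested";
	local mk="$vendorDir/divestos.mk";
	if [ ! -f "$key" ]; then
		return 0;
	fi;
	if ! cp "$key" "$vendorDir/"; then
		echo "addAdbKey: could not copy $key into $vendorDir" >&2;
		return 1;
	fi;
	#Idempotent: repeated runs must not stack duplicate PRODUCT_ADB_KEYS lines
	if ! grep -sq '^PRODUCT_ADB_KEYS := vendor/divested/adbkey.pub' "$mk"; then
		echo "PRODUCT_ADB_KEYS := vendor/divested/adbkey.pub" >> "$mk";
	fi;
}
export -f addAdbKey;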
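changeDefaultDNS() {
	#Replaces the hard-coded Google DNS fallbacks (8.8.8.8 / 8.8.4.4 / 4.4.4.4,
	#their IPv6 forms and the 0x08080808L literal) in the listed platform sources
	#with the resolver selected by DOS_DEFAULT_DNS_PRESET.
	#Globals read: DOS_DEFAULT_DNS_PRESET (one of the preset names in the case below)
	#The file list is relative to the current directory, which is expected to be
	#$DOS_BUILD_BASE - TODO confirm all callers cd there first.
	#Returns 1 without touching any file when the preset is unset or unknown.
	#Previously an unset or unknown preset still ran the substitutions with empty
	#replacement strings, i.e. it deleted the addresses from the sources.
	local dnsHex="";
	local dnsPrimary="";
	local dnsPrimaryV6="";
	local dnsSecondary="";
	local dnsSecondaryV6="";
	if [ -z "$DOS_DEFAULT_DNS_PRESET" ]; then
		echo "You must first set a preset via the DOS_DEFAULT_DNS_PRESET variable in init.sh!" >&2;
		return 1;
	fi;
	#dnsHex is the packed big-endian form of dnsPrimary as a Java long literal
	#(e.g. 0x09090909L for 9.9.9.9), replacing sources that hard-code 0x08080808L.
	case "$DOS_DEFAULT_DNS_PRESET" in
		AdGuard) #https://adguard.com/en/adguard-dns/overview.html
			dnsHex="0xb0678282L"; dnsPrimary="176.103.130.130"; dnsPrimaryV6="2a00:5a60::ad1:0ff"; dnsSecondary="176.103.130.131"; dnsSecondaryV6="2a00:5a60::ad2:0ff";;
		AdGuard-NOBL) #https://adguard.com/en/adguard-dns/overview.html
			dnsHex="0xb0678288L"; dnsPrimary="176.103.130.136"; dnsPrimaryV6="2a00:5a60::01:ff"; dnsSecondary="176.103.130.137"; dnsSecondaryV6="2a00:5a60::02:ff";;
		CensurfriDNS) #https://uncensoreddns.org
			dnsHex="0x5bef6464L"; dnsPrimary="91.239.100.100"; dnsPrimaryV6="2001:67c:28a4::"; dnsSecondary="89.233.43.71"; dnsSecondaryV6="2a01:3a0:53:53::";;
		Cloudflare) #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
			dnsHex="0x01000001L"; dnsPrimary="1.0.0.1"; dnsPrimaryV6="2606:4700:4700::1001"; dnsSecondary="1.1.1.1"; dnsSecondaryV6="2606:4700:4700::1111";;
		Cloudflare-BL) #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
			dnsHex="0x01000002L"; dnsPrimary="1.0.0.2"; dnsPrimaryV6="2606:4700:4700::1002"; dnsSecondary="1.1.1.2"; dnsSecondaryV6="2606:4700:4700::1112";;
		DNSWATCH) #https://dns.watch
			dnsHex="0x54c84550L"; dnsPrimary="84.200.69.80"; dnsPrimaryV6="2001:1608:10:25::1c04:b12f"; dnsSecondary="84.200.70.40"; dnsSecondaryV6="2001:1608:10:25::9249:d69b";;
		Google) #https://developers.google.com/speed/public-dns/privacy
			dnsHex="0x08080808L"; dnsPrimary="8.8.8.8"; dnsPrimaryV6="2001:4860:4860::8888"; dnsSecondary="8.8.4.4"; dnsSecondaryV6="2001:4860:4860::8844";;
		Neustar) #https://www.security.neustar/digital-performance/dns-services/recursive-dns
			dnsHex="0x9c9a4602L"; dnsPrimary="156.154.70.2"; dnsPrimaryV6="2610:a1:1018::2"; dnsSecondary="156.154.71.2"; dnsSecondaryV6="2610:a1:1019::2";;
		Neustar-NOBL) #https://www.security.neustar/digital-performance/dns-services/recursive-dns
			dnsHex="0x9c9a4605L"; dnsPrimary="156.154.70.5"; dnsPrimaryV6="2610:a1:1018::5"; dnsSecondary="156.154.71.5"; dnsSecondaryV6="2610:a1:1019::5";;
		OpenDNS) #https://www.cisco.com/c/en/us/about/legal/privacy-full.html
			dnsHex="0xd043dedeL"; dnsPrimary="208.67.222.222"; dnsPrimaryV6="2620:0:ccc::2"; dnsSecondary="208.67.220.220"; dnsSecondaryV6="2620:0:ccd::2";;
		Quad9) #https://www.quad9.net/privacy
			dnsHex="0x09090909L"; dnsPrimary="9.9.9.9"; dnsPrimaryV6="2620:fe::fe"; dnsSecondary="149.112.112.112"; dnsSecondaryV6="2620:fe::9";;
		Quad9-EDNS) #https://www.quad9.net/privacy
			dnsHex="0x0909090bL"; dnsPrimary="9.9.9.11"; dnsPrimaryV6="2620:fe::11"; dnsSecondary="149.112.112.11"; dnsSecondaryV6="2620:fe::fe:11";;
		Quad9-NOBL) #https://www.quad9.net/privacy
			dnsHex="0x0909090aL"; dnsPrimary="9.9.9.10"; dnsPrimaryV6="2620:fe::10"; dnsSecondary="149.112.112.10"; dnsSecondaryV6="2620:fe::fe:10";;
		Verisign) #https://www.verisign.com/en_US/security-services/public-dns/terms-of-service/index.xhtml
			dnsHex="0x40064006L"; dnsPrimary="64.6.64.6"; dnsPrimaryV6="2620:74:1b::1:1"; dnsSecondary="64.6.65.6"; dnsSecondaryV6="2620:74:1c::2:2";;
		Yandex) #https://dns.yandex.com/advanced
			dnsHex="0x4d580858L"; dnsPrimary="77.88.8.88"; dnsPrimaryV6="2a02:6b8::feed:bad"; dnsSecondary="77.88.8.2"; dnsSecondaryV6="2a02:6b8:0:1::feed:bad";;
		Yandex-NOBL) #https://dns.yandex.com/advanced
			dnsHex="0x4d580808L"; dnsPrimary="77.88.8.8"; dnsPrimaryV6="2a02:6b8::feed:0ff"; dnsSecondary="77.88.8.1"; dnsSecondaryV6="2a02:6b8:0:1::feed:0ff";;
		*)
			echo "changeDefaultDNS: unknown DOS_DEFAULT_DNS_PRESET '$DOS_DEFAULT_DNS_PRESET'" >&2;
			return 1;;
	esac;
	local files="bionic/libc/dns/net/getaddrinfo.c frameworks/base/core/java/android/net/util/DnsUtils.java frameworks/base/core/java/com/android/internal/net/VpnProfile.java frameworks/base/core/res/res/values/config.xml frameworks/base/packages/SettingsLib/res/values/strings.xml frameworks/base/packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java frameworks/base/services/core/java/com/android/server/connectivity/NetworkDiagnostics.java frameworks/base/services/core/java/com/android/server/connectivity/Tethering.java frameworks/base/services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java frameworks/base/services/java/com/android/server/connectivity/Tethering.java packages/apps/Dialer/java/com/android/voicemail/impl/sync/VvmNetworkRequestCallback.java packages/modules/Connectivity/framework/src/android/net/util/DnsUtils.java packages/modules/Connectivity/service/native/libs/libclat/clatutils_test.cpp packages/modules/Connectivity/service/ServiceConnectivityResources/res/values/config.xml packages/modules/Connectivity/service/src/com/android/server/connectivity/ClatCoordinator.java packages/modules/Connectivity/service/src/com/android/server/connectivity/NetworkDiagnostics.java packages/modules/Connectivity/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java packages/modules/DnsResolver/DnsResolver/doh.rs packages/modules/DnsResolver/DnsResolver/getaddrinfo.cpp packages/modules/DnsResolver/getaddrinfo.cpp";
	#TODO: handle packages/modules/DnsResolver/PrivateDnsConfiguration.h maybe? or just leave as is
	#Only touch the files that exist in this tree (the list spans several branches)
	local -a present=();
	local f;
	for f in $files; do
		if [ -f "$f" ]; then present+=("$f"); fi;
	done;
	if [ "${#present[@]}" -gt 0 ]; then
		#All six substitutions are line-local, so one sed pass equals the former six.
		#4.4.4.4 is mapped to the secondary address, as before.
		sed -i \
			-e "s/8\.8\.8\.8/$dnsPrimary/g" \
			-e "s/2001:4860:4860::8888/$dnsPrimaryV6/g" \
			-e "s/8\.8\.4\.4/$dnsSecondary/g" \
			-e "s/4\.4\.4\.4/$dnsSecondary/g" \
			-e "s/2001:4860:4860::8844/$dnsSecondaryV6/g" \
			-e "s/0x08080808L/$dnsHex/g" \
			"${present[@]}";
	fi;
}
export -f changeDefaultDNS;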
editKernelLocalversion() {
	#Sets CONFIG_LOCALVERSION="$1" in every defconfig reported by getDefconfig():
	#an existing CONFIG_LOCALVERSION line is rewritten in place; a defconfig
	#without one gets the line appended (the -z pass treats the whole file as a
	#single record, so "$" there means end-of-file).
	#Arguments: $1 - local version suffix; it is spliced into the sed scripts and
	#            must not contain '/' or '&'
	#Must be called from inside the kernel tree (getDefconfig() uses relative paths).
	local suffix="$1";
	local configs;
	configs=$(getDefconfig);
	local setLine='CONFIG_LOCALVERSION="'"$suffix"'"';
	#$configs stays unquoted on purpose: getDefconfig() returns glob patterns
	sed -i 's/CONFIG_LOCALVERSION=".*"/'"$setLine"'/' $configs &>/dev/null || true;
	sed -zi '/'"$setLine"'/!s/$/\n'"$setLine"'/' $configs &>/dev/null;
}
export -f editKernelLocalversion;
getDefconfig() {
	#Prints the defconfig path(s) to edit for the kernel tree in the current
	#directory, using the first rule that matches:
	#  1. a Tensor (gs-google) GKI tree  -> its two fixed *_gki_defconfig files
	#  2. arch/arm64/configs/lineage*defconfig
	#  3. arch/arm/configs/lineage*defconfig
	#  4. otherwise a broad list of known lineage and vendor defconfig patterns
	#The result is echoed unquoted, so patterns that match files expand to the
	#matching paths while unmatched patterns pass through literally; callers are
	#expected to leave the value unquoted as well.
	local found="";
	if compgen -G "private/gs-google/arch/arm64/configs/*_gki_defconfig" >/dev/null; then
		found="private/gs-google/arch/arm64/configs/cloudripper_gki_defconfig private/gs-google/arch/arm64/configs/slider_gki_defconfig";
	elif compgen -G "arch/arm64/configs/lineage*defconfig" >/dev/null; then
		found="arch/arm64/configs/lineage*defconfig";
	elif compgen -G "arch/arm/configs/lineage*defconfig" >/dev/null; then
		found="arch/arm/configs/lineage*defconfig";
	else
		#List gathered with:
		#grep TARGET_KERNEL_CONFIG Build/*/device/ -Rih | sed 's|TARGET_KERNEL_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
		#grep TARGET_KERNEL_VARIANT_CONFIG Build/*/device/ -Rih | sed 's|TARGET_KERNEL_VARIANT_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
		found="arch/arm*/configs/lineage*defconfig arch/arm*/configs/vendor/lineage*defconfig arch/arm*/configs/apollo_defconfig arch/arm*/configs/apq8084_sec_defconfig arch/arm*/configs/apq8084_sec_kccat6_eur_defconfig arch/arm*/configs/apq8084_sec_lentislte_skt_defconfig arch/arm*/configs/athene_defconfig arch/arm*/configs/aura_defconfig arch/arm*/configs/b1c1_defconfig arch/arm*/configs/beryllium_defconfig arch/arm*/configs/bonito_defconfig arch/arm*/configs/clark_defconfig arch/arm*/configs/cloudripper_gki_defconfig arch/arm*/configs/discovery_defconfig arch/arm*/configs/enchilada_defconfig arch/arm*/configs/exynos8890-hero2lte_defconfig arch/arm*/configs/exynos8890-herolte_defconfig arch/arm*/configs/exynos9810-crownlte_defconfig arch/arm*/configs/exynos9810-star2lte_defconfig arch/arm*/configs/exynos9810-starlte_defconfig arch/arm*/configs/floral_defconfig arch/arm*/configs/FP4_defconfig arch/arm*/configs/griffin_defconfig arch/arm*/configs/grouper_defconfig arch/arm*/configs/harpia_defconfig arch/arm*/configs/jactive_eur_defconfig arch/arm*/configs/jf_att_defconfig arch/arm*/configs/jf_eur_defconfig arch/arm*/configs/jf_spr_defconfig arch/arm*/configs/jfve_eur_defconfig arch/arm*/configs/jf_vzw_defconfig arch/arm*/configs/kirin_defconfig arch/arm*/configs/lavender_defconfig arch/arm*/configs/m1s1_defconfig arch/arm*/configs/m7_defconfig arch/arm*/configs/m8_defconfig arch/arm*/configs/m8dug_defconfig arch/arm*/configs/merlin_defconfig arch/arm*/configs/mermaid_defconfig arch/arm*/configs/msm8930_serrano_eur_3g_defconfig arch/arm*/configs/msm8930_serrano_eur_lte_defconfig arch/arm*/configs/msm8974-hdx_defconfig arch/arm*/configs/msm8974-hdx-perf_defconfig arch/arm*/configs/oneplus2_defconfig arch/arm*/configs/osprey_defconfig arch/arm*/configs/pioneer_defconfig arch/arm*/configs/platina_defconfig arch/arm*/configs/redbull_defconfig arch/arm*/configs/samsung_serrano_defconfig arch/arm*/configs/samsung_serrano_usa_defconfig arch/arm*/configs/shamu_defconfig arch/arm*/configs/slider_gki_defconfig arch/arm*/configs/sunfish_defconfig arch/arm*/configs/surnia_defconfig arch/arm*/configs/tama_akari_defconfig arch/arm*/configs/tama_akatsuki_defconfig arch/arm*/configs/tama_apollo_defconfig arch/arm*/configs/tama_aurora_defconfig arch/arm*/configs/thor_defconfig arch/arm*/configs/tulip_defconfig arch/arm*/configs/tuna_defconfig arch/arm*/configs/twrp_defconfig arch/arm*/configs/vendor/alioth_defconfig arch/arm*/configs/vendor/apollo_defconfig arch/arm*/configs/vendor/davinci.config arch/arm*/configs/vendor/fairphone/FP4.config arch/arm*/configs/vendor/kona-perf_defconfig arch/arm*/configs/vendor/lahaina-qgki_defconfig arch/arm*/configs/vendor/lito-perf_defconfig arch/arm*/configs/vendor/lmi_defconfig arch/arm*/configs/vendor/msm8937-perf_defconfig arch/arm*/configs/vendor/raphael_defconfig arch/arm*/configs/vendor/sdmsteppe-perf_defconfig arch/arm*/configs/vendor/sm8150-perf_defconfig arch/arm*/configs/vendor/vayu_defconfig arch/arm*/configs/vendor/vendor/fairphone/FP4.config arch/arm*/configs/vendor/vendor/xiaomi/sm8250-common.config arch/arm*/configs/vendor/xiaomi/alioth.config arch/arm*/configs/vendor/xiaomi/apollo.config arch/arm*/configs/vendor/xiaomi/beryllium.config arch/arm*/configs/vendor/xiaomi/dipper.config arch/arm*/configs/vendor/xiaomi/equuleus.config arch/arm*/configs/vendor/xiaomi/lmi.config arch/arm*/configs/vendor/xiaomi/mi845_defconfig arch/arm*/configs/vendor/xiaomi/polaris.config arch/arm*/configs/vendor/xiaomi/sm8150-common.config arch/arm*/configs/vendor/xiaomi/sm8250-common.config arch/arm*/configs/vendor/xiaomi/ursa.config arch/arm*/configs/vendor/xiaomi/vayu.config arch/arm*/configs/voyager_defconfig arch/arm*/configs/wayne_defconfig arch/arm*/configs/whyred_defconfig arch/arm*/configs/yellowstone_defconfig arch/arm*/configs/Z00T_defconfig arch/arm*/configs/z2_plus_defconfig arch/arm*/configs/zenfone3-perf_defconfig";
	fi;
	echo $found;
}
export -f getDefconfig;
hardenDefconfig( ) {
cd " $DOS_BUILD_BASE / $1 " ;
#Attempts to enable/disable supported options to increase security
#See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
#and (GPL-3.0) https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/kconfig_hardened_check/__init__.py
local defconfigPath = $( getDefconfig) ;
local kernelVersion = "0.0.0" ;
if [ -f "Makefile" ] ; then
local kernelVersion = $( head -n5 "Makefile" | sed '/# SPDX-License-Identifier: GPL-2.0/d;/EXTRAVERSION/d;/NAME/d' | sed 's/.*= //;s/\n//' | sed -e :a -e N -e '$!ba' -e 's/\n/ /g' | sed 's/\ /./g' ) ;
fi ;
#Enable supported options
#Linux <3.0
declare -a optionsYes = ( "BUG" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES" ) ;
optionsYes += ( "DEBUG_KERNEL" "DEBUG_CREDENTIALS" "DEBUG_LIST" "DEBUG_VIRTUAL" ) ;
optionsYes += ( "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" ) ;
#optionsYes+=("DEBUG_SG"); #bootloops - https://patchwork.kernel.org/patch/8989981
if [ " $DOS_USE_KSM " = true ] && [ -f "mm/ksm.c" ] ; then
if [ [ $kernelVersion = = "3." * ] ] || [ [ $kernelVersion = = "4.4" * ] ] || [ [ $kernelVersion = = "4.9" * ] ] ; then
optionsYes += ( "KSM" ) ;
sed -i 's/unsigned int ksm_run = KSM_RUN_STOP;/unsigned int ksm_run = KSM_RUN_MERGE;/' mm/ksm.c & >/dev/null || true;
sed -i 's/unsigned long ksm_run = KSM_RUN_STOP;/unsigned long ksm_run = KSM_RUN_MERGE;/' mm/ksm.c & >/dev/null || true;
else
local ksmNotNeeded = true;
sed -i 's/unsigned int ksm_run = KSM_RUN_MERGE;/unsigned int ksm_run = KSM_RUN_STOP;/' mm/ksm.c & >/dev/null || true;
sed -i 's/unsigned long ksm_run = KSM_RUN_MERGE;/unsigned long ksm_run = KSM_RUN_STOP;/' mm/ksm.c & >/dev/null || true;
fi ;
fi ;
if [ [ $kernelVersion = = "3." * ] ] || [ [ $kernelVersion = = "4.4" * ] ] || [ [ $kernelVersion = = "4.9" * ] ] ; then
optionsYes += ( "DEBUG_NOTIFIERS" ) ; #(https://github.com/GrapheneOS/os-issue-tracker/issues/681)
fi ;
#Linux 3.4
optionsYes += ( "SECURITY_YAMA" ) ;
#Linux 3.5
optionsYes += ( "PANIC_ON_OOPS" "SECCOMP_FILTER" ) ;
#Linux 3.7
optionsYes += ( "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER" ) ;
#Linux 3.13
optionsYes += ( "SYSTEM_TRUSTED_KEYRING" ) ;
#Linux 3.14
optionsYes += ( "CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG" ) ;
#Linux 3.17
optionsYes += ( "PKCS7_MESSAGE_PARSER" ) ;
#Linux 3.18
optionsYes += ( "HARDENED_USERCOPY" "SCHED_STACK_END_CHECK" ) ;
#Linux 4.3
optionsYes += ( "ARM64_PAN" "CPU_SW_DOMAIN_PAN" ) ;
#Linux 4.4
optionsYes += ( "LEGACY_VSYSCALL_NONE" ) ;
#Linux 4.5
optionsYes += ( "IO_STRICT_DEVMEM" ) ;
#Linux 4.6
optionsYes += ( "ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ZERO" "PAGE_POISONING_NO_SANITY" ) ;
#Linux 4.7
optionsYes += ( "ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM" ) ;
#Linux 4.8
optionsYes += ( "RANDOMIZE_MEMORY" ) ;
#Linux 4.9
optionsYes += ( "THREAD_INFO_IN_TASK" "VMAP_STACK" ) ;
#Linux 4.10
optionsYes += ( "ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION" ) ;
#Linux 4.11
optionsYes += ( "STRICT_KERNEL_RWX" "STRICT_MODULE_RWX" ) ;
#Linux 4.13
optionsYes += ( "FORTIFY_SOURCE" "REFCOUNT_FULL" ) ;
#Linux 4.14
optionsYes += ( "SLAB_FREELIST_HARDENED" ) ;
#optionsYes+=("LTO_CLANG" "CFI_CLANG");
#optionsYes+=("RESET_ATTACK_MITIGATION"); #EFI only
#Linux 4.15
optionsYes += ( "PAGE_TABLE_ISOLATION" "RETPOLINE" ) ;
#Linux 4.16
optionsYes += ( "UNMAP_KERNEL_AT_EL0" ) ;
#Linux 4.17
optionsYes += ( "HARDEN_EL2_VECTORS" ) ;
#Linux 4.18
optionsYes += ( "HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG" ) ;
#Linux 5.0
optionsYes += ( "ARM64_PTR_AUTH" ) ; #can stall CPUs on boot if missing support
optionsYes += ( "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK" ) ;
#Linux 5.2
optionsYes += ( "INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR" ) ;
#Linux 5.8
optionsYes += ( "ARM64_BTI_KERNEL" "DEBUG_WX" ) ;
#Linux 5.9
optionsYes += ( "INIT_STACK_ALL_ZERO" ) ;
#Linux 5.10
optionsYes += ( "ARM64_MTE" ) ;
#Linux 5.12
#optionsYes+=("KFENCE"); #useless?
#Linux 5.13
optionsYes += ( "ARM64_EPAN" "RANDOMIZE_KSTACK_OFFSET_DEFAULT" ) ;
#Linux 5.15
optionsYes += ( "IOMMU_DEFAULT_DMA_STRICT" "ZERO_CALL_USED_REGS" ) ;
#optionsYes+=("WERROR");
#Linux 5.17
optionsYes += ( "HARDEN_BRANCH_HISTORY" "MITIGATE_SPECTRE_BRANCH_HISTORY" ) ;
#Linux 5.18
#optionsYes+=("SHADOW_CALL_STACK" "SHADOW_CALL_STACK_VMAP");
#GCC Plugins - 4.19 - 5.2
#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STACKLEAK" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
#AOSP uses Clang, not GCC
#GrapheneOS Patches
optionsYes += ( "PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY" ) ;
#Disabled: SLAB_CANARY (https://github.com/GrapheneOS/os-issue-tracker/issues/124)
#out of tree or renamed or removed ?
optionsYes += ( "KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX" ) ;
#Hardware enablement #XXX: This needs a better home
optionsYes += ( "HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER" ) ;
#grep INIT_ON_ALLOC_DEFAULT_ON Build/*/kernel/*/*/security/Kconfig.hardening -l
modernKernels = ( 'fairphone/sm7225' 'fxtec/sm6115' 'google/barbet' 'google/bluejay' 'google/coral' 'google/gs101' 'google/gs201' 'google/msm-4.14' 'google/raviole' 'google/redbull' 'google/sunfish' 'oneplus/sm8150' 'oneplus/sm8250' 'oneplus/sm8350' 'xiaomi/sm8150' 'xiaomi/sm8250' 'xiaomi/vayu' ) ;
for kernelModern in " ${ modernKernels [@] } " ; do
if [ [ " $1 " = = *" / $kernelModern " * ] ] ; then
optionsYes += ( "INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" ) ;
fi ;
done ;
#excluding above: grep PAGE_POISONING_ENABLE_DEFAULT Build/*/kernel/*/*/mm/Kconfig.debug -l
oldKernels = ( 'essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/msm-4.9' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'yandex/sdm660' 'zuk/msm8996' ) ;
for kernelOld in " ${ oldKernels [@] } " ; do
if [ [ " $1 " = = *" / $kernelOld " * ] ] ; then
optionsYes += ( "PAGE_POISONING_ENABLE_DEFAULT" ) ;
fi ;
done ;
for option in " ${ optionsYes [@] } "
do
#If the option is disabled, enable it
sed -i 's/# CONFIG_' " $option " ' is not set/CONFIG_' " $option " '=y/' $defconfigPath & >/dev/null || true;
if [ [ " $1 " != *"kernel/oneplus/msm8996" * ] ] && [ [ " $1 " != *"kernel/xiaomi/msm8937" * ] ] ; then
#If the option isn't present, add it enabled
sed -zi '/CONFIG_' " $option " '=y/!s/$/\nCONFIG_' " $option " '=y/' $defconfigPath & >/dev/null || true;
fi ;
done
#Disable supported options
#debugging
declare -a optionsNo = ( "ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" ) ;
optionsNo += ( "CHECKPOINT_RESTORE" "MEM_SOFT_DIRTY" ) ;
optionsNo += ( "CP_ACCESS64" "WLAN_FEATURE_MEMDUMP" ) ;
optionsNo += ( "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "PROC_KCORE" "PROC_VMCORE" "X86_PTDUMP" ) ;
optionsNo += ( "HWPOISON_INJECT" "NOTIFIER_ERROR_INJECTION" ) ;
optionsNo += ( "INPUT_EVBUG" ) ;
optionsNo += ( "LOG_BUF_MAGIC" ) ;
optionsNo += ( "L2TP_DEBUGFS" ) ;
optionsNo += ( "PAGE_OWNER" ) ;
optionsNo += ( "TIMER_STATS" "ZSMALLOC_STAT" ) ;
optionsNo += ( "UPROBES" ) ;
#optionsNo+=("SLUB_DEBUG" "SLUB_DEBUG_ON");
#optionsNo+=("STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE"); #GCC only
#optionsNo+=("MMIOTRACE" "MMIOTRACE_TEST");
#optionsNo+=("IOMMU_DEBUG" "IOMMU_DEBUG_TRACKING" "IOMMU_NON_SECURE" "IOMMU_TESTS");
#optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_KMEMLEAK" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "DEBUG_SPINLOCK");
#if [[ $kernelVersion == "4."* ]] || [[ $kernelVersion == "5."* ]]; then
# #optionsNo+=("DEBUG_FS");
# optionsNo+=("FTRACE" "KPROBE_EVENTS" "UPROBE_EVENTS" "GENERIC_TRACER" "FUNCTION_TRACER" "STACK_TRACER" "HIST_TRIGGERS" "BLK_DEV_IO_TRACE" "FAIL_FUTEX" "DYNAMIC_DEBUG" "PREEMPT_TRACER");
#fi;
#if [[ "$1" != *"kernel/oneplus/sm8250"* ]]; then
# optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "OF_CORESIGHT");
#fi;
#legacy
optionsNo += ( "BINFMT_AOUT" "BINFMT_MISC" ) ;
optionsNo += ( "COMPAT_BRK" "COMPAT_VDSO" ) ;
optionsNo += ( "LDISC_AUTOLOAD" "LEGACY_PTYS" ) ;
optionsNo += ( "MODIFY_LDT_SYSCALL" ) ;
optionsNo += ( "OABI_COMPAT" ) ;
optionsNo += ( "USELIB" ) ;
optionsNo += ( "X86_IOPL_IOPERM" "X86_VSYSCALL_EMULATION" ) ;
#unnecessary
optionsNo += ( "BLK_DEV_FD" "BT_HS" "IO_URING" "IP_DCCP" "IP_SCTP" "VIDEO_VIVID" "FB_VIRTUAL" "RDS" "RDS_TCP" ) ;
optionsNo += ( "HIBERNATION" ) ;
optionsNo += ( "KEXEC" "KEXEC_FILE" ) ;
optionsNo += ( "UKSM" ) ;
if [ " $DOS_USE_KSM " = false ] || [ " $ksmNotNeeded " = true ] ; then optionsNo += ( "KSM" ) ; fi ;
optionsNo += ( "LIVEPATCH" ) ;
optionsNo += ( "WIREGUARD" ) ; #Requires root access, which we do not provide
if [ " $DOS_DEBLOBBER_REMOVE_IPA " = true ] ; then optionsNo += ( "IPA" "RMNET_IPA" ) ; fi ;
#unsafe
optionsNo += ( "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" ) ;
optionsNo += ( "HARDENED_USERCOPY_FALLBACK" ) ;
optionsNo += ( "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" ) ;
if [ " $DOS_USE_KSM " = false ] ; then optionsNo += ( "SLAB_MERGE_DEFAULT" ) ; fi ;
if [ [ " $DOS_VERSION " != "LineageOS-20.0" ] ] ; then optionsNo += ( "USERFAULTFD" ) ; fi ;
#optionsNo+=("CFI_PERMISSIVE");
#misc
optionsNo += ( "FB_MSM_MDSS_XLOG_DEBUG" "MSM_BUSPM_DEV" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG" ) ;
optionsNo += ( "NEEDS_SYSCALL_FOR_CMPXCHG" ) ;
optionsNo += ( "TSC" "TSPP2" ) ;
#breakage
optionsNo += ( "HARDENED_USERCOPY_PAGESPAN" ) ;
#optionsNo+=("IKCONFIG"); #breaks recovery
#optionsNo+=("KALLSYMS"); #breaks boot on select devices
#optionsNo+=("MAGIC_SYSRQ"); #breaks compile
#optionsNo+=("MSM_DLOAD_MODE"); #breaks compile
#optionsNo+=("MSM_SMP2P_TEST" "INET_DIAG");
#optionsNo+=("PROC_PAGE_MONITOR"); #breaks memory stats
#optionsNo+=("SCHED_DEBUG"); #breaks compile
if [ " $DOS_DEFCONFIG_DISABLER " = true ] ; then
for option in " ${ optionsNo [@] } "
do
#If the option is enabled, disable it
sed -i 's/CONFIG_' " $option " '=y/CONFIG_' " $option " '=n/' $defconfigPath & >/dev/null || true;
#If the option isn't present, add it disabled
sed -zi '/CONFIG_' " $option " '=n/!s/$/\nCONFIG_' " $option " '=n/' $defconfigPath & >/dev/null || true;
done
fi ;
#Extras
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath & >/dev/null || true;
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath & >/dev/null || true;
sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath & >/dev/null || true;
sed -zi '/CONFIG_DEFAULT_MMAP_MIN_ADDR/!s/$/\nCONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath & >/dev/null || true;
sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath & >/dev/null || true;
sed -zi '/CONFIG_LSM_MMAP_MIN_ADDR/!s/$/\nCONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath & >/dev/null || true;
editKernelLocalversion "-dos" ;
echo " Hardened defconfig for $1 " ;
cd " $DOS_BUILD_BASE " ;
}
#Export the function definition so child bash processes inherit hardenDefconfig,
#the same way the other helpers in this file are exported (bash-only: export -f).
export -f hardenDefconfig;