Various changes

2022-05-14 21:05:54 -04:00 · 2022-05-14 21:05:54 -04:00 · 05930af014
parent 3e7b657295
commit 05930af014
19 changed files with 924 additions and 57 deletions
--- a/Patches/LineageOS-16.0/android_system_core/0004-ptrace_scope.patch
+++ b/Patches/LineageOS-16.0/android_system_core/0004-ptrace_scope.patch
@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 03:02:51 +0100
+Subject: [PATCH] add a property for controlling ptrace_scope
+
+---
+ rootdir/init.rc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index 4a8a60a96..e0bead37b 100644
+--- a/rootdir/init.rc
+++ b/rootdir/init.rc
+@@ -724,6 +724,12 @@ on property:sys.sysctl.extra_free_kbytes=*
+ on property:sys.sysctl.tcp_def_init_rwnd=*
+     write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+ 
+on property:persist.native_debug=true
+    write /proc/sys/kernel/yama/ptrace_scope 0
+
+on property:persist.native_debug=false
+    write /proc/sys/kernel/yama/ptrace_scope 2
+
+ on property:security.perf_harden=0
+     write /proc/sys/kernel/perf_event_paranoid 1
+ 
--- a/Patches/LineageOS-16.0/android_system_sepolicy/0002-protected_files.patch
+++ b/Patches/LineageOS-16.0/android_system_sepolicy/0002-protected_files.patch
@ -7,6 +7,7 @@ This is needed for init to override the default values.

 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
 [tad@spotco.us]: added to older targets to match
+
 Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1
 ---
 prebuilts/api/26.0/private/genfs_contexts | 2 ++
--- a/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-1.patch
+++ b/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-1.patch
@ -0,0 +1,175 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 02:26:20 +0100
+Subject: [PATCH] allow init to control kernel.yama.ptrace_scope
+
+[tad@spotco.us]: added to older targets to match
+
+Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
+---
+ prebuilts/api/26.0/private/domain.te      | 1 +
+ prebuilts/api/26.0/private/genfs_contexts | 1 +
+ prebuilts/api/26.0/public/init.te         | 3 +++
+ prebuilts/api/27.0/private/domain.te      | 1 +
+ prebuilts/api/27.0/private/genfs_contexts | 1 +
+ prebuilts/api/27.0/public/init.te         | 3 +++
+ prebuilts/api/28.0/private/domain.te      | 1 +
+ prebuilts/api/28.0/private/genfs_contexts | 1 +
+ prebuilts/api/28.0/public/init.te         | 3 +++
+ private/domain.te                         | 1 +
+ private/genfs_contexts                    | 1 +
+ public/init.te                            | 3 +++
+ 12 files changed, 20 insertions(+)
+
+diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
+index d37a0bd26..69f98161c 100644
+--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
+diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
+index 753cabf15..67203c998 100644
+--- a/prebuilts/api/26.0/private/genfs_contexts
+++ b/prebuilts/api/26.0/private/genfs_contexts
+@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+ genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te
+index 6d43ef463..947eaaeca 100644
+--- a/prebuilts/api/26.0/public/init.te
+++ b/prebuilts/api/26.0/public/init.te
+@@ -96,6 +96,9 @@ allow init self:capability { sys_rawio mknod };
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems.
+ # Only allow relabelto for types used in context= mount options,
+ # which should all be assigned the contextmount_type attribute.
+diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
+index d37a0bd26..69f98161c 100644
+--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
+diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
+index 606d46cbe..ac54e423a 100644
+--- a/prebuilts/api/27.0/private/genfs_contexts
+++ b/prebuilts/api/27.0/private/genfs_contexts
+@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+ genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te
+index e6162a939..76de36515 100644
+--- a/prebuilts/api/27.0/public/init.te
+++ b/prebuilts/api/27.0/public/init.te
+@@ -101,6 +101,9 @@ allow init self:capability { sys_rawio mknod };
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems.
+ # Only allow relabelto for types used in context= mount options,
+ # which should all be assigned the contextmount_type attribute.
+diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
+index fb6ba4f78..e4bf76af7 100644
+--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   userdebug_or_eng(`-incidentd')
+diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
+index 656a9557a..126313ed8 100644
+--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
+@@ -59,6 +59,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index 9eff0b0be..e52fa7eee 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -115,6 +115,9 @@ allow init self:global_capability_class_set { sys_rawio mknod };
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems.
+ # Only allow relabelto for types used in context= mount options,
+ # which should all be assigned the contextmount_type attribute.
+diff --git a/private/domain.te b/private/domain.te
+index fb6ba4f78..e4bf76af7 100644
+--- a/private/domain.te
+++ b/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   userdebug_or_eng(`-incidentd')
+diff --git a/private/genfs_contexts b/private/genfs_contexts
+index 28cf83ab2..bd64f01ba 100644
+--- a/private/genfs_contexts
+++ b/private/genfs_contexts
+@@ -62,6 +62,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/public/init.te b/public/init.te
+index 05a61aec3..0dd4481a5 100644
+--- a/public/init.te
+++ b/public/init.te
+@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
--- a/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-2.patch
+++ b/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-2.patch
@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 02:27:06 +0100
+Subject: [PATCH] allow system to use persist.native_debug
+
+[tad@spotco.us]: added to older targets to match
+
+Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641
+---
+ prebuilts/api/26.0/private/property_contexts | 1 +
+ prebuilts/api/27.0/private/property_contexts | 1 +
+ prebuilts/api/28.0/private/property_contexts | 1 +
+ private/property_contexts                    | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
+index 4c27b35d6..c48ba4012 100644
+--- a/prebuilts/api/26.0/private/property_contexts
+++ b/prebuilts/api/26.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+ persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
+index 8eb2f28b2..237e6fcc1 100644
+--- a/prebuilts/api/27.0/private/property_contexts
+++ b/prebuilts/api/27.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+ persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
+index 32be0b377..afe0f70fe 100644
+--- a/prebuilts/api/28.0/private/property_contexts
+++ b/prebuilts/api/28.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+diff --git a/private/property_contexts b/private/property_contexts
+index 32be0b377..afe0f70fe 100644
+--- a/private/property_contexts
+++ b/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
--- a/Patches/LineageOS-17.1/android_system_sepolicy/0002-protected_files.patch
+++ b/Patches/LineageOS-17.1/android_system_sepolicy/0002-protected_files.patch
@ -7,6 +7,7 @@ This is needed for init to override the default values.

 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
 [tad@spotco.us]: added to older targets to match
+
 Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1
 ---
 prebuilts/api/26.0/private/genfs_contexts | 2 ++
--- a/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch
+++ b/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch
@ -3,19 +3,39 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com>
 Date: Mon, 5 Apr 2021 02:26:20 +0100
 Subject: [PATCH] allow init to control kernel.yama.ptrace_scope

+[tad@spotco.us]: added to older targets to match
+
 Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
 ---
+ prebuilts/api/26.0/private/domain.te      | 1 +
 prebuilts/api/26.0/private/genfs_contexts | 1 +
+ prebuilts/api/26.0/public/init.te         | 3 +++
+ prebuilts/api/27.0/private/domain.te      | 1 +
 prebuilts/api/27.0/private/genfs_contexts | 1 +
+ prebuilts/api/27.0/public/init.te         | 3 +++
+ prebuilts/api/28.0/private/domain.te      | 1 +
 prebuilts/api/28.0/private/genfs_contexts | 1 +
+ prebuilts/api/28.0/public/init.te         | 3 +++
 prebuilts/api/29.0/private/domain.te      | 1 +
 prebuilts/api/29.0/private/genfs_contexts | 1 +
 prebuilts/api/29.0/public/init.te         | 3 +++
 private/domain.te                         | 1 +
 private/genfs_contexts                    | 1 +
 public/init.te                            | 3 +++
- 9 files changed, 13 insertions(+)
+ 15 files changed, 25 insertions(+)

+diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
+index d37a0bd26..69f98161c 100644
+--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
 diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
 index 753cabf15..67203c998 100644
 --- a/prebuilts/api/26.0/private/genfs_contexts
@ -28,6 +48,32 @@ index 753cabf15..67203c998 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te
+index 6d43ef463..04422e1d0 100644
+--- a/prebuilts/api/26.0/public/init.te
+++ b/prebuilts/api/26.0/public/init.te
+@@ -93,6 +93,9 @@ allow init self:capability sys_time;
+ 
+ allow init self:capability { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
+index d37a0bd26..69f98161c 100644
+--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
 diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
 index 606d46cbe..ac54e423a 100644
 --- a/prebuilts/api/27.0/private/genfs_contexts
@ -40,6 +86,32 @@ index 606d46cbe..ac54e423a 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te
+index e6162a939..78d1ab527 100644
+--- a/prebuilts/api/27.0/public/init.te
+++ b/prebuilts/api/27.0/public/init.te
+@@ -98,6 +98,9 @@ allow init self:capability sys_time;
+ 
+ allow init self:capability { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
+index fb6ba4f78..e4bf76af7 100644
+--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   userdebug_or_eng(`-incidentd')
 diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
 index 44ca95fd5..89b55b28d 100644
 --- a/prebuilts/api/28.0/private/genfs_contexts
@ -52,6 +124,20 @@ index 44ca95fd5..89b55b28d 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index dafc06f99..bc38c7760 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
 diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
 index 1d26761d6..62cbb04a1 100644
 --- a/prebuilts/api/29.0/private/domain.te
--- a/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch
+++ b/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch
@ -3,6 +3,9 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com>
 Date: Mon, 5 Apr 2021 02:27:06 +0100
 Subject: [PATCH] allow system to use persist.native_debug

+[tad@spotco.us]: added to older targets to match
+
+Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641
 ---
 prebuilts/api/26.0/private/property_contexts | 1 +
 prebuilts/api/27.0/private/property_contexts | 1 +
--- a/Patches/LineageOS-18.1/android_system_sepolicy/0002-protected_files.patch
+++ b/Patches/LineageOS-18.1/android_system_sepolicy/0002-protected_files.patch
@ -7,6 +7,7 @@ This is needed for init to override the default values.

 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
 [tad@spotco.us]: added to older targets to match
+
 Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1
 ---
 prebuilts/api/26.0/private/genfs_contexts | 2 ++
--- a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch
+++ b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch
@ -3,20 +3,42 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com>
 Date: Mon, 5 Apr 2021 02:26:20 +0100
 Subject: [PATCH] allow init to control kernel.yama.ptrace_scope

+[tad@spotco.us]: added to older targets to match
+
 Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
 ---
+ prebuilts/api/26.0/private/domain.te      | 1 +
 prebuilts/api/26.0/private/genfs_contexts | 1 +
+ prebuilts/api/26.0/public/init.te         | 3 +++
+ prebuilts/api/27.0/private/domain.te      | 1 +
 prebuilts/api/27.0/private/genfs_contexts | 1 +
+ prebuilts/api/27.0/public/init.te         | 3 +++
+ prebuilts/api/28.0/private/domain.te      | 1 +
 prebuilts/api/28.0/private/genfs_contexts | 1 +
+ prebuilts/api/28.0/public/init.te         | 3 +++
+ prebuilts/api/29.0/private/domain.te      | 1 +
 prebuilts/api/29.0/private/genfs_contexts | 1 +
+ prebuilts/api/29.0/public/init.te         | 3 +++
 prebuilts/api/30.0/private/domain.te      | 1 +
 prebuilts/api/30.0/private/genfs_contexts | 1 +
 prebuilts/api/30.0/public/init.te         | 3 +++
 private/domain.te                         | 1 +
 private/genfs_contexts                    | 1 +
 public/init.te                            | 3 +++
- 10 files changed, 14 insertions(+)
+ 18 files changed, 30 insertions(+)

+diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
+index d37a0bd26..69f98161c 100644
+--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
 diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
 index 753cabf15..67203c998 100644
 --- a/prebuilts/api/26.0/private/genfs_contexts
@ -29,6 +51,32 @@ index 753cabf15..67203c998 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te
+index 6d43ef463..04422e1d0 100644
+--- a/prebuilts/api/26.0/public/init.te
+++ b/prebuilts/api/26.0/public/init.te
+@@ -93,6 +93,9 @@ allow init self:capability sys_time;
+ 
+ allow init self:capability { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
+index d37a0bd26..69f98161c 100644
+--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
 diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
 index 606d46cbe..ac54e423a 100644
 --- a/prebuilts/api/27.0/private/genfs_contexts
@ -41,6 +89,32 @@ index 606d46cbe..ac54e423a 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te
+index e6162a939..78d1ab527 100644
+--- a/prebuilts/api/27.0/public/init.te
+++ b/prebuilts/api/27.0/public/init.te
+@@ -98,6 +98,9 @@ allow init self:capability sys_time;
+ 
+ allow init self:capability { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
+index fb6ba4f78..e4bf76af7 100644
+--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   userdebug_or_eng(`-incidentd')
 diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
 index 44ca95fd5..89b55b28d 100644
 --- a/prebuilts/api/28.0/private/genfs_contexts
@ -53,6 +127,32 @@ index 44ca95fd5..89b55b28d 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index dafc06f99..bc38c7760 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
+index 209eeb0dd..3a36ec678 100644
+--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
+@@ -86,6 +86,7 @@ userdebug_or_eng(`
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   userdebug_or_eng(`-llkd')
+   -dumpstate
 diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
 index 804996685..22a1ebf8d 100644
 --- a/prebuilts/api/29.0/private/genfs_contexts
@ -65,6 +165,20 @@ index 804996685..22a1ebf8d 100644
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
+index 2d52f5966..aa0036f1b 100644
+--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
+@@ -121,6 +121,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ allowxperm init dev_type:blk_file ioctl BLKROSET;
 diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
 index 7116dadfd..55264d01a 100644
 --- a/prebuilts/api/30.0/private/domain.te
--- a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch
+++ b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch
@ -3,6 +3,9 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com>
 Date: Mon, 5 Apr 2021 02:27:06 +0100
 Subject: [PATCH] allow system to use persist.native_debug

+[tad@spotco.us]: added to older targets to match
+
+Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641
 ---
 prebuilts/api/26.0/private/property_contexts | 1 +
 prebuilts/api/27.0/private/property_contexts | 1 +
--- a/Patches/LineageOS-19.1/android_system_sepolicy/0002-protected_files.patch
+++ b/Patches/LineageOS-19.1/android_system_sepolicy/0002-protected_files.patch
@ -6,11 +6,110 @@ Subject: [PATCH] label protected_{fifos,regular} as proc_security
 This is needed for init to override the default values.

 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
+[tad@spotco.us]: added to older targets to match
+
+Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1
 ---
+ prebuilts/api/26.0/private/genfs_contexts | 2 ++
+ prebuilts/api/27.0/private/genfs_contexts | 2 ++
+ prebuilts/api/28.0/private/genfs_contexts | 2 ++
+ prebuilts/api/29.0/private/genfs_contexts | 2 ++
+ prebuilts/api/30.0/private/genfs_contexts | 2 ++
+ prebuilts/api/31.0/private/genfs_contexts | 2 ++
 prebuilts/api/32.0/private/genfs_contexts | 2 ++
 private/genfs_contexts                    | 2 ++
- 2 files changed, 4 insertions(+)
+ 8 files changed, 16 insertions(+)

+diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
+index a2d9b892f..65e05f77a 100644
+--- a/prebuilts/api/26.0/private/genfs_contexts
+++ b/prebuilts/api/26.0/private/genfs_contexts
+@@ -14,8 +14,10 @@ genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+ genfscon proc /softirqs u:object_r:proc_timer:s0
+ genfscon proc /stat u:object_r:proc_stat:s0
+ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0
+ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
+index e77a39b92..bcd1b1b1e 100644
+--- a/prebuilts/api/27.0/private/genfs_contexts
+++ b/prebuilts/api/27.0/private/genfs_contexts
+@@ -14,8 +14,10 @@ genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+ genfscon proc /softirqs u:object_r:proc_timer:s0
+ genfscon proc /stat u:object_r:proc_stat:s0
+ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0
+ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
+index 7e2ea5092..6696dfe0e 100644
+--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
+@@ -27,8 +27,10 @@ genfscon proc /swaps u:object_r:proc_swaps:s0
+ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+ genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+ genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0
+ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
+index 380d4a050..7601aa01c 100644
+--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
+@@ -34,8 +34,10 @@ genfscon proc /swaps u:object_r:proc_swaps:s0
+ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+ genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+ genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0
+ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+ genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+ genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
+index 89232bc01..6a206bb64 100644
+--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
+@@ -36,8 +36,10 @@ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+ genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
+ genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+ genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0
+ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+ genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+ genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts
+index 13bfb46e1..72c9a94aa 100644
+--- a/prebuilts/api/31.0/private/genfs_contexts
+++ b/prebuilts/api/31.0/private/genfs_contexts
+@@ -39,8 +39,10 @@ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+ genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
+ genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+ genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0
+ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+ genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+ genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 diff --git a/prebuilts/api/32.0/private/genfs_contexts b/prebuilts/api/32.0/private/genfs_contexts
 index 13bfb46e1..30f3496e6 100644
 --- a/prebuilts/api/32.0/private/genfs_contexts
--- a/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-1.patch
+++ b/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-1.patch
@ -3,15 +3,264 @@ From: flawedworld <flawedworld@flawed.world>
 Date: Mon, 11 Oct 2021 02:33:31 +0100
 Subject: [PATCH] allow init to control kernel.yama.ptrace_scope

+[tad@spotco.us]: added to older targets to match
+
+Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
 ---
+ prebuilts/api/26.0/private/domain.te      | 1 +
+ prebuilts/api/26.0/private/genfs_contexts | 1 +
+ prebuilts/api/26.0/public/init.te         | 3 +++
+ prebuilts/api/27.0/private/domain.te      | 1 +
+ prebuilts/api/27.0/private/genfs_contexts | 1 +
+ prebuilts/api/27.0/public/init.te         | 3 +++
+ prebuilts/api/28.0/private/domain.te      | 1 +
+ prebuilts/api/28.0/private/genfs_contexts | 1 +
+ prebuilts/api/28.0/public/init.te         | 3 +++
+ prebuilts/api/29.0/private/domain.te      | 1 +
+ prebuilts/api/29.0/private/genfs_contexts | 1 +
+ prebuilts/api/29.0/public/init.te         | 3 +++
+ prebuilts/api/30.0/private/domain.te      | 1 +
+ prebuilts/api/30.0/private/genfs_contexts | 1 +
+ prebuilts/api/30.0/public/init.te         | 3 +++
+ prebuilts/api/31.0/private/domain.te      | 1 +
+ prebuilts/api/31.0/private/genfs_contexts | 1 +
+ prebuilts/api/31.0/public/init.te         | 3 +++
 prebuilts/api/32.0/private/domain.te      | 1 +
 prebuilts/api/32.0/private/genfs_contexts | 1 +
 prebuilts/api/32.0/public/init.te         | 3 +++
 private/domain.te                         | 1 +
 private/genfs_contexts                    | 1 +
 public/init.te                            | 3 +++
- 6 files changed, 10 insertions(+)
+ 24 files changed, 40 insertions(+)

+diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
+index 999c16a3d..b3213d879 100644
+--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these allowlisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
+diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
+index 65e05f77a..4ced22584 100644
+--- a/prebuilts/api/26.0/private/genfs_contexts
+++ b/prebuilts/api/26.0/private/genfs_contexts
+@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+ genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te
+index 6d43ef463..04422e1d0 100644
+--- a/prebuilts/api/26.0/public/init.te
+++ b/prebuilts/api/26.0/public/init.te
+@@ -93,6 +93,9 @@ allow init self:capability sys_time;
+ 
+ allow init self:capability { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
+index 999c16a3d..b3213d879 100644
+--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these allowlisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   -storaged
+diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
+index bcd1b1b1e..f813ac1d5 100644
+--- a/prebuilts/api/27.0/private/genfs_contexts
+++ b/prebuilts/api/27.0/private/genfs_contexts
+@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+ genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te
+index e6162a939..78d1ab527 100644
+--- a/prebuilts/api/27.0/public/init.te
+++ b/prebuilts/api/27.0/public/init.te
+@@ -98,6 +98,9 @@ allow init self:capability sys_time;
+ 
+ allow init self:capability { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
+index 5053c287b..4d5cd4796 100644
+--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
+@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld;
+ # with other UIDs to these allowlisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   -dumpstate
+   userdebug_or_eng(`-incidentd')
+diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
+index 6696dfe0e..ab0ef45bd 100644
+--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
+@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index dafc06f99..bc38c7760 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ 
+diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
+index 447176ed0..74541b1be 100644
+--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
+@@ -86,6 +86,7 @@ userdebug_or_eng(`
+ # with other UIDs to these allowlisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   userdebug_or_eng(`-llkd')
+   -dumpstate
+diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
+index 7601aa01c..7498beba5 100644
+--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
+@@ -68,6 +68,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
+index 2d52f5966..aa0036f1b 100644
+--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
+@@ -121,6 +121,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ allowxperm init dev_type:blk_file ioctl BLKROSET;
+diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
+index 430cb3f09..0b2c6ef25 100644
+--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
+@@ -125,6 +125,7 @@ allow domain boringssl_self_test_marker:dir search;
+ # with other UIDs to these allowlisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   userdebug_or_eng(`-llkd')
+   -dumpstate
+diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
+index 6a206bb64..03264f854 100644
+--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
+@@ -70,6 +70,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te
+index 403b4c5e6..e7630cd98 100644
+--- a/prebuilts/api/30.0/public/init.te
+++ b/prebuilts/api/30.0/public/init.te
+@@ -144,6 +144,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ allowxperm init dev_type:blk_file ioctl BLKROSET;
+diff --git a/prebuilts/api/31.0/private/domain.te b/prebuilts/api/31.0/private/domain.te
+index b91d36d85..d4ca398de 100644
+--- a/prebuilts/api/31.0/private/domain.te
+++ b/prebuilts/api/31.0/private/domain.te
+@@ -116,6 +116,7 @@ allow domain boringssl_self_test_marker:dir search;
+ # with other UIDs to these allowlisted domains.
+ neverallow {
+   domain
+  -init
+   -vold
+   userdebug_or_eng(`-llkd')
+   -dumpstate
+diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts
+index 72c9a94aa..0b84824de 100644
+--- a/prebuilts/api/31.0/private/genfs_contexts
+++ b/prebuilts/api/31.0/private/genfs_contexts
+@@ -76,6 +76,7 @@ genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/31.0/public/init.te b/prebuilts/api/31.0/public/init.te
+index ea5a9793d..49b23ee61 100644
+--- a/prebuilts/api/31.0/public/init.te
+++ b/prebuilts/api/31.0/public/init.te
+@@ -153,6 +153,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ allowxperm init dev_type:blk_file ioctl BLKROSET;
 diff --git a/prebuilts/api/32.0/private/domain.te b/prebuilts/api/32.0/private/domain.te
 index b91d36d85..d4ca398de 100644
 --- a/prebuilts/api/32.0/private/domain.te
--- a/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-2.patch
+++ b/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-2.patch
@ -3,11 +3,92 @@ From: flawedworld <flawedworld@flawed.world>
 Date: Mon, 11 Oct 2021 02:35:13 +0100
 Subject: [PATCH] allow system to use persist.native_debug

+[tad@spotco.us]: added to older targets to match
+
+Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641
 ---
+ prebuilts/api/26.0/private/property_contexts | 1 +
+ prebuilts/api/27.0/private/property_contexts | 1 +
+ prebuilts/api/28.0/private/property_contexts | 1 +
+ prebuilts/api/29.0/private/property_contexts | 1 +
+ prebuilts/api/30.0/private/property_contexts | 1 +
+ prebuilts/api/31.0/private/property_contexts | 1 +
 prebuilts/api/32.0/private/property_contexts | 1 +
 private/property_contexts                    | 1 +
- 2 files changed, 2 insertions(+)
+ 8 files changed, 8 insertions(+)

+diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
+index 4c27b35d6..c48ba4012 100644
+--- a/prebuilts/api/26.0/private/property_contexts
+++ b/prebuilts/api/26.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+ persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
+index 8eb2f28b2..237e6fcc1 100644
+--- a/prebuilts/api/27.0/private/property_contexts
+++ b/prebuilts/api/27.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+ persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
+index 32be0b377..afe0f70fe 100644
+--- a/prebuilts/api/28.0/private/property_contexts
+++ b/prebuilts/api/28.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
+index cb81ba693..f1fbfebd0 100644
+--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
+@@ -49,6 +49,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
+index 7908bb107..5f2dae1e5 100644
+--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
+@@ -57,6 +57,7 @@ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.nfc_cfg.        u:object_r:nfc_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
+index a51fa3a07..a294de0a3 100644
+--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
+@@ -54,6 +54,7 @@ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.nfc_cfg.        u:object_r:nfc_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
+persist.native_debug    u:object_r:system_prop:s0
+ logd.                   u:object_r:logd_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
 diff --git a/prebuilts/api/32.0/private/property_contexts b/prebuilts/api/32.0/private/property_contexts
 index f235b35b7..895b8f1df 100644
 --- a/prebuilts/api/32.0/private/property_contexts
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -317,6 +317,7 @@ git revert --no-edit b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update re
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
+#applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 fi;

 if enterAndClear "system/extras"; then
@ -325,6 +326,8 @@ fi;

 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
+#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
+#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices (DivestOS)
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/28.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/27.0";
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@ -162,13 +162,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0017-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
-fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0018-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; fi; #Add option of always randomizing MAC addresses (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service
@ -197,7 +195,7 @@ fi;

 if enterAndClear "frameworks/opt/net/wifi"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; fi; #Add support for always generating new random MAC (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;

 if enterAndClear "hardware/qcom/display"; then
@ -289,17 +287,13 @@ git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM u
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
-fi;
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-Random_MAC-1.patch"; #Add option to always randomize MAC (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-Random_MAC-2.patch"; #Remove partial MAC randomization translations (GrapheneOS)
-fi;
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
 fi;
@ -324,11 +318,9 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;

-#if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 #if enterAndClear "packages/modules/NetworkStack"; then
 #applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS) #FIXME: DhcpClient.java:960: error: cannot find symbol
 #fi;
-#fi;

 if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@ -354,7 +346,7 @@ git revert --no-edit bd4142eab8b3cead0c25a2e660b4b048d1315d3c; #Always update re
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 fi;

 if enterAndClear "system/extras"; then
@ -367,10 +359,8 @@ fi;

 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
-fi;
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices (DivestOS)
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/28.0";
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@ -139,11 +139,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
-fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0017-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
@ -160,7 +158,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-11.pat
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-12.patch";
 sed -i 's/sys.spawn.exec/persist.security.exec_spawn_new/' core/java/com/android/internal/os/ZygoteConnection.java;
 fi;
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; fi; #Add option of always randomizing MAC addresses (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
 hardenLocationConf services/core/java/com/android/server/location/gps_debug.conf; #Harden the default GPS config
@ -193,11 +191,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_opt_net_ims/0001-Fix_Calling.patch";
 fi;
 fi;

-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "frameworks/opt/net/wifi"; then
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
-fi;

 if enterAndClear "hardware/qcom/display"; then
 applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8084.patch" --directory="msm8084"; #(Qualcomm)
@ -302,17 +298,13 @@ if enterAndClear "packages/apps/Settings"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
-fi;
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC-1.patch"; #Add option to always randomize MAC (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC-2.patch"; #Remove partial MAC randomization translations (GrapheneOS)
-fi;
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@ -343,11 +335,9 @@ if enterAndClear "packages/modules/DnsResolver"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
 fi;

-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/NetworkStack"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS)
 fi;
-fi;

 if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@ -367,7 +357,7 @@ if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit e8dcabaf6b55ec55eb73c4585501ddbafc04fc9b 79f606ece6b74652d374eb4f79de309a0aa81360; #insanity
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0004-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
 fi;
@ -382,10 +372,8 @@ fi;

 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
-fi;
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices (DivestOS)
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/30.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@ -97,8 +97,7 @@ patchWorkspace() {
 	touch DOS_PATCHED_FLAG;
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;

-	source build/envsetup.sh;
-	repopick -i 330781; #PermissionManager: add null check for mLocationProviderPkgName, mLocationExtraPkgNames
+	#source build/envsetup.sh;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@ -126,7 +126,7 @@ fi;
 if enterAndClear "frameworks/base"; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
-applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) #XXX 19REBASE: maybe not needed
+applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
@ -137,11 +137,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch"; #Make DownloadManager.enqueue() a no-op when INTERNET permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Make DownloadManager.query() a no-op when INTERNET permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
-fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0017-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
@ -194,11 +192,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_opt_net_ims/0001-Fix_Calling.patch";
 fi;
 fi;

-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "frameworks/opt/net/wifi"; then
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
-fi;

 if enterAndClear "hardware/qcom-caf/msm8998/audio"; then
 applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-8998.patch"; #audio_extn: Fix unused parameter warning in utils.c (codeworkx)
@ -255,14 +251,12 @@ fi;
 if enterAndClear "packages/apps/Settings"; then
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) #XXX 19REBASE: broken?
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #XXX 19REBASE
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
-fi;
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch"; fi; #Add option to always randomize MAC (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch"; #Add option to always randomize MAC (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@ -301,11 +295,9 @@ applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Wildcar
 applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
 fi;

-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/NetworkStack"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS)
 fi;
-fi;

 if enterAndClear "packages/modules/Permission"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0002-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS)
@ -320,11 +312,9 @@ applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0005-Browser_No_Loc
 applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
 fi;

-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/Wifi"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
-fi;

 if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@ -338,7 +328,7 @@ if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit 07adb89d0f8c966c88869d1abffc57da0e707568; #insanity
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 fi;

@ -351,11 +341,9 @@ applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Ex
 fi;

 if enterAndClear "system/sepolicy"; then
-applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS) #XXX 19REBASE: add to other versions too
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
+applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
-fi;
 awk -i inplace '!/domain=gmscore_app/' private/seapp_contexts prebuilts/api/*/private/seapp_contexts; #Disable unused gmscore_app domain (GrapheneOS)
 fi;

@ -384,7 +372,7 @@ if enter "vendor/divested"; then
 awk -i inplace '!/_lookup/' overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove all lookup provider overrides
 if [ "$DOS_MICROG_INCLUDED" != "NONE" ]; then echo "PRODUCT_PACKAGES += DejaVuNlpBackend IchnaeaNlpBackend NominatimNlpBackend" >> packages.mk; fi; #Include UnifiedNlp backends
 if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then echo "PRODUCT_PACKAGES += UnifiedNLP" >> packages.mk; fi; #Include UnifiedNlp
-#echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch #XXX 19REBASE: is this necessary?
+echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch
 echo "PRODUCT_PACKAGES += eSpeakNG" >> packages.mk; #PicoTTS needs work to compile on 18.1, use eSpeak-NG instead
 sed -i 's/OpenCamera/SecureCamera/' packages.mk #Use the GrapheneOS camera app
 awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@ -62,9 +62,6 @@ export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+
 export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1+19.1
 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1+19.1
 export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1
-export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the GrapheneOS ptrace_scope toggle patchset on 17.1+18.1+19.1
-export DOS_GRAPHENE_RANDOM_MAC=true; #Enables the GrapheneOS always randomize Wi-Fi MAC patchset on 17.1+18.1+19.1
-export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1+19.1
 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
 export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"
 export DOS_MICROG_INCLUDED="NONE"; #Determines inclusion of microG. Options: NONE, NLP, FULL (removed)