From 05930af0143fdf578189b2a139fd24208fe5545f Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 14 May 2022 21:05:54 -0400
Subject: [PATCH] Various changes
---
 .../0004-ptrace_scope.patch | 26 ++
 .../0002-protected_files.patch | 1 +
 .../0003-ptrace_scope-1.patch | 175 ++++++++++++
 .../0003-ptrace_scope-2.patch | 63 +++++
 .../0002-protected_files.patch | 1 +
 .../0003-ptrace_scope-1.patch | 88 +++++-
 .../0003-ptrace_scope-2.patch | 3 +
 .../0002-protected_files.patch | 1 +
 .../0003-ptrace_scope-1.patch | 116 +++++++-
 .../0003-ptrace_scope-2.patch | 3 +
 .../0002-protected_files.patch | 101 ++++++-
 .../0003-ptrace_scope-1.patch | 251 +++++++++++++++++-
 .../0003-ptrace_scope-2.patch | 83 +++++-
 Scripts/LineageOS-16.0/Patch.sh | 3 +
 Scripts/LineageOS-17.1/Patch.sh | 18 +-
 Scripts/LineageOS-18.1/Patch.sh | 18 +-
 Scripts/LineageOS-19.1/Functions.sh | 3 +-
 Scripts/LineageOS-19.1/Patch.sh | 24 +-
 Scripts/init.sh | 3 -
 19 files changed, 924 insertions(+), 57 deletions(-)
 create mode 100644 Patches/LineageOS-16.0/android_system_core/0004-ptrace_scope.patch
 create mode 100644 Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-1.patch
 create mode 100644 Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-2.patch
diff --git a/Patches/LineageOS-16.0/android_system_core/0004-ptrace_scope.patch b/Patches/LineageOS-16.0/android_system_core/0004-ptrace_scope.patch
new file mode 100644
index 00000000..6a9b9262
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_core/0004-ptrace_scope.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 03:02:51 +0100
+Subject: [PATCH] add a property for controlling ptrace_scope
+
+---
+ rootdir/init.rc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index 4a8a60a96..e0bead37b 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -724,6 +724,12 @@ on property:sys.sysctl.extra_free_kbytes=*
+ on property:sys.sysctl.tcp_def_init_rwnd=*
+ write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+
++on property:persist.native_debug=true
++ write /proc/sys/kernel/yama/ptrace_scope 0
++
++on property:persist.native_debug=false
++ write /proc/sys/kernel/yama/ptrace_scope 2
++
+ on property:security.perf_harden=0
+ write /proc/sys/kernel/perf_event_paranoid 1
+
diff --git a/Patches/LineageOS-16.0/android_system_sepolicy/0002-protected_files.patch b/Patches/LineageOS-16.0/android_system_sepolicy/0002-protected_files.patch
index c5033a7a..28d06683 100644
--- a/Patches/LineageOS-16.0/android_system_sepolicy/0002-protected_files.patch
+++ b/Patches/LineageOS-16.0/android_system_sepolicy/0002-protected_files.patch
@@ -7,6 +7,7 @@ This is needed for init to override the default values. Signed-off-by: anupritaisno1 [tad@spotco.us]: added to older targets to match + Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1 --- prebuilts/api/26.0/private/genfs_contexts | 2 ++
diff --git a/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-1.patch b/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-1.patch
new file mode 100644
index 00000000..291700f1
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-1.patch
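Review bot: The `on property:persist.native_debug=true` block in the nested init.rc hunk writes `0` to `/proc/sys/kernel/yama/ptrace_scope`, which switches Yama's ptrace restriction off completely rather than to the usual kernel default of `1` (ancestor-only), and nothing in the hunk covers the property being unset, so whatever value the kernel booted with stays in force until the property is first written. Whether `0` is really required for the native-debugging use case, or `1` would do, is not recorded anywhere; the two new `on property:` blocks carry no comment. I'd add `# persist.native_debug: true = ptrace unrestricted (0), false = admin-only (2); unset leaves the kernel default` above the first new block. On a kernel built without Yama the target file presumably does not exist, in which case init reports the failed `write` and the property has no effect, which is worth a line in the patch description as well.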
@@ -0,0 +1,175 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Mon, 5 Apr 2021 02:26:20 +0100 +Subject: [PATCH] allow init to control kernel.yama.ptrace_scope + +[tad@spotco.us]: added to older targets to match + +Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650 +--- + prebuilts/api/26.0/private/domain.te | 1 + + prebuilts/api/26.0/private/genfs_contexts | 1 + + prebuilts/api/26.0/public/init.te | 3 +++ + prebuilts/api/27.0/private/domain.te | 1 + + prebuilts/api/27.0/private/genfs_contexts | 1 + + prebuilts/api/27.0/public/init.te | 3 +++ + prebuilts/api/28.0/private/domain.te | 1 + + prebuilts/api/28.0/private/genfs_contexts | 1 + + prebuilts/api/28.0/public/init.te | 3 +++ + private/domain.te | 1 + + private/genfs_contexts | 1 + + public/init.te | 3 +++ + 12 files changed, 20 insertions(+) + +diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te +index d37a0bd26..69f98161c 100644 +--- a/prebuilts/api/26.0/private/domain.te ++++ b/prebuilts/api/26.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + -storaged +diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts +index 753cabf15..67203c998 100644 +--- a/prebuilts/api/26.0/private/genfs_contexts ++++ b/prebuilts/api/26.0/private/genfs_contexts +@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 + genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 + genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te +index 6d43ef463..947eaaeca 100644 +--- a/prebuilts/api/26.0/public/init.te ++++ b/prebuilts/api/26.0/public/init.te +@@ -96,6 +96,9 @@ allow init self:capability { sys_rawio mknod }; + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems. + # Only allow relabelto for types used in context= mount options, + # which should all be assigned the contextmount_type attribute. +diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te +index d37a0bd26..69f98161c 100644 +--- a/prebuilts/api/27.0/private/domain.te ++++ b/prebuilts/api/27.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + -storaged +diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts +index 606d46cbe..ac54e423a 100644 +--- a/prebuilts/api/27.0/private/genfs_contexts ++++ b/prebuilts/api/27.0/private/genfs_contexts +@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 + genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 + genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te +index e6162a939..76de36515 100644 +--- a/prebuilts/api/27.0/public/init.te ++++ b/prebuilts/api/27.0/public/init.te +@@ -101,6 +101,9 @@ allow init self:capability { sys_rawio mknod }; + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems. + # Only allow relabelto for types used in context= mount options, + # which should all be assigned the contextmount_type attribute. +diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te +index fb6ba4f78..e4bf76af7 100644 +--- a/prebuilts/api/28.0/private/domain.te ++++ b/prebuilts/api/28.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + userdebug_or_eng(`-incidentd') +diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts +index 656a9557a..126313ed8 100644 +--- a/prebuilts/api/28.0/private/genfs_contexts ++++ b/prebuilts/api/28.0/private/genfs_contexts +@@ -59,6 +59,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te +index 9eff0b0be..e52fa7eee 100644 +--- a/prebuilts/api/28.0/public/init.te ++++ b/prebuilts/api/28.0/public/init.te +@@ -115,6 +115,9 @@ allow init self:global_capability_class_set { sys_rawio mknod }; + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems. + # Only allow relabelto for types used in context= mount options, + # which should all be assigned the contextmount_type attribute. +diff --git a/private/domain.te b/private/domain.te +index fb6ba4f78..e4bf76af7 100644 +--- a/private/domain.te ++++ b/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + userdebug_or_eng(`-incidentd') +diff --git a/private/genfs_contexts b/private/genfs_contexts +index 28cf83ab2..bd64f01ba 100644 +--- a/private/genfs_contexts ++++ b/private/genfs_contexts +@@ -62,6 +62,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/public/init.te b/public/init.te +index 05a61aec3..0dd4481a5 100644 +--- a/public/init.te ++++ b/public/init.te +@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + diff --git a/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-2.patch b/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-2.patch new file mode 100644 index 00000000..e84f8b74 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_sepolicy/0003-ptrace_scope-2.patch 
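Review bot: The new `allow init self:capability { sys_ptrace };` in the 28.0 prebuilt and in `public/init.te` is written against the `capability` class while the rule directly above it in both files uses `self:global_capability_class_set { sys_rawio mknod }`, so the class is inconsistent with its neighbours; the 26.0 and 27.0 hunks use `self:capability` to match their surroundings, which is fine. The actual policy relaxation is the `-init` added to the `neverallow { domain ... }` block in each `domain.te` hunk (presumably the block that forbids `sys_ptrace`, given the whitelist comment kept as context above it), and that line carries no explanation of why init now needs to be exempt. I'd add `# init must write /proc/sys/kernel/yama/ptrace_scope, which Yama gates on CAP_SYS_PTRACE` above each `-init`. The LineageOS-17.1 and LineageOS-18.1 copies of 0003-ptrace_scope-1.patch changed further down in this commit repeat both points for every prebuilt API level they touch.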
@@ -0,0 +1,63 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Mon, 5 Apr 2021 02:27:06 +0100 +Subject: [PATCH] allow system to use persist.native_debug + +[tad@spotco.us]: added to older targets to match + +Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641 +--- + prebuilts/api/26.0/private/property_contexts | 1 + + prebuilts/api/27.0/private/property_contexts | 1 + + prebuilts/api/28.0/private/property_contexts | 1 + + private/property_contexts | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts +index 4c27b35d6..c48ba4012 100644 +--- a/prebuilts/api/26.0/private/property_contexts ++++ b/prebuilts/api/26.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 + persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts +index 8eb2f28b2..237e6fcc1 100644 +--- a/prebuilts/api/27.0/private/property_contexts ++++ b/prebuilts/api/27.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. 
u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 + persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts +index 32be0b377..afe0f70fe 100644 +--- a/prebuilts/api/28.0/private/property_contexts ++++ b/prebuilts/api/28.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 +diff --git a/private/property_contexts b/private/property_contexts +index 32be0b377..afe0f70fe 100644 +--- a/private/property_contexts ++++ b/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 diff --git a/Patches/LineageOS-17.1/android_system_sepolicy/0002-protected_files.patch b/Patches/LineageOS-17.1/android_system_sepolicy/0002-protected_files.patch index d3444a57..6de948e6 100644 --- a/Patches/LineageOS-17.1/android_system_sepolicy/0002-protected_files.patch +++ b/Patches/LineageOS-17.1/android_system_sepolicy/0002-protected_files.patch @@ -7,6 +7,7 @@ This is needed for init to override the default values. Signed-off-by: anupritaisno1 [tad@spotco.us]: added to older targets to match + Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1 --- prebuilts/api/26.0/private/genfs_contexts | 2 ++ 
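Review bot: `persist.native_debug` is labelled `u:object_r:system_prop:s0` in all four `property_contexts` hunks, so every domain that is granted `set_prop` on `system_prop` can, via the init trigger added in 0004-ptrace_scope.patch, lower `ptrace_scope` to 0; the neighbouring `persist.debug.` prefix uses its own `persist_debug_prop` type precisely to keep such a knob separate. A dedicated type would need a declaration (presumably alongside the other property types in `public/property.te`) plus a single `set_prop` grant, which is more than this patch does, so at minimum the choice of `system_prop` and the intended writer should be stated in the patch description, whose subject says only `allow system to use persist.native_debug`. The 17.1 and 18.1 copies of this patch later in the commit change only their headers and inherit the same labelling.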
diff --git a/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch b/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch index ac1c7bf0..21194052 100644 --- a/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch +++ b/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch @@ -3,19 +3,39 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Mon, 5 Apr 2021 02:26:20 +0100 Subject: [PATCH] allow init to control kernel.yama.ptrace_scope +[tad@spotco.us]: added to older targets to match + Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650 --- + prebuilts/api/26.0/private/domain.te | 1 + prebuilts/api/26.0/private/genfs_contexts | 1 + + prebuilts/api/26.0/public/init.te | 3 +++ + prebuilts/api/27.0/private/domain.te | 1 + prebuilts/api/27.0/private/genfs_contexts | 1 + + prebuilts/api/27.0/public/init.te | 3 +++ + prebuilts/api/28.0/private/domain.te | 1 + prebuilts/api/28.0/private/genfs_contexts | 1 + + prebuilts/api/28.0/public/init.te | 3 +++ prebuilts/api/29.0/private/domain.te | 1 + prebuilts/api/29.0/private/genfs_contexts | 1 + prebuilts/api/29.0/public/init.te | 3 +++ private/domain.te | 1 + private/genfs_contexts | 1 + public/init.te | 3 +++ - 9 files changed, 13 insertions(+) + 15 files changed, 25 insertions(+) +diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te +index d37a0bd26..69f98161c 100644 +--- a/prebuilts/api/26.0/private/domain.te ++++ b/prebuilts/api/26.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + -dumpstate + -storaged diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts index 753cabf15..67203c998 100644 --- a/prebuilts/api/26.0/private/genfs_contexts 
@@ -28,6 +48,32 @@ index 753cabf15..67203c998 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te +index 6d43ef463..04422e1d0 100644 +--- a/prebuilts/api/26.0/public/init.te ++++ b/prebuilts/api/26.0/public/init.te +@@ -93,6 +93,9 @@ allow init self:capability sys_time; + + allow init self:capability { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te +index d37a0bd26..69f98161c 100644 +--- a/prebuilts/api/27.0/private/domain.te ++++ b/prebuilts/api/27.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + -dumpstate + -storaged diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts index 606d46cbe..ac54e423a 100644 --- a/prebuilts/api/27.0/private/genfs_contexts 
@@ -40,6 +86,32 @@ index 606d46cbe..ac54e423a 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te +index e6162a939..78d1ab527 100644 +--- a/prebuilts/api/27.0/public/init.te ++++ b/prebuilts/api/27.0/public/init.te +@@ -98,6 +98,9 @@ allow init self:capability sys_time; + + allow init self:capability { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te +index fb6ba4f78..e4bf76af7 100644 +--- a/prebuilts/api/28.0/private/domain.te ++++ b/prebuilts/api/28.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + -dumpstate + userdebug_or_eng(`-incidentd') diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts index 44ca95fd5..89b55b28d 100644 --- a/prebuilts/api/28.0/private/genfs_contexts 
@@ -52,6 +124,20 @@ index 44ca95fd5..89b55b28d 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te +index dafc06f99..bc38c7760 100644 +--- a/prebuilts/api/28.0/public/init.te ++++ b/prebuilts/api/28.0/public/init.te +@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te index 1d26761d6..62cbb04a1 100644 --- a/prebuilts/api/29.0/private/domain.te diff --git a/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch b/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch index f5ce93f7..9e07df50 100644 --- a/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch +++ b/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch @@ -3,6 +3,9 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Mon, 5 Apr 2021 02:27:06 +0100 Subject: [PATCH] allow system to use persist.native_debug +[tad@spotco.us]: added to older targets to match + +Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641 --- prebuilts/api/26.0/private/property_contexts | 1 + prebuilts/api/27.0/private/property_contexts | 1 + diff --git a/Patches/LineageOS-18.1/android_system_sepolicy/0002-protected_files.patch b/Patches/LineageOS-18.1/android_system_sepolicy/0002-protected_files.patch index 3117a663..07664b3e 100644 --- a/Patches/LineageOS-18.1/android_system_sepolicy/0002-protected_files.patch 
+++ b/Patches/LineageOS-18.1/android_system_sepolicy/0002-protected_files.patch @@ -7,6 +7,7 @@ This is needed for init to override the default values. Signed-off-by: anupritaisno1 [tad@spotco.us]: added to older targets to match + Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1 --- prebuilts/api/26.0/private/genfs_contexts | 2 ++ diff --git a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch index 91a6ef41..2c367ba8 100644 --- a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch +++ b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch @@ -3,20 +3,42 @@ 
From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Mon, 5 Apr 2021 02:26:20 +0100 Subject: [PATCH] allow init to control kernel.yama.ptrace_scope +[tad@spotco.us]: added to older targets to match + Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650 --- + prebuilts/api/26.0/private/domain.te | 1 + prebuilts/api/26.0/private/genfs_contexts | 1 + + prebuilts/api/26.0/public/init.te | 3 +++ + prebuilts/api/27.0/private/domain.te | 1 + prebuilts/api/27.0/private/genfs_contexts | 1 + + prebuilts/api/27.0/public/init.te | 3 +++ + prebuilts/api/28.0/private/domain.te | 1 + prebuilts/api/28.0/private/genfs_contexts | 1 + + prebuilts/api/28.0/public/init.te | 3 +++ + prebuilts/api/29.0/private/domain.te | 1 + prebuilts/api/29.0/private/genfs_contexts | 1 + + prebuilts/api/29.0/public/init.te | 3 +++ prebuilts/api/30.0/private/domain.te | 1 + prebuilts/api/30.0/private/genfs_contexts | 1 + prebuilts/api/30.0/public/init.te | 3 +++ private/domain.te | 1 + private/genfs_contexts | 1 + public/init.te | 3 +++ - 10 files changed, 14 insertions(+) + 18 files changed, 30 insertions(+) +diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te +index d37a0bd26..69f98161c 100644 +--- a/prebuilts/api/26.0/private/domain.te ++++ b/prebuilts/api/26.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + -dumpstate + -storaged diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts index 753cabf15..67203c998 100644 --- a/prebuilts/api/26.0/private/genfs_contexts 
@@ -29,6 +51,32 @@ index 753cabf15..67203c998 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te +index 6d43ef463..04422e1d0 100644 +--- a/prebuilts/api/26.0/public/init.te ++++ b/prebuilts/api/26.0/public/init.te +@@ -93,6 +93,9 @@ allow init self:capability sys_time; + + allow init self:capability { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te +index d37a0bd26..69f98161c 100644 +--- a/prebuilts/api/27.0/private/domain.te ++++ b/prebuilts/api/27.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + -dumpstate + -storaged diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts index 606d46cbe..ac54e423a 100644 --- a/prebuilts/api/27.0/private/genfs_contexts 
@@ -41,6 +89,32 @@ index 606d46cbe..ac54e423a 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te +index e6162a939..78d1ab527 100644 +--- a/prebuilts/api/27.0/public/init.te ++++ b/prebuilts/api/27.0/public/init.te +@@ -98,6 +98,9 @@ allow init self:capability sys_time; + + allow init self:capability { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te +index fb6ba4f78..e4bf76af7 100644 +--- a/prebuilts/api/28.0/private/domain.te ++++ b/prebuilts/api/28.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + -dumpstate + userdebug_or_eng(`-incidentd') diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts index 44ca95fd5..89b55b28d 100644 --- a/prebuilts/api/28.0/private/genfs_contexts 
@@ -53,6 +127,32 @@ index 44ca95fd5..89b55b28d 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te +index dafc06f99..bc38c7760 100644 +--- a/prebuilts/api/28.0/public/init.te ++++ b/prebuilts/api/28.0/public/init.te +@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te +index 209eeb0dd..3a36ec678 100644 +--- a/prebuilts/api/29.0/private/domain.te ++++ b/prebuilts/api/29.0/private/domain.te +@@ -86,6 +86,7 @@ userdebug_or_eng(` + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + userdebug_or_eng(`-llkd') + -dumpstate diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts index 804996685..22a1ebf8d 100644 --- a/prebuilts/api/29.0/private/genfs_contexts 
@@ -65,6 +165,20 @@ index 804996685..22a1ebf8d 100644 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te +index 2d52f5966..aa0036f1b 100644 +--- a/prebuilts/api/29.0/public/init.te ++++ b/prebuilts/api/29.0/public/init.te +@@ -121,6 +121,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + allowxperm init dev_type:blk_file ioctl BLKROSET; diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te index 7116dadfd..55264d01a 100644 --- a/prebuilts/api/30.0/private/domain.te diff --git a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch index 85467c28..6440176b 100644 --- a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch +++ b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch @@ -3,6 +3,9 @@ From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Mon, 5 Apr 2021 02:27:06 +0100 Subject: [PATCH] allow system to use persist.native_debug +[tad@spotco.us]: added to older targets to match + +Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641 --- prebuilts/api/26.0/private/property_contexts | 1 + prebuilts/api/27.0/private/property_contexts | 1 + diff --git a/Patches/LineageOS-19.1/android_system_sepolicy/0002-protected_files.patch b/Patches/LineageOS-19.1/android_system_sepolicy/0002-protected_files.patch index 1ef62e95..98eb8495 100644 
--- a/Patches/LineageOS-19.1/android_system_sepolicy/0002-protected_files.patch +++ b/Patches/LineageOS-19.1/android_system_sepolicy/0002-protected_files.patch @@ -6,11 +6,110 @@ Subject: [PATCH] label protected_{fifos,regular} as proc_security This is needed for init to override the default values. 
Signed-off-by: anupritaisno1 +[tad@spotco.us]: added to older targets to match + +Change-Id: I19be49956510d3e74f96b837ce7e8d33cff650c1 --- + prebuilts/api/26.0/private/genfs_contexts | 2 ++ + prebuilts/api/27.0/private/genfs_contexts | 2 ++ + prebuilts/api/28.0/private/genfs_contexts | 2 ++ + prebuilts/api/29.0/private/genfs_contexts | 2 ++ + prebuilts/api/30.0/private/genfs_contexts | 2 ++ + prebuilts/api/31.0/private/genfs_contexts | 2 ++ prebuilts/api/32.0/private/genfs_contexts | 2 ++ private/genfs_contexts | 2 ++ - 2 files changed, 4 insertions(+) + 8 files changed, 16 insertions(+) +diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts +index a2d9b892f..65e05f77a 100644 +--- a/prebuilts/api/26.0/private/genfs_contexts ++++ b/prebuilts/api/26.0/private/genfs_contexts +@@ -14,8 +14,10 @@ genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 + genfscon proc /softirqs u:object_r:proc_timer:s0 + genfscon proc /stat u:object_r:proc_stat:s0 + genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 ++genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 ++genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 + genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 + genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 +diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts +index e77a39b92..bcd1b1b1e 100644 +--- a/prebuilts/api/27.0/private/genfs_contexts ++++ b/prebuilts/api/27.0/private/genfs_contexts +@@ -14,8 +14,10 @@ genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 + genfscon proc /softirqs u:object_r:proc_timer:s0 + genfscon proc /stat u:object_r:proc_stat:s0 + genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 
++genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 ++genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 + genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 + genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 +diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts +index 7e2ea5092..6696dfe0e 100644 +--- a/prebuilts/api/28.0/private/genfs_contexts ++++ b/prebuilts/api/28.0/private/genfs_contexts +@@ -27,8 +27,10 @@ genfscon proc /swaps u:object_r:proc_swaps:s0 + genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 + genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 + genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 ++genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 ++genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 + genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 + genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0 +diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts +index 380d4a050..7601aa01c 100644 +--- a/prebuilts/api/29.0/private/genfs_contexts ++++ b/prebuilts/api/29.0/private/genfs_contexts +@@ -34,8 +34,10 @@ genfscon proc /swaps u:object_r:proc_swaps:s0 + genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 + genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 + genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 ++genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 + 
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 ++genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 + genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 + genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0 + genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 +diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts +index 89232bc01..6a206bb64 100644 +--- a/prebuilts/api/30.0/private/genfs_contexts ++++ b/prebuilts/api/30.0/private/genfs_contexts +@@ -36,8 +36,10 @@ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 + genfscon proc /kpageflags u:object_r:proc_kpageflags:s0 + genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 + genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 ++genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 ++genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 + genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 + genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0 + genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 +diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts +index 13bfb46e1..72c9a94aa 100644 +--- a/prebuilts/api/31.0/private/genfs_contexts ++++ b/prebuilts/api/31.0/private/genfs_contexts +@@ -39,8 +39,10 @@ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 + genfscon proc /kpageflags u:object_r:proc_kpageflags:s0 + genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 + genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 ++genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 + genfscon proc 
/sys/fs/protected_hardlinks u:object_r:proc_security:s0 + genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 ++genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 + genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 + genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0 + genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 diff --git a/prebuilts/api/32.0/private/genfs_contexts b/prebuilts/api/32.0/private/genfs_contexts index 13bfb46e1..30f3496e6 100644 --- a/prebuilts/api/32.0/private/genfs_contexts diff --git a/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-1.patch b/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-1.patch index e2f5968c..75363dca 100644 --- a/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-1.patch +++ b/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-1.patch @@ -3,15 +3,264 @@ 
From: flawedworld Date: Mon, 11 Oct 2021 02:33:31 +0100 Subject: [PATCH] allow init to control kernel.yama.ptrace_scope +[tad@spotco.us]: added to older targets to match + +Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650 --- + prebuilts/api/26.0/private/domain.te | 1 + + prebuilts/api/26.0/private/genfs_contexts | 1 + + prebuilts/api/26.0/public/init.te | 3 +++ + prebuilts/api/27.0/private/domain.te | 1 + + prebuilts/api/27.0/private/genfs_contexts | 1 + + prebuilts/api/27.0/public/init.te | 3 +++ + prebuilts/api/28.0/private/domain.te | 1 + + prebuilts/api/28.0/private/genfs_contexts | 1 + + prebuilts/api/28.0/public/init.te | 3 +++ + prebuilts/api/29.0/private/domain.te | 1 + + prebuilts/api/29.0/private/genfs_contexts | 1 + + prebuilts/api/29.0/public/init.te | 3 +++ + prebuilts/api/30.0/private/domain.te | 1 + + prebuilts/api/30.0/private/genfs_contexts | 1 + + prebuilts/api/30.0/public/init.te | 3 +++ + prebuilts/api/31.0/private/domain.te | 1 + + prebuilts/api/31.0/private/genfs_contexts | 1 + + prebuilts/api/31.0/public/init.te | 3 +++ prebuilts/api/32.0/private/domain.te | 1 + prebuilts/api/32.0/private/genfs_contexts | 1 + prebuilts/api/32.0/public/init.te | 3 +++ private/domain.te | 1 + private/genfs_contexts | 1 + public/init.te | 3 +++ - 6 files changed, 10 insertions(+) + 24 files changed, 40 insertions(+) +diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te +index 999c16a3d..b3213d879 100644 +--- a/prebuilts/api/26.0/private/domain.te ++++ b/prebuilts/api/26.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these allowlisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + -storaged +diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts +index 65e05f77a..4ced22584 100644 +--- a/prebuilts/api/26.0/private/genfs_contexts ++++ b/prebuilts/api/26.0/private/genfs_contexts +@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 + genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 + genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te +index 6d43ef463..04422e1d0 100644 +--- a/prebuilts/api/26.0/public/init.te ++++ b/prebuilts/api/26.0/public/init.te +@@ -93,6 +93,9 @@ allow init self:capability sys_time; + + allow init self:capability { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te +index 999c16a3d..b3213d879 100644 +--- a/prebuilts/api/27.0/private/domain.te ++++ b/prebuilts/api/27.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these allowlisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + -storaged +diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts +index bcd1b1b1e..f813ac1d5 100644 +--- a/prebuilts/api/27.0/private/genfs_contexts ++++ b/prebuilts/api/27.0/private/genfs_contexts +@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 + genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 + genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te +index e6162a939..78d1ab527 100644 +--- a/prebuilts/api/27.0/public/init.te ++++ b/prebuilts/api/27.0/public/init.te +@@ -98,6 +98,9 @@ allow init self:capability sys_time; + + allow init self:capability { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te +index 5053c287b..4d5cd4796 100644 +--- a/prebuilts/api/28.0/private/domain.te ++++ b/prebuilts/api/28.0/private/domain.te +@@ -7,6 +7,7 @@ allow domain crash_dump:process sigchld; + # with other UIDs to these allowlisted domains. 
+ neverallow { + domain ++ -init + -vold + -dumpstate + userdebug_or_eng(`-incidentd') +diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts +index 6696dfe0e..ab0ef45bd 100644 +--- a/prebuilts/api/28.0/private/genfs_contexts ++++ b/prebuilts/api/28.0/private/genfs_contexts +@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te +index dafc06f99..bc38c7760 100644 +--- a/prebuilts/api/28.0/public/init.te ++++ b/prebuilts/api/28.0/public/init.te +@@ -112,6 +112,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + +diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te +index 447176ed0..74541b1be 100644 +--- a/prebuilts/api/29.0/private/domain.te ++++ b/prebuilts/api/29.0/private/domain.te +@@ -86,6 +86,7 @@ userdebug_or_eng(` + # with other UIDs to these allowlisted domains. 
+ neverallow { + domain ++ -init + -vold + userdebug_or_eng(`-llkd') + -dumpstate +diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts +index 7601aa01c..7498beba5 100644 +--- a/prebuilts/api/29.0/private/genfs_contexts ++++ b/prebuilts/api/29.0/private/genfs_contexts +@@ -68,6 +68,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te +index 2d52f5966..aa0036f1b 100644 +--- a/prebuilts/api/29.0/public/init.te ++++ b/prebuilts/api/29.0/public/init.te +@@ -121,6 +121,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + allowxperm init dev_type:blk_file ioctl BLKROSET; +diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te +index 430cb3f09..0b2c6ef25 100644 +--- a/prebuilts/api/30.0/private/domain.te ++++ b/prebuilts/api/30.0/private/domain.te +@@ -125,6 +125,7 @@ allow domain boringssl_self_test_marker:dir search; + # with other UIDs to these allowlisted domains. 
+ neverallow { + domain ++ -init + -vold + userdebug_or_eng(`-llkd') + -dumpstate +diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts +index 6a206bb64..03264f854 100644 +--- a/prebuilts/api/30.0/private/genfs_contexts ++++ b/prebuilts/api/30.0/private/genfs_contexts +@@ -70,6 +70,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te +index 403b4c5e6..e7630cd98 100644 +--- a/prebuilts/api/30.0/public/init.te ++++ b/prebuilts/api/30.0/public/init.te +@@ -144,6 +144,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + allowxperm init dev_type:blk_file ioctl BLKROSET; +diff --git a/prebuilts/api/31.0/private/domain.te b/prebuilts/api/31.0/private/domain.te +index b91d36d85..d4ca398de 100644 +--- a/prebuilts/api/31.0/private/domain.te ++++ b/prebuilts/api/31.0/private/domain.te +@@ -116,6 +116,7 @@ allow domain boringssl_self_test_marker:dir search; + # with other UIDs to these allowlisted domains. 
+ neverallow { + domain ++ -init + -vold + userdebug_or_eng(`-llkd') + -dumpstate +diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts +index 72c9a94aa..0b84824de 100644 +--- a/prebuilts/api/31.0/private/genfs_contexts ++++ b/prebuilts/api/31.0/private/genfs_contexts +@@ -76,6 +76,7 @@ genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched: + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/31.0/public/init.te b/prebuilts/api/31.0/public/init.te +index ea5a9793d..49b23ee61 100644 +--- a/prebuilts/api/31.0/public/init.te ++++ b/prebuilts/api/31.0/public/init.te +@@ -153,6 +153,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + allowxperm init dev_type:blk_file ioctl BLKROSET; diff --git a/prebuilts/api/32.0/private/domain.te b/prebuilts/api/32.0/private/domain.te index b91d36d85..d4ca398de 100644 --- a/prebuilts/api/32.0/private/domain.te diff --git a/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-2.patch b/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-2.patch index 86f6f6ca..faa2891c 100644 --- a/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-2.patch +++ b/Patches/LineageOS-19.1/android_system_sepolicy/0003-ptrace_scope-2.patch 
@@ -3,11 +3,92 @@ 
From: flawedworld Date: Mon, 11 Oct 2021 02:35:13 +0100 Subject: [PATCH] allow system to use persist.native_debug +[tad@spotco.us]: added to older targets to match + +Change-Id: I252d92ae9f29143cce3cce1c0a2feb513f70b641 --- + prebuilts/api/26.0/private/property_contexts | 1 + + prebuilts/api/27.0/private/property_contexts | 1 + + prebuilts/api/28.0/private/property_contexts | 1 + + prebuilts/api/29.0/private/property_contexts | 1 + + prebuilts/api/30.0/private/property_contexts | 1 + + prebuilts/api/31.0/private/property_contexts | 1 + prebuilts/api/32.0/private/property_contexts | 1 + private/property_contexts | 1 + - 2 files changed, 2 insertions(+) + 8 files changed, 8 insertions(+) +diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts +index 4c27b35d6..c48ba4012 100644 +--- a/prebuilts/api/26.0/private/property_contexts ++++ b/prebuilts/api/26.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 + persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts +index 8eb2f28b2..237e6fcc1 100644 +--- a/prebuilts/api/27.0/private/property_contexts ++++ b/prebuilts/api/27.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. 
u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 + persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts +index 32be0b377..afe0f70fe 100644 +--- a/prebuilts/api/28.0/private/property_contexts ++++ b/prebuilts/api/28.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 +diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts +index cb81ba693..f1fbfebd0 100644 +--- a/prebuilts/api/29.0/private/property_contexts ++++ b/prebuilts/api/29.0/private/property_contexts +@@ -49,6 +49,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 +diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts +index 7908bb107..5f2dae1e5 100644 +--- a/prebuilts/api/30.0/private/property_contexts ++++ b/prebuilts/api/30.0/private/property_contexts +@@ -57,6 +57,7 @@ persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.nfc_cfg. u:object_r:nfc_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. 
u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 +diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts +index a51fa3a07..a294de0a3 100644 +--- a/prebuilts/api/31.0/private/property_contexts ++++ b/prebuilts/api/31.0/private/property_contexts +@@ -54,6 +54,7 @@ persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.nfc_cfg. u:object_r:nfc_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + logd. u:object_r:logd_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 diff --git a/prebuilts/api/32.0/private/property_contexts b/prebuilts/api/32.0/private/property_contexts index f235b35b7..895b8f1df 100644 --- a/prebuilts/api/32.0/private/property_contexts diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index d1fa3dba..d9697e19 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -317,6 +317,7 @@ git revert --no-edit b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update re applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS) if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS) if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS) +#applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS) fi; if enterAndClear "system/extras"; then 
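Review bot: Every added `property_contexts` line labels `persist.native_debug` as `system_prop`, and the companion `0004-ptrace_scope.patch` referenced in the scripts below ties that property to the `ptrace_scope` sysctl, so the effective gate on relaxing Yama is whichever domains hold `set_prop` on `system_prop` at each API level; that set is not visible here and is, as far as I recall, broader on the 26.0–28.0 prebuilts than on later ones. It would be worth confirming it per level before the patch is enabled, and naming the intended writer in the patch header, e.g. `[tad@spotco.us]: added to older targets to match; persist.native_debug is expected to be set only by system_server`. Note also that an entry without the `exact` keyword is a prefix match, so this line also covers any property starting with `persist.native_debug`; harmless, but the newer prebuilts support marking it exact.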
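Review bot: The new `applyPatch` line for `0004-ptrace_scope.patch` here, and the two `0003-ptrace_scope-*.patch` lines in the next hunk, are added commented out with no reason given, so the next reader cannot tell whether they are broken, untested, or deliberately withheld on 16.0. The 17.1 script in this same commit already uses a `#FIXME: …` trailer on its disabled NetworkStack block, so the same one-line reason here would suffice, e.g. `#applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS) #FIXME: <reason it is disabled on 16.0>`.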
@@ -325,6 +326,8 @@ fi; if enterAndClear "system/sepolicy"; then applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS) +#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS) +#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS) git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices (DivestOS) patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/28.0"; patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/27.0"; diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 19902895..a147255c 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh 
@@ -162,13 +162,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0017-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
-fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0018-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; fi; #Add option of always randomizing MAC addresses (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service
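Review bot: Dropping the `DOS_TIMEOUTS`, `DOS_GRAPHENE_RANDOM_MAC` and `DOS_GRAPHENE_PTRACE_SCOPE` guards here (and in the hunks at lines 38–40) makes those patches unconditional on 17.1, but if the matching variable definitions are being retired at the same time, any guard still referencing one of them in another script would evaluate `[ "" = true ]` and silently skip its patch rather than fail. A grep for the three names across `Scripts/` before merging would close that gap. The 16.0 script in this commit takes a different route and comments its ptrace_scope lines out, so the branches now disagree on whether the feature is opt-in; that deserves a line in the commit description.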
@@ -197,7 +195,7 @@ fi; if enterAndClear "frameworks/opt/net/wifi"; then if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) -if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; fi; #Add support for always generating new random MAC (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS) fi; if enterAndClear "hardware/qcom/display"; then 
@@ -289,17 +287,13 @@ git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM u
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
-fi;
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-Random_MAC-1.patch"; #Add option to always randomize MAC (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-Random_MAC-2.patch"; #Remove partial MAC randomization translations (GrapheneOS)
-fi;
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
 fi;
@@ -324,11 +318,9 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;
 
-#if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 #if enterAndClear "packages/modules/NetworkStack"; then
 #applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS) #FIXME: DhcpClient.java:960: error: cannot find symbol
 #fi;
-#fi;
 
 if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@@ -354,7 +346,7 @@ git revert --no-edit bd4142eab8b3cead0c25a2e660b4b048d1315d3c; #Always update re
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 fi;
 
 if enterAndClear "system/extras"; then
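Review bot: Making 0004-ptrace_scope unconditional leaves `persist.native_debug` as the sole control over Yama `ptrace_scope` (per the sepolicy line comments "Allow init to control kernel.yama.ptrace_scope" / "Allow system to use persist.native_debug"), yet nothing in this hunk pins the property's default, so until something first writes it the kernel's own Yama default presumably remains in force, and on a kernel built without `CONFIG_SECURITY_YAMA` the write has nothing to act on at all. Since the toggle no longer has a build flag to turn it off, this is now a hard requirement on every 17.1 kernel rather than an opt-in, and the script line should say so. Record where the default comes from and the kernel requirement on the line, e.g. `applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS); requires CONFIG_SECURITY_YAMA, default for persist.native_debug: TODO confirm`. The enclosing `if enterAndClear "system/core"` block starts before this hunk.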
@@ -367,10 +359,8 @@ fi;
 
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
-fi;
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices (DivestOS)
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/28.0";
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index 64114cc2..d1c24b37 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -139,11 +139,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
-fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0017-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
@@ -160,7 +158,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-11.pat
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-12.patch";
 sed -i 's/sys.spawn.exec/persist.security.exec_spawn_new/' core/java/com/android/internal/os/ZygoteConnection.java;
 fi;
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; fi; #Add option of always randomizing MAC addresses (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
 hardenLocationConf services/core/java/com/android/server/location/gps_debug.conf; #Harden the default GPS config
@@ -193,11 +191,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_opt_net_ims/0001-Fix_Calling.patch";
 fi;
 fi;
 
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "frameworks/opt/net/wifi"; then
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
-fi;
 
 if enterAndClear "hardware/qcom/display"; then
 applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8084.patch" --directory="msm8084"; #(Qualcomm)
@@ -302,17 +298,13 @@ if enterAndClear "packages/apps/Settings"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
-fi;
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC-1.patch"; #Add option to always randomize MAC (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC-2.patch"; #Remove partial MAC randomization translations (GrapheneOS)
-fi;
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@@ -343,11 +335,9 @@ if enterAndClear "packages/modules/DnsResolver"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
 fi;
 
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/NetworkStack"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS)
 fi;
-fi;
 
 if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@@ -367,7 +357,7 @@ if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit e8dcabaf6b55ec55eb73c4585501ddbafc04fc9b 79f606ece6b74652d374eb4f79de309a0aa81360; #insanity
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0004-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
 fi;
@@ -382,10 +372,8 @@ fi;
 
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
-fi;
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices (DivestOS)
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/30.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index bbd9b298..41d6dfd3 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@@ -97,8 +97,7 @@ patchWorkspace() {
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
- source build/envsetup.sh;
- repopick -i 330781; #PermissionManager: add null check for mLocationProviderPkgName, mLocationExtraPkgNames
+ #source build/envsetup.sh;
 
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index 7ad13018..ce5d9101 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
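Review bot: The Functions.sh hunk drops `repopick -i 330781` (the PermissionManager null check for mLocationProviderPkgName/mLocationExtraPkgNames) and replaces it with only a commented-out `#source build/envsetup.sh;`, and neither the hunk nor the commit message ("Various changes") says whether that change has since landed upstream; if it has not, the null-check fix is silently gone from 19.1 builds. Either state the reason on the surviving line, e.g. `#source build/envsetup.sh; #repopick 330781 no longer needed, merged upstream in <ref>`, or keep the repopick until that is confirmed. Leaving a bare commented-out `source` with no note is also a style point: a reader cannot tell whether it is dead or temporarily disabled. patchWorkspace continues outside the hunk on both sides.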
@@ -126,7 +126,7 @@ fi;
 if enterAndClear "frameworks/base"; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
-applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) #XXX 19REBASE: maybe not needed
+applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
@@ -137,11 +137,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch"; #Make DownloadManager.enqueue() a no-op when INTERNET permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Make DownloadManager.query() a no-op when INTERNET permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
-fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0017-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
@@ -194,11 +192,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_opt_net_ims/0001-Fix_Calling.patch";
 fi;
 fi;
 
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "frameworks/opt/net/wifi"; then
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
-fi;
 
 if enterAndClear "hardware/qcom-caf/msm8998/audio"; then
 applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-8998.patch"; #audio_extn: Fix unused parameter warning in utils.c (codeworkx)
@@ -255,14 +251,12 @@ fi;
 if enterAndClear "packages/apps/Settings"; then
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) #XXX 19REBASE: broken?
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #XXX 19REBASE
-if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
-fi;
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; #Add native debugging setting (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch"; fi; #Add option to always randomize MAC (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-Random_MAC.patch"; #Add option to always randomize MAC (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@@ -301,11 +295,9 @@ applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0001-Hosts_Wildcar
 applyPatch "$DOS_PATCHES/android_packages_modules_DnsResolver/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
 fi;
 
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/NetworkStack"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS)
 fi;
-fi;
 
 if enterAndClear "packages/modules/Permission"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0002-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS)
@@ -320,11 +312,9 @@ applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0005-Browser_No_Loc
 applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
 fi;
 
-if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/Wifi"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
-fi;
 
 if enterAndClear "packages/providers/DownloadProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@@ -338,7 +328,7 @@ if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit 07adb89d0f8c966c88869d1abffc57da0e707568; #insanity
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; #Add a property for controlling ptrace_scope (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 fi;
 
@@ -351,11 +341,9 @@ applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Ex
 fi;
 
 if enterAndClear "system/sepolicy"; then
-applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS) #XXX 19REBASE: add to other versions too
-if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
+applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
-fi;
 awk -i inplace '!/domain=gmscore_app/' private/seapp_contexts prebuilts/api/*/private/seapp_contexts; #Disable unused gmscore_app domain (GrapheneOS)
 fi;
 
@@ -384,7 +372,7 @@ if enter "vendor/divested"; then
 awk -i inplace '!/_lookup/' overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove all lookup provider overrides
 if [ "$DOS_MICROG_INCLUDED" != "NONE" ]; then echo "PRODUCT_PACKAGES += DejaVuNlpBackend IchnaeaNlpBackend NominatimNlpBackend" >> packages.mk; fi; #Include UnifiedNlp backends
 if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then echo "PRODUCT_PACKAGES += UnifiedNLP" >> packages.mk; fi; #Include UnifiedNlp
-#echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch #XXX 19REBASE: is this necessary?
+echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch
 echo "PRODUCT_PACKAGES += eSpeakNG" >> packages.mk; #PicoTTS needs work to compile on 18.1, use eSpeak-NG instead
 sed -i 's/OpenCamera/SecureCamera/' packages.mk #Use the GrapheneOS camera app
 awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
diff --git a/Scripts/init.sh b/Scripts/init.sh
index 5cdbd375..a3a81400 100644
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
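Review bot: Re-enabling the `vendor.lineage.trust@1.0-service` line keeps the claim "all of our kernels have the necessary patch" while deleting the `#XXX 19REBASE: is this necessary?` question without recording what was checked for the 19.1 kernels. That claim is the security-relevant part: a device whose kernel lacks the deny-USB patch would presumably ship the Settings toggle with nothing behind it, advertising a restriction that is not enforced. Either note the verification on the line, e.g. `#Add deny usb service; requires the deny-usb kernel patch, confirmed present in all 19.1 kernels as of <date>`, or keep the question open until each 19.1 kernel has been checked. The `if enter "vendor/divested"` block begins before this hunk.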
@@ -62,9 +62,6 @@ export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+
 export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1+19.1
 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1+19.1
 export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1
-export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the GrapheneOS ptrace_scope toggle patchset on 17.1+18.1+19.1
-export DOS_GRAPHENE_RANDOM_MAC=true; #Enables the GrapheneOS always randomize Wi-Fi MAC patchset on 17.1+18.1+19.1
-export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1+19.1
 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
 export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"
 export DOS_MICROG_INCLUDED="NONE"; #Determines inclusion of microG. Options: NONE, NLP, FULL (removed)
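Review bot: Deleting the `DOS_GRAPHENE_PTRACE_SCOPE`, `DOS_GRAPHENE_RANDOM_MAC` and `DOS_TIMEOUTS` exports fails open rather than loud: any guard of the form `if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch ...; fi;` that survives in a script this commit does not touch now compares an empty string to `true` and silently skips the hardening patch, and nothing visible suggests these scripts run under `set -u`, which would have caught it. Before merging, grep the tree for the three names and remove every remaining consumer, or keep the exports until that is done. It would also help a reader of init.sh to know the features did not go away, e.g. a comment on the surviving `DOS_GRAPHENE_EXEC` line: `#ptrace_scope toggle, always-random MAC and reboot/Wi-Fi/Bluetooth timeouts are now applied unconditionally on 17.1+18.1+19.1`.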