From 24c291c630019d8ce872595d7da11e3803d22d55 Mon Sep 17 00:00:00 2001
From: Tad
Date: Fri, 8 Feb 2019 18:46:42 -0500
Subject: [PATCH] Improve hardenLocation to include fwb and its overlays
---
 Scripts/Common/Functions.sh | 45 +++++++++++++++++++++++++--------
 Scripts/LineageOS-11.0/Patch.sh | 6 +++--
 Scripts/LineageOS-14.1/Patch.sh | 6 +++--
 Scripts/LineageOS-15.1/Patch.sh | 6 +++--
 4 files changed, 46 insertions(+), 17 deletions(-)
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index 2a42778a..91a3ce97 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -155,7 +155,7 @@ compressRamdisks() {
 }
 export -f compressRamdisks;
-hardenLocation() {
+hardenLocationConf() {
 gpsConfig=$1;
 #Attempt to get the real device directory
 if [[ "$gpsConfig" = *"device/"* ]]; then
@@ -172,30 +172,28 @@ hardenLocation() {
 if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
 sed -i 's/#A_GLONASS_POS_PROTOCOL_SELECT =/A_GLONASS_POS_PROTOCOL_SELECT =/' "$gpsConfig" &>/dev/null || true;
 sed -i 's/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/' "$gpsConfig" &>/dev/null || true;
- sed -i 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*|A_GLONASS_POS_PROTOCOL_SELECT=15|' "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
 fi;
 #Change capabilities
 sed -i 's|CAPABILITIES=.*|CAPABILITIES=0x13|' "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy) and geofencing/ULP (both broken by deblobber)
 sed -i 's/#SUPL_MODE=/SUPL_MODE=/' "$gpsConfig" &>/dev/null || true;
 sed -i 's/SUPL_MODE=$/SUPL_MODE=1/' "$gpsConfig" &>/dev/null || true; #Set to MSB if blank (to prevent MSA+MSB default)
- sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy)
+ sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy)
 #CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
 sed -i 's/#SUPL_ES=/SUPL_ES=/' "$gpsConfig" &>/dev/null || true;
- sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml "$gpsConfig" &> /dev/null || true;
+ sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$gpsConfig" &> /dev/null || true;
 #Change servers
 sed -i "s|SUPL_HOST=.*|SUPL_HOST=$DOS_GPS_SUPL_HOST|" "$gpsConfig" &> /dev/null || true;
 sed -i "s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|" "$gpsConfig" &> /dev/null || true;
- sed -i "s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|" "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
 #CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
 #XTRA: Only use specified URLs
 sed -i 's|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|'
"$gpsConfig" &>/dev/null || true; sed -i 's|#XTRA_SERVER|XTRA_SERVER|' "$gpsConfig" &>/dev/null || true; #Switch gpsOneXtra to IZatCloud (invalid certificate) - sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml "$gpsConfig" &>/dev/null || true; - sed -i 's|gpsonextra.net|izatcloud.net|' "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml "$gpsConfig" &>/dev/null || true; + sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$gpsConfig" &>/dev/null || true; + sed -i 's|gpsonextra.net|izatcloud.net|' "$gpsConfig" &>/dev/null || true; #Enable HTTPS (IZatCloud supports HTTPS) - sed -i 's|http://xtrapath|https://xtrapath|' "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml "$gpsConfig" &>/dev/null || true; - #sed -i 's|http://gllto|https://gllto|' "$deviceDir"overlay/frameworks/base/core/res/res/values*/*.xml "$gpsConfig" &>/dev/null || true; XXX: GLPals has an invaid certificate + sed -i 's|http://xtrapath|https://xtrapath|' "$gpsConfig" &>/dev/null || true; + #sed -i 's|http://gllto|https://gllto|' "$gpsConfig" &>/dev/null || true; XXX: GLPals has an invaid certificate #XTRA: Use format version 3 if possible if grep -sq "XTRA_VERSION_CHECK" "$gpsConfig"; then #Using hardware/qcom/gps OR precompiled blob OR device specific implementation sed -i 's|XTRA_VERSION_CHECK=0|XTRA_VERSION_CHECK=1|' "$gpsConfig" &>/dev/null || true; 
@@ -207,9 +205,34 @@ hardenLocation() {
 fi;
 fi;
 fi;
- echo "Enhanced location services for $deviceDir";
+ echo "Enhanced location services for $gpsConfig";
 }
-export -f hardenLocation;
+export -f hardenLocationConf;
+
+hardenLocationDir() {
+ dir=$1;
+ #Debugging (adb logcat | grep -i -e locsvc -e izat -e gps -e gnss -e location)
+ #sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true;
+ #Enable GLONASS
+ if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
+ sed -i 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*|A_GLONASS_POS_PROTOCOL_SELECT=15|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
+ fi;
+ #Change capabilities
+ sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true; #Disable MSA (privacy)
+ #CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
+ sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
+ #Change servers
+ sed -i "s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
+ #CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
+ #Switch gpsOneXtra to IZatCloud (invalid certificate)
+ sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
+ sed -i 's|gpsonextra.net|izatcloud.net|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
+ #Enable HTTPS (IZatCloud supports HTTPS)
+ sed -i 's|http://xtrapath|https://xtrapath|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
+ #sed -i 's|http://gllto|https://gllto|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true; XXX: GLPals has an invaid certificate
+ echo "Enhanced location services for $dir";
+}
+export -f hardenLocationDir;
 enableZram() {
 cd "$DOS_BUILD_BASE$1";
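Review bot: The header comment `#Change capabilities` above the new `sed -i "s|SUPL_MODE=3|SUPL_MODE=1|"` line in hardenLocationDir was carried over from hardenLocationConf, but the CAPABILITIES sed it described was not, so it now labels a SUPL-mode change; rename it to `#Change SUPL mode` or drop it, since the trailing `#Disable MSA (privacy)` already explains that line. The commented-out debugging sed still targets `"$gpsConfig"`, which this function never sets, so it should point at `"$dir"/frameworks/base/core/res/res/values*/*.xml` like its neighbours or be removed. Every edit runs as `&>/dev/null || true` against a glob, so when `"$dir"/frameworks/base/core/res/res/values*/*.xml` matches nothing the function changes nothing yet still prints `Enhanced location services for $dir`; a guard such as `compgen -G "$dir/frameworks/base/core/res/res/values*/*.xml" >/dev/null || { echo "No overlay XML under $dir"; return 0; };` at the top would make that visible in the build log. A one-line header like `#Applies the gps.conf hardening to the XML overlays under $1/frameworks/base/core/res/res/values*/` would also help, and `dir=$1` could be `local dir=$1`, though the latter matches the existing `gpsConfig=$1` style.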
diff --git a/Scripts/LineageOS-11.0/Patch.sh b/Scripts/LineageOS-11.0/Patch.sh
index ebae69dc..4619d8a3 100644
--- a/Scripts/LineageOS-11.0/Patch.sh
+++ b/Scripts/LineageOS-11.0/Patch.sh
@@ -77,6 +77,7 @@ enterAndClear "external/sqlite";
 patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0)
 enterAndClear "frameworks/base";
+hardenLocationDir "$DOS_BUILD_BASE";
 sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.xml; #Change default SMS app to Silence
 sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
@@ -144,8 +145,9 @@ patch -p1 < "$DOS_PATCHES/android_kernel_zte_msm8930/0001-MDP-Fix.patch";
 #Make changes to all devices
 cd "$DOS_BUILD_BASE";
-find "hardware/qcom/gps" -name "gps\.conf" -type f -exec bash -c 'hardenLocation "$0"' {} \;;
-find "device" -name "gps\.conf" -type f -exec bash -c 'hardenLocation "$0"' {} \;;
+find "hardware/qcom/gps" -name "gps\.conf" -type f -exec bash -c 'hardenLocationConf "$0"' {} \;;
+find "device" -name "gps\.conf" -type f -exec bash -c 'hardenLocationConf "$0"' {} \;;
+find "device" -type d -name "overlay" -mindepth 2 -exec bash -c 'hardenLocationDir "$0"' {} \;;
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenUserdata "$0"' {} \;;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \;;
 cd "$DOS_BUILD_BASE";
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 008b238c..e8ca37e8 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
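Review bot: The new `find "device" -type d -name "overlay" -mindepth 2` line places the global option `-mindepth` after the `-type`/`-name` tests; GNU find still applies it to the whole expression but prints a warning about non-positional global options, and the neighbouring lines in this hunk already use the `find "device" -maxdepth 2 -mindepth 2 -type d` order, so write it as `find "device" -mindepth 2 -type d -name "overlay" -exec bash -c 'hardenLocationDir "$0"' {} \;;`. The same line is added in the @@ -228 hunk of Scripts/LineageOS-14.1/Patch.sh and the @@ -201 hunk of Scripts/LineageOS-15.1/Patch.sh. Without a `-maxdepth` this also visits every `overlay` directory at any depth under device/, not only the per-device ones, so vendor-common overlays are rewritten as well; if that is intended, a trailing `#Also covers vendor-common overlays` on the line would save the next reader a check.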
@@ -77,6 +77,7 @@ enterAndClear "external/sqlite";
 patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0)
 enterAndClear "frameworks/base";
+hardenLocationDir "$DOS_BUILD_BASE";
 git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #re-enable doze on devices without gms
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480
@@ -228,8 +229,9 @@ echo "" > atv/atv-common.mk;
 #Make changes to all devices
 cd "$DOS_BUILD_BASE";
 if [ "$DOS_LOWRAM_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableLowRam "$0"' {} \;; fi;
-find "hardware/qcom/gps" -name "gps\.conf" -type f -exec bash -c 'hardenLocation "$0"' {} \;;
-find "device" -name "gps\.conf" -type f -exec bash -c 'hardenLocation "$0"' {} \;;
+find "hardware/qcom/gps" -name "gps\.conf" -type f -exec bash -c 'hardenLocationConf "$0"' {} \;;
+find "device" -name "gps\.conf" -type f -exec bash -c 'hardenLocationConf "$0"' {} \;;
+find "device" -type d -name "overlay" -mindepth 2 -exec bash -c 'hardenLocationDir "$0"' {} \;;
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableDexPreOpt "$0"' {} \;;
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenUserdata "$0"' {} \;;
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \;; fi;
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index 1b013978..8c1e3ba6 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -79,6 +79,7 @@ enterAndClear "external/svox";
 git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 enterAndClear "frameworks/base";
+hardenLocationDir "$DOS_BUILD_BASE";
 #git revert https://review.lineageos.org/#/c/202875/ #re-enable doze on devices without gms
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
@@ -201,8 +202,9 @@ echo "" > atv/atv-common.mk;
 #Make changes to all devices
 cd "$DOS_BUILD_BASE";
 if [ "$DOS_LOWRAM_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableLowRam "$0"' {} \;; fi;
-find "hardware/qcom/gps" -name "gps\.conf" -type f -exec bash -c 'hardenLocation "$0"' {} \;;
-find "device" -name "gps\.conf" -type f -exec bash -c 'hardenLocation "$0"' {} \;;
+find "hardware/qcom/gps" -name "gps\.conf" -type f -exec bash -c 'hardenLocationConf "$0"' {} \;;
+find "device" -name "gps\.conf" -type f -exec bash -c 'hardenLocationConf "$0"' {} \;;
+find "device" -type d -name "overlay" -mindepth 2 -exec bash -c 'hardenLocationDir "$0"' {} \;;
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableDexPreOpt "$0"' {} \;;
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenUserdata "$0"' {} \;;
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \;; fi;