diff --git a/Manifests/Manifest_LAOS-14.1.xml b/Manifests/Manifest_LAOS-14.1.xml index 80c98e8f..2ebfee13 100644 --- a/Manifests/Manifest_LAOS-14.1.xml +++ b/Manifests/Manifest_LAOS-14.1.xml @@ -67,6 +67,9 @@ + + + diff --git a/Manifests/Manifest_LAOS-15.1.xml b/Manifests/Manifest_LAOS-15.1.xml index 0d73b10c..eb6a5458 100644 --- a/Manifests/Manifest_LAOS-15.1.xml +++ b/Manifests/Manifest_LAOS-15.1.xml @@ -68,6 +68,9 @@ + + + diff --git a/Manifests/Manifest_LAOS-16.0.xml b/Manifests/Manifest_LAOS-16.0.xml index 9078008f..d1b2e572 100644 --- a/Manifests/Manifest_LAOS-16.0.xml +++ b/Manifests/Manifest_LAOS-16.0.xml @@ -66,6 +66,9 @@ + + + diff --git a/Patches/Common/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch b/Patches/Common/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch new file mode 100644 index 00000000..271bf26d --- /dev/null +++ b/Patches/Common/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch 
@@ -0,0 +1,33 @@
+From 14800a3e7070240a314cbd695f71984a888cc90f Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Wed, 5 Dec 2018 09:29:25 -0500
+Subject: [PATCH] avoid setting RLIMIT_AS with hardened malloc
+
+This needs to be ported to a better mechanism like memory control groups
+in order to remain compatible with hardening mechanisms based on large
+PROT_NONE address space reservations.
+
+Change-Id: Ibfb7164d764fcb9244055953bedc9a1c424cedcb
+---
+ media/libmedia/MediaUtils.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/media/libmedia/MediaUtils.cpp b/media/libmedia/MediaUtils.cpp
+index bcdc3bdcf..de217c70b 100644
+--- a/media/libmedia/MediaUtils.cpp
++++ b/media/libmedia/MediaUtils.cpp
+@@ -38,6 +38,14 @@ void limitProcessMemory(
+ return;
+ }
+
++#ifdef __LP64__
++ // This needs to be ported to a better mechanism like memory control groups
++ // in order to remain compatible with hardening mechanisms based on large
++ // PROT_NONE address space reservations.
++ ALOGW("Running with hardened malloc implementation, skip enforcing memory limitations.");
++ return;
++#endif
++
+ long pageSize = sysconf(_SC_PAGESIZE);
+ long numPages = sysconf(_SC_PHYS_PAGES);
+ size_t maxMem = SIZE_MAX;
diff --git a/Patches/Common/android_system_core/0001-HM-Increase_vm_mmc.patch b/Patches/Common/android_system_core/0001-HM-Increase_vm_mmc.patch
new file mode 100644
index 00000000..ecc10d86
--- /dev/null
+++ b/Patches/Common/android_system_core/0001-HM-Increase_vm_mmc.patch
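Review bot: In `limitProcessMemory()` of the embedded MediaUtils.cpp patch (Patches/Common/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch), the added `#ifdef __LP64__` block returns before any limit is set, so on 64-bit builds every caller of this function runs with no address-space cap and nothing takes its place. The patch description already says this should move to memory control groups; until then the lost cap is a trade-off worth stating in the code, e.g. `// NOTE: no memory limit is enforced on LP64 until this is ported to cgroups`. The guard is `__LP64__` while the log text names hardened malloc, so the message is only accurate when this patch is applied together with the bionic one. The same block is added by Patches/LineageOS-14.1/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch, and the function body continues outside the hunk.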
@@ -0,0 +1,22 @@
+From 17d64eda868006dc8c5596d27299143af8e45485 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Thu, 13 Dec 2018 09:26:25 -0500
+Subject: [PATCH] increase max_map_count for hardened malloc
+
+---
+ rootdir/init.rc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index b9464e7fd8..2149abe2bd 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -597,6 +597,8 @@ on boot
+ chown root system /sys/module/lowmemorykiller/parameters/minfree
+ chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
+
++ write /proc/sys/vm/max_map_count 524240
++
+ # Tweak background writeout
+ write /proc/sys/vm/dirty_expire_centisecs 200
+ write /proc/sys/vm/dirty_background_ratio 5
diff --git a/Patches/LineageOS-14.1/android_bionic/0001-HM-Use_HM.patch b/Patches/LineageOS-14.1/android_bionic/0001-HM-Use_HM.patch
new file mode 100644
index 00000000..42da086e
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_bionic/0001-HM-Use_HM.patch
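Review bot: The `write /proc/sys/vm/max_map_count 524240` line added under `on boot` in rootdir/init.rc has no comment, so a later rebase of init.rc could drop it as an unexplained tweak. A line above it such as `# hardened malloc needs far more mappings per process than the kernel default allows` would tie it to the allocator change it supports. The setting applies to every process, including 32-bit ones that stay on jemalloc under the bionic patch in this commit.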
@@ -0,0 +1,129 @@ +From f6ce62a62d47d3f8469ef6aa4749e07e644de5d0 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Wed, 5 Dec 2018 01:51:56 -0500 +Subject: [PATCH] add hardened_malloc library + +--- + libc/Android.bp | 48 ++++++++++++++++++++++++++++------- + libc/bionic/malloc_common.cpp | 5 ++++ + 2 files changed, 44 insertions(+), 9 deletions(-) + +diff --git a/libc/Android.bp b/libc/Android.bp +index c92acf70b..877ff7f4f 100644 +--- a/libc/Android.bp ++++ b/libc/Android.bp +@@ -83,6 +83,8 @@ cc_defaults { + "-Werror=int-to-pointer-cast", + "-Werror=type-limits", + "-Werror", ++ ++ "-DH_MALLOC_PREFIX", + ], + // TODO: split out the asflags. + asflags: [ +@@ -96,10 +98,21 @@ cc_defaults { + "-Werror=int-to-pointer-cast", + "-Werror=type-limits", + "-Werror", ++ ++ "-DH_MALLOC_PREFIX", + ], + conlyflags: ["-std=gnu99"], + cppflags: [], +- include_dirs: ["external/jemalloc/include"], ++ include_dirs: [], ++ ++ multilib: { ++ lib32: { ++ include_dirs: ["external/jemalloc/include"], ++ }, ++ lib64: { ++ include_dirs: ["external/hardened_malloc/"], ++ }, ++ }, + + arch: { + // Clang/llvm has incompatible long double (fp128) for x86_64. 
+@@ -1601,11 +1614,6 @@ cc_library_static { + name: "libc_ndk", + defaults: ["libc_defaults"], + srcs: libc_common_src_files + ["bionic/malloc_common.cpp"], +- multilib: { +- lib32: { +- srcs: libc_common_src_files_32, +- }, +- }, + arch: { + arm: { + srcs: [ +@@ -1635,8 +1643,17 @@ cc_library_static { + "libc_syscalls", + "libc_tzcode", + "libm", +- "libjemalloc", + ], ++ ++ multilib: { ++ lib32: { ++ srcs: libc_common_src_files_32, ++ whole_static_libs: ["libjemalloc"], ++ }, ++ lib64: { ++ whole_static_libs: ["libhardened_malloc"], ++ }, ++ }, + } + + // ======================================================== +@@ -1714,7 +1731,11 @@ cc_library_static { + // ======================================================== + cc_library_static { + defaults: ["libc_defaults"], +- srcs: ["bionic/jemalloc_wrapper.cpp"], ++ multilib: { ++ lib32: { ++ srcs: ["bionic/jemalloc_wrapper.cpp"], ++ }, ++ }, + cflags: ["-fvisibility=hidden"], + + name: "libc_malloc", +@@ -1765,7 +1786,16 @@ cc_library { + // you wanted! + + shared_libs: ["libdl"], +- whole_static_libs: ["libc_common", "libjemalloc"], ++ whole_static_libs: ["libc_common"], ++ ++ multilib: { ++ lib32: { ++ whole_static_libs: ["libjemalloc"], ++ }, ++ lib64: { ++ whole_static_libs: ["libhardened_malloc"], ++ }, ++ }, + + // We'd really like to do this for all architectures, but since this wasn't done + // before, these symbols must continue to be exported on LP32 for binary +diff --git a/libc/bionic/malloc_common.cpp b/libc/bionic/malloc_common.cpp +index e05061917..af544f3e1 100644 +--- a/libc/bionic/malloc_common.cpp ++++ b/libc/bionic/malloc_common.cpp +@@ -46,8 +46,13 @@ + #include + #include + ++#ifdef __LP64__ ++#include "h_malloc.h" ++#define Malloc(function) h_ ## function ++#else + #include "jemalloc.h" + #define Malloc(function) je_ ## function ++#endif + + static constexpr MallocDispatch __libc_malloc_default_dispatch + __attribute__((unused)) = { +-- +2.20.1 + 
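Review bot: The allocator switch in libc/bionic/malloc_common.cpp is keyed only on `__LP64__`, with no comment saying why 32-bit stays on jemalloc, and the `multilib` blocks in libc/Android.bp have to be kept in step with it by hand. A comment above the `#ifdef`, e.g. `// hardened_malloc relies on a 64-bit address space; LP32 keeps jemalloc`, would record that, along with the consequence that 32-bit processes on a 64-bit device get none of the hardening. If the `lib64` entries and the macro ever disagree, the result is presumably a link failure rather than a silent fallback, but that cannot be confirmed from these hunks. The same changes appear in the LineageOS-15.1 and LineageOS-16.0 copies of 0001-HM-Use_HM.patch.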
diff --git a/Patches/LineageOS-14.1/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch b/Patches/LineageOS-14.1/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch
new file mode 100644
index 00000000..b8e271d3
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch
@@ -0,0 +1,36 @@
+From 0896379253e9f87f6bdf19147068b800d0a7ef76 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Wed, 5 Dec 2018 09:29:25 -0500
+Subject: [PATCH] avoid setting RLIMIT_AS with hardened malloc
+
+This needs to be ported to a better mechanism like memory control groups
+in order to remain compatible with hardening mechanisms based on large
+PROT_NONE address space reservations.
+
+Change-Id: Ibfb7164d764fcb9244055953bedc9a1c424cedcb
+---
+ media/libmedia/MediaUtils.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/media/libmedia/MediaUtils.cpp b/media/libmedia/MediaUtils.cpp
+index a02ca65a7..bb93e3d27 100644
+--- a/media/libmedia/MediaUtils.cpp
++++ b/media/libmedia/MediaUtils.cpp
+@@ -31,6 +31,14 @@ void limitProcessMemory(
+ size_t numberOfBytes,
+ size_t percentageOfTotalMem) {
+
++#ifdef __LP64__
++ // This needs to be ported to a better mechanism like memory control groups
++ // in order to remain compatible with hardening mechanisms based on large
++ // PROT_NONE address space reservations.
++ ALOGW("Running with hardened malloc implementation, skip enforcing memory limitations.");
++ return;
++#endif
++
+ long pageSize = sysconf(_SC_PAGESIZE);
+ long numPages = sysconf(_SC_PHYS_PAGES);
+ size_t maxMem = SIZE_MAX;
+--
+2.20.1
+
diff --git a/Patches/LineageOS-15.1/android_bionic/0001-HM-Use_HM.patch b/Patches/LineageOS-15.1/android_bionic/0001-HM-Use_HM.patch
new file mode 100644
index 00000000..9fd999cf
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_bionic/0001-HM-Use_HM.patch
@@ -0,0 +1,126 @@ +From 2fbd005f1c87938133f94b574b96caa5dbd8f3fd Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Wed, 5 Dec 2018 01:51:56 -0500 +Subject: [PATCH] add hardened_malloc library + +--- + libc/Android.bp | 45 ++++++++++++++++++++++++++++------- + libc/bionic/malloc_common.cpp | 5 ++++ + 2 files changed, 41 insertions(+), 9 deletions(-) + +diff --git a/libc/Android.bp b/libc/Android.bp +index c339b0451..6b3066e07 100644 +--- a/libc/Android.bp ++++ b/libc/Android.bp +@@ -48,6 +48,8 @@ libc_common_flags = [ + "-Werror=int-to-pointer-cast", + "-Werror=type-limits", + "-Werror", ++ ++ "-DH_MALLOC_PREFIX", + ] + + // Define some common cflags +@@ -61,9 +63,17 @@ cc_defaults { + cppflags: [], + include_dirs: [ + "bionic/libc/async_safe/include", +- "external/jemalloc/include", + ], + ++ multilib: { ++ lib32: { ++ include_dirs: ["external/jemalloc/include"], ++ }, ++ lib64: { ++ include_dirs: ["external/hardened_malloc/"], ++ }, ++ }, ++ + stl: "none", + system_shared_libs: [], + sanitize: { +@@ -1641,11 +1651,6 @@ cc_library_static { + name: "libc_ndk", + defaults: ["libc_defaults"], + srcs: libc_common_src_files + ["bionic/malloc_common.cpp"], +- multilib: { +- lib32: { +- srcs: libc_common_src_files_32, +- }, +- }, + arch: { + arm: { + srcs: [ +@@ -1676,9 +1681,18 @@ cc_library_static { + "libc_syscalls", + "libc_tzcode", + "libm", +- "libjemalloc", + "libstdc++", + ], ++ ++ multilib: { ++ lib32: { ++ srcs: libc_common_src_files_32, ++ whole_static_libs: ["libjemalloc"], ++ }, ++ lib64: { ++ whole_static_libs: ["libhardened_malloc"], ++ }, ++ }, + } + + // ======================================================== +@@ -1755,7 +1769,11 @@ cc_library_static { + // ======================================================== + cc_library_static { + defaults: ["libc_defaults"], +- srcs: ["bionic/jemalloc_wrapper.cpp"], ++ multilib: { ++ lib32: { ++ srcs: ["bionic/jemalloc_wrapper.cpp"], ++ }, ++ }, + cflags: ["-fvisibility=hidden"], + + name: "libc_malloc", +@@ 
-1814,7 +1832,16 @@ cc_library { + // you wanted! + + shared_libs: ["libdl"], +- whole_static_libs: ["libc_common", "libjemalloc"], ++ whole_static_libs: ["libc_common"], ++ ++ multilib: { ++ lib32: { ++ whole_static_libs: ["libjemalloc"], ++ }, ++ lib64: { ++ whole_static_libs: ["libhardened_malloc"], ++ }, ++ }, + + nocrt: true, + +diff --git a/libc/bionic/malloc_common.cpp b/libc/bionic/malloc_common.cpp +index 1f201d1ca..06f85b40d 100644 +--- a/libc/bionic/malloc_common.cpp ++++ b/libc/bionic/malloc_common.cpp +@@ -46,8 +46,13 @@ + #include + #include + ++#ifdef __LP64__ ++#include "h_malloc.h" ++#define Malloc(function) h_ ## function ++#else + #include "jemalloc.h" + #define Malloc(function) je_ ## function ++#endif + + static constexpr MallocDispatch __libc_malloc_default_dispatch + __attribute__((unused)) = { +-- +2.20.1 + diff --git a/Patches/LineageOS-16.0/android_bionic/0001-HM-Use_HM.patch b/Patches/LineageOS-16.0/android_bionic/0001-HM-Use_HM.patch new file mode 100644 index 00000000..6d0103c4 --- /dev/null +++ b/Patches/LineageOS-16.0/android_bionic/0001-HM-Use_HM.patch 
@@ -0,0 +1,124 @@ +From a0f883810d372c01632846d9bb3bd90807498fba Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Wed, 5 Dec 2018 01:51:56 -0500 +Subject: [PATCH] add hardened_malloc library + +--- + libc/Android.bp | 44 ++++++++++++++++++++++++++++------- + libc/bionic/malloc_common.cpp | 5 ++++ + 2 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/libc/Android.bp b/libc/Android.bp +index 6ba7cce9b..26ffc73b6 100644 +--- a/libc/Android.bp ++++ b/libc/Android.bp +@@ -51,6 +51,8 @@ libc_common_flags = [ + // Clang's exit-time destructor registration hides __dso_handle, but + // __dso_handle needs to have default visibility on ARM32. See b/73485611. + "-Wexit-time-destructors", ++ ++ "-DH_MALLOC_PREFIX", + ] + + // Define some common cflags +@@ -64,9 +66,17 @@ cc_defaults { + cppflags: [], + include_dirs: [ + "bionic/libc/async_safe/include", +- "external/jemalloc/include", + ], + ++ multilib: { ++ lib32: { ++ include_dirs: ["external/jemalloc/include"], ++ }, ++ lib64: { ++ include_dirs: ["external/hardened_malloc/"], ++ }, ++ }, ++ + stl: "none", + system_shared_libs: [], + sanitize: { +@@ -1577,11 +1587,6 @@ cc_library_static { + name: "libc_ndk", + defaults: ["libc_defaults"], + srcs: libc_common_src_files + ["bionic/malloc_common.cpp"], +- multilib: { +- lib32: { +- srcs: libc_common_src_files_32, +- }, +- }, + arch: { + arm: { + srcs: [ +@@ -1613,9 +1618,18 @@ cc_library_static { + "libc_syscalls", + "libc_tzcode", + "libm", +- "libjemalloc", + "libstdc++", + ], ++ ++ multilib: { ++ lib32: { ++ srcs: libc_common_src_files_32, ++ whole_static_libs: ["libjemalloc"], ++ }, ++ lib64: { ++ whole_static_libs: ["libhardened_malloc"], ++ }, ++ }, + } + + // ======================================================== +@@ -1705,7 +1719,11 @@ cc_library_static { + // ======================================================== + cc_library_static { + defaults: ["libc_defaults"], +- srcs: ["bionic/jemalloc_wrapper.cpp"], ++ multilib: { ++ lib32: { ++ srcs: 
["bionic/jemalloc_wrapper.cpp"], ++ }, ++ }, + cflags: ["-fvisibility=hidden"], + + name: "libc_malloc", +@@ -1768,9 +1786,17 @@ cc_library { + ], + whole_static_libs: [ + "libc_common", +- "libjemalloc", + ], + ++ multilib: { ++ lib32: { ++ whole_static_libs: ["libjemalloc"], ++ }, ++ lib64: { ++ whole_static_libs: ["libhardened_malloc"], ++ }, ++ }, ++ + nocrt: true, + + arch: { +diff --git a/libc/bionic/malloc_common.cpp b/libc/bionic/malloc_common.cpp +index 1ea4ac1a3..c86fbdaea 100644 +--- a/libc/bionic/malloc_common.cpp ++++ b/libc/bionic/malloc_common.cpp +@@ -46,8 +46,13 @@ + #include + #include + ++#ifdef __LP64__ ++#include "h_malloc.h" ++#define Malloc(function) h_ ## function ++#else + #include "jemalloc.h" + #define Malloc(function) je_ ## function ++#endif + + static constexpr MallocDispatch __libc_malloc_default_dispatch + __attribute__((unused)) = { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch b/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch new file mode 100644 index 00000000..1d5ec9fb --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch 
@@ -0,0 +1,30 @@
+From 138790c0a2eba54f7ebb4c3b8fd5efac32559fea Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Wed, 6 Sep 2017 21:40:48 -0400
+Subject: [PATCH] always set deprecated Build.SERIAL to UNKNOWN
+
+Only support fetching the serial number via the new Build.getSerial()
+requiring the READ_PHONE_STATE permission.
+---
+ .../com/android/server/am/ActivityManagerService.java | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index a1d42c09133..b5b3c68d563 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -7762,13 +7762,7 @@ private final boolean attachApplicationLocked(IApplicationThread thread,
+ }
+ }
+
+- // We deprecated Build.SERIAL and it is not accessible to
+- // apps that target the v2 security sandbox and to apps that
+- // target APIs higher than O MR1. Since access to the serial
+- // is now behind a permission we push down the value.
+- final String buildSerial = (appInfo.targetSandboxVersion < 2
+- && appInfo.targetSdkVersion < Build.VERSION_CODES.P)
+- ? sTheRealBuildSerial : Build.UNKNOWN;
++ final String buildSerial = Build.UNKNOWN;
+
+ // Check if this is a secondary process that should be incorporated into some
+ // currently active instrumentation. (Note we do this AFTER all of the profiling
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0008-Browser_No_Location.patch b/Patches/LineageOS-16.0/android_frameworks_base/0008-Browser_No_Location.patch
new file mode 100644
index 00000000..bc11cc1c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0008-Browser_No_Location.patch
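Review bot: The new `final String buildSerial = Build.UNKNOWN;` in `attachApplicationLocked()` (0007-Always_Restict_Serial.patch) drops the four-line comment that explained the value and puts nothing in its place. A short replacement such as `// Build.SERIAL is always UNKNOWN; apps must call Build.getSerial(), which requires READ_PHONE_STATE` would keep the intent next to the code. `sTheRealBuildSerial` is no longer read in this hunk; whether anything else in the file still uses it is not visible here, so it may now be a dead field. The method body starts and ends outside the hunk.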
@@ -0,0 +1,31 @@
+From 1ddf24a6dafc98fba1dade12b3701a83a74e33bc Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Sun, 17 Mar 2019 19:54:30 -0400
+Subject: [PATCH] stop auto-granting location to system browsers
+
+---
+ .../server/pm/permission/DefaultPermissionGrantPolicy.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+index 1ae59cbea45..0b8231b1669 100644
+--- a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
++++ b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+@@ -643,7 +643,7 @@ private void grantDefaultSystemHandlerPermissions(int userId) {
+ }
+ if (browserPackage != null
+ && doesPackageSupportRuntimePermissions(browserPackage)) {
+- grantRuntimePermissions(browserPackage, LOCATION_PERMISSIONS, userId);
++ //grantRuntimePermissions(browserPackage, LOCATION_PERMISSIONS, userId);
+ }
+
+ // Voice interaction
+@@ -1053,7 +1053,7 @@ public void grantDefaultPermissionsToDefaultBrowser(String packageName, int user
+ PackageParser.Package browserPackage = getSystemPackage(packageName);
+ if (browserPackage != null
+ && doesPackageSupportRuntimePermissions(browserPackage)) {
+- grantRuntimePermissions(browserPackage, LOCATION_PERMISSIONS, false, false, userId);
++ //grantRuntimePermissions(browserPackage, LOCATION_PERMISSIONS, false, false, userId);
+ }
+ }
+
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Contacts/0001-No_Google_Links.patch b/Patches/LineageOS-16.0/android_packages_apps_Contacts/0001-No_Google_Links.patch
new file mode 100644
index 00000000..89effd48
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_apps_Contacts/0001-No_Google_Links.patch
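Review bot: Both hunks of 0008-Browser_No_Location.patch disable the grant by commenting the call out, which leaves an `if` whose body is empty and a condition that now guards nothing. Deleting the whole `if` block, or keeping it with a line such as `// location is deliberately not auto-granted to browsers`, is clearer than leaving dead code for the next rebase. The change presumably affects only what is granted by default from now on: a browser that already holds the location grant on an existing install would keep it unless it is revoked separately, which is worth confirming. Both methods extend outside the hunks.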
@@ -0,0 +1,77 @@ +From f20cd64f7015fde23744ff24a378505485a666b9 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Thu, 27 Jul 2017 17:26:39 -0400 +Subject: [PATCH] remove useless no-op privacy policy / terms of use + +--- + res/xml/preference_about.xml | 12 -------- + .../preference/AboutPreferenceFragment.java | 28 ------------------- + 2 files changed, 40 deletions(-) + +diff --git a/res/xml/preference_about.xml b/res/xml/preference_about.xml +index a109db68e..6b31d238f 100644 +--- a/res/xml/preference_about.xml ++++ b/res/xml/preference_about.xml +@@ -25,16 +25,4 @@ + android:key="@string/pref_open_source_licenses_key" + android:title="@string/about_open_source_licenses" + android:summary="@string/about_open_source_licenses_summary"/> +- +- +- +- +- +- + +diff --git a/src/com/android/contacts/preference/AboutPreferenceFragment.java b/src/com/android/contacts/preference/AboutPreferenceFragment.java +index 378948033..721ab0460 100644 +--- a/src/com/android/contacts/preference/AboutPreferenceFragment.java ++++ b/src/com/android/contacts/preference/AboutPreferenceFragment.java +@@ -34,10 +34,6 @@ + * This fragment shows the preferences for "about". 
+ */ + public class AboutPreferenceFragment extends PreferenceFragment { +- +- public static final String PRIVACY_POLICY_URL = "http://www.google.com/policies/privacy"; +- public static final String TERMS_OF_SERVICE_URL = "http://www.google.com/policies/terms"; +- + public static AboutPreferenceFragment newInstance() { + return new AboutPreferenceFragment(); + } +@@ -63,30 +59,6 @@ public void onCreate(Bundle savedInstanceState) { + final Preference licensePreference = findPreference( + getString(R.string.pref_open_source_licenses_key)); + licensePreference.setIntent(new Intent(getActivity(), LicenseActivity.class)); +- +- final Preference privacyPolicyPreference = findPreference("pref_privacy_policy"); +- final Preference termsOfServicePreference = findPreference("pref_terms_of_service"); +- +- final Preference.OnPreferenceClickListener listener = +- new Preference.OnPreferenceClickListener() { +- @Override +- public boolean onPreferenceClick(Preference preference) { +- try { +- if (preference == privacyPolicyPreference) { +- startActivityForUrl(PRIVACY_POLICY_URL); +- } else if (preference == termsOfServicePreference) { +- startActivityForUrl(TERMS_OF_SERVICE_URL); +- } +- } catch (ActivityNotFoundException ex) { +- Toast.makeText(getContext(), getString(R.string.url_open_error_toast), +- Toast.LENGTH_SHORT).show(); +- } +- return true; +- } +- }; +- +- privacyPolicyPreference.setOnPreferenceClickListener(listener); +- termsOfServicePreference.setOnPreferenceClickListener(listener); + } + + @Override diff --git a/Patches/LineageOS-16.0/android_system_extras/0001-ext4_pad_filenames.patch b/Patches/LineageOS-16.0/android_system_extras/0001-ext4_pad_filenames.patch new file mode 100644 index 00000000..480416a4 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_extras/0001-ext4_pad_filenames.patch 
@@ -0,0 +1,66 @@
+From d0715a364f5a6f366cbd3582b01d21a22a0a0ca2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Thu, 15 Dec 2016 17:22:41 -0500
+Subject: [PATCH] ext4_crypt: pad filenames to 32 bytes, not 16 or 4
+
+This is done in a way that's backwards compatible with old installations
+by leaving them with the previous padding settings until factory reset.
+---
+ ext4_utils/ext4_crypt.cpp | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/ext4_utils/ext4_crypt.cpp b/ext4_utils/ext4_crypt.cpp
+index 36fe11f7..c5d5fde2 100644
+--- a/ext4_utils/ext4_crypt.cpp
++++ b/ext4_utils/ext4_crypt.cpp
+@@ -133,7 +133,7 @@ static bool is_dir_empty(const char *dirname, bool *is_empty)
+ return true;
+ }
+
+-static uint8_t e4crypt_get_policy_flags(int filenames_encryption_mode) {
++static uint8_t e4crypt_get_policy_flags_old(int filenames_encryption_mode) {
+ if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_CTS) {
+ // Use legacy padding with our original filenames encryption mode.
+ return EXT4_POLICY_FLAGS_PAD_4;
+@@ -145,6 +145,15 @@ static uint8_t e4crypt_get_policy_flags(int filenames_encryption_mode) {
+ return EXT4_POLICY_FLAGS_PAD_16;
+ }
+
++static uint8_t e4crypt_get_policy_flags(int filenames_encryption_mode) {
++ return EXT4_POLICY_FLAGS_PAD_32;
++}
++
++static bool e4crypt_policy_check(const char *directory, const char *policy,
++ size_t policy_length,
++ int contents_encryption_mode,
++ int filenames_encryption_mode);
++
+ static bool e4crypt_policy_set(const char *directory, const char *policy,
+ size_t policy_length,
+ int contents_encryption_mode,
+@@ -163,6 +172,14 @@ static bool e4crypt_policy_set(const char *directory, const char *policy,
+ }
+
+ ext4_encryption_policy eep;
++ memset(&eep, 0, sizeof(ext4_encryption_policy));
++
++ if (ioctl(fd, EXT4_IOC_GET_ENCRYPTION_POLICY, &eep) == 0) {
++ close(fd);
++ return e4crypt_policy_check(directory, policy, policy_length,
++ contents_encryption_mode, filenames_encryption_mode);
++ }
++
+ eep.version = 0;
+ eep.contents_encryption_mode = contents_encryption_mode;
+ eep.filenames_encryption_mode = filenames_encryption_mode;
+@@ -210,7 +227,9 @@ static bool e4crypt_policy_get(const char *directory, char *policy,
+ || (eep.contents_encryption_mode != contents_encryption_mode)
+ || (eep.filenames_encryption_mode != filenames_encryption_mode)
+ || (eep.flags !=
+- e4crypt_get_policy_flags(filenames_encryption_mode))) {
++ e4crypt_get_policy_flags(filenames_encryption_mode) &&
++ eep.flags !=
++ e4crypt_get_policy_flags_old(filenames_encryption_mode))) {
+ LOG(ERROR) << "Failed to find matching encryption policy for " << directory;
+ return false;
+ }
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 0cd42c9e..1bcac879 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
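Review bot: In `e4crypt_policy_get()` the widened flags test accepts a directory that still uses the legacy padding without logging anything, so a device that keeps PAD_4 or PAD_16 until its next factory reset is indistinguishable from one using PAD_32. A warning on the legacy match, e.g. `LOG(WARNING) << "Legacy filename padding in use for " << directory;`, would make the weaker filename padding visible in the boot log. The new `e4crypt_get_policy_flags()` also ignores its `filenames_encryption_mode` parameter, which may trip an unused-parameter warning depending on the build flags. Both functions extend outside the hunks shown.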
@@ -62,6 +62,9 @@ gpgVerifyDirectory "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/packa cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files +enterAndClear "bionic"; +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; + enterAndClear "bootable/recovery"; patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button? @@ -76,6 +79,9 @@ patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; # enterAndClear "external/sqlite"; patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0) +enterAndClear "frameworks/av"; +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; + enterAndClear "frameworks/base"; hardenLocationFWB "$DOS_BUILD_BASE"; git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #re-enable doze on devices without gms @@ -155,6 +161,7 @@ enterAndClear "system/core"; if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f; #Always update recovery XXX: This doesn't seem to work patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; enterAndClear "system/sepolicy"; patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices 
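Review bot: The three hardened-malloc patches (bionic, frameworks/av, system/core) are applied by separate `patch -p1` lines whose exit status is not checked in these hunks, although they only work as a set. If the bionic patch applies and the `max_map_count` or `RLIMIT_AS` patch is rejected, the image would presumably still build and then fail at runtime in 64-bit processes. Consider stopping the script when any of the three does not apply, for instance by appending `|| exit 1` or `|| return 1` as fits how Patch.sh is run, unless that is already handled outside the lines shown. The same three lines are added to Scripts/LineageOS-15.1/Patch.sh and Scripts/LineageOS-16.0/Patch.sh.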
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 1ad64f2f..1fa1f704 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -62,6 +62,9 @@ gpgVerifyDirectory "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/packa cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files +enterAndClear "bionic"; +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; + enterAndClear "build/make"; patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; @@ -78,6 +81,9 @@ patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; # enterAndClear "external/svox"; git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles +enterAndClear "frameworks/av"; +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; + enterAndClear "frameworks/base"; hardenLocationFWB "$DOS_BUILD_BASE"; sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox 
@@ -151,6 +157,7 @@ enterAndClear "system/core"; if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4; #Always update recovery patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; enterAndClear "system/sepolicy"; patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index 852d91f9..bb9ed801 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -62,6 +62,9 @@ gpgVerifyDirectory "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/packa cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/divested/"; #Add our vendor files +enterAndClear "bionic"; +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; + enterAndClear "build/make"; git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) 
@@ -78,6 +81,9 @@ sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie sed -i 's/about to delete/unable to delete/' pico/src/com/svox/pico/LangPackUninstaller.java; awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.java; +enterAndClear "frameworks/av"; +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; + enterAndClear "frameworks/base"; hardenLocationFWB "$DOS_BUILD_BASE"; sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox @@ -88,6 +94,8 @@ if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_f changeDefaultDNS; #patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries +patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL +patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then 
@@ -114,6 +122,9 @@ enterAndClear "lineage-sdk"; awk -i inplace '!/LineageWeatherManagerService/' lineage/res/res/values/config.xml; #Disable Weather if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAudioService/' lineage/res/res/values/config.xml; fi; +enterAndClear "packages/apps/Contacts"; +patch -p1 < "$DOS_PATCHES/android_packages_apps_Contacts/0001-No_Google_Links.patch"; #Remove Privacy Policy and Terms of Service links + enterAndClear "packages/apps/LineageParts"; rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml; #Nuke part of the analytics patch -p1 < "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytics.patch"; #Remove analytics @@ -149,10 +160,14 @@ enterAndClear "packages/services/Telephony"; patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; +enterAndClear "system/extras" +patch -p1 < "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more + enterAndClear "system/core"; if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file #git revert b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery XXX: Wait until recovery-p topic is merged patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) +if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; enterAndClear "system/sepolicy"; git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow diff --git a/Scripts/init.sh b/Scripts/init.sh index 7ef08e8c..aca165f7 100644 --- a/Scripts/init.sh +++ b/Scripts/init.sh 
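Review bot: The ext4 padding patch under `system/extras` is applied with no `DOS_*` switch, unlike the hardened-malloc patches, and it changes the encryption policy written on new installs. Data created with the 32-byte padding policy would presumably be rejected by a build that lacks this patch, so moving to another ROM later may need a factory reset; the trailing comment could say so, e.g. `#FBE: pad filenames more (new installs only; check compatibility before switching builds)`. Separately, `enterAndClear "system/extras"` is the only `enterAndClear` line in these hunks without the trailing `;`, which is harmless to the shell but breaks the file's convention.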
@@ -34,6 +34,7 @@ export DOS_DEBLOBBER_REMOVE_IPA=false; #Set true to remove all IPA blobs export DOS_DEBLOBBER_REMOVE_IR=false; #Set true to remove all IR blobs export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Services with the open source Sony TimeKeep reimplementation #TODO: Needs work +export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms export DOS_GPS_GLONASS_FORCED=true; #Enables GLONASS on all devices export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: Blokada, DNS66
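Review bot: `DOS_GRAPHENE_MALLOC=true` is introduced as the default, and its comment mentions only the allocator, while the same switch also removes the media `RLIMIT_AS` cap on 64-bit builds and raises `vm.max_map_count`. Spelling that out, e.g. `#Enables GrapheneOS' hardened memory allocator on 64-bit platforms; also skips the media RLIMIT_AS limit and raises vm.max_map_count`, lets a builder judge the trade-off before leaving it on.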