mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
Many changes
- Add a variable to control inclusion of patches under a restrictive license - Fix F-Droid building - Add a buildDeviceDebug function that disables signing - Misc tweaks/cleanup - 15.1: Revert trust_interface cherry picks until official
parent
f041047983
commit
28600556b4
9
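--- a/Misc/audit2allow-mako.txt
+++ b/Misc/audit2allow-mako.txt
@@ -0,0 +1,9 @@
+#============= install_recovery ==============
+allow install_recovery unlabeled:dir { add_name remove_name write };
+allow install_recovery unlabeled:file { create open setattr unlink write };
+
+#============= kickstart ==============
+allow kickstart usbfs:dir search;
+
+#============= vold ==============
+allow vold persist_file:dir { ioctl open read };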
@ -0,0 +1,27 @@
|
||||
From 3c31c1f1188e1c550f02d838daa8e7c2e55e6f56 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Mon, 23 Apr 2018 02:39:35 -0400
|
||||
Subject: [PATCH] deny all new usb devices until after boot
|
||||
|
||||
Change-Id: I7a3dad49610eb4010dc13a3acaffb6fd91cdc89c
|
||||
---
|
||||
rootdir/init.rc | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||||
index c1bd58eba..38f3bab9f 100644
|
||||
--- a/rootdir/init.rc
|
||||
+++ b/rootdir/init.rc
|
||||
@@ -18,6 +18,9 @@ on early-init
|
||||
# Disable sysrq from keyboard
|
||||
write /proc/sys/kernel/sysrq 0
|
||||
|
||||
+ # Deny all new USB devices until after boot
|
||||
+ write /proc/sys/kernel/deny_new_usb 1
|
||||
+
|
||||
# Set the security context of /adb_keys if present.
|
||||
restorecon /adb_keys
|
||||
|
||||
--
|
||||
2.17.0
|
||||
|
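Review bot: The added `write /proc/sys/kernel/deny_new_usb 1` under `on early-init` only sets the flag; no line in this patch writes `0` back, although the subject says new devices are denied "until after boot". If the reset happens in another trigger or patch, the comment should name it, e.g. `# Deny all new USB devices until after boot (cleared by <trigger-placeholder>)`; if it does not exist yet, new USB devices stay blocked for the whole uptime. The sysctl presumably exists only on kernels that carry the matching deny_new_usb change, which is worth stating next to the write. Separately, this patch targets `rootdir/init.rc`, while a "Deny USB on boot" patch is applied from inside `system/sepolicy` near the end of this page; if that is this file, `patch -p1` would not find its target there.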
@ -38,13 +38,15 @@ export ANDROID_HOME="/home/$USER/Android/Sdk";
|
||||
export KBUILD_BUILD_USER=emy
|
||||
export KBUILD_BUILD_HOST=dosbm
|
||||
|
||||
export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation"
|
||||
export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}"
|
||||
export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation";
|
||||
export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}";
|
||||
|
||||
export GRADLE_OPTS=-Xmx2048m
|
||||
|
||||
source $scriptsCommon"/Functions.sh"
|
||||
source $scripts"/Functions.sh"
|
||||
export NON_COMMERCIAL_USE_PATCHES=true; #Switch to false to prevent inclusion of non-commercial use patches
|
||||
|
||||
source $scriptsCommon"/Functions.sh";
|
||||
source $scripts"/Functions.sh";
|
||||
|
||||
unalias cp
|
||||
unalias mv
|
||||
|
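Review bot: `export NON_COMMERCIAL_USE_PATCHES=true;` is, as far as this page shows, the only switch for the Deny_USB patches applied further down, and those call sites test it with an exact `= true` string comparison, so any other value (`True`, `1`, a typo) silently produces an image without that hardening. A licence toggle that also removes security patches should say so where it is defined, e.g. `#Switch to false to exclude non-commercial-use patches; this also drops the Deny_USB and HOSTS changes`, and the consumers should print a line when they skip a patch. The assignment also overwrites any value the caller exported; `export NON_COMMERCIAL_USE_PATCHES="${NON_COMMERCIAL_USE_PATCHES:-true}";` keeps the default while allowing an override. The identical hunk appears again later on this page.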
@ -30,6 +30,13 @@ buildDevice() {
|
||||
}
|
||||
export -f buildDevice;
|
||||
|
||||
buildDeviceDebug() {
|
||||
unset SIGNING_KEY_DIR;
|
||||
unset OTA_PACKAGE_SIGNING_KEY;
|
||||
brunch lineage_$1-eng;
|
||||
}
|
||||
export -f buildDeviceDebug;
|
||||
|
||||
buildAll() {
|
||||
#Select devices are userdebug due to SELinux policy issues
|
||||
#TODO: Add victara, griffin, athene, us997, us996, pme, t0lte, hlte
|
||||
|
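Review bot: `buildDeviceDebug` runs in the caller's shell, so its two `unset` lines stay in effect after it returns; a later `buildDevice` in the same session would then run without `SIGNING_KEY_DIR` and `OTA_PACKAGE_SIGNING_KEY`, assuming it relies on them (its body is outside this hunk). A subshell body keeps the change local: `buildDeviceDebug() ( unset SIGNING_KEY_DIR OTA_PACKAGE_SIGNING_KEY; brunch "lineage_$1-eng"; )`, and quoting `"lineage_$1-eng"` avoids word splitting on the device argument. A comment stating that the result is an `-eng` build made without the signing variables and is not meant for distribution would help the next reader. The same function is added again in the later section that also touches `patchWorkspace`.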
@ -27,9 +27,8 @@ sed -i 's|config_wifi_fast_bss_transition_enabled">false|config_wifi_fast_bss_tr
|
||||
sed -i 's|config_wifi_enable_wifi_firmware_debugging">true|config_wifi_enable_wifi_firmware_debugging">false|' core/res/res/values/config.xml;
|
||||
sed -i 's|config_wifi_supplicant_scan_interval">15000|config_wifi_supplicant_scan_interval">120000|' core/res/res/values/config.xml;
|
||||
sed -i 's|config_autoBrightnessLightSensorRate">250|config_autoBrightnessLightSensorRate">1000|' core/res/res/values/config.xml;
|
||||
#sed -i 's|config_buttonLightOnKeypressOnly">false|config_buttonLightOnKeypressOnly">true|' core/res/res/values/config.xml;
|
||||
sed -i 's|config_recents_use_hardware_layers">false|config_recents_use_hardware_layers">true|' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml;
|
||||
#sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's|config_notifications_round_rect_clipping">true|config_notifications_round_rect_clipping">false|' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's|config_showTemperatureWarning">0|config_showTemperatureWarning">1|' packages/SystemUI/res/values/config.xml; #XXX: Doesn't seem to work?
|
||||
#sed -i 's|||'
|
||||
|
@ -108,6 +108,7 @@ sed -i 's/ext.androidBuildVersionTools = "24.0.3"/ext.androidBuildVersionTools =
|
||||
|
||||
enterAndClear "packages/apps/FDroid"
|
||||
cp $patches"android_packages_apps_FDroid/default_repos.xml" app/src/main/res/values/default_repos.xml; #Add extra repos
|
||||
sed -i 's|outputs/apk/|outputs/apk/release/' Android.mk;
|
||||
sed -i 's|gradle|./gradlew|' Android.mk; #Gradle 4.0 fix
|
||||
sed -i 's|/$(fdroid_dir) \&\&| \&\&|' Android.mk; #One line wouldn't work... no matter what I tried.
|
||||
#TODO: Change the package ID until https://gitlab.com/fdroid/fdroidclient/issues/843 is implemented
|
||||
@ -155,10 +156,10 @@ enterAndClear "packages/inputmethods/LatinIME"
|
||||
patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key
|
||||
|
||||
enterAndClear "packages/services/Telephony"
|
||||
patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch"; fi; #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
|
||||
enterAndClear "system/core"
|
||||
cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then cat /tmp/ar/hosts >> rootdir/etc/hosts; fi; #Merge in our HOSTS file XXX: Switch to /hsc for release
|
||||
git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f #Always update recovery XXX: This doesn't seem to work
|
||||
patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0
|
||||
|
||||
|
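Review bot: The `sed -i 's|outputs/apk/|outputs/apk/release/' Android.mk;` line in the F-Droid hunk has no closing `|`, so sed rejects the expression as an unterminated `s` command and `Android.mk` is left unchanged. It should read `sed -i 's|outputs/apk/|outputs/apk/release/|' Android.mk;`. Nothing visible here checks the exit status, so the failure would only show up as an error line in the build log. The same line appears in the F-Droid hunk of the last section on this page.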
@ -38,13 +38,15 @@ export ANDROID_HOME="/home/$USER/Android/Sdk";
|
||||
export KBUILD_BUILD_USER=emy
|
||||
export KBUILD_BUILD_HOST=dosbm
|
||||
|
||||
export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation"
|
||||
export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}"
|
||||
export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation";
|
||||
export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}";
|
||||
|
||||
export GRADLE_OPTS=-Xmx2048m
|
||||
|
||||
source $scriptsCommon"/Functions.sh"
|
||||
source $scripts"/Functions.sh"
|
||||
export NON_COMMERCIAL_USE_PATCHES=true; #Switch to false to prevent inclusion of non-commercial use patches
|
||||
|
||||
source $scriptsCommon"/Functions.sh";
|
||||
source $scripts"/Functions.sh";
|
||||
|
||||
unalias cp
|
||||
unalias mv
|
||||
|
@ -30,6 +30,13 @@ buildDevice() {
|
||||
}
|
||||
export -f buildDevice;
|
||||
|
||||
buildDeviceDebug() {
|
||||
unset SIGNING_KEY_DIR;
|
||||
unset OTA_PACKAGE_SIGNING_KEY;
|
||||
brunch lineage_$1-eng;
|
||||
}
|
||||
export -f buildDeviceDebug;
|
||||
|
||||
buildAll() {
|
||||
#Select devices are userdebug due to SELinux policy issues
|
||||
#TODO: Add victara, griffin, athene, us997, us996, pme, t0lte, hlte
|
||||
@ -57,8 +64,8 @@ patchWorkspace() {
|
||||
repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup
|
||||
repopick -f 209030; #ContactsProvider: Prevent device contact being deleted.
|
||||
repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks
|
||||
repopick 205021; #d855 cherry picks
|
||||
repopick -t trust_interface;
|
||||
repopick 205021 211396; #d855 cherry picks
|
||||
#repopick -t trust_interface;
|
||||
|
||||
source $scripts/Patch.sh;
|
||||
source $scripts/Defaults.sh;
|
||||
|
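Review bot: The changed `repopick 205021 211396;` line pulls Gerrit changes by bare change number, which (as far as I know) resolves to whatever patch set is current when the build runs, so the code merged into the tree can change without this script changing. Pinning the patch set, `repopick 205021/<patchset> 211396/<patchset>;`, or replacing the picks with patches stored in this repository would make the build reproducible and reviewable. The commented-out `#repopick -t trust_interface;` would also benefit from a short comment on what upstream state it is waiting for. `patchWorkspace` starts and ends outside this hunk.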
@ -28,7 +28,7 @@ sed -i 's|config_wifi_enable_wifi_firmware_debugging">true|config_wifi_enable_wi
|
||||
sed -i 's|config_wifi_supplicant_scan_interval">15000|config_wifi_supplicant_scan_interval">120000|' core/res/res/values/config.xml;
|
||||
sed -i 's|config_autoBrightnessLightSensorRate">250|config_autoBrightnessLightSensorRate">1000|' core/res/res/values/config.xml;
|
||||
sed -i 's|config_recents_use_hardware_layers">false|config_recents_use_hardware_layers">true|' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml;
|
||||
#sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's|config_notifications_round_rect_clipping">true|config_notifications_round_rect_clipping">false|' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's|config_showTemperatureWarning">0|config_showTemperatureWarning">1|' packages/SystemUI/res/values/config.xml; #XXX: Doesn't seem to work?
|
||||
#sed -i 's|||'
|
||||
|
@ -60,7 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr
|
||||
|
||||
enterAndClear "build/make"
|
||||
patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0
|
||||
patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_build/0002-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
|
||||
sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
|
||||
|
||||
@ -78,7 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired
|
||||
patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG)
|
||||
patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
|
||||
patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast
|
||||
patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||
rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig
|
||||
|
||||
@ -104,6 +104,7 @@ sed -i 's/ext.androidBuildVersionTools = "24.0.3"/ext.androidBuildVersionTools =
|
||||
|
||||
enterAndClear "packages/apps/FDroid"
|
||||
cp $patches"android_packages_apps_FDroid/default_repos.xml" app/src/main/res/values/default_repos.xml; #Add extra repos
|
||||
sed -i 's|outputs/apk/|outputs/apk/release/' Android.mk;
|
||||
sed -i 's|gradle|./gradlew|' Android.mk; #Gradle 4.0 fix
|
||||
sed -i 's|/$(fdroid_dir) \&\&| \&\&|' Android.mk; #One line wouldn't work... no matter what I tried.
|
||||
#TODO: Change the package ID until https://gitlab.com/fdroid/fdroidclient/issues/843 is implemented
|
||||
@ -123,14 +124,15 @@ sed -i 's/ext.androidBuildVersionTools = "24.0.3"/ext.androidBuildVersionTools =
|
||||
enterAndClear "packages/apps/LineageParts"
|
||||
rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml #Nuke part of the analytics
|
||||
sed -i 's|config_showWeatherMenu">true|config_showWeatherMenu">false|' res/values/config.xml; #Disable Weather
|
||||
patch -p1 < $patches"android_packages_apps_LineageParts/0001-Remove_Analytics.patch" #Remove analytics
|
||||
patch -p1 < $patches"android_packages_apps_LineageParts/0001-Remove_Analytics-Pre_Trust.patch" #Remove analytics
|
||||
rm AndroidManifest.xml.orig res/values/*.xml.orig;
|
||||
|
||||
enterAndClear "packages/apps/Settings"
|
||||
git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock
|
||||
patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
patch -p1 < $patches"android_packages_apps_Settings/0002-Remove_Analytics.patch" #Remove analytics
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length
|
||||
sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options
|
||||
rm res/values/strings.xml.orig;
|
||||
|
||||
enterAndClear "packages/apps/SetupWizard"
|
||||
patch -p1 < $patches"android_packages_apps_SetupWizard/0001-Remove_Analytics.patch" #Remove analytics
|
||||
@ -152,17 +154,18 @@ enterAndClear "packages/inputmethods/LatinIME"
|
||||
patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key
|
||||
|
||||
enterAndClear "packages/services/Telephony"
|
||||
patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch"; fi; #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
|
||||
enterAndClear "system/core"
|
||||
cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then cat /tmp/ar/hosts >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
|
||||
git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery
|
||||
patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0
|
||||
patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_core/0002-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
|
||||
enterAndClear "system/sepolicy"
|
||||
patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices
|
||||
patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_sepolicy/0003-Deny_USB-Aggressive.patch"; fi; #Deny USB on boot
|
||||
|
||||
enterAndClear "system/vold"
|
||||
patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption
|
||||
|
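Review bot: In the `system/core` block, the HOSTS merge still reads `/tmp/ar/hosts`, a fixed path in a world-writable directory, so on a shared build host another local account could create that path first and have its entries appended to `rootdir/etc/hosts` in the image; the new `if` only adds the licence gate. Reading the file from a directory the build user owns and checking it against a pinned checksum before the `cat` closes that, e.g. `cat "$patches<hosts-file-placeholder>" >> rootdir/etc/hosts`. The same line is changed in the earlier section whose comment reads `XXX: Switch to /hsc for release`.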