diff --git a/Misc/audit2allow-mako.txt b/Misc/audit2allow-mako.txt
new file mode 100644
index 00000000..e2de841d
--- /dev/null
+++ b/Misc/audit2allow-mako.txt
@@ -0,0 +1,9 @@
+#============= install_recovery ==============
+allow install_recovery unlabeled:dir { add_name remove_name write };
+allow install_recovery unlabeled:file { create open setattr unlink write };
+
+#============= kickstart ==============
+allow kickstart usbfs:dir search;
+
+#============= vold ==============
+allow vold persist_file:dir { ioctl open read };
diff --git a/Patches/LineageOS-15.1/android_system_core/0003-Deny_USB-Aggressive.patch b/Patches/LineageOS-15.1/android_system_core/0003-Deny_USB-Aggressive.patch
new file mode 100644
index 00000000..5a2904bf
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_core/0003-Deny_USB-Aggressive.patch
@@ -0,0 +1,27 @@
+From 3c31c1f1188e1c550f02d838daa8e7c2e55e6f56 Mon Sep 17 00:00:00 2001
+From: Tad
+Date: Mon, 23 Apr 2018 02:39:35 -0400
+Subject: [PATCH] deny all new usb devices until after boot
+
+Change-Id: I7a3dad49610eb4010dc13a3acaffb6fd91cdc89c
+---
+ rootdir/init.rc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index c1bd58eba..38f3bab9f 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -18,6 +18,9 @@ on early-init
+ # Disable sysrq from keyboard
+ write /proc/sys/kernel/sysrq 0
+ 
++ # Deny all new USB devices until after boot
++ write /proc/sys/kernel/deny_new_usb 1
++
+ # Set the security context of /adb_keys if present.
+ restorecon /adb_keys
+ 
+-- 
+2.17.0
+
diff --git a/Scripts/LineageOS-14.1/00init.sh b/Scripts/LineageOS-14.1/00init.sh
index 2336704c..95dd1239 100644
--- a/Scripts/LineageOS-14.1/00init.sh
+++ b/Scripts/LineageOS-14.1/00init.sh
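Review bot: The install_recovery rules in audit2allow-mako.txt grant write, create and unlink on `unlabeled:dir` / `unlabeled:file`, which is the catch-all type for objects that carry no label, so allowing it makes every unlabeled object the domain can reach writable instead of fixing the labeling of the specific paths (file_contexts plus restorecon). The file sits under Misc/ and nothing in this diff consumes it, so it may be raw audit2allow output kept for reference rather than policy that ships; a header line such as `# Raw audit2allow output for mako - reference only, label the paths instead of allowing unlabeled` would stop it being pasted into a .te file verbatim.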
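Review bot: The added `write /proc/sys/kernel/deny_new_usb 1` in `on early-init` is never cleared by this patch, so the "until after boot" in its subject depends on another component flipping the knob back; from the Patch.sh hunks later in this diff that appears to be the separate Deny_USB patches, but the patch itself does not say so. `deny_new_usb` is not a mainline sysctl either: on a kernel without the matching change, init logs the failed write and carries on, so the restriction silently does not apply. Suggest widening the inserted comment to `# Deny all new USB devices until after boot (needs the deny_new_usb kernel sysctl; cleared later by the Deny_USB framework patches)` and stating the kernel dependency in the patch description.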
@@ -38,13 +38,15 @@ export ANDROID_HOME="/home/$USER/Android/Sdk"; export KBUILD_BUILD_USER=emy export KBUILD_BUILD_HOST=dosbm -export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation" -export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}" +export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation"; +export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}"; export GRADLE_OPTS=-Xmx2048m -source $scriptsCommon"/Functions.sh" -source $scripts"/Functions.sh" +export NON_COMMERCIAL_USE_PATCHES=true; #Switch to false to prevent inclusion of non-commercial use patches + +source $scriptsCommon"/Functions.sh"; +source $scripts"/Functions.sh"; unalias cp unalias mv diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index a7c0b76e..f809d97b 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -30,6 +30,13 @@ buildDevice() { } export -f buildDevice; +buildDeviceDebug() { + unset SIGNING_KEY_DIR; + unset OTA_PACKAGE_SIGNING_KEY; + brunch lineage_$1-eng; +} +export -f buildDeviceDebug; + buildAll() { #Select devices are userdebug due to SELinux policy issues #TODO: Add victara, griffin, athene, us997, us996, pme, t0lte, hlte diff --git a/Scripts/LineageOS-14.1/Optimize.sh b/Scripts/LineageOS-14.1/Optimize.sh index 34fe51de..91caeac2 100644 --- a/Scripts/LineageOS-14.1/Optimize.sh +++ b/Scripts/LineageOS-14.1/Optimize.sh 
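Review bot: `export NON_COMMERCIAL_USE_PATCHES=true;` is an opt-out default, so every build includes the patches that Patch.sh marks "NEEDS SIGNOFF FROM COPPERHEAD" unless the builder edits this sourced file; for a switch that gates licensing the safer shape is opt-in, or at least an environment override that needs no file edit: `export NON_COMMERCIAL_USE_PATCHES="${NON_COMMERCIAL_USE_PATCHES:-true}"; #Switch to false to prevent inclusion of non-commercial use patches`. The same line is added to Scripts/LineageOS-15.1/00init.sh in the later hunk. The trailing semicolons newly added to the export and source lines are harmless but leave the neighbouring `export GRADLE_OPTS` and `unalias` lines inconsistent with them.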
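Review bot: `buildDeviceDebug` runs `unset SIGNING_KEY_DIR` and `unset OTA_PACKAGE_SIGNING_KEY` in the calling shell, and since the function is `export -f`'d and invoked directly rather than in a subshell, both stay unset after it returns; if `buildDevice` (body outside this hunk) relies on them, a release build started later in the same session would be produced without the release keys. `$1` is also unquoted and unchecked, so a missing argument yields `brunch lineage_-eng`. Provided the lunch environment brunch sets up is not needed afterwards, a subshell fixes both: `buildDeviceDebug() { ( unset SIGNING_KEY_DIR OTA_PACKAGE_SIGNING_KEY; brunch "lineage_${1:?device name required}-eng"; ); }`. The identical function is added to Scripts/LineageOS-15.1/Functions.sh in the later hunk.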
@@ -27,9 +27,8 @@ sed -i 's|config_wifi_fast_bss_transition_enabled">false|config_wifi_fast_bss_tr sed -i 's|config_wifi_enable_wifi_firmware_debugging">true|config_wifi_enable_wifi_firmware_debugging">false|' core/res/res/values/config.xml; sed -i 's|config_wifi_supplicant_scan_interval">15000|config_wifi_supplicant_scan_interval">120000|' core/res/res/values/config.xml; sed -i 's|config_autoBrightnessLightSensorRate">250|config_autoBrightnessLightSensorRate">1000|' core/res/res/values/config.xml; -#sed -i 's|config_buttonLightOnKeypressOnly">false|config_buttonLightOnKeypressOnly">true|' core/res/res/values/config.xml; sed -i 's|config_recents_use_hardware_layers">false|config_recents_use_hardware_layers">true|' packages/SystemUI/res/values/config.xml; -sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml; +#sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml; sed -i 's|config_notifications_round_rect_clipping">true|config_notifications_round_rect_clipping">false|' packages/SystemUI/res/values/config.xml; sed -i 's|config_showTemperatureWarning">0|config_showTemperatureWarning">1|' packages/SystemUI/res/values/config.xml; #XXX: Doesn't seem to work? #sed -i 's|||' diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index bbd3327b..c143e485 100755 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh 
@@ -108,6 +108,7 @@ sed -i 's/ext.androidBuildVersionTools = "24.0.3"/ext.androidBuildVersionTools = enterAndClear "packages/apps/FDroid" cp $patches"android_packages_apps_FDroid/default_repos.xml" app/src/main/res/values/default_repos.xml; #Add extra repos +sed -i 's|outputs/apk/|outputs/apk/release/' Android.mk; sed -i 's|gradle|./gradlew|' Android.mk; #Gradle 4.0 fix sed -i 's|/$(fdroid_dir) \&\&| \&\&|' Android.mk; #One line wouldn't work... no matter what I tried. #TODO: Change the package ID until https://gitlab.com/fdroid/fdroidclient/issues/843 is implemented @@ -155,10 +156,10 @@ enterAndClear "packages/inputmethods/LatinIME" patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key enterAndClear "packages/services/Telephony" -patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch"; fi; #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD enterAndClear "system/core" -cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then cat /tmp/ar/hosts >> rootdir/etc/hosts; fi; #Merge in our HOSTS file XXX: Switch to /hsc for release git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f #Always update recovery XXX: This doesn't seem to work patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0 diff --git a/Scripts/LineageOS-15.1/00init.sh b/Scripts/LineageOS-15.1/00init.sh index 991fb27e..8d70e521 100644 --- a/Scripts/LineageOS-15.1/00init.sh +++ b/Scripts/LineageOS-15.1/00init.sh 
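Review bot: The new `sed -i 's|outputs/apk/|outputs/apk/release/' Android.mk;` is missing the closing delimiter of the s command, so sed exits with "unterminated `s' command" and leaves Android.mk untouched; no `set -e` or status check is visible here, so the script continues and the build would only fail later when the APK is not found at the old path. It should read `sed -i 's|outputs/apk/|outputs/apk/release/|' Android.mk;`. The same line is added to Scripts/LineageOS-15.1/Patch.sh in its @@ -104 hunk.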
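Review bot: The guarded `cat /tmp/ar/hosts >> rootdir/etc/hosts` still takes the data that lands in the device's hosts file from a fixed path in the shared /tmp directory, so any local user or stale file on the build host can feed entries into the shipped image; the `XXX: Switch to /hsc for release` comment suggests this is known, but the new guard does not change it. Until that switch, reading from a repository-controlled location and failing explicitly when the file is absent would be preferable to letting `cat` error and the script continue. The 15.1 Patch.sh hunk at the end of this diff has the same line.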
@@ -38,13 +38,15 @@ export ANDROID_HOME="/home/$USER/Android/Sdk"; export KBUILD_BUILD_USER=emy export KBUILD_BUILD_HOST=dosbm -export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation" -export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}" +export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation"; +export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}"; export GRADLE_OPTS=-Xmx2048m -source $scriptsCommon"/Functions.sh" -source $scripts"/Functions.sh" +export NON_COMMERCIAL_USE_PATCHES=true; #Switch to false to prevent inclusion of non-commercial use patches + +source $scriptsCommon"/Functions.sh"; +source $scripts"/Functions.sh"; unalias cp unalias mv diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index 6b04a451..25b449cd 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -30,6 +30,13 @@ buildDevice() { } export -f buildDevice; +buildDeviceDebug() { + unset SIGNING_KEY_DIR; + unset OTA_PACKAGE_SIGNING_KEY; + brunch lineage_$1-eng; +} +export -f buildDeviceDebug; + buildAll() { #Select devices are userdebug due to SELinux policy issues #TODO: Add victara, griffin, athene, us997, us996, pme, t0lte, hlte @@ -57,8 +64,8 @@ patchWorkspace() { repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup repopick -f 209030; #ContactsProvider: Prevent device contact being deleted. repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks - repopick 205021; #d855 cherry picks - repopick -t trust_interface; + repopick 205021 211396; #d855 cherry picks + #repopick -t trust_interface; source $scripts/Patch.sh; source $scripts/Defaults.sh; diff --git a/Scripts/LineageOS-15.1/Optimize.sh b/Scripts/LineageOS-15.1/Optimize.sh index f98ba4d6..98b84841 100644 --- a/Scripts/LineageOS-15.1/Optimize.sh +++ b/Scripts/LineageOS-15.1/Optimize.sh 
@@ -28,7 +28,7 @@ sed -i 's|config_wifi_enable_wifi_firmware_debugging">true|config_wifi_enable_wi sed -i 's|config_wifi_supplicant_scan_interval">15000|config_wifi_supplicant_scan_interval">120000|' core/res/res/values/config.xml; sed -i 's|config_autoBrightnessLightSensorRate">250|config_autoBrightnessLightSensorRate">1000|' core/res/res/values/config.xml; sed -i 's|config_recents_use_hardware_layers">false|config_recents_use_hardware_layers">true|' packages/SystemUI/res/values/config.xml; -sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml; +#sed -i 's|config_recents_fake_shadows">false|config_recents_fake_shadows">true|' packages/SystemUI/res/values/config.xml; sed -i 's|config_notifications_round_rect_clipping">true|config_notifications_round_rect_clipping">false|' packages/SystemUI/res/values/config.xml; sed -i 's|config_showTemperatureWarning">0|config_showTemperatureWarning">1|' packages/SystemUI/res/values/config.xml; #XXX: Doesn't seem to work? #sed -i 's|||' diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index a0aae881..90ef5181 100755 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -60,7 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr enterAndClear "build/make" patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0 -patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_build/0002-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence 
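Review bot: The one-line `if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < ...; fi;` wrapper introduced here is repeated verbatim in the @@ -78, @@ -123 and @@ -152 hunks of this file and twice in the 14.1 Patch.sh; a small helper in Functions.sh would keep the call sites readable and give one place to log or fail when such a patch does not apply, e.g. `patchNonCommercial() { [ "$NON_COMMERCIAL_USE_PATCHES" = true ] || return 0; patch -p1 < "$1"; }` with call sites becoming `patchNonCommercial $patches"android_build/0002-Deny_USB.patch"; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD`. In both forms the exit status of `patch -p1` is unchecked, as on the surrounding lines.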
@@ -78,7 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG) patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast -patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig @@ -104,6 +104,7 @@ sed -i 's/ext.androidBuildVersionTools = "24.0.3"/ext.androidBuildVersionTools = enterAndClear "packages/apps/FDroid" cp $patches"android_packages_apps_FDroid/default_repos.xml" app/src/main/res/values/default_repos.xml; #Add extra repos +sed -i 's|outputs/apk/|outputs/apk/release/' Android.mk; sed -i 's|gradle|./gradlew|' Android.mk; #Gradle 4.0 fix sed -i 's|/$(fdroid_dir) \&\&| \&\&|' Android.mk; #One line wouldn't work... no matter what I tried. #TODO: Change the package ID until https://gitlab.com/fdroid/fdroidclient/issues/843 is implemented 
@@ -123,14 +124,15 @@ sed -i 's/ext.androidBuildVersionTools = "24.0.3"/ext.androidBuildVersionTools = enterAndClear "packages/apps/LineageParts" rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml #Nuke part of the analytics sed -i 's|config_showWeatherMenu">true|config_showWeatherMenu">false|' res/values/config.xml; #Disable Weather -patch -p1 < $patches"android_packages_apps_LineageParts/0001-Remove_Analytics.patch" #Remove analytics +patch -p1 < $patches"android_packages_apps_LineageParts/0001-Remove_Analytics-Pre_Trust.patch" #Remove analytics rm AndroidManifest.xml.orig res/values/*.xml.orig; enterAndClear "packages/apps/Settings" -git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock -patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD +patch -p1 < $patches"android_packages_apps_Settings/0002-Remove_Analytics.patch" #Remove analytics +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options +rm res/values/strings.xml.orig; enterAndClear "packages/apps/SetupWizard" patch -p1 < $patches"android_packages_apps_SetupWizard/0001-Remove_Analytics.patch" #Remove analytics 
@@ -152,17 +154,18 @@ enterAndClear "packages/inputmethods/LatinIME" patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key enterAndClear "packages/services/Telephony" -patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch"; fi; #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD enterAndClear "system/core" -cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then cat /tmp/ar/hosts >> rootdir/etc/hosts; fi; #Merge in our HOSTS file git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0 -patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_core/0002-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD enterAndClear "system/sepolicy" patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices -patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch"; fi; #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD +if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_sepolicy/0003-Deny_USB-Aggressive.patch"; fi; #Deny USB on boot enterAndClear "system/vold" patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling 
AES-256 bit encryption
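Review bot: The added `patch -p1 < $patches"android_system_sepolicy/0003-Deny_USB-Aggressive.patch"` points at a file this commit does not add: the new patch is `Patches/LineageOS-15.1/android_system_core/0003-Deny_USB-Aggressive.patch`, and its only hunk edits `rootdir/init.rc`, which lives in system/core, not in system/sepolicy where this line runs after `enterAndClear "system/sepolicy"`. Unless a sepolicy patch of that name exists outside this diff, the redirect fails and the aggressive deny never reaches the image. Move the line into the `enterAndClear "system/core"` block after the 0002 line and correct the directory: `if [ "$NON_COMMERCIAL_USE_PATCHES" = true ]; then patch -p1 < $patches"android_system_core/0003-Deny_USB-Aggressive.patch"; fi; #Deny USB on boot`.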