From 3a0659b9d8bbe776012d65d663b5e33d1a69e562 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Tue, 5 Apr 2022 20:41:01 -0400
Subject: [PATCH] 19.1: more work, it compiles and boots!

- Add the manifest
- Add Pixel 2 series
- Add some missing patches
- More DNS files
- Drop Silence in 19.1

Signed-off-by: Tad <tad@spotco.us>
---
 Manifests/Manifest_LAOS-19.1.xml              |  69 ++++
 Misc/Features/GrapheneOS.txt                  | 130 ++++++-
 .../android_bionic/0001-HM-Use_HM.patch       |   1 +
 .../android_build/0002-OTA_Keys.patch         |   5 +-
 .../0003-Exec_Based_Spawning.patch            |   6 +-
 .../android_build_soong/0002-hm_apex.patch    |   2 +-
 .../0001-Broken_Cameras.patch                 |  25 ++
 .../0013-Network_Permission-4.patch           |  43 +++
 .../0013-Network_Permission-5.patch           |  35 ++
 ...patch => 0020-Location_Indicators-1.patch} |   0
 .../0020-Location_Indicators-2.patch          |  24 ++
 .../0001-Captive_Portal_Toggle.patch          |  20 +-
 .../0001-Network_Permission-1.patch           | 121 +++++++
 .../0001-Network_Permission-2.patch           | 320 ++++++++++++++++++
 .../0001-Network_Permission-3.patch           |  42 +++
 .../0002-Private_DNS.patch                    | 228 +++++++++++++
 PrebuiltApps                                  |   2 +-
 Scripts/Common/Deblob.sh                      |   1 +
 Scripts/Common/Functions.sh                   |   4 +-
 Scripts/Common/Post.sh                        |   3 +
 Scripts/LineageOS-17.1/Functions.sh           |   3 +-
 Scripts/LineageOS-18.1/Functions.sh           |   3 +-
 Scripts/LineageOS-18.1/Patch.sh               |   4 +-
 .../android_kernel_google_wahoo.sh            |  90 +++++
 Scripts/LineageOS-19.1/Functions.sh           |  10 +-
 Scripts/LineageOS-19.1/Patch.sh               |  31 +-
 Scripts/init.sh                               |  20 +-
 27 files changed, 1196 insertions(+), 46 deletions(-)
 create mode 100644 Manifests/Manifest_LAOS-19.1.xml
 create mode 100644 Patches/LineageOS-19.1/android_external_hardened_malloc/0001-Broken_Cameras.patch
 create mode 100644 Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-4.patch
 create mode 100644 Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-5.patch
 rename Patches/LineageOS-19.1/android_frameworks_base/{0020-Location_Indicators.patch => 0020-Location_Indicators-1.patch} (100%)
 create mode 100644 Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators-2.patch
 create mode 100644 Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-1.patch
 create mode 100644 Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-2.patch
 create mode 100644 Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-3.patch
 create mode 100644 Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch
 create mode 100644 Scripts/LineageOS-19.1/CVE_Patchers/android_kernel_google_wahoo.sh

diff --git a/Manifests/Manifest_LAOS-19.1.xml b/Manifests/Manifest_LAOS-19.1.xml
new file mode 100644
index 00000000..540ab419
--- /dev/null
+++ b/Manifests/Manifest_LAOS-19.1.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<manifest>
+
+	<remote name="gitlab" fetch="https://gitlab.com/" />
+
+<!-- START OF UNNECESSARY REPO REMOVAL -->
+	<remove-project name="LineageOS/android_external_ant-wireless_ant_native" />
+	<remove-project name="LineageOS/android_external_ant-wireless_ant_service" />
+	<remove-project name="LineageOS/android_external_bash" />
+	<remove-project name="LineageOS/android_external_htop" />
+	<remove-project name="LineageOS/android_external_libncurses" />
+	<remove-project name="LineageOS/android_external_nano" />
+	<remove-project name="LineageOS/android_external_openssh" />
+	<remove-project name="LineageOS/android_external_vim" />
+	<remove-project name="LineageOS/android_packages_apps_Eleven" />
+	<remove-project name="LineageOS/android_packages_apps_Jelly" />
+	<remove-project name="LineageOS/android_packages_apps_Stk" />
+	<remove-project name="LineageOS/android_prebuilts_gcc_darwin-x86_aarch64_aarch64-linux-android-4.9" />
+	<remove-project name="LineageOS/android_prebuilts_gcc_darwin-x86_arm_arm-linux-androideabi-4.9" />
+	<remove-project name="LineageOS/android_prebuilts_gcc_darwin-x86_x86_x86_64-linux-android-4.9" />
+	<remove-project name="LineageOS/ansible" />
+	<remove-project name="LineageOS/charter" />
+	<remove-project name="LineageOS/cm_crowdin" />
+	<remove-project name="LineageOS/contributors-cloud-generator" />
+	<remove-project name="LineageOS/cve_tracker" />
+	<remove-project name="LineageOS/hudson" />
+	<remove-project name="LineageOS/lineage_wiki" />
+	<remove-project name="LineageOS/mirror" />
+	<remove-project name="LineageOS/scripts" />
+	<remove-project name="LineageOS/slackbot" />
+	<remove-project name="LineageOS/www" />
+	<remove-project name="platform/packages/apps/SampleLocationAttribution" />
+	<remove-project name="platform/prebuilts/clang/host/darwin-x86" />
+	<remove-project name="platform/prebuilts/gcc/darwin-x86/host/i686-apple-darwin-4.2.1" />
+	<remove-project name="platform/prebuilts/gdb/darwin-x86" />
+	<remove-project name="platform/prebuilts/go/darwin-x86" />
+	<remove-project name="platform/prebuilts/python/darwin-x86/2.7.5" />
+<!-- END OF UNNECESSARY REPO REMOVAL -->
+
+<!-- START OF BRANCH SWITCHING -->
+	<!--<remove-project name="platform/external/swiftshader" />
+	<project path="external/swiftshader" name="google/swiftshader" remote="github" revision="master" />-->
+
+	<!-- Switch to the Mulch WebView -->
+	<remove-project name="LineageOS/android_external_chromium-webview" />
+	<project path="external/chromium-webview" name="divested-mobile/mulch" groups="pdk" clone-depth="1" remote="gitlab" revision="master" />
+<!-- END OF BRANCH SWITCHING -->
+
+<!-- START OF ADDITIONAL REPOS -->
+	<!-- GrapheneOS -->
+	<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="12.1" />
+<!-- END OF ADDITIONAL REPOS -->
+
+<!-- START OF DEVICE REPOS -->
+	<!-- Common -->
+	<project path="system/qcom" name="LineageOS/android_system_qcom" remote="github" />
+	<project path="external/bson" name="LineageOS/android_external_bson" remote="github" />
+	<project path="hardware/sony/macaddrsetup" name="LineageOS/android_hardware_sony_macaddrsetup" remote="github" />
+	<project path="hardware/sony/simdetect" name="LineageOS/android_hardware_sony_simdetect" remote="github" />
+	<project path="hardware/sony/SonyOpenTelephony" name="LineageOS/android_hardware_sony_SonyOpenTelephony" remote="github" />
+
+	<!-- Google Pixel 2 (taimen/walleye) -->
+	<project path="device/google/taimen" name="LineageOS/android_device_google_taimen" remote="github" />
+	<project path="device/google/muskie" name="LineageOS/android_device_google_muskie" remote="github" />
+	<project path="device/google/walleye" name="LineageOS/android_device_google_walleye" remote="github" />
+	<project path="device/google/wahoo" name="LineageOS/android_device_google_wahoo" remote="github" />
+	<project path="kernel/google/wahoo" name="LineageOS/android_kernel_google_wahoo" remote="github" />
+
+</manifest>
diff --git a/Misc/Features/GrapheneOS.txt b/Misc/Features/GrapheneOS.txt
index 306e3b7a..c939b3c5 100644
--- a/Misc/Features/GrapheneOS.txt
+++ b/Misc/Features/GrapheneOS.txt
@@ -3,6 +3,10 @@ QQ3A.200805.001.2020.09.11.14
 PQ3B.190801.002.2019.08.25.15
 
 https time
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/1d4e3f495b7b544f6314f04243e9d47b3f8e7102
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/2c04a077ec9f3ac6857885199f49f4845b70ec2e
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/4a90523abcacd1b2cb69e82b5622d33185aab044
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/88fa99ee2312fac5a0dbf50ac6f407be5700f785
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/940beb096b9dc078ec1a051ee8c73667885fa5a9
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/b92c2eb03ea574cd4a9def02bb81e99812068595
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/546c1099f2775391c86f996104d74f307a954a74
@@ -22,6 +26,10 @@ show passwords
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/83586f8b4e0e5075f9823d05158c893b23585eb1
 10 https://github.com/GrapheneOS/platform_frameworks_base/commit/63f3727cd9cb32c1195cfd83ff9b0d54d7d8dd7d
 
+power animation
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/ee97a8e97ac6feedb9acdec1945cc943b7477b2f
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/bd956da828fe5ffce6daf5b30fce7b942cfa6794
+
 preferred network mode
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/286910c6cbc8c77153e7e230a4d02bea745ea571
 
@@ -53,11 +61,74 @@ nojit
 9  https://github.com/GrapheneOS/platform_build/commit/5b9927197e63593b9220d1a9280021252ef205e9
 9  https://github.com/GrapheneOS/platform_build/commit/e36c7aefaa78a1ed5b94c7f51d29277008eea232
 
+[implemented] user logout
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/93838b55c9b6460249a22be42f04026d8780fefc
+
+[implemented] recovery serial number
+12 https://github.com/GrapheneOS/platform_bootable_recovery/commit/bf7fe6fb6bf8211b0c5e1259fe5f6eee644fbf3a
+
+[implemented] google contacts
+12 https://github.com/GrapheneOS/platform_packages_apps_Contacts/commit/0911fca3386016a506308e0b1e1ecc527153194b
+12 https://github.com/GrapheneOS/platform_packages_apps_Contacts/commit/2e86c9a6e73bbaa26354ac04340c14643774e662
+
+[implemented] keyboard personalization
+12 https://github.com/GrapheneOS/platform_packages_inputmethods_LatinIME/commit/37abf03503ec25d62f3e38d24b5ef4ba31e94ae3
+
+[implemented] location indicators
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/9825dbc644360850b2cb87c8dcafc39101aec865
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/b5e18d97d2c35f7288f04050b13813fafaf65d5e
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/a5d43c015790e63d94ec252ce9cd2579903a39f2
+
+[implemented] browser location
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/648874c9785f8be251e5168314262f4af1f70766
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/248343df0fddd2703399c46eee7ef04d43350686
+
+[implemented] fbe padding
+12 https://github.com/GrapheneOS/platform_system_extras/commit/144930183585cec74882a5c0ffa321354ad9eb7e
+
+[implemented] special permissions
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/5bbbffa0d89d19a87a8de83b185cd8d58db31915
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/ddac53e6650955e465b585715cff792f5b68c807
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/f1898802c8fd7474f723f9a44a316142d940dfed
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/58c9f58bbde6789f944daf41d86acdc7b3e205f2
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/2d14a42f7bc285e141377018285dc4e3fd8f8f86
+
+[implemented] sensors permission
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/452c474dfae9a312f6e01db5b28de308dbb14cc2
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/daed8c4e3ff8bf94a2a9aa319d32ec2ff5653c8f
+12 https://github.com/GrapheneOS/platform_frameworks_native/commit/dcef490d7cab7bb9f96f8bfe19a8779ac140b26d
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/a949bd530bdbedf2078119a90a93d7c15bca6975
+
+[implemented] network permission
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/947744f753638c82775186a3876f2b2ffd7c0244
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/7f33d084d32a5f95f53d1919f92f5b14cd310d15
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/0a0fdab36ba9c582e9abafc6f42f4e761d1112b5
+12xhttps://github.com/GrapheneOS/platform_frameworks_base/commit/db5ed44bdd59df344347782e071d4dbd87597d2e
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/2f262ed47122e57283ee85c2cca138728559ef35
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/7205d5e18ca65893550363e1ad1753c45fb75f50
+12 https://github.com/GrapheneOS/platform_system_netd/commit/2ced788ce0003767de7df37852a604bac674045f
+12 https://github.com/GrapheneOS/platform_packages_providers_DownloadProvider/commit/fc7244e100c67f93defc4e6db7b30a1487b7957b
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/77c14f62402e9f8023240e72893ee66d4b63d873
+12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/7fe7eb594d03f701fcb8ff492486e773daee7b73
+12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/9c4a5ac0cb34b751dbd8cda9f75f21f39b566681
+12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/dbf6ae4cd96450a21be0a4dd85fb5addeba67462
+12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/34cded990ebd8da8c47cab88f0b1ef523a05d122
+12 https://github.com/GrapheneOS/platform_libcore/commit/7110daa77503720bbd2f233df53be90b742ce85a
+
+[implemented] protected fifo/regular
+12 https://github.com/GrapheneOS/platform_system_core/commit/ddf48612c160b13552588af4d64bc7bb55571618
+12 https://github.com/GrapheneOS/platform_system_core/commit/fc8f654d4f905ee88c3cdd3494c6a65b2de6d5a1
+12 https://github.com/GrapheneOS/platform_system_sepolicy/commit/452bfdca38a4ffc3d3a2df9439694fcb8d0f9def
+
 [implemented] sensitive notifications
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/6e027c935088ae32c82b69ed4e072b1d2a8c08a9
 10 https://github.com/GrapheneOS/platform_frameworks_base/commit/12a3d6dc2b94af26e1be34ec81c2581ef17f1582
 
 [implemented] always random mac
+12 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/2e67bc8b420752bec795235ab6d5c27d0956b017
+12 https://github.com/GrapheneOS/platform_packages_modules_Wifi/commit/9a9e6eb3232720776230eebd70ab9816d5127c53
+12 https://github.com/GrapheneOS/platform_packages_modules_NetworkStack/commit/dbc7cd419cdddcae2fc0c10d3cef6b8cdb31e2c4
+12 https://github.com/GrapheneOS/platform_frameworks_opt_net_wifi/commit/776beebd3d221740ac1b77d8535f745415d171a0
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/9bc33b2f1a94c5b801f2c7078b996478cd4d11ac
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/bef63219dd362fb130bcaf5da123aeda0259525e
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/af41ef65b2eccd298787141fefdd6f63d2b425ee
@@ -69,6 +140,22 @@ nojit
 10 https://github.com/GrapheneOS/platform_frameworks_opt_net_wifi/commit/87ede685fec2f92b978891c2eed5776f5f2ca204
 
 [implemented] bionic hardening
+12 https://github.com/GrapheneOS/platform_bionic/commit/72dc351222621913b4350ae85fb836e0d6ce45a1 #explicit zero
+12 https://github.com/GrapheneOS/platform_bionic/commit/1912d38d17233cb5b6b4d0bd5cfc04d5da91fe18 #brk
+12 https://github.com/GrapheneOS/platform_bionic/commit/c6c9ea18bada95a07504440460e832a4e78c949c #random
+12 https://github.com/GrapheneOS/platform_bionic/commit/e1a6bc30b4bc7fa926d8a46cab25c690dc4aa9e7 #undefined
+12 https://github.com/GrapheneOS/platform_bionic/commit/30dbac8f2a08337cbddfc0e457b303e4804a6066 #merge
+12 https://github.com/GrapheneOS/platform_bionic/commit/4013cc337c8eb9644a9300792629dd2319273ced #vla formatting
+12 https://github.com/GrapheneOS/platform_bionic/commit/b0c09e61c1c1eb7b356f90201559af95cf2f31d7 #pthread
+12 https://github.com/GrapheneOS/platform_bionic/commit/cf53a97d763abbfdb7a815604604aa60d36617f2 #read only
+12 https://github.com/GrapheneOS/platform_bionic/commit/5caf27af9b90ede9a3f6ce059da886e0256e0c08 #zero
+12 https://github.com/GrapheneOS/platform_bionic/commit/9358db48a7eb46bcc5f5df09b22b0d48617d5604 #fork mmap
+12 https://github.com/GrapheneOS/platform_bionic/commit/b4aac37c639089dd43af597e013e7234c717ab1e #memprot pthread
+12 https://github.com/GrapheneOS/platform_bionic/commit/eac5de68f90a127cf86805a62162fd09042ac59a #xor
+12 https://github.com/GrapheneOS/platform_bionic/commit/74b34dcb984856c6bc0a9f92325857ac2088fddd #junk
+12 https://github.com/GrapheneOS/platform_bionic/commit/483f5ee420d4d0d2bbb94a005671d0d3fa697855 #guard
+12 https://github.com/GrapheneOS/platform_bionic/commit/96bf26c75842d93dc9ff954ab84e644a50f18ec5 #pthread guard
+12 https://github.com/GrapheneOS/platform_bionic/commit/4afc356e9f3953a9e1a75389d5b6279b385daaa7 #stack rand
 11 https://github.com/GrapheneOS/platform_system_core/commit/b3a0c2c5db28852b6d485542c8a4f1649a256892
 11 https://github.com/GrapheneOS/platform_bionic/commit/5412c371955014eee8b2246b386ae7f539bac09e #explicit zero
 11 https://github.com/GrapheneOS/platform_bionic/commit/31456ac632903235e14500af8b5d7dff2d25d724 #brk
@@ -122,24 +209,36 @@ nojit
 9  https://github.com/GrapheneOS/platform_bionic/commit/85e5bca0a525a1cb8142aa092286ae3424983dd5 #move
 
 [implemented] automatically reboot device after timeout if set
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/663efe46ab069c5121c729ebe9bb46503e36a813
+12 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/a33e2ac46038f8fcf096f4fd129a2f7cee23174b
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/3afe69fda4e6d89c90bb5d35e43ed2cc272e20dc
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/607919bb5de5aa42558f73840a1f1c06fc5c04fd
 
-[implemented] Bluetooth auto turn off (CalyxOS)
+[implemented] Bluetooth auto turn off (partial CalyxOS?
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/6577307ef97cfeb4ba951d0c9e2696a21bd1237a
+12 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/cfc5b87c62cc67b5a242a3030eba7fff934871b5
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/e9d17cd4807dbfa837b16296b3a2e4434c060002
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/43ca9fac87286bab5db3be5ee079e0047a469a66
 
-[implemented] Wi-Fi auto turn off (CalyxOS)
+[implemented] Wi-Fi auto turn off (partial CalyxOS?)
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/b008fb6e05af55577bad6046af4a91af4fccaeca
+12 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/0f8a16323cfe431da8146e5ae58972c42b4d32d6
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/423f3e151beae0c608881d4bf16b8dff22b5efc6
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/ff9e9e0abf72b4df05d21bb462a305c8c09a8ba0
 
 [implemented] ptrace scope
+12 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/5856ae7235b4b7880eee747b36c555ed3dc18c15
+12 https://github.com/GrapheneOS/platform_system_core/commit/e3f9fc0f142294720e0cc69b6b80a336747def72
+12 https://github.com/GrapheneOS/platform_system_sepolicy/commit/1969d65929ce84a75f502cd4980ad8f10b10db0c
+12 https://github.com/GrapheneOS/platform_system_sepolicy/commit/5009524a0aa2930c51dba42390a73bb0da376851
 11 https://github.com/GrapheneOS/platform_system_core/commit/ad017fba58cf8918a2dfe05f90affd2e1abe6b6a
 11 https://github.com/GrapheneOS/platform_system_sepolicy/commit/3b896055810f2e38cde0095083811c35bc0a49c6
 11 https://github.com/GrapheneOS/platform_system_sepolicy/commit/8b0419ac044d5173b9c787cc66180a586c3a601b
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/52ea603339c54d589009c8ee218509f3835ad011
 
 [implemented] fwrapv
+12 https://github.com/GrapheneOS/platform_build/commit/3f48705d28662a3e95d13f4e7fec6f49f59b34f3
+12 https://github.com/GrapheneOS/platform_build_soong/commit/428b9ac0dd158026a47b1d512cb6b13bf9995032
 11 https://github.com/GrapheneOS/platform_build_soong/commit/7c87660739544e1ab3bef757dae869894c01cb2e
 11 https://github.com/GrapheneOS/platform_build/commit/508c9f9cbd04cdb52806e4ac2e6dd48fd27254d6
 10 https://github.com/GrapheneOS/platform_build_soong/commit/6760a427250f7a8249fe45bfd5af35f54ed739b1
@@ -154,14 +253,23 @@ nojit
 11 https://github.com/GrapheneOS/platform_frameworks_native/commit/1f05db99ab42ee184c1c318f66bf6ee4b869ae5b
 
 [implemented] alloc_size
+12 https://github.com/GrapheneOS/platform_system_bt/commit/3ee1dde662b9b42c1a344fc9c6613b12e96b80cf
 11 https://github.com/GrapheneOS/platform_system_bt/commit/f242089d3fe68666cba509f005f0ff7d6c26a015
 10 https://github.com/GrapheneOS/platform_system_bt/commit/abcf485dcff6c7b06b0f241b4729fc8e2cf1d74f
 9x https://github.com/GrapheneOS/platform_system_bt/commit/c5db5a9f9e8c0b7fc0b96390f5a58089f8fbbe32
 
 [implemented] secondary user disable install
+12 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/2120c698b9146047a9a76a61cc9946a8be30c210
 11 https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/62f81c237b7f4a33fbb13752def9cbf3f5c9e0d4
 
 [implemented] constify
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/b3a5c3db7fa158619656871ba3c5e3a73ee73725
+12 https://github.com/GrapheneOS/platform_art/commit/290124f03583d79e9d444af3a047137d65d27870
+12 https://github.com/GrapheneOS/platform_packages_apps_Nfc/commit/862e68ca4e085bbb008196f2483f37ef4d0ed331
+12 https://github.com/GrapheneOS/platform_packages_apps_Bluetooth/commit/eecdcd777151732b6265dac81b900ebfe86bed96
+12 https://github.com/GrapheneOS/platform_libcore/commit/20c0c9bf60900ea3a1377f9e95427c849e3c441e
+12 https://github.com/GrapheneOS/platform_frameworks_ex/commit/b69c15ee1b05ee1d9e6fdbb2c5572e033fa8e3e6
+12 https://github.com/GrapheneOS/platform_external_conscrypt/commit/2dfc7fcb1fb2a661d48e7bb94bee9e5036090611
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/63b9f96a121648ce0815b4ff21a670af9d643203
 11 https://github.com/GrapheneOS/platform_packages_apps_Bluetooth/commit/d8a62b5156007c507e6de4ced1e0db8c271504ee
 11 https://github.com/GrapheneOS/platform_libcore/commit/e3a4d64f29c9a0cad11fe06af6ff378c9ea9dbea
@@ -189,6 +297,21 @@ nojit
 12 https://github.com/GrapheneOS/platform_frameworks_base/commit/f4b8f281032c4d69b22c6d1b47adec3123c526fc
 
 [implemented] exec spawning
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/0e356d803d9a4fe0cbc8fb41ed7622bea41d7deb
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/89dded236b1fee41914510840055b7cc4d6369cb
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/e3ffa598b29637f3d67bed71fac3b0c01f6bb881
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/47b79274d5ea0bf09a633b43bb72fef167261691
+12xhttps://github.com/GrapheneOS/platform_frameworks_base/commit/d11e5c8ad0f83e48b9dde21e12227e3dad17956d
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/fdc630db4ee0a4e8c6477d0f29d552af7f8089cd
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/08a12ec1affc5142f693552d8c3ea2d8422d098c
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/d5f04fad42492214df8f0239d9e7e6db186710e3
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/0c4a246842953ceb531f78f33de33b902ef2a3df
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/46b912e1646989a525b9f948711813beb445e9b6
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/067d641615de51032ee8e34d2939bcd4894c2e6d
+12 https://github.com/GrapheneOS/platform_frameworks_base/commit/8bc4887e3f0be372867537ae1e6b9bed86957412
+12 https://github.com/GrapheneOS/platform_build/commit/8e01dd93f29aba79e15a211084582afd9681e8ab
+12 https://github.com/GrapheneOS/platform_libcore/commit/c5ee98157523315b3829d0158082433f8b9f96a3
+12 https://github.com/GrapheneOS/platform_libcore/commit/7f186c7a6745e1ce9e407e10782086fa35ef746e
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/14c3c1d4cd2df5dde69274e76a91b42fa383e577
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/ac1943345ec96411ecbac3ce9b15cb371cc03551
 11 https://github.com/GrapheneOS/platform_frameworks_base/commit/1abb8050413dae6ac6c1a082a38fb555c88534b9
@@ -230,6 +353,9 @@ nojit
 9  https://github.com/GrapheneOS/platform_frameworks_base/commit/8806ec3ef166fe1fd1eeb690ace6dd5a7682195c
 
 [implemented] hardened_malloc
+12 https://github.com/GrapheneOS/platform_bionic/commit/e63d04c19cf13923165b30ad3b7cd499ad8f05e6
+12 https://github.com/GrapheneOS/platform_build_soong/commit/cc973e807d440a2cfe7bed420fbf7ae25985ddc1
+12 https://github.com/GrapheneOS/platform_system_core/commit/0b3bd63d593f3182ab6295695dc092f8a9b0eb20
 11 https://github.com/GrapheneOS/platform_system_core/commit/8c0f3c0e04d279daf9f0e9a338c698ed95a026b6
 11 https://github.com/GrapheneOS/platform_build_soong/commit/4e6320c247b78f456a83a0393360e7be1105eb5a
 11 https://github.com/GrapheneOS/platform_bionic/commit/108754debbfbaf19843aecc76679f302780c5686
diff --git a/Patches/LineageOS-19.1/android_bionic/0001-HM-Use_HM.patch b/Patches/LineageOS-19.1/android_bionic/0001-HM-Use_HM.patch
index 8ff0e913..7b87586a 100644
--- a/Patches/LineageOS-19.1/android_bionic/0001-HM-Use_HM.patch
+++ b/Patches/LineageOS-19.1/android_bionic/0001-HM-Use_HM.patch
@@ -5,6 +5,7 @@ Subject: [PATCH] use Scudo on 32-bit and hardened_malloc on 64-bit
 
 Co-authored-by: anupritaisno1 <www.anuprita804@gmail.com>
 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
+[tad@spotco.us]: kept Lineage's scudo 32-bit workaround
 ---
  libc/Android.bp                  | 39 +++++++++++-------------
  libc/bionic/h_malloc_wrapper.cpp | 51 ++++++++++++++++++++++++++++++++
diff --git a/Patches/LineageOS-19.1/android_build/0002-OTA_Keys.patch b/Patches/LineageOS-19.1/android_build/0002-OTA_Keys.patch
index c09d7f7e..e5c298a0 100644
--- a/Patches/LineageOS-19.1/android_build/0002-OTA_Keys.patch
+++ b/Patches/LineageOS-19.1/android_build/0002-OTA_Keys.patch
@@ -26,7 +26,6 @@ index 4b4ba3ccb8..dac79d1ff7 100644
  DEXPREOPT_DISABLED_MODULES :=
  # If a module has multiple setups, the first takes precedence.
 diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
-index cedad5b490..7eea027506 100644
 --- a/target/product/security/Android.mk
 +++ b/target/product/security/Android.mk
 @@ -63,8 +63,15 @@ LOCAL_MODULE_CLASS := ETC
@@ -52,8 +51,8 @@ index cedad5b490..7eea027506 100644
  extra_recovery_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
  
 -$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-++OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-++
++OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
++
 +ifneq ($(OTA_KEY_OVERRIDE_DIR),)
 +    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
 +endif
diff --git a/Patches/LineageOS-19.1/android_build/0003-Exec_Based_Spawning.patch b/Patches/LineageOS-19.1/android_build/0003-Exec_Based_Spawning.patch
index d69dc1c8..f17d8fc8 100644
--- a/Patches/LineageOS-19.1/android_build/0003-Exec_Based_Spawning.patch
+++ b/Patches/LineageOS-19.1/android_build/0003-Exec_Based_Spawning.patch
@@ -1,4 +1,4 @@
-From 8e01dd93f29aba79e15a211084582afd9681e8ab Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Thu, 17 Sep 2020 10:53:00 -0400
 Subject: [PATCH] disable enforce RRO for mainline devices
@@ -14,10 +14,10 @@ Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/target/product/generic_system.mk b/target/product/generic_system.mk
-index d930957dfb..f0a9400b86 100644
+index f13c9db4d1..06126f5117 100644
 --- a/target/product/generic_system.mk
 +++ b/target/product/generic_system.mk
-@@ -113,7 +113,7 @@ PRODUCT_COPY_FILES += \
+@@ -116,7 +116,7 @@ PRODUCT_COPY_FILES += \
  # Enable dynamic partition size
  PRODUCT_USE_DYNAMIC_PARTITION_SIZE := true
  
diff --git a/Patches/LineageOS-19.1/android_build_soong/0002-hm_apex.patch b/Patches/LineageOS-19.1/android_build_soong/0002-hm_apex.patch
index 59606924..4241f435 100644
--- a/Patches/LineageOS-19.1/android_build_soong/0002-hm_apex.patch
+++ b/Patches/LineageOS-19.1/android_build_soong/0002-hm_apex.patch
@@ -1,4 +1,4 @@
-From cc973e807d440a2cfe7bed420fbf7ae25985ddc1 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: anupritaisno1 <www.anuprita804@gmail.com>
 Date: Sun, 13 Sep 2020 09:35:41 +0000
 Subject: [PATCH] make hardened malloc available to apexes
diff --git a/Patches/LineageOS-19.1/android_external_hardened_malloc/0001-Broken_Cameras.patch b/Patches/LineageOS-19.1/android_external_hardened_malloc/0001-Broken_Cameras.patch
new file mode 100644
index 00000000..f79b1cba
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_external_hardened_malloc/0001-Broken_Cameras.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Tue, 15 Mar 2022 22:18:26 -0400
+Subject: [PATCH] Expand workaround to all camera executables
+
+Signed-off-by: Tad <tad@spotco.us>
+Change-Id: I23513ec0379bbb10829f989690334e9704fd20e2
+---
+ h_malloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/h_malloc.c b/h_malloc.c
+index 5fceaef..70a3e82 100644
+--- a/h_malloc.c
++++ b/h_malloc.c
+@@ -1082,7 +1082,8 @@ COLD static void handle_bugs(void) {
+ 
+     // Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL camera provider
+     const char camera_provider[] = "/vendor/bin/hw/android.hardware.camera.provider@2.4-service_64";
+-    if (strcmp(camera_provider, path) == 0) {
++    // Any camera executable on system partition
++    if (strcmp(camera_provider, path) == 0 || (strstr(path, "camera") != NULL && (strncmp("/system", path, 7) == 0 || strncmp("/vendor", path, 7) == 0))) {
+         ro.zero_on_free = false;
+         ro.purge_slabs = false;
+         ro.region_quarantine_protect = false;
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-4.patch b/Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-4.patch
new file mode 100644
index 00000000..2c5fcd7b
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-4.patch
@@ -0,0 +1,43 @@
+From 2f262ed47122e57283ee85c2cca138728559ef35 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Mon, 10 Jan 2022 15:50:33 +0200
+Subject: [PATCH] make DownloadManager.enqueue() a no-op when INTERNET
+ permission is revoked
+
+---
+ core/java/android/app/DownloadManager.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/core/java/android/app/DownloadManager.java b/core/java/android/app/DownloadManager.java
+index 355092378279..cb4a16641953 100644
+--- a/core/java/android/app/DownloadManager.java
++++ b/core/java/android/app/DownloadManager.java
+@@ -16,6 +16,7 @@
+ 
+ package android.app;
+ 
++import android.Manifest;
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.annotation.RequiresPermission;
+@@ -31,6 +32,7 @@
+ import android.content.ContentUris;
+ import android.content.ContentValues;
+ import android.content.Context;
++import android.content.pm.PackageManager;
+ import android.database.Cursor;
+ import android.database.CursorWrapper;
+ import android.database.DatabaseUtils;
+@@ -1115,6 +1117,12 @@ public void onMediaStoreDownloadsDeleted(@NonNull LongSparseArray<String> idToMi
+      * calls related to this download.
+      */
+     public long enqueue(Request request) {
++        // don't crash apps that expect INTERNET permission to be always granted
++        Context ctx = ActivityThread.currentApplication();
++        if (ctx != null && ctx.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
++            // invalid id (DownloadProvider uses SQLite and returns a row id)
++            return -1;
++        }
+         ContentValues values = request.toContentValues(mPackageName);
+         Uri downloadUri = mResolver.insert(Downloads.Impl.CONTENT_URI, values);
+         long id = Long.parseLong(downloadUri.getLastPathSegment());
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-5.patch b/Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-5.patch
new file mode 100644
index 00000000..46cff73d
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0013-Network_Permission-5.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Sat, 5 Feb 2022 11:08:55 +0200
+Subject: [PATCH] make DownloadManager.query() a no-op when INTERNET permission
+ is revoked
+
+---
+ core/java/android/app/DownloadManager.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/core/java/android/app/DownloadManager.java b/core/java/android/app/DownloadManager.java
+index c209660f4197..2b141e17a80b 100644
+--- a/core/java/android/app/DownloadManager.java
++++ b/core/java/android/app/DownloadManager.java
+@@ -34,6 +34,7 @@ import android.content.Context;
+ import android.database.Cursor;
+ import android.database.CursorWrapper;
+ import android.database.DatabaseUtils;
++import android.database.MatrixCursor;
+ import android.net.ConnectivityManager;
+ import android.net.NetworkPolicyManager;
+ import android.net.Uri;
+@@ -1170,6 +1171,12 @@ public class DownloadManager {
+ 
+     /** @hide */
+     public Cursor query(Query query, String[] projection) {
++        // don't crash apps that expect INTERNET permission to be always granted
++        Context ctx = ActivityThread.currentApplication();
++        if (ctx != null && ctx.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
++            // underlying provider is protected by the INTERNET permission
++            return new MatrixCursor(projection);
++        }
+         Cursor underlyingCursor = query.runQuery(mResolver, projection, mBaseUri);
+         if (underlyingCursor == null) {
+             return null;
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators.patch b/Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators-1.patch
similarity index 100%
rename from Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators.patch
rename to Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators-1.patch
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators-2.patch b/Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators-2.patch
new file mode 100644
index 00000000..12d8f8a1
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0020-Location_Indicators-2.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <flawedworld@flawed.world>
+Date: Fri, 25 Feb 2022 01:02:26 +0000
+Subject: [PATCH] Exclude Bluetooth app from Location indicators
+
+---
+ core/res/res/values/config.xml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
+index 7305ccc93e93..5114704eac33 100644
+--- a/core/res/res/values/config.xml
++++ b/core/res/res/values/config.xml
+@@ -1753,7 +1753,9 @@
+          set before. -->
+     <bool name="config_defaultAdasGnssLocationEnabled" translatable="false">false</bool>
+ 
+-    <string-array name="config_locationExtraPackageNames" translatable="false"></string-array>
++    <string-array name="config_locationExtraPackageNames" translatable="false">
++     <item>com.android.bluetooth</item>
++    </string-array>
+ 
+     <!-- The package name of the default network recommendation app.
+          A network recommendation provider must:
diff --git a/Patches/LineageOS-19.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch b/Patches/LineageOS-19.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
index d41977a7..c5a94a5a 100644
--- a/Patches/LineageOS-19.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
+++ b/Patches/LineageOS-19.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
@@ -17,21 +17,21 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
  res/values-de/cm_strings.xml                  |  3 +
  res/values/cm_strings.xml                     |  5 ++
  res/xml/network_and_internet.xml              |  7 ++
- .../android/settings/ResetNetworkConfirm.java |  3 +
+ .../android/settings/ResetNetworkConfirm.java |  4 +
  ...CaptivePortalModePreferenceController.java | 82 +++++++++++++++++++
  .../network/CaptivePortalWarningDialog.java   | 74 +++++++++++++++++
  .../CaptivePortalWarningDialogHost.java       | 32 ++++++++
  .../network/NetworkDashboardFragment.java     | 17 +++-
- 8 files changed, 222 insertions(+), 1 deletion(-)
+ 8 files changed, 223 insertions(+), 1 deletion(-)
  create mode 100644 src/com/android/settings/network/CaptivePortalModePreferenceController.java
  create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialog.java
  create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java
 
 diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
-index 1669bf4fbf..0c3ebffd3e 100644
+index daf7a19a8f..326564d973 100644
 --- a/res/values-de/cm_strings.xml
 +++ b/res/values-de/cm_strings.xml
-@@ -23,6 +23,9 @@
+@@ -36,6 +36,9 @@
      <string name="volume_link_notification_title">Klingelton- und Benachrichtigungslautstärke verknüpfen</string>
      <string name="unlock_scramble_pin_layout_title">Zufällige Anordnung</string>
      <string name="unlock_scramble_pin_layout_summary">Bei jedem Entsperrversuch die Ziffernanordnung zufällig neu wählen</string>
@@ -74,10 +74,18 @@ index d842aad021..7f82235a2b 100644
 +
  </PreferenceScreen>
 diff --git a/src/com/android/settings/ResetNetworkConfirm.java b/src/com/android/settings/ResetNetworkConfirm.java
-index f79bdb2e36..aab19b4c73 100644
+index f79bdb2e36..58372582e1 100644
 --- a/src/com/android/settings/ResetNetworkConfirm.java
 +++ b/src/com/android/settings/ResetNetworkConfirm.java
-@@ -142,6 +142,9 @@ public class ResetNetworkConfirm extends InstrumentedFragment {
+@@ -37,6 +37,7 @@ import android.os.Looper;
+ import android.os.RecoverySystem;
+ import android.os.UserHandle;
+ import android.os.UserManager;
++import android.provider.Settings;
+ import android.telephony.SubscriptionManager;
+ import android.telephony.SubscriptionManager.OnSubscriptionsChangedListener;
+ import android.telephony.TelephonyManager;
+@@ -142,6 +143,9 @@ public class ResetNetworkConfirm extends InstrumentedFragment {
                  }
              }
  
diff --git a/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-1.patch b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-1.patch
new file mode 100644
index 00000000..3ef6ca9e
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-1.patch
@@ -0,0 +1,121 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Tue, 5 Oct 2021 17:05:49 -0700
+Subject: [PATCH] Add callback for enforcing INTERNET permission changes
+
+Change-Id: Ic79b9c6a6cb35c69de16732ce5be0a3e6e81d066
+---
+ framework/api/system-current.txt                 |  1 +
+ .../src/android/net/ConnectivityManager.java     | 16 ++++++++++++++++
+ .../src/android/net/IConnectivityManager.aidl    |  2 ++
+ .../com/android/server/ConnectivityService.java  |  6 ++++++
+ .../server/connectivity/PermissionMonitor.java   |  5 +++++
+ 5 files changed, 30 insertions(+)
+
+diff --git a/framework/api/system-current.txt b/framework/api/system-current.txt
+index d1d51da15..09a678d9b 100644
+--- a/framework/api/system-current.txt
++++ b/framework/api/system-current.txt
+@@ -51,6 +51,7 @@ package android.net {
+     method @Deprecated @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS) public String getCaptivePortalServerUrl();
+     method @Deprecated @RequiresPermission(android.Manifest.permission.TETHER_PRIVILEGED) public void getLatestTetheringEntitlementResult(int, boolean, @NonNull java.util.concurrent.Executor, @NonNull android.net.ConnectivityManager.OnTetheringEntitlementResultListener);
+     method @Deprecated @RequiresPermission(anyOf={android.Manifest.permission.TETHER_PRIVILEGED, android.Manifest.permission.WRITE_SETTINGS}) public boolean isTetheringSupported();
++    method public void onPackagePermissionChanged(int);
+     method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_FACTORY}) public int registerNetworkProvider(@NonNull android.net.NetworkProvider);
+     method public void registerQosCallback(@NonNull android.net.QosSocketInfo, @NonNull java.util.concurrent.Executor, @NonNull android.net.QosCallback);
+     method @Deprecated @RequiresPermission(android.Manifest.permission.TETHER_PRIVILEGED) public void registerTetheringEventCallback(@NonNull java.util.concurrent.Executor, @NonNull android.net.ConnectivityManager.OnTetheringEventCallback);
+diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
+index 2eb5fb72a..fd37a9746 100644
+--- a/framework/src/android/net/ConnectivityManager.java
++++ b/framework/src/android/net/ConnectivityManager.java
+@@ -16,6 +16,7 @@
+ package android.net;
+ 
+ import static android.annotation.SystemApi.Client.MODULE_LIBRARIES;
++import static android.annotation.SystemApi.Client.SYSTEM_SERVER;
+ import static android.net.NetworkRequest.Type.BACKGROUND_REQUEST;
+ import static android.net.NetworkRequest.Type.LISTEN;
+ import static android.net.NetworkRequest.Type.LISTEN_FOR_BEST;
+@@ -34,6 +35,7 @@ import android.annotation.SdkConstant.SdkConstantType;
+ import android.annotation.SuppressLint;
+ import android.annotation.SystemApi;
+ import android.annotation.SystemService;
++import android.annotation.UserIdInt;
+ import android.app.PendingIntent;
+ import android.app.admin.DevicePolicyManager;
+ import android.compat.annotation.UnsupportedAppUsage;
+@@ -5499,4 +5501,18 @@ public class ConnectivityManager {
+     public static Range<Integer> getIpSecNetIdRange() {
+         return new Range(TUN_INTF_NETID_START, TUN_INTF_NETID_START + TUN_INTF_NETID_RANGE - 1);
+     }
++
++    /**
++     * Notify ConnectivityService of a runtime permission change for the given package and user ID.
++     *
++     * @hide
++     */
++    @SystemApi
++    public void onPackagePermissionChanged(int uid) {
++        try {
++            mService.onPackagePermissionChanged(uid);
++        } catch (RemoteException e) {
++            throw e.rethrowFromSystemServer();
++        }
++    }
+ }
+diff --git a/framework/src/android/net/IConnectivityManager.aidl b/framework/src/android/net/IConnectivityManager.aidl
+index 50ec78120..2d09c0422 100644
+--- a/framework/src/android/net/IConnectivityManager.aidl
++++ b/framework/src/android/net/IConnectivityManager.aidl
+@@ -228,4 +228,6 @@ interface IConnectivityManager
+     void unofferNetwork(in INetworkOfferCallback callback);
+ 
+     void setTestAllowBadWifiUntil(long timeMs);
++
++    void onPackagePermissionChanged(int uid);
+ }
+diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
+index 418e9e33b..d4da9a42a 100644
+--- a/service/src/com/android/server/ConnectivityService.java
++++ b/service/src/com/android/server/ConnectivityService.java
+@@ -93,6 +93,7 @@ import static java.util.Map.Entry;
+ import android.Manifest;
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
++import android.annotation.UserIdInt;
+ import android.app.AppOpsManager;
+ import android.app.BroadcastOptions;
+ import android.app.PendingIntent;
+@@ -10346,4 +10347,9 @@ public class ConnectivityService extends IConnectivityManager.Stub
+             return createNetworkRequest(NetworkRequest.Type.REQUEST, netcap);
+         }
+     }
++
++    @Override
++    public void onPackagePermissionChanged(int uid) {
++        mPermissionMonitor.onInternetPermissionChanged(uid);
++    }
+ }
+diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
+index a49c0a6e8..a43ee18b3 100755
+--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
++++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
+@@ -32,6 +32,7 @@ import static android.os.Process.SYSTEM_UID;
+ import static com.android.net.module.util.CollectionUtils.toIntArray;
+ 
+ import android.annotation.NonNull;
++import android.annotation.UserIdInt;
+ import android.content.BroadcastReceiver;
+ import android.content.Context;
+ import android.content.Intent;
+@@ -278,6 +279,10 @@ public class PermissionMonitor {
+         sendPackagePermissionsToNetd(netdPermsUids);
+     }
+ 
++    public void onInternetPermissionChanged(int uid) {
++        sendPackagePermissionsForUid(UserHandle.getAppId(uid), getPermissionForUid(uid));
++    }
++
+     @VisibleForTesting
+     synchronized void updateUidsAllowedOnRestrictedNetworks(final Set<Integer> uids) {
+         mUidsAllowedOnRestrictedNetworks.clear();
diff --git a/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-2.patch b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-2.patch
new file mode 100644
index 00000000..6537a18d
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-2.patch
@@ -0,0 +1,320 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pratyush <codelab@pratyush.dev>
+Date: Wed, 13 Oct 2021 22:20:53 +0530
+Subject: [PATCH] use uid instead of app id
+
+---
+ .../connectivity/PermissionMonitor.java       | 142 +++++++++---------
+ 1 file changed, 68 insertions(+), 74 deletions(-)
+
+diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
+index a43ee18b3..8625f3c80 100755
+--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
++++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
+@@ -225,42 +225,44 @@ public class PermissionMonitor {
+         // mUidsAllowedOnRestrictedNetworks.
+         updateUidsAllowedOnRestrictedNetworks(mDeps.getUidsAllowedOnRestrictedNetworks(mContext));
+ 
+-        List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
+-                | MATCH_ANY_USER);
+-        if (apps == null) {
+-            loge("No apps");
+-            return;
+-        }
+-
+         SparseIntArray netdPermsUids = new SparseIntArray();
+ 
+-        for (PackageInfo app : apps) {
+-            int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+-            if (uid < 0) {
++        mUsers.addAll(mUserManager.getUserHandles(true /* excludeDying */));
++
++        for(UserHandle user : mUsers){
++            PackageManager pmUser = mContext.createContextAsUser(user,0).getPackageManager();
++            List<PackageInfo> apps = pmUser.getInstalledPackages(GET_PERMISSIONS);
++            if (apps == null) {
++                loge("No apps");
+                 continue;
+             }
+-            mAllApps.add(UserHandle.getAppId(uid));
+ 
+-            boolean isNetwork = hasNetworkPermission(app);
+-            boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
++            for (PackageInfo app : apps) {
++                int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
++                if (uid < 0) {
++                    continue;
++                }
++                mAllApps.add(uid);
+ 
+-            if (isNetwork || hasRestrictedPermission) {
+-                Boolean permission = mApps.get(UserHandle.getAppId(uid));
+-                // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+-                // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+-                if (permission == null || permission == NETWORK) {
+-                    mApps.put(UserHandle.getAppId(uid), hasRestrictedPermission);
++                boolean isNetwork = hasNetworkPermission(app);
++                boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
++
++                if (isNetwork || hasRestrictedPermission) {
++                    Boolean permission = mApps.get(uid);
++                    // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
++                    // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
++                    if (permission == null || permission == NETWORK) {
++                        mApps.put(uid, hasRestrictedPermission);
++                    }
+                 }
+-            }
+ 
+-            //TODO: unify the management of the permissions into one codepath.
+-            int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+-                    app.requestedPermissionsFlags);
+-            netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
++                //TODO: unify the management of the permissions into one codepath.
++                int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
++                        app.requestedPermissionsFlags);
++                netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
++            }
+         }
+ 
+-        mUsers.addAll(mUserManager.getUserHandles(true /* excludeDying */));
+-
+         final SparseArray<String> netdPermToSystemPerm = new SparseArray<>();
+         netdPermToSystemPerm.put(INetd.PERMISSION_INTERNET, INTERNET);
+         netdPermToSystemPerm.put(INetd.PERMISSION_UPDATE_DEVICE_STATS, UPDATE_DEVICE_STATS);
+@@ -280,7 +282,7 @@ public class PermissionMonitor {
+     }
+ 
+     public void onInternetPermissionChanged(int uid) {
+-        sendPackagePermissionsForUid(UserHandle.getAppId(uid), getPermissionForUid(uid));
++        sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+     }
+ 
+     @VisibleForTesting
+@@ -291,9 +293,7 @@ public class PermissionMonitor {
+         // is only installed on some users because the uid cannot match some other app – this uid is
+         // in effect not installed and can't be run.
+         // TODO (b/192431153): Change appIds back to uids.
+-        for (int uid : uids) {
+-            mUidsAllowedOnRestrictedNetworks.add(UserHandle.getAppId(uid));
+-        }
++        mUidsAllowedOnRestrictedNetworks.addAll(uids);
+     }
+ 
+     @VisibleForTesting
+@@ -315,7 +315,7 @@ public class PermissionMonitor {
+         if (appInfo == null) return false;
+         // Check whether package's uid is in allowed on restricted networks uid list. If so, this
+         // uid can have netd system permission.
+-        return mUidsAllowedOnRestrictedNetworks.contains(UserHandle.getAppId(appInfo.uid));
++        return mUidsAllowedOnRestrictedNetworks.contains(appInfo.uid);
+     }
+ 
+     @VisibleForTesting
+@@ -351,14 +351,14 @@ public class PermissionMonitor {
+         // networks. mApps contains the result of checks for both hasNetworkPermission and
+         // hasRestrictedNetworkPermission. If uid is in the mApps list that means uid has one of
+         // permissions at least.
+-        return mApps.containsKey(UserHandle.getAppId(uid));
++        return mApps.containsKey(uid);
+     }
+ 
+     /**
+      * Returns whether the given uid has permission to use restricted networks.
+      */
+     public synchronized boolean hasRestrictedNetworksPermission(int uid) {
+-        return Boolean.TRUE.equals(mApps.get(UserHandle.getAppId(uid)));
++        return Boolean.TRUE.equals(mApps.get(uid));
+     }
+ 
+     private void update(Set<UserHandle> users, Map<Integer, Boolean> apps, boolean add) {
+@@ -424,21 +424,17 @@ public class PermissionMonitor {
+      *             permission.
+      */
+     @VisibleForTesting
+-    protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
++    protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
+         if (currentPermission == SYSTEM) {
+             return currentPermission;
+         }
+-        try {
+-            final PackageInfo app = mPackageManager.getPackageInfo(name,
+-                    GET_PERMISSIONS | MATCH_ANY_USER);
++        final PackageInfo app = getPackageInfo(name, UserHandle.getUserHandleForUid(uid));
++        if(app != null){
+             final boolean isNetwork = hasNetworkPermission(app);
+             final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+             if (isNetwork || hasRestrictedPermission) {
+                 currentPermission = hasRestrictedPermission;
+             }
+-        } catch (NameNotFoundException e) {
+-            // App not found.
+-            loge("NameNotFoundException " + name);
+         }
+         return currentPermission;
+     }
+@@ -450,7 +446,7 @@ public class PermissionMonitor {
+         final String[] packages = mPackageManager.getPackagesForUid(uid);
+         if (packages != null && packages.length > 0) {
+             for (String name : packages) {
+-                final PackageInfo app = getPackageInfo(name);
++                PackageInfo app = getPackageInfo(name,  UserHandle.getUserHandleForUid(uid));
+                 if (app != null && app.requestedPermissions != null) {
+                     permission |= getNetdPermissionMask(app.requestedPermissions,
+                             app.requestedPermissionsFlags);
+@@ -474,17 +470,16 @@ public class PermissionMonitor {
+     public synchronized void onPackageAdded(@NonNull final String packageName, final int uid) {
+         // TODO: Netd is using appId for checking traffic permission. Correct the methods that are
+         //  using appId instead of uid actually
+-        sendPackagePermissionsForUid(UserHandle.getAppId(uid), getPermissionForUid(uid));
++        sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+ 
+         // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+         // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+-        final int appId = UserHandle.getAppId(uid);
+-        final Boolean permission = highestPermissionForUid(mApps.get(appId), packageName);
+-        if (permission != mApps.get(appId)) {
+-            mApps.put(appId, permission);
++        final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
++        if (permission != mApps.get(uid)) {
++            mApps.put(uid, permission);
+ 
+             Map<Integer, Boolean> apps = new HashMap<>();
+-            apps.put(appId, permission);
++            apps.put(uid, permission);
+             update(mUsers, apps, true);
+         }
+ 
+@@ -499,7 +494,7 @@ public class PermissionMonitor {
+                 updateVpnUids(vpn.getKey(), changedUids, true);
+             }
+         }
+-        mAllApps.add(appId);
++        mAllApps.add(uid);
+     }
+ 
+     private Boolean highestUidNetworkPermission(int uid) {
+@@ -509,7 +504,7 @@ public class PermissionMonitor {
+             for (String name : packages) {
+                 // If multiple packages have the same UID, give the UID all permissions that
+                 // any package in that UID has.
+-                permission = highestPermissionForUid(permission, name);
++                permission = highestPermissionForUid(permission, name, uid);
+                 if (permission == SYSTEM) {
+                     break;
+                 }
+@@ -529,7 +524,7 @@ public class PermissionMonitor {
+     public synchronized void onPackageRemoved(@NonNull final String packageName, final int uid) {
+         // TODO: Netd is using appId for checking traffic permission. Correct the methods that are
+         //  using appId instead of uid actually
+-        sendPackagePermissionsForUid(UserHandle.getAppId(uid), getPermissionForUid(uid));
++        sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+ 
+         // If the newly-removed package falls within some VPN's uid range, update Netd with it.
+         // This needs to happen before the mApps update below, since removeBypassingUids() depends
+@@ -544,11 +539,11 @@ public class PermissionMonitor {
+         }
+         // If the package has been removed from all users on the device, clear it form mAllApps.
+         if (mPackageManager.getNameForUid(uid) == null) {
+-            mAllApps.remove(UserHandle.getAppId(uid));
++            mAllApps.remove(uid);
+         }
+ 
+         Map<Integer, Boolean> apps = new HashMap<>();
+-        final Boolean permission = highestUidNetworkPermission(uid);
++        final Boolean permission = highestPermissionForUid(null, packageName,uid);
+         if (permission == SYSTEM) {
+             // An app with this UID still has the SYSTEM permission.
+             // Therefore, this UID must already have the SYSTEM permission.
+@@ -556,23 +551,22 @@ public class PermissionMonitor {
+             return;
+         }
+ 
+-        final int appId = UserHandle.getAppId(uid);
+-        if (permission == mApps.get(appId)) {
++        if (permission == mApps.get(uid)) {
+             // The permissions of this UID have not changed. Nothing to do.
+             return;
+         } else if (permission != null) {
+-            mApps.put(appId, permission);
+-            apps.put(appId, permission);
++            mApps.put(uid, permission);
++            apps.put(uid, permission);
+             update(mUsers, apps, true);
+         } else {
+-            mApps.remove(appId);
+-            apps.put(appId, NETWORK);  // doesn't matter which permission we pick here
++            mApps.remove(uid);
++            apps.put(uid, NETWORK);  // doesn't matter which permission we pick here
+             update(mUsers, apps, false);
+         }
+     }
+ 
+     private static int getNetdPermissionMask(String[] requestedPermissions,
+-                                             int[] requestedPermissionsFlags) {
++            int[] requestedPermissionsFlags) {
+         int permissions = 0;
+         if (requestedPermissions == null || requestedPermissionsFlags == null) return permissions;
+         for (int i = 0; i < requestedPermissions.length; i++) {
+@@ -588,11 +582,10 @@ public class PermissionMonitor {
+         return permissions;
+     }
+ 
+-    private PackageInfo getPackageInfo(String packageName) {
++    private PackageInfo getPackageInfo(String packageName, UserHandle user) {
+         try {
+-            PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
+-                    | MATCH_ANY_USER);
+-            return app;
++            return mContext.createContextAsUser(user, 0).getPackageManager()
++                    .getPackageInfo(packageName, GET_PERMISSIONS);
+         } catch (NameNotFoundException e) {
+             return null;
+         }
+@@ -681,7 +674,7 @@ public class PermissionMonitor {
+      */
+     private void removeBypassingUids(Set<Integer> uids, int vpnAppUid) {
+         uids.remove(vpnAppUid);
+-        uids.removeIf(uid -> mApps.getOrDefault(UserHandle.getAppId(uid), NETWORK) == SYSTEM);
++        uids.removeIf(uid -> mApps.getOrDefault(uid, NETWORK) == SYSTEM);
+     }
+ 
+     /**
+@@ -823,13 +816,12 @@ public class PermissionMonitor {
+         for (Integer uid : uidsToUpdate) {
+             final Boolean permission = highestUidNetworkPermission(uid);
+ 
+-            final int appId = UserHandle.getAppId(uid);
+             if (null == permission) {
+-                removedUids.put(appId, NETWORK); // Doesn't matter which permission is set here.
+-                mApps.remove(appId);
++                removedUids.put(uid, NETWORK); // Doesn't matter which permission is set here.
++                mApps.remove(uid);
+             } else {
+-                updatedUids.put(appId, permission);
+-                mApps.put(appId, permission);
++                updatedUids.put(uid, permission);
++                mApps.put(uid, permission);
+             }
+         }
+ 
+@@ -844,12 +836,14 @@ public class PermissionMonitor {
+             return;
+         }
+ 
+-        for (String app : pkgList) {
+-            final PackageInfo info = getPackageInfo(app);
+-            if (info == null || info.applicationInfo == null) continue;
++        for (UserHandle user : mUsers){
++            for (String app : pkgList) {
++                final PackageInfo info = getPackageInfo(app, user);
++                if (info == null || info.applicationInfo == null) continue;
+ 
+-            final int appId = info.applicationInfo.uid;
+-            onPackageAdded(app, appId); // Use onPackageAdded to add package one by one.
++                final int appId = info.applicationInfo.uid;
++                onPackageAdded(app, appId); // Use onPackageAdded to add package one by one.
++            }
+         }
+     }
+ 
diff --git a/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-3.patch b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-3.patch
new file mode 100644
index 00000000..4fe08981
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0001-Network_Permission-3.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Tue, 14 Dec 2021 18:17:11 +0200
+Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
+
+---
+ framework/src/android/net/ConnectivityManager.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
+index fd37a9746..8857b7996 100644
+--- a/framework/src/android/net/ConnectivityManager.java
++++ b/framework/src/android/net/ConnectivityManager.java
+@@ -25,6 +25,7 @@ import static android.net.NetworkRequest.Type.TRACK_DEFAULT;
+ import static android.net.NetworkRequest.Type.TRACK_SYSTEM_DEFAULT;
+ import static android.net.QosCallback.QosCallbackRegistrationException;
+ 
++import android.Manifest;
+ import android.annotation.CallbackExecutor;
+ import android.annotation.IntDef;
+ import android.annotation.NonNull;
+@@ -42,6 +43,7 @@ import android.compat.annotation.UnsupportedAppUsage;
+ import android.content.ComponentName;
+ import android.content.Context;
+ import android.content.Intent;
++import android.content.pm.PackageManager;
+ import android.net.ConnectivityDiagnosticsManager.DataStallReport.DetectionMethod;
+ import android.net.IpSecManager.UdpEncapsulationSocket;
+ import android.net.SocketKeepalive.Callback;
+@@ -3139,6 +3141,12 @@ public class ConnectivityManager {
+      */
+     public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
+         printStackTrace();
++        if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
++            // ConnectivityService enforces this by throwing an unexpected SecurityException,
++            // which puts GMS into a crash loop. Also useful for other apps that don't expect that
++            // INTERNET permission might get revoked.
++            return;
++        }
+         try {
+             mService.reportNetworkConnectivity(network, hasConnectivity);
+         } catch (RemoteException e) {
diff --git a/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch
new file mode 100644
index 00000000..2a83ae20
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch
@@ -0,0 +1,228 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Thu, 21 Oct 2021 20:54:37 -0400
+Subject: [PATCH] Add more 'Private DNS' options
+
+This adds thirteen DNS providers as available presets.
+
+Credit: CalyxOS
+- Chirayu Desai <chirayudesai1@gmail.com>
+  https://review.calyxos.org/c/CalyxOS/platform_frameworks_base/+/446
+- Oliver Scott <olivercscott@gmail.com>
+  https://review.calyxos.org/c/CalyxOS/platform_frameworks_base/+/2327
+- Pavel Shirshov <pshirshov@eml.cc>
+  https://review.calyxos.org/c/CalyxOS/platform_frameworks_base/+/5356
+
+Signed-off-by: Tad <tad@spotco.us>
+Change-Id: Id75a774ce1ed109a83c6a5bf512536c643165d71
+---
+ .../java/android/net/ConnectivityManager.java | 104 ++++++++++++++++++
+ .../server/connectivity/DnsManager.java       |  66 +++++++++++
+ 2 files changed, 170 insertions(+)
+
+diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
+index ed03f5198d6f..7df32c10b16b 100644
+--- a/core/java/android/net/ConnectivityManager.java
++++ b/core/java/android/net/ConnectivityManager.java
+@@ -796,6 +796,58 @@ public class ConnectivityManager {
+      * @hide
+      */
+     public static final String PRIVATE_DNS_MODE_OFF = "off";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_ADGUARD = "adguard";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_APPLIEDPRIVACY = "appliedprivacy";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_CLEANBROWSING = "cleanbrowsing";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_CIRA = "cira";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_CZNIC = "cznic";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_CLOUDFLARE = "cloudflare";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_GOOGLE = "google";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_MULLVAD = "mullvad";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_QUADNINE = "quadnine";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_RESTENA = "restena";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_SWITCH = "switch";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_TWNIC = "twnic";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_MODE_UNCENSOREDDNS = "uncensoreddns";
+     /**
+      * @hide
+      */
+@@ -804,6 +856,58 @@ public class ConnectivityManager {
+      * @hide
+      */
+     public static final String PRIVATE_DNS_MODE_PROVIDER_HOSTNAME = "hostname";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_APPLIEDPRIVACY = "dot1.applied-privacy.net";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_ADGUARD = "dns.adguard.com";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_CIRA = "protected.canadianshield.cira.ca";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_CZNIC = "odvr.nic.cz";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_CLEANBROWSING = "security-filter-dns.cleanbrowsing.org";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_CLOUDFLARE = "security.cloudflare-dns.com";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_GOOGLE = "dns.google";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_MULLVAD = "adblock.doh.mullvad.net";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_QUADNINE = "dns.quad9.net";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_RESTENA = "kaitain.restena.lu";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_SWITCH = "dns.switch.ch";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_TWNIC = "101.101.101.101";
++    /**
++     * @hide
++     */
++    public static final String PRIVATE_DNS_SPECIFIER_UNCENSOREDDNS = "unicast.censurfridns.dk";
+     /**
+      * The default Private DNS mode.
+      *
+diff --git a/services/core/java/com/android/server/connectivity/DnsManager.java b/services/core/java/com/android/server/connectivity/DnsManager.java
+index cf6a7f6e8d70..5d3de9edc930 100644
+--- a/services/core/java/com/android/server/connectivity/DnsManager.java
++++ b/services/core/java/com/android/server/connectivity/DnsManager.java
+@@ -18,6 +18,32 @@ package com.android.server.connectivity;
+ 
+ import static android.net.ConnectivityManager.PRIVATE_DNS_DEFAULT_MODE_FALLBACK;
+ import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_OFF;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_ADGUARD;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_APPLIEDPRIVACY;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_CIRA;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_CLEANBROWSING;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_CLOUDFLARE;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_CZNIC;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_GOOGLE;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_MULLVAD;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_QUADNINE;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_RESTENA;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_SWITCH;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_TWNIC;
++import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_UNCENSOREDDNS;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_ADGUARD;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_APPLIEDPRIVACY;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_CIRA;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_CLEANBROWSING;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_CLOUDFLARE;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_CZNIC;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_GOOGLE;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_MULLVAD;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_QUADNINE;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_RESTENA;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_SWITCH;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_TWNIC;
++import static android.net.ConnectivityManager.PRIVATE_DNS_SPECIFIER_UNCENSOREDDNS;
+ import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_PROVIDER_HOSTNAME;
+ import static android.provider.Settings.Global.DNS_RESOLVER_MAX_SAMPLES;
+ import static android.provider.Settings.Global.DNS_RESOLVER_MIN_SAMPLES;
+@@ -136,6 +162,46 @@ public class DnsManager {
+             return new PrivateDnsConfig(specifier, null);
+         }
+ 
++        if (PRIVATE_DNS_MODE_ADGUARD.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_ADGUARD, null);
++        }
++        if (PRIVATE_DNS_MODE_APPLIEDPRIVACY.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_APPLIEDPRIVACY, null);
++        }
++        if (PRIVATE_DNS_MODE_CIRA.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_CIRA, null);
++        }
++        if (PRIVATE_DNS_MODE_CLEANBROWSING.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_CLEANBROWSING, null);
++        }
++        if (PRIVATE_DNS_MODE_CLOUDFLARE.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_CLOUDFLARE, null);
++        }
++        if (PRIVATE_DNS_MODE_CZNIC.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_CZNIC, null);
++        }
++        if (PRIVATE_DNS_MODE_GOOGLE.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_GOOGLE, null);
++        }
++        if (PRIVATE_DNS_MODE_MULLVAD.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_MULLVAD, null);
++        }
++        if (PRIVATE_DNS_MODE_QUADNINE.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_QUADNINE, null);
++        }
++        if (PRIVATE_DNS_MODE_RESTENA.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_RESTENA, null);
++        }
++        if (PRIVATE_DNS_MODE_SWITCH.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_SWITCH, null);
++        }
++        if (PRIVATE_DNS_MODE_TWNIC.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_TWNIC, null);
++        }
++        if (PRIVATE_DNS_MODE_UNCENSOREDDNS.equals(mode)) {
++            return new PrivateDnsConfig(PRIVATE_DNS_SPECIFIER_UNCENSOREDDNS, null);
++        }
++
+         return new PrivateDnsConfig(useTls);
+     }
+ 
diff --git a/PrebuiltApps b/PrebuiltApps
index d61df5a1..defba989 160000
--- a/PrebuiltApps
+++ b/PrebuiltApps
@@ -1 +1 @@
-Subproject commit d61df5a1f0c5b9a602e45cc9c62ba42e433853da
+Subproject commit defba989e7004809c1d67c2ba47952b66f9dd3cb
diff --git a/Scripts/Common/Deblob.sh b/Scripts/Common/Deblob.sh
index b3399047..1e465118 100644
--- a/Scripts/Common/Deblob.sh
+++ b/Scripts/Common/Deblob.sh
@@ -801,6 +801,7 @@ deblobVendorBp() {
 	#TODO make this work for more then these two blobs
 	#Credit: https://stackoverflow.com/a/26053127
 	sed -i ':a;N;s/\n/&/3;Ta;/manifest_android.hardware.drm@1.3-service.widevine.xml/!{P;D};:b;N;s/\n/&/8;Tb;d' "$bpfile";
+	sed -i ':a;N;s/\n/&/3;Ta;/manifest_android.hardware.drm@1.4-service.widevine.xml/!{P;D};:b;N;s/\n/&/8;Tb;d' "$bpfile";
 	sed -i ':a;N;s/\n/&/3;Ta;/vendor.qti.hardware.radio.atcmdfwd@1.0.xml/!{P;D};:b;N;s/\n/&/8;Tb;d' "$bpfile";
 }
 export -f deblobVendorBp;
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index f55616f7..aa90fd6a 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -199,7 +199,7 @@ processRelease() {
 	local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";
 
 	local RELEASETOOLS_PREFIX="build/tools/releasetools/";
-	if [[ "$DOS_VERSION" == "LineageOS-18.1" ]]; then
+	if [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]]; then
 		local RELEASETOOLS_PREFIX="";
 	fi;
 
@@ -724,7 +724,7 @@ changeDefaultDNS() {
 		echo "You must first set a preset via the DOS_DEFAULT_DNS_PRESET variable in init.sh!";
 	fi;
 
-	local files="$DOS_BUILD_BASE/bionic/libc/dns/net/getaddrinfo.c $DOS_BUILD_BASE/packages/apps/Dialer/java/com/android/voicemail/impl/sync/VvmNetworkRequestCallback.java $DOS_BUILD_BASE/packages/modules/Connectivity/framework/src/android/net/util/DnsUtils.java $DOS_BUILD_BASE/packages/modules/DnsResolver/getaddrinfo.cpp core/java/android/net/util/DnsUtils.java core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java services/java/com/android/server/connectivity/Tethering.java tests/BandwidthTests/src/com/android/tests/bandwidthenforcement/BandwidthEnforcementTestService.java core/java/com/android/internal/net/VpnProfile.java";
+	local files="$DOS_BUILD_BASE/bionic/libc/dns/net/getaddrinfo.c $DOS_BUILD_BASE/packages/apps/Dialer/java/com/android/voicemail/impl/sync/VvmNetworkRequestCallback.java $DOS_BUILD_BASE/packages/modules/Connectivity/framework/src/android/net/util/DnsUtils.java $DOS_BUILD_BASE/packages/modules/Connectivity/service/src/com/android/server/connectivity/NetworkDiagnostics.java $DOS_BUILD_BASE/packages/modules/Connectivity/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java $DOS_BUILD_BASE/packages/modules/DnsResolver/DnsResolver/doh.rs $DOS_BUILD_BASE/packages/modules/DnsResolver/DnsResolver/getaddrinfo.cpp $DOS_BUILD_BASE/packages/modules/DnsResolver/getaddrinfo.cpp core/java/android/net/util/DnsUtils.java core/java/com/android/internal/net/VpnProfile.java core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java services/java/com/android/server/connectivity/Tethering.java tests/BandwidthTests/src/com/android/tests/bandwidthenforcement/BandwidthEnforcementTestService.java";
 	sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true;
 	sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true;
 	sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
diff --git a/Scripts/Common/Post.sh b/Scripts/Common/Post.sh
index 5765637d..9f6dae7a 100644
--- a/Scripts/Common/Post.sh
+++ b/Scripts/Common/Post.sh
@@ -34,5 +34,8 @@ sed -i 's/static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MER
 #Commented as set by defconfig
 #sed -i 's/= IS_ENABLED(CONFIG_PAGE_POISONING_ENABLE_DEFAULT);/= true;/' kernel/*/*/mm/page_poison.c &>/dev/null || true; #4.4+ #XXX: shouldn't be enabled past 5.3
 
+#Build speedup
+sed -i 's/flags.Tidy = true/flags.Tidy = false/' build/soong/cc/tidy.go &>/dev/null || true; #Disable clang-tidy (GrapheneOS/kdrag0n)
+
 cd "$DOS_BUILD_BASE";
 echo -e "\e[0;32m[SCRIPT COMPLETE] Post tweaks complete\e[0m";
diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh
index 354a571f..094b6fb0 100644
--- a/Scripts/LineageOS-17.1/Functions.sh
+++ b/Scripts/LineageOS-17.1/Functions.sh
@@ -91,8 +91,9 @@ patchWorkspace() {
 	touch DOS_PATCHED_FLAG;
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	#source build/envsetup.sh;
+	source build/envsetup.sh;
 	#repopick -it ten-firewall;
+	repopick -it Q_asb_2022-04;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index 69f48c00..7e0a4110 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -142,13 +142,14 @@ patchWorkspace() {
 	touch DOS_PATCHED_FLAG;
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	#source build/envsetup.sh;
+	source build/envsetup.sh;
 	#repopick -it eleven-firewall;
 	#repopick -i 314130; #adbconnection: don't spin if adbd isn't running
 	#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 	#repopick -i 320663; #Trebuchet: Don't hide home screen rotation setting
 	#repopick -i 321297; #fs_mgr: Don't enable clean_scratch_files on non-dynamic devices
 	#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
+	repopick -it R_asb_2022-04;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index e1102ce3..03b42aa2 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -584,8 +584,8 @@ sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" ker
 
 sed -i 's/^YYLTYPE yylloc;/extern YYLTYPE yylloc;/' kernel/*/*/scripts/dtc/dtc-lexer.l*; #Fix builds with GCC 10
 rm -v kernel/*/*/drivers/staging/greybus/tools/Android.mk || true;
-awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/opt/net/wifi/service/res/values/config.xml; #deprecated
-awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/base/core/res/res/values/config.xml; #deprecated
+awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/opt/net/wifi/service/res/values/config.xml || true; #deprecated
+awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/base/core/res/res/values/config.xml || true; #deprecated
 #
 #END OF DEVICE CHANGES
 #
diff --git a/Scripts/LineageOS-19.1/CVE_Patchers/android_kernel_google_wahoo.sh b/Scripts/LineageOS-19.1/CVE_Patchers/android_kernel_google_wahoo.sh
new file mode 100644
index 00000000..ff284ed3
--- /dev/null
+++ b/Scripts/LineageOS-19.1/CVE_Patchers/android_kernel_google_wahoo.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+cd "$DOS_BUILD_BASE""kernel/google/wahoo"
+git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0005.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0007.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0009.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0010.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0011.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0012.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0013.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0014.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0015.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0016.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0017.patch
+#git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0019.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0020.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0021.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0022.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0023.patch
+git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2015-7837/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-1583/^4.6/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6187/^4.7/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-8394/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-10153/4.9/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0009.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0610/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0627/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9059/4.9/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9211/4.9/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9699/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11065/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13693/^4.12.9/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13694/^4.12.9/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14886/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-17052/4.9/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18061/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18174/^4.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18204/4.4/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-1000252/^4.13/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-3575/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5902/4.4/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5906/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9415/ANY/0005.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16597/4.4/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^5.0/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12378/^5.1.5/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12456/^5.1.5/0002.patch
+#git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14047/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15291/4.4/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-16994/4.9/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-19051/4.4/0012.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-19068/4.4/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-14386/3.10-^4.4/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-16119/^5.10/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-0935/4.9/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-1963/ANY/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-4149/4.9/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-20292/4.9/0004.patch
+#git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-30324/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-41864/4.9/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-42739/4.9/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-44879/^5.16/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-0435/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-0487/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-0492/4.9/0007.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-1016/4.9/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-1199/4.9/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-1199/4.9/0007.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-23037/4.9/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-23039/4.9/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-23040/4.9/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-23042/4.9/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-24958/4.4/0015.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-24958/4.4/0016.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-25258/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-25375/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-26966/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-27223/4.4/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-27950/^5.16/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-28356/4.9/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-GPZ2253/4.9/0007.patch
+editKernelLocalversion "-dos.p86"
+cd "$DOS_BUILD_BASE"
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index 0d7154bd..86a09fbc 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@@ -19,7 +19,7 @@ umask 0022;
 #Last verified: 2022-04-04
 
 patchAllKernels() {
-	startPatcher ""; #XXX 19REBASE
+	startPatcher "kernel_google_wahoo";
 }
 export -f patchAllKernels;
 
@@ -55,7 +55,9 @@ buildAll() {
 	cd "$DOS_BUILD_BASE";
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
 	if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
-	 #XXX 19REBASE
+	#SD835
+	buildDevice taimen avb;
+	#buildDevice walleye avb;
 }
 export -f buildAll;
 
@@ -65,7 +67,9 @@ patchWorkspace() {
 	touch DOS_PATCHED_FLAG;
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	#source build/envsetup.sh;
+	source build/envsetup.sh;
+	repopick -i 328251; #Scape apostrophes
+	#repopick -it S_asb_2022-04;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index 1ba56a74..3d69da25 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@@ -91,7 +91,6 @@ applyPatch "$DOS_PATCHES/android_build/0001-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_build/0003-Exec_Based_Spawning.patch"; fi; #Add exec-based spawning support (GrapheneOS) #XXX: most devices override this
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
-if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/aosp_product.mk; fi; #Replace the Messaging app with Silence
 awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 fi;
@@ -111,9 +110,9 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_ex
 fi;
 
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
-#if enterAndClear "external/hardened_malloc"; then
-#applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras.patch"; #Expand workaround to all camera executables #XXX 19REBASE
-#fi;
+if enterAndClear "external/hardened_malloc"; then
+applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras.patch"; #Expand workaround to all camera executables
+fi;
 fi;
 
 if enterAndClear "frameworks/base"; then
@@ -124,11 +123,12 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Rev
 applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
-#applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) #XXX 19REBASE: moved
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch"; #net: Notify ConnectivityService of runtime permission changes (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch"; #Make DownloadManager.enqueue() a no-op when INTERNET permission is revoked (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Make DownloadManager.query() a no-op when INTERNET permission is revoked (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
 if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
@@ -151,7 +151,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-11.pat
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-12.patch";
 sed -i 's/sys.spawn.exec/persist.security.exec_spawn/' core/java/com/android/internal/os/ZygoteConnection.java;
 fi;
-applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Location_Indicators-1.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Location_Indicators-2.patch"; #Exclude Bluetooth app from Location indicators (GrapheneOS)
 hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
 changeDefaultDNS; #Change the default DNS servers
 sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
@@ -171,7 +172,7 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_fr
 fi;
 
 if enterAndClear "frameworks/native"; then
-then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
 fi;
 
 if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@@ -272,6 +273,13 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;
 
+if enterAndClear "packages/modules/Connectivity"; then
+applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-1.patch"; #Add callback for enforcing INTERNET permission changes (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-2.patch"; #Use uid instead of app id (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-3.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
+#applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0002-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) #XXX 19REBASE
+fi;
+
 if [ "$DOS_GRAPHENE_RANDOM_MAC" = true ]; then
 if enterAndClear "packages/modules/NetworkStack"; then
 applyPatch "$DOS_PATCHES/android_packages_modules_NetworkStack/0001-Random_MAC.patch"; #Avoid reusing DHCP state for full MAC randomization (GrapheneOS)
@@ -348,7 +356,6 @@ sed -i 's/LINEAGE_BUILDTYPE := UNOFFICIAL/LINEAGE_BUILDTYPE := dos/' config/*.mk
 if [ "$DOS_NON_COMMERCIAL_USE_PATCHES" = true ]; then sed -i 's/LINEAGE_BUILDTYPE := dos/LINEAGE_BUILDTYPE := dosNC/' config/*.mk; fi;
 echo 'include vendor/divested/divestos.mk' >> config/common.mk; #Include our customizations
 cp -f "$DOS_PATCHES_COMMON/apns-conf.xml" prebuilt/common/etc/apns-conf.xml; #Update APN list
-if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' config/telephony.mk; fi; #Replace the Messaging app with Silence
 awk -i inplace '!/Eleven/' config/common_mobile.mk; #Remove Music Player
 fi;
 
@@ -367,7 +374,9 @@ fi;
 #
 #START OF DEVICE CHANGES
 #
-#none yet
+if enterAndClear "kernel/google/wahoo"; then
+sed -i 's/asm(SET_PSTATE_UAO(1));/asm(SET_PSTATE_UAO(1)); return 0;/' arch/arm64/mm/fault.c; #fix build with CONFIG_ARM64_UAO
+fi;
 
 #Make changes to all devices
 cd "$DOS_BUILD_BASE";
@@ -397,8 +406,8 @@ enableAutoVarInit || true;
 
 sed -i 's/^YYLTYPE yylloc;/extern YYLTYPE yylloc;/' kernel/*/*/scripts/dtc/dtc-lexer.l*; #Fix builds with GCC 10
 rm -v kernel/*/*/drivers/staging/greybus/tools/Android.mk || true;
-awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/opt/net/wifi/service/res/values/config.xml; #deprecated
-awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/base/core/res/res/values/config.xml; #deprecated
+#awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/opt/net/wifi/service/res/values/config.xml || true; #deprecated
+#awk -i inplace '!/config_wifi_batched_scan_supported/' device/*/*/overlay/frameworks/base/core/res/res/values/config.xml || true; #deprecated
 #
 #END OF DEVICE CHANGES
 #
diff --git a/Scripts/init.sh b/Scripts/init.sh
index 0f74b141..8c1663bc 100644
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@@ -57,14 +57,14 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
 
 #Features
 export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices
-export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+17.1+18.1
-export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1
-export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1
-export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1
-export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the GrapheneOS ptrace_scope toggle patchset on 17.1+18.1
-export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1
-export DOS_GRAPHENE_RANDOM_MAC=true; #Enables the GrapheneOS always randomize Wi-Fi MAC patchset on 17.1+18.1
-export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1
+export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+17.1+18.1+19.1
+export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1+19.1
+export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1+19.1
+export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1
+export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the GrapheneOS ptrace_scope toggle patchset on 17.1+18.1+19.1
+export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1, 19.1 has no toggle
+export DOS_GRAPHENE_RANDOM_MAC=true; #Enables the GrapheneOS always randomize Wi-Fi MAC patchset on 17.1+18.1+19.1
+export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1+19.1
 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
 export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
 export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"
@@ -73,8 +73,8 @@ export DOS_MICROG_INCLUDED="NLP"; #Determines inclusion of microG. Options: NONE
 export DOS_NON_COMMERCIAL_USE_PATCHES=false; #Set true to allow inclusion of non-commercial use patches XXX: Unused, see 1dc9247
 export DOS_OPTIMIZE_IMAGES=false; #Set true to apply lossless optimizations to image resources
 export DOS_SILENCE_INCLUDED=true; #Set false to disable inclusion of Silence SMS app
-export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission #XXX: can break things like camera
-export DOS_SENSORS_PERM_NEW=true;
+export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission for 14.1/15.1/16.0 #XXX: can break things like camera
+export DOS_SENSORS_PERM_NEW=true; #For 17.1+18.1
 export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
 export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository
 #alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2';