Fixes
parent
8eeb02eaeb
commit
61fd3702ce
@ -1,4 +1,4 @@
|
||||
From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
|
||||
From 69ccfefd7b6d37b0b103a29095465fa4d29a3429 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Wed, 28 Jun 2017 08:03:36 -0400
|
||||
Subject: [PATCH] Harden IPv4/6
|
||||
@ -9,14 +9,14 @@ Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-harde
|
||||
|
||||
Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
|
||||
---
|
||||
rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 41 insertions(+), 3 deletions(-)
|
||||
rootdir/init.rc | 41 ++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 38 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||||
index da2071b15..5676edbff 100644
|
||||
index 0de027bf1..80dd9a437 100644
|
||||
--- a/rootdir/init.rc
|
||||
+++ b/rootdir/init.rc
|
||||
@@ -141,9 +141,47 @@ on init
|
||||
@@ -140,9 +140,44 @@ on init
|
||||
# set fwmark on accepted sockets
|
||||
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
|
||||
|
||||
@ -28,19 +28,16 @@ index da2071b15..5676edbff 100644
|
||||
+ write /proc/net/net/ipv4/conf/all/accept_source_route 0
|
||||
+ write /proc/net/net/ipv4/conf/all/log_martians 1
|
||||
+ write /proc/net/net/ipv4/conf/all/rp_filter 1
|
||||
+ write /proc/net/net/ipv4/conf/all/secure_redirects 0
|
||||
+ write /proc/net/net/ipv4/conf/all/send_redirects 0
|
||||
+ write /proc/net/net/ipv4/conf/all/secure_redirects 1
|
||||
+ write /proc/net/net/ipv4/conf/default/accept_redirects 0
|
||||
+ write /proc/net/net/ipv4/conf/default/accept_source_route 0
|
||||
+ write /proc/net/net/ipv4/conf/default/log_martians 1
|
||||
+ write /proc/net/net/ipv4/conf/default/rp_filter 1
|
||||
+ write /proc/net/net/ipv4/conf/default/secure_redirects 0
|
||||
+ write /proc/net/net/ipv4/conf/default/send_redirects 0
|
||||
+ write /proc/net/net/ipv4/conf/default/secure_redirects 1
|
||||
+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0
|
||||
+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
|
||||
+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
|
||||
+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
|
||||
+ write /proc/net/net/ipv4/ip_forward 0
|
||||
+ write /proc/net/net/ipv4/tcp_rfc1337 1
|
||||
+ write /proc/net/net/ipv4/tcp_syncookies 1
|
||||
+ write /proc/net/net/ipv4/tcp_timestamps 1
|
||||
@ -68,5 +65,5 @@ index da2071b15..5676edbff 100644
|
||||
# Create cgroup mount points for process groups
|
||||
mkdir /dev/cpuctl
|
||||
--
|
||||
2.13.2
|
||||
2.14.1
|
||||
|
||||
|
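Review bot: Every `write` line in the `@ -28,19 +28,16 @@` hunk targets `/proc/net/net/ipv4/…`, a path that does not exist on Linux — the IPv4 sysctls are exposed under `/proc/sys/net/ipv4/…`, as the hunk's own context line `write /proc/sys/net/ipv4/tcp_fwmark_accept 1` shows, and with a 19-line to 16-line hunk most of these lines are context that stays on the new side. As far as I recall, init logs a failed `write` and carries on, so the rp_filter, redirect, source-route and ICMP hardening this patch is meant to apply would silently not take effect; the fix is to replace `/proc/net/net/ipv4/` with `/proc/sys/net/ipv4/` on each of these lines. Which of the two `secure_redirects` values is the new side is not recoverable from this render, so I make no comment on that change. The `on init` block these writes belong to starts and ends outside the hunk.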
@ -1,4 +1,4 @@
|
||||
From a93c335e6eaed29e1537c63514b8bd94a79ba552 Mon Sep 17 00:00:00 2001
|
||||
From c028b9979836c64764bebde8c330680952d0ece4 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Wed, 28 Jun 2017 12:30:56 -0400
|
||||
Subject: [PATCH] Harden network via iptables
|
||||
@ -9,7 +9,7 @@ Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b
|
||||
1 file changed, 35 insertions(+)
|
||||
|
||||
diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
|
||||
index b16da18..5247878 100755
|
||||
index b16da18..2fcc696 100755
|
||||
--- a/server/CommandListener.cpp
|
||||
+++ b/server/CommandListener.cpp
|
||||
@@ -230,6 +230,41 @@ CommandListener::CommandListener() :
|
||||
@ -20,7 +20,7 @@ index b16da18..5247878 100755
|
||||
+ //Drop invalid packets
|
||||
+ execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
|
||||
+ execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
|
||||
+ execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
|
||||
+ //execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
|
||||
+ //Credit: https://javapipe.com/iptables46-ddos-protection
|
||||
+ //Drop TCP packets that are new and are not SYN
|
||||
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
|
||||
@ -55,5 +55,5 @@ index b16da18..5247878 100755
|
||||
setupOemIptablesHook();
|
||||
|
||||
--
|
||||
2.13.2
|
||||
2.14.1
|
||||
|
||||
|
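Review bot: The FORWARD-chain `INVALID` drop appears in this hunk both active and commented out, and the commented-out form carries no reason; if the commented line is the new side, a one-line note such as `//FORWARD INVALID drop disabled: <reason>` keeps the intent recoverable, and if the rule is meant to stay off the dead line is better deleted than kept. Separately, the `-p tcp ! --syn -m conntrack --ctstate NEW` rule is installed in the `raw` table, whose PREROUTING hook runs before connection tracking, so a conntrack match there is unlikely to ever observe the `NEW` state and the rule may never fire — worth verifying on a device, and moving to the `mangle` table if so (as far as I recall the cited guide uses `mangle`). The netd constructor these rules live in, per the inner `@@` header, starts and ends outside the hunk.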
@ -88,9 +88,9 @@ patch -p1 < $patches"android_external_svox/94d2ddb.diff" #Fix garbled output See
|
||||
enter "frameworks/base"
|
||||
git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3 #re-enable doze on devices without gms
|
||||
git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/75/151975/35 && git cherry-pick FETCH_HEAD #network traffic
|
||||
git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/53/184653/10 && git cherry-pick FETCH_HEAD #profiles tile
|
||||
git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/53/184653/14 && git cherry-pick FETCH_HEAD #profiles tile
|
||||
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
|
||||
sed -i '0,/wifi,cell,battery/s/wifi,cell,battery,dnd,flashlight,rotation,bt,airplane,profiles/wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc/' packages/SystemUI/res/values/config.xml;
|
||||
sed -i '0,/wifi,cell,battery/s/wifi,cell,battery,dnd,flashlight,rotation,bt,airplane/wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc/' packages/SystemUI/res/values/config.xml;
|
||||
sed -i 's/ScaleSetting = 1.0f;/ScaleSetting = 0.5f;/' services/core/java/com/android/server/wm/WindowManagerService.java; #Speedup animation scale
|
||||
patch -p1 < $patches"android_frameworks_base/0003-Signature_Spoofing.patch" #Allow packages to spoof their signature (MicroG)
|
||||
patch -p1 < $patches"android_frameworks_base/0005-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
|
||||
|
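Review bot: `git fetch https://review.lineageos.org/… refs/changes/53/184653/14 && git cherry-pick FETCH_HEAD` applies whatever the review server serves for that ref at build time with no check on the commit actually fetched, and the bump from patchset 10 to 14 shows these refs are tracked by number only; for a reproducible build, record the expected commit id and verify it before cherry-picking, e.g. `git fetch … refs/changes/53/184653/14 && [ "$(git rev-parse FETCH_HEAD)" = "<expected-sha>" ] && git cherry-pick FETCH_HEAD` (the same applies to the `refs/changes/75/151975/35` line). The `sed -i … config.xml` substitution of the quick-settings tile list, in whichever form is the new side, returns success even when its pattern no longer matches, so a changed upstream default would be silently kept; a `grep -q 'wifi,cell,battery' packages/SystemUI/res/values/config.xml || echo 'tile list pattern not found'` ahead of it would surface that. The script continues outside the hunk on both ends.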