diff --git a/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch b/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
index b96582d6..ba4cf25b 100644
--- a/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
+++ b/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
@@ -1,4 +1,4 @@
-From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
+From 69ccfefd7b6d37b0b103a29095465fa4d29a3429 Mon Sep 17 00:00:00 2001
 From: Tad
 Date: Wed, 28 Jun 2017 08:03:36 -0400
 Subject: [PATCH] Harden IPv4/6
@@ -9,14 +9,14 @@ Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-harde
 Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
 ---
- rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 41 insertions(+), 3 deletions(-)
+ rootdir/init.rc | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
 diff --git a/rootdir/init.rc b/rootdir/init.rc
-index da2071b15..5676edbff 100644
+index 0de027bf1..80dd9a437 100644
 --- a/rootdir/init.rc
 +++ b/rootdir/init.rc
-@@ -141,9 +141,47 @@ on init
+@@ -140,9 +140,44 @@ on init
  # set fwmark on accepted sockets
  write /proc/sys/net/ipv4/tcp_fwmark_accept 1
@@ -28,19 +28,16 @@ index da2071b15..5676edbff 100644
 + write /proc/net/net/ipv4/conf/all/accept_source_route 0
 + write /proc/net/net/ipv4/conf/all/log_martians 1
 + write /proc/net/net/ipv4/conf/all/rp_filter 1
-+ write /proc/net/net/ipv4/conf/all/secure_redirects 0
-+ write /proc/net/net/ipv4/conf/all/send_redirects 0
++ write /proc/net/net/ipv4/conf/all/secure_redirects 1
 + write /proc/net/net/ipv4/conf/default/accept_redirects 0
 + write /proc/net/net/ipv4/conf/default/accept_source_route 0
 + write /proc/net/net/ipv4/conf/default/log_martians 1
 + write /proc/net/net/ipv4/conf/default/rp_filter 1
-+ write /proc/net/net/ipv4/conf/default/secure_redirects 0
-+ write /proc/net/net/ipv4/conf/default/send_redirects 0
++ write /proc/net/net/ipv4/conf/default/secure_redirects 1
 + write /proc/net/net/ipv4/icmp_echo_ignore_all 0
 + write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
 + write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
 + write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
-+ write /proc/net/net/ipv4/ip_forward 0
 + write /proc/net/net/ipv4/tcp_rfc1337 1
 + write /proc/net/net/ipv4/tcp_syncookies 1
 + write /proc/net/net/ipv4/tcp_timestamps 1
@@ -68,5 +65,5 @@ index da2071b15..5676edbff 100644
  # Create cgroup mount points for process groups
  mkdir /dev/cpuctl
 -- 
-2.13.2
+2.14.1
diff --git a/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch b/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch
index d243fbe3..be1325b0 100644
--- a/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch
+++ b/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch
@@ -1,4 +1,4 @@
-From a93c335e6eaed29e1537c63514b8bd94a79ba552 Mon Sep 17 00:00:00 2001
+From c028b9979836c64764bebde8c330680952d0ece4 Mon Sep 17 00:00:00 2001
 From: Tad
 Date: Wed, 28 Jun 2017 12:30:56 -0400
 Subject: [PATCH] Harden network via iptables
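Review bot: Every sysctl path in this hunk, including the two `secure_redirects` lines the commit rewrites, is written under `/proc/net/net/ipv4/...`, a directory that does not exist; sysctls live under `/proc/sys/net/ipv4/...`, which is exactly what the earlier hunk's unchanged context line `write /proc/sys/net/ipv4/tcp_fwmark_accept 1` uses. As written, each of these `write` commands presumably fails at boot and none of the hardening settings take effect, so the fix is to change the prefix on all of them, e.g. `write /proc/sys/net/ipv4/conf/all/secure_redirects 1`, and confirm on a booted device that the values read back as set. Dropping `ip_forward 0` and `send_redirects 0` looks like a tethering accommodation; a one-line comment in the patch, such as `# ip_forward/send_redirects are left to netd for tethering`, would keep the next reviewer from re-adding them.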
@@ -9,7 +9,7 @@ Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b
 1 file changed, 35 insertions(+)
 diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
-index b16da18..5247878 100755
+index b16da18..2fcc696 100755
 --- a/server/CommandListener.cpp
 +++ b/server/CommandListener.cpp
 @@ -230,6 +230,41 @@ CommandListener::CommandListener() :
@@ -20,7 +20,7 @@ index b16da18..5247878 100755
 + //Drop invalid packets
 + execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
 + execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
-+ execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
++ //execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
 + //Credit: https://javapipe.com/iptables46-ddos-protection
 + //Drop TCP packets that are new and are not SYN
 + execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
@@ -55,5 +55,5 @@ index b16da18..5247878 100755
 setupOemIptablesHook();
 -- 
-2.13.2
+2.14.1
diff --git a/Scripts/LAOS-14.1_Patches.sh b/Scripts/LAOS-14.1_Patches.sh
index f34ba44d..e3b76df7 100755
--- a/Scripts/LAOS-14.1_Patches.sh
+++ b/Scripts/LAOS-14.1_Patches.sh
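Review bot: The FORWARD-chain INVALID drop is commented out rather than removed or explained, so a reader cannot tell whether it broke forwarded (tethered) traffic — the likely reason — or is meant to come back later; either delete the line or replace it with a comment such as `//FORWARD INVALID drop omitted: breaks forwarded/tethered flows, see <tracking-issue placeholder>`. Note that this leaves INVALID-state forwarded traffic unfiltered while INPUT and OUTPUT are still covered, which is worth stating in the patch description. Separately, the unchanged non-SYN rule below is placed in the raw table, where `-m conntrack` runs before connection tracking has classified the packet; I would expect it never to observe state NEW there, so that rule should be verified on a device (the common form of this recipe sits in the mangle table). The CommandListener constructor body continues outside the hunk.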
@@ -88,9 +88,9 @@ patch -p1 < $patches"android_external_svox/94d2ddb.diff" #Fix garbled output See
 enter "frameworks/base"
 git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3 #re-enable doze on devices without gms
 git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/75/151975/35 && git cherry-pick FETCH_HEAD #network traffic
-git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/53/184653/10 && git cherry-pick FETCH_HEAD #profiles tile
+git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/53/184653/14 && git cherry-pick FETCH_HEAD #profiles tile
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
-sed -i '0,/wifi,cell,battery/s/wifi,cell,battery,dnd,flashlight,rotation,bt,airplane,profiles/wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc/' packages/SystemUI/res/values/config.xml;
+sed -i '0,/wifi,cell,battery/s/wifi,cell,battery,dnd,flashlight,rotation,bt,airplane/wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc/' packages/SystemUI/res/values/config.xml;
 sed -i 's/ScaleSetting = 1.0f;/ScaleSetting = 0.5f;/' services/core/java/com/android/server/wm/WindowManagerService.java; #Speedup animation scale
 patch -p1 < $patches"android_frameworks_base/0003-Signature_Spoofing.patch" #Allow packages to spoof their signature (MicroG)
 patch -p1 < $patches"android_frameworks_base/0005-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
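Review bot: The rewritten `sed -i` on `config.xml` still fails silently if the upstream tile list drifts again, because sed exits 0 whether or not the pattern matched — which is presumably what the old pattern with the trailing `,profiles` had already started doing. Following it with a check such as `grep -q 'wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc' packages/SystemUI/res/values/config.xml || echo 'WARNING: tile list patch did not apply'` would surface the next drift at build time instead of shipping the stock layout unnoticed. The same applies to the unchanged DropBox and animation-scale `sed -i` edits in this hunk. The bumped Gerrit patchset is applied via `FETCH_HEAD` without recording the commit it is expected to resolve to; verifying it after the fetch, e.g. `git rev-parse FETCH_HEAD | grep -q <expected-sha placeholder>`, would make the build reproducible and detect a served change that differs from the one reviewed.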