Move many old cherry picks in tree for archival/support purposes

Patches/LineageOS-14.1/android_device_qcom_sepolicy/248649.patch

@@ -0,0 +1,25 @@
+From 334f543513c0cd2dbbf4b6450fb50d9f9a523385 Mon Sep 17 00:00:00 2001
+From: syphyr <syphyr@gmail.com>
+Date: Mon, 20 May 2019 00:04:28 +0200
+Subject: [PATCH] sepolicy: msm_irqbalance: Allow read for stats and interrupts
+
+After hardening /proc, msm_irqbalance requires additional sepolicy
+changes to read stats and interrupts.
+
+Fixes: restrict access to timing information in /proc
+Change-Id: I547f8dd13c6422f057884814e3187dc9ecebfe00
+---
+ common/msm_irqbalanced.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/msm_irqbalanced.te b/common/msm_irqbalanced.te
+index d4c3e57d..f9dd9004 100644
+--- a/common/msm_irqbalanced.te
++++ b/common/msm_irqbalanced.te
+@@ -5,5 +5,6 @@ init_daemon_domain(msm_irqbalanced)
+ 
+ allow msm_irqbalanced cgroup:dir { create add_name };
+ allow msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
++allow msm_irqbalanced { proc_stat proc_interrupts }:file r_file_perms;
+ allow msm_irqbalanced self:capability { setuid setgid dac_override };
+ r_dir_file(msm_irqbalanced, sysfs_rqstats);

Patches/LineageOS-14.1/android_frameworks_base/248599.patch

@@ -0,0 +1,34 @@
+From d5e4955bce55bf742f888859bb8b3b217de5dd7f Mon Sep 17 00:00:00 2001
+From: Christopher Tate <ctate@google.com>
+Date: Wed, 26 Oct 2016 18:06:42 -0700
+Subject: [PATCH] Make SET_TIME_ZONE permission match SET_TIME
+
+That is, SET_TIME_ZONE is now signature|privileged.
+
+Bug 19129180
+
+Test: dumpsys package to verify assignment; clock app works
+Change-Id: Id0e16499a00e1f5cfb5bd4d9fb421f93bb283ee1
+---
+ core/res/AndroidManifest.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index 0f224dae3337..f6026a82ad72 100644
+--- a/core/res/AndroidManifest.xml
++++ b/core/res/AndroidManifest.xml
+@@ -1822,12 +1822,12 @@
+         android:protectionLevel="signature|privileged" />
+ 
+     <!-- Allows applications to set the system time zone.
+-         <p>Protection level: normal
++         <p>Not for use by third-party applications.
+     -->
+     <permission android:name="android.permission.SET_TIME_ZONE"
+         android:label="@string/permlab_setTimeZone"
+         android:description="@string/permdesc_setTimeZone"
+-        android:protectionLevel="normal" />
++        android:protectionLevel="signature|privileged" />
+ 
+     <!-- ==================================================== -->
+     <!-- Permissions related to changing status bar   -->

Patches/LineageOS-14.1/android_packages_apps_Settings/201113.patch

@@ -0,0 +1,39 @@
+From 04cfd27db79e5ca78e03c64c82144261f92cc365 Mon Sep 17 00:00:00 2001
+From: syphyr <syphyr@gmail.com>
+Date: Wed, 3 Jan 2018 20:15:17 +0100
+Subject: [PATCH] wifi: Add world regulatory domain country code
+
+The World Regulatory Domain is the default country code used
+for many wifi only devices. Adding this country code
+provides a way to reselect this option if it is changed in
+the wifi regional settings.
+
+Also, adding this regional wifi option will fix the issue with
+the wifi regional settings appearing to be "unselected" when
+World Regulatory Domain is the default.
+
+Change-Id: I2e519872954903575ac2fc47fa13d126bb5bac8e
+---
+ res/values/cm_arrays.xml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/res/values/cm_arrays.xml b/res/values/cm_arrays.xml
+index 476b1c22ef..914c0b4fc3 100644
+--- a/res/values/cm_arrays.xml
++++ b/res/values/cm_arrays.xml
+@@ -268,6 +268,7 @@
+ 
+     <!-- Wi-Fi settings. Presented as a list dialog to the user to choose the Wi-Fi region code. -->
+     <string-array name="wifi_countrycode_entries">
++        <item>World Regulatory Domain</item>
+         <item>United States</item>
+         <item>Canada, Taiwan</item>
+         <item>Germany</item>
+@@ -283,6 +284,7 @@
+     </string-array>
+ 
+     <string-array name="wifi_countrycode_values" translatable="false">
++        <item>00</item>
+         <item>US</item>
+         <item>CA</item>
+         <item>DE</item>

Patches/LineageOS-14.1/android_system_bt/229574.patch

@@ -0,0 +1,50 @@
+From 0d87e15abda69a93df1cd4d854088e2ccac01033 Mon Sep 17 00:00:00 2001
+From: ValdikSS <iam@valdikss.org.ru>
+Date: Fri, 21 Sep 2018 13:53:11 +0300
+Subject: [PATCH] Increase maximum Bluetooth SBC codec bitrate for SBC HD
+
+This commit increases maximum possible bitrate to 452 kbit/s for 44.1 kHz,
+492 kbit/s for 48 kHz, which is optimal for both
+EDR 2 mbit/s (4 audio frames, 11.7 ms, 6 wasted bytes) and
+EDR 3 mbit/s (6 audio frames, 17.5 ms, 20 wasted bytes).
+
+It does not increase bitpool value and won't introduce higher bitrates for
+modes other than SBC Dual Channel.
+
+Test: manual, with various headphones, receivers, and speakers
+Change-Id: I5c9dec8848a8017da5b1fc6a5edfbbea5bdcb7eb
+---
+ btif/src/btif_media_task.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/btif/src/btif_media_task.c b/btif/src/btif_media_task.c
+index 977d2668d..cac0c2211 100644
+--- a/btif/src/btif_media_task.c
++++ b/btif/src/btif_media_task.c
+@@ -208,13 +208,13 @@ enum {
+ #endif
+ 
+ #ifdef BTA_AV_SPLIT_A2DP_DEF_FREQ_48KHZ
+-#define BTIF_A2DP_DEFAULT_BITRATE 345
++#define BTIF_A2DP_DEFAULT_BITRATE 496
+ 
+ #ifndef BTIF_A2DP_NON_EDR_MAX_RATE
+ #define BTIF_A2DP_NON_EDR_MAX_RATE 237
+ #endif
+ #else
+-#define BTIF_A2DP_DEFAULT_BITRATE 328
++#define BTIF_A2DP_DEFAULT_BITRATE 455
+ 
+ #ifndef BTIF_A2DP_NON_EDR_MAX_RATE
+ #define BTIF_A2DP_NON_EDR_MAX_RATE 229
+@@ -227,8 +227,8 @@ enum {
+ #else
+ #define A2DP_HDR_SIZE               1
+ #endif
+-#define MAX_SBC_HQ_FRAME_SIZE_44_1  119
+-#define MAX_SBC_HQ_FRAME_SIZE_48    115
++#define MAX_SBC_HQ_FRAME_SIZE_44_1  165
++#define MAX_SBC_HQ_FRAME_SIZE_48    165
+ 
+ /* 2DH5 payload size of 679 bytes - (4 bytes L2CAP Header + 12 bytes AVDTP Header) */
+ #define MAX_2MBPS_AVDTP_MTU         663

Patches/LineageOS-14.1/android_system_bt/229575.patch

@@ -0,0 +1,167 @@
+From d398566dd742fee9bd08d5ba0ac245aec1258afd Mon Sep 17 00:00:00 2001
+From: ValdikSS <iam@valdikss.org.ru>
+Date: Fri, 21 Sep 2018 21:43:14 +0300
+Subject: [PATCH] Explicit SBC Dual Channel (SBC HD) support
+
+Overwhelming majority of Bluetooth audio devices have SBC maximum bitpool value
+limited to 53, which prevents bitrates higher than 328 kbit/s to be used with
+the most common 44.1 kHz Joint Stereo, 8 subbands, 16 blocks profile. This
+limitation could be circumvented on any existing device to achieve higher audio
+quality, by using Dual Channel mode.
+Dual Channel encodes channels separately, using the entire bitpool for each
+channel. Forcing the device to use Dual Channel instead of Joint Stereo almost
+doubles maximum possible bitrate for the same bitpool value.
+
+A2DP specification v1.2, which was active from 2007 to 2015, requires all
+decoders to work correctly with bitrates up to 512 kbps. Newer specification
+does not have the limit at all. It is assumed that most modern headphones with
+EDR support can handle any SBC profile with maximum bitpool value, regardless
+of resulting bitrate.
+
+This commit defines optimal Dual Channel bitrate profiles:
+EDR 2mbit/s - 452 kbit/s for 44.1 kHz, 492 kbit/s for 48 kHz (bitpool 38,
+4 audio frames, 10.7 ms, 6 wasted bytes per packet)
+EDR 3mbit/s - 551.3 kbit/s for 44.1 kHz, 600 kbit/s for 48 kHz (bitpool 47,
+5 audio frames, 13.4 ms, 4 wasted bytes per packet)
+
+With 452 kbit/s, SBC outperforms aptX, with 551.3 kbit/s, on par or close to
+aptX HD.
+
+SBC HD is disabled by default and should be activated by setting
+"persist.bt.sbc_hd_enabled" property:
+$ setprop persist.bt.sbc_hd_enabled 1
+
+Bitrate could be increased further with "persist.bt.sbc_hd_higher_kbps"
+property. If the property is set, the following EDR 2mbit/s profile is used:
+595.4 kbit/s for 44.1 kHz, 648 kbit/s for 48 kHz (bitpool 51, 3 audio frames,
+8.8 ms, 14 wasted bytes per packet)
+
+53 out of 57 tested headphones, receivers and automotive head units were able
+to correctly receive and decode high bitrate Dual Channel audio.
+
+Test: manual, with various headphones, receivers, and speakers
+Change-Id: If74d9d46461c67b8aef39d63430b2f0187c9e714
+---
+ btif/co/bta_av_co.c        | 21 ++++++++++++++++++++-
+ btif/src/btif_media_task.c | 14 ++++++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/btif/co/bta_av_co.c b/btif/co/bta_av_co.c
+index 39a8ebfa7..f205ddacc 100644
+--- a/btif/co/bta_av_co.c
++++ b/btif/co/bta_av_co.c
+@@ -43,6 +43,7 @@
+ #include "btif_av_co.h"
+ #include "btif_util.h"
+ #include "osi/include/mutex.h"
++#include "osi/include/properties.h"
+ 
+ #include "bt_utils.h"
+ #include "a2d_aptx.h"
+@@ -81,6 +82,7 @@
+ #else
+ #define BTA_AV_CO_SBC_MAX_BITPOOL  53
+ #endif
++#define A2DP_SBC_HD_ENABLE_PROP "persist.bt.sbc_hd_enabled"
+ 
+ /* SCMS-T protect info */
+ const UINT8 bta_av_co_cp_scmst[BTA_AV_CP_INFO_LEN] = "\x02\x02\x00";
+@@ -138,6 +140,18 @@ const tA2D_SBC_CIE btif_av_sbc_default_config =
+     A2D_SBC_IE_MIN_BITPOOL          /* min_bitpool */
+ };
+ 
++/* Alternative SBC codec configuration */
++const tA2D_SBC_CIE btif_av_sbc_alt_config =
++{
++    BTIF_AV_SBC_DEFAULT_SAMP_FREQ,   /* samp_freq */
++    A2D_SBC_IE_CH_MD_DUAL,          /* ch_mode */
++    A2D_SBC_IE_BLOCKS_16,           /* block_len */
++    A2D_SBC_IE_SUBBAND_8,           /* num_subbands */
++    A2D_SBC_IE_ALLOC_MD_L,          /* alloc_mthd */
++    BTA_AV_CO_SBC_MAX_BITPOOL,      /* max_bitpool */
++    A2D_SBC_IE_MIN_BITPOOL          /* min_bitpool */
++};
++
+ const tA2D_APTX_CIE bta_av_co_aptx_caps =
+ {
+     A2D_APTX_VENDOR_ID,
+@@ -566,7 +580,10 @@ void bta_av_build_src_cfg (UINT8 *p_pref_cfg, UINT8 *p_src_cap)
+     else if (src_cap.samp_freq & A2D_SBC_IE_SAMP_FREQ_44)
+         pref_cap.samp_freq = A2D_SBC_IE_SAMP_FREQ_44;
+ 
+-    if (src_cap.ch_mode & A2D_SBC_IE_CH_MD_JOINT)
++    if (property_get_int32(A2DP_SBC_HD_ENABLE_PROP, 0)
++            && (src_cap.ch_mode & A2D_SBC_IE_CH_MD_DUAL))
++        pref_cap.ch_mode = A2D_SBC_IE_CH_MD_DUAL;
++    else if (src_cap.ch_mode & A2D_SBC_IE_CH_MD_JOINT)
+         pref_cap.ch_mode = A2D_SBC_IE_CH_MD_JOINT;
+     else if (src_cap.ch_mode & A2D_SBC_IE_CH_MD_STEREO)
+         pref_cap.ch_mode = A2D_SBC_IE_CH_MD_STEREO;
+@@ -2209,6 +2226,8 @@ BOOLEAN bta_av_co_audio_set_codec(const tBTIF_AV_MEDIA_FEEDINGS *p_feeding, tBTI
+         new_cfg_sbc.id = BTIF_AV_CODEC_SBC;
+ 
+         sbc_config = btif_av_sbc_default_config;
++        if (property_get_int32(A2DP_SBC_HD_ENABLE_PROP, 0))
++            sbc_config = btif_av_sbc_alt_config;
+         if ((p_feeding->cfg.pcm.num_channel != 1) &&
+             (p_feeding->cfg.pcm.num_channel != 2))
+         {
+diff --git a/btif/src/btif_media_task.c b/btif/src/btif_media_task.c
+index cac0c2211..4c956bd3c 100644
+--- a/btif/src/btif_media_task.c
++++ b/btif/src/btif_media_task.c
+@@ -59,6 +59,7 @@
+ #include "osi/include/metrics.h"
+ #include "osi/include/mutex.h"
+ #include "osi/include/thread.h"
++#include "osi/include/properties.h"
+ #include "bt_utils.h"
+ #include "a2d_api.h"
+ #include "a2d_int.h"
+@@ -114,6 +115,8 @@ OI_INT16 pcmData[15*SBC_MAX_SAMPLES_PER_FRAME*SBC_MAX_CHANNELS];
+ #include "bta_api.h"
+ #endif
+ 
++#define A2DP_SBC_HD_PROP "persist.bt.sbc_hd_higher_kbps"
++
+ 
+ /*****************************************************************************
+  **  Constants
+@@ -209,12 +212,16 @@ enum {
+ 
+ #ifdef BTA_AV_SPLIT_A2DP_DEF_FREQ_48KHZ
+ #define BTIF_A2DP_DEFAULT_BITRATE 496
++#define BTIF_A2DP_3DH5_BITRATE 601
++#define BTIF_A2DP_2DH5_ALT_BITRATE 649
+ 
+ #ifndef BTIF_A2DP_NON_EDR_MAX_RATE
+ #define BTIF_A2DP_NON_EDR_MAX_RATE 237
+ #endif
+ #else
+ #define BTIF_A2DP_DEFAULT_BITRATE 455
++#define BTIF_A2DP_3DH5_BITRATE 552
++#define BTIF_A2DP_2DH5_ALT_BITRATE 596
+ 
+ #ifndef BTIF_A2DP_NON_EDR_MAX_RATE
+ #define BTIF_A2DP_NON_EDR_MAX_RATE 229
+@@ -232,6 +239,7 @@ enum {
+ 
+ /* 2DH5 payload size of 679 bytes - (4 bytes L2CAP Header + 12 bytes AVDTP Header) */
+ #define MAX_2MBPS_AVDTP_MTU         663
++#define MIN_3MBPS_AVDTP_SAFE_MTU    800
+ #define USEC_PER_SEC 1000000L
+ #define TPUT_STATS_INTERVAL_US (3000*1000)
+ 
+@@ -1252,6 +1260,12 @@ static UINT16 btif_media_task_get_sbc_rate(void)
+     {
+         rate = BTIF_A2DP_NON_EDR_MAX_RATE;
+         APPL_TRACE_DEBUG("non-edr a2dp sink detected, restrict rate to %d", rate);
++    } else if (btif_av_peer_supports_3mbps()
++               && btif_media_cb.TxAaMtuSize >= MIN_3MBPS_AVDTP_SAFE_MTU) {
++        rate = BTIF_A2DP_3DH5_BITRATE;
++    } else if (!btif_av_peer_supports_3mbps()
++               && property_get_int32(A2DP_SBC_HD_PROP, 0)) {
++        rate = BTIF_A2DP_2DH5_ALT_BITRATE;
+     }
+ 
+     return rate;

Patches/LineageOS-14.1/android_system_bt/242134.patch

@@ -0,0 +1,25 @@
+From b31e5b89a84b8ae992c818184fa3bb9d288db69d Mon Sep 17 00:00:00 2001
+From: cprhokie <cprhokie@gmail.com>
+Date: Fri, 22 Feb 2019 20:53:12 -0500
+Subject: [PATCH] avrc_bld_get_attrs_rsp - fix attribute length position off by
+ one
+
+Change-Id: I60c859ef9784cf39d390a22810be5777e1e5066c
+---
+ stack/avrc/avrc_bld_tg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stack/avrc/avrc_bld_tg.c b/stack/avrc/avrc_bld_tg.c
+index 089dfa3ae..8c16e01a6 100644
+--- a/stack/avrc/avrc_bld_tg.c
++++ b/stack/avrc/avrc_bld_tg.c
+@@ -976,7 +976,8 @@ static tAVRC_STS avrc_bld_get_attrs_rsp (tAVRC_GET_ATTRS_RSP *p_rsp, BT_HDR *p_p
+     }
+     /* get the existing length, if any, and also the num attributes */
+     p_start = (uint8_t *)(p_pkt + 1) + p_pkt->offset;
+-    p_data = p_len = p_start + 1; /* pdu */
++    p_data = p_start + 1; /* pdu */
++    p_len = p_start + 2;
+     /* the existing len */
+     BE_STREAM_TO_UINT16(len, p_data);
+     p_num = p_data + 1;

Patches/LineageOS-14.1/android_system_netd/244387.patch

@@ -0,0 +1,134 @@
+From 5479a23bdb9fd2cbd92d7a1f35e5ecf193515d72 Mon Sep 17 00:00:00 2001
+From: Lorenzo Colitti <lorenzo@google.com>
+Date: Thu, 30 Mar 2017 02:50:09 +0900
+Subject: [PATCH] Really always allow networking on loopback.
+
+https://android-review.googlesource.com/#/c/294359/ attempted to
+allow networking on loopback, but actually does not do anything
+because no packet has both -i lo and -o lo: loopback packets have
+-i lo in INPUT and -o lo in OUTPUT.
+
+Test: bullhead builds, boots
+Test: netd_{unit,integration}_test pass
+Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
+Test: originated and received traffic is not matched by new rules
+Bug: 34444781
+Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
+---
+ server/FirewallController.cpp     |  3 ++-
+ server/FirewallControllerTest.cpp | 15 ++++++++++-----
+ tests/binder_test.cpp             | 16 ++++++++--------
+ 3 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
+index 826cf758..ffc99e16 100644
+--- a/server/FirewallController.cpp
++++ b/server/FirewallController.cpp
+@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
+     StringAppendF(&commands, "*filter\n:%s -\n", name);
+ 
+     // Always allow networking on loopback.
+-    StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);
++    StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);
++    StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);
+ 
+     // Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
+     // access. Both incoming and outgoing RSTs are allowed.
+diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
+index 7d96c61c..ba449db0 100644
+--- a/server/FirewallControllerTest.cpp
++++ b/server/FirewallControllerTest.cpp
+@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
+     std::vector<std::string> expectedRestore4 = {
+         "*filter",
+         ":fw_whitelist -",
+-        "-A fw_whitelist -i lo -o lo -j RETURN",
++        "-A fw_whitelist -i lo -j RETURN",
++        "-A fw_whitelist -o lo -j RETURN",
+         "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
+         "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
+         "-A fw_whitelist -j DROP",
+@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
+     std::vector<std::string> expectedRestore6 = {
+         "*filter",
+         ":fw_whitelist -",
+-        "-A fw_whitelist -i lo -o lo -j RETURN",
++        "-A fw_whitelist -i lo -j RETURN",
++        "-A fw_whitelist -o lo -j RETURN",
+         "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
+         "-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
+         "-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
+@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
+     std::vector<std::string> expectedRestore = {
+         "*filter",
+         ":fw_blacklist -",
+-        "-A fw_blacklist -i lo -o lo -j RETURN",
++        "-A fw_blacklist -i lo -j RETURN",
++        "-A fw_blacklist -o lo -j RETURN",
+         "-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
+         "COMMIT\n\x04"
+     };
+@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
+     std::string expected =
+             "*filter\n"
+             ":FW_whitechain -\n"
+-            "-A FW_whitechain -i lo -o lo -j RETURN\n"
++            "-A FW_whitechain -i lo -j RETURN\n"
++            "-A FW_whitechain -o lo -j RETURN\n"
+             "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
+             "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
+             "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
+@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
+     std::string expected =
+             "*filter\n"
+             ":FW_blackchain -\n"
+-            "-A FW_blackchain -i lo -o lo -j RETURN\n"
++            "-A FW_blackchain -i lo -j RETURN\n"
++            "-A FW_blackchain -o lo -j RETURN\n"
+             "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
+             "-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
+             "-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
+diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
+index 5395f1d2..dcaf2302 100644
+--- a/tests/binder_test.cpp
++++ b/tests/binder_test.cpp
+@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {
+         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
+     }
+     EXPECT_EQ(true, ret);
+-    EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+-    EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
++    EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
++    EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+     {
+         TimedOperation op("Clearing whitelist chain");
+         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
+     }
+     EXPECT_EQ(true, ret);
+-    EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+-    EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
++    EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
++    EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ 
+     {
+         TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));
+         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);
+     }
+     EXPECT_EQ(true, ret);
+-    EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+-    EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
++    EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
++    EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ 
+     {
+         TimedOperation op("Clearing blacklist chain");
+         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
+     }
+     EXPECT_EQ(true, ret);
+-    EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+-    EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
++    EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
++    EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ 
+     // Check that the call fails if iptables returns an error.
+     std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";

Patches/LineageOS-14.1/android_system_netd/244388.patch

@@ -0,0 +1,52 @@
+From 77894c5bfbafb8cacdefe9b60cff121e5fb88e3c Mon Sep 17 00:00:00 2001
+From: Joel Scherpelz <jscherpelz@google.com>
+Date: Wed, 14 Jun 2017 10:27:47 +0900
+Subject: [PATCH] BACKPORT: Avoid netlink socket address conflict
+
+NetlinkManager previously bound all netlink sockets with nl_pid =
+getpid(). Unfortunately only the first such socket is allowed to claim
+nl_pid = getpid(). The kernel is happy to assign this value
+automatically if nl_pid = 0. For more information on nl_pid see "man 7
+netlink".
+
+When NFLogListener was added, it created a socket with a kernel assigned
+nl_pid, unfortunately the kernel assigns getpid() to the first such
+socket and listener was initialized earlier in the startup process than
+NetlinkManager.
+
+This change alters NetlinkManager to request a kernel assigned nl_pid and
+defensively moves the initialization of NFLogListener later in the
+startup sequence to favor proper operation of existing code in
+NetlinkManager. Error logging is also slightly improved.
+
+Test: as follows
+    - built
+    - flashed
+    - booted
+    - "runtest -x .../netd_unit_test.cpp" passes
+    - "cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t
+       android.os.cts.StrictModeTest" passes
+Bug: 62353125
+
+[syphyr: Removed NFLogListener changes]
+Signed-off-by: L.W. Reek <syphyr@gmail.com>
+
+Change-Id: I9c1c76e5769de75ff624bf43634ac4061c447a72
+---
+ server/NetlinkManager.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
+index 769a80ae..5e6eaba8 100644
+--- a/server/NetlinkManager.cpp
++++ b/server/NetlinkManager.cpp
+@@ -73,7 +73,8 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
+ 
+     memset(&nladdr, 0, sizeof(nladdr));
+     nladdr.nl_family = AF_NETLINK;
+-    nladdr.nl_pid = getpid();
++    // Kernel will assign a unique nl_pid if set to zero.
++    nladdr.nl_pid = 0;
+     nladdr.nl_groups = groups;
+ 
+     if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {

Patches/LineageOS-14.1/android_system_netd/245690.patch

@@ -0,0 +1,68 @@
+From d6f2d210fe3f1b8c2c798066bfb32e2c9ec96ef4 Mon Sep 17 00:00:00 2001
+From: Sehee Park <sehee32.park@samsung.com>
+Date: Wed, 26 Dec 2018 07:28:23 +0900
+Subject: [PATCH] Fix fortify_fatal issue during DNSServiceProcessResult()
+
+fd was checked at beginnig of DNSServiceProcessResult()
+but fd was changed to -1. So, fortify_fatal was occured
+when FD_SET() was called.
+Abort message: 'FORTIFY: FD_SET: file descriptor -1 < 0'
+
+Test: Build
+Bug: 120910016
+Bug: 121327565
+Change-Id: Ib4c8dcc08223578fb53647637b44a20a4c221050
+Merged-In: Ib4c8dcc08223578fb53647637b44a20a4c221050
+Signed-off-by: Sehee Park <sehee32.park@samsung.com>
+(cherry picked from commit 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b)
+---
+ server/MDnsSdListener.cpp | 10 +++++++++-
+ server/MDnsSdListener.h   |  1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
+index 883fe815..e3fd66a0 100644
+--- a/server/MDnsSdListener.cpp
++++ b/server/MDnsSdListener.cpp
+@@ -146,7 +146,7 @@ void MDnsSdListener::Handler::stop(SocketClient *cli, int argc, char **argv, con
+         return;
+     }
+     if (VDBG) ALOGD("Stopping %s with ref %p", str, ref);
+-    DNSServiceRefDeallocate(*ref);
++    mMonitor->deallocateServiceRef(ref);
+     mMonitor->freeServiceRef(requestId);
+     char *msg;
+     asprintf(&msg, "%s stopped", str);
+@@ -617,7 +617,9 @@ void MDnsSdListener::Monitor::run() {
+                         ALOGD("Monitor found [%d].revents = %d - calling ProcessResults",
+                                 i, mPollFds[i].revents);
+                     }
++                    pthread_mutex_lock(&mHeadMutex);
+                     DNSServiceProcessResult(*(mPollRefs[i]));
++                    pthread_mutex_unlock(&mHeadMutex);
+                     mPollFds[i].revents = 0;
+                 }
+             }
+@@ -769,3 +771,9 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
+     }
+     pthread_mutex_unlock(&mHeadMutex);
+ }
++
++void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
++    pthread_mutex_lock(&mHeadMutex);
++    DNSServiceRefDeallocate(*ref);
++    pthread_mutex_unlock(&mHeadMutex);
++}
+\ No newline at end of file
+diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
+index e9c6066a..a107d3b8 100644
+--- a/server/MDnsSdListener.h
++++ b/server/MDnsSdListener.h
+@@ -76,6 +76,7 @@ class MDnsSdListener : public FrameworkListener {
+         static void *threadStart(void *handler);
+         int startService();
+         int stopService();
++        void deallocateServiceRef(DNSServiceRef* ref);
+     private:
+         void run();
+         int rescan(); // returns the number of elements in the poll

Patches/LineageOS-14.1/android_system_netd/245691.patch

@@ -0,0 +1,32 @@
+From 728b7617dc0ec0b017740f9a78e7dcefff1afc86 Mon Sep 17 00:00:00 2001
+From: Ken Chen <cken@google.com>
+Date: Sat, 26 Jan 2019 19:17:00 +0800
+Subject: [PATCH] Clear Element.mRef immediately after deallocating it
+
+DNSServiceRefDeallocate() and pointer dereferencing in request handler
+thread are protected by two separate lock/unlock pairs on mHeadMutex.
+If rescan() runs between these, it could dereference mRef, causing
+a heap-use-after-free bug.
+
+Solution: set mRef to null immediately after freeing it.
+
+Bug: 121327565
+Test: build
+Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
+(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615)
+---
+ server/MDnsSdListener.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
+index e3fd66a0..563e0207 100644
+--- a/server/MDnsSdListener.cpp
++++ b/server/MDnsSdListener.cpp
+@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
+ void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
+     pthread_mutex_lock(&mHeadMutex);
+     DNSServiceRefDeallocate(*ref);
++    *ref = nullptr;
+     pthread_mutex_unlock(&mHeadMutex);
+ }
+\ No newline at end of file

Patches/LineageOS-14.1/android_system_sepolicy/248600.patch

@@ -0,0 +1,131 @@
+From 14f74809348227ad07d1d934d747f7218c7e21a3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 29 Jul 2016 14:48:19 -0400
+Subject: [PATCH] restrict access to timing information in /proc
+
+These APIs expose sensitive information via timing side channels. This
+leaves access via the adb shell intact along with the current uses by
+dumpstate, init and system_server.
+
+The /proc/interrupts and /proc/stat files were covered in this paper:
+
+https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/
+
+The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
+also relevant.
+
+Access to /proc has been greatly restricted since then, with untrusted
+apps no longer having direct access to these, but stricter restrictions
+beyond that would be quite useful.
+
+Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
+---
+ dumpstate.te     | 1 +
+ file.te          | 3 +++
+ genfs_contexts   | 5 +++++
+ init.te          | 3 +++
+ shell.te         | 3 +++
+ system_server.te | 3 +++
+ 6 files changed, 18 insertions(+)
+
+diff --git a/dumpstate.te b/dumpstate.te
+index 0b1f97bd6..71c12461c 100644
+--- a/dumpstate.te
++++ b/dumpstate.te
+@@ -188,6 +188,7 @@ allow dumpstate debugfs_tracing:dir r_dir_perms;
+ allow dumpstate debugfs_tracing:file rw_file_perms;
+ allow dumpstate debugfs_trace_marker:file getattr;
+ allow dumpstate atrace_exec:file rx_file_perms;
++allow dumpstate proc_interrupts:file r_file_perms;
+ 
+ # Access to /data/media.
+ # This should be removed if sdcardfs is modified to alter the secontext for its
+diff --git a/file.te b/file.te
+index 446c1829c..6099eb581 100644
+--- a/file.te
++++ b/file.te
+@@ -13,10 +13,13 @@ type usermodehelper, fs_type, sysfs_type;
+ type qtaguid_proc, fs_type, mlstrustedobject;
+ type proc_bluetooth_writable, fs_type;
+ type proc_cpuinfo, fs_type;
++type proc_interrupts, fs_type;
+ type proc_iomem, fs_type;
+ type proc_meminfo, fs_type;
+ type proc_net, fs_type;
++type proc_stat, fs_type;
+ type proc_sysrq, fs_type;
++type proc_timer, fs_type;
+ type proc_uid_cputime_showstat, fs_type;
+ type proc_uid_cputime_removeuid, fs_type;
+ type selinuxfs, fs_type, mlstrustedobject;
+diff --git a/genfs_contexts b/genfs_contexts
+index 31794a1e8..612cc5b70 100644
+--- a/genfs_contexts
++++ b/genfs_contexts
+@@ -2,11 +2,14 @@
+ genfscon rootfs / u:object_r:rootfs:s0
+ # proc labeling can be further refined (longest matching prefix).
+ genfscon proc / u:object_r:proc:s0
++genfscon proc /interrupts u:object_r:proc_interrupts:s0
+ genfscon proc /iomem u:object_r:proc_iomem:s0
+ genfscon proc /meminfo u:object_r:proc_meminfo:s0
+ genfscon proc /net u:object_r:proc_net:s0
+ genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+ genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
++genfscon proc /softirqs u:object_r:proc_timer:s0
++genfscon proc /stat u:object_r:proc_stat:s0
+ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+ genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+@@ -23,6 +26,8 @@ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
++genfscon proc /timer_list u:object_r:proc_timer:s0
++genfscon proc /timer_stats u:object_r:proc_timer:s0
+ genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+ 
+diff --git a/init.te b/init.te
+index 9bc78d173..4e14d97e1 100644
+--- a/init.te
++++ b/init.te
+@@ -155,6 +155,9 @@ allow init self:capability net_admin;
+ # Write to /proc/sysrq-trigger.
+ allow init proc_sysrq:file w_file_perms;
+ 
++# Read /proc/stat for bootchart.
++allow init proc_stat:file r_file_perms;
++
+ # Reboot.
+ allow init self:capability sys_boot;
+ 
+diff --git a/shell.te b/shell.te
+index 3e95b4687..69e9c113a 100644
+--- a/shell.te
++++ b/shell.te
+@@ -96,7 +96,10 @@ allow shell { service_manager_type -gatekeeper_service -netd_service }:service_m
+ # allow shell to look through /proc/ for ps, top, netstat
+ r_dir_file(shell, proc)
+ r_dir_file(shell, proc_net)
++allow shell proc_interrupts:file r_file_perms;
+ allow shell proc_meminfo:file r_file_perms;
++allow shell proc_stat:file r_file_perms;
++allow shell proc_timer:file r_file_perms;
+ r_dir_file(shell, cgroup)
+ allow shell domain:dir { search open read getattr };
+ allow shell domain:{ file lnk_file } { open read getattr };
+diff --git a/system_server.te b/system_server.te
+index db59b6573..334cb9144 100644
+--- a/system_server.te
++++ b/system_server.te
+@@ -107,6 +107,9 @@ allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+ # Write to /proc/sysrq-trigger.
+ allow system_server proc_sysrq:file rw_file_perms;
+ 
++# Read /proc/stat for CPU usage statistics
++allow system_server proc_stat:file r_file_perms;
++
+ # Read /sys/kernel/debug/wakeup_sources.
+ allow system_server debugfs:file r_file_perms;
+ 

Patches/LineageOS-16.0/android_device_lge_g3-common/254249.patch

@@ -0,0 +1,21 @@
+From c8614262845ee9a0c096ca7da3ec66b9d3e3ce7d Mon Sep 17 00:00:00 2001
+From: Aleksander Gencel <johnnylittleplanet@gmail.com>
+Date: Thu, 22 Aug 2019 21:07:47 +0200
+Subject: [PATCH] g3-common: Add NFC HAL to proprietary-files
+
+Change-Id: I00397ccd3377ec3da3ac7efce70d417a6c5bf8e3
+---
+ proprietary-files.txt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/proprietary-files.txt b/proprietary-files.txt
+index 9511cf21..cc580f89 100644
+--- a/proprietary-files.txt
++++ b/proprietary-files.txt
+@@ -216,3 +216,6 @@ vendor/firmware/wcnss.mdt
+ 
+ # Widevine - from angler - OPR6.170623.017 factory image
+ vendor/lib/mediadrm/libwvdrmengine.so|66ba66d047044f92eb0eada1faf6a5799ded90ab
++
++# NFC
++vendor/lib/hw/nfc_nci.msm8974.so|7dcb79a385dd1155cb9b6310a3e7b85b7dc8db13

Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh

@@ -191,6 +191,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18203/^4.14.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18255/^4.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18360/^4.11.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18595/^4.14.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-2618/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-2671/^4.10.8/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-5669/^4.9.12/0001.patch
@@ -322,5 +323,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-1000111/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-15845/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8281/3.10/0003.patch
-editKernelLocalversion "-dos.p322"
+editKernelLocalversion "-dos.p323"
 cd "$DOS_BUILD_BASE"

Scripts/LineageOS-14.1/Functions.sh

@@ -113,19 +113,9 @@ export -f buildAll;
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
 	source build/envsetup.sh;
-	#repopick 192923; #su memory leak fixes
-	repopick -it wl12xx-krack-fw-4; #ti wlan firmware with krack fixes
 	#repopick 212799; #alt: 212827 flac extractor CVE-2017-0592
 	#repopick 214125; #spellchecker: enable more wordlists
 	repopick -it n_asb_09-2018-qcom;
-	repopick -it bt-sbc-hd-dualchannel-nougat;
-	repopick 201113; #wifi country code fix
-	repopick 242134; #AVRCP off-by-one fix
-	repopick 244387 244388; #loopback fixes
-	repopick -it CVE-2019-2033;
-	repopick 248599; #restrict SET_TIME_ZONE permission
-	repopick 248600 248649; #/proc hardening
-	repopick -it nougat-mr2-security-release-residue;
 	repopick -it n-tzdata-2019c;
 	repopick -it n-asb-2019-10;
 

Scripts/LineageOS-14.1/Patch.sh

@@ -71,6 +71,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 
 enterAndClear "device/qcom/sepolicy";
+patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/248649.patch"; #msm_irqbalance: Allow read for stats and interrupts
 patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on user builds XXX: REMOVE THIS TRASH
 
 enterAndClear "external/sqlite";
@@ -84,6 +85,7 @@ hardenLocationFWB "$DOS_BUILD_BASE";
 git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #re-enable doze on devices without gms
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
+patch -p1 < "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
@@ -110,6 +112,11 @@ awk -i inplace '!/com.android.internal.R.bool.config_permissionReviewRequired/'
 enterAndClear "hardware/ti/omap4";
 patch -p1 < "$DOS_PATCHES/android_hardware_ti_omap4/0001-tuna-camera.patch"; #fix camera on tuna
 
+enterAndClear "hardware/ti/wlan";
+#krack fixes
+git apply "$DOS_PATCHES/android_hardware_ti_wlan/209209.patch"; #wl12xx: Update SR and MR firmwares versions
+git apply "$DOS_PATCHES/android_hardware_ti_wlan/209210.patch"; #wl12xx: Update SR PLT firmwares
+
 if enter "kernel/wireguard"; then
 if [ "$DOS_WIREGUARD_INCLUDED" = false ]; then rm Android.mk; fi;
 #Remove system information from HTTP requests
@@ -127,6 +134,7 @@ patch -p1 < "$DOS_PATCHES/android_packages_apps_PackageInstaller/64d8b44.diff";
 
 enterAndClear "packages/apps/Settings";
 git revert 2ebe6058c546194a301c1fd22963d6be4adbf961; #don't hide oem unlock
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code
 patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe)
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@@ -156,6 +164,11 @@ enterAndClear "packages/services/Telephony";
 patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch";
 patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 
+enterAndClear "system/bt";
+patch -p1 < "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD
+patch -p1 < "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support
+patch -p1 < "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one
+
 enterAndClear "system/core";
 sed -i 's/!= 2048/< 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
@@ -163,7 +176,16 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 
+enterAndClear "system/netd";
+#loopback fixes
+patch -p1 < "$DOS_PATCHES/android_system_netd/244387.patch"; #Really always allow networking on loopback.
+patch -p1 < "$DOS_PATCHES/android_system_netd/244388.patch"; #Avoid netlink socket address conflict
+#CVE-2019-2033
+patch -p1 < "$DOS_PATCHES/android_system_netd/245690.patch"; #Fix fortify_fatal issue during DNSServiceProcessResult()
+patch -p1 < "$DOS_PATCHES/android_system_netd/245691.patch"; #Clear Element.mRef immediately after deallocating it
+
 enterAndClear "system/sepolicy";
+patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 
 enterAndClear "system/vold";

Scripts/LineageOS-16.0/Functions.sh

@@ -110,8 +110,9 @@ export -f buildAll;
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	source build/envsetup.sh;
-	repopick -f 254249; #g3 nfc
+	#source build/envsetup.sh;
+	#repopick -it marlin_cve_2019-09;
+	#repopick -it marlin_cve_2019-10;
 
 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS/Defaults.sh";

Scripts/LineageOS-16.0/Patch.sh

@@ -211,6 +211,7 @@ enterAndClear "device/lge/g2-common";
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 
 enterAndClear "device/lge/g3-common";
+patch -p1 < "$DOS_PATCHES/android_device_lge_g3-common/254249.patch"; #g3-common: Add NFC HAL to proprietary-files
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 sed -i '1itypeattribute wcnss_service misc_block_device_exception;' sepolicy/wcnss_service.te;