Move many old cherry picks in tree for archival/support purposes

Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh

@@ -191,6 +191,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18203/^4.14.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18255/^4.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18360/^4.11.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18595/^4.14.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-2618/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-2671/^4.10.8/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-5669/^4.9.12/0001.patch
@@ -322,5 +323,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-1000111/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-15845/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8281/3.10/0003.patch
-editKernelLocalversion "-dos.p322"
+editKernelLocalversion "-dos.p323"
 cd "$DOS_BUILD_BASE"

Scripts/LineageOS-14.1/Functions.sh

@@ -113,19 +113,9 @@ export -f buildAll;
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
 	source build/envsetup.sh;
-	#repopick 192923; #su memory leak fixes
-	repopick -it wl12xx-krack-fw-4; #ti wlan firmware with krack fixes
 	#repopick 212799; #alt: 212827 flac extractor CVE-2017-0592
 	#repopick 214125; #spellchecker: enable more wordlists
 	repopick -it n_asb_09-2018-qcom;
-	repopick -it bt-sbc-hd-dualchannel-nougat;
-	repopick 201113; #wifi country code fix
-	repopick 242134; #AVRCP off-by-one fix
-	repopick 244387 244388; #loopback fixes
-	repopick -it CVE-2019-2033;
-	repopick 248599; #restrict SET_TIME_ZONE permission
-	repopick 248600 248649; #/proc hardening
-	repopick -it nougat-mr2-security-release-residue;
 	repopick -it n-tzdata-2019c;
 	repopick -it n-asb-2019-10;
 

Scripts/LineageOS-14.1/Patch.sh

@@ -71,6 +71,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 
 enterAndClear "device/qcom/sepolicy";
+patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/248649.patch"; #msm_irqbalance: Allow read for stats and interrupts
 patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on user builds XXX: REMOVE THIS TRASH
 
 enterAndClear "external/sqlite";
@@ -84,6 +85,7 @@ hardenLocationFWB "$DOS_BUILD_BASE";
 git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #re-enable doze on devices without gms
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
+patch -p1 < "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
@@ -110,6 +112,11 @@ awk -i inplace '!/com.android.internal.R.bool.config_permissionReviewRequired/'
 enterAndClear "hardware/ti/omap4";
 patch -p1 < "$DOS_PATCHES/android_hardware_ti_omap4/0001-tuna-camera.patch"; #fix camera on tuna
 
+enterAndClear "hardware/ti/wlan";
+#krack fixes
+git apply "$DOS_PATCHES/android_hardware_ti_wlan/209209.patch"; #wl12xx: Update SR and MR firmwares versions
+git apply "$DOS_PATCHES/android_hardware_ti_wlan/209210.patch"; #wl12xx: Update SR PLT firmwares
+
 if enter "kernel/wireguard"; then
 if [ "$DOS_WIREGUARD_INCLUDED" = false ]; then rm Android.mk; fi;
 #Remove system information from HTTP requests
@@ -127,6 +134,7 @@ patch -p1 < "$DOS_PATCHES/android_packages_apps_PackageInstaller/64d8b44.diff";
 
 enterAndClear "packages/apps/Settings";
 git revert 2ebe6058c546194a301c1fd22963d6be4adbf961; #don't hide oem unlock
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code
 patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe)
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@@ -156,6 +164,11 @@ enterAndClear "packages/services/Telephony";
 patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch";
 patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 
+enterAndClear "system/bt";
+patch -p1 < "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD
+patch -p1 < "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support
+patch -p1 < "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one
+
 enterAndClear "system/core";
 sed -i 's/!= 2048/< 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
@@ -163,7 +176,16 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 
+enterAndClear "system/netd";
+#loopback fixes
+patch -p1 < "$DOS_PATCHES/android_system_netd/244387.patch"; #Really always allow networking on loopback.
+patch -p1 < "$DOS_PATCHES/android_system_netd/244388.patch"; #Avoid netlink socket address conflict
+#CVE-2019-2033
+patch -p1 < "$DOS_PATCHES/android_system_netd/245690.patch"; #Fix fortify_fatal issue during DNSServiceProcessResult()
+patch -p1 < "$DOS_PATCHES/android_system_netd/245691.patch"; #Clear Element.mRef immediately after deallocating it
+
 enterAndClear "system/sepolicy";
+patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 
 enterAndClear "system/vold";

Scripts/LineageOS-16.0/Functions.sh

@@ -110,8 +110,9 @@ export -f buildAll;
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	source build/envsetup.sh;
-	repopick -f 254249; #g3 nfc
+	#source build/envsetup.sh;
+	#repopick -it marlin_cve_2019-09;
+	#repopick -it marlin_cve_2019-10;
 
 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS/Defaults.sh";

Scripts/LineageOS-16.0/Patch.sh

@@ -211,6 +211,7 @@ enterAndClear "device/lge/g2-common";
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 
 enterAndClear "device/lge/g3-common";
+patch -p1 < "$DOS_PATCHES/android_device_lge_g3-common/254249.patch"; #g3-common: Add NFC HAL to proprietary-files
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 sed -i '1itypeattribute wcnss_service misc_block_device_exception;' sepolicy/wcnss_service.te;