From 6c4eadcdc74bb46a9ad41146c2e2990aa9f91479 Mon Sep 17 00:00:00 2001 From: Tad Date: Thu, 20 Dec 2018 17:22:34 -0500 Subject: [PATCH] Manifest cleanup + always remove latemount from /cache formatting/erasing /cache will result in selinux contexts being lost these are normally restored by system/core/rootdir/init.rc in post-fs but latemount causes /cache to not be mounted beforehand preventing it from ever being fixed result is broken ota and recovery updates --- Manifests/Manifest_LAOS-14.1.xml | 1 - Manifests/Manifest_LAOS-15.1.xml | 1 - Patches/LineageOS-11.0/android_build/1.patch | 104 +++++++++++++++++++ PrebuiltApps | 2 +- Scripts/Common/Functions.sh | 11 +- 5 files changed, 113 insertions(+), 6 deletions(-) create mode 100644 Patches/LineageOS-11.0/android_build/1.patch diff --git a/Manifests/Manifest_LAOS-14.1.xml b/Manifests/Manifest_LAOS-14.1.xml index 6f3c2990..de6febf7 100644 --- a/Manifests/Manifest_LAOS-14.1.xml +++ b/Manifests/Manifest_LAOS-14.1.xml @@ -67,7 +67,6 @@ - diff --git a/Manifests/Manifest_LAOS-15.1.xml b/Manifests/Manifest_LAOS-15.1.xml index 4db08476..80a295b0 100644 --- a/Manifests/Manifest_LAOS-15.1.xml +++ b/Manifests/Manifest_LAOS-15.1.xml @@ -67,7 +67,6 @@ - diff --git a/Patches/LineageOS-11.0/android_build/1.patch b/Patches/LineageOS-11.0/android_build/1.patch new file mode 100644 index 00000000..828de3de --- /dev/null +++ b/Patches/LineageOS-11.0/android_build/1.patch 
@@ -0,0 +1,104 @@
+From 4eb4173b876ab4b4d71a5be541096d346649bbef Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Sat, 30 May 2015 22:47:50 -0400
+Subject: [PATCH] add optional automated signing
+
+---
+ core/Makefile | 48 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/core/Makefile b/core/Makefile
+index 7eca2db..82006c9 100644
+--- a/core/Makefile
++++ b/core/Makefile
+@@ -408,6 +408,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+ DEFAULT_KEY_CERT_PAIR := $(OTA_PACKAGE_SIGNING_KEY)
+ endif
+
++ifneq ($(SIGNING_KEY_DIR),)
++ KEY_CERT_DIR := $(SIGNING_KEY_DIR)
++ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
++endif
++
+ # Rules that need to be present for the all targets, even
+ # if they don't do anything.
+ .PHONY: systemimage
+@@ -943,13 +948,18 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+
+-ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+- OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+- PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
++ifneq ($(SIGNING_KEY_DIR),)
++ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
++ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
+ else
+- PRODUCT_EXTRA_RECOVERY_KEYS += \
+- build/target/product/security/cm \
+- build/target/product/security/cm-devkey
++ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
++ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
++ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
++ else
++ PRODUCT_EXTRA_RECOVERY_KEYS += \
++ build/target/product/security/cm \
++ build/target/product/security/cm-devkey
++ endif
+ endif
+
+ # Generate a file containing the keys that will be read by the
+@@ -1593,6 +1603,12 @@ BUILT_TARGET_FILES_PACKAGE := $(intermediates)/$(name).zip
+ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
+ $(BUILT_TARGET_FILES_PACKAGE): \
+ zip_root := $(intermediates)/$(name)
++SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
++MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
++
++ifneq ($(SIGNING_KEY_DIR),)
++ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
++endif
+
+ # $(1): Directory to copy
+ # $(2): Location to copy it to
+@@ -1868,6 +1884,12 @@ else
+ OTA_FROM_TARGET_SCRIPT := $(TARGET_RELEASETOOL_OTA_FROM_TARGET_SCRIPT)
+ endif
+
++ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
++ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
++else
++ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
++endif
++
+ ifeq ($(WITH_GMS),true)
+ $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
+ else
+@@ -1895,7 +1917,17 @@ ifneq ($(BLOCK_BASED_OTA),false)
+ $(INTERNAL_OTA_PACKAGE_TARGET): block_based := --block
+ endif
+
+-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)
++$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)
++ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
++ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
++ $(hide) $(SIGN_TARGET_SCRIPT) \
++ -d $(KEY_CERT_DIR) \
++ -o \
++ -e SMSSecure.apk,Orbot.apk,Android-IMSI-Catcher-Detector.apk,FreeOTP.apk,F-Droid.apk= \
++ $(BUILT_TARGET_FILES_PACKAGE) \
++ $(SIGNED_TARGET_FILES_PACKAGE)
++
++$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $(DISTTOOLS)
+ @echo "$(OTA_FROM_TARGET_SCRIPT)" > $(PRODUCT_OUT)/ota_script_path
+ @echo "$(override_device)" > $(PRODUCT_OUT)/ota_override_device
+ @echo -e ${CL_YLW}"Package OTA:"${CL_RST}" $@"
+@@ -1907,7 +1939,7 @@ $(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)
+ --backup=$(backuptool) \
+ --override_device=$(override_device) $(override_prop) \
+ $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
+- $(BUILT_TARGET_FILES_PACKAGE) $@
++ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
+
+ CM_TARGET_PACKAGE := $(PRODUCT_OUT)/cm-$(CM_VERSION).zip
+
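Review bot: The `$(SIGNED_TARGET_FILES_PACKAGE)` rule added in the embedded core/Makefile patch (inner hunk `@@ -1895,7 +1917,17 @@`) is defined unconditionally, while `KEY_CERT_DIR` is only assigned inside `ifneq ($(SIGNING_KEY_DIR),)` in the `@@ -408,6 +408,11 @@` hunk. If that target is requested without `SIGNING_KEY_DIR`, `-d $(KEY_CERT_DIR)` expands to a bare `-d` and, unless `KEY_CERT_DIR` is set elsewhere in the file, the following `-o` would be taken as its argument. Wrapping the rule in the same `ifneq ($(SIGNING_KEY_DIR),)` / `endif` pair keeps the OTA rule working (it falls back to `$(BUILT_TARGET_FILES_PACKAGE)`) and removes the half-configured signing path. In the `@@ -943,13 +948,18 @@` hunk, `PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra` appends rather than assigns, so any keys a product has already listed stay accepted by recovery; a comment stating whether that is intended, and one explaining that the `-e ...apk=` list leaves those prebuilt APKs with their original signatures, would help the next maintainer.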
diff --git a/PrebuiltApps b/PrebuiltApps index 8cccc645..4f224d0e 160000 --- a/PrebuiltApps +++ b/PrebuiltApps @@ -1 +1 @@ -Subproject commit 8cccc645af2911c40643ebd38f720faaae16f52a +Subproject commit 4f224d0eca2ff2c89c409ba8b86c101bccdb582f diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index 364d9ab6..10b0c3c1 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -206,7 +206,7 @@ export -f hardenLocation; enableZram() { cd "$DOS_BUILD_BASE$1"; - sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true; + sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true; echo "Enabled zram for $1"; cd "$DOS_BUILD_BASE"; } @@ -214,9 +214,14 @@ export -f enableZram; hardenUserdata() { cd "$DOS_BUILD_BASE$1"; + + #Remove latemount to allow selinux contexts be restored upon /cache wipe + #Fixes broken OTA updater and broken /recovery updater + sed -i '/\/cache/s|latemount,||' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true; + #TODO: Ensure: noatime,nosuid,nodev - sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true; - sed -i 's|encryptable=/|forceencrypt=/|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true; + sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true; + sed -i 's|encryptable=/|forceencrypt=/|' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true; echo "Hardened /data for $1"; cd "$DOS_BUILD_BASE"; }
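Review bot: The new `sed -i '/\/cache/s|latemount,||'` in hardenUserdata only strips `latemount` when another flag follows it, so an fstab entry that lists it last (`...,latemount`) is left unchanged and /cache keeps the late mount that the commit message describes as breaking OTA and recovery updates. Handling both positions, e.g. `sed -i '/\/cache/{s|latemount,||;s|,latemount||}'`, closes that case. Because every sed in this function ends in `&>/dev/null || true`, a miss like this or a failed `forceencrypt` rewrite is silent and `echo "Hardened /data for $1"` prints regardless; a `grep` after the edits that warns when `latemount` is still on a /cache line or `encryptable=` is still present would surface it.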