diff --git a/Patches/LineageOS-16.0/android_device_motorola_clark/privapp-permissions-qti.xml b/Patches/LineageOS-16.0/android_device_motorola_clark/privapp-permissions-qti.xml
new file mode 100644
index 00000000..87d58fdf
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_device_motorola_clark/privapp-permissions-qti.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of The Linux Foundation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+-->
+<!--
+This XML file declares which signature|privileged permissions should be
+granted to privileged applications on Qualcomm devices.
+It allows additional grants on top of privapp-permissions-platform.xml
+-->
+<permissions>
+    <privapp-permissions package="com.quicinc.cne.CNEService">
+        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+        <permission name="android.permission.PACKET_KEEPALIVE_OFFLOAD"/>
+    </privapp-permissions>
+
+    <privapp-permissions package="com.qti.dpmserviceapp">
+        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+    </privapp-permissions>
+
+    <privapp-permissions package="com.qualcomm.location">
+        <permission name="android.permission.CONTROL_LOCATION_UPDATES"/>
+    </privapp-permissions>
+
+    <privapp-permissions package="com.qualcomm.location.XT">
+        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+    </privapp-permissions>
+
+    <privapp-permissions package="com.qualcomm.qcrilmsgtunnel">
+        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+    </privapp-permissions>
+
+    <privapp-permissions package="com.qualcomm.atfwd">
+        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+    </privapp-permissions>
+</permissions>
\ No newline at end of file
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index c694b7d5..fce04ddb 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -549,7 +549,7 @@ hardenDefconfig() {
 	done
 	#Disable supported options
 	#Disabled: CONFIG_MSM_SMP2P_TEST (breaks compile on many kernels)
-	declare -a optionsNo=("CONFIG_ACPI_APEI_EINJ" "CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_ACPI_TABLE_UPGRADE" "CONFIG_BINFMT_AOUT" "CONFIG_BINFMT_MISC" "CONFIG_BPF_SYSCALL" "CONFIG_CHECKPOINT_RESTORE" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEBUG_FS" "CONFIG_DEBUG_KMEMLEAK" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_EARJACK_DEBUGGER" "CONFIG_FTRACE" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_GENERIC_TRACER" "CONFIG_HARDENED_USERCOPY_FALLBACK" "CONFIG_HIBERNATION" "CONFIG_HWPOISON_INJECT" "CONFIG_IA32_EMULATION" "CONFIG_IKCONFIG" "CONFIG_INET_DIAG" "CONFIG_IOMMU_NON_SECURE" "CONFIG_IP_DCCP" "CONFIG_IP_SCTP" "CONFIG_KALLSYMS" "CONFIG_KEXEC" "CONFIG_KEXEC_FILE" "CONFIG_KPROBES" "CONFIG_KSM" "CONFIG_LDISC_AUTOLOAD" "CONFIG_LEGACY_PTYS" "CONFIG_LIVEPATCH" "CONFIG_MAGIC_SYSRQ" "CONFIG_MEM_SOFT_DIRTY" "CONFIG_MMIOTRACE" "CONFIG_MMIOTRACE_TEST" "CONFIG_MODIFY_LDT_SYSCALL" "CONFIG_MSM_BUSPM_DEV" "CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG" "CONFIG_NOTIFIER_ERROR_INJECTION" "CONFIG_OABI_COMPAT" "CONFIG_PAGE_OWNER" "CONFIG_PROC_KCORE" "CONFIG_PROC_PAGE_MONITOR" "CONFIG_PROC_VMCORE" "CONFIG_PROFILING" "CONFIG_RDS" "CONFIG_RDS_TCP" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_TIMER_STATS" "CONFIG_TSC" "CONFIG_TSPP2" "CONFIG_UKSM" "CONFIG_UPROBES" "CONFIG_USELIB" "CONFIG_USERFAULTFD" "CONFIG_WLAN_FEATURE_MEMDUMP" "CONFIG_X86_PTDUMP" "CONFIG_X86_VSYSCALL_EMULATION" "CONFIG_ZSMALLOC_STAT");
+	declare -a optionsNo=("CONFIG_ACPI_APEI_EINJ" "CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_ACPI_TABLE_UPGRADE" "CONFIG_BINFMT_AOUT" "CONFIG_BINFMT_MISC" "CONFIG_CHECKPOINT_RESTORE" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEBUG_KMEMLEAK" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_EARJACK_DEBUGGER" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_HARDENED_USERCOPY_FALLBACK" "CONFIG_HIBERNATION" "CONFIG_HWPOISON_INJECT" "CONFIG_IA32_EMULATION" "CONFIG_IKCONFIG" "CONFIG_INET_DIAG" "CONFIG_IOMMU_NON_SECURE" "CONFIG_IP_DCCP" "CONFIG_IP_SCTP" "CONFIG_KALLSYMS" "CONFIG_KEXEC" "CONFIG_KEXEC_FILE" "CONFIG_KPROBES" "CONFIG_KSM" "CONFIG_LDISC_AUTOLOAD" "CONFIG_LEGACY_PTYS" "CONFIG_LIVEPATCH" "CONFIG_MAGIC_SYSRQ" "CONFIG_MEM_SOFT_DIRTY" "CONFIG_MMIOTRACE" "CONFIG_MMIOTRACE_TEST" "CONFIG_MODIFY_LDT_SYSCALL" "CONFIG_MSM_BUSPM_DEV" "CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG" "CONFIG_NOTIFIER_ERROR_INJECTION" "CONFIG_OABI_COMPAT" "CONFIG_PAGE_OWNER" "CONFIG_PROC_KCORE" "CONFIG_PROC_PAGE_MONITOR" "CONFIG_PROC_VMCORE" "CONFIG_RDS" "CONFIG_RDS_TCP" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_TIMER_STATS" "CONFIG_TSC" "CONFIG_TSPP2" "CONFIG_UKSM" "CONFIG_UPROBES" "CONFIG_USELIB" "CONFIG_USERFAULTFD" "CONFIG_WLAN_FEATURE_MEMDUMP" "CONFIG_X86_PTDUMP" "CONFIG_X86_VSYSCALL_EMULATION" "CONFIG_ZSMALLOC_STAT");
 	if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]]; then
 		optionsNo+=("CONFIG_DIAG_CHAR" "CONFIG_DIAG_OVER_USB" "CONFIG_USB_QCOM_DIAG_BRIDGE" "CONFIG_DIAGFWD_BRIDGE_CODE" "CONFIG_DIAG_SDIO_PIPE" "CONFIG_DIAG_HSIC_PIPE");
 	fi;
diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh
index 38bd2710..e8bc0ad8 100644
--- a/Scripts/LineageOS-14.1/Functions.sh
+++ b/Scripts/LineageOS-14.1/Functions.sh
@@ -116,8 +116,6 @@ patchWorkspace() {
 	#repopick 212799; #alt: 212827 flac extractor CVE-2017-0592
 	#repopick 214125; #spellchecker: enable more wordlists
 	repopick -it n_asb_09-2018-qcom;
-	repopick -it n-tzdata-2019c;
-	repopick -it n-asb-2019-10;
 
 	export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
 
diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8992.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8992.sh
index f2fad585..71c9f539 100644
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8992.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8992.sh
@@ -84,6 +84,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18203/^4.14.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18255/^4.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18360/^4.11.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18595/^4.14.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-6345/^4.9.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0002.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0003.patch
@@ -165,6 +166,8 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15212/^5.1.8/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15213/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15926/^5.2.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-17052/^5.3.2/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2001/^3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2101/ANY/0002.patch
@@ -175,5 +178,5 @@ git apply $DOS_PATCHES_LINUX_CVES/LVT-2017-0003/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p175"
+editKernelLocalversion "-dos.p178"
 cd "$DOS_BUILD_BASE"
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 42c872e8..8723d20d 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -230,13 +230,18 @@ echo "allow system_server sensors_data_file:dir r_file_perms;" >> sepolicy/syste
 sed -i 's/1333788672/880803840/' BoardConfig.mk; #don't touch partitions! DOS -user fits with 40M free
 awk -i inplace '!/TARGET_RELEASETOOLS_EXTENSIONS/' BoardConfig.mk;
 
-enterAndClear "device/moto/shamu";
+#enterAndClear "device/moto/shamu";
 #git revert 05fb49518049440f90423341ff25d4f75f10bc0c; #restore releasetools #TODO
 
 #enterAndClear "device/motorola/clark";
 #git revert fc6cf83; #disable nfc for now
-#awk -i '!/nfc/' device.mk;
+#awk -i inplace '!/nfc/' device.mk;
+#awk -i inplace '!/Nfc/' device.mk;
+#awk -i inplace '!/Tag/' device.mk;
 #patch -p1 < "$DOS_PATCHES/android_device_motorola_clark/0001-audit2allow.patch"; #audit2allow sepolicy
+#mkdir permissions;
+#cp "$DOS_PATCHES/android_device_motorola_clark/privapp-permissions-qti.xml" permissions/; #Fix privapp permissions, Credit: @Fabiett83
+#echo "PRODUCT_COPY_FILES += device/motorola/clark/permissions/privapp-permissions-qti.xml:system/etc/permissions/privapp-permissions-qti.xml" >> device.mk;
 #sed -i 's/androidboot.selinux=permissive//' BoardConfig.mk; #enforce sepolicy
 #rm configs/Android.mk; #fix compile
 #rm setup-makefiles.sh; #broken, deblobber will still function