diff --git a/Manifests/Manifest_LAOS-15.1.xml b/Manifests/Manifest_LAOS-15.1.xml
index 780b1e5b..60df5f9f 100644
--- a/Manifests/Manifest_LAOS-15.1.xml
+++ b/Manifests/Manifest_LAOS-15.1.xml
@@ -130,10 +130,6 @@
-
-
-
-
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index f013e815..71585377 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -87,6 +87,17 @@ scanForMalware() {
}
export -f scanForMalware;
+audit2allowCurrent() {
+ adb shell dmesg | grep denied | audit2allow -p "$ANDROID_PRODUCT_OUT"/root/sepolicy;
+}
+export -f audit2allowCurrent;
+
+audit2allowADB() {
+ adb pull /sys/fs/selinux/policy;
+ adb logcat -b all -d | audit2allow -p policy;
+}
+export -f audit2allowADB;
+
disableDexPreOpt() {
cd $base$1;
if [ -f BoardConfig.mk ]; then
@@ -190,7 +201,7 @@ hardenDefconfig() {
#Enable supported options
#Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
- declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_PARTIALRESUME" "CONFIG_CRYPTO_PCRYPT" "CONFIG_CRYPTO_CRYPTD" "CONFIG_CRYPTO_DEV_QCRYPTO" "CONFIG_CRYPTO_AES_ARM" "CONFIG_CRYPTO_AES_ARM_BS")
+ declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE")
for option in "${optionsYes[@]}"
do
sed -i 's/# '$option' is not set/'$option'=y/' $defconfigPath &>/dev/null || true;
@@ -203,7 +214,7 @@ hardenDefconfig() {
done
#Disable supported options
#TODO: Disable earjack/uart debugger
- declare -a optionsNo=("CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_BINFMT_MISC" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_HIBERNATION" "CONFIG_INET_DIAG" "CONFIG_KEXEC" "CONFIG_LEGACY_PTYS" "CONFIG_MSM_BUSPM_DEV" "CONFIG_OABI_COMPAT" "CONFIG_PROC_KCORE" "CONFIG_PROC_VMCORE" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_WLAN_FEATURE_MEMDUMP" "CONFIG_CRYPTO_DEV_QCEDEV" "CONFIG_CRYPTO_DEV_OTA_CRYPTO")
+ declare -a optionsNo=("CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_BINFMT_MISC" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_HIBERNATION" "CONFIG_INET_DIAG" "CONFIG_KEXEC" "CONFIG_LEGACY_PTYS" "CONFIG_MSM_BUSPM_DEV" "CONFIG_OABI_COMPAT" "CONFIG_PROC_KCORE" "CONFIG_PROC_VMCORE" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_WLAN_FEATURE_MEMDUMP")
for option in "${optionsNo[@]}"
do
sed -i 's/'$option'=y/# '$option' is not set/' $defconfigPath &>/dev/null || true;
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 65752182..99ead905 100755
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -236,8 +236,6 @@ cd $base;
#Fixes
#Fix broken options enabled by hardenDefconfig()
sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile
-sed -i "s/CONFIG_PARTIALRESUME=y/# CONFIG_PARTIALRESUME is not set/" kernel/motorola/msm8992/arch/arm64/configs/*defconfig; #Breaks on compile
-sed -i "s/CONFIG_CRYPTO_DEV_QCRYPTO=y/# CONFIG_CRYPTO_DEV_QCRYPTO is not set/" kernel/samsung/jf/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
#
#END OF DEVICE CHANGES
#
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
deleted file mode 100644
index ea80b5f4..00000000
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/bash
-cd $base"kernel/motorola/msm8992"
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0004-No_dir-relax.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0005.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0006.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0007.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0008.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0009.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0010.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0011.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0013.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0014.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0015.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
-git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
-git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
-git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
-git apply $cvePatchesLinux/CVE-2014-9904/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2016-6672/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2016-8394/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-0648/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-0861/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-0862/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-1000410/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-11473/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-11600/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-13163/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-13168/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-13216/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-13218/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-13218/3.10/0002.patch
-git apply $cvePatchesLinux/CVE-2017-13218/3.10/0003.patch
-git apply $cvePatchesLinux/CVE-2017-13218/3.10/0004.patch
-git apply $cvePatchesLinux/CVE-2017-13245/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-13246/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16526/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16531/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16532/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16533/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16534/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16535/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16537/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16538/^4.13/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16538/^4.13/0002.patch
-git apply $cvePatchesLinux/CVE-2017-16643/3.5+/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16645/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16650/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16939/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0003.patch
-git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
-git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-17762/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-17806/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-6345/^4.9/0001.patch
-git apply $cvePatchesLinux/CVE-2017-7533/3.10/0002.patch
-git apply $cvePatchesLinux/CVE-2017-7533/3.10/0003.patch
-git apply $cvePatchesLinux/CVE-2017-8243/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-8281/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2017-8281/3.10/0003.patch
-git apply $cvePatchesLinux/CVE-2017-9723/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2018-3563/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2018-3584/ANY/0001.patch
-#git apply $cvePatchesLinux/CVE-2018-3585/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2018-5825/3.10/0001.patch
-git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
-git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
-git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p72"
-cd $base
diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh
index 3d931e72..244ebd2a 100644
--- a/Scripts/LineageOS-15.1/Functions.sh
+++ b/Scripts/LineageOS-15.1/Functions.sh
@@ -18,7 +18,7 @@
#Last verified: 2018-04-27
patchAllKernels() {
- startPatcher "kernel_google_marlin kernel_google_msm kernel_htc_flounder kernel_htc_msm8974 kernel_huawei_angler kernel_lge_bullhead kernel_lge_g3 kernel_lge_hammerhead kernel_lge_mako kernel_lge_msm8974 kernel_lge_msm8996 kernel_moto_shamu kernel_motorola_msm8992 kernel_motorola_msm8996 kernel_nextbit_msm8992 kernel_oppo_msm8974 kernel_samsung_msm8974";
+ startPatcher "kernel_google_marlin kernel_google_msm kernel_htc_flounder kernel_htc_msm8974 kernel_huawei_angler kernel_lge_bullhead kernel_lge_g3 kernel_lge_hammerhead kernel_lge_mako kernel_lge_msm8974 kernel_lge_msm8996 kernel_moto_shamu kernel_motorola_msm8996 kernel_nextbit_msm8992 kernel_oppo_msm8974 kernel_samsung_msm8974";
}
export -f patchAllKernels;
@@ -53,7 +53,6 @@ buildAll() {
brunch lineage_d852-user;
brunch lineage_bacon-user;
brunch lineage_mako-user;
- #brunch lineage_clark-user; #requires blobs from https://androidfilehost.com/?w=files&flid=244563 and permissive and broken
brunch lineage_angler-user;
brunch lineage_bullhead-user;
brunch lineage_d802-user; #broken upstream - error: 'vendor/lge/g2-common/proprietary/vendor/etc/acdbdata/Bluetooth_cal.acdb'
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index afe462d8..ee032b89 100755
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -238,7 +238,6 @@ cd $base;
#Fix broken options enabled by hardenDefconfig()
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
-sed -i "s/CONFIG_CRYPTO_DEV_QCRYPTO=y/# CONFIG_CRYPTO_DEV_QCRYPTO is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile
sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/motorola/msm8996/arch/arm64/configs/*_defconfig; #Breaks on compile
#