From 79aa32c5e2a6e480937d1131fa0038111d4dc683 Mon Sep 17 00:00:00 2001 From: Tad Date: Wed, 13 Jun 2018 19:48:53 -0400 Subject: [PATCH] Cleanup --- Manifests/Manifest_LAOS-15.1.xml | 4 - Scripts/Common/Functions.sh | 15 +++- Scripts/LineageOS-14.1/Patch.sh | 2 - .../android_kernel_motorola_msm8992.sh | 76 ------------------- Scripts/LineageOS-15.1/Functions.sh | 3 +- Scripts/LineageOS-15.1/Patch.sh | 1 - 6 files changed, 14 insertions(+), 87 deletions(-) delete mode 100644 Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh diff --git a/Manifests/Manifest_LAOS-15.1.xml b/Manifests/Manifest_LAOS-15.1.xml index 780b1e5b..60df5f9f 100644 --- a/Manifests/Manifest_LAOS-15.1.xml +++ b/Manifests/Manifest_LAOS-15.1.xml @@ -130,10 +130,6 @@ - - - - diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index f013e815..71585377 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -87,6 +87,17 @@ scanForMalware() { } export -f scanForMalware; +audit2allowCurrent() { + adb shell dmesg | grep denied | audit2allow -p "$ANDROID_PRODUCT_OUT"/root/sepolicy; +} +export -f audit2allowCurrent; + +audit2allowADB() { + adb pull /sys/fs/selinux/policy; + adb logcat -b all -d | audit2allow -p policy; +} +export -f audit2allowADB; + disableDexPreOpt() { cd $base$1; if [ -f BoardConfig.mk ]; then @@ -190,7 +201,7 @@ hardenDefconfig() { #Enable supported options #Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981) - declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_PARTIALRESUME" "CONFIG_CRYPTO_PCRYPT" "CONFIG_CRYPTO_CRYPTD" "CONFIG_CRYPTO_DEV_QCRYPTO" "CONFIG_CRYPTO_AES_ARM" "CONFIG_CRYPTO_AES_ARM_BS") + declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE") for option in "${optionsYes[@]}" do sed -i 's/# '$option' is not set/'$option'=y/' $defconfigPath &>/dev/null || true; @@ -203,7 +214,7 @@ hardenDefconfig() { done #Disable supported options #TODO: Disable earjack/uart debugger - declare -a optionsNo=("CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_BINFMT_MISC" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_HIBERNATION" "CONFIG_INET_DIAG" "CONFIG_KEXEC" "CONFIG_LEGACY_PTYS" "CONFIG_MSM_BUSPM_DEV" "CONFIG_OABI_COMPAT" "CONFIG_PROC_KCORE" "CONFIG_PROC_VMCORE" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_WLAN_FEATURE_MEMDUMP" "CONFIG_CRYPTO_DEV_QCEDEV" "CONFIG_CRYPTO_DEV_OTA_CRYPTO") + declare -a optionsNo=("CONFIG_ACPI_CUSTOM_METHOD" "CONFIG_BINFMT_MISC" "CONFIG_COMPAT_BRK" "CONFIG_COMPAT_VDSO" "CONFIG_CP_ACCESS64" "CONFIG_DEVKMEM" "CONFIG_DEVMEM" "CONFIG_DEVPORT" "CONFIG_HIBERNATION" "CONFIG_INET_DIAG" "CONFIG_KEXEC" "CONFIG_LEGACY_PTYS" "CONFIG_MSM_BUSPM_DEV" "CONFIG_OABI_COMPAT" "CONFIG_PROC_KCORE" "CONFIG_PROC_VMCORE" "CONFIG_SECURITY_SELINUX_DISABLE" "CONFIG_SLAB_MERGE_DEFAULT" "CONFIG_WLAN_FEATURE_MEMDUMP") for option in "${optionsNo[@]}" do sed -i 's/'$option'=y/# '$option' is not set/' $defconfigPath &>/dev/null || true; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 65752182..99ead905 100755 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -236,8 +236,6 @@ cd $base; #Fixes #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile -sed -i "s/CONFIG_PARTIALRESUME=y/# CONFIG_PARTIALRESUME is not set/" kernel/motorola/msm8992/arch/arm64/configs/*defconfig; #Breaks on compile -sed -i "s/CONFIG_CRYPTO_DEV_QCRYPTO=y/# CONFIG_CRYPTO_DEV_QCRYPTO is not set/" kernel/samsung/jf/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile # #END OF DEVICE CHANGES # diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh deleted file mode 100644 index ea80b5f4..00000000 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_motorola_msm8992.sh +++ /dev/null @@ -1,76 +0,0 @@ -#!/bin/bash -cd $base"kernel/motorola/msm8992" -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0004-No_dir-relax.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0005.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0006.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0007.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0008.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0009.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0010.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0011.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0013.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0014.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0015.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch -git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch -git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch -git apply $cvePatchesLinux/CVE-2014-9904/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2016-6672/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2016-8394/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-0648/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-0861/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-0862/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-1000410/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-11473/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-11600/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-13163/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-13168/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-13216/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-13218/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-13218/3.10/0002.patch -git apply $cvePatchesLinux/CVE-2017-13218/3.10/0003.patch -git apply $cvePatchesLinux/CVE-2017-13218/3.10/0004.patch -git apply $cvePatchesLinux/CVE-2017-13245/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-13246/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-16526/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16531/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16532/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16533/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16534/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-16535/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16537/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16538/^4.13/0001.patch -git apply $cvePatchesLinux/CVE-2017-16538/^4.13/0002.patch -git apply $cvePatchesLinux/CVE-2017-16643/3.5+/0001.patch -git apply $cvePatchesLinux/CVE-2017-16645/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-16650/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-16939/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0003.patch -git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch -git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-17762/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-17806/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-6345/^4.9/0001.patch -git apply $cvePatchesLinux/CVE-2017-7533/3.10/0002.patch -git apply $cvePatchesLinux/CVE-2017-7533/3.10/0003.patch -git apply $cvePatchesLinux/CVE-2017-8243/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-8281/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2017-8281/3.10/0003.patch -git apply $cvePatchesLinux/CVE-2017-9723/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2018-3563/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2018-3584/ANY/0001.patch -#git apply $cvePatchesLinux/CVE-2018-3585/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2018-5825/3.10/0001.patch -git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch -git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p72" -cd $base diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index 3d931e72..244ebd2a 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -18,7 +18,7 @@ #Last verified: 2018-04-27 patchAllKernels() { - startPatcher "kernel_google_marlin kernel_google_msm kernel_htc_flounder kernel_htc_msm8974 kernel_huawei_angler kernel_lge_bullhead kernel_lge_g3 kernel_lge_hammerhead kernel_lge_mako kernel_lge_msm8974 kernel_lge_msm8996 kernel_moto_shamu kernel_motorola_msm8992 kernel_motorola_msm8996 kernel_nextbit_msm8992 kernel_oppo_msm8974 kernel_samsung_msm8974"; + startPatcher "kernel_google_marlin kernel_google_msm kernel_htc_flounder kernel_htc_msm8974 kernel_huawei_angler kernel_lge_bullhead kernel_lge_g3 kernel_lge_hammerhead kernel_lge_mako kernel_lge_msm8974 kernel_lge_msm8996 kernel_moto_shamu kernel_motorola_msm8996 kernel_nextbit_msm8992 kernel_oppo_msm8974 kernel_samsung_msm8974"; } export -f patchAllKernels; @@ -53,7 +53,6 @@ buildAll() { brunch lineage_d852-user; brunch lineage_bacon-user; brunch lineage_mako-user; - #brunch lineage_clark-user; #requires blobs from https://androidfilehost.com/?w=files&flid=244563 and permissive and broken brunch lineage_angler-user; brunch lineage_bullhead-user; brunch lineage_d802-user; #broken upstream - error: 'vendor/lge/g2-common/proprietary/vendor/etc/acdbdata/Bluetooth_cal.acdb' diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index afe462d8..ee032b89 100755 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -238,7 +238,6 @@ cd $base; #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile -sed -i "s/CONFIG_CRYPTO_DEV_QCRYPTO=y/# CONFIG_CRYPTO_DEV_QCRYPTO is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/motorola/msm8996/arch/arm64/configs/*_defconfig; #Breaks on compile #