clark: experimental 16.0

LICENSE

@@ -14,7 +14,7 @@ Patches/
 		[Everything Else] - Apache-2.0
 	Linux - See COPYING included (GPLv2)
 	Overclocks - GPLv2
-	Wallpapers - See LICENSE included
+	Wallpapers - See LICENSE included (Unsplash)
 PrebuiltApps - See LICENSE included
 Scripts - GPLv3
 

Manifests/Manifest_LAOS-16.0.xml

@@ -144,6 +144,10 @@
 	<project path="device/motorola/victara" name="LineageOS/android_device_motorola_victara" remote="github" />
 	<project path="kernel/motorola/msm8974" name="LineageOS/android_kernel_motorola_msm8974" remote="github" />
 
+	<!-- Moto X Pure Edition (clark)
+	<project path="device/motorola/clark" name="randomblame/android_device_motorola_clark" remote="github" />
+	<project path="kernel/motorola/msm8992" name="randomblame/android_kernel_motorola_msm8992" remote="github" /> -->
+
 	<!-- Moto Z (griffin) -->
 	<project path="device/motorola/griffin" name="LineageOS/android_device_motorola_griffin" remote="github" />
 	<project path="kernel/motorola/msm8996" name="LineageOS/android_kernel_motorola_msm8996" remote="github" />

Patches/LineageOS-16.0/android_device_motorola_clark/0001-audit2allow.patch

@@ -0,0 +1,193 @@
+From f882d4f46b119d05ed02bfb35d03507abe65df94 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Sat, 28 Sep 2019 10:57:48 -0400
+Subject: [PATCH] audit2allow sepolicy
+
+Change-Id: Ia1e82d78c0f6a59216ce62274ec678258a807ed7
+---
+ sepolicy/hal-nfc_default.te       |  2 ++
+ sepolicy/hal_bluetooth_default.te |  1 +
+ sepolicy/hal_keymaster_default.te |  1 +
+ sepolicy/healthd.te               |  1 +
+ sepolicy/init-power-sh.te         |  5 +++++
+ sepolicy/init.te                  | 13 +++++++++++++
+ sepolicy/mm-qcamerad.te           |  4 ++++
+ sepolicy/qtelephony.te            |  2 ++
+ sepolicy/rild.te                  |  4 ++++
+ sepolicy/rmt_storage.te           |  1 +
+ sepolicy/sensors.te               |  1 +
+ sepolicy/servicemanager.te        |  3 +++
+ sepolicy/system_app.te            |  3 +++
+ sepolicy/system_server.te         |  3 +++
+ sepolicy/toolbox.te               |  1 +
+ sepolicy/ueventd.te               |  1 +
+ 16 files changed, 46 insertions(+)
+ create mode 100644 sepolicy/hal-nfc_default.te
+ create mode 100644 sepolicy/hal_bluetooth_default.te
+ create mode 100644 sepolicy/hal_keymaster_default.te
+ create mode 100644 sepolicy/qtelephony.te
+ create mode 100644 sepolicy/servicemanager.te
+
+diff --git a/sepolicy/hal-nfc_default.te b/sepolicy/hal-nfc_default.te
+new file mode 100644
+index 0000000..f4d0b78
+--- /dev/null
++++ b/sepolicy/hal-nfc_default.te
+@@ -0,0 +1,2 @@
++allow hal_nfc_default nfc_data_file:dir { add_name write };
++allow hal_nfc_default nfc_data_file:file { create open read write };
+diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
+new file mode 100644
+index 0000000..ec949d1
+--- /dev/null
++++ b/sepolicy/hal_bluetooth_default.te
+@@ -0,0 +1 @@
++allow hal_bluetooth_default mnt_vendor_file:file { open read };
+diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
+new file mode 100644
+index 0000000..3aad282
+--- /dev/null
++++ b/sepolicy/hal_keymaster_default.te
+@@ -0,0 +1 @@
++allow hal_keymaster_default unlabeled:file { getattr open read };
+diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
+index 114e7b7..74a252e 100644
+--- a/sepolicy/healthd.te
++++ b/sepolicy/healthd.te
+@@ -1,3 +1,4 @@
+ allow healthd sysfs_thermal:dir search;
+ allow healthd sysfs_thermal:file { open read };
+ allow healthd device:dir r_dir_perms;
++allow healthd sysfs:file { getattr open read };
+diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
+index c24dd3c..ba3cd05 100644
+--- a/sepolicy/init-power-sh.te
++++ b/sepolicy/init-power-sh.te
+@@ -31,3 +31,8 @@ allow init-power-sh rootfs:file { getattr open read };
+ allow init-power-sh sysfs:dir { open read };
+ allow init-power-sh sysfs:file getattr;
+ allow init-power-sh sysfs:lnk_file getattr;
++
++allow init-power-sh file_contexts_file:file read;
++allow init-power-sh sysfs_cpu_boost:dir search;
++allow init-power-sh sysfs_cpu_boost:file { open write };
++allow init-power-sh sysfs_net:dir search;
+diff --git a/sepolicy/init.te b/sepolicy/init.te
+index 5ea8334..8424ed2 100644
+--- a/sepolicy/init.te
++++ b/sepolicy/init.te
+@@ -14,3 +14,16 @@ allow init sysfs_lowmemorykiller:file getattr;
+ allow init sysfs_light:file setattr;
+ allow init sysfs_power:file setattr;
+ allow init system_data_file:file { rename append };
++allow init atfwd_service:service_manager find;
++allow init debugfs_rmt:dir relabelfrom;
++allow init debugfs_rmt:file relabelfrom;
++allow init hal_drm_hwservice:hwservice_manager add;
++allow init hal_light_hwservice:hwservice_manager add;
++allow init hidl_base_hwservice:hwservice_manager add;
++allow init mnt_vendor_file:dir mounton;
++allow init qmuxd:unix_stream_socket connectto;
++allow init qmuxd_socket:sock_file write;
++allow init servicemanager:binder call;
++allow init sysfs:file { open setattr write };
++allow init sysfs_devices_system_cpu:file write;
++allow init sysfs_graphics:file { open write };
+diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
+index 79059bb..990fb2c 100644
+--- a/sepolicy/mm-qcamerad.te
++++ b/sepolicy/mm-qcamerad.te
+@@ -3,3 +3,7 @@ allow mm-qcamerad init:unix_stream_socket connectto;
+ allow mm-qcamerad persist_file:dir { getattr open read search  };
+ allow mm-qcamerad persist_file:file { read open getattr };
+ allow mm-qcamerad property_socket:sock_file write;
++allow mm-qcamerad mnt_vendor_file:dir search;
++allow mm-qcamerad mnt_vendor_file:file { getattr open read };
++allow mm-qcamerad vendor_data_file:dir { add_name remove_name write };
++allow mm-qcamerad vendor_data_file:sock_file { create unlink };
+diff --git a/sepolicy/qtelephony.te b/sepolicy/qtelephony.te
+new file mode 100644
+index 0000000..c9d5a74
+--- /dev/null
++++ b/sepolicy/qtelephony.te
+@@ -0,0 +1,2 @@
++allow qtelephony atfwd_service:service_manager add;
++allow qtelephony radio_service:service_manager find;
+diff --git a/sepolicy/rild.te b/sepolicy/rild.te
+index 732d94c..9970af5 100644
+--- a/sepolicy/rild.te
++++ b/sepolicy/rild.te
+@@ -10,3 +10,7 @@ allow rild rmt_storage_prop:file { getattr open read };
+ allow rild sensors_device:chr_file { ioctl open read write };
+ allow rild system_data_file:dir { write remove_name  add_name };
+ allow rild system_data_file:sock_file { create setattr unlink };
++allow rild proc:file read;
++allow rild system_data_file:dir { open read };
++allow rild system_file:file execute_no_trans;
++allow rild unlabeled:dir getattr;
+diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
+index cf637ca..67cec68 100644
+--- a/sepolicy/rmt_storage.te
++++ b/sepolicy/rmt_storage.te
+@@ -10,3 +10,4 @@ allow rmt_storage fsg_file:file r_file_perms;
+ allow rmt_storage init:unix_stream_socket connectto;
+ allow rmt_storage property_socket:sock_file write;
+ allow rmt_storage rmt_storage_prop:property_service set;
++allow rmt_storage unlabeled:file { open read };
+diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
+index a07201b..196ed1a 100644
+--- a/sepolicy/sensors.te
++++ b/sepolicy/sensors.te
+@@ -1,3 +1,4 @@
+ allow sensors init:unix_stream_socket connectto;
+ allow sensors property_socket:sock_file write;
+ allow sensors sensors_prop:property_service set;
++allow sensors firmware_file:file { getattr open read };
+diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
+new file mode 100644
+index 0000000..8ef184e
+--- /dev/null
++++ b/sepolicy/servicemanager.te
+@@ -0,0 +1,3 @@
++allow servicemanager init:dir search;
++allow servicemanager init:file { open read };
++allow servicemanager init:process getattr;
+diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
+index d0dbdfa..92d225c 100644
+--- a/sepolicy/system_app.te
++++ b/sepolicy/system_app.te
+@@ -1 +1,4 @@
+ allow system_app sensors_device:chr_file { read write open ioctl };
++allow system_app proc_pagetypeinfo:file { getattr open read };
++allow system_app sysfs_zram:dir search;
++allow system_app sysfs_zram:file { getattr open read };
+diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
+index c082b93..8f81c08 100644
+--- a/sepolicy/system_server.te
++++ b/sepolicy/system_server.te
+@@ -5,3 +5,6 @@ allow system_server sysfs_dt2w:file rw_file_perms;
+ allow system_server sysfs_light:file rw_file_perms;
+ allow system_server sysfs_power:file rw_file_perms;
+ allow system_server user_profile_data_file:dir r_dir_perms;
++allow system_server block_device:blk_file { getattr ioctl open read write };
++allow system_server init:binder call;
++allow system_server sensors_device:chr_file ioctl;
+diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
+index 0e64d66..7c57640 100644
+--- a/sepolicy/toolbox.te
++++ b/sepolicy/toolbox.te
+@@ -3,3 +3,4 @@ allow toolbox hwrev_data_file:file { write unlink getattr setattr };
+ allow toolbox init:fifo_file { write read getattr };
+ allow toolbox self:capability chown;
+ allow toolbox sysfs:file setattr;
++allow toolbox sysfs:file { getattr open read };
+diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
+index d069fda..65a66b8 100644
+--- a/sepolicy/ueventd.te
++++ b/sepolicy/ueventd.te
+@@ -1 +1,2 @@
+ allow ueventd radio_data_file:chr_file { create setattr };
++allow ueventd unlabeled:file { getattr open read };
+-- 
+2.21.0
+

Patches/Linux

@@ -1 +1 @@
-Subproject commit 9a828784009d6f4b10692aa8cc79794f87921e89
+Subproject commit 21da5586597d91650ff76f05bdf012e5b146ec11

PrebuiltApps

@@ -1 +1 @@
-Subproject commit 22eb7004cc4f6bf25b61de4793975f2053f38147
+Subproject commit 7c4dabda0e38d849db0f8997def6b841bbd02bc2

Scripts/Common/Functions.sh

@@ -167,9 +167,9 @@ processRelease() {
 		echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
 	elif [[ "$VERITY" == "avb" ]]; then
 		local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" \
-			--avb_vbmeta_algorithm SHA256_RSA2048 \
+			--avb_vbmeta_algorithm SHA512_RSA4096 \
 			--avb_system_key "$KEY_DIR/avb.pem" \
-			--avb_system_algorithm SHA256_RSA2048);
+			--avb_system_algorithm SHA512_RSA4096);
 		local AVB_PKMD="$KEY_DIR/avb_pkmd.bin";
 		echo -e "\e[0;32m\t+ Verified Boot 2.0\e[0m";
 	fi;

Scripts/Generate_Signing_Keys.sh

@@ -12,7 +12,7 @@ mkdir $1; cd $1;
 desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
 
 sed -i '/blank for none/,+1 d' "$DOS_BUILD_BASE"/development/tools/make_key;
-#sed -i 's/2048/4096/' "$DOS_BUILD_BASE"/development/tools/make_key;
+sed -i 's/2048/4096/' "$DOS_BUILD_BASE"/development/tools/make_key;
 "$DOS_BUILD_BASE"/development/tools/make_key extra "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key future-1 "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key future-2 "$desc" "$type";
@@ -27,7 +27,7 @@ sed -i 's/4096/2048/' "$DOS_BUILD_BASE"/development/tools/make_key;
 "$DOS_BUILD_BASE"/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key;
 openssl x509 -outform der -in verity.x509.pem -out verifiedboot_relkeys.der.x509;
 
-openssl genrsa -out avb.pem 2048; #or 4096
+openssl genrsa -out avb.pem 4096;
 "$DOS_BUILD_BASE"/external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin;
 
 cd "$DOS_BUILD_BASE";

Scripts/LineageOS-11.0/Patch.sh

@@ -99,7 +99,7 @@ enterAndClear "packages/apps/Trebuchet";
 sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;
 
 enterAndClear "system/core";
-sed -i 's/!= 2048/>= 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
+sed -i 's/!= 2048/< 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
 

Scripts/LineageOS-14.1/Functions.sh

@@ -126,7 +126,6 @@ patchWorkspace() {
 	repopick 248599; #restrict SET_TIME_ZONE permission
 	repopick 248600 248649; #/proc hardening
 	repopick -it nougat-mr2-security-release-residue;
-	repopick 255328; #update webview
 
 	export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
 

Scripts/LineageOS-14.1/Patch.sh

@@ -157,7 +157,7 @@ patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle
 patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 
 enterAndClear "system/core";
-sed -i 's/!= 2048/>= 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
+sed -i 's/!= 2048/< 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f; #Always update recovery XXX: This doesn't seem to work
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)

Scripts/LineageOS-15.1/Functions.sh

@@ -100,8 +100,7 @@ export -f buildAll;
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	source build/envsetup.sh;
-	repopick 255328; #update webview
+	#source build/envsetup.sh;
 
 	export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
 

Scripts/LineageOS-15.1/Patch.sh

@@ -65,7 +65,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
 
 enterAndClear "bootable/recovery";
 git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
-sed -i 's/!= 2048/>= 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
+sed -i 's/!= 2048/< 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
 
 enterAndClear "build/make";
 patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification

Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh

@@ -142,7 +142,10 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15212/^5.1.8/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15213/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15214/^5.0.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15666/^5.0.19/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15916/^5.0.1/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15926/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2181/3.18/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2263/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2290/ANY/0001.patch
@@ -160,5 +163,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0610/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14883/ANY/0001.patch
-editKernelLocalversion "-dos.p162"
+editKernelLocalversion "-dos.p163"
 cd "$DOS_BUILD_BASE"

Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_g3.sh

@@ -91,6 +91,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15926/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2101/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-3459/^5.1/0001.patch

Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh

@@ -113,6 +113,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9516/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15926/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2001/^3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2101/ANY/0001.patch
@@ -121,5 +122,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/797912_0001-usb-gadget-Fix-synchronization-issue-between-f_audio.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/870057_0001-wcnss-add-null-check-in-pm_ops-unregister.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p121"
+editKernelLocalversion "-dos.p122"
 cd "$DOS_BUILD_BASE"

Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8992.sh

@@ -0,0 +1,179 @@
+#!/bin/bash
+cd "$DOS_BUILD_BASE""kernel/motorola/msm8992"
+git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0004-No_dir-relax.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0005.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0007.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0008.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0009.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0010.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0011.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0013.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0014.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0015.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0016.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0017.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/3.10/0018.patch
+git apply $DOS_PATCHES_LINUX_CVES/0006-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0011.patch
+git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0012.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2013-2898/^3.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2013-4129/^3.10.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2013-4129/^3.10.3/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2013-4470/^3.12/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2014-9730/^3.18.2/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2014-9904/^3.17/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2015-1339/^4.4/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2015-5307/^4.2.6/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2015-6937/^4.2.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2015-8746/^4.2.2/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-5244/^4.6.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-5828/^4.6.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6672/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-8394/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0648/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0861/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0862/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-1000252/^4.13.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-1000410/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11176/^4.11.9/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11473/^4.12.2/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11600/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13163/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13168/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13218/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13218/3.10/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13218/3.10/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13218/3.10/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13245/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13246/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13305/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13694/^4.12.9/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13695/^4.12.9/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14489/^4.13.2/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-15837/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16526/^4.13.6/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16531/^4.13.6/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16532/^4.13.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16533/^4.13.8/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16534/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16535/^4.13.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16537/^4.13.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16538/^4.13.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16538/^4.13.11/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16643/3.5-^4.13.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16645/^4.13.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16650/^4.13.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16939/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0006.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-17450/^4.14.4/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-17558/^4.14.5/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-17762/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-17805/^4.14.8/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-17806/^4.14.8/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18079/^4.12.4/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18153/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18203/^4.14.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18255/^4.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18360/^4.11.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-6345/^4.9.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8243/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8281/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8281/3.10/0003.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8824/^4.14.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9711/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9723/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9984/^4.11.7/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-1000199/^3.18/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10021/^4.16/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10087/^4.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10124/^4.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-1068/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-1068/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10877/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.10/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.10/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10881/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10882/3.10/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10883/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-1092/^4.15.15/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11265/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11273/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11286/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11832/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11919/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11987/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-12011/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-13053/^4.17.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-13913/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-14634/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-14734/^4.17.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18021/^4.18.12/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20836/^4.20/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-3563/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-3584/ANY/0001.patch
+#git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-3585/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-3597/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5390/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5390/3.10/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5825/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5858/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5864/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5897/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5897/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5904/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5908/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7273/^4.15.4/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7492/^4.14.7/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7757/^4.15.7/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-8781/^4.15/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9383/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9389/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9416/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9439/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9516/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9518/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10519/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-11486/^5.0.8/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-11884/^5.0.15/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12456/^5.1.5/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-13631/^5.2.1/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15098/^5.2.8/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15212/^5.1.8/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15213/^5.2.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2001/^3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2101/ANY/0002.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2331/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-3459/^5.1/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/LVT-2017-0003/3.10/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
+editKernelLocalversion "-dos.p175"
+cd "$DOS_BUILD_BASE"

Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_oppo_msm8974.sh

@@ -113,6 +113,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15926/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2001/^3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2101/ANY/0001.patch

Scripts/LineageOS-16.0/Functions.sh

@@ -18,7 +18,7 @@
 #Last verified: 2018-04-27
 
 patchAllKernels() {
-	startPatcher "kernel_asus_fugu kernel_cyanogen_msm8916 kernel_cyanogen_msm8974 kernel_essential_msm8998 kernel_fairphone_msm8974 kernel_google_bonito kernel_google_crosshatch kernel_google_marlin kernel_google_msm kernel_google_wahoo kernel_htc_msm8974 kernel_lge_g3 kernel_lge_hammerhead kernel_lge_mako kernel_lge_msm8974 kernel_moto_shamu kernel_motorola_msm8974 kernel_motorola_msm8996 kernel_nextbit_msm8992 kernel_oppo_msm8974 kernel_razer_msm8998 kernel_samsung_jf kernel_samsung_msm8974 kernel_samsung_smdk4412 kernel_zuk_msm8996";
+	startPatcher "kernel_asus_fugu kernel_cyanogen_msm8916 kernel_cyanogen_msm8974 kernel_essential_msm8998 kernel_fairphone_msm8974 kernel_google_bonito kernel_google_crosshatch kernel_google_marlin kernel_google_msm kernel_google_wahoo kernel_htc_msm8974 kernel_lge_g3 kernel_lge_hammerhead kernel_lge_mako kernel_lge_msm8974 kernel_moto_shamu kernel_motorola_msm8974 kernel_motorola_msm8992 kernel_motorola_msm8996 kernel_nextbit_msm8992 kernel_oppo_msm8974 kernel_razer_msm8998 kernel_samsung_jf kernel_samsung_msm8974 kernel_samsung_smdk4412 kernel_zuk_msm8996";
 }
 export -f patchAllKernels;
 
@@ -77,6 +77,7 @@ buildAll() {
 	#SD805
 	buildDevice shamu verity;
 	#SD808
+	#buildDeviceUserDebug clark; #permissive + needs manual patching - fwb xml: fused: dangling tag
 	buildDevice ether;
 	#SD615
 	buildDevice kipper; #broken
@@ -109,7 +110,6 @@ patchWorkspace() {
 
 	source build/envsetup.sh;
 	repopick -f 254249; #g3 nfc
-	repopick 255328; #update webview
 
 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS/Defaults.sh";

Scripts/LineageOS-16.0/Patch.sh

@@ -66,7 +66,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
 enterAndClear "bootable/recovery";
 git revert 4d361ff13b5bd61d5a6a5e95063b24b8a37a24ab 37d729bf; #fix sideload
 git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
-sed -i 's/!= 2048/>= 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
+sed -i 's/!= 2048/< 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
 
 enterAndClear "build/make";
 git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
@@ -105,7 +105,7 @@ patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch";
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL (GrapheneOS)
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers (GrapheneOS)
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
-patch -p1 < "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning.patch"; #add exec-based spawning support (GrapheneOS)
+if [ "$DOS_GRAPHENE_EXEC" = true ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning.patch"; fi; #add exec-based spawning support (GrapheneOS)
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL (MSe)
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts (GrapheneOS)
 rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
@@ -228,6 +228,15 @@ awk -i inplace '!/TARGET_RELEASETOOLS_EXTENSIONS/' BoardConfig.mk;
 enterAndClear "device/moto/shamu";
 #git revert 05fb49518049440f90423341ff25d4f75f10bc0c; #restore releasetools #TODO
 
+#enterAndClear "device/motorola/clark";
+#git revert fc6cf83; #disable nfc for now
+#awk -i '!/nfc/' device.mk;
+#patch -p1 < "$DOS_PATCHES/android_device_motorola_clark/0001-audit2allow.patch"; #audit2allow sepolicy
+#sed -i 's/androidboot.selinux=permissive//' BoardConfig.mk; #enforce sepolicy
+#rm configs/Android.mk; #fix compile
+#rm setup-makefiles.sh; #broken, deblobber will still function
+#XXX: remove atfwd and cne from vendor makefiles
+
 enterAndClear "device/oppo/msm8974-common";
 sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/
 

Scripts/init.sh

@@ -19,7 +19,7 @@
 
 #START OF USER CONFIGURABLE OPTIONS
 export DOS_WORKSPACE_ROOT="/mnt/Drive-3/"; #XXX: THIS MUST BE CORRECT TO BUILD!
-export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys/2048";
+export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys/4096";
 #export DOS_BINARY_PATCHER="";
 #export DOS_TOR_WRAPPER="torsocks"; #Uncomment to perform select build operations over Tor
 
@@ -36,13 +36,14 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
 export DOS_BUILDALL_SUPERSEDED=false; #Set true to build superseded devices when running buildAll()
 export DOS_GPS_GLONASS_FORCED=true; #Enables GLONASS on all devices
 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms
+export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature
 export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file
 export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: Blokada, DNS66
 export DOS_HOSTS_BLOCKING_LIST="https://divestos.org/hosts"; #Must be in the format "127.0.0.1 bad.domain.tld"
 export DOS_LOWRAM_ENABLED=false; #Switch to true to enable low_ram on all devices
 export DOS_MALWARE_SCAN_ENABLED=true; #Set true to perform a fast scan on patchWorkspace() and a through scan on buildAll()
 export DOS_MALWARE_SCAN_SETTING="quick"; #buildAll() scan speed. Options: quick, extra, slow, full
-export DOS_MICROG_INCLUDED="NLP"; #Determines inclusion of microG. Options: NLP, FULL
+export DOS_MICROG_INCLUDED="NLP"; #Determines inclusion of microG. Options: NONE, NLP, FULL
 export DOS_NON_COMMERCIAL_USE_PATCHES=false; #Switch to false to prevent inclusion of non-commercial use patches XXX: Unused, see 1dc9247
 export DOS_OPTIMIZE_IMAGES=false; #Set true to apply lossless optimizations to image resources
 export DOS_OVERCLOCKS_ENABLED=false; #Switch to false to disable overclocks #XXX: Most devices have their processors directly under their RAM, heatsinking is mostly into the ground plane, potentially inflicting damage to RAM and the processor itself