Further improve malware scanner

Scripts/Common/Functions.sh

@@ -48,25 +48,20 @@ gitReset() {
 export -f gitReset;
 
 scanForMalware() {
-#This isn't perfect, but if it ever catches something be happy that it exists
-#Speed Goals (on a standard 7200 RPM drive):
-#	- quick: < 10 mins
-#	- extra: < 30 mins
-#	- slow: < 1 hour
-#TODO: Scan more of /frameworks and /packages
-	if [ -x /usr/bin/clamscan ] && [ -f /var/lib/clamav/main.cvd ]; then
-		echo -e "\e[0;32mStarting a malware scan, this might take a while...\e[0m";
-		$excludes="--exclude-dir=\".git\" --exclude-dir=\".repo\"";
-		scanQueue="$base/android $base/art $base/bionic $base/bootable $base/build $base/compatibility $base/dalvik $base/device $base/hardware $base/libcore $base/libnativehelper $base/lineage-sdk $base/pdk $base/platform_testing $base/sdk"; #top-level directories
-		scanQueue=$scanQueue" $base/frameworks/av $base/frameworks/native $base/packages/inputmethods $base/vendor/lineage";
-		if [ "$MALWARE_SCAN_SETTING" != "quick" ] || [ "$MALWARE_SCAN_SETTING" = "extra" ]; then
-			scanQueue=$scanQueue" $base/packages $base/vendor";
-		fi;
-		if [ "$MALWARE_SCAN_SETTING" = "slow" ]; then
-			scanQueue=$scanQueue"$base/external $base/frameworks $base/prebuilts $base/system $base/toolchain $base/tools";
-		fi;
-		if [ "$MALWARE_SCAN_SETTING" = "full" ]; then
-			scanQueue="$base";
+	if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.cvd ]; then
+		echo -e "\e[0;32mStarting a malware scan...\e[0m";
+		excludes="--exclude-dir=\".git\" --exclude-dir=\".repo\"";
+		scanQueue=$2;
+		if [ "$1" = true ]; then
+			if [ "$MALWARE_SCAN_SETTING" != "quick" ] || [ "$MALWARE_SCAN_SETTING" = "extra" ]; then
+				scanQueue=$scanQueue" $base/frameworks $base/vendor";
+			fi;
+			if [ "$MALWARE_SCAN_SETTING" = "slow" ]; then
+				scanQueue=$scanQueue"$base/external $base/prebuilts $base/toolchain $base/tools";
+			fi;
+			if [ "$MALWARE_SCAN_SETTING" = "full" ]; then
+				scanQueue="$base";
+			fi;
 		fi;
 		du -hsc $scanQueue;
 		/usr/bin/clamscan --recursive --detect-pua --infected $excludes $scanQueue;
@@ -79,7 +74,6 @@ scanForMalware() {
 		fi;
 		if [ "$clamscanExit" -eq "0" ]; then
 			echo -e "\e[0;32mNo malware found\e[0m";
-			sleep 15;
 		fi;
 		if [ "$clamscanExit" -eq "2" ]; then
 			echo -e "\e[0;33m----------------------------------------------------------------\e[0m";

Scripts/LineageOS-14.1/00init.sh

@@ -45,8 +45,8 @@ export GRADLE_OPTS="-Xmx2048m";
 
 export NON_COMMERCIAL_USE_PATCHES=false; #Switch to false to prevent inclusion of non-commercial use patches
 
-export MALWARE_SCAN_ON_PATCH=true; #Switch to true to perform a malware scan of certain directories before patching
-export MALWARE_SCAN_SETTING="quick"; #Options are quick, extra, slow, full
+export MALWARE_SCAN_ENABLED=true; #Set true to perform a fast scan on patchWorkspace() and a through scan on buildAll()
+export MALWARE_SCAN_SETTING="quick"; #buildAll() scan speed. Options are quick, extra, slow, full
 
 source $scriptsCommon"/Functions.sh";
 source $scripts"/Functions.sh";

Scripts/LineageOS-14.1/Functions.sh

@@ -27,6 +27,13 @@ resetWorkspace() {
 }
 export -f resetWorkspace;
 
+scanWorkspaceForMalware() {
+	scanQueue="$base/abi $base/android $base/art $base/bionic $base/bootable $base/build $base/dalvik $base/device $base/hardware $base/libcore $base/libnativehelper $base/ndk $base/packages $base/pdk $base/platform_testing $base/sdk $base/system";
+	scanQueue=$scanQueue" $base/vendor/cm $base/vendor/cmsdk";
+	scanForMalware true "$scanQueue";
+}
+export -f scanWorkspaceForMalware;
+
 buildDevice() {
 	brunch lineage_$1-user;
 }
@@ -40,6 +47,8 @@ buildDeviceDebug() {
 export -f buildDeviceDebug;
 
 buildAll() {
+	if [ "$MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
+
 #Select devices are userdebug due to SELinux policy issues
 #TODO: Add victara, athene, us997, us996, pme, t0lte, hlte
 	brunch lineage_thor-userdebug; #deprecated
@@ -62,8 +71,7 @@ buildAll() {
 export -f buildAll;
 
 patchWorkspace() {
-	if [ "$MALWARE_SCAN_ON_PATCH" = true ]; then scanForMalware; fi;
-
+	if [ "$MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$base/build $base/vendor/cm"; fi;
 	#source build/envsetup.sh;
 
 	source $scripts/Patch.sh;

Scripts/LineageOS-15.1/00init.sh

@@ -45,8 +45,8 @@ export GRADLE_OPTS="-Xmx2048m";
 
 export NON_COMMERCIAL_USE_PATCHES=false; #Switch to false to prevent inclusion of non-commercial use patches
 
-export MALWARE_SCAN_ON_PATCH=true; #Switch to true to perform a malware scan of certain directories before patching
-export MALWARE_SCAN_SETTING="quick"; #Options are quick, extra, slow, full
+export MALWARE_SCAN_ENABLED=true; #Set true to perform a fast scan on patchWorkspace() and a through scan on buildAll()
+export MALWARE_SCAN_SETTING="quick"; #buildAll() scan speed. Options are quick, extra, slow, full
 
 source $scriptsCommon"/Functions.sh";
 source $scripts"/Functions.sh";

Scripts/LineageOS-15.1/Functions.sh

@@ -27,6 +27,13 @@ resetWorkspace() {
 }
 export -f resetWorkspace;
 
+scanWorkspaceForMalware() {
+	scanQueue="$base/android $base/art $base/bionic $base/bootable $base/build $base/compatibility $base/dalvik $base/device $base/hardware $base/libcore $base/libnativehelper $base/packages $base/pdk $base/platform_testing $base/sdk $base/system";
+	scanQueue=$scanQueue" $base/lineage-sdk $base/vendor/lineage";
+	scanForMalware true "$scanQueue";
+}
+export -f scanWorkspaceForMalware;
+
 buildDevice() {
 	brunch lineage_$1-user;
 }
@@ -40,6 +47,7 @@ buildDeviceDebug() {
 export -f buildDeviceDebug;
 
 buildAll() {
+	if [ "$MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
 #Select devices are userdebug due to SELinux policy issues
 	brunch lineage_d852-user;
 	brunch lineage_bacon-user;
@@ -62,7 +70,7 @@ buildAll() {
 export -f buildAll;
 
 patchWorkspace() {
-	if [ "$MALWARE_SCAN_ON_PATCH" = true ]; then scanForMalware; fi;
+	if [ "$MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$base/build $base/vendor/lineage"; fi;
 
 	source build/envsetup.sh;
 	repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup

Scripts/LineageOS-15.1/Patch.sh

@@ -225,6 +225,7 @@ cd $base;
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
 sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile
+sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/motorola/msm8996/arch/arm64/configs/*_defconfig; #Breaks on compile
 #
 #END OF DEVICE CHANGES
 #