18.1: add the ptrace_scope patchset from GrapheneOS
ad017fba58
3b89605581
8b0419ac04
52ea603339
Signed-off-by: Tad <tad@spotco.us>
parent
07bd5a3a0e
commit
844227a4f4
@ -0,0 +1,168 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Tue, 6 Apr 2021 01:15:32 +0100
|
||||
Subject: [PATCH] add native debugging setting
|
||||
|
||||
---
|
||||
res/values/strings.xml | 3 +
|
||||
res/xml/security_dashboard_settings.xml | 6 +
|
||||
.../NativeDebugPreferenceController.java | 106 ++++++++++++++++++
|
||||
.../settings/security/SecuritySettings.java | 1 +
|
||||
4 files changed, 116 insertions(+)
|
||||
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index dbbc4ba758..87ef39ed10 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -11957,6 +11957,9 @@
|
||||
<!-- UI debug setting: Force enable "smart dark" UI rendering feature summary [CHAR LIMIT=NONE] -->
|
||||
<string name="hwui_force_dark_summary">Overrides the force-dark feature to be always-on</string>
|
||||
|
||||
+ <string name="native_debug_title">Enable native code debugging</string>
|
||||
+ <string name="native_debug_summary">Generate useful logs / bug reports from crashes and permit debugging native code.</string>
|
||||
+
|
||||
<!-- If blurs are supported on SurfaceFlinger. [CHAR LIMIT=60] -->
|
||||
<string name="enable_blurs_on_windows_title">Enable blurs</string>
|
||||
<!-- If blurs are supported on SurfaceFlinger, summary. [CHAR LIMIT=NONE] -->
|
||||
diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
|
||||
index dfb0db65e5..06b3511ceb 100644
|
||||
--- a/res/xml/security_dashboard_settings.xml
|
||||
+++ b/res/xml/security_dashboard_settings.xml
|
||||
@@ -63,6 +63,12 @@
|
||||
android:persistent="false"
|
||||
android:entries="@array/auto_reboot_entries"
|
||||
android:entryValues="@array/auto_reboot_values" />
|
||||
+
|
||||
+ <SwitchPreference
|
||||
+ android:key="native_debug"
|
||||
+ android:title="@string/native_debug_title"
|
||||
+ android:summary="@string/native_debug_summary"
|
||||
+ android:persistent="false" />
|
||||
</PreferenceCategory>
|
||||
|
||||
<!-- work profile security section -->
|
||||
diff --git a/src/com/android/settings/security/NativeDebugPreferenceController.java b/src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
new file mode 100644
|
||||
index 0000000000..9271e6e21c
|
||||
--- /dev/null
|
||||
+++ b/src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
@@ -0,0 +1,106 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2020 The Android Open Source Project
|
||||
+ *
|
||||
+ * Licensed under the Apache License, Version 2.0 (the "License");
|
||||
+ * you may not use this file except in compliance with the License.
|
||||
+ * You may obtain a copy of the License at
|
||||
+ *
|
||||
+ * http://www.apache.org/licenses/LICENSE-2.0
|
||||
+ *
|
||||
+ * Unless required by applicable law or agreed to in writing, software
|
||||
+ * distributed under the License is distributed on an "AS IS" BASIS,
|
||||
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
+ * See the License for the specific language governing permissions and
|
||||
+ * limitations under the License
|
||||
+ */
|
||||
+
|
||||
+package com.android.settings.security;
|
||||
+
|
||||
+import android.content.Context;
|
||||
+
|
||||
+import android.os.UserHandle;
|
||||
+import android.os.UserManager;
|
||||
+import android.os.SystemProperties;
|
||||
+
|
||||
+import android.provider.Settings;
|
||||
+
|
||||
+import androidx.preference.Preference;
|
||||
+import androidx.preference.PreferenceCategory;
|
||||
+import androidx.preference.PreferenceGroup;
|
||||
+import androidx.preference.PreferenceScreen;
|
||||
+import androidx.preference.TwoStatePreference;
|
||||
+import androidx.preference.SwitchPreference;
|
||||
+
|
||||
+import com.android.internal.widget.LockPatternUtils;
|
||||
+import com.android.settings.core.PreferenceControllerMixin;
|
||||
+import com.android.settingslib.core.AbstractPreferenceController;
|
||||
+import com.android.settingslib.core.lifecycle.events.OnResume;
|
||||
+
|
||||
+public class NativeDebugPreferenceController extends AbstractPreferenceController
|
||||
+ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
|
||||
+
|
||||
+ private static final String SYS_KEY_NATIVE_DEBUG = "persist.native_debug";
|
||||
+ private static final String PREF_KEY_NATIVE_DEBUG = "native_debug";
|
||||
+ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
|
||||
+
|
||||
+ private PreferenceCategory mSecurityCategory;
|
||||
+ private SwitchPreference mNativeDebug;
|
||||
+ private boolean mIsAdmin;
|
||||
+ private UserManager mUm;
|
||||
+
|
||||
+ public NativeDebugPreferenceController(Context context) {
|
||||
+ super(context);
|
||||
+ mUm = UserManager.get(context);
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public void displayPreference(PreferenceScreen screen) {
|
||||
+ super.displayPreference(screen);
|
||||
+ mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
|
||||
+ updatePreferenceState();
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public boolean isAvailable() {
|
||||
+ mIsAdmin = mUm.isAdminUser();
|
||||
+ return mIsAdmin;
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public String getPreferenceKey() {
|
||||
+ return PREF_KEY_NATIVE_DEBUG;
|
||||
+ }
|
||||
+
|
||||
+ // TODO: should we use onCreatePreferences() instead?
|
||||
+ private void updatePreferenceState() {
|
||||
+ if (mSecurityCategory == null) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (mIsAdmin) {
|
||||
+ mNativeDebug = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG);
|
||||
+ mNativeDebug.setChecked(SystemProperties.getBoolean(SYS_KEY_NATIVE_DEBUG, true));
|
||||
+ } else {
|
||||
+ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public void onResume() {
|
||||
+ updatePreferenceState();
|
||||
+ if (mNativeDebug != null) {
|
||||
+ boolean mode = mNativeDebug.isChecked();
|
||||
+ SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public boolean onPreferenceChange(Preference preference, Object value) {
|
||||
+ final String key = preference.getKey();
|
||||
+ if (PREF_KEY_NATIVE_DEBUG.equals(key)) {
|
||||
+ final boolean mode = !mNativeDebug.isChecked();
|
||||
+ SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode));
|
||||
+ }
|
||||
+ return true;
|
||||
+ }
|
||||
+}
|
||||
diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
|
||||
index 953012f9e7..6f939d3165 100644
|
||||
--- a/src/com/android/settings/security/SecuritySettings.java
|
||||
+++ b/src/com/android/settings/security/SecuritySettings.java
|
||||
@@ -119,6 +119,7 @@ public class SecuritySettings extends DashboardFragment {
|
||||
securityPreferenceControllers.add(new FingerprintStatusPreferenceController(context));
|
||||
securityPreferenceControllers.add(new ChangeScreenLockPreferenceController(context, host));
|
||||
securityPreferenceControllers.add(new AutoRebootPreferenceController(context));
|
||||
+ securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
|
||||
controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
|
||||
.setChildren(securityPreferenceControllers));
|
||||
controllers.addAll(securityPreferenceControllers);
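Review bot: In `NativeDebugPreferenceController`, `onResume()` writes `persist.native_debug` from the switch state on every resume, and `updatePreferenceState()` seeds that state with `SystemProperties.getBoolean(SYS_KEY_NATIVE_DEBUG, true)`, so on a device where the property was never set, opening the Security screen as the admin user persists `true` without any user action. The init.rc patch in this commit maps `true` to `ptrace_scope 0`, the least restrictive value, so I would drop the write from `onResume()` and leave it to `onPreferenceChange()`, or at least document the permissive default next to `SYS_KEY_NATIVE_DEBUG`. In `onPreferenceChange()`, `final boolean mode = !mNativeDebug.isChecked();` ignores `value` and dereferences a field that stays null when `security_category` is not found; `final boolean mode = (Boolean) value;` avoids both. `findPreference(PREF_KEY_NATIVE_DEBUG)` is also cast and used without a null check in `updatePreferenceState()`.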
|
@ -0,0 +1,26 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Mon, 5 Apr 2021 03:02:51 +0100
|
||||
Subject: [PATCH] add a property for controlling ptrace_scope
|
||||
|
||||
---
|
||||
rootdir/init.rc | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||||
index f19b7484d..23800b021 100644
|
||||
--- a/rootdir/init.rc
|
||||
+++ b/rootdir/init.rc
|
||||
@@ -1005,6 +1005,12 @@ on property:sys.sysctl.extra_free_kbytes=*
|
||||
on property:sys.sysctl.tcp_def_init_rwnd=*
|
||||
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
|
||||
|
||||
+on property:persist.native_debug=true
|
||||
+ write /proc/sys/kernel/yama/ptrace_scope 0
|
||||
+
|
||||
+on property:persist.native_debug=false
|
||||
+ write /proc/sys/kernel/yama/ptrace_scope 2
|
||||
+
|
||||
# perf_event_open syscall security:
|
||||
# Newer kernels have the ability to control the use of the syscall via SELinux
|
||||
# hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
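Review bot: The two new triggers fire only when `persist.native_debug` is exactly `true` or `false`, so while the property is unset nothing is written and `ptrace_scope` stays at whatever the kernel or an earlier init step left it; the patch should say which state is intended on a fresh install. The values themselves are undocumented here: a comment such as `# Yama ptrace_scope: 0 = classic ptrace permissions, 2 = attaching requires CAP_SYS_PTRACE` above the first trigger would make the mapping reviewable. Since this is a `persist.` property, the write presumably happens only once persistent properties have been loaded, so until then the previous value applies; worth confirming that window is acceptable.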
|
@ -0,0 +1,143 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Mon, 5 Apr 2021 02:26:20 +0100
|
||||
Subject: [PATCH] allow init to control kernel.yama.ptrace_scope
|
||||
|
||||
Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
|
||||
---
|
||||
prebuilts/api/26.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/27.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/28.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/29.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/30.0/private/domain.te | 1 +
|
||||
prebuilts/api/30.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/30.0/public/init.te | 3 +++
|
||||
private/domain.te | 1 +
|
||||
private/genfs_contexts | 1 +
|
||||
public/init.te | 3 +++
|
||||
10 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
|
||||
index 753cabf15..67203c998 100644
|
||||
--- a/prebuilts/api/26.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/26.0/private/genfs_contexts
|
||||
@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
|
||||
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
||||
diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
|
||||
index 606d46cbe..ac54e423a 100644
|
||||
--- a/prebuilts/api/27.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/27.0/private/genfs_contexts
|
||||
@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
|
||||
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
||||
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
|
||||
index 44ca95fd5..89b55b28d 100644
|
||||
--- a/prebuilts/api/28.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/28.0/private/genfs_contexts
|
||||
@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
|
||||
index 804996685..22a1ebf8d 100644
|
||||
--- a/prebuilts/api/29.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/29.0/private/genfs_contexts
|
||||
@@ -68,6 +68,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
|
||||
index 7116dadfd..55264d01a 100644
|
||||
--- a/prebuilts/api/30.0/private/domain.te
|
||||
+++ b/prebuilts/api/30.0/private/domain.te
|
||||
@@ -125,6 +125,7 @@ allow domain boringssl_self_test_marker:dir search;
|
||||
# with other UIDs to these whitelisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
+ -init
|
||||
-vold
|
||||
userdebug_or_eng(`-llkd')
|
||||
-dumpstate
|
||||
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
|
||||
index c5f43c74a..c34705788 100644
|
||||
--- a/prebuilts/api/30.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/30.0/private/genfs_contexts
|
||||
@@ -73,6 +73,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te
|
||||
index 374c0c1f4..5698d53fd 100644
|
||||
--- a/prebuilts/api/30.0/public/init.te
|
||||
+++ b/prebuilts/api/30.0/public/init.te
|
||||
@@ -144,6 +144,9 @@ allow init self:global_capability_class_set sys_time;
|
||||
|
||||
allow init self:global_capability_class_set { sys_rawio mknod };
|
||||
|
||||
+# Set /proc/sys/kernel/yama/ptrace_scope
|
||||
+allow init self:capability { sys_ptrace };
|
||||
+
|
||||
# Mounting filesystems from block devices.
|
||||
allow init dev_type:blk_file r_file_perms;
|
||||
allowxperm init dev_type:blk_file ioctl BLKROSET;
|
||||
diff --git a/private/domain.te b/private/domain.te
|
||||
index 7116dadfd..55264d01a 100644
|
||||
--- a/private/domain.te
|
||||
+++ b/private/domain.te
|
||||
@@ -125,6 +125,7 @@ allow domain boringssl_self_test_marker:dir search;
|
||||
# with other UIDs to these whitelisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
+ -init
|
||||
-vold
|
||||
userdebug_or_eng(`-llkd')
|
||||
-dumpstate
|
||||
diff --git a/private/genfs_contexts b/private/genfs_contexts
|
||||
index c5f43c74a..c34705788 100644
|
||||
--- a/private/genfs_contexts
|
||||
+++ b/private/genfs_contexts
|
||||
@@ -73,6 +73,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/public/init.te b/public/init.te
|
||||
index 374c0c1f4..5698d53fd 100644
|
||||
--- a/public/init.te
|
||||
+++ b/public/init.te
|
||||
@@ -144,6 +144,9 @@ allow init self:global_capability_class_set sys_time;
|
||||
|
||||
allow init self:global_capability_class_set { sys_rawio mknod };
|
||||
|
||||
+# Set /proc/sys/kernel/yama/ptrace_scope
|
||||
+allow init self:capability { sys_ptrace };
|
||||
+
|
||||
# Mounting filesystems from block devices.
|
||||
allow init dev_type:blk_file r_file_perms;
|
||||
allowxperm init dev_type:blk_file ioctl BLKROSET;
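Review bot: The `-init` line added to the `neverallow` in `private/domain.te` (and its `prebuilts/api/30.0` copy) carries no comment, and together with `allow init self:capability { sys_ptrace };` it hands init the whole capability in order to write one sysctl. The rule body is outside the hunk, but from the visible comment fragment this appears to be the neverallow that restricts `sys_ptrace` to a short list of domains, so the exemption deserves a stated reason. I would expand the comment in `init.te` to something like `# Yama only accepts writes to ptrace_scope from a task with CAP_SYS_PTRACE; init uses it for nothing else`, and repeat the reason beside `-init`. The neighbouring rules use `global_capability_class_set` while the new one uses `capability`; if the narrower class is deliberate, say so.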
|
@ -0,0 +1,86 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Mon, 5 Apr 2021 02:27:06 +0100
|
||||
Subject: [PATCH] allow system to use persist.native_debug
|
||||
|
||||
---
|
||||
prebuilts/api/26.0/private/property_contexts | 1 +
|
||||
prebuilts/api/27.0/private/property_contexts | 1 +
|
||||
prebuilts/api/28.0/private/property_contexts | 1 +
|
||||
prebuilts/api/29.0/private/property_contexts | 1 +
|
||||
prebuilts/api/30.0/private/property_contexts | 1 +
|
||||
private/property_contexts | 1 +
|
||||
6 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
|
||||
index 4c27b35d6..c48ba4012 100644
|
||||
--- a/prebuilts/api/26.0/private/property_contexts
|
||||
+++ b/prebuilts/api/26.0/private/property_contexts
|
||||
@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
|
||||
diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
|
||||
index 8eb2f28b2..237e6fcc1 100644
|
||||
--- a/prebuilts/api/27.0/private/property_contexts
|
||||
+++ b/prebuilts/api/27.0/private/property_contexts
|
||||
@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
|
||||
diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
|
||||
index 32be0b377..afe0f70fe 100644
|
||||
--- a/prebuilts/api/28.0/private/property_contexts
|
||||
+++ b/prebuilts/api/28.0/private/property_contexts
|
||||
@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
|
||||
index cb81ba693..f1fbfebd0 100644
|
||||
--- a/prebuilts/api/29.0/private/property_contexts
|
||||
+++ b/prebuilts/api/29.0/private/property_contexts
|
||||
@@ -49,6 +49,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
|
||||
index a4fab1f22..1a9571360 100644
|
||||
--- a/prebuilts/api/30.0/private/property_contexts
|
||||
+++ b/prebuilts/api/30.0/private/property_contexts
|
||||
@@ -56,6 +56,7 @@ persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.nfc_cfg. u:object_r:nfc_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
diff --git a/private/property_contexts b/private/property_contexts
|
||||
index a4fab1f22..1a9571360 100644
|
||||
--- a/private/property_contexts
|
||||
+++ b/private/property_contexts
|
||||
@@ -56,6 +56,7 @@ persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.nfc_cfg. u:object_r:nfc_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
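Review bot: Labelling `persist.native_debug` as `system_prop` means every domain that policy already lets set `system_prop` can flip the property, and through the init.rc trigger the system-wide `ptrace_scope`, not just the Settings app. A dedicated property type that only the Settings domain may set would keep that control narrow; the type declaration and the allow rule are not part of this patch. The entry is also a prefix match as written, so in the 30.0 and current `property_contexts` it could be pinned with `persist.native_debug u:object_r:system_prop:s0 exact bool`, assuming that tree accepts the typed form.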
|
@ -225,6 +225,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch";
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
|
||||
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options
|
||||
fi;
|
||||
@ -271,6 +272,7 @@ if enterAndClear "system/core"; then
|
||||
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
|
||||
git revert --no-edit e8dcabaf6b55ec55eb73c4585501ddbafc04fc9b 79f606ece6b74652d374eb4f79de309a0aa81360; #insanity
|
||||
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/extras"; then
|
||||
@ -282,7 +284,11 @@ if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/androi
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/sepolicy"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
|
||||
fi;
|
||||
git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/30.0";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
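Review bot: The two sepolicy patch files are named `003-ptrace_scope-1.patch` and `003-ptrace_scope-2.patch`, while the other patches referenced in this script use a four-digit prefix (`0002-protected_files.patch`, `0008-ptrace_scope.patch`); `0003-ptrace_scope-1.patch` and `0003-ptrace_scope-2.patch` would keep the ordering consistent. The three `DOS_GRAPHENE_PTRACE_SCOPE` blocks in Settings, system/core and system/sepolicy only work as a set, and nothing visible here stops the build if one of them fails to apply, which would leave either a toggle with no effect or an init write denied by policy. A short comment at the flag's first use noting that dependency would help.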
|
||||
|
@ -59,6 +59,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
|
||||
export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices
|
||||
export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1
|
||||
export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1 XXX: broken (just on 17.1?)
|
||||
export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the ptrace_scope toggle patchset on 18.1
|
||||
export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1
|
||||
export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
|
||||
export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
|
||||
@ -85,7 +86,7 @@ export DOS_GENERATE_DELTAS=true; #Creates deltas from existing target_files in $
|
||||
export DOS_GENERATE_DELTAS_DEVICES=('akari' 'alioth' 'Amber' 'aura' 'aurora' 'avicii' 'blueline' 'bonito' 'bramble' 'cheryl' 'coral' 'crosshatch' 'davinci' 'discovery' 'enchilada' 'fajita' 'flame' 'FP3' 'guacamole' 'guacamoleb' 'hotdog' 'hotdogb' 'marlin' 'mata' 'pioneer' 'pro1' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'voyager' 'walleye' 'xz2c'); #List of devices deltas will be generated for
|
||||
export DOS_AUTO_ARCHIVE_BUILDS=true; #Copies files to $DOS_BUILDS after signing
|
||||
export DOS_REMOVE_AFTER=true; #Removes device OUT directory after complete to reclaim space. Requires AUTO_ARCHIVE_BUILDS=true
|
||||
export DOS_REMOVE_AFTER_FULL=true; #Removes the entire OUT directory
|
||||
export DOS_REMOVE_AFTER_FULL=false; #Removes the entire OUT directory
|
||||
export DOS_GPG_SIGNING=true;
|
||||
export DOS_GPG_SIGNING_KEY="B8744D67F9F1E14E145DFD8E7F627E920F316994";
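Review bot: `DOS_REMOVE_AFTER_FULL` appears twice in this hunk, once as `true` and once as `false`, which looks like a flipped default riding along with the ptrace_scope change; the commit message does not mention it, so it should either go in its own commit or be noted in the description. For the new flag, the comment `#Enables the ptrace_scope toggle patchset on 18.1` could also say what turning it off leaves in place, since the patch script skips the Settings, init.rc and sepolicy patches together when it is not `true`.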
|
||||
|
||||
|