From 844227a4f443bda1b729299273d2e9401cb29598 Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 15 Mar 2022 14:29:33 -0400 Subject: [PATCH] 18.1: add the ptrace_scope patchset from GrapheneOS https://github.com/GrapheneOS/platform_system_core/commit/ad017fba58cf8918a2dfe05f90affd2e1abe6b6a https://github.com/GrapheneOS/platform_system_sepolicy/commit/3b896055810f2e38cde0095083811c35bc0a49c6 https://github.com/GrapheneOS/platform_system_sepolicy/commit/8b0419ac044d5173b9c787cc66180a586c3a601b https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/52ea603339c54d589009c8ee218509f3835ad011 Signed-off-by: Tad --- .../0008-ptrace_scope.patch | 168 ++++++++++++++++++ .../0002-ptrace_scope.patch | 26 +++ .../0003-ptrace_scope-1.patch | 143 +++++++++++++++ .../0003-ptrace_scope-2.patch | 86 +++++++++ Scripts/LineageOS-18.1/Patch.sh | 8 +- Scripts/init.sh | 3 +- 6 files changed, 432 insertions(+), 2 deletions(-) create mode 100644 Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch create mode 100644 Patches/LineageOS-18.1/android_system_core/0002-ptrace_scope.patch create mode 100644 Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch create mode 100644 Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch new file mode 100644 index 00000000..ed426a3e --- /dev/null +++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0008-ptrace_scope.patch 
@@ -0,0 +1,168 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Tue, 6 Apr 2021 01:15:32 +0100 +Subject: [PATCH] add native debugging setting + +--- + res/values/strings.xml | 3 + + res/xml/security_dashboard_settings.xml | 6 + + .../NativeDebugPreferenceController.java | 106 ++++++++++++++++++ + .../settings/security/SecuritySettings.java | 1 + + 4 files changed, 116 insertions(+) + create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java + +diff --git a/res/values/strings.xml b/res/values/strings.xml +index dbbc4ba758..87ef39ed10 100644 +--- a/res/values/strings.xml ++++ b/res/values/strings.xml +@@ -11957,6 +11957,9 @@ + + Overrides the force-dark feature to be always-on + ++ Enable native code debugging ++ Generate useful logs / bug reports from crashes and permit debugging native code. ++ + + Enable blurs + +diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml +index dfb0db65e5..06b3511ceb 100644 +--- a/res/xml/security_dashboard_settings.xml ++++ b/res/xml/security_dashboard_settings.xml +@@ -63,6 +63,12 @@ + android:persistent="false" + android:entries="@array/auto_reboot_entries" + android:entryValues="@array/auto_reboot_values" /> ++ ++ + + + +diff --git a/src/com/android/settings/security/NativeDebugPreferenceController.java b/src/com/android/settings/security/NativeDebugPreferenceController.java +new file mode 100644 +index 0000000000..9271e6e21c +--- /dev/null ++++ b/src/com/android/settings/security/NativeDebugPreferenceController.java +@@ -0,0 +1,106 @@ ++/* ++ * Copyright (C) 2020 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License ++ */ ++ ++package com.android.settings.security; ++ ++import android.content.Context; ++ ++import android.os.UserHandle; ++import android.os.UserManager; ++import android.os.SystemProperties; ++ ++import android.provider.Settings; ++ ++import androidx.preference.Preference; ++import androidx.preference.PreferenceCategory; ++import androidx.preference.PreferenceGroup; ++import androidx.preference.PreferenceScreen; ++import androidx.preference.TwoStatePreference; ++import androidx.preference.SwitchPreference; ++ ++import com.android.internal.widget.LockPatternUtils; ++import com.android.settings.core.PreferenceControllerMixin; ++import com.android.settingslib.core.AbstractPreferenceController; ++import com.android.settingslib.core.lifecycle.events.OnResume; ++ ++public class NativeDebugPreferenceController extends AbstractPreferenceController ++ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener { ++ ++ private static final String SYS_KEY_NATIVE_DEBUG = "persist.native_debug"; ++ private static final String PREF_KEY_NATIVE_DEBUG = "native_debug"; ++ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category"; ++ ++ private PreferenceCategory mSecurityCategory; ++ private SwitchPreference mNativeDebug; ++ private boolean mIsAdmin; ++ private UserManager mUm; ++ ++ public NativeDebugPreferenceController(Context context) { ++ super(context); ++ mUm = UserManager.get(context); ++ } ++ ++ @Override ++ public void displayPreference(PreferenceScreen screen) { ++ super.displayPreference(screen); ++ 
mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY); ++ updatePreferenceState(); ++ } ++ ++ @Override ++ public boolean isAvailable() { ++ mIsAdmin = mUm.isAdminUser(); ++ return mIsAdmin; ++ } ++ ++ @Override ++ public String getPreferenceKey() { ++ return PREF_KEY_NATIVE_DEBUG; ++ } ++ ++ // TODO: should we use onCreatePreferences() instead? ++ private void updatePreferenceState() { ++ if (mSecurityCategory == null) { ++ return; ++ } ++ ++ if (mIsAdmin) { ++ mNativeDebug = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG); ++ mNativeDebug.setChecked(SystemProperties.getBoolean(SYS_KEY_NATIVE_DEBUG, true)); ++ } else { ++ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG)); ++ } ++ } ++ ++ @Override ++ public void onResume() { ++ updatePreferenceState(); ++ if (mNativeDebug != null) { ++ boolean mode = mNativeDebug.isChecked(); ++ SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode)); ++ } ++ } ++ ++ @Override ++ public boolean onPreferenceChange(Preference preference, Object value) { ++ final String key = preference.getKey(); ++ if (PREF_KEY_NATIVE_DEBUG.equals(key)) { ++ final boolean mode = !mNativeDebug.isChecked(); ++ SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode)); ++ } ++ return true; ++ } ++} +diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java +index 953012f9e7..6f939d3165 100644 +--- a/src/com/android/settings/security/SecuritySettings.java ++++ b/src/com/android/settings/security/SecuritySettings.java +@@ -119,6 +119,7 @@ public class SecuritySettings extends DashboardFragment { + securityPreferenceControllers.add(new FingerprintStatusPreferenceController(context)); + securityPreferenceControllers.add(new ChangeScreenLockPreferenceController(context, host)); + securityPreferenceControllers.add(new AutoRebootPreferenceController(context)); ++ 
securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+ controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+ .setChildren(securityPreferenceControllers));
+ controllers.addAll(securityPreferenceControllers);
diff --git a/Patches/LineageOS-18.1/android_system_core/0002-ptrace_scope.patch b/Patches/LineageOS-18.1/android_system_core/0002-ptrace_scope.patch
new file mode 100644
index 00000000..d8cdbfd7
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_system_core/0002-ptrace_scope.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 03:02:51 +0100
+Subject: [PATCH] add a property for controlling ptrace_scope
+
+---
+ rootdir/init.rc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index f19b7484d..23800b021 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -1005,6 +1005,12 @@ on property:sys.sysctl.extra_free_kbytes=*
+ on property:sys.sysctl.tcp_def_init_rwnd=*
+ write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+ 
++on property:persist.native_debug=true
++ write /proc/sys/kernel/yama/ptrace_scope 0
++
++on property:persist.native_debug=false
++ write /proc/sys/kernel/yama/ptrace_scope 2
++
+ # perf_event_open syscall security:
+ # Newer kernels have the ability to control the use of the syscall via SELinux
+ # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
diff --git a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch
new file mode 100644
index 00000000..91a6ef41
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-1.patch
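Review bot: In the new NativeDebugPreferenceController, `updatePreferenceState()` seeds the switch from `SystemProperties.getBoolean(SYS_KEY_NATIVE_DEBUG, true)` and `onResume()` then unconditionally writes that state back with `SystemProperties.set(SYS_KEY_NATIVE_DEBUG, ...)`, so on a device where `persist.native_debug` was never set, merely opening the Security screen persists `true` and, through the init.rc trigger added in this same commit, writes ptrace_scope 0 without the user touching the switch. Whether that differs from the kernel's shipped ptrace_scope is not visible here, but a read-only screen visit should not change a security sysctl. `onPreferenceChange()` also derives the new value as `!mNativeDebug.isChecked()` rather than from the `value` argument it is given, which breaks if the preference state is ever updated before the callback runs. I would drop the `SystemProperties.set` from `onResume()` and use the supplied value in the listener: `final boolean mode = (Boolean) value;`.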
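Review bot: The two `on property:persist.native_debug=...` triggers react only to an explicit `true`/`false`, so a device whose property has never been written keeps the kernel's built-in ptrace_scope, while the Settings switch in this same commit defaults to enabled; the UI and the kernel can therefore disagree until the screen is first visited. If the switch is meant to reflect reality, give the property a build-time default so exactly one of the two triggers fires on every boot, or make the Settings default match what the kernel ships with. The values 0 and 2 are also magic numbers to the next reader; a one-line comment above the triggers would help, e.g. `# Yama ptrace_scope: 0 = classic ptrace permissions, 2 = attach requires CAP_SYS_PTRACE`.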
@@ -0,0 +1,143 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Mon, 5 Apr 2021 02:26:20 +0100 +Subject: [PATCH] allow init to control kernel.yama.ptrace_scope + +Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650 +--- + prebuilts/api/26.0/private/genfs_contexts | 1 + + prebuilts/api/27.0/private/genfs_contexts | 1 + + prebuilts/api/28.0/private/genfs_contexts | 1 + + prebuilts/api/29.0/private/genfs_contexts | 1 + + prebuilts/api/30.0/private/domain.te | 1 + + prebuilts/api/30.0/private/genfs_contexts | 1 + + prebuilts/api/30.0/public/init.te | 3 +++ + private/domain.te | 1 + + private/genfs_contexts | 1 + + public/init.te | 3 +++ + 10 files changed, 14 insertions(+) + +diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts +index 753cabf15..67203c998 100644 +--- a/prebuilts/api/26.0/private/genfs_contexts ++++ b/prebuilts/api/26.0/private/genfs_contexts +@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 + genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 + genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 + genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts +index 606d46cbe..ac54e423a 100644 +--- a/prebuilts/api/27.0/private/genfs_contexts ++++ b/prebuilts/api/27.0/private/genfs_contexts +@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 + genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 + genfscon proc 
/sys/kernel/randomize_va_space u:object_r:proc_security:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 + genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts +index 44ca95fd5..89b55b28d 100644 +--- a/prebuilts/api/28.0/private/genfs_contexts ++++ b/prebuilts/api/28.0/private/genfs_contexts +@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts +index 804996685..22a1ebf8d 100644 +--- a/prebuilts/api/29.0/private/genfs_contexts ++++ b/prebuilts/api/29.0/private/genfs_contexts +@@ -68,6 +68,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff 
--git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te +index 7116dadfd..55264d01a 100644 +--- a/prebuilts/api/30.0/private/domain.te ++++ b/prebuilts/api/30.0/private/domain.te +@@ -125,6 +125,7 @@ allow domain boringssl_self_test_marker:dir search; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + userdebug_or_eng(`-llkd') + -dumpstate +diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts +index c5f43c74a..c34705788 100644 +--- a/prebuilts/api/30.0/private/genfs_contexts ++++ b/prebuilts/api/30.0/private/genfs_contexts +@@ -73,6 +73,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te +index 374c0c1f4..5698d53fd 100644 +--- a/prebuilts/api/30.0/public/init.te ++++ b/prebuilts/api/30.0/public/init.te +@@ -144,6 +144,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. 
+ allow init dev_type:blk_file r_file_perms; + allowxperm init dev_type:blk_file ioctl BLKROSET; +diff --git a/private/domain.te b/private/domain.te +index 7116dadfd..55264d01a 100644 +--- a/private/domain.te ++++ b/private/domain.te +@@ -125,6 +125,7 @@ allow domain boringssl_self_test_marker:dir search; + # with other UIDs to these whitelisted domains. + neverallow { + domain ++ -init + -vold + userdebug_or_eng(`-llkd') + -dumpstate +diff --git a/private/genfs_contexts b/private/genfs_contexts +index c5f43c74a..c34705788 100644 +--- a/private/genfs_contexts ++++ b/private/genfs_contexts +@@ -73,6 +73,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 + genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 + genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0 + genfscon proc /sys/net u:object_r:proc_net:s0 + genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 + genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +diff --git a/public/init.te b/public/init.te +index 374c0c1f4..5698d53fd 100644 +--- a/public/init.te ++++ b/public/init.te +@@ -144,6 +144,9 @@ allow init self:global_capability_class_set sys_time; + + allow init self:global_capability_class_set { sys_rawio mknod }; + ++# Set /proc/sys/kernel/yama/ptrace_scope ++allow init self:capability { sys_ptrace }; ++ + # Mounting filesystems from block devices. + allow init dev_type:blk_file r_file_perms; + allowxperm init dev_type:blk_file ioctl BLKROSET; diff --git a/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch new file mode 100644 index 00000000..85467c28 --- /dev/null +++ b/Patches/LineageOS-18.1/android_system_sepolicy/0003-ptrace_scope-2.patch 
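Review bot: `allow init self:capability { sys_ptrace };` in public/init.te (and the 30.0 prebuilt copy) uses the `capability` class while the neighbouring init rules in the same hunk use `self:global_capability_class_set`; for consistency with the file I would write `allow init self:global_capability_class_set sys_ptrace;`. The comment above it names the path that is written but not why a capability is needed at all: Yama itself requires CAP_SYS_PTRACE to change ptrace_scope, and that is presumably also the reason for the `-init` exemption added to the `neverallow { domain ... }` block in private/domain.te (its tail is outside the hunk, but the visible comment describes the ptrace whitelist). Recording that in the comment, e.g. `# Yama requires CAP_SYS_PTRACE to write /proc/sys/kernel/yama/ptrace_scope; init is exempted from the sys_ptrace neverallow in domain.te for this`, keeps the two changes from being "cleaned up" independently later. Widening a `neverallow` whitelist is a policy decision worth stating in the patch description as well.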
@@ -0,0 +1,86 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Mon, 5 Apr 2021 02:27:06 +0100 +Subject: [PATCH] allow system to use persist.native_debug + +--- + prebuilts/api/26.0/private/property_contexts | 1 + + prebuilts/api/27.0/private/property_contexts | 1 + + prebuilts/api/28.0/private/property_contexts | 1 + + prebuilts/api/29.0/private/property_contexts | 1 + + prebuilts/api/30.0/private/property_contexts | 1 + + private/property_contexts | 1 + + 6 files changed, 6 insertions(+) + +diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts +index 4c27b35d6..c48ba4012 100644 +--- a/prebuilts/api/26.0/private/property_contexts ++++ b/prebuilts/api/26.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 + persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts +index 8eb2f28b2..237e6fcc1 100644 +--- a/prebuilts/api/27.0/private/property_contexts ++++ b/prebuilts/api/27.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. 
u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 + persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts +index 32be0b377..afe0f70fe 100644 +--- a/prebuilts/api/28.0/private/property_contexts ++++ b/prebuilts/api/28.0/private/property_contexts +@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 +diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts +index cb81ba693..f1fbfebd0 100644 +--- a/prebuilts/api/29.0/private/property_contexts ++++ b/prebuilts/api/29.0/private/property_contexts +@@ -49,6 +49,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0 + persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. u:object_r:logd_prop:s0 + persist.logd.security u:object_r:device_logging_prop:s0 +diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts +index a4fab1f22..1a9571360 100644 +--- a/prebuilts/api/30.0/private/property_contexts ++++ b/prebuilts/api/30.0/private/property_contexts +@@ -56,6 +56,7 @@ persist.audio. u:object_r:audio_prop:s0 + persist.bluetooth. u:object_r:bluetooth_prop:s0 + persist.nfc_cfg. u:object_r:nfc_prop:s0 + persist.debug. u:object_r:persist_debug_prop:s0 ++persist.native_debug u:object_r:system_prop:s0 + persist.logd. u:object_r:logd_prop:s0 + ro.logd. 
u:object_r:logd_prop:s0
+ persist.logd.security u:object_r:device_logging_prop:s0
+diff --git a/private/property_contexts b/private/property_contexts
+index a4fab1f22..1a9571360 100644
+--- a/private/property_contexts
++++ b/private/property_contexts
+@@ -56,6 +56,7 @@ persist.audio. u:object_r:audio_prop:s0
+ persist.bluetooth. u:object_r:bluetooth_prop:s0
+ persist.nfc_cfg. u:object_r:nfc_prop:s0
+ persist.debug. u:object_r:persist_debug_prop:s0
++persist.native_debug u:object_r:system_prop:s0
+ persist.logd. u:object_r:logd_prop:s0
+ ro.logd. u:object_r:logd_prop:s0
+ persist.logd.security u:object_r:device_logging_prop:s0
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index f5885f66..7851a8c6 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -225,6 +225,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch";
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
+if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options
 fi;
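Review bot: `persist.native_debug u:object_r:system_prop:s0` labels the new property with the generic `system_prop` type, so every domain that is already allowed to set `system_prop` can flip ptrace_scope through the init trigger, not only the Settings screen that is meant to drive it. Which domains that covers is not visible in this hunk, but it is certainly wider than one app. A dedicated property type, with `set_prop` granted only to the domain Settings runs in, would keep the control surface for this sysctl as small as the feature needs; if `system_prop` is a deliberate shortcut, a comment on the entry saying so would save the next reviewer the same question.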
@@ -271,6 +272,7 @@ if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit e8dcabaf6b55ec55eb73c4585501ddbafc04fc9b 79f606ece6b74652d374eb4f79de309a0aa81360; #insanity
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
+if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
 fi;
 
 if enterAndClear "system/extras"; then
@@ -282,7 +284,11 @@ if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/androi
 fi;
 
 if enterAndClear "system/sepolicy"; then
-applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
+if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
+applyPatch "$DOS_PATCHES/android_system_sepolicy/003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_sepolicy/003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
+fi;
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/30.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
diff --git a/Scripts/init.sh b/Scripts/init.sh
index 77974de4..9ddb8280 100644
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
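Review bot: The two new `applyPatch` lines in the `system/sepolicy` block reference `003-ptrace_scope-1.patch` and `003-ptrace_scope-2.patch`, but the files this commit creates are `0003-ptrace_scope-1.patch` and `0003-ptrace_scope-2.patch` (see the `create mode` entries and the `+++ b/Patches/...` headers above). With `DOS_GRAPHENE_PTRACE_SCOPE=true`, the default this commit sets in init.sh, the sepolicy half of the patchset would therefore not be applied while the init.rc trigger and the Settings switch are, leaving init without the `sys_ptrace` allow and neverallow exemption and the property without its label — unless `applyPatch` aborts on a missing file, which is outside this hunk. The fix is the two paths: `applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)` and `applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)`. A build-time existence check in `applyPatch` would turn this class of typo into a hard failure instead of a silently weaker policy.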
@@ -59,6 +59,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1 export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1 XXX: broken (just on 17.1?) +export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the ptrace_scope toggle patchset on 18.1 export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66 @@ -85,7 +86,7 @@ export DOS_GENERATE_DELTAS=true; #Creates deltas from existing target_files in $ export DOS_GENERATE_DELTAS_DEVICES=('akari' 'alioth' 'Amber' 'aura' 'aurora' 'avicii' 'blueline' 'bonito' 'bramble' 'cheryl' 'coral' 'crosshatch' 'davinci' 'discovery' 'enchilada' 'fajita' 'flame' 'FP3' 'guacamole' 'guacamoleb' 'hotdog' 'hotdogb' 'marlin' 'mata' 'pioneer' 'pro1' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'voyager' 'walleye' 'xz2c'); #List of devices deltas will be generated for export DOS_AUTO_ARCHIVE_BUILDS=true; #Copies files to $DOS_BUILDS after signing export DOS_REMOVE_AFTER=true; #Removes device OUT directory after complete to reclaim space. Requires AUTO_ARCHIVE_BUILDS=true -export DOS_REMOVE_AFTER_FULL=true; #Removes the entire OUT directory +export DOS_REMOVE_AFTER_FULL=false; #Removes the entire OUT directory export DOS_GPG_SIGNING=true; export DOS_GPG_SIGNING_KEY="B8744D67F9F1E14E145DFD8E7F627E920F316994";
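Review bot: `export DOS_GRAPHENE_PTRACE_SCOPE=true;` ships the patchset on by default, which pulls in the sepolicy exemption of init from the ptrace neverallow and a Settings switch that defaults to native debugging enabled, yet the comment only says what the flag is named after. A comment that names what the flag turns on makes a later audit of defaults easier, e.g. `#Enables the ptrace_scope toggle patchset on 18.1 (Settings switch, init.rc triggers, sepolicy changes for init)`. The second hunk also flips `DOS_REMOVE_AFTER_FULL` from `true` to `false`, which is unrelated to the commit subject and not mentioned in the description; it should be split out or at least called out there.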