Add the exec-spawning toggle from GrapheneOS

Tested working on 18.1/klte

TODO: backport to 16.0

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch

@@ -0,0 +1,167 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Mar 2022 20:35:37 -0400
+Subject: [PATCH] add exec spawning toggle
+
+---
+ res/values/strings.xml                        |   2 +
+ res/xml/security_dashboard_settings.xml       |   6 +
+ .../ExecSpawnPreferenceController.java        | 106 ++++++++++++++++++
+ .../settings/security/SecuritySettings.java   |   1 +
+ 4 files changed, 115 insertions(+)
+ create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index fd3d1cde64..4b9b109d89 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -11316,6 +11316,8 @@
+     <!-- UI debug setting: Force enable "smart dark" UI rendering feature summary [CHAR LIMIT=NONE] -->
+     <string name="hwui_force_dark_summary">Overrides the force-dark feature to be always-on</string>
+ 
++    <string name="exec_spawn_title">Enable secure app spawning</string>
++    <string name="exec_spawn_summary">Launch apps in a more secure way than Android which takes slightly longer and increases memory usage by app processes.</string>
+     <string name="native_debug_title">Enable native code debugging</string>
+     <string name="native_debug_summary">Generate useful logs / bug reports from crashes and permit debugging native code.</string>
+ 
+diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
+index 2c7b006f8b..08328ad7b6 100644
+--- a/res/xml/security_dashboard_settings.xml
++++ b/res/xml/security_dashboard_settings.xml
+@@ -64,6 +64,12 @@
+             android:entries="@array/auto_reboot_entries"
+             android:entryValues="@array/auto_reboot_values" />
+ 
++        <SwitchPreference
++            android:key="exec_spawn"
++            android:title="@string/exec_spawn_title"
++            android:summary="@string/exec_spawn_summary"
++            android:persistent="false" />
++
+         <SwitchPreference
+             android:key="native_debug"
+             android:title="@string/native_debug_title"
+diff --git a/src/com/android/settings/security/ExecSpawnPreferenceController.java b/src/com/android/settings/security/ExecSpawnPreferenceController.java
+new file mode 100644
+index 0000000000..78f021210a
+--- /dev/null
++++ b/src/com/android/settings/security/ExecSpawnPreferenceController.java
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License
++ */
++
++package com.android.settings.security;
++
++import android.content.Context;
++
++import android.os.UserHandle;
++import android.os.UserManager;
++import android.os.SystemProperties;
++
++import android.provider.Settings;
++
++import androidx.preference.Preference;
++import androidx.preference.PreferenceCategory;
++import androidx.preference.PreferenceGroup;
++import androidx.preference.PreferenceScreen;
++import androidx.preference.TwoStatePreference;
++import androidx.preference.SwitchPreference;
++
++import com.android.internal.widget.LockPatternUtils;
++import com.android.settings.core.PreferenceControllerMixin;
++import com.android.settingslib.core.AbstractPreferenceController;
++import com.android.settingslib.core.lifecycle.events.OnResume;
++
++public class ExecSpawnPreferenceController extends AbstractPreferenceController
++        implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
++
++    private static final String SYS_KEY_EXEC_SPAWN = "persist.security.exec_spawn";
++    private static final String PREF_KEY_EXEC_SPAWN = "exec_spawn";
++    private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
++
++    private PreferenceCategory mSecurityCategory;
++    private SwitchPreference mExecSpawn;
++    private boolean mIsAdmin;
++    private UserManager mUm;
++
++    public ExecSpawnPreferenceController(Context context) {
++        super(context);
++        mUm = UserManager.get(context);
++    }
++
++    @Override
++    public void displayPreference(PreferenceScreen screen) {
++        super.displayPreference(screen);
++        mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
++        updatePreferenceState();
++    }
++
++    @Override
++    public boolean isAvailable() {
++        mIsAdmin = mUm.isAdminUser();
++        return mIsAdmin;
++    }
++
++    @Override
++    public String getPreferenceKey() {
++        return PREF_KEY_EXEC_SPAWN;
++    }
++
++    // TODO: should we use onCreatePreferences() instead?
++    private void updatePreferenceState() {
++        if (mSecurityCategory == null) {
++            return;
++        }
++
++        if (mIsAdmin) {
++            mExecSpawn = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_EXEC_SPAWN);
++            mExecSpawn.setChecked(SystemProperties.getBoolean(SYS_KEY_EXEC_SPAWN, true));
++        } else {
++            mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_EXEC_SPAWN));
++        }
++    }
++
++    @Override
++    public void onResume() {
++        updatePreferenceState();
++        if (mExecSpawn != null) {
++                boolean mode = mExecSpawn.isChecked();
++                SystemProperties.set(SYS_KEY_EXEC_SPAWN, Boolean.toString(mode));
++        }
++    }
++
++    @Override
++    public boolean onPreferenceChange(Preference preference, Object value) {
++        final String key = preference.getKey();
++        if (PREF_KEY_EXEC_SPAWN.equals(key)) {
++            final boolean mode = !mExecSpawn.isChecked();
++            SystemProperties.set(SYS_KEY_EXEC_SPAWN, Boolean.toString(mode));
++        }
++        return true;
++    }
++}
+diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
+index 7aa126b75c..a5e0add739 100644
+--- a/src/com/android/settings/security/SecuritySettings.java
++++ b/src/com/android/settings/security/SecuritySettings.java
+@@ -121,6 +121,7 @@ public class SecuritySettings extends DashboardFragment {
+         securityPreferenceControllers.add(new FingerprintStatusPreferenceController(context));
+         securityPreferenceControllers.add(new ChangeScreenLockPreferenceController(context, host));
+         securityPreferenceControllers.add(new AutoRebootPreferenceController(context));
++        securityPreferenceControllers.add(new ExecSpawnPreferenceController(context));
+         securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+         controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+                 .setChildren(securityPreferenceControllers));

Patches/LineageOS-18.1/android_build/0003-Exec_Based_Spawning.patch

@@ -1,4 +1,4 @@
-From a2b51906dece2ea351b5aa4b66fa8cdefbf37ff6 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Thu, 17 Sep 2020 10:53:00 -0400
 Subject: [PATCH] disable enforce RRO for mainline devices
@@ -12,10 +12,10 @@ exec-based spawning in GrapheneOS.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/target/product/mainline_system.mk b/target/product/mainline_system.mk
-index 1f22163c32..db2af7d1d2 100644
+index e9f9dde138..1199b78598 100644
 --- a/target/product/mainline_system.mk
 +++ b/target/product/mainline_system.mk
-@@ -115,7 +115,7 @@ PRODUCT_COPY_FILES += \
+@@ -118,7 +118,7 @@ PRODUCT_COPY_FILES += \
  # Enable dynamic partition size
  PRODUCT_USE_DYNAMIC_PARTITION_SIZE := true
  

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-1.patch

@@ -1,4 +1,4 @@
-From 14c3c1d4cd2df5dde69274e76a91b42fa383e577 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Sat, 14 Mar 2015 18:10:20 -0400
 Subject: [PATCH] add exec-based spawning support
@@ -135,7 +135,7 @@ diff --git a/core/java/com/android/internal/os/WrapperInit.java b/core/java/com/
 index 790d7f7ab694..4f7fd039ccd7 100644
 --- a/core/java/com/android/internal/os/WrapperInit.java
 +++ b/core/java/com/android/internal/os/WrapperInit.java
-@@ -185,7 +185,7 @@ private static Runnable wrapperInit(int targetSdkVersion, String[] argv) {
+@@ -185,7 +185,7 @@ public class WrapperInit {
       *       This is acceptable here as failure will leave the wrapped app with strictly less
       *       capabilities, which may make it crash, but not exceed its allowances.
       */
@@ -148,7 +148,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java
 index e6a3029c5b2b..a702e84813fa 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
-@@ -29,6 +29,7 @@
+@@ -29,6 +29,7 @@ import android.net.Credentials;
  import android.net.LocalSocket;
  import android.os.Parcel;
  import android.os.Process;
@@ -156,7 +156,7 @@ index e6a3029c5b2b..a702e84813fa 100644
  import android.os.Trace;
  import android.system.ErrnoException;
  import android.system.Os;
-@@ -501,6 +502,13 @@ private Runnable handleChildProc(ZygoteArguments parsedArgs,
+@@ -501,6 +502,13 @@ class ZygoteConnection {
              throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
          } else {
              if (!isZygote) {

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-10.patch

@@ -1,4 +1,4 @@
-From d414dcaa351e7a890d31c1da949421fb435ff168 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Wed, 11 Sep 2019 06:57:24 -0400
 Subject: [PATCH] disable preloading classloaders for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index ad3b95ec67fc..0877a1668930 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -135,9 +135,11 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -135,9 +135,11 @@ public class ZygoteInit {
              preloadClasses();
              bootTimingsTraceLog.traceEnd(); // PreloadClasses
          }

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-11.patch

@@ -1,4 +1,4 @@
-From b4cd877e3a0c2384b8939d5d1e2b6b734bbd13b2 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Wed, 11 Sep 2019 06:58:51 -0400
 Subject: [PATCH] disable preloading HALs for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index 0877a1668930..d19868ebd9ca 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -145,9 +145,11 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -145,9 +145,11 @@ public class ZygoteInit {
              preloadResources();
              bootTimingsTraceLog.traceEnd(); // PreloadResources
          }

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-12.patch

@@ -1,4 +1,4 @@
-From 98634286bbdffe967a9a03442e5aa324ec26986a Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: anupritaisno1 <www.anuprita804@gmail.com>
 Date: Fri, 30 Oct 2020 22:26:09 +0000
 Subject: [PATCH] pass through runtime flags for exec spawning and implement
@@ -16,7 +16,7 @@ diff --git a/core/java/com/android/internal/os/ExecInit.java b/core/java/com/and
 index 830e5b562a91..749c67abf389 100644
 --- a/core/java/com/android/internal/os/ExecInit.java
 +++ b/core/java/com/android/internal/os/ExecInit.java
-@@ -31,15 +31,20 @@ public static void main(String[] args) {
+@@ -31,15 +31,20 @@ public class ExecInit {
          // Parse our mandatory argument.
          int targetSdkVersion = Integer.parseInt(args[0], 10);
  
@@ -39,7 +39,7 @@ index 830e5b562a91..749c67abf389 100644
          r.run();
      }
  
-@@ -52,9 +57,9 @@ public static void main(String[] args) {
+@@ -52,9 +57,9 @@ public class ExecInit {
       * @param args Arguments for {@link RuntimeInit#main}.
       */
      public static void execApplication(String niceName, int targetSdkVersion,
@@ -51,7 +51,7 @@ index 830e5b562a91..749c67abf389 100644
          String[] argv = new String[baseArgs + args.length];
          if (VMRuntime.is64BitInstructionSet(instructionSet)) {
              argv[0] = "/system/bin/app_process64";
-@@ -68,6 +73,7 @@ public static void execApplication(String niceName, int targetSdkVersion,
+@@ -68,6 +73,7 @@ public class ExecInit {
          }
          argv[3 + niceArgs] = "com.android.internal.os.ExecInit";
          argv[4 + niceArgs] = Integer.toString(targetSdkVersion);
@@ -63,7 +63,7 @@ diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/andro
 index a7d9827855a2..aa874ad98a78 100644
 --- a/core/java/com/android/internal/os/Zygote.java
 +++ b/core/java/com/android/internal/os/Zygote.java
-@@ -1097,4 +1097,13 @@ static void appendQuotedShellArgs(StringBuilder command, String[] args) {
+@@ -1097,4 +1097,13 @@ public final class Zygote {
       * fully-feature Memory Tagging, rather than the static Tagged Pointers.
       */
      public static native boolean nativeSupportsTaggedPointers();
@@ -81,7 +81,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java
 index 9b4664178530..4ae69677f1dd 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
-@@ -505,7 +505,7 @@ private Runnable handleChildProc(ZygoteArguments parsedArgs,
+@@ -505,7 +505,7 @@ class ZygoteConnection {
                  if (SystemProperties.getBoolean("sys.spawn.exec", true) &&
                          (parsedArgs.mRuntimeFlags & ApplicationInfo.FLAG_DEBUGGABLE) == 0) {
                      ExecInit.execApplication(parsedArgs.mNiceName, parsedArgs.mTargetSdkVersion,

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-2.patch

@@ -1,4 +1,4 @@
-From ac1943345ec96411ecbac3ce9b15cb371cc03551 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 21 May 2019 23:54:20 -0400
 Subject: [PATCH] disable exec spawning when using debugging options
@@ -13,7 +13,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java
 index a702e84813fa..9b4664178530 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
-@@ -502,7 +502,8 @@ private Runnable handleChildProc(ZygoteArguments parsedArgs,
+@@ -502,7 +502,8 @@ class ZygoteConnection {
              throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
          } else {
              if (!isZygote) {

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-3.patch

@@ -1,4 +1,4 @@
-From 1abb8050413dae6ac6c1a082a38fb555c88534b9 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 14 May 2019 14:24:21 -0400
 Subject: [PATCH] add parameter for avoiding full preload with exec
@@ -12,7 +12,7 @@ diff --git a/core/java/com/android/internal/os/ExecInit.java b/core/java/com/and
 index 2adcab7fdbe6..830e5b562a91 100644
 --- a/core/java/com/android/internal/os/ExecInit.java
 +++ b/core/java/com/android/internal/os/ExecInit.java
-@@ -33,7 +33,7 @@ public static void main(String[] args) {
+@@ -33,7 +33,7 @@ public class ExecInit {
  
          // Mimic system Zygote preloading.
          ZygoteInit.preload(new TimingsTraceLog("ExecInitTiming",
@@ -25,7 +25,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index 2e32730a6ecb..b9460f56d003 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -125,7 +125,7 @@
+@@ -125,7 +125,7 @@ public class ZygoteInit {
  
      private static boolean sPreloadComplete;
  
@@ -34,7 +34,7 @@ index 2e32730a6ecb..b9460f56d003 100644
          Log.d(TAG, "begin preload");
          bootTimingsTraceLog.traceBegin("BeginPreload");
          beginPreload();
-@@ -157,6 +157,10 @@ static void preload(TimingsTraceLog bootTimingsTraceLog) {
+@@ -157,6 +157,10 @@ public class ZygoteInit {
          sPreloadComplete = true;
      }
  

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-4.patch

@@ -1,4 +1,4 @@
-From 2e07ab8c242551e6847bffef84546ed5eaf345cf Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Wed, 11 Sep 2019 06:43:55 -0400
 Subject: [PATCH] pass through fullPreload to libcore
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index b9460f56d003..467183355515 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -128,7 +128,7 @@
+@@ -128,7 +128,7 @@ public class ZygoteInit {
      static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
          Log.d(TAG, "begin preload");
          bootTimingsTraceLog.traceBegin("BeginPreload");
@@ -20,7 +20,7 @@ index b9460f56d003..467183355515 100644
          bootTimingsTraceLog.traceEnd(); // BeginPreload
          bootTimingsTraceLog.traceBegin("PreloadClasses");
          preloadClasses();
-@@ -150,7 +150,7 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -150,7 +150,7 @@ public class ZygoteInit {
          // Ask the WebViewFactory to do any initialization that must run in the zygote process,
          // for memory sharing purposes.
          WebViewFactory.prepareWebViewInZygote();
@@ -29,7 +29,7 @@ index b9460f56d003..467183355515 100644
          warmUpJcaProviders();
          Log.d(TAG, "end preload");
  
-@@ -168,14 +168,14 @@ public static void lazyPreload() {
+@@ -168,14 +168,14 @@ public class ZygoteInit {
          preload(new TimingsTraceLog("ZygoteInitTiming_lazy", Trace.TRACE_TAG_DALVIK));
      }
  

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-5.patch

@@ -1,4 +1,4 @@
-From 0044836677b9be153e04a91dddddcb74d9585643 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 14 May 2019 14:28:27 -0400
 Subject: [PATCH] disable OpenGL preloading for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index 467183355515..e93e70443ee6 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -142,9 +142,11 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -142,9 +142,11 @@ public class ZygoteInit {
          Trace.traceBegin(Trace.TRACE_TAG_DALVIK, "PreloadAppProcessHALs");
          nativePreloadAppProcessHALs();
          Trace.traceEnd(Trace.TRACE_TAG_DALVIK);

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-6.patch

@@ -1,4 +1,4 @@
-From c561811fad950dce791ef9941753ef95076da4c0 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 14 May 2019 14:28:52 -0400
 Subject: [PATCH] disable resource preloading for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index e93e70443ee6..2d1f301668a4 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -136,9 +136,11 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -136,9 +136,11 @@ public class ZygoteInit {
          bootTimingsTraceLog.traceBegin("CacheNonBootClasspathClassLoaders");
          cacheNonBootClasspathClassLoaders();
          bootTimingsTraceLog.traceEnd(); // CacheNonBootClasspathClassLoaders

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-7.patch

@@ -1,4 +1,4 @@
-From 7a848373efa0bd5b948af7ade19927a8706f9ea2 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 14 May 2019 14:30:59 -0400
 Subject: [PATCH] disable class preloading for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index 2d1f301668a4..b7246d0ac5ce 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -130,9 +130,11 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -130,9 +130,11 @@ public class ZygoteInit {
          bootTimingsTraceLog.traceBegin("BeginPreload");
          beginPreload(fullPreload);
          bootTimingsTraceLog.traceEnd(); // BeginPreload

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-8.patch

@@ -1,4 +1,4 @@
-From 89646bdeb19463424158544c6942224320e9e180 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 14 May 2019 14:31:29 -0400
 Subject: [PATCH] disable WebView reservation for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index b7246d0ac5ce..04a323254c72 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -153,9 +153,11 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -153,9 +153,11 @@ public class ZygoteInit {
          }
          preloadSharedLibraries();
          preloadTextResources();

Patches/LineageOS-18.1/android_frameworks_base/0018-Exec_Based_Spawning-9.patch

@@ -1,4 +1,4 @@
-From 2a70bbac4a8342175971498084494845b4f24546 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Tue, 14 May 2019 14:34:32 -0400
 Subject: [PATCH] disable JCA provider warm up for exec spawning
@@ -11,7 +11,7 @@ diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/a
 index 04a323254c72..ad3b95ec67fc 100644
 --- a/core/java/com/android/internal/os/ZygoteInit.java
 +++ b/core/java/com/android/internal/os/ZygoteInit.java
-@@ -159,7 +159,7 @@ static void preload(TimingsTraceLog bootTimingsTraceLog, boolean fullPreload) {
+@@ -159,7 +159,7 @@ public class ZygoteInit {
              WebViewFactory.prepareWebViewInZygote();
          }
          endPreload(fullPreload);
@@ -20,7 +20,7 @@ index 04a323254c72..ad3b95ec67fc 100644
          Log.d(TAG, "end preload");
  
          sPreloadComplete = true;
-@@ -229,7 +229,7 @@ private static void preloadTextResources() {
+@@ -229,7 +229,7 @@ public class ZygoteInit {
       * By doing it here we avoid that each app does it when requesting a service from the provider
       * for the first time.
       */
@@ -29,7 +29,7 @@ index 04a323254c72..ad3b95ec67fc 100644
          long startTime = SystemClock.uptimeMillis();
          Trace.traceBegin(
                  Trace.TRACE_TAG_DALVIK, "Starting installation of AndroidKeyStoreProvider");
-@@ -241,15 +241,17 @@ private static void warmUpJcaProviders() {
+@@ -241,15 +241,17 @@ public class ZygoteInit {
                  + (SystemClock.uptimeMillis() - startTime) + "ms.");
          Trace.traceEnd(Trace.TRACE_TAG_DALVIK);
  

Patches/LineageOS-18.1/android_libcore/0003-Exec_Based_Spawning-1.patch

@@ -1,4 +1,4 @@
-From 4c2635390c10512b0c79ee1f3658a25d6b671ca0 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Wed, 11 Sep 2019 06:46:38 -0400
 Subject: [PATCH] add parameter for avoiding full preload with exec
@@ -12,7 +12,7 @@ diff --git a/dalvik/src/main/java/dalvik/system/ZygoteHooks.java b/dalvik/src/ma
 index 7e8fe3651e..de5a056143 100644
 --- a/dalvik/src/main/java/dalvik/system/ZygoteHooks.java
 +++ b/dalvik/src/main/java/dalvik/system/ZygoteHooks.java
-@@ -48,7 +48,7 @@ private ZygoteHooks() {
+@@ -48,7 +48,7 @@ public final class ZygoteHooks {
       * Called when the zygote begins preloading classes and data.
       */
      @libcore.api.CorePlatformApi
@@ -21,7 +21,7 @@ index 7e8fe3651e..de5a056143 100644
          // Pin ICU data in memory from this point that would normally be held by soft references.
          // Without this, any references created immediately below or during class preloading
          // would be collected when the Zygote GC runs in gcAndFinalize().
-@@ -71,7 +71,7 @@ public static void onBeginPreload() {
+@@ -71,7 +71,7 @@ public final class ZygoteHooks {
       * Called when the zygote has completed preloading classes and data.
       */
      @libcore.api.CorePlatformApi

Patches/LineageOS-18.1/android_libcore/0003-Exec_Based_Spawning-2.patch

@@ -1,4 +1,4 @@
-From add34a4bc6aa69f21f012d62215b5af500bea551 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Daniel Micay <danielmicay@gmail.com>
 Date: Wed, 11 Sep 2019 06:47:11 -0400
 Subject: [PATCH] disable ICU cache pinning for exec spawning
@@ -11,7 +11,7 @@ diff --git a/dalvik/src/main/java/dalvik/system/ZygoteHooks.java b/dalvik/src/ma
 index de5a056143..e77cec2517 100644
 --- a/dalvik/src/main/java/dalvik/system/ZygoteHooks.java
 +++ b/dalvik/src/main/java/dalvik/system/ZygoteHooks.java
-@@ -49,15 +49,17 @@ private ZygoteHooks() {
+@@ -49,15 +49,17 @@ public final class ZygoteHooks {
       */
      @libcore.api.CorePlatformApi
      public static void onBeginPreload(boolean fullPreload) {
@@ -38,7 +38,7 @@ index de5a056143..e77cec2517 100644
          }
  
          // Framework's LocalLog is used during app start-up. It indirectly uses the current ICU time
-@@ -72,8 +74,10 @@ public static void onBeginPreload(boolean fullPreload) {
+@@ -72,8 +74,10 @@ public final class ZygoteHooks {
       */
      @libcore.api.CorePlatformApi
      public static void onEndPreload(boolean fullPreload) {

Patches/LineageOS-18.1/android_packages_apps_Settings/0009-Install_Restrictions.patch

@@ -10,7 +10,7 @@ Subject: [PATCH] UserManager app installation restrictions
  3 files changed, 44 insertions(+), 5 deletions(-)
 
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 87ef39ed10..66b27f3263 100644
+index b33a94d4a6..1cd05427d1 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
 @@ -7088,6 +7088,8 @@

Patches/LineageOS-18.1/android_packages_apps_Settings/0010-exec_spawning_toggle.patch

@@ -0,0 +1,167 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Mar 2022 20:35:37 -0400
+Subject: [PATCH] add exec spawning toggle
+
+---
+ res/values/strings.xml                        |   2 +
+ res/xml/security_dashboard_settings.xml       |   6 +
+ .../ExecSpawnPreferenceController.java        | 106 ++++++++++++++++++
+ .../settings/security/SecuritySettings.java   |   1 +
+ 4 files changed, 115 insertions(+)
+ create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index 87ef39ed10..b33a94d4a6 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -11957,6 +11957,8 @@
+     <!-- UI debug setting: Force enable "smart dark" UI rendering feature summary [CHAR LIMIT=NONE] -->
+     <string name="hwui_force_dark_summary">Overrides the force-dark feature to be always-on</string>
+ 
++    <string name="exec_spawn_title">Enable secure app spawning</string>
++    <string name="exec_spawn_summary">Launch apps in a more secure way than Android which takes slightly longer and increases memory usage by app processes.</string>
+     <string name="native_debug_title">Enable native code debugging</string>
+     <string name="native_debug_summary">Generate useful logs / bug reports from crashes and permit debugging native code.</string>
+ 
+diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
+index 06b3511ceb..75cc0b261d 100644
+--- a/res/xml/security_dashboard_settings.xml
++++ b/res/xml/security_dashboard_settings.xml
+@@ -64,6 +64,12 @@
+             android:entries="@array/auto_reboot_entries"
+             android:entryValues="@array/auto_reboot_values" />
+ 
++        <SwitchPreference
++            android:key="exec_spawn"
++            android:title="@string/exec_spawn_title"
++            android:summary="@string/exec_spawn_summary"
++            android:persistent="false" />
++
+         <SwitchPreference
+             android:key="native_debug"
+             android:title="@string/native_debug_title"
+diff --git a/src/com/android/settings/security/ExecSpawnPreferenceController.java b/src/com/android/settings/security/ExecSpawnPreferenceController.java
+new file mode 100644
+index 0000000000..78f021210a
+--- /dev/null
++++ b/src/com/android/settings/security/ExecSpawnPreferenceController.java
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License
++ */
++
++package com.android.settings.security;
++
++import android.content.Context;
++
++import android.os.UserHandle;
++import android.os.UserManager;
++import android.os.SystemProperties;
++
++import android.provider.Settings;
++
++import androidx.preference.Preference;
++import androidx.preference.PreferenceCategory;
++import androidx.preference.PreferenceGroup;
++import androidx.preference.PreferenceScreen;
++import androidx.preference.TwoStatePreference;
++import androidx.preference.SwitchPreference;
++
++import com.android.internal.widget.LockPatternUtils;
++import com.android.settings.core.PreferenceControllerMixin;
++import com.android.settingslib.core.AbstractPreferenceController;
++import com.android.settingslib.core.lifecycle.events.OnResume;
++
++public class ExecSpawnPreferenceController extends AbstractPreferenceController
++        implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
++
++    private static final String SYS_KEY_EXEC_SPAWN = "persist.security.exec_spawn";
++    private static final String PREF_KEY_EXEC_SPAWN = "exec_spawn";
++    private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
++
++    private PreferenceCategory mSecurityCategory;
++    private SwitchPreference mExecSpawn;
++    private boolean mIsAdmin;
++    private UserManager mUm;
++
++    public ExecSpawnPreferenceController(Context context) {
++        super(context);
++        mUm = UserManager.get(context);
++    }
++
++    @Override
++    public void displayPreference(PreferenceScreen screen) {
++        super.displayPreference(screen);
++        mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
++        updatePreferenceState();
++    }
++
++    @Override
++    public boolean isAvailable() {
++        mIsAdmin = mUm.isAdminUser();
++        return mIsAdmin;
++    }
++
++    @Override
++    public String getPreferenceKey() {
++        return PREF_KEY_EXEC_SPAWN;
++    }
++
++    // TODO: should we use onCreatePreferences() instead?
++    private void updatePreferenceState() {
++        if (mSecurityCategory == null) {
++            return;
++        }
++
++        if (mIsAdmin) {
++            mExecSpawn = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_EXEC_SPAWN);
++            mExecSpawn.setChecked(SystemProperties.getBoolean(SYS_KEY_EXEC_SPAWN, true));
++        } else {
++            mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_EXEC_SPAWN));
++        }
++    }
++
++    @Override
++    public void onResume() {
++        updatePreferenceState();
++        if (mExecSpawn != null) {
++                boolean mode = mExecSpawn.isChecked();
++                SystemProperties.set(SYS_KEY_EXEC_SPAWN, Boolean.toString(mode));
++        }
++    }
++
++    @Override
++    public boolean onPreferenceChange(Preference preference, Object value) {
++        final String key = preference.getKey();
++        if (PREF_KEY_EXEC_SPAWN.equals(key)) {
++            final boolean mode = !mExecSpawn.isChecked();
++            SystemProperties.set(SYS_KEY_EXEC_SPAWN, Boolean.toString(mode));
++        }
++        return true;
++    }
++}
+diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
+index 6f939d3165..387814c406 100644
+--- a/src/com/android/settings/security/SecuritySettings.java
++++ b/src/com/android/settings/security/SecuritySettings.java
+@@ -119,6 +119,7 @@ public class SecuritySettings extends DashboardFragment {
+         securityPreferenceControllers.add(new FingerprintStatusPreferenceController(context));
+         securityPreferenceControllers.add(new ChangeScreenLockPreferenceController(context, host));
+         securityPreferenceControllers.add(new AutoRebootPreferenceController(context));
++        securityPreferenceControllers.add(new ExecSpawnPreferenceController(context));
+         securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+         controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+                 .setChildren(securityPreferenceControllers));

Patches/Linux

@@ -1 +1 @@
-Subproject commit 9a960526a5d73ec6b619d4fca0d4073829916a82
+Subproject commit 311413e58ad8e300a0ef858adc59c365dad5f6c7

Scripts/LineageOS-16.0/Patch.sh

@@ -154,6 +154,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-7.patc
 applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-8.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-9.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-10.patch";
+sed -i 's/sys.spawn.exec/persist.security.exec_spawn/' core/java/com/android/internal/os/ZygoteConnection.java;
 fi;
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)

Scripts/LineageOS-17.1/Patch.sh

@@ -147,6 +147,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-9.patc
 applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-10.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-11.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning-12.patch";
+sed -i 's/sys.spawn.exec/persist.security.exec_spawn/' core/java/com/android/internal/os/ZygoteConnection.java;
 fi;
 applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@@ -296,6 +297,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.p
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
 fi;
 if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options

Scripts/LineageOS-18.1/Functions.sh

@@ -122,7 +122,7 @@ buildAll() {
 	buildDevice coral avb;
 	buildDevice flame avb;
 	#buildDevice raphael avb; #unb + missing vendor
-	#buildDevice vayu avb; #broken vendor
+	buildDevice vayu avb; #needs init.qcom.sensors.sh
 	#SD765
 	buildDevice bramble avb;
 	buildDevice redfin avb;

Scripts/LineageOS-18.1/Patch.sh

@@ -89,7 +89,7 @@ if enterAndClear "build/make"; then
 git revert --no-edit def3f14af17ae92192d2cc7d22349cabfa906fd6; #Re-enable the downgrade check
 applyPatch "$DOS_PATCHES/android_build/0001-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification
-if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_build/0003-Exec_Based_Spawning.patch"; fi; #Add exec-based spawning support (GrapheneOS)
+#if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_build/0003-Exec_Based_Spawning.patch"; fi; #Add exec-based spawning support (GrapheneOS) #XXX: many devices depend on RROs and most override this anyway
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/aosp_product.mk; fi; #Replace the Messaging app with Silence
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
@@ -160,6 +160,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-9.patc
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-10.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-11.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-12.patch";
+sed -i 's/sys.spawn.exec/persist.security.exec_spawn/' core/java/com/android/internal/os/ZygoteConnection.java;
 fi;
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
@@ -301,6 +302,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.p
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
 fi;
 if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
+if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-exec_spawning_toggle.patch"; fi; #Add exec spawning toggle (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options