Netd: Harden using iptables, Build: Override build user/host, NFC: Disable NFC/NDEF

Patches/LineageOS-14.1/android_system_netd/0001-iptables.patch

@@ -0,0 +1,89 @@
+From 468c7af6d84d1b2c7bafd10c0a109d7ba8512c0b Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 29 May 2017 20:01:31 -0400
+Subject: [PATCH] Network hardening via iptables
+
+Change-Id: I4b7c330a50aa55ad9259e0ced8aee71d4acaf508
+
+Credit: https://javapipe.com/iptables-ddos-protection
+---
+ server/CommandListener.cpp | 51 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
+index b16da18..0a318fc 100755
+--- a/server/CommandListener.cpp
++++ b/server/CommandListener.cpp
+@@ -145,6 +145,12 @@ static const char* RAW_PREROUTING[] = {
+         NULL,
+ };
+ 
++static const char* MANGLE_PREROUTING[] = {
++        BandwidthController::LOCAL_MANGLE_PREROUTING,
++        IdletimerController::LOCAL_MANGLE_PREROUTING,
++        NULL,
++};
++
+ static const char* MANGLE_POSTROUTING[] = {
+         BandwidthController::LOCAL_MANGLE_POSTROUTING,
+         IdletimerController::LOCAL_MANGLE_POSTROUTING,
+@@ -225,11 +231,56 @@ CommandListener::CommandListener() :
+     createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD);
+     createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT);
+     createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING);
++    createChildChains(V4V6, "mangle", "PREROUTING", MANGLE_PREROUTING);
+     createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING);
+     createChildChains(V4V6, "mangle", "FORWARD", MANGLE_FORWARD);
+     createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
+     createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
+ 
++
++    //Credit: https://javapipe.com/iptables-ddos-protection
++    //Drop invalid packets
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-m" "conntrack" "--ctstate" "INVALID" "-j" "DROP", NULL);
++    //Drop TCP packets that are new and are not SYN
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "!" "--syn" "-m" "conntrack" "--ctstate" "NEW" "-j" "DROP", NULL);
++    //Drop SYN packets with suspicious MSS value
++    execIptables(V4, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "-m" "conntrack" "--ctstate" "NEW" "-m" "tcpmss" "!" "--mss" "536:65535" "-j" "DROP", NULL);
++    execIptables(V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "-m" "conntrack" "--ctstate" "NEW" "-m" "tcpmss" "!" "--mss" "1220:65535" "-j" "DROP", NULL);
++    //Drop packets with bogus TCP flags
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "FIN,SYN,RST,PSH,ACK,URG" "NONE" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "FIN,SYN" "FIN,SYN" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "SYN,RST" "SYN,RST" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "SYN,FIN" "SYN,FIN" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "FIN,RST" "FIN,RST" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "FIN,ACK" "FIN" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ACK,URG" "URG" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ACK,FIN" "FIN" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ACK,PSH" "PSH" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ALL" "ALL" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ALL" "NONE" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ALL" "FIN,PSH,URG" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ALL" "SYN,FIN,PSH,URG" "-j" "DROP", NULL);
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-p" "tcp" "--tcp-flags" "ALL" "SYN,RST,ACK,FIN,URG" "-j" "DROP", NULL);
++    //Drop spoofed packets
++    execIptables(V4,  "-t" "mangle" "-A" "PREROUTING" "-s" "127.0.0.0/8" "!" "-i" "lo" "-j" "DROP", NULL);
++    //Drop ICMP packets
++    execIptables(V4,  "-t" "mangle" "-A" "PREROUTING" "-p" "icmp" "-j" "DROP", NULL);
++    //Drop fragments
++    execIptables(V4V6, "-t" "mangle" "-A" "PREROUTING" "-f" "-j" "DROP", NULL);
++    //Restrict IP addresses to 128 connections
++    execIptables(V4V6, "-A" "INPUT" "-p" "tcp" "-m" "connlimit" "--connlimit-above" "128" "-j" "DROP", NULL);
++    //Restrict RST packets to 2 per second
++    execIptables(V4V6, "-A" "INPUT" "-p" "tcp" "--tcp-flags" "RST" "RST" "-m" "limit" "--limit" "2/s" "--limit-burst" "2" "-j" "ACCEPT", NULL);
++    execIptables(V4V6, "-A" "INPUT" "-p" "tcp" "--tcp-flags" "RST" "RST" "-j" "DROP", NULL);
++    //Restrict TCP connections to 32 connections per second
++    execIptables(V4V6, "-A" "INPUT" "-p" "tcp" "-m" "conntrack" "--ctstate" "NEW" "-m" "limit" "--limit" "32/s" "--limit-burst" "20" "-j" "ACCEPT", NULL);
++    execIptables(V4V6, "-A" "INPUT" "-p" "tcp" "-m" "conntrack" "--ctstate" "NEW" "-j" "DROP", NULL);
++    //Port scanning protection
++    execIptables(V4V6, "-N" "port-scanning", NULL);
++    execIptables(V4V6, "-A" "port-scanning" "-p" "tcp" "--tcp-flags" "SYN,ACK,FIN,RST" "RST" "-m" "limit" "--limit" "1/s" "--limit-burst" "2" "-j" "RETURN", NULL);
++    execIptables(V4V6, "-A" "port-scanning" "-j" "DROP", NULL);
++
++
+     // Let each module setup their child chains
+     setupOemIptablesHook();
+ 
+-- 
+2.13.0
+

Scripts/LAOS-14.1_Patches.sh

@@ -6,7 +6,7 @@
 #repo forall -c 'git add -A && git reset --hard' && rm -rf build external/noto-fonts external/sqlite frameworks/base packages/apps/CMParts packages/apps/FakeStore packages/apps/FDroid packages/apps/FDroidPrivilegedExtension packages/apps/GmsCore packages/apps/GsfProxy packages/apps/IchnaeaNlpBackend packages/apps/SetupWizard system/core vendor/cm frameworks/opt/net/ims packages/apps/Settings out
 
 #Prepare a build
-#repo sync -j20 --force-sync && sh ../../Scripts/LAOS-14.1_Patches.sh && source ../../Scripts/Generic_Deblob.sh && source build/envsetup.sh && export ANDROID_HOME="/home/$USER/Android/Sdk" && export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation" && export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}" && export KBUILD_BUILD_USER=emy && export KBUILD_BUILD_HOST=dscbm1
+#repo sync -j20 --force-sync && sh ../../Scripts/LAOS-14.1_Patches.sh && source ../../Scripts/Generic_Deblob.sh && source build/envsetup.sh && export ANDROID_HOME="/home/$USER/Android/Sdk" && export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation" && export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}" && export KBUILD_BUILD_USER=emy && export KBUILD_BUILD_HOST=dscbm
 
 #Build!
 #brunch lineage_mako-user && export OTA_PACKAGE_SIGNING_KEY=../../Signing_Keys/releasekey && export SIGNING_KEY_DIR=../../Signing_Keys && brunch lineage_clark-user && brunch lineage_bacon-user && brunch lineage_hammerhead-user && brunch lineage_shamu-user && brunch lineage_bullhead-user && brunch lineage_angler-user && brunch lineage_flo-user && brunch lineage_marlin-user && brunch lineage_ether-user && brunch lineage_Z00T-user
@@ -15,7 +15,7 @@
 #START OF PREPRATION
 #
 #Set some variables for use later on
-base="/mnt/Drive-1/Development/Other/Android_ROMs/Build/LineageOS-14.1/";
+base="/mnt/Drive-1/Development/Other/Android_ROMs/Build/LineageOS-14.1/"
 patches="/mnt/Drive-1/Development/Other/Android_ROMs/Patches/LineageOS-14.1/"
 ANDROID_HOME="/home/$USER/Android/Sdk"
 
@@ -58,6 +58,8 @@ disableDexPreOpt() {
 enter "build"
 #git revert 6f9c2e115aeccd7090f92f1fb91bc6052522cdd1 #Enable dex pre-optimization by default again
 patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing
+sed -i 's|echo "ro.build.user=$USER"|echo "ro.build.user=emy"|' tools/buildinfo.sh; #Override build user
+sed -i 's|echo "ro.build.host=`hostname`"|echo "ro.build.host=dscbm"|' tools/buildinfo.sh; #Override build host
 
 enter "external/noto-fonts"
 cp /tmp/ar/emojione-android.ttf other/NotoColorEmoji.ttf #Change emoji font to EmojiOne
@@ -125,6 +127,13 @@ sed -i 's/CMSettings.System.ENABLE_FORWARD_LOOKUP, 1)/CMSettings.System.ENABLE_F
 sed -i 's/CMSettings.System.ENABLE_PEOPLE_LOOKUP, 1)/CMSettings.System.ENABLE_PEOPLE_LOOKUP, 0)/' src/com/android/dialer/lookup/LookupSettings.java; #Disable PLP by default
 #sed -i 's/CMSettings.System.ENABLE_REVERSE_LOOKUP, 1)/CMSettings.System.ENABLE_REVERSE_LOOKUP, 0)/' src/com/android/dialer/lookup/LookupSettings.java; #Disable RLP by default
 
+enter "packages/apps/Nfc"
+sed -i 's/static final boolean NFC_ON_DEFAULT = true;/static final boolean NFC_ON_DEFAULT = false;/' src/com/android/nfc/NfcService.java; #Disable NFC by default
+sed -i 's/static final boolean NDEF_PUSH_ON_DEFAULT = true;/static final boolean NDEF_PUSH_ON_DEFAULT = false;/' src/com/android/nfc/NfcService.java; #Disable NDEF Push by default
+
+#enter "system/netd"
+#patch -p1 < $patches"android_systemd_netd/0001-iptables.patch"; #Network hardening via iptables XXX: Untested
+
 enter "external/svox"
 git fetch https://android.googlesource.com/platform/external/svox refs/changes/72/302872/2 && git cherry-pick FETCH_HEAD #Fix garbled output See https://android-review.googlesource.com/#/c/302872/
 #