Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-02-02 18:34:46 -05:00
Code Issues Packages Projects Releases Wiki Activity

Drop slub_debug

Browse Source 
What is lost?
- sanity checks and redzoning on all devices
  - redzoning reportedly however causes issues on some devices such as the Pixel 3/4 and OnePlus 7
- slub sanization on 3.0, 3.4, 4.4 (except google/wahoo), xiaomi/sm6150, and oneplus/sm7250

Note: all 3.4+ devices still have page sanization

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-06-03 13:42:19 -04:00
parent d3cb12b41b
commit 92c66447f8
8 changed files with 42 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Misc/Features/Page_Sanizization.txt Normal file
View File

@ -0,0 +1,40 @@
3.10
0006-AndroidHardening-Kernel_Hardening/3.10/0007.patch:Subject: [PATCH] add page sanitization / verification
0006-AndroidHardening-Kernel_Hardening/3.10/0008.patch:Subject: [PATCH] add slub sanitization
0006-AndroidHardening-Kernel_Hardening/3.10/0009.patch:Subject: [PATCH] slub: add check for write-after-free
TODO
3.18
0006-AndroidHardening-Kernel_Hardening/3.18/0024.patch:Subject: [PATCH] add page sanitization / verification
0006-AndroidHardening-Kernel_Hardening/3.18/0025.patch:Subject: [PATCH] add slub sanitization
0006-AndroidHardening-Kernel_Hardening/3.18/0026.patch:Subject: [PATCH] slub: add check for write-after-free
DOES NOT SUPPORT page_posion=1: zte/msm8996, google/dragon, motorola/msm8996, lge/msm8996, samsung/universal8890, xiaomi/msm8937, oneplus/msm8996
4.4
0008-Graphene-Kernel_Hardening/4.4/0020.patch:Subject: [PATCH] add simpler page sanitization
0008-Graphene-Kernel_Hardening/4.4/0021.patch:Subject: [PATCH] add support for verifying page sanitization
0008-Graphene-Kernel_Hardening/4.4/0022.patch:Subject: [PATCH] slub: add basic full slab sanitization
0008-Graphene-Kernel_Hardening/4.4/0023.patch:Subject: [PATCH] slub: add support for verifying slab sanitization
NEEDS slub_debug=P and page_poison=1: yandex/sdm660, oneplus/msm8998, razer/msm8998, sony/sdm660, xiaomi/sdm660, essential/msm8998, fxtec/msm8998, zuk/msm8996
4.9
0008-Graphene-Kernel_Hardening/4.9/0035.patch:Subject: [PATCH] add simpler page sanitization
0008-Graphene-Kernel_Hardening/4.9/0036.patch:Subject: [PATCH] add support for verifying page sanitization
0008-Graphene-Kernel_Hardening/4.9/0037.patch:Subject: [PATCH] slub: add basic full slab sanitization
0008-Graphene-Kernel_Hardening/4.9/0038.patch:Subject: [PATCH] slub: add support for verifying slab sanitization
INIT_ON_ALLOC/INIT_ON_FREE
4.14
0008-Graphene-Kernel_Hardening/4.14/0063.patch:Subject: [PATCH] mm: add support for verifying page sanitization
0008-Graphene-Kernel_Hardening/4.14/0064.patch:Subject: [PATCH] slub: Extend init_on_free to slab caches with constructors
0008-Graphene-Kernel_Hardening/4.14/0065.patch:Subject: [PATCH] slub: Add support for verifying slab sanitization
0008-Graphene-Kernel_Hardening/4.14/0066.patch:Subject: [PATCH] slub: Extend init_on_alloc to slab caches with constructors
NEEDS slub_debug=P and page_poison=1: xiaomi/sm6150
4.19
0008-Graphene-Kernel_Hardening/4.19/0093.patch:Subject: [PATCH] mm: add support for verifying page sanitization
0008-Graphene-Kernel_Hardening/4.19/0094.patch:Subject: [PATCH] slub: Extend init_on_free to slab caches with constructors
0008-Graphene-Kernel_Hardening/4.19/0095.patch:Subject: [PATCH] slub: Add support for verifying slab sanitization
0008-Graphene-Kernel_Hardening/4.19/0096.patch:Subject: [PATCH] slub: Extend init_on_alloc to slab caches with constructors
NEEDS slub_debug=P and page_poison=1: oneplus/sm7250
MISSING: oneplus/sm8150, google/redbull

25
Scripts/Common/Functions.sh
View File

@ -531,28 +531,6 @@ hardenUserdata() {
}
export -f hardenUserdata;
hardenBootArgs() {
cd "$DOS_BUILD_BASE$1";
#These following devices have 0006-AndroidHardening-Kernel_Hardening/3.10/0008.patch
local NO_NEED_SLUB_POSION=(); #TODO
#These following devices have 0006-AndroidHardening-Kernel_Hardening/3.18/0025.patch
NO_NEED_SLUB_POISON+=('google/dragon' 'google/marlin' 'google/marlin/marlin' 'google/marlin/sailfish' 'lge/g5-common' 'lge/g6-common' 'lge/h830' 'lge/h850' 'lge/h870' 'lge/h910' 'lge/h918' 'lge/h990' 'lge/ls997' 'lge/msm8996-common' 'lge/rs988' 'lge/us996' 'lge/us997' 'lge/v20-common' 'lge/vs995' 'motorola/griffin' 'oneplus/oneplus3' 'samsung/hero2lte' 'samsung/hero-common' 'samsung/herolte' 'xiaomi/land' 'xiaomi/msm8937-common' 'xiaomi/santoni' 'zte/axon7');
#These following devices have 0008-Graphene-Kernel_Hardening/4.4/0022.patch
NO_NEED_SLUB_POISON+=('google/muskie' 'google/wahoo');
#These following devices have 0008-Graphene-Kernel_Hardening/4.9/0037.patch
NO_NEED_SLUB_POISON+=('fairphone/FP3' 'google/bonito' 'google/bonito/bonito' 'google/bonito/sargo' 'google/crosshatch' 'google/crosshatch/blueline' 'google/crosshatch/crosshatch' 'oneplus/enchilada' 'oneplus/fajita' 'oneplus/sdm845-common' 'razer/aura' 'sony/akari' 'sony/aurora' 'sony/tama-common' 'sony/xz2c' 'xiaomi/beryllium' 'xiaomi/sdm845-common');
#These following devices have INIT_ON_ALLOC/FREE
NO_NEED_SLUB_POSION+=('google/coral' 'google/coral/coral' 'google/coral/flame' 'google/flame' 'google/redbull' 'google/redfin' 'google/redfin/redfin' 'google/sunfish' 'google/sunfish/sunfish' 'oneplus/guacamole' 'oneplus/guacamoleb' 'oneplus/hotdog' 'oneplus/hotdogb' 'oneplus/instantnoodle' 'oneplus/instantnoodlep' 'oneplus/kebab' 'oneplus/lemonade' 'oneplus/lemonadep' 'oneplus/sm8150-common' 'oneplus/sm8250-common' 'oneplus/sm8350-common' 'xiaomi/alioth' 'xiaomi/lmi' 'xiaomi/sm8150-common' 'xiaomi/sm8250-common' 'xiaomi/vayu');
if [[ " ${NO_NEED_SLUB_POSION[@]} " =~ " ${1} " ]]; then
echo "Skipped kernel command line arguments for $1";
else
sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := slub_debug=P /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
echo "Enabled slub_debug=P for $1";
fi;
cd "$DOS_BUILD_BASE";
}
export -f hardenBootArgs;
enableAutoVarInit() {
#grep TARGET_KERNEL_CLANG_COMPILE Build/*/device/*/*/*.mk -l
local DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/msm-4.14' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'oneplus/sm8250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull/lemonade* already supports init_stack_all_zero
@ -794,7 +772,7 @@ hardenDefconfig() {
#Enable supported options
#Linux <3.0
declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "SLUB_DEBUG" "STRICT_DEVMEM" "SYN_COOKIES");
declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
#optionsYes+=("DEBUG_SG"); #bootloops - https://patchwork.kernel.org/patch/8989981
#Linux 3.4
@ -940,6 +918,7 @@ hardenDefconfig() {
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile), PROC_PAGE_MONITOR (breaks memory stats), SCHED_DEBUG (breaks compile), INET_DIAG
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BLK_DEV_FD" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "FB_VIRTUAL" "HARDENED_USERCOPY_FALLBACK" "HARDENED_USERCOPY_PAGESPAN" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
#optionsNo+=("CFI_PERMISSIVE");
optionsNo+=("SLUB_DEBUG");
if [[ $kernelVersion == "4."* ]] || [[ $kernelVersion == "5."* ]]; then
optionsNo+=("DEBUG_FS");
optionsNo+=("FTRACE" "KPROBE_EVENTS" "UPROBE_EVENTS" "GENERIC_TRACER" "FUNCTION_TRACER" "STACK_TRACER" "HIST_TRIGGERS" "BLK_DEV_IO_TRACE" "FAIL_FUTEX" "DYNAMIC_DEBUG");

1
Scripts/LineageOS-14.1/Patch.sh
View File

@ -399,7 +399,6 @@ find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = "false" ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'volteOverride "{}"'; fi;
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'updateRegDb "{}"';

1
Scripts/LineageOS-15.1/Patch.sh
View File

@ -323,7 +323,6 @@ find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = "false" ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'volteOverride "{}"'; fi;
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'updateRegDb "{}"';

1
Scripts/LineageOS-16.0/Patch.sh
View File

@ -384,7 +384,6 @@ find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = "false" ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'volteOverride "{}"'; fi;
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'updateRegDb "{}"';
if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;

1
Scripts/LineageOS-17.1/Patch.sh
View File

@ -458,7 +458,6 @@ find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = "false" ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'volteOverride "{}"'; fi;
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'updateRegDb "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';

1
Scripts/LineageOS-18.1/Patch.sh
View File

@ -558,7 +558,6 @@ find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = "false" ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'volteOverride "{}"'; fi;
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'updateRegDb "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';

1
Scripts/LineageOS-19.1/Patch.sh
View File

@ -430,7 +430,6 @@ find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = "false" ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'volteOverride "{}"'; fi;
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'updateRegDb "{}"';
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';