diff --git a/Patches/LineageOS-11.0/android_external_sqlite/0001-Secure_Delete.patch b/Patches/LineageOS-11.0/android_external_sqlite/0001-Secure_Delete.patch
new file mode 100644
index 00000000..1f5c8e6d
--- /dev/null
+++ b/Patches/LineageOS-11.0/android_external_sqlite/0001-Secure_Delete.patch
@@ -0,0 +1,27 @@
+From de55e0158ad3a6f89718c1d9fb19d336dea34937 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Tue, 10 Jul 2018 08:09:29 -0400
+Subject: [PATCH] Enable secure_delete by default
+
+Change-Id: Iad6cea9f6489759faee04926213163a56dab1b9b
+---
+ dist/Android.mk | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dist/Android.mk b/dist/Android.mk
+index 96e3035..4692f3f 100644
+--- a/dist/Android.mk
++++ b/dist/Android.mk
+@@ -28,7 +28,8 @@ common_sqlite_flags := \
+ -DSQLITE_OMIT_COMPILEOPTION_DIAGS \
+ -DSQLITE_OMIT_LOAD_EXTENSION \
+ -DSQLITE_DEFAULT_FILE_PERMISSIONS=0600 \
+- -Dfdatasync=fdatasync
++ -Dfdatasync=fdatasync \
++ -DSQLITE_SECURE_DELETE
+
+ common_src_files := sqlite3.c
+
+--
+2.18.0
+
diff --git a/Patches/LineageOS-11.0/android_frameworks_base/0001-Signature_Spoofing.patch b/Patches/LineageOS-11.0/android_frameworks_base/0001-Signature_Spoofing.patch
new file mode 100644
index 00000000..5571a587
--- /dev/null
+++ b/Patches/LineageOS-11.0/android_frameworks_base/0001-Signature_Spoofing.patch
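Review bot: `-DSQLITE_SECURE_DELETE` is appended to `common_sqlite_flags` with nothing saying what it buys, and a flag list in a Makefile is exactly where the next reader will look for that; suggest `# secure_delete on by default: overwrite deleted content with zeros instead of leaving it in free pages` on the line above it. The flag only covers the database file itself, which is presumably why Scripts/LineageOS-11.0/Patch.sh in this same commit switches db_default_journal_mode from PERSIST to TRUNCATE ("Mirror SQLite secure_delete"); the comment could point at that pairing so the two are not undone independently.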
@@ -0,0 +1,66 @@ +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index e6da288..66684d3 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -447,10 +447,23 @@ public class PackageParser { + } + } + if ((flags&PackageManager.GET_SIGNATURES) != 0) { +- int N = (p.mSignatures != null) ? p.mSignatures.length : 0; +- if (N > 0) { +- pi.signatures = new Signature[N]; +- System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N); ++ boolean handledFakeSignature = false; ++ try { ++ if (p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") && p.mAppMetaData != null ++ && p.mAppMetaData.get("fake-signature") instanceof String) { ++ pi.signatures = new Signature[] {new Signature(p.mAppMetaData.getString("fake-signature"))}; ++ handledFakeSignature = true; ++ } ++ } catch (Throwable t) { ++ // We should never die because of any failures, this is system code! ++ Log.w("PackageParser.FAKE_PACKAGE_SIGNATURE", t); ++ } ++ if (!handledFakeSignature) { ++ int N = (p.mSignatures != null) ? 
p.mSignatures.length : 0; ++ if (N > 0) { ++ pi.signatures = new Signature[N]; ++ System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N); ++ } + } + } + return pi; +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 558a475..4e7aa65 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1562,6 +1562,13 @@ + android:label="@string/permlab_getPackageSize" + android:description="@string/permdesc_getPackageSize" /> + ++ ++ ++ + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index 790e166..8e66470 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -1135,6 +1135,11 @@ + Allows the app to retrieve its code, data, and cache sizes + + ++ mimic package signature ++ ++ Allows the app to use mimic another app\'s package signature. ++ ++ + directly install apps + + Allows the app to install new or updated diff --git a/Patches/LineageOS-11.0/android_frameworks_base/0002-Harden_Sig_Spoofing.patch b/Patches/LineageOS-11.0/android_frameworks_base/0002-Harden_Sig_Spoofing.patch new file mode 100644 index 00000000..2a4976e9 --- /dev/null +++ b/Patches/LineageOS-11.0/android_frameworks_base/0002-Harden_Sig_Spoofing.patch @@ -0,0 +1,26 @@ +From 79c65fa6741cecda0b38a4881a07ec54a4896b69 Mon Sep 17 00:00:00 2001 +From: Tad +Date: Tue, 10 Jul 2018 08:13:23 -0400 +Subject: [PATCH] Harden signature spoofing + +Change-Id: Iad362df358cb9cdf6e2ce9d511f09ee6b77a90e2 +--- + core/res/AndroidManifest.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 1e5a7ad1f9..224fea23c8 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -1598,7 +1598,7 @@ + + + +-- +2.18.0 + 
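Review bot: The new spoofing branch keys on `p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")`, i.e. on the permission being declared in the manifest, not on it having been granted; if the follow-up 0002 patch raises the permission's protection level (its hunk body is not visible in this rendering), a package that requests the permission without being granted it would still have its `fake-signature` meta-data returned as its signature. Android 4.4's generatePackageInfo takes a `grantedPermissions` set (the method signature lies outside the hunk, so confirm it is in scope and non-null on the GET_SIGNATURES paths), and gating on it instead is a one-line change: `if (grantedPermissions != null && grantedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") && p.mAppMetaData != null && p.mAppMetaData.get("fake-signature") instanceof String) {`. The `catch (Throwable t)` also swallows VM errors such as OutOfMemoryError; `catch (RuntimeException t)` keeps the stated never-crash intent without masking those. The strings.xml text `Allows the app to use mimic another app\'s package signature.` reads as a typo for `Allows the app to mimic another app\'s package signature.`.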
diff --git a/Patches/LineageOS-11.0/android_system_core/0001-Harden_Mounts.patch b/Patches/LineageOS-11.0/android_system_core/0001-Harden_Mounts.patch
new file mode 100644
index 00000000..ac9ad436
--- /dev/null
+++ b/Patches/LineageOS-11.0/android_system_core/0001-Harden_Mounts.patch
@@ -0,0 +1,30 @@
+From f19ab3bce2115c6ddf24528885305c3ba038f29b Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Tue, 10 Jul 2018 08:22:08 -0400
+Subject: [PATCH] Harden mounts
+
+Change-Id: I2db94882224672cac3e54f7d8422d1e036828378
+---
+ init/init.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/init/init.c b/init/init.c
+index 53e0dae1..d022253b 100644
+--- a/init/init.c
++++ b/init/init.c
+@@ -1136,9 +1136,9 @@ int main(int argc, char **argv)
+ mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
+ mkdir("/dev/pts", 0755);
+ mkdir("/dev/socket", 0755);
+- mount("devpts", "/dev/pts", "devpts", 0, NULL);
+- mount("proc", "/proc", "proc", 0, NULL);
+- mount("sysfs", "/sys", "sysfs", 0, NULL);
++ mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
++ mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
++ mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
+
+ /* indicate that booting is in progress to background fw loaders, etc */
+ close(open("/dev/.booting", O_WRONLY | O_CREAT, 0000));
+--
+2.18.0
+
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index a483ee71..6b149d00 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
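Review bot: The three rewritten mount() calls give no hint of why devpts gets MS_NOSUID|MS_NOEXEC but not MS_NODEV while proc and sysfs get all three; a comment such as `/* devpts serves the pty device nodes themselves, so MS_NODEV must stay off */` above the devpts line would stop a later hardening pass from "completing" the flag set and breaking terminals. The return values of these mount() calls remain unchecked, as they were on the removed lines, so a mount that fails with the new flags would go unnoticed at boot; if that is deliberate for init, a `/* mount failures are intentionally ignored here */` note makes it explicit. The enclosing main() starts and ends outside the hunk.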
@@ -252,7 +252,7 @@ changeDefaultDNS() { echo "You must first set a preset via the DEFAULT_DNS_PRESET variable in init.sh!"; fi; - files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java"; + files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java services/java/com/android/server/connectivity/Tethering.java"; sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true; sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true; sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true; diff --git a/Scripts/LineageOS-11.0/Patch.sh b/Scripts/LineageOS-11.0/Patch.sh index 897ca769..2cdb2e43 100755 --- a/Scripts/LineageOS-11.0/Patch.sh +++ b/Scripts/LineageOS-11.0/Patch.sh @@ -60,9 +60,6 @@ echo -e "\n84831b9409646a918e30573bab4c9c91346d8abd" > "$ANDROID_HOME/licenses/a cp -r "$DOS_PREBUILT_APPS""Fennec_DOS-Shim" "$DOS_BUILD_BASE""packages/apps/"; #Add a shim to install Fennec DOS without actually including the large APK cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps -enterAndClear "bootable/recovery"; -#patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button? #TODO - enterAndClear "build"; #patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO #sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence 
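Review bot: The path appended to `files`, `services/java/com/android/server/connectivity/Tethering.java`, differs from the other four (which live under services/core/) and is only ever consumed through `sed -i ... $files &>/dev/null || true`, so if it is wrong for a given tree the miss is silently discarded together with every other sed failure and the Google DNS defaults stay in place with no log line. A per-file existence check keeps the best-effort behaviour but reports what was skipped, e.g. `for f in $files; do [ -f "$f" ] || echo "changeDefaultDNS: $f not found, skipping"; done;` placed before the sed calls. The changeDefaultDNS function starts before this hunk.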
@@ -70,15 +67,15 @@ sed -i 's/ro.secure=0/ro.secure=1/' core/main.mk; #sed -i 's/ro.adb.secure=0/ro.adb.secure=1/' core/main.mk; enterAndClear "external/sqlite"; -#patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0) #TODO +patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0) enterAndClear "frameworks/base"; #sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.xml; #Change default SMS app to Silence sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete -#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) #TODO -#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key #TODO +if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) +if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then sed -i '/com.android.location.fused<\/item>/a \ \ \ \ \ \ \ \ org.microg.nlp' core/res/res/values/config.xml; fi; #Add UnifiedNLP to location providers -changeDefaultDNS; #TODO +changeDefaultDNS; #patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #TODO rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig; 
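Review bot: The two `if [ "$DOS_MICROG_INCLUDED" = "FULL" ]` lines apply `0001-Signature_Spoofing.patch` and `0002-Harden_Sig_Spoofing.patch` independently and neither examines the `patch -p1` exit status, so a rejected 0002 (the restriction to platform-signed system apps, per its comment) would leave spoofing enabled but unrestricted unless the script runs under `set -e`, which is not visible here. Making the hardening a hard requirement of the feature is a one-line change: `if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Harden_Sig_Spoofing.patch" || exit 1; fi;`. The same unchecked `patch -p1` pattern applies to the Secure_Delete line in this hunk and to the Harden_Mounts line in the hunk at `@@ -123,17 +120,14 @@`.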
@@ -123,17 +120,14 @@ enterAndClear "packages/apps/Trebuchet"; #cp -r "$DOS_PATCHES_COMMON/android_packages_apps_Trebuchet/default_workspace/." "res/xml/"; #TODO sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java; -enterAndClear "packages/inputmethods/LatinIME"; -#patch -p1 < "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voice.patch"; #Remove voice input key #TODO - enterAndClear "system/core"; if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file -#patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) #TODO +patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) enterAndClear "vendor/cm"; rm -rf terminal; awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used -#sed -i '3iinclude vendor/cm/config/sce.mk' config/common.mk; #Include extra apps #TODO +#sed -i '3iinclude vendor/cm/config/sce.mk' config/common.mk; #Include extra apps if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/DSPManager/' config/common.mk; fi; 
@@ -159,24 +153,23 @@ patch -p1 < "$DOS_PATCHES/android_device_zte_nex/0001-Fixes.patch"; #Build fixes sed -i 's/ro.sf.lcd_density=240/ro.sf.lcd_density=180/' system.prop; mv cm.mk lineage.mk; sed -i 's/cm_/lineage_/' lineage.mk vendorsetup.sh; +awk -i inplace '!/WCNSS_qcom_wlan_nv_2.bin/' proprietary-files.txt; #In nex-vendor-blobs.mk # "system/lib/libtime_genoff.so" -> "obj/lib/libtime_genoff.so" -# Remove "WCNSS_qcom_wlan_nv_2.bin" -enter "kernel/zte/msm8930" +enterAndClear "kernel/zte/msm8930" patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch"; #Make changes to all devices cd "$DOS_BUILD_BASE"; find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \; find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \; -#if [ "$STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \; cd "$DOS_BUILD_BASE"; #Fixes #Fix broken options enabled by hardenDefconfig() -sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile +#sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile # #END OF DEVICE CHANGES #
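Review bot: Commenting out the CONFIG_DEBUG_RODATA sed leaves its `#Breaks on compile` comment attached to a line that no longer runs, so the file now reads as if RODATA is still known to break the build while hardenDefconfig() is left to enable it; record the current state instead, e.g. `#Previously disabled because it broke the compile; now left enabled by hardenDefconfig()`, or drop the dead line. The new `awk -i inplace '!/WCNSS_qcom_wlan_nv_2.bin/' proprietary-files.txt;` uses an unescaped `.` in the pattern, harmless for this one filename but `!/WCNSS_qcom_wlan_nv_2\.bin/` states the intent. The `patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch";` line directly after the changed `enterAndClear` still uses `$patches` where the rest of the script uses `"$DOS_PATCHES/..."`; if `$patches` is unset it expands to a relative path and the patch fails to apply without stopping the script, so it is worth checking while this block is being touched.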