11.0: More work
This commit is contained in:
parent
5716c58485
commit
966f4a5baf
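--- /dev/null
+++ b/android_external_sqlite/0001-Secure_Delete.patch
@@ -0,0 +1,27 @@
+From de55e0158ad3a6f89718c1d9fb19d336dea34937 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 10 Jul 2018 08:09:29 -0400
+Subject: [PATCH] Enable secure_delete by default
+
+Change-Id: Iad6cea9f6489759faee04926213163a56dab1b9b
+---
+dist/Android.mk | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dist/Android.mk b/dist/Android.mk
+index 96e3035..4692f3f 100644
+--- a/dist/Android.mk
++++ b/dist/Android.mk
+@@ -28,7 +28,8 @@ common_sqlite_flags := \
+-DSQLITE_OMIT_COMPILEOPTION_DIAGS \
+-DSQLITE_OMIT_LOAD_EXTENSION \
+-DSQLITE_DEFAULT_FILE_PERMISSIONS=0600 \
+- -Dfdatasync=fdatasync
++ -Dfdatasync=fdatasync \
++ -DSQLITE_SECURE_DELETE
+
+common_src_files := sqlite3.c
+
+--
+2.18.0
+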
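Review bot: `-DSQLITE_SECURE_DELETE` zero-fills freed pages only inside the main database file, so deleted rows can still be recovered from a rollback journal that keeps old page images (PERSIST mode leaves the journal on disk) or may linger in a WAL file, which makes the flag only as strong as the journal-mode default it is paired with. This tree does pair it — Patch.sh rewrites `db_default_journal_mode">PERSIST` to `TRUNCATE` in frameworks/base — but that coupling is invisible from this patch, and apps that pick their own journal mode or bundle their own SQLite copy get no benefit from this build flag. I would record that in the commit message: `Pairs with db_default_journal_mode=TRUNCATE in frameworks/base; does not cover WAL files or app-bundled SQLite builds.` Expect a modest write-cost increase, since freed pages are overwritten rather than just marked free.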
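--- /dev/null
+++ b/android_frameworks_base/0001-Signature_Spoofing.patch
@@ -0,0 +1,66 @@
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index e6da288..66684d3 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -447,10 +447,23 @@ public class PackageParser {
+}
+}
+if ((flags&PackageManager.GET_SIGNATURES) != 0) {
+- int N = (p.mSignatures != null) ? p.mSignatures.length : 0;
+- if (N > 0) {
+- pi.signatures = new Signature[N];
+- System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N);
++ boolean handledFakeSignature = false;
++ try {
++ if (p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE") && p.mAppMetaData != null
++ && p.mAppMetaData.get("fake-signature") instanceof String) {
++ pi.signatures = new Signature[] {new Signature(p.mAppMetaData.getString("fake-signature"))};
++ handledFakeSignature = true;
++ }
++ } catch (Throwable t) {
++ // We should never die because of any failures, this is system code!
++ Log.w("PackageParser.FAKE_PACKAGE_SIGNATURE", t);
++ }
++ if (!handledFakeSignature) {
++ int N = (p.mSignatures != null) ? p.mSignatures.length : 0;
++ if (N > 0) {
++ pi.signatures = new Signature[N];
++ System.arraycopy(p.mSignatures, 0, pi.signatures, 0, N);
++ }
+}
+}
+return pi;
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index 558a475..4e7aa65 100644
+--- a/core/res/AndroidManifest.xml
++++ b/core/res/AndroidManifest.xml
+@@ -1562,6 +1562,13 @@
+android:label="@string/permlab_getPackageSize"
+android:description="@string/permdesc_getPackageSize" />
+
++ <!-- Allows an application to change the package signature as seen by applications -->
++ <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
++ android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
++ android:protectionLevel="dangerous"
++ android:label="@string/permlab_fakePackageSignature"
++ android:description="@string/permdesc_fakePackageSignature" />
++
+<!-- @deprecated No longer useful, see
+{@link android.content.pm.PackageManager#addPackageToPreferred}
+for details. -->
+diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
+index 790e166..8e66470 100644
+--- a/core/res/res/values/strings.xml
++++ b/core/res/res/values/strings.xml
+@@ -1135,6 +1135,11 @@
+<string name="permdesc_getPackageSize">Allows the app to retrieve its code, data, and cache sizes</string>
+
+<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
++ <string name="permlab_fakePackageSignature">mimic package signature</string>
++ <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
++ <string name="permdesc_fakePackageSignature">Allows the app to use mimic another app\'s package signature.</string>
++
++ <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+<string name="permlab_installPackages">directly install apps</string>
+<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+<string name="permdesc_installPackages">Allows the app to install new or updated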
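Review bot: The gate in the PackageParser hunk, `p.requestedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")`, tests the manifest `<uses-permission>` list rather than whether the permission was actually granted, so the protection level declared in the manifest hunk never reaches this decision: any installed app that declares the permission plus a `fake-signature` meta-data string has that string returned to every `GET_SIGNATURES` caller, and because the new code assigns a one-element array the real signer is not visible at all. If this tree's `generatePackageInfo` still receives the granted-permission set (AOSP 4.4 passes it to fill `REQUESTED_PERMISSION_GRANTED`), the check should be `grantedPermissions != null && grantedPermissions.contains("android.permission.FAKE_PACKAGE_SIGNATURE")`; the method signature is outside the hunk, so confirm the parameter name there. `catch (Throwable t)` is also wider than the failure it guards — `new Signature(String)` on malformed hex throws a RuntimeException — so `catch (RuntimeException t)` keeps the fall-back to the real signatures without swallowing Errors. The strings.xml hunk's description `Allows the app to use mimic another app\'s package signature.` has a stray word ("use mimic").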
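--- /dev/null
+++ b/android_frameworks_base/0002-Harden_Sig_Spoofing.patch
@@ -0,0 +1,26 @@
+From 79c65fa6741cecda0b38a4881a07ec54a4896b69 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Tue, 10 Jul 2018 08:13:23 -0400
+Subject: [PATCH] Harden signature spoofing
+
+Change-Id: Iad362df358cb9cdf6e2ce9d511f09ee6b77a90e2
+---
+core/res/AndroidManifest.xml | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index 1e5a7ad1f9..224fea23c8 100644
+--- a/core/res/AndroidManifest.xml
++++ b/core/res/AndroidManifest.xml
+@@ -1598,7 +1598,7 @@
+<!-- Allows an application to change the package signature as seen by applications -->
+<permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
+android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
+- android:protectionLevel="dangerous"
++ android:protectionLevel="signature"
+android:label="@string/permlab_fakePackageSignature"
+android:description="@string/permdesc_fakePackageSignature" />
+
+--
+2.18.0
+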
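Review bot: Raising the level to `signature` only changes what PackageManagerService will grant, and whether that restricts spoofing depends on the consumer of the permission: the companion `0001-Signature_Spoofing.patch` applied just before this one in Patch.sh gates on `p.requestedPermissions.contains(...)`, which is the manifest declaration and is populated whether or not the grant succeeds. If that check is unchanged in this tree, a third-party app that merely lists `android.permission.FAKE_PACKAGE_SIGNATURE` in its manifest still has its `fake-signature` returned and this hardening does not bite; the fix belongs in PackageParser (consult the granted-permission set instead of `requestedPermissions`), not in this XML. It would also help to state in the commit message that any app expected to keep spoofing (e.g. a GmsCore build) must now be signed with the platform key, since that is the new precondition.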
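--- /dev/null
+++ b/android_system_core/0001-Harden_Mounts.patch
@@ -0,0 +1,30 @@
+From f19ab3bce2115c6ddf24528885305c3ba038f29b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 10 Jul 2018 08:22:08 -0400
+Subject: [PATCH] Harden mounts
+
+Change-Id: I2db94882224672cac3e54f7d8422d1e036828378
+---
+init/init.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/init/init.c b/init/init.c
+index 53e0dae1..d022253b 100644
+--- a/init/init.c
++++ b/init/init.c
+@@ -1136,9 +1136,9 @@ int main(int argc, char **argv)
+mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
+mkdir("/dev/pts", 0755);
+mkdir("/dev/socket", 0755);
+- mount("devpts", "/dev/pts", "devpts", 0, NULL);
+- mount("proc", "/proc", "proc", 0, NULL);
+- mount("sysfs", "/sys", "sysfs", 0, NULL);
++ mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
++ mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
++ mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
+
+/* indicate that booting is in progress to background fw loaders, etc */
+close(open("/dev/.booting", O_WRONLY | O_CREAT, 0000));
+--
+2.18.0
+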
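Review bot: The `/dev` tmpfs on the context line above still carries only `MS_NOSUID`, so after this change it is the one early mount here that is both writable and executable. Adding `MS_NOEXEC` there is the natural next step, but it needs device testing rather than a blind change, since some vendor drivers may map device nodes with PROT_EXEC and would be refused on a noexec mount. For `/proc`, if the kernels in this build support it, passing `"hidepid=2"` as the data argument — `mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2");` — also stops unprivileged apps from enumerating other processes' `/proc/<pid>` entries; AOSP later shipped this with a `gid=` exemption for tools that need the listing, so expect some breakage without one. The return values of all three mounts are still ignored, which predates this change; `main` starts and ends outside the hunk.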
@ -252,7 +252,7 @@ changeDefaultDNS() {
|
|||||||
echo "You must first set a preset via the DEFAULT_DNS_PRESET variable in init.sh!";
|
echo "You must first set a preset via the DEFAULT_DNS_PRESET variable in init.sh!";
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java";
|
files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java services/java/com/android/server/connectivity/Tethering.java";
|
||||||
sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true;
|
sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true;
|
||||||
sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true;
|
sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true;
|
||||||
sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
|
sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
|
||||||
|
@ -60,9 +60,6 @@ echo -e "\n84831b9409646a918e30573bab4c9c91346d8abd" > "$ANDROID_HOME/licenses/a
|
|||||||
cp -r "$DOS_PREBUILT_APPS""Fennec_DOS-Shim" "$DOS_BUILD_BASE""packages/apps/"; #Add a shim to install Fennec DOS without actually including the large APK
|
cp -r "$DOS_PREBUILT_APPS""Fennec_DOS-Shim" "$DOS_BUILD_BASE""packages/apps/"; #Add a shim to install Fennec DOS without actually including the large APK
|
||||||
cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps
|
cp -r "$DOS_PREBUILT_APPS""android_vendor_FDroid_PrebuiltApps/." "$DOS_BUILD_BASE""vendor/fdroid_prebuilt/"; #Add the prebuilt apps
|
||||||
|
|
||||||
enterAndClear "bootable/recovery";
|
|
||||||
#patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button? #TODO
|
|
||||||
|
|
||||||
enterAndClear "build";
|
enterAndClear "build";
|
||||||
#patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO
|
#patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO
|
||||||
#sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
|
#sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
|
||||||
@ -70,15 +67,15 @@ sed -i 's/ro.secure=0/ro.secure=1/' core/main.mk;
|
|||||||
#sed -i 's/ro.adb.secure=0/ro.adb.secure=1/' core/main.mk;
|
#sed -i 's/ro.adb.secure=0/ro.adb.secure=1/' core/main.mk;
|
||||||
|
|
||||||
enterAndClear "external/sqlite";
|
enterAndClear "external/sqlite";
|
||||||
#patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0) #TODO
|
patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0)
|
||||||
|
|
||||||
enterAndClear "frameworks/base";
|
enterAndClear "frameworks/base";
|
||||||
#sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.xml; #Change default SMS app to Silence
|
#sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.xml; #Change default SMS app to Silence
|
||||||
sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete
|
sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete
|
||||||
#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) #TODO
|
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
|
||||||
#if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0005-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key #TODO
|
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
|
||||||
if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then sed -i '/<item>com.android.location.fused<\/item>/a \ \ \ \ \ \ \ \ <item>org.microg.nlp</item>' core/res/res/values/config.xml; fi; #Add UnifiedNLP to location providers
|
if [ "$DOS_MICROG_INCLUDED" = "NLP" ]; then sed -i '/<item>com.android.location.fused<\/item>/a \ \ \ \ \ \ \ \ <item>org.microg.nlp</item>' core/res/res/values/config.xml; fi; #Add UnifiedNLP to location providers
|
||||||
changeDefaultDNS; #TODO
|
changeDefaultDNS;
|
||||||
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #TODO
|
#patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #TODO
|
||||||
rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig;
|
rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig;
|
||||||
|
|
||||||
@ -123,17 +120,14 @@ enterAndClear "packages/apps/Trebuchet";
|
|||||||
#cp -r "$DOS_PATCHES_COMMON/android_packages_apps_Trebuchet/default_workspace/." "res/xml/"; #TODO
|
#cp -r "$DOS_PATCHES_COMMON/android_packages_apps_Trebuchet/default_workspace/." "res/xml/"; #TODO
|
||||||
sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;
|
sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;
|
||||||
|
|
||||||
enterAndClear "packages/inputmethods/LatinIME";
|
|
||||||
#patch -p1 < "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voice.patch"; #Remove voice input key #TODO
|
|
||||||
|
|
||||||
enterAndClear "system/core";
|
enterAndClear "system/core";
|
||||||
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
|
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
|
||||||
#patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0) #TODO
|
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
|
||||||
|
|
||||||
enterAndClear "vendor/cm";
|
enterAndClear "vendor/cm";
|
||||||
rm -rf terminal;
|
rm -rf terminal;
|
||||||
awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used
|
awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used
|
||||||
#sed -i '3iinclude vendor/cm/config/sce.mk' config/common.mk; #Include extra apps #TODO
|
#sed -i '3iinclude vendor/cm/config/sce.mk' config/common.mk; #Include extra apps
|
||||||
if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
|
if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
|
||||||
awk -i inplace '!/DSPManager/' config/common.mk;
|
awk -i inplace '!/DSPManager/' config/common.mk;
|
||||||
fi;
|
fi;
|
||||||
@ -159,24 +153,23 @@ patch -p1 < "$DOS_PATCHES/android_device_zte_nex/0001-Fixes.patch"; #Build fixes
|
|||||||
sed -i 's/ro.sf.lcd_density=240/ro.sf.lcd_density=180/' system.prop;
|
sed -i 's/ro.sf.lcd_density=240/ro.sf.lcd_density=180/' system.prop;
|
||||||
mv cm.mk lineage.mk;
|
mv cm.mk lineage.mk;
|
||||||
sed -i 's/cm_/lineage_/' lineage.mk vendorsetup.sh;
|
sed -i 's/cm_/lineage_/' lineage.mk vendorsetup.sh;
|
||||||
|
awk -i inplace '!/WCNSS_qcom_wlan_nv_2.bin/' proprietary-files.txt;
|
||||||
#In nex-vendor-blobs.mk
|
#In nex-vendor-blobs.mk
|
||||||
# "system/lib/libtime_genoff.so" -> "obj/lib/libtime_genoff.so"
|
# "system/lib/libtime_genoff.so" -> "obj/lib/libtime_genoff.so"
|
||||||
# Remove "WCNSS_qcom_wlan_nv_2.bin"
|
|
||||||
|
|
||||||
enter "kernel/zte/msm8930"
|
enterAndClear "kernel/zte/msm8930"
|
||||||
patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch";
|
patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch";
|
||||||
|
|
||||||
#Make changes to all devices
|
#Make changes to all devices
|
||||||
cd "$DOS_BUILD_BASE";
|
cd "$DOS_BUILD_BASE";
|
||||||
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \;
|
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \;
|
||||||
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \;
|
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \;
|
||||||
#if [ "$STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \; fi;
|
|
||||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \;
|
find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \;
|
||||||
cd "$DOS_BUILD_BASE";
|
cd "$DOS_BUILD_BASE";
|
||||||
|
|
||||||
#Fixes
|
#Fixes
|
||||||
#Fix broken options enabled by hardenDefconfig()
|
#Fix broken options enabled by hardenDefconfig()
|
||||||
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
|
#sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
|
||||||
#
|
#
|
||||||
#END OF DEVICE CHANGES
|
#END OF DEVICE CHANGES
|
||||||
#
|
#
|
||||||
|
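Review bot: The two signature-spoofing lines in the frameworks/base hunk are independent statements, so if `0001-Signature_Spoofing.patch` applies and `0002-Harden_Sig_Spoofing.patch` then fails (offset or reject), the build silently ships the `dangerous`-level permission — exactly the state the second patch exists to remove — unless the script runs under `set -e`, which is not visible here. Chaining them keeps the pair atomic: `if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Signature_Spoofing.patch" && patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Harden_Sig_Spoofing.patch" || exit 1; fi;`, and the same `|| exit 1` discipline would suit the Secure_Delete and Harden_Mounts lines, whose failure is equally silent. Separately, the msm8930 hunk's `patch -p1 < $patches"android_kernel_zte_msm8930/0001-MDP-Fix.patch"` uses `$patches` while every other patch line uses `"$DOS_PATCHES/..."`; if `$patches` is unset that resolves to a relative path and the kernel fix never applies.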