Backports

Adds ptrace_scope and timeout options to 17.1, tested working

Also adds hardened_malloc to 15.1, but failing to compile:
external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE'
    if (param == M_PURGE) {
                 ^
external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers]
    struct mallinfo info = {0};
                             ^

Signed-off-by: Tad <tad@spotco.us>

Manifests/Manifest_LAOS-15.1.xml

@@ -72,6 +72,11 @@
 	<project path="external/chromium-webview" name="divested-mobile/mulch" groups="pdk" clone-depth="1" remote="gitlab" revision="master" />
 <!-- END OF BRANCH SWITCHING -->
 
+<!-- START OF ADDITIONAL REPOS -->
+	<!-- GrapheneOS
+	<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="464bfd4d829927f19fd5d2729a101ee241319d1e" /> -->
+<!-- END OF ADDITIONAL REPOS -->
+
 <!-- START OF DEVICE REPOS -->
 	<!-- Common -->
 	<project path="packages/resources/devicesettings" name="LineageOS/android_packages_resources_devicesettings" remote="github" />

Patches/Common/android_external_hardened_malloc/0001-Broken_Audio.patch

@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 28 May 2020 20:19:14 -0400
+Subject: [PATCH] workaround for audio service sorting bug
+
+---
+ h_malloc.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/h_malloc.c b/h_malloc.c
+index 8d15ab2..dbedbd4 100644
+--- a/h_malloc.c
++++ b/h_malloc.c
+@@ -85,6 +85,7 @@ static union {
+         bool zero_on_free;
+         bool purge_slabs;
+         bool region_quarantine_protect;
++        bool slot_randomize;
+     };
+     char padding[PAGE_SIZE];
+ } ro __attribute__((aligned(PAGE_SIZE)));
+@@ -355,7 +356,7 @@ static u64 get_mask(size_t slots) {
+ }
+ 
+ static size_t get_free_slot(struct random_state *rng, size_t slots, struct slab_metadata *metadata) {
+-    if (SLOT_RANDOMIZE) {
++    if (ro.slot_randomize) {
+         // randomize start location for linear search (uniform random choice is too slow)
+         unsigned random_index = get_random_u16_uniform(rng, slots);
+         unsigned first_bitmap = random_index / 64;
+@@ -1061,17 +1062,24 @@ static inline void enforce_init(void) {
+     }
+ }
+ 
+-COLD static void handle_hal_bugs(void) {
++COLD static void handle_bugs(void) {
+     char path[256];
+     if (readlink("/proc/self/exe", path, sizeof(path)) == -1) {
+         return;
+     }
++
+     const char camera_provider[] = "/vendor/bin/hw/android.hardware.camera.provider@2.4-service_64";
+     if (strcmp(camera_provider, path) == 0) {
+         ro.zero_on_free = false;
+         ro.purge_slabs = false;
+         ro.region_quarantine_protect = false;
+     }
++
++    // DeviceDescriptor sorting wrongly relies on malloc addresses
++    const char audio_service[] = "/system/bin/audioserver";
++    if (strcmp(audio_service, path) == 0) {
++        ro.slot_randomize = false;
++    }
+ }
+ 
+ COLD static void init_slow_path(void) {
+@@ -1100,7 +1108,8 @@ COLD static void init_slow_path(void) {
+     ro.purge_slabs = true;
+     ro.zero_on_free = ZERO_ON_FREE;
+     ro.region_quarantine_protect = true;
+-    handle_hal_bugs();
++    ro.slot_randomize = SLOT_RANDOMIZE;
++    handle_bugs();
+ 
+     if (sysconf(_SC_PAGESIZE) != PAGE_SIZE) {
+         fatal_error("page size mismatch");

Patches/Common/android_external_hardened_malloc/0002-Broken_Cameras.patch

@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Tue, 15 Mar 2022 22:18:26 -0400
+Subject: [PATCH] Expand workaround to all camera executables
+
+Signed-off-by: Tad <tad@spotco.us>
+Change-Id: I23513ec0379bbb10829f989690334e9704fd20e2
+---
+ h_malloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/h_malloc.c b/h_malloc.c
+index dbedbd4..d0cf881 100644
+--- a/h_malloc.c
++++ b/h_malloc.c
+@@ -1069,7 +1069,8 @@ COLD static void handle_bugs(void) {
+     }
+ 
+     const char camera_provider[] = "/vendor/bin/hw/android.hardware.camera.provider@2.4-service_64";
+-    if (strcmp(camera_provider, path) == 0) {
++    // Any camera executable on system partition
++    if (strcmp(camera_provider, path) == 0 || (strstr(path, "camera") != NULL && (strncmp("/system", path, 7) == 0 || strncmp("/vendor", path, 7) == 0))) {
+         ro.zero_on_free = false;
+         ro.purge_slabs = false;
+         ro.region_quarantine_protect = false;

Patches/LineageOS-15.1/android_bionic/0001-HM-Use_HM.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 5 Dec 2018 01:51:56 -0500
+Subject: [PATCH] add hardened_malloc library
+
+---
+ libc/Android.bp               | 45 ++++++++++++++++++++++++++++-------
+ libc/bionic/malloc_common.cpp |  5 ++++
+ 2 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/libc/Android.bp b/libc/Android.bp
+index c339b0451..6b3066e07 100644
+--- a/libc/Android.bp
++++ b/libc/Android.bp
+@@ -48,6 +48,8 @@ libc_common_flags = [
+     "-Werror=int-to-pointer-cast",
+     "-Werror=type-limits",
+     "-Werror",
++
++    "-DH_MALLOC_PREFIX",
+ ]
+ 
+ // Define some common cflags
+@@ -61,9 +63,17 @@ cc_defaults {
+     cppflags: [],
+     include_dirs: [
+         "bionic/libc/async_safe/include",
+-        "external/jemalloc/include",
+     ],
+ 
++    multilib: {
++        lib32: {
++            include_dirs: ["external/jemalloc/include"],
++        },
++        lib64: {
++            include_dirs: ["external/hardened_malloc/"],
++        },
++    },
++
+     stl: "none",
+     system_shared_libs: [],
+     sanitize: {
+@@ -1641,11 +1651,6 @@ cc_library_static {
+     name: "libc_ndk",
+     defaults: ["libc_defaults"],
+     srcs: libc_common_src_files + ["bionic/malloc_common.cpp"],
+-    multilib: {
+-        lib32: {
+-            srcs: libc_common_src_files_32,
+-        },
+-    },
+     arch: {
+         arm: {
+             srcs: [
+@@ -1676,9 +1681,18 @@ cc_library_static {
+         "libc_syscalls",
+         "libc_tzcode",
+         "libm",
+-        "libjemalloc",
+         "libstdc++",
+     ],
++
++    multilib: {
++        lib32: {
++            srcs: libc_common_src_files_32,
++            whole_static_libs: ["libjemalloc"],
++        },
++        lib64: {
++            whole_static_libs: ["libhardened_malloc"],
++        },
++    },
+ }
+ 
+ // ========================================================
+@@ -1755,7 +1769,11 @@ cc_library_static {
+ // ========================================================
+ cc_library_static {
+     defaults: ["libc_defaults"],
+-    srcs: ["bionic/jemalloc_wrapper.cpp"],
++    multilib: {
++        lib32: {
++            srcs: ["bionic/jemalloc_wrapper.cpp"],
++        },
++    },
+     cflags: ["-fvisibility=hidden"],
+ 
+     name: "libc_malloc",
+@@ -1814,7 +1832,16 @@ cc_library {
+     // you wanted!
+ 
+     shared_libs: ["libdl"],
+-    whole_static_libs: ["libc_common", "libjemalloc"],
++    whole_static_libs: ["libc_common"],
++
++    multilib: {
++        lib32: {
++            whole_static_libs: ["libjemalloc"],
++        },
++        lib64: {
++            whole_static_libs: ["libhardened_malloc"],
++        },
++    },
+ 
+     nocrt: true,
+ 
+diff --git a/libc/bionic/malloc_common.cpp b/libc/bionic/malloc_common.cpp
+index 1f201d1ca..06f85b40d 100644
+--- a/libc/bionic/malloc_common.cpp
++++ b/libc/bionic/malloc_common.cpp
+@@ -46,8 +46,13 @@
+ #include <private/bionic_globals.h>
+ #include <private/bionic_malloc_dispatch.h>
+ 
++#ifdef __LP64__
++#include "h_malloc.h"
++#define Malloc(function)  h_ ## function
++#else
+ #include "jemalloc.h"
+ #define Malloc(function)  je_ ## function
++#endif
+ 
+ static constexpr MallocDispatch __libc_malloc_default_dispatch
+   __attribute__((unused)) = {

Patches/LineageOS-15.1/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 5 Dec 2018 09:29:25 -0500
+Subject: [PATCH] avoid setting RLIMIT_AS with hardened malloc
+
+This needs to be ported to a better mechanism like memory control groups
+in order to remain compatible with hardening mechanisms based on large
+PROT_NONE address space reservations.
+
+Change-Id: Ibfb7164d764fcb9244055953bedc9a1c424cedcb
+---
+ media/libmedia/MediaUtils.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/media/libmedia/MediaUtils.cpp b/media/libmedia/MediaUtils.cpp
+index bcdc3bdcfe..de217c70bf 100644
+--- a/media/libmedia/MediaUtils.cpp
++++ b/media/libmedia/MediaUtils.cpp
+@@ -38,6 +38,14 @@ void limitProcessMemory(
+         return;
+     }
+ 
++#ifdef __LP64__
++    // This needs to be ported to a better mechanism like memory control groups
++    // in order to remain compatible with hardening mechanisms based on large
++    // PROT_NONE address space reservations.
++    ALOGW("Running with hardened malloc implementation, skip enforcing memory limitations.");
++    return;
++#endif
++
+     long pageSize = sysconf(_SC_PAGESIZE);
+     long numPages = sysconf(_SC_PHYS_PAGES);
+     size_t maxMem = SIZE_MAX;

Patches/LineageOS-15.1/android_system_core/0002-HM-Increase_vm_mmc.patch

@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 13 Dec 2018 09:26:25 -0500
+Subject: [PATCH] increase max_map_count for hardened malloc
+
+---
+ rootdir/init.rc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index 7d618af63..f9eb3d198 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -572,6 +572,8 @@ on boot
+     chown root system /sys/module/lowmemorykiller/parameters/minfree
+     chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
+ 
++    write /proc/sys/vm/max_map_count 524240
++
+     # Tweak background writeout
+     write /proc/sys/vm/dirty_expire_centisecs 200
+     write /proc/sys/vm/dirty_background_ratio  5

Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch

@@ -11,23 +11,23 @@ Subject: [PATCH] automatically reboot device after timeout if set
  4 files changed, 46 insertions(+)
 
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 07779405bbf6..c1677042d9ea 100644
+index 07779405bbf6..89d736730a3e 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -8215,6 +8215,13 @@ public final class Settings {
-         public static final String LOCK_SCREEN_SHOW_SILENT_NOTIFICATIONS =
-                 "lock_screen_show_silent_notifications";
- 
+@@ -15120,6 +15120,13 @@ public final class Settings {
+          */
+         public static final String POWER_BUTTON_SUPPRESSION_DELAY_AFTER_GESTURE_WAKE =
+                 "power_button_suppression_delay_after_gesture_wake";
++
 +        /**
 +         * Whether to automatically reboot the device after a user defined timeout
 +         *
 +         * @hide
 +         */
 +        public static final String SETTINGS_REBOOT_AFTER_TIMEOUT = "settings_reboot_after_timeout";
-+
-         /**
-          * Indicates whether snooze options should be shown on notifications
-          * <p>
+     }
+ 
+     /**
 diff --git a/data/etc/com.android.systemui.xml b/data/etc/com.android.systemui.xml
 index 2f5b5f3bf7b4..83779170d05c 100644
 --- a/data/etc/com.android.systemui.xml

Patches/LineageOS-17.1/android_frameworks_base/0016-Bluetooth_Timeout.patch

@@ -9,12 +9,12 @@ Subject: [PATCH] Bluetooth auto turn off
  2 files changed, 82 insertions(+)
 
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index c1677042d9ea..a7056de4ffb4 100644
+index 89d736730a3e..a91f3db2c133 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -8215,6 +8215,12 @@ public final class Settings {
-         public static final String LOCK_SCREEN_SHOW_SILENT_NOTIFICATIONS =
-                 "lock_screen_show_silent_notifications";
+@@ -15121,6 +15121,12 @@ public final class Settings {
+         public static final String POWER_BUTTON_SUPPRESSION_DELAY_AFTER_GESTURE_WAKE =
+                 "power_button_suppression_delay_after_gesture_wake";
  
 +        /**
 +         * The amount of time in milliseconds before bluetooth is turned off

Patches/LineageOS-17.1/android_frameworks_base/0017-WiFi_Timeout.patch

@@ -9,10 +9,10 @@ Subject: [PATCH] Wi-Fi auto turn off
  2 files changed, 76 insertions(+)
 
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index a7056de4ffb4..339ab91354e3 100644
+index a91f3db2c133..9afbe9750e94 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -8221,6 +8221,12 @@ public final class Settings {
+@@ -15127,6 +15127,12 @@ public final class Settings {
           */
          public static final String BLUETOOTH_OFF_TIMEOUT = "bluetooth_off_timeout";
  

Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch

@@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
          <item msgid="6490061470416867723">Small</item>
          <item msgid="3579015730662088893">Default</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 2180ea45f6..eeee1c039f 100644
+index 6f48171135..e2469b4734 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
 @@ -810,6 +810,9 @@

Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch

@@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
      <string-array name="screen_timeout_entries">
          <item>15 seconds</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index eeee1c039f..c5287c4489 100644
+index e2469b4734..288dca24e0 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
 @@ -25,6 +25,25 @@

Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch

@@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
      <string-array name="screen_timeout_entries">
          <item>15 seconds</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index c5287c4489..0f254706ff 100644
+index 288dca24e0..dde0923463 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
 @@ -44,6 +44,25 @@

Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch

@@ -0,0 +1,168 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Tue, 6 Apr 2021 01:15:32 +0100
+Subject: [PATCH] add native debugging setting
+
+---
+ res/values/strings.xml                        |   3 +
+ res/xml/security_dashboard_settings.xml       |   6 +
+ .../NativeDebugPreferenceController.java      | 106 ++++++++++++++++++
+ .../settings/security/SecuritySettings.java   |   1 +
+ 4 files changed, 116 insertions(+)
+ create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index dde0923463..fd3d1cde64 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -11316,6 +11316,9 @@
+     <!-- UI debug setting: Force enable "smart dark" UI rendering feature summary [CHAR LIMIT=NONE] -->
+     <string name="hwui_force_dark_summary">Overrides the force-dark feature to be always-on</string>
+ 
++    <string name="native_debug_title">Enable native code debugging</string>
++    <string name="native_debug_summary">Generate useful logs / bug reports from crashes and permit debugging native code.</string>
++
+     <!-- Title for the top level Privacy Settings [CHAR LIMIT=30]-->
+     <string name="privacy_dashboard_title">Privacy</string>
+     <!-- Summary for the top level Privacy Settings [CHAR LIMIT=NONE]-->
+diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
+index 1667943ba4..2c7b006f8b 100644
+--- a/res/xml/security_dashboard_settings.xml
++++ b/res/xml/security_dashboard_settings.xml
+@@ -63,6 +63,12 @@
+             android:persistent="false"
+             android:entries="@array/auto_reboot_entries"
+             android:entryValues="@array/auto_reboot_values" />
++
++        <SwitchPreference
++            android:key="native_debug"
++            android:title="@string/native_debug_title"
++            android:summary="@string/native_debug_summary"
++            android:persistent="false" />
+     </PreferenceCategory>
+ 
+     <!-- work profile security section -->
+diff --git a/src/com/android/settings/security/NativeDebugPreferenceController.java b/src/com/android/settings/security/NativeDebugPreferenceController.java
+new file mode 100644
+index 0000000000..9271e6e21c
+--- /dev/null
++++ b/src/com/android/settings/security/NativeDebugPreferenceController.java
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (C) 2020 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License
++ */
++
++package com.android.settings.security;
++
++import android.content.Context;
++
++import android.os.UserHandle;
++import android.os.UserManager;
++import android.os.SystemProperties;
++
++import android.provider.Settings;
++
++import androidx.preference.Preference;
++import androidx.preference.PreferenceCategory;
++import androidx.preference.PreferenceGroup;
++import androidx.preference.PreferenceScreen;
++import androidx.preference.TwoStatePreference;
++import androidx.preference.SwitchPreference;
++
++import com.android.internal.widget.LockPatternUtils;
++import com.android.settings.core.PreferenceControllerMixin;
++import com.android.settingslib.core.AbstractPreferenceController;
++import com.android.settingslib.core.lifecycle.events.OnResume;
++
++public class NativeDebugPreferenceController extends AbstractPreferenceController
++        implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
++
++    private static final String SYS_KEY_NATIVE_DEBUG = "persist.native_debug";
++    private static final String PREF_KEY_NATIVE_DEBUG = "native_debug";
++    private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
++
++    private PreferenceCategory mSecurityCategory;
++    private SwitchPreference mNativeDebug;
++    private boolean mIsAdmin;
++    private UserManager mUm;
++
++    public NativeDebugPreferenceController(Context context) {
++        super(context);
++        mUm = UserManager.get(context);
++    }
++
++    @Override
++    public void displayPreference(PreferenceScreen screen) {
++        super.displayPreference(screen);
++        mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
++        updatePreferenceState();
++    }
++
++    @Override
++    public boolean isAvailable() {
++        mIsAdmin = mUm.isAdminUser();
++        return mIsAdmin;
++    }
++
++    @Override
++    public String getPreferenceKey() {
++        return PREF_KEY_NATIVE_DEBUG;
++    }
++
++    // TODO: should we use onCreatePreferences() instead?
++    private void updatePreferenceState() {
++        if (mSecurityCategory == null) {
++            return;
++        }
++
++        if (mIsAdmin) {
++            mNativeDebug = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG);
++            mNativeDebug.setChecked(SystemProperties.getBoolean(SYS_KEY_NATIVE_DEBUG, true));
++        } else {
++            mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG));
++        }
++    }
++
++    @Override
++    public void onResume() {
++        updatePreferenceState();
++        if (mNativeDebug != null) {
++                boolean mode = mNativeDebug.isChecked();
++                SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode));
++        }
++    }
++
++    @Override
++    public boolean onPreferenceChange(Preference preference, Object value) {
++        final String key = preference.getKey();
++        if (PREF_KEY_NATIVE_DEBUG.equals(key)) {
++            final boolean mode = !mNativeDebug.isChecked();
++            SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode));
++        }
++        return true;
++    }
++}
+diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
+index b5d7814e4a..7aa126b75c 100644
+--- a/src/com/android/settings/security/SecuritySettings.java
++++ b/src/com/android/settings/security/SecuritySettings.java
+@@ -121,6 +121,7 @@ public class SecuritySettings extends DashboardFragment {
+         securityPreferenceControllers.add(new FingerprintStatusPreferenceController(context));
+         securityPreferenceControllers.add(new ChangeScreenLockPreferenceController(context, host));
+         securityPreferenceControllers.add(new AutoRebootPreferenceController(context));
++        securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+         controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+                 .setChildren(securityPreferenceControllers));
+         controllers.addAll(securityPreferenceControllers);

Patches/LineageOS-17.1/android_system_core/0004-ptrace_scope.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 03:02:51 +0100
+Subject: [PATCH] add a property for controlling ptrace_scope
+
+---
+ rootdir/init.rc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index c175bc4ac..93030dc1b 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -836,6 +836,13 @@ on property:sys.sysctl.extra_free_kbytes=*
+ on property:sys.sysctl.tcp_def_init_rwnd=*
+     write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+ 
++on property:persist.native_debug=true
++    write /proc/sys/kernel/yama/ptrace_scope 0
++
++on property:persist.native_debug=false
++    write /proc/sys/kernel/yama/ptrace_scope 2
++
++
+ on property:security.perf_harden=0
+     write /proc/sys/kernel/perf_event_paranoid 1
+     write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}

Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch

@@ -0,0 +1,130 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 02:26:20 +0100
+Subject: [PATCH] allow init to control kernel.yama.ptrace_scope
+
+Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
+---
+ prebuilts/api/26.0/private/genfs_contexts | 1 +
+ prebuilts/api/27.0/private/genfs_contexts | 1 +
+ prebuilts/api/28.0/private/genfs_contexts | 1 +
+ prebuilts/api/29.0/private/domain.te      | 1 +
+ prebuilts/api/29.0/private/genfs_contexts | 1 +
+ prebuilts/api/29.0/public/init.te         | 3 +++
+ private/domain.te                         | 1 +
+ private/genfs_contexts                    | 1 +
+ public/init.te                            | 3 +++
+ 9 files changed, 13 insertions(+)
+
+diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
+index 753cabf15..67203c998 100644
+--- a/prebuilts/api/26.0/private/genfs_contexts
++++ b/prebuilts/api/26.0/private/genfs_contexts
+@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+ genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
+index 606d46cbe..ac54e423a 100644
+--- a/prebuilts/api/27.0/private/genfs_contexts
++++ b/prebuilts/api/27.0/private/genfs_contexts
+@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+ genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+ genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
+index 44ca95fd5..89b55b28d 100644
+--- a/prebuilts/api/28.0/private/genfs_contexts
++++ b/prebuilts/api/28.0/private/genfs_contexts
+@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
+index 1d26761d6..62cbb04a1 100644
+--- a/prebuilts/api/29.0/private/domain.te
++++ b/prebuilts/api/29.0/private/domain.te
+@@ -86,6 +86,7 @@ userdebug_or_eng(`
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
++  -init
+   -vold
+   userdebug_or_eng(`-llkd')
+   -dumpstate
+diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
+index e72803627..27828d91b 100644
+--- a/prebuilts/api/29.0/private/genfs_contexts
++++ b/prebuilts/api/29.0/private/genfs_contexts
+@@ -71,6 +71,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
+index e7e5b6517..1ba495de3 100644
+--- a/prebuilts/api/29.0/public/init.te
++++ b/prebuilts/api/29.0/public/init.te
+@@ -123,6 +123,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
++# Set /proc/sys/kernel/yama/ptrace_scope
++allow init self:capability { sys_ptrace };
++
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ allowxperm init dev_type:blk_file ioctl BLKROSET;
+diff --git a/private/domain.te b/private/domain.te
+index 1d26761d6..62cbb04a1 100644
+--- a/private/domain.te
++++ b/private/domain.te
+@@ -86,6 +86,7 @@ userdebug_or_eng(`
+ # with other UIDs to these whitelisted domains.
+ neverallow {
+   domain
++  -init
+   -vold
+   userdebug_or_eng(`-llkd')
+   -dumpstate
+diff --git a/private/genfs_contexts b/private/genfs_contexts
+index e72803627..27828d91b 100644
+--- a/private/genfs_contexts
++++ b/private/genfs_contexts
+@@ -71,6 +71,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+ genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
++genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
+ genfscon proc /sys/net u:object_r:proc_net:s0
+ genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+ genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+diff --git a/public/init.te b/public/init.te
+index e7e5b6517..1ba495de3 100644
+--- a/public/init.te
++++ b/public/init.te
+@@ -123,6 +123,9 @@ allow init self:global_capability_class_set sys_time;
+ 
+ allow init self:global_capability_class_set { sys_rawio mknod };
+ 
++# Set /proc/sys/kernel/yama/ptrace_scope
++allow init self:capability { sys_ptrace };
++
+ # Mounting filesystems from block devices.
+ allow init dev_type:blk_file r_file_perms;
+ allowxperm init dev_type:blk_file ioctl BLKROSET;

Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-2.patch

@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: flawedworld <38294951+flawedworld@users.noreply.github.com>
+Date: Mon, 5 Apr 2021 02:27:06 +0100
+Subject: [PATCH] allow system to use persist.native_debug
+
+---
+ prebuilts/api/26.0/private/property_contexts | 1 +
+ prebuilts/api/27.0/private/property_contexts | 1 +
+ prebuilts/api/28.0/private/property_contexts | 1 +
+ prebuilts/api/29.0/private/property_contexts | 1 +
+ private/property_contexts                    | 1 +
+ 5 files changed, 5 insertions(+)
+
+diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
+index 4c27b35d6..c48ba4012 100644
+--- a/prebuilts/api/26.0/private/property_contexts
++++ b/prebuilts/api/26.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
++persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+ persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
+index 8eb2f28b2..237e6fcc1 100644
+--- a/prebuilts/api/27.0/private/property_contexts
++++ b/prebuilts/api/27.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
++persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+ persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
+index 32be0b377..afe0f70fe 100644
+--- a/prebuilts/api/28.0/private/property_contexts
++++ b/prebuilts/api/28.0/private/property_contexts
+@@ -44,6 +44,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
++persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
+index a63e0b4dc..bd8c4f183 100644
+--- a/prebuilts/api/29.0/private/property_contexts
++++ b/prebuilts/api/29.0/private/property_contexts
+@@ -49,6 +49,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
++persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0
+diff --git a/private/property_contexts b/private/property_contexts
+index a63e0b4dc..bd8c4f183 100644
+--- a/private/property_contexts
++++ b/private/property_contexts
+@@ -49,6 +49,7 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
+ persist.audio.          u:object_r:audio_prop:s0
+ persist.bluetooth.      u:object_r:bluetooth_prop:s0
+ persist.debug.          u:object_r:persist_debug_prop:s0
++persist.native_debug    u:object_r:system_prop:s0
+ persist.logd.           u:object_r:logd_prop:s0
+ ro.logd.                u:object_r:logd_prop:s0
+ persist.logd.security   u:object_r:device_logging_prop:s0

PrebuiltApps

@@ -1 +1 @@
-Subproject commit 4472db7087a7da96df144ef2c6cb43e23b29d907
+Subproject commit d61df5a1f0c5b9a602e45cc9c62ba42e433853da

Scripts/LineageOS-15.1/Patch.sh

@@ -57,6 +57,7 @@ cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/
 
 if enterAndClear "bionic"; then
 applyPatch "$DOS_PATCHES_COMMON/android_bionic/0001-Wildcard_Hosts.patch"; #Support wildcards in cached hosts file (backport from 16.0+)
+#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)
 fi;
 
 if enterAndClear "bootable/recovery"; then
@@ -95,10 +96,21 @@ if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPI
 if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available
 fi;
 
+#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then
+#if enterAndClear "external/hardened_malloc"; then
+#applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
+#applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0002-Broken_Cameras.patch"; #Expand workaround to all camera executables
+#fi;
+#fi;
+
 if enterAndClear "external/svox"; then
 git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 fi;
 
+#if enterAndClear "frameworks/av"; then
+#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
+#fi;
+
 if enterAndClear "frameworks/base"; then
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours
 #applyPatch "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
@@ -238,6 +250,7 @@ if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4; #Always update recovery
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
+if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 fi;
 
 if enterAndClear "system/sepolicy"; then

Scripts/LineageOS-16.0/Patch.sh

@@ -121,8 +121,8 @@ fi;
 
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
 if enterAndClear "external/hardened_malloc"; then
-applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
-applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0002-Broken_Cameras.patch"; #Expand workaround to all camera executables
+applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
+applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0002-Broken_Cameras.patch"; #Expand workaround to all camera executables
 fi;
 fi;
 

Scripts/LineageOS-17.1/Patch.sh

@@ -163,6 +163,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-7.patch";
 fi;
+if [ "$DOS_TIMEOUTS" = true ]; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0016-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_frameworks_base/0017-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
+fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0018-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
@@ -285,6 +290,12 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Togg
 if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
+if [ "$DOS_TIMEOUTS" = true ]; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
+fi;
+if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options
@@ -330,6 +341,7 @@ git revert --no-edit bd4142eab8b3cead0c25a2e660b4b048d1315d3c; #Always update re
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
+if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
 fi;
 
 if enterAndClear "system/extras"; then
@@ -342,6 +354,10 @@ fi;
 
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
+if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
+applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
+fi;
 git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/28.0";

Scripts/LineageOS-18.1/Patch.sh

@@ -141,9 +141,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch";
 applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-7.patch";
 fi;
+if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0016-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
+fi;
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0017-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
@@ -293,9 +295,11 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Togg
 if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
+if [ "$DOS_TIMEOUTS" = true ]; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
+fi;
 if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
 sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service

Scripts/init.sh

@@ -61,8 +61,9 @@ export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+
 export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1
 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1
 export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1 XXX: breaks things like VoLTE
-export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the ptrace_scope toggle patchset on 18.1
+export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the ptrace_scope toggle patchset on 17.1+18.1
 export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1
+export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1
 export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
 export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
 export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"