mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-28 08:59:40 -05:00
Backports
Adds ptrace_scope and timeout options to 17.1, tested working Also adds hardened_malloc to 15.1, but failing to compile: external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE' if (param == M_PURGE) { ^ external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers] struct mallinfo info = {0}; ^ Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
0c33d328b7
commit
a53062ca0b
@ -72,6 +72,11 @@
|
||||
<project path="external/chromium-webview" name="divested-mobile/mulch" groups="pdk" clone-depth="1" remote="gitlab" revision="master" />
|
||||
<!-- END OF BRANCH SWITCHING -->
|
||||
|
||||
<!-- START OF ADDITIONAL REPOS -->
|
||||
<!-- GrapheneOS
|
||||
<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="464bfd4d829927f19fd5d2729a101ee241319d1e" /> -->
|
||||
<!-- END OF ADDITIONAL REPOS -->
|
||||
|
||||
<!-- START OF DEVICE REPOS -->
|
||||
<!-- Common -->
|
||||
<project path="packages/resources/devicesettings" name="LineageOS/android_packages_resources_devicesettings" remote="github" />
|
||||
|
@ -0,0 +1,66 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Thu, 28 May 2020 20:19:14 -0400
|
||||
Subject: [PATCH] workaround for audio service sorting bug
|
||||
|
||||
---
|
||||
h_malloc.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/h_malloc.c b/h_malloc.c
|
||||
index 8d15ab2..dbedbd4 100644
|
||||
--- a/h_malloc.c
|
||||
+++ b/h_malloc.c
|
||||
@@ -85,6 +85,7 @@ static union {
|
||||
bool zero_on_free;
|
||||
bool purge_slabs;
|
||||
bool region_quarantine_protect;
|
||||
+ bool slot_randomize;
|
||||
};
|
||||
char padding[PAGE_SIZE];
|
||||
} ro __attribute__((aligned(PAGE_SIZE)));
|
||||
@@ -355,7 +356,7 @@ static u64 get_mask(size_t slots) {
|
||||
}
|
||||
|
||||
static size_t get_free_slot(struct random_state *rng, size_t slots, struct slab_metadata *metadata) {
|
||||
- if (SLOT_RANDOMIZE) {
|
||||
+ if (ro.slot_randomize) {
|
||||
// randomize start location for linear search (uniform random choice is too slow)
|
||||
unsigned random_index = get_random_u16_uniform(rng, slots);
|
||||
unsigned first_bitmap = random_index / 64;
|
||||
@@ -1061,17 +1062,24 @@ static inline void enforce_init(void) {
|
||||
}
|
||||
}
|
||||
|
||||
-COLD static void handle_hal_bugs(void) {
|
||||
+COLD static void handle_bugs(void) {
|
||||
char path[256];
|
||||
if (readlink("/proc/self/exe", path, sizeof(path)) == -1) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
const char camera_provider[] = "/vendor/bin/hw/android.hardware.camera.provider@2.4-service_64";
|
||||
if (strcmp(camera_provider, path) == 0) {
|
||||
ro.zero_on_free = false;
|
||||
ro.purge_slabs = false;
|
||||
ro.region_quarantine_protect = false;
|
||||
}
|
||||
+
|
||||
+ // DeviceDescriptor sorting wrongly relies on malloc addresses
|
||||
+ const char audio_service[] = "/system/bin/audioserver";
|
||||
+ if (strcmp(audio_service, path) == 0) {
|
||||
+ ro.slot_randomize = false;
|
||||
+ }
|
||||
}
|
||||
|
||||
COLD static void init_slow_path(void) {
|
||||
@@ -1100,7 +1108,8 @@ COLD static void init_slow_path(void) {
|
||||
ro.purge_slabs = true;
|
||||
ro.zero_on_free = ZERO_ON_FREE;
|
||||
ro.region_quarantine_protect = true;
|
||||
- handle_hal_bugs();
|
||||
+ ro.slot_randomize = SLOT_RANDOMIZE;
|
||||
+ handle_bugs();
|
||||
|
||||
if (sysconf(_SC_PAGESIZE) != PAGE_SIZE) {
|
||||
fatal_error("page size mismatch");
|
@ -0,0 +1,25 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Tue, 15 Mar 2022 22:18:26 -0400
|
||||
Subject: [PATCH] Expand workaround to all camera executables
|
||||
|
||||
Signed-off-by: Tad <tad@spotco.us>
|
||||
Change-Id: I23513ec0379bbb10829f989690334e9704fd20e2
|
||||
---
|
||||
h_malloc.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/h_malloc.c b/h_malloc.c
|
||||
index dbedbd4..d0cf881 100644
|
||||
--- a/h_malloc.c
|
||||
+++ b/h_malloc.c
|
||||
@@ -1069,7 +1069,8 @@ COLD static void handle_bugs(void) {
|
||||
}
|
||||
|
||||
const char camera_provider[] = "/vendor/bin/hw/android.hardware.camera.provider@2.4-service_64";
|
||||
- if (strcmp(camera_provider, path) == 0) {
|
||||
+ // Any camera executable on system partition
|
||||
+ if (strcmp(camera_provider, path) == 0 || (strstr(path, "camera") != NULL && (strncmp("/system", path, 7) == 0 || strncmp("/vendor", path, 7) == 0))) {
|
||||
ro.zero_on_free = false;
|
||||
ro.purge_slabs = false;
|
||||
ro.region_quarantine_protect = false;
|
123
Patches/LineageOS-15.1/android_bionic/0001-HM-Use_HM.patch
Normal file
123
Patches/LineageOS-15.1/android_bionic/0001-HM-Use_HM.patch
Normal file
@ -0,0 +1,123 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Wed, 5 Dec 2018 01:51:56 -0500
|
||||
Subject: [PATCH] add hardened_malloc library
|
||||
|
||||
---
|
||||
libc/Android.bp | 45 ++++++++++++++++++++++++++++-------
|
||||
libc/bionic/malloc_common.cpp | 5 ++++
|
||||
2 files changed, 41 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/libc/Android.bp b/libc/Android.bp
|
||||
index c339b0451..6b3066e07 100644
|
||||
--- a/libc/Android.bp
|
||||
+++ b/libc/Android.bp
|
||||
@@ -48,6 +48,8 @@ libc_common_flags = [
|
||||
"-Werror=int-to-pointer-cast",
|
||||
"-Werror=type-limits",
|
||||
"-Werror",
|
||||
+
|
||||
+ "-DH_MALLOC_PREFIX",
|
||||
]
|
||||
|
||||
// Define some common cflags
|
||||
@@ -61,9 +63,17 @@ cc_defaults {
|
||||
cppflags: [],
|
||||
include_dirs: [
|
||||
"bionic/libc/async_safe/include",
|
||||
- "external/jemalloc/include",
|
||||
],
|
||||
|
||||
+ multilib: {
|
||||
+ lib32: {
|
||||
+ include_dirs: ["external/jemalloc/include"],
|
||||
+ },
|
||||
+ lib64: {
|
||||
+ include_dirs: ["external/hardened_malloc/"],
|
||||
+ },
|
||||
+ },
|
||||
+
|
||||
stl: "none",
|
||||
system_shared_libs: [],
|
||||
sanitize: {
|
||||
@@ -1641,11 +1651,6 @@ cc_library_static {
|
||||
name: "libc_ndk",
|
||||
defaults: ["libc_defaults"],
|
||||
srcs: libc_common_src_files + ["bionic/malloc_common.cpp"],
|
||||
- multilib: {
|
||||
- lib32: {
|
||||
- srcs: libc_common_src_files_32,
|
||||
- },
|
||||
- },
|
||||
arch: {
|
||||
arm: {
|
||||
srcs: [
|
||||
@@ -1676,9 +1681,18 @@ cc_library_static {
|
||||
"libc_syscalls",
|
||||
"libc_tzcode",
|
||||
"libm",
|
||||
- "libjemalloc",
|
||||
"libstdc++",
|
||||
],
|
||||
+
|
||||
+ multilib: {
|
||||
+ lib32: {
|
||||
+ srcs: libc_common_src_files_32,
|
||||
+ whole_static_libs: ["libjemalloc"],
|
||||
+ },
|
||||
+ lib64: {
|
||||
+ whole_static_libs: ["libhardened_malloc"],
|
||||
+ },
|
||||
+ },
|
||||
}
|
||||
|
||||
// ========================================================
|
||||
@@ -1755,7 +1769,11 @@ cc_library_static {
|
||||
// ========================================================
|
||||
cc_library_static {
|
||||
defaults: ["libc_defaults"],
|
||||
- srcs: ["bionic/jemalloc_wrapper.cpp"],
|
||||
+ multilib: {
|
||||
+ lib32: {
|
||||
+ srcs: ["bionic/jemalloc_wrapper.cpp"],
|
||||
+ },
|
||||
+ },
|
||||
cflags: ["-fvisibility=hidden"],
|
||||
|
||||
name: "libc_malloc",
|
||||
@@ -1814,7 +1832,16 @@ cc_library {
|
||||
// you wanted!
|
||||
|
||||
shared_libs: ["libdl"],
|
||||
- whole_static_libs: ["libc_common", "libjemalloc"],
|
||||
+ whole_static_libs: ["libc_common"],
|
||||
+
|
||||
+ multilib: {
|
||||
+ lib32: {
|
||||
+ whole_static_libs: ["libjemalloc"],
|
||||
+ },
|
||||
+ lib64: {
|
||||
+ whole_static_libs: ["libhardened_malloc"],
|
||||
+ },
|
||||
+ },
|
||||
|
||||
nocrt: true,
|
||||
|
||||
diff --git a/libc/bionic/malloc_common.cpp b/libc/bionic/malloc_common.cpp
|
||||
index 1f201d1ca..06f85b40d 100644
|
||||
--- a/libc/bionic/malloc_common.cpp
|
||||
+++ b/libc/bionic/malloc_common.cpp
|
||||
@@ -46,8 +46,13 @@
|
||||
#include <private/bionic_globals.h>
|
||||
#include <private/bionic_malloc_dispatch.h>
|
||||
|
||||
+#ifdef __LP64__
|
||||
+#include "h_malloc.h"
|
||||
+#define Malloc(function) h_ ## function
|
||||
+#else
|
||||
#include "jemalloc.h"
|
||||
#define Malloc(function) je_ ## function
|
||||
+#endif
|
||||
|
||||
static constexpr MallocDispatch __libc_malloc_default_dispatch
|
||||
__attribute__((unused)) = {
|
@ -0,0 +1,33 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Wed, 5 Dec 2018 09:29:25 -0500
|
||||
Subject: [PATCH] avoid setting RLIMIT_AS with hardened malloc
|
||||
|
||||
This needs to be ported to a better mechanism like memory control groups
|
||||
in order to remain compatible with hardening mechanisms based on large
|
||||
PROT_NONE address space reservations.
|
||||
|
||||
Change-Id: Ibfb7164d764fcb9244055953bedc9a1c424cedcb
|
||||
---
|
||||
media/libmedia/MediaUtils.cpp | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/media/libmedia/MediaUtils.cpp b/media/libmedia/MediaUtils.cpp
|
||||
index bcdc3bdcfe..de217c70bf 100644
|
||||
--- a/media/libmedia/MediaUtils.cpp
|
||||
+++ b/media/libmedia/MediaUtils.cpp
|
||||
@@ -38,6 +38,14 @@ void limitProcessMemory(
|
||||
return;
|
||||
}
|
||||
|
||||
+#ifdef __LP64__
|
||||
+ // This needs to be ported to a better mechanism like memory control groups
|
||||
+ // in order to remain compatible with hardening mechanisms based on large
|
||||
+ // PROT_NONE address space reservations.
|
||||
+ ALOGW("Running with hardened malloc implementation, skip enforcing memory limitations.");
|
||||
+ return;
|
||||
+#endif
|
||||
+
|
||||
long pageSize = sysconf(_SC_PAGESIZE);
|
||||
long numPages = sysconf(_SC_PHYS_PAGES);
|
||||
size_t maxMem = SIZE_MAX;
|
@ -0,0 +1,22 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Thu, 13 Dec 2018 09:26:25 -0500
|
||||
Subject: [PATCH] increase max_map_count for hardened malloc
|
||||
|
||||
---
|
||||
rootdir/init.rc | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||||
index 7d618af63..f9eb3d198 100644
|
||||
--- a/rootdir/init.rc
|
||||
+++ b/rootdir/init.rc
|
||||
@@ -572,6 +572,8 @@ on boot
|
||||
chown root system /sys/module/lowmemorykiller/parameters/minfree
|
||||
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
|
||||
|
||||
+ write /proc/sys/vm/max_map_count 524240
|
||||
+
|
||||
# Tweak background writeout
|
||||
write /proc/sys/vm/dirty_expire_centisecs 200
|
||||
write /proc/sys/vm/dirty_background_ratio 5
|
@ -11,23 +11,23 @@ Subject: [PATCH] automatically reboot device after timeout if set
|
||||
4 files changed, 46 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
|
||||
index 07779405bbf6..c1677042d9ea 100644
|
||||
index 07779405bbf6..89d736730a3e 100644
|
||||
--- a/core/java/android/provider/Settings.java
|
||||
+++ b/core/java/android/provider/Settings.java
|
||||
@@ -8215,6 +8215,13 @@ public final class Settings {
|
||||
public static final String LOCK_SCREEN_SHOW_SILENT_NOTIFICATIONS =
|
||||
"lock_screen_show_silent_notifications";
|
||||
|
||||
@@ -15120,6 +15120,13 @@ public final class Settings {
|
||||
*/
|
||||
public static final String POWER_BUTTON_SUPPRESSION_DELAY_AFTER_GESTURE_WAKE =
|
||||
"power_button_suppression_delay_after_gesture_wake";
|
||||
+
|
||||
+ /**
|
||||
+ * Whether to automatically reboot the device after a user defined timeout
|
||||
+ *
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static final String SETTINGS_REBOOT_AFTER_TIMEOUT = "settings_reboot_after_timeout";
|
||||
+
|
||||
/**
|
||||
* Indicates whether snooze options should be shown on notifications
|
||||
* <p>
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/data/etc/com.android.systemui.xml b/data/etc/com.android.systemui.xml
|
||||
index 2f5b5f3bf7b4..83779170d05c 100644
|
||||
--- a/data/etc/com.android.systemui.xml
|
||||
|
@ -9,12 +9,12 @@ Subject: [PATCH] Bluetooth auto turn off
|
||||
2 files changed, 82 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
|
||||
index c1677042d9ea..a7056de4ffb4 100644
|
||||
index 89d736730a3e..a91f3db2c133 100644
|
||||
--- a/core/java/android/provider/Settings.java
|
||||
+++ b/core/java/android/provider/Settings.java
|
||||
@@ -8215,6 +8215,12 @@ public final class Settings {
|
||||
public static final String LOCK_SCREEN_SHOW_SILENT_NOTIFICATIONS =
|
||||
"lock_screen_show_silent_notifications";
|
||||
@@ -15121,6 +15121,12 @@ public final class Settings {
|
||||
public static final String POWER_BUTTON_SUPPRESSION_DELAY_AFTER_GESTURE_WAKE =
|
||||
"power_button_suppression_delay_after_gesture_wake";
|
||||
|
||||
+ /**
|
||||
+ * The amount of time in milliseconds before bluetooth is turned off
|
||||
|
@ -9,10 +9,10 @@ Subject: [PATCH] Wi-Fi auto turn off
|
||||
2 files changed, 76 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
|
||||
index a7056de4ffb4..339ab91354e3 100644
|
||||
index a91f3db2c133..9afbe9750e94 100644
|
||||
--- a/core/java/android/provider/Settings.java
|
||||
+++ b/core/java/android/provider/Settings.java
|
||||
@@ -8221,6 +8221,12 @@ public final class Settings {
|
||||
@@ -15127,6 +15127,12 @@ public final class Settings {
|
||||
*/
|
||||
public static final String BLUETOOTH_OFF_TIMEOUT = "bluetooth_off_timeout";
|
||||
|
||||
|
@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
|
||||
<item msgid="6490061470416867723">Small</item>
|
||||
<item msgid="3579015730662088893">Default</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index 2180ea45f6..eeee1c039f 100644
|
||||
index 6f48171135..e2469b4734 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -810,6 +810,9 @@
|
||||
|
@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
|
||||
<string-array name="screen_timeout_entries">
|
||||
<item>15 seconds</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index eeee1c039f..c5287c4489 100644
|
||||
index e2469b4734..288dca24e0 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -25,6 +25,25 @@
|
||||
|
@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
|
||||
<string-array name="screen_timeout_entries">
|
||||
<item>15 seconds</item>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index c5287c4489..0f254706ff 100644
|
||||
index 288dca24e0..dde0923463 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -44,6 +44,25 @@
|
||||
|
@ -0,0 +1,168 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Tue, 6 Apr 2021 01:15:32 +0100
|
||||
Subject: [PATCH] add native debugging setting
|
||||
|
||||
---
|
||||
res/values/strings.xml | 3 +
|
||||
res/xml/security_dashboard_settings.xml | 6 +
|
||||
.../NativeDebugPreferenceController.java | 106 ++++++++++++++++++
|
||||
.../settings/security/SecuritySettings.java | 1 +
|
||||
4 files changed, 116 insertions(+)
|
||||
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index dde0923463..fd3d1cde64 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -11316,6 +11316,9 @@
|
||||
<!-- UI debug setting: Force enable "smart dark" UI rendering feature summary [CHAR LIMIT=NONE] -->
|
||||
<string name="hwui_force_dark_summary">Overrides the force-dark feature to be always-on</string>
|
||||
|
||||
+ <string name="native_debug_title">Enable native code debugging</string>
|
||||
+ <string name="native_debug_summary">Generate useful logs / bug reports from crashes and permit debugging native code.</string>
|
||||
+
|
||||
<!-- Title for the top level Privacy Settings [CHAR LIMIT=30]-->
|
||||
<string name="privacy_dashboard_title">Privacy</string>
|
||||
<!-- Summary for the top level Privacy Settings [CHAR LIMIT=NONE]-->
|
||||
diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
|
||||
index 1667943ba4..2c7b006f8b 100644
|
||||
--- a/res/xml/security_dashboard_settings.xml
|
||||
+++ b/res/xml/security_dashboard_settings.xml
|
||||
@@ -63,6 +63,12 @@
|
||||
android:persistent="false"
|
||||
android:entries="@array/auto_reboot_entries"
|
||||
android:entryValues="@array/auto_reboot_values" />
|
||||
+
|
||||
+ <SwitchPreference
|
||||
+ android:key="native_debug"
|
||||
+ android:title="@string/native_debug_title"
|
||||
+ android:summary="@string/native_debug_summary"
|
||||
+ android:persistent="false" />
|
||||
</PreferenceCategory>
|
||||
|
||||
<!-- work profile security section -->
|
||||
diff --git a/src/com/android/settings/security/NativeDebugPreferenceController.java b/src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
new file mode 100644
|
||||
index 0000000000..9271e6e21c
|
||||
--- /dev/null
|
||||
+++ b/src/com/android/settings/security/NativeDebugPreferenceController.java
|
||||
@@ -0,0 +1,106 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2020 The Android Open Source Project
|
||||
+ *
|
||||
+ * Licensed under the Apache License, Version 2.0 (the "License");
|
||||
+ * you may not use this file except in compliance with the License.
|
||||
+ * You may obtain a copy of the License at
|
||||
+ *
|
||||
+ * http://www.apache.org/licenses/LICENSE-2.0
|
||||
+ *
|
||||
+ * Unless required by applicable law or agreed to in writing, software
|
||||
+ * distributed under the License is distributed on an "AS IS" BASIS,
|
||||
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
+ * See the License for the specific language governing permissions and
|
||||
+ * limitations under the License
|
||||
+ */
|
||||
+
|
||||
+package com.android.settings.security;
|
||||
+
|
||||
+import android.content.Context;
|
||||
+
|
||||
+import android.os.UserHandle;
|
||||
+import android.os.UserManager;
|
||||
+import android.os.SystemProperties;
|
||||
+
|
||||
+import android.provider.Settings;
|
||||
+
|
||||
+import androidx.preference.Preference;
|
||||
+import androidx.preference.PreferenceCategory;
|
||||
+import androidx.preference.PreferenceGroup;
|
||||
+import androidx.preference.PreferenceScreen;
|
||||
+import androidx.preference.TwoStatePreference;
|
||||
+import androidx.preference.SwitchPreference;
|
||||
+
|
||||
+import com.android.internal.widget.LockPatternUtils;
|
||||
+import com.android.settings.core.PreferenceControllerMixin;
|
||||
+import com.android.settingslib.core.AbstractPreferenceController;
|
||||
+import com.android.settingslib.core.lifecycle.events.OnResume;
|
||||
+
|
||||
+public class NativeDebugPreferenceController extends AbstractPreferenceController
|
||||
+ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
|
||||
+
|
||||
+ private static final String SYS_KEY_NATIVE_DEBUG = "persist.native_debug";
|
||||
+ private static final String PREF_KEY_NATIVE_DEBUG = "native_debug";
|
||||
+ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
|
||||
+
|
||||
+ private PreferenceCategory mSecurityCategory;
|
||||
+ private SwitchPreference mNativeDebug;
|
||||
+ private boolean mIsAdmin;
|
||||
+ private UserManager mUm;
|
||||
+
|
||||
+ public NativeDebugPreferenceController(Context context) {
|
||||
+ super(context);
|
||||
+ mUm = UserManager.get(context);
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public void displayPreference(PreferenceScreen screen) {
|
||||
+ super.displayPreference(screen);
|
||||
+ mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
|
||||
+ updatePreferenceState();
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public boolean isAvailable() {
|
||||
+ mIsAdmin = mUm.isAdminUser();
|
||||
+ return mIsAdmin;
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public String getPreferenceKey() {
|
||||
+ return PREF_KEY_NATIVE_DEBUG;
|
||||
+ }
|
||||
+
|
||||
+ // TODO: should we use onCreatePreferences() instead?
|
||||
+ private void updatePreferenceState() {
|
||||
+ if (mSecurityCategory == null) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (mIsAdmin) {
|
||||
+ mNativeDebug = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG);
|
||||
+ mNativeDebug.setChecked(SystemProperties.getBoolean(SYS_KEY_NATIVE_DEBUG, true));
|
||||
+ } else {
|
||||
+ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_NATIVE_DEBUG));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public void onResume() {
|
||||
+ updatePreferenceState();
|
||||
+ if (mNativeDebug != null) {
|
||||
+ boolean mode = mNativeDebug.isChecked();
|
||||
+ SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ @Override
|
||||
+ public boolean onPreferenceChange(Preference preference, Object value) {
|
||||
+ final String key = preference.getKey();
|
||||
+ if (PREF_KEY_NATIVE_DEBUG.equals(key)) {
|
||||
+ final boolean mode = !mNativeDebug.isChecked();
|
||||
+ SystemProperties.set(SYS_KEY_NATIVE_DEBUG, Boolean.toString(mode));
|
||||
+ }
|
||||
+ return true;
|
||||
+ }
|
||||
+}
|
||||
diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
|
||||
index b5d7814e4a..7aa126b75c 100644
|
||||
--- a/src/com/android/settings/security/SecuritySettings.java
|
||||
+++ b/src/com/android/settings/security/SecuritySettings.java
|
||||
@@ -121,6 +121,7 @@ public class SecuritySettings extends DashboardFragment {
|
||||
securityPreferenceControllers.add(new FingerprintStatusPreferenceController(context));
|
||||
securityPreferenceControllers.add(new ChangeScreenLockPreferenceController(context, host));
|
||||
securityPreferenceControllers.add(new AutoRebootPreferenceController(context));
|
||||
+ securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
|
||||
controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
|
||||
.setChildren(securityPreferenceControllers));
|
||||
controllers.addAll(securityPreferenceControllers);
|
@ -0,0 +1,27 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Mon, 5 Apr 2021 03:02:51 +0100
|
||||
Subject: [PATCH] add a property for controlling ptrace_scope
|
||||
|
||||
---
|
||||
rootdir/init.rc | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||||
index c175bc4ac..93030dc1b 100644
|
||||
--- a/rootdir/init.rc
|
||||
+++ b/rootdir/init.rc
|
||||
@@ -836,6 +836,13 @@ on property:sys.sysctl.extra_free_kbytes=*
|
||||
on property:sys.sysctl.tcp_def_init_rwnd=*
|
||||
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
|
||||
|
||||
+on property:persist.native_debug=true
|
||||
+ write /proc/sys/kernel/yama/ptrace_scope 0
|
||||
+
|
||||
+on property:persist.native_debug=false
|
||||
+ write /proc/sys/kernel/yama/ptrace_scope 2
|
||||
+
|
||||
+
|
||||
on property:security.perf_harden=0
|
||||
write /proc/sys/kernel/perf_event_paranoid 1
|
||||
write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
|
@ -0,0 +1,130 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Mon, 5 Apr 2021 02:26:20 +0100
|
||||
Subject: [PATCH] allow init to control kernel.yama.ptrace_scope
|
||||
|
||||
Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
|
||||
---
|
||||
prebuilts/api/26.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/27.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/28.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/29.0/private/domain.te | 1 +
|
||||
prebuilts/api/29.0/private/genfs_contexts | 1 +
|
||||
prebuilts/api/29.0/public/init.te | 3 +++
|
||||
private/domain.te | 1 +
|
||||
private/genfs_contexts | 1 +
|
||||
public/init.te | 3 +++
|
||||
9 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
|
||||
index 753cabf15..67203c998 100644
|
||||
--- a/prebuilts/api/26.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/26.0/private/genfs_contexts
|
||||
@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
|
||||
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
||||
diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
|
||||
index 606d46cbe..ac54e423a 100644
|
||||
--- a/prebuilts/api/27.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/27.0/private/genfs_contexts
|
||||
@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
|
||||
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
||||
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
|
||||
index 44ca95fd5..89b55b28d 100644
|
||||
--- a/prebuilts/api/28.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/28.0/private/genfs_contexts
|
||||
@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
|
||||
index 1d26761d6..62cbb04a1 100644
|
||||
--- a/prebuilts/api/29.0/private/domain.te
|
||||
+++ b/prebuilts/api/29.0/private/domain.te
|
||||
@@ -86,6 +86,7 @@ userdebug_or_eng(`
|
||||
# with other UIDs to these whitelisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
+ -init
|
||||
-vold
|
||||
userdebug_or_eng(`-llkd')
|
||||
-dumpstate
|
||||
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
|
||||
index e72803627..27828d91b 100644
|
||||
--- a/prebuilts/api/29.0/private/genfs_contexts
|
||||
+++ b/prebuilts/api/29.0/private/genfs_contexts
|
||||
@@ -71,6 +71,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
|
||||
index e7e5b6517..1ba495de3 100644
|
||||
--- a/prebuilts/api/29.0/public/init.te
|
||||
+++ b/prebuilts/api/29.0/public/init.te
|
||||
@@ -123,6 +123,9 @@ allow init self:global_capability_class_set sys_time;
|
||||
|
||||
allow init self:global_capability_class_set { sys_rawio mknod };
|
||||
|
||||
+# Set /proc/sys/kernel/yama/ptrace_scope
|
||||
+allow init self:capability { sys_ptrace };
|
||||
+
|
||||
# Mounting filesystems from block devices.
|
||||
allow init dev_type:blk_file r_file_perms;
|
||||
allowxperm init dev_type:blk_file ioctl BLKROSET;
|
||||
diff --git a/private/domain.te b/private/domain.te
|
||||
index 1d26761d6..62cbb04a1 100644
|
||||
--- a/private/domain.te
|
||||
+++ b/private/domain.te
|
||||
@@ -86,6 +86,7 @@ userdebug_or_eng(`
|
||||
# with other UIDs to these whitelisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
+ -init
|
||||
-vold
|
||||
userdebug_or_eng(`-llkd')
|
||||
-dumpstate
|
||||
diff --git a/private/genfs_contexts b/private/genfs_contexts
|
||||
index e72803627..27828d91b 100644
|
||||
--- a/private/genfs_contexts
|
||||
+++ b/private/genfs_contexts
|
||||
@@ -71,6 +71,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
diff --git a/public/init.te b/public/init.te
|
||||
index e7e5b6517..1ba495de3 100644
|
||||
--- a/public/init.te
|
||||
+++ b/public/init.te
|
||||
@@ -123,6 +123,9 @@ allow init self:global_capability_class_set sys_time;
|
||||
|
||||
allow init self:global_capability_class_set { sys_rawio mknod };
|
||||
|
||||
+# Set /proc/sys/kernel/yama/ptrace_scope
|
||||
+allow init self:capability { sys_ptrace };
|
||||
+
|
||||
# Mounting filesystems from block devices.
|
||||
allow init dev_type:blk_file r_file_perms;
|
||||
allowxperm init dev_type:blk_file ioctl BLKROSET;
|
@ -0,0 +1,73 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
|
||||
Date: Mon, 5 Apr 2021 02:27:06 +0100
|
||||
Subject: [PATCH] allow system to use persist.native_debug
|
||||
|
||||
---
|
||||
prebuilts/api/26.0/private/property_contexts | 1 +
|
||||
prebuilts/api/27.0/private/property_contexts | 1 +
|
||||
prebuilts/api/28.0/private/property_contexts | 1 +
|
||||
prebuilts/api/29.0/private/property_contexts | 1 +
|
||||
private/property_contexts | 1 +
|
||||
5 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
|
||||
index 4c27b35d6..c48ba4012 100644
|
||||
--- a/prebuilts/api/26.0/private/property_contexts
|
||||
+++ b/prebuilts/api/26.0/private/property_contexts
|
||||
@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
|
||||
diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
|
||||
index 8eb2f28b2..237e6fcc1 100644
|
||||
--- a/prebuilts/api/27.0/private/property_contexts
|
||||
+++ b/prebuilts/api/27.0/private/property_contexts
|
||||
@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
|
||||
diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
|
||||
index 32be0b377..afe0f70fe 100644
|
||||
--- a/prebuilts/api/28.0/private/property_contexts
|
||||
+++ b/prebuilts/api/28.0/private/property_contexts
|
||||
@@ -44,6 +44,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
|
||||
index a63e0b4dc..bd8c4f183 100644
|
||||
--- a/prebuilts/api/29.0/private/property_contexts
|
||||
+++ b/prebuilts/api/29.0/private/property_contexts
|
||||
@@ -49,6 +49,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
diff --git a/private/property_contexts b/private/property_contexts
|
||||
index a63e0b4dc..bd8c4f183 100644
|
||||
--- a/private/property_contexts
|
||||
+++ b/private/property_contexts
|
||||
@@ -49,6 +49,7 @@ service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
+persist.native_debug u:object_r:system_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
ro.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
@ -1 +1 @@
|
||||
Subproject commit 4472db7087a7da96df144ef2c6cb43e23b29d907
|
||||
Subproject commit d61df5a1f0c5b9a602e45cc9c62ba42e433853da
|
@ -57,6 +57,7 @@ cp -r "$DOS_PATCHES_COMMON""android_vendor_divested/." "$DOS_BUILD_BASE""vendor/
|
||||
|
||||
if enterAndClear "bionic"; then
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_bionic/0001-Wildcard_Hosts.patch"; #Support wildcards in cached hosts file (backport from 16.0+)
|
||||
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "bootable/recovery"; then
|
||||
@ -95,10 +96,21 @@ if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPI
|
||||
if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available
|
||||
fi;
|
||||
|
||||
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then
|
||||
#if enterAndClear "external/hardened_malloc"; then
|
||||
#applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
|
||||
#applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0002-Broken_Cameras.patch"; #Expand workaround to all camera executables
|
||||
#fi;
|
||||
#fi;
|
||||
|
||||
if enterAndClear "external/svox"; then
|
||||
git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
|
||||
fi;
|
||||
|
||||
#if enterAndClear "frameworks/av"; then
|
||||
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
|
||||
#fi;
|
||||
|
||||
if enterAndClear "frameworks/base"; then
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/0005-Connectivity.patch"; #Change connectivity check URLs to ours
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
|
||||
@ -238,6 +250,7 @@ if enterAndClear "system/core"; then
|
||||
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
|
||||
git revert --no-edit a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4; #Always update recovery
|
||||
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/sepolicy"; then
|
||||
|
@ -121,8 +121,8 @@ fi;
|
||||
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
|
||||
if enterAndClear "external/hardened_malloc"; then
|
||||
applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0002-Broken_Cameras.patch"; #Expand workaround to all camera executables
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0002-Broken_Cameras.patch"; #Expand workaround to all camera executables
|
||||
fi;
|
||||
fi;
|
||||
|
||||
|
@ -163,6 +163,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-7.patch";
|
||||
fi;
|
||||
if [ "$DOS_TIMEOUTS" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0016-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0017-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
|
||||
fi;
|
||||
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0018-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
|
||||
@ -285,6 +290,12 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Togg
|
||||
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
|
||||
if [ "$DOS_TIMEOUTS" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
|
||||
fi;
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
|
||||
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
|
||||
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
|
||||
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/backup/PrivacySettingsUtils.java; fi; #microG doesn't support Backup, hide the options
|
||||
@ -330,6 +341,7 @@ git revert --no-edit bd4142eab8b3cead0c25a2e660b4b048d1315d3c; #Always update re
|
||||
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0004-ptrace_scope.patch"; fi; #Add a property for controlling ptrace_scope (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/extras"; then
|
||||
@ -342,6 +354,10 @@ fi;
|
||||
|
||||
if enterAndClear "system/sepolicy"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-2.patch"; #Allow system to use persist.native_debug (GrapheneOS)
|
||||
fi;
|
||||
git am "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/29.0";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch" --directory="prebuilts/api/28.0";
|
||||
|
@ -141,9 +141,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch";
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-7.patch";
|
||||
fi;
|
||||
if [ "$DOS_TIMEOUTS" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0016-WiFi_Timeout.patch"; #Timeout for Wi-Fi (GrapheneOS)
|
||||
fi;
|
||||
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0017-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_EXEC" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0018-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
|
||||
@ -293,9 +295,11 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Togg
|
||||
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
|
||||
if [ "$DOS_TIMEOUTS" = true ]; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0007-WiFi_Timeout.patch"; #Timeout for Wi-Fi (CalyxOS)
|
||||
fi;
|
||||
if [ "$DOS_GRAPHENE_PTRACE_SCOPE" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0008-ptrace_scope.patch"; fi; #Add native debugging setting (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0009-Install_Restrictions.patch"; #UserManager app installation restrictions (GrapheneOS)
|
||||
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
|
||||
|
@ -61,8 +61,9 @@ export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+
|
||||
export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1
|
||||
export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1
|
||||
export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1 XXX: breaks things like VoLTE
|
||||
export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the ptrace_scope toggle patchset on 18.1
|
||||
export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the ptrace_scope toggle patchset on 17.1+18.1
|
||||
export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1
|
||||
export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1
|
||||
export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
|
||||
export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
|
||||
export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"
|
||||
|
Loading…
Reference in New Issue
Block a user