Small additions + churn

- 18.1+: Disable NTP fully when automatic time is off, credit GrapheneOS
- 20.0: Handle Tor-over-Orbot when killswitch enabled, credit CalyxOS, BROKEN

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-02-18 11:10:50 -05:00
parent 9f82763c53
commit b08bf0356f
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
10 changed files with 188 additions and 12 deletions

View File

@ -46,7 +46,7 @@
<!-- START OF ADDITIONAL REPOS -->
<!-- GrapheneOS -->
<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="13" />
<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="2250130c537fda373a4362cf7727562287eb1168" />
<project path="external/SecureCamera" name="GrapheneOS/platform_external_Camera" remote="github" revision="13" />
<!-- END OF ADDITIONAL REPOS -->

View File

@ -4,13 +4,14 @@ QQ3A.200805.001.2020.09.11.14
PQ3B.190801.002.2019.08.25.15
https time
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/1d4e3f495b7b544f6314f04243e9d47b3f8e7102
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/2c04a077ec9f3ac6857885199f49f4845b70ec2e
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/4a90523abcacd1b2cb69e82b5622d33185aab044
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/88fa99ee2312fac5a0dbf50ac6f407be5700f785
13 https://github.com/GrapheneOS/platform_frameworks_base/commit/2cd879a68511da741cff663c50e3e8489b50ef0f
13 https://github.com/GrapheneOS/platform_frameworks_base/commit/dc650862f0941750c0c1da6e6ba5855586b67a7a
13 https://github.com/GrapheneOS/platform_frameworks_base/commit/ad7e8988562cc0421d2f70a857fd8a5f2b8347d2
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/ae51cdbf9ff5dd0796c800753288b65e55c24864
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/001d5db924bb2d409494a07fdf69bc91aaf5f86f
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/227ddba2bd897da03cc2f95f79f2317a4465bf8d
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/940beb096b9dc078ec1a051ee8c73667885fa5a9
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/b92c2eb03ea574cd4a9def02bb81e99812068595
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/546c1099f2775391c86f996104d74f307a954a74
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/ec7b5ee8caa40b9100ec5842a6a63aea3b68eae0
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/961eaeb2220d073b8de325f8d5d5927dbf905645
@ -56,6 +57,12 @@ nojit
9 https://github.com/GrapheneOS/platform_build/commit/5b9927197e63593b9220d1a9280021252ef205e9
9 https://github.com/GrapheneOS/platform_build/commit/e36c7aefaa78a1ed5b94c7f51d29277008eea232
[partially implemented] disable forced ntp checks
13 https://github.com/GrapheneOS/platform_frameworks_base/commit/4c8a4469a56fad03de58996ccf719b098436f987
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/723fb336f7246585ee1595dd1bf1633528265a8b
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/546c1099f2775391c86f996104d74f307a954a74
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/9300e141fe843876876401fda6beab13d40c78d5
[implemented] strict package verification
13 https://github.com/GrapheneOS/platform_frameworks_base/commit/6cd9eb28a755c520a398f6ed7b0f2e58ff4ccff2
13 https://github.com/GrapheneOS/platform_frameworks_base/commit/48f947b0466ce9646d590d5078802cac809460dd

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Renlord <me@renlord.com>
Date: Tue, 30 Jun 2020 11:52:43 +1000
Subject: [PATCH] dont ping server when nitz time update is toggled off
---
core/java/android/util/NtpTrustedTime.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/core/java/android/util/NtpTrustedTime.java b/core/java/android/util/NtpTrustedTime.java
index 0892c94d5bec..17162d65159f 100644
--- a/core/java/android/util/NtpTrustedTime.java
+++ b/core/java/android/util/NtpTrustedTime.java
@@ -141,6 +141,15 @@ public class NtpTrustedTime implements TrustedTime {
@UnsupportedAppUsage
public boolean forceRefresh() {
synchronized (this) {
+ final ContentResolver resolver = mContext.getContentResolver();
+
+ final boolean networkPollTime = Settings.Global.getInt(resolver,
+ Settings.Global.AUTO_TIME, 1) != 0;
+ if (!networkPollTime) {
+ Log.d(TAG, "forceRefresh: nitzTimeUpdate disabled bailing early");
+ return false;
+ }
+
NtpConnectionInfo connectionInfo = getNtpConnectionInfo();
if (connectionInfo == null) {
// missing server config, so no trusted time available

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Renlord <me@renlord.com>
Date: Tue, 30 Jun 2020 11:52:43 +1000
Subject: [PATCH] dont ping server when nitz time update is toggled off
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
---
core/java/android/util/NtpTrustedTime.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/core/java/android/util/NtpTrustedTime.java b/core/java/android/util/NtpTrustedTime.java
index 4ac3178ecb4c..518cfed6e326 100644
--- a/core/java/android/util/NtpTrustedTime.java
+++ b/core/java/android/util/NtpTrustedTime.java
@@ -142,6 +142,15 @@ public class NtpTrustedTime implements TrustedTime {
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
public boolean forceRefresh() {
synchronized (this) {
+ final ContentResolver resolver = mContext.getContentResolver();
+
+ final boolean networkPollTime = Settings.Global.getInt(resolver,
+ Settings.Global.AUTO_TIME, 1) != 0;
+ if (!networkPollTime) {
+ Log.d(TAG, "forceRefresh: nitzTimeUpdate disabled bailing early");
+ return false;
+ }
+
NtpConnectionInfo connectionInfo = getNtpConnectionInfo();
if (connectionInfo == null) {
// missing server config, so no trusted time available

View File

@ -0,0 +1,81 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Oliver Scott <olivercscott@gmail.com>
Date: Thu, 5 Jan 2023 19:42:40 -0500
Subject: [PATCH] Always add Briar and Tor Browser to Orbot's lockdown
allowlist
Change-Id: I62c2553c8877b946d7e7e1ca4ef113f963d3f8eb
---
.../com/android/server/connectivity/Vpn.java | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index 8510de4ef201..3e5724d36f44 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -47,9 +47,11 @@ import android.content.Intent;
import android.content.IntentFilter;
import android.content.ServiceConnection;
import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.ResolveInfo;
+import android.content.pm.Signature;
import android.content.pm.UserInfo;
import android.net.ConnectivityManager;
import android.net.DnsResolver;
@@ -121,6 +123,7 @@ import android.system.keystore2.KeyPermission;
import android.text.TextUtils;
import android.util.ArraySet;
import android.util.Log;
+import android.util.Pair;
import android.util.Range;
import com.android.internal.R;
@@ -140,6 +143,7 @@ import com.android.server.vcn.util.PersistableBundleUtils;
import libcore.io.IoUtils;
+import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileDescriptor;
import java.io.IOException;
@@ -891,6 +895,37 @@ public class Vpn {
return false;
}
+ final String ORBOT_PACKAGE_NAME = "org.torproject.android";
+ if (ORBOT_PACKAGE_NAME.equals(packageName)) {
+ if (lockdownAllowlist == null) {
+ lockdownAllowlist = new ArrayList<>();
+
+ }
+ final Set<Pair<String, String>> ORBOT_LOCKDOWN_ALLOWLIST = Set.of(
+ new Pair<>("org.torproject.torbrowser", "308205953082037DA003020102020900BA2DF613084D2BFD300D06092A864886F70D01010B0500305C3114301206035504030C0B546F722042726F7773657231183016060355040A0C0F54686520546F722050726F6A6563743110300E06035504070C0753656174746C65310B300906035504080C025741310B3009060355040613025553301E170D3139303531383231353834325A170D3334303531343231353834325A305C3114301206035504030C0B546F722042726F7773657231183016060355040A0C0F54686520546F722050726F6A6563743110300E06035504070C0753656174746C65310B300906035504080C025741310B300906035504061302555330820222300D06092A864886F70D01010105000382020F003082020A0282020100F3EE231D69CE435F324AD4AA398AEF3131876AE74563428B61F6AD8C65C522FDDF6EDCC24F6E615AD978598F8C595C632F2D51DF8225EC26742AF7479D8B45EEA379AC7C21E8665BDFB2AC8F0008C0B47A2BA89CAA39C581C0827D35599DA3D6E0FD4045DD4EBDEEDE39790BE6DD630B6BA7908BEB39E20EAA9C42DBCC5BB7B4F7A43F0E2F9DD91E076E2C7CDCC2F8F9B626628F366831EB917D2E54DEF859DF042084460AADCB1D53FF8114F8D666494992B260AF2B7F4CDD80B7733296B79E8831CBC8BA54B028CF3202DFDA84855540567C62AED813F32BAEE137CE3FC149A109B0A36E32FCB28A2A8D2E7C2F67D9B189FFD2E53FFF8EDDADE9D05D3E33560E73ECBF1F8C582077272AE7B5E9D16E0376A0AB39606B2089E78CBC4A37DA4D85F5965DB420CB6D77717348A21B49358F0C34742DA74B69F6746A2988EB815E2910A7F492F52E14DCC17414BE735594E6B6AD62BF0A701D3A3DD27457050101E568CF32536A4E7FD069908BACCF2197BB9C4C2585446DF2BDA23C4EDDA671CF1A881803959951071F8D03AC8DFF38AB00ABF88C87CD3783815032F9288169194EAD8EA0A28A518CD8EC0A0CD5C60800DE1683A0436B09A026524ABEDFF94E0D7AC6EF3E06F8865C780BC1818C64134389FF30D4331053EA2591D65808215C6878D1FB3E4FE7627B926FB9C1031A778F6FFE87BBFE35141B36F271B05075E75F0203010001A35A305830090603551D1304023000300B0603551D0F040403020780301D0603551D0E041604146D96FBE7BED0BD62CBB0C2607B6EDA93EDB69455301F0603551D230418301680146D96FBE7BED0BD62CBB0C2607B6EDA93EDB69455300D06092A864886F70D01010B0500038202010027C7E940533A854AEFCE955438A5344BD366CD2DD8C24E8DDC990D31D3AD5C5331EABCB2F01ED5517A19CC5AD5439DD8193F94D5474D76131762647DAE91EDB59EE90A84CEC2DFC61DDAEB12B88BCC58ED6736AA650AE0DB72372BC70E2651029D240D8993A18482B88881920FD50E023F7FFDE705B723CEB6F5E6AFA969A96B1C9531C9443694BFE504610E208C852E7C0B2CCD063E39DD5CCA83B3E901B1A3372DA55E4C854607D4C35673348A511B5929B825BF058F8BD3ABA2961C4C273AA124D24144D9A24961A6135B3BB8CDE2290A54271BECE02E0CBAF6ABD4AF13FF1D7C4A5192CF577A1DE47A51030308940F900BFBACACAB85F0D08B0606364415070CF851E630C8516656E8324B86DAACF482D571C1FD3865264E091D189D07171695E424E78FE91ABD25A993B6014C5A97647CC963C2A2602632299C471C8E29312592CDBC84E6DD275E8F008651192F197B969701A276DAF0672FCD3B5D734328D53B910F0931FA11A176EC00EAB73C813F30C33BF4E2E347F15BFD30701FBB0353410F991AE2C5B4492E51E0C439F517F4F34791D4CED1A362F3D1FB47AD3EDE2B41C1D038A2DD79B2AB344B2F1C7BEF3E339BA6DCED49461EF7DF58B18090FC1A50DFA3F6F058F561B2C909F61F0FBB351B79ABFFD7553D14B568284A863B5CD373F0F69C23DB81456F3F2F9DCEADDE55670E9D04D870E5A06BEC2BCAEE5D"),
+ new Pair<>("org.briarproject.briar.android", "308202D5308201BDA00302010202040B7BA025300D06092A864886F70D01010B0500301B31193017060355040A1310627269617270726F6A6563742E6F7267301E170D3138303432353135323735365A170D3435303931303135323735365A301B31193017060355040A1310627269617270726F6A6563742E6F726730820122300D06092A864886F70D01010105000382010F003082010A0282010100887D49815638C3E01B08FA5CD80A62FE2640DAB155E848EBC0CF18ABD61618CE1B17632143D612D3AF282DC6B477E43286E5CD559E0DEB5AE951532A1347E95C2A9BC064FBE06E21528A0DDD3AB734679FEF9E31A49042694BF8C4E2DA66F820F6D2BF1F9D5180C409152F80FFD5EAB39B5423F8F09127A8B89D92B0F588284F783356B8812FC35893A526671573B8DDC3A85BAB46DC60DEA13351A2091728C037F20929DD668E757E905F98CC31D7B8B95E9E5D103A33320C71282CD0C797961C99B65CD33F478551FB28F51D5D2A3D636897AC87C1EB5D25323831526424014719136A7104BF8B60A6A30882C526056FB7D5372EA79371CAEAC7C92BC14B050203010001A321301F301D0603551D0E04160414E76D3580725F8DBD28912FF4DF18375F60B49211300D06092A864886F70D01010B050003820101002BAAA21FDF7301562EC3597705B4989B77114428619E84A8288032DB95251CFBB938DDE28BEACBFC63C6A52DE1520973EF19E8355534732139C374B320BEF56E8EF2CA2129307C589D99912317F57CA8639427B7B20225DAB64D12112B57510081A3E6B33EBEE96CAC80E13CDBC73C41BD1F4E0125B6376B95A71411223C15DD8AA1A5734029713097C27073EBCC325688991EF3A46D4CD03E48FD46749937F641C618B783AC7FF0D428E0443EBE36A3D23D82014EA95758344EBFA2A041253CEB7EE6B687857956EE69840E0DA71A6529D33F3674C78C3BAFFBD9724858EA82CB651B58D4D8A0607E763BD0F37D145C3EE705F7D41322AA1A00D5A36F1275EA")
+ );
+ for (Pair<String, String> pair : ORBOT_LOCKDOWN_ALLOWLIST) {
+ try {
+ PackageInfo packageInfo = mUserIdContext.getPackageManager()
+ .getPackageInfo(pair.first, PackageManager.PackageInfoFlags.of(
+ PackageManager.GET_SIGNING_CERTIFICATES));
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ for (Signature signature : packageInfo.signingInfo.getApkContentsSigners()) {
+ outputStream.write(signature.toByteArray());
+ }
+ if (!Signature.areEffectiveMatch(new Signature(outputStream.toByteArray()), new Signature(pair.second))) {
+ throw new SecurityException(pair.first + " signature does not match allowlisted signature");
+ }
+ if (!lockdownAllowlist.contains(pair.first)) {
+ lockdownAllowlist.add(pair.first);
+ }
+ } catch (NameNotFoundException | IOException | CertificateException e) {
+ Log.w(TAG, "Failed to add " + pair.first + " to lockdown allowlist", e);
+ }
+ }
+ }
+
if (lockdownAllowlist != null) {
for (String pkg : lockdownAllowlist) {
if (pkg.contains(",")) {

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Renlord <me@renlord.com>
Date: Tue, 30 Jun 2020 11:52:43 +1000
Subject: [PATCH] dont ping server when nitz time update is toggled off
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
---
core/java/android/util/NtpTrustedTime.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/core/java/android/util/NtpTrustedTime.java b/core/java/android/util/NtpTrustedTime.java
index 4e7b3a51d758..06a8322fe5de 100644
--- a/core/java/android/util/NtpTrustedTime.java
+++ b/core/java/android/util/NtpTrustedTime.java
@@ -179,6 +179,15 @@ public class NtpTrustedTime implements TrustedTime {
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
public boolean forceRefresh() {
synchronized (this) {
+ final ContentResolver resolver = mContext.getContentResolver();
+
+ final boolean networkPollTime = Settings.Global.getInt(resolver,
+ Settings.Global.AUTO_TIME, 1) != 0;
+ if (!networkPollTime) {
+ Log.d(TAG, "forceRefresh: nitzTimeUpdate disabled bailing early");
+ return false;
+ }
+
NtpConnectionInfo connectionInfo = getNtpConnectionInfo();
if (connectionInfo == null) {
// missing server config, so no NTP time available

View File

@ -162,6 +162,7 @@ fi;
applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Burnin_Protection.patch"; #SystemUI: add burnIn protection (arter97)
applyPatch "$DOS_PATCHES/android_frameworks_base/0021-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0022-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
hardenLocationConf services/core/java/com/android/server/location/gps_debug.conf; #Harden the default GPS config

View File

@ -172,6 +172,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0026-Crash_Details.patch"; #Add
applyPatch "$DOS_PATCHES/android_frameworks_base/0027-appops_reset_fix-1.patch"; #Revert "Null safe package name in AppOps writeState" (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0027-appops_reset_fix-2.patch"; #appops: skip ops for invalid null package during state serialization (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0028-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)

View File

@ -66,7 +66,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-1679/4.14/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-2153/^5.17/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-2153/^5.17/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-3061/^5.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-3424/4.9/0004.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-4382/^6.2/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-20148/^5.15/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-20369/4.14/0006.patch
@ -76,15 +75,11 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-25722/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-27950/^5.16/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-28388/4.14/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-33225/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-36280/4.9/0004.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2022-45934/4.9/0004.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2023-0045/4.14/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2023-0394/4.14/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2023-0615/4.9/0005.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2023-23559/4.14/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening-fortify/4.9/0003.patch
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening-ro/4.9/0016.patch
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening-ro/4.9/0029.patch
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening-slab/4.9/0005.patch
editKernelLocalversion "-dos.p86"
editKernelLocalversion "-dos.p81"
cd "$DOS_BUILD_BASE"

View File

@ -181,6 +181,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0030-agnss.goog_override.patch"
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-1.patch"; #Revert "Null safe package name in AppOps writeState" (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0031-appops_reset_fix-2.patch"; #appops: skip ops for invalid null package during state serialization (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0032-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0033-Ugly_Orbot_Workaround.patch"; #Always add Briar and Tor Browser to Orbot's lockdown allowlist (CalyxOS) XXX: BREAKS BOOT
applyPatch "$DOS_PATCHES/android_frameworks_base/0034-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
sed -i 's/DEFAULT_USE_COMPACTION = false;/DEFAULT_USE_COMPACTION = true;/' services/core/java/com/android/server/am/CachedAppOptimizer.java; #Enable app compaction by default (GrapheneOS)
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service