mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 23:19:31 -05:00
Small tweaks
- disable disablement of PROC_PAGE_MONITOR to fix memory stats calculation - enable slub_nomerge, similar to slab_nomerge for pre 3.18 kernels slub_nomerge was already default enabled on many 3.10 devices via: 0006-AndroidHardening-Kernel_Hardening/3.10/0010.patch Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
2f8550d2ae
commit
bf5d9bc778
@ -46,7 +46,7 @@ commentPatches android_kernel_google_marlin.sh "0001-LinuxIncrementals/3.18/3.18
|
||||
commentPatches android_kernel_google_msm.sh "CVE-2017-11015/prima";
|
||||
commentPatches android_kernel_google_msm-4.9.sh "CVE-2019-19319" "CVE-2020-0067" "CVE-2020-1749" "CVE-2020-8992";
|
||||
commentPatches android_kernel_google_redbull.sh "CVE-2018-5873" "CVE-2021-3444" "CVE-2021-3600";
|
||||
commentPatches android_kernel_google_wahoo.sh "CVE-2019-14047/ANY/0002.patch" "CVE-2019-19319" "CVE-2020-1749" "CVE-2020-8992" "CVE-2020-16166";
|
||||
commentPatches android_kernel_google_wahoo.sh "0008-Graphene-Kernel_Hardening/4.4/0019.patch" "CVE-2019-14047/ANY/0002.patch" "CVE-2019-19319" "CVE-2020-1749" "CVE-2020-8992" "CVE-2020-16166";
|
||||
commentPatches android_kernel_google_yellowstone.sh "0001-LinuxIncrementals/3.10/3.10.0098-0099.patch" "CVE-2018-9514";
|
||||
commentPatches android_kernel_huawei_angler.sh "CVE-2014-8559";
|
||||
commentPatches android_kernel_htc_flounder.sh "CVE-2018-9514";
|
||||
|
@ -492,8 +492,9 @@ export -f hardenUserdata;
|
||||
|
||||
hardenBootArgs() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
#Unavailable: kpti=on pti=on page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 lockdown=confidentiality
|
||||
sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := slab_nomerge slub_debug=FZP page_poison=1 /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
|
||||
#Unavailable: kpti=on pti=on (4.15) page_alloc.shuffle=1 (5.2) init_on_alloc=1 (5.3) init_on_free=1 (5.3) lockdown=confidentiality (5.4)
|
||||
# 3.18 4.4
|
||||
sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := slub_debug=FZP slub_nomerge slab_nomerge page_poison=1 /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
|
||||
echo "Hardened kernel command line arguments for $1";
|
||||
cd "$DOS_BUILD_BASE";
|
||||
}
|
||||
@ -778,8 +779,8 @@ hardenDefconfig() {
|
||||
fi;
|
||||
done
|
||||
#Disable supported options
|
||||
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile)
|
||||
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
|
||||
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile), PROC_PAGE_MONITOR (breaks memory stats)
|
||||
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
|
||||
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
|
||||
optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
|
||||
|
@ -382,13 +382,16 @@ removeBuildFingerprints;
|
||||
|
||||
#Tweaks for <2GB RAM devices
|
||||
enableLowRam "device/asus/grouper";
|
||||
enableLowRam "device/samsung/galaxys2-common";
|
||||
enableLowRam "device/samsung/i9100";
|
||||
enableLowRam "device/samsung/i9300";
|
||||
enableLowRam "device/samsung/i9305";
|
||||
enableLowRam "device/samsung/maguro";
|
||||
enableLowRam "device/samsung/manta";
|
||||
enableLowRam "device/samsung/smdk4412-common";
|
||||
enableLowRam "device/samsung/toro";
|
||||
enableLowRam "device/samsung/toroplus";
|
||||
enableLowRam "device/samsung/tuna";
|
||||
|
||||
#Fixes
|
||||
#Fix broken options enabled by hardenDefconfig()
|
||||
|
@ -71,6 +71,7 @@ patch -p1 < "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv
|
||||
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; #Replace the Messaging app with Silence
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
sed -i 's/2021-08-05/2021-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2021-09 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
|
@ -68,6 +68,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
|
||||
sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/gsi_common.mk; #Replace the Messaging app with Silence
|
||||
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
sed -i 's/2021-08-05/2021-09-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2021-09 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -163,6 +164,10 @@ if enterAndClear "hardware/qcom-caf/msm8998/audio"; then
|
||||
patch -p1 < "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-8998.patch"; #audio_extn: Fix unused parameter warning in utils.c
|
||||
fi;
|
||||
|
||||
if enterAndClear "hardware/qcom-caf/sm8150/audio"; then
|
||||
patch -p1 < "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch"; #audio_extn: Fix unused parameter warning in utils.c
|
||||
fi;
|
||||
|
||||
if enterAndClear "libcore"; then
|
||||
if [ "$DOS_GRAPHENE_EXEC" = true ]; then patch -p1 < "$DOS_PATCHES/android_libcore/0001-Exec_Preload.patch"; fi; #Add exec-based spawning support (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_EXEC" = true ]; then patch -p1 < "$DOS_PATCHES/android_libcore/0002-Exec_Based_Spawning.patch"; fi;
|
||||
|
@ -19,7 +19,7 @@ git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0014.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0015.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0016.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0017.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0019.patch
|
||||
#git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0019.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0020.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0021.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0022.patch
|
||||
|
@ -129,7 +129,6 @@ patchWorkspace() {
|
||||
#source build/envsetup.sh;
|
||||
#repopick -i 314020; #systemui crash fix
|
||||
#repopick -it eleven-firewall;
|
||||
#repopick -it android-11.0.0_r43;
|
||||
|
||||
source "$DOS_SCRIPTS/Patch.sh";
|
||||
source "$DOS_SCRIPTS_COMMON/Copy_Keys.sh";
|
||||
|
@ -71,7 +71,7 @@ export DOS_GPS_SUPL_HOST="supl.google.com"; #Options: supl.{google,vodafone,sony
|
||||
#Release Processing
|
||||
export DOS_MALWARE_SCAN_BEFORE_SIGN=false; #Scan device files for malware before signing
|
||||
export DOS_GENERATE_DELTAS=true; #Creates deltas from existing target_files in $DOS_BUILDS
|
||||
export DOS_GENERATE_DELTAS_DEVICES=('Amber' 'alioth' 'avicii' 'blueline' 'bonito' 'bramble' 'cheryl' 'coral' 'crosshatch' 'enchilada' 'fajita' 'flame' 'FP3' 'guacamole' 'guacamoleb' 'marlin' 'mata' 'pro1' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'walleye'); #List of devices deltas will be generated for
|
||||
export DOS_GENERATE_DELTAS_DEVICES=('Amber' 'alioth' 'aura' 'avicii' 'blueline' 'bonito' 'bramble' 'cheryl' 'coral' 'crosshatch' 'davinci' 'enchilada' 'fajita' 'flame' 'FP3' 'guacamole' 'guacamoleb' 'marlin' 'mata' 'pro1' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'walleye'); #List of devices deltas will be generated for
|
||||
export DOS_AUTO_ARCHIVE_BUILDS=true; #Copies files to $DOS_BUILDS after signing
|
||||
export DOS_REMOVE_AFTER=true; #Removes device OUT directory after complete to reclaim space. Requires AUTO_ARCHIVE_BUILDS=true
|
||||
export DOS_GPG_SIGNING=true;
|
||||
|
Loading…
Reference in New Issue
Block a user