From c544c28b947b8483c4ae1563265fc0c211248fc3 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 3 May 2023 21:39:48 -0400
Subject: [PATCH] Prevent Qualcomm location stack from reading chipset serial number

The deblobber already removes xtra-daemon which is what actually performs the requests. This is just extra sanctity.

Signed-off-by: Tad
---
 .../0001-Remove_Analytics.patch | 4 ++--
 Scripts/Common/Functions.sh | 8 ++++++++
 Scripts/LineageOS-14.1/Patch.sh | 1 +
 Scripts/LineageOS-15.1/Patch.sh | 1 +
 Scripts/LineageOS-16.0/Patch.sh | 1 +
 Scripts/LineageOS-17.1/Patch.sh | 1 +
 Scripts/LineageOS-18.1/Patch.sh | 1 +
 Scripts/LineageOS-19.1/Patch.sh | 1 +
 Scripts/LineageOS-20.0/Patch.sh | 1 +
 9 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/Patches/LineageOS-20.0/android_packages_apps_LineageParts/0001-Remove_Analytics.patch b/Patches/LineageOS-20.0/android_packages_apps_LineageParts/0001-Remove_Analytics.patch
index 3eea1659..d2758a5d 100644
--- a/Patches/LineageOS-20.0/android_packages_apps_LineageParts/0001-Remove_Analytics.patch
+++ b/Patches/LineageOS-20.0/android_packages_apps_LineageParts/0001-Remove_Analytics.patch
@@ -14,10 +14,10 @@ Change-Id: Ic01c97d6ceac8d324609763973639b41b4581a76
 6 files changed, 59 deletions(-)
 diff --git a/AndroidManifest.xml b/AndroidManifest.xml
-index 19bbbb8..042d969 100644
+index 5762dc3..e4e1608 100644
 --- a/AndroidManifest.xml
 +++ b/AndroidManifest.xml
-@@ -225,31 +225,6 @@
+@@ -240,31 +240,6 @@
 android:resource="@string/summary_empty" />
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index 28b14ee9..16f57e7a 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -492,6 +492,14 @@ volteOverride() {
 }
 export -f volteOverride;
+hardenLocationSepolicy() {
+ #Prevent Qualcomm location stack from reading chipset serial number
+ find device -name "hal_gnss*.te" -type f -exec sh -c "awk -i inplace '!/sysfs_soc/' {}" \;
+ find device -name "location.te" -type f -exec sh -c "awk -i inplace '!/sysfs_soc/' {}" \;
+ echo "Removed serial number access to Qualcomm location stacks";
+}
+export -f hardenLocationSepolicy;
+
 hardenLocationConf() {
 local gpsConfig=$1;
 #Debugging: adb logcat -b all | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index ce9ff1c1..38e1aa2a 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -591,6 +591,7 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 changeDefaultDNS; #Change the default DNS servers
 #Tweaks for <2GB RAM devices
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index cec5ed5e..ba6ed8da 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -502,6 +502,7 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 changeDefaultDNS; #Change the default DNS servers
 #Tweaks for <2GB RAM devices
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index a7f37073..3aa6df77 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
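Review bot: In hardenLocationSepolicy (Scripts/Common/Functions.sh) the two `find … -exec sh -c "awk -i inplace '!/sysfs_soc/' {}" \;` lines can fail silently, so the build may log "Removed serial number access…" while the sysfs_soc rules are still in the policy. `-i inplace` is a gawk extension and fails where `awk` is another implementation, `-exec … \;` does not pass the command's exit status on to find, the echo is unconditional, and each Patch.sh call added in this commit appends `|| true`. Substituting `{}` into the `sh -c` string also lets the shell reinterpret a path that contains spaces or metacharacters. Passing the file as an argument addresses both: `find device \( -name "hal_gnss*.te" -o -name "location.te" \) -type f -exec awk -i inplace '!/sysfs_soc/' {} + && echo "Removed serial number access to Qualcomm location stacks";`. Whole-line deletion further assumes that each sysfs_soc rule sits on a single line and grants nothing else, which deserves a comment above the find, since a rule split over several lines would be left half-removed.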
@@ -412,6 +412,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
 cd "$DOS_BUILD_BASE";
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index 524ffedd..dcfc117c 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@@ -555,6 +555,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index eb91b677..7f41c72a 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -561,6 +561,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index f4b51c08..a5c7a332 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@@ -450,6 +450,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
diff --git a/Scripts/LineageOS-20.0/Patch.sh b/Scripts/LineageOS-20.0/Patch.sh
index 5dfa2677..20aa4bbe 100644
--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@@ -504,6 +504,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -
 cd "$DOS_BUILD_BASE";
 deblobAudio;
 removeBuildFingerprints;
+hardenLocationSepolicy || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions