diff --git a/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml b/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml
index 8b7bb1f0..06d0b933 100644
--- a/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml
+++ b/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml
@@ -246,4 +246,7 @@
false
+
+ true
+
diff --git a/Patches/LineageOS-16.0/android_system_sepolicy/0001-LGE_Fixes.patch b/Patches/LineageOS-16.0/android_system_sepolicy/0001-LGE_Fixes.patch
index 470dec5e..c746cc42 100644
--- a/Patches/LineageOS-16.0/android_system_sepolicy/0001-LGE_Fixes.patch
+++ b/Patches/LineageOS-16.0/android_system_sepolicy/0001-LGE_Fixes.patch
@@ -16,8 +16,8 @@ index 883048fb..d0a9def1 100644
# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
-++# Select devices have policies prevented by the following neverallow
-++attribute misc_block_device_exception;
++# Select devices have policies prevented by the following neverallow
++attribute misc_block_device_exception;
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh
index c11cd9d3..627454aa 100644
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@@ -48,12 +48,12 @@ export -f buildDeviceDebug;
buildAll() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
- #userdebug because 16.0 is littered with neverallows
+ #devices using legacy qcom sepolicy must be userdebug due to neverallows
brunch lineage_mako-userdebug;
brunch lineage_bacon-userdebug;
- brunch lineage_griffin-userdebug;
+ brunch lineage_griffin-user;
brunch lineage_klte-userdebug;
- brunch lineage_shamu-userdebug; #broken - needs synced proprietary-files.txt
+ brunch lineage_shamu-user; #broken - needs synced proprietary-files.txt
}
export -f buildAll;
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 74a39a39..5382d442 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -169,6 +169,7 @@ if [ "$DOS_HOSTS_BLOCKING" = false ]; then echo "PRODUCT_PACKAGES += $DOS_HOSTS_
#
enterAndClear "device/lge/mako";
echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
+awk -i inplace '!/TARGET_RELEASETOOLS_EXTENSIONS/' BoardConfig.mk;
enterAndClear "device/oneplus/bacon";
sed -i 's/android.hardware.nfc@1.0-impl/android.hardware.nfc@1.0-impl.so/' device-proprietary-files.txt;
@@ -192,6 +193,7 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0
cd "$DOS_BUILD_BASE";
#Fix broken options enabled by hardenDefconfig()
+sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/lge/mako/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/motorola/msm8996/arch/arm64/configs/*_defconfig; #Breaks on compile
#
#END OF DEVICE CHANGES