Minor tweaks

- 15.1+16.0: Replace in-line build signing patch with bash function
 - From GrapheneOS/script
- 15.1+16.0: Enable fingerprint failed lockout after 5 attempts
 - From GrapheneOS
This commit is contained in:
Tad 2019-08-27 13:13:48 -04:00
parent 68cdef8733
commit db348ab09c
14 changed files with 130 additions and 374 deletions

View File

@ -0,0 +1,22 @@
From 18853bf3e04be75ec8f06d5cb5d40bfb19c6c79d Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 12 Sep 2017 01:52:11 -0400
Subject: [PATCH] use permanent fingerprint lockout immediately
---
.../java/com/android/server/fingerprint/FingerprintService.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/fingerprint/FingerprintService.java b/services/core/java/com/android/server/fingerprint/FingerprintService.java
index 06329e571b4..7c7d7008172 100644
--- a/services/core/java/com/android/server/fingerprint/FingerprintService.java
+++ b/services/core/java/com/android/server/fingerprint/FingerprintService.java
@@ -126,7 +126,7 @@
private final AppOpsManager mAppOps;
private static final long FAIL_LOCKOUT_TIMEOUT_MS = 30*1000;
private static final int MAX_FAILED_ATTEMPTS_LOCKOUT_TIMED = 5;
- private static final int MAX_FAILED_ATTEMPTS_LOCKOUT_PERMANENT = 20;
+ private static final int MAX_FAILED_ATTEMPTS_LOCKOUT_PERMANENT = 5;
private static final long CANCEL_TIMEOUT_LIMIT = 3000; // max wait for onCancel() from HAL,in ms
private final String mKeyguardPackage;

View File

@ -1,104 +0,0 @@
From 4eb4173b876ab4b4d71a5be541096d346649bbef Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 30 May 2015 22:47:50 -0400
Subject: [PATCH] add optional automated signing
---
core/Makefile | 48 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/core/Makefile b/core/Makefile
index 7eca2db..82006c9 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -408,6 +408,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
DEFAULT_KEY_CERT_PAIR := $(OTA_PACKAGE_SIGNING_KEY)
endif
+ifneq ($(SIGNING_KEY_DIR),)
+ KEY_CERT_DIR := $(SIGNING_KEY_DIR)
+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
+endif
+
# Rules that need to be present for the all targets, even
# if they don't do anything.
.PHONY: systemimage
@@ -943,13 +948,18 @@ endif
# substitute other keys for this one.
OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
- OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
- PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ifneq ($(SIGNING_KEY_DIR),)
+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
else
- PRODUCT_EXTRA_RECOVERY_KEYS += \
- build/target/product/security/cm \
- build/target/product/security/cm-devkey
+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ else
+ PRODUCT_EXTRA_RECOVERY_KEYS += \
+ build/target/product/security/cm \
+ build/target/product/security/cm-devkey
+ endif
endif
# Generate a file containing the keys that will be read by the
@@ -1593,6 +1603,12 @@ BUILT_TARGET_FILES_PACKAGE := $(intermediates)/$(name).zip
$(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
$(BUILT_TARGET_FILES_PACKAGE): \
zip_root := $(intermediates)/$(name)
+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
+
+ifneq ($(SIGNING_KEY_DIR),)
+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
+endif
# $(1): Directory to copy
# $(2): Location to copy it to
@@ -1868,6 +1884,12 @@ else
OTA_FROM_TARGET_SCRIPT := $(TARGET_RELEASETOOL_OTA_FROM_TARGET_SCRIPT)
endif
+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
+else
+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
+endif
+
ifeq ($(WITH_GMS),true)
$(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
else
@@ -1895,7 +1917,17 @@ ifneq ($(BLOCK_BASED_OTA),false)
$(INTERNAL_OTA_PACKAGE_TARGET): block_based := --block
endif
-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)
+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)
+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
+ $(hide) $(SIGN_TARGET_SCRIPT) \
+ -d $(KEY_CERT_DIR) \
+ -o \
+ -e SMSSecure.apk,Orbot.apk,Android-IMSI-Catcher-Detector.apk,FreeOTP.apk,F-Droid.apk= \
+ $(BUILT_TARGET_FILES_PACKAGE) \
+ $(SIGNED_TARGET_FILES_PACKAGE)
+
+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $(DISTTOOLS)
@echo "$(OTA_FROM_TARGET_SCRIPT)" > $(PRODUCT_OUT)/ota_script_path
@echo "$(override_device)" > $(PRODUCT_OUT)/ota_override_device
@echo -e ${CL_YLW}"Package OTA:"${CL_RST}" $@"
@@ -1907,7 +1939,7 @@ $(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)
--backup=$(backuptool) \
--override_device=$(override_device) $(override_prop) \
$(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
- $(BUILT_TARGET_FILES_PACKAGE) $@
+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
CM_TARGET_PACKAGE := $(PRODUCT_OUT)/cm-$(CM_VERSION).zip

View File

@ -1,103 +0,0 @@
From ca96d37d0d9d7fb74f6c72f74586f86f4b959d34 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 3 Apr 2018 14:12:55 -0400
Subject: [PATCH] Add optional automated signing
Change-Id: I9ebd044c4c2f76688f7921b991055c57ec574986
---
core/Makefile | 42 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 39 insertions(+), 3 deletions(-)
diff --git a/core/Makefile b/core/Makefile
index 1fb76cf44..034b5f791 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -504,6 +504,10 @@ $(call dist-for-goals,droidcore,$(SOONG_TO_CONVERT))
# exist with the suffixes ".x509.pem" and ".pk8".
DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ifneq ($(SIGNING_KEY_DIR),)
+ KEY_CERT_DIR := $(SIGNING_KEY_DIR)
+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
+endif
# Rules that need to be present for the all targets, even
# if they don't do anything.
@@ -1204,6 +1208,16 @@ endif
# substitute other keys for this one.
OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ifneq ($(SIGNING_KEY_DIR),)
+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
+else
+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ endif
+endif
+
# Generate a file containing the keys that will be read by the
# recovery binary.
RECOVERY_INSTALL_OTA_KEYS := \
@@ -2300,6 +2314,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
$(BUILT_TARGET_FILES_PACKAGE): \
zip_root := $(intermediates)/$(name)
+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
+
+ifneq ($(SIGNING_KEY_DIR),)
+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
+endif
+
# $(1): Directory to copy
# $(2): Location to copy it to
# The "ls -A" is to prevent "acp s/* d" from failing if s is empty.
@@ -2758,6 +2779,12 @@ else
OTA_SCRIPT_OVERRIDE_DEVICE := $(TARGET_OTA_ASSERT_DEVICE)
endif
+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
+else
+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
+endif
+
ifeq ($(WITH_GMS),true)
$(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
else
@@ -2768,18 +2795,27 @@ else
endif
endif
-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \
+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) \
+ build/tools/releasetools/sign_target_files_apks
+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
+ $(hide) $(SIGN_TARGET_SCRIPT) \
+ -d $(KEY_CERT_DIR) \
+ -o \
+ $(BUILT_TARGET_FILES_PACKAGE) \
+ $(SIGNED_TARGET_FILES_PACKAGE)
+
+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) \
build/tools/releasetools/ota_from_target_files
@echo "Package OTA: $@"
$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
./build/tools/releasetools/ota_from_target_files -v \
--block \
- --extracted_input_target_files $(patsubst %.zip,%,$(BUILT_TARGET_FILES_PACKAGE)) \
-p $(HOST_OUT) \
-k $(KEY_CERT_PAIR) \
--backup=$(backuptool) \
$(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
- $(BUILT_TARGET_FILES_PACKAGE) $@
+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
.PHONY: otapackage
otapackage: $(INTERNAL_OTA_PACKAGE_TARGET)
--
2.16.3

View File

@ -1,103 +0,0 @@
From b5ad740f0a0930081b8056eaf6e83873fa0b41ef Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 3 Apr 2018 14:12:55 -0400
Subject: [PATCH] Add optional automated signing
Change-Id: I9ebd044c4c2f76688f7921b991055c57ec574986
---
core/Makefile | 42 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 39 insertions(+), 3 deletions(-)
diff --git a/core/Makefile b/core/Makefile
index 9498b47d4..a99677116 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -612,6 +612,10 @@ $(call dist-for-goals,droidcore,$(PGO_PROFILE_MISSING))
# exist with the suffixes ".x509.pem" and ".pk8".
DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ifneq ($(SIGNING_KEY_DIR),)
+ KEY_CERT_DIR := $(SIGNING_KEY_DIR)
+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
+endif
# Rules that need to be present for the all targets, even
# if they don't do anything.
@@ -1412,6 +1416,16 @@ endif
# substitute other keys for this one.
OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ifneq ($(SIGNING_KEY_DIR),)
+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
+else
+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ endif
+endif
+
# Generate a file containing the keys that will be read by the
# recovery binary.
RECOVERY_INSTALL_OTA_KEYS := \
@@ -2682,6 +2696,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
$(BUILT_TARGET_FILES_PACKAGE): \
zip_root := $(intermediates)/$(name)
+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
+
+ifneq ($(SIGNING_KEY_DIR),)
+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
+endif
+
# $(1): Directory to copy
# $(2): Location to copy it to
# The "ls -A" is to prevent "acp s/* d" from failing if s is empty.
@@ -3148,6 +3169,12 @@ else
OTA_SCRIPT_OVERRIDE_DEVICE := $(TARGET_OTA_ASSERT_DEVICE)
endif
+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
+else
+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
+endif
+
ifeq ($(WITH_GMS),true)
$(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
else
@@ -3158,18 +3185,27 @@ else
endif
endif
-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \
+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) \
+ build/tools/releasetools/sign_target_files_apks
+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
+ $(hide) $(SIGN_TARGET_SCRIPT) \
+ -d $(KEY_CERT_DIR) \
+ -o \
+ $(BUILT_TARGET_FILES_PACKAGE) \
+ $(SIGNED_TARGET_FILES_PACKAGE)
+
+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) \
build/make/tools/releasetools/ota_from_target_files
@echo "Package OTA: $@"
$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
build/make/tools/releasetools/ota_from_target_files -v \
--block \
- --extracted_input_target_files $(patsubst %.zip,%,$(BUILT_TARGET_FILES_PACKAGE)) \
-p $(HOST_OUT) \
-k $(KEY_CERT_PAIR) \
--backup=$(backuptool) \
$(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
- $(BUILT_TARGET_FILES_PACKAGE) $@
+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
.PHONY: otapackage
otapackage: $(INTERNAL_OTA_PACKAGE_TARGET)
--
2.20.1

View File

@ -140,6 +140,39 @@ audit2allowADB() {
}
export -f audit2allowADB;
signRelease() {
#https://github.com/GrapheneOS/script/blob/pie/release.sh
DEVICE=$1;
VERITY=$2;
DATE=$(date '+%Y%m%d')
KEY_DIR=$DOS_SIGNING_KEYS;
PREFIX="lineage_";
VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
TARGET_FILES=divested-$VERSION-$DATE-dos-$DEVICE-target_files.zip;
if [ "$VERITY" = true ]; then
VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
--replace_verity_private_key "$KEY_DIR/verity" \
--replace_verity_keyid "$KEY_DIR/verity.x509.pem");
fi;
build/tools/releasetools/sign_target_files_apks -o -d "$KEY_DIR" \
"${VERITY_SWITCHES[@]}" \
out/target/product/$DEVICE/obj/PACKAGING/target_files_intermediates/$PREFIX$DEVICE-target_files-*.zip \
$OUT/$TARGET_FILES;
build/tools/releasetools/ota_from_target_files --block -k "$KEY_DIR/releasekey" \
$OUT/$TARGET_FILES \
$OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip;
md5sum $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip > $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip.md5sum;
#build/tools/releasetools/img_from_target_files $OUT/$TARGET_FILES \
# $OUT/divested-$VERSION-$DATE-dos-$DEVICE-img.zip || exit 1;
}
export -f signRelease;
disableDexPreOpt() {
cd "$DOS_BUILD_BASE$1";
if [ -f BoardConfig.mk ]; then

View File

@ -11,4 +11,6 @@ type='rsa'; #Options: rsa, ec
"$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
#https://grapheneos.org/build#generating-release-signing-keys
echo "Please copy created keys to your signing keys directory. Keep them safe!";

View File

@ -49,7 +49,6 @@ export -f buildDeviceDebug;
buildAll() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
#Select devices are userdebug due to SELinux policy issues
brunch lineage_nex-user;
}
export -f buildAll;

View File

@ -67,7 +67,6 @@ sed -i 's/LOCAL_DEX_PREOPT := false/LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACK
sed -i 's/LOCAL_DEX_PREOPT := false/LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)/' vendor/fdroid_prebuilt/Android.mk;
enterAndClear "build";
#patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO BACKPORT-11.0
sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
sed -i '497i$(LOCAL_INTERMEDIATE_TARGETS) : PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/base_rules.mk;
sed -i '80iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package.mk;

View File

@ -262,6 +262,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509"
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
cd "$DOS_BUILD_BASE";
#Fixes

View File

@ -35,7 +35,7 @@ scanWorkspaceForMalware() {
export -f scanWorkspaceForMalware;
buildDevice() {
brunch "lineage_$1-user";
brunch "lineage_$1-user" && signRelease $1 $2;
}
export -f buildDevice;
@ -49,39 +49,39 @@ export -f buildDeviceDebug;
buildAll() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
brunch lineage_angler-user;
brunch lineage_axon7-user; #broken
brunch lineage_bullhead-user;
brunch lineage_dragon-user;
brunch lineage_flo-user;
brunch lineage_flounder-user;
brunch lineage_h850-user;
brunch lineage_starlte-user; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio
brunch lineage_us996-user;
brunch lineage_us997-user;
brunch lineage_victara-user;
buildDevice angler true;
buildDevice axon7; #broken
buildDevice bullhead true;
buildDevice dragon true;
buildDevice flo;
buildDevice flounder true;
buildDevice h850;
buildDevice starlte; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio
buildDevice us996;
buildDevice us997;
buildDevice victara;
#The following are all superseded, and should only be enabled if the newer version is broken (not building/booting/etc.)
brunch lineage_fugu-user;
brunch lineage_hammerhead-user;
buildDevice fugu;
buildDevice hammerhead;
if [ "$DOS_BUILDALL_SUPERSEDED" = true ]; then
brunch lineage_bacon-user;
brunch lineage_crackling-user;
brunch lineage_d802-user;
brunch lineage_d852-user;
brunch lineage_d855-user;
brunch lineage_ether-user;
brunch lineage_FP2-user;
brunch lineage_griffin-user;
brunch lineage_ham-user;
brunch lineage_kipper-user;
brunch lineage_klte-user;
brunch lineage_m8-user;
brunch lineage_mako-user;
brunch lineage_marlin-user;
brunch lineage_mata-user;
brunch lineage_sailfish-user;
brunch lineage_shamu-user;
buildDevice bacon;
buildDevice crackling;
buildDevice d802;
buildDevice d852;
buildDevice d855;
buildDevice ether;
buildDevice FP2;
buildDevice griffin;
buildDevice ham;
buildDevice kipper;
buildDevice klte;
buildDevice m8;
buildDevice mako;
buildDevice marlin true;
buildDevice mata true;
buildDevice sailfish true;
buildDevice shamu true;
fi;
}
export -f buildAll;

View File

@ -69,8 +69,6 @@ enterAndClear "bootable/recovery";
git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
enterAndClear "build/make";
patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0)
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
enterAndClear "device/lineage/sepolicy";
@ -93,6 +91,7 @@ sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/
sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySystem.java; #Skip update compatibiltity check XXX: TEMPORARY FIX
sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/am/ActivityManagerService.java; #Disable fingerprint mismatch warning XXX: TEMPORARY FIX
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
changeDefaultDNS;
@ -100,6 +99,7 @@ changeDefaultDNS;
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@ -228,6 +228,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509"
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
cd "$DOS_BUILD_BASE";
#Fix broken options enabled by hardenDefconfig()

View File

@ -35,7 +35,7 @@ scanWorkspaceForMalware() {
export -f scanWorkspaceForMalware;
buildDevice() {
brunch "lineage_$1-user";
brunch "lineage_$1-user" && signRelease $1 $2;
}
export -f buildDevice;
@ -49,35 +49,36 @@ export -f buildDeviceDebug;
buildAll() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
brunch lineage_mako-user;
brunch lineage_bacon-user;
brunch lineage_cheryl-user; #broken
brunch lineage_crackling-user; #broken
brunch lineage_d802-user;
brunch lineage_d852-user;
brunch lineage_d855-user;
brunch lineage_ether-user;
brunch lineage_FP2-user;
brunch lineage_fugu-user; #broken
brunch lineage_griffin-user;
brunch lineage_ham-user;
brunch lineage_hammerhead-user; #broken
brunch lineage_jfltexx-user;
brunch lineage_kipper-user; #broken
brunch lineage_klte-user;
brunch lineage_m8-user;
brunch lineage_marlin-user;
brunch lineage_mata-user;
brunch lineage_sailfish-user;
brunch lineage_shamu-user;
brunch lineage_z2_plus-user; #broken
buildDevice mako;
buildDevice bacon;
buildDevice cheryl; #broken
buildDevice crackling; #broken
buildDevice d802;
buildDevice d852;
buildDevice d855;
buildDevice ether;
buildDevice FP2;
buildDevice fugu; #broken
buildDevice griffin;
buildDevice ham;
buildDevice hammerhead; #broken
buildDevice jfltexx;
buildDevice kipper; #broken
buildDevice klte;
buildDevice m8;
buildDevice marlin true;
buildDevice mata true;
buildDevice sailfish true;
buildDevice shamu true;
buildDevice z2_plus true; #broken
}
export -f buildAll;
patchWorkspace() {
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
#source build/envsetup.sh;
source build/envsetup.sh;
repopick -f 254249; #g3 nfc
source "$DOS_SCRIPTS/Patch.sh";
source "$DOS_SCRIPTS/Defaults.sh";

View File

@ -70,8 +70,6 @@ git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
enterAndClear "build/make";
git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0)
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
enterAndClear "device/qcom/sepolicy-legacy";
@ -93,6 +91,7 @@ sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/
sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySystem.java; #Skip update compatibiltity check XXX: TEMPORARY FIX
sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/am/ActivityManagerService.java; #Disable fingerprint mismatch warning XXX: TEMPORARY FIX
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
changeDefaultDNS;
@ -101,6 +100,7 @@ patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch";
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL
patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@ -173,7 +173,6 @@ patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi;
enterAndClear "system/sepolicy";
#git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user
@ -208,6 +207,12 @@ enterAndClear "device/lge/g3-common";
sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
sed -i '1itypeattribute wcnss_service misc_block_device_exception;' sepolicy/wcnss_service.te;
enterAndClear "device/lge/d852";
git revert dbebbce20b2b303fe13f7078ef54154f9dd5d9e2; #fix nfc path
enterAndClear "device/lge/d855";
git revert 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path
enterAndClear "device/lge/mako";
git revert 218f7442874f7b7d494f265286a2151e2f81bb6e; #disable dexpreopt full and switch back to -mini
echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
@ -232,6 +237,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509"
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
cd "$DOS_BUILD_BASE";
#Fix broken options enabled by hardenDefconfig()

View File

@ -35,7 +35,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
export DOS_BUILDALL_SUPERSEDED=false; #Set true to build superseded devices when running buildAll()
export DOS_GPS_GLONASS_FORCED=true; #Enables GLONASS on all devices
export DOS_GRAPHENE_MALLOC=false; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms
export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms
export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file
export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: Blokada, DNS66
export DOS_HOSTS_BLOCKING_LIST="https://divestos.org/hosts"; #Must be in the format "127.0.0.1 bad.domain.tld"
@ -127,7 +127,6 @@ fi;
export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/";
export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS;
export OTA_PACKAGE_SIGNING_KEY=$SIGNING_KEY_DIR"/releasekey";
export KBUILD_BUILD_USER="emy";
export KBUILD_BUILD_HOST="dosbm";