Build fixes + new blob blocker

Tad 2019-03-21 17:13:26 -04:00
parent d3d924bd91
commit e344b17a36
10 changed files with 118 additions and 13 deletions


@ -74,6 +74,7 @@
<!-- START OF DEVICE REPOS -->
<!-- Common -->
<project path="packages/resources/devicesettings" name="LineageOS/android_packages_resources_devicesettings" remote="github" />
<project path="system/qcom" name="LineageOS/android_system_qcom" remote="github" />
<project path="external/bson" name="LineageOS/android_external_bson" remote="github" />
<project path="external/sony/boringssl-compat" name="LineageOS/android_external_sony_boringssl-compat" remote="github" />
<project path="hardware/sony/thermanager" name="LineageOS/android_hardware_sony_thermanager" remote="github" />


@ -0,0 +1,94 @@
include $(CLEAR_VARS)
# vendor makefiles often end up with these not being removed from Android.mk
# which causes build failures since their files were deleted
# override here to prevent breakage
LOCAL_MODULE := BlobBlocker
LOCAL_OVERRIDES_PACKAGES := \
a4wpservice \
appdirectedsmspermission \
AppDirectedSMSProxy \
ApplicationBar \
aptxui \
atfwd \
AtvRemoteService \
BuaContactAdapter \
CABLService \
CanvasPackageInstaller \
CarrierServices \
CNEService \
colorservice \
ConnMO \
CQATest \
DCMO \
DiagMon \
DMConfigUpdate \
DMService \
DolbyVisionService \
dpmserviceapp \
DragonKeyboardFirmwareUpdater \
DTVPlayer \
DTVService \
EasyAccessService \
embms \
FMRadioGooogle \
FmRadioTrampoline2 \
GamepadPairingService \
GCS \
GeminiInputDevices \
Gemini_Keyboard \
GlobalkeyInteceptor \
HiddenMenu \
HotwordEnrollment \
HWSarControlService \
imssettings \
LeanbackIme \
LeanbackLauncher \
LifetimeData \
LifeTimerService \
ModFmwkProxyService \
ModService \
MotCameraMod \
MotoDisplayFWProxy \
MotoSignatureApp \
MyVerizonServices \
OBDM_Permissions \
obdm_stub \
Overscan \
Perfdump \
PowerOffAlarm \
PPPreference \
ProjecterApp \
QtiTetherService \
QuickBoot \
RCSBootstraputil \
RcsImsBootstraputil \
RemoteControlService \
SDM \
SecPhone \
SecProtect \
SprintDM \
SprintHM \
SprintMenu \
SyncMLSvc \
SystemUpdateUI \
TriggerEnroll \
TriggerTrainingService \
Tycho \
uceShimService \
VerizonAuthDialog \
VerizonSSOEngine \
VerizonUnifiedSettings \
VZWAPNLib \
vzwapnpermission \
VZWAPNService \
VZWAVS \
VzwLcSilent \
vzw_msdc_api \
VzwOmaTrigger \
WfcActivation \
WfdService
include $(BUILD_PREBUILT)
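Review bot: `LOCAL_OVERRIDES_PACKAGES` matches on exact module names, and two entries in this list look misspelled, `FMRadioGooogle` (three o's) and `GlobalkeyInteceptor`. They may be the vendors' own spellings, but if they are not, those overrides silently do nothing and the vendor modules stay in the build. Please check each name against the vendor Android.mk it is meant to shadow. Separately, as shown the module reaches `include $(BUILD_PREBUILT)` with only `LOCAL_MODULE` set; unless `LOCAL_MODULE_CLASS` and `LOCAL_SRC_FILES` are defined in lines missing from this view, a comment saying why a prebuilt with no payload is intended would help the next maintainer.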


@ -16,8 +16,9 @@ PRODUCT_PROPERTY_OVERRIDES += \
ro.config.alarm_alert=Alarm_Buzzer.ogg \
keyguard.no_require_sim=true \
ro.build.selinux=1 \
ro.storage_manager.enabled=false \
ro.control_privapp_permissions=log
ro.storage_manager.enabled=false
# ro.control_privapp_permissions=log
# ro.control_privapp_permissions=enforce
#Copy extra files
PRODUCT_COPY_FILES += \
@ -25,5 +26,6 @@ PRODUCT_COPY_FILES += \
vendor/divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml:system/etc/permissions/permissions_org.fdroid.fdroid.privileged.xml
#Include packages
#PRODUCT_PACKAGES += ModuleBlocker
PRODUCT_PACKAGES += BlobBlocker
PRODUCT_PACKAGES += ModuleBlocker
include vendor/divested/packages.mk
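Review bot: In the first hunk `ro.control_privapp_permissions` goes from `log` to being commented out in both forms, so the build no longer sets the property at all. If the platform default then applies, missing privileged-permission allowlist entries are neither logged nor enforced. Nothing in the commit says why; if `log` broke a build or a boot, record that next to the line, e.g. `# ro.control_privapp_permissions=log  # disabled: <reason>; restore, then move to enforce`. Keeping `log` would at least keep allowlist gaps visible for the F-Droid privileged extension whose permissions file is copied a few lines below.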


@ -116,7 +116,7 @@ echo "Deblobbing..."
sepolicy=$sepolicy" hal_drm_default.te hal_drm.te hal_drm_widevine.te";
#eMBMS [Qualcomm]
blobs=$blobs"|embms.apk";
blobs=$blobs"|embms.apk|embmslibrary.jar";
#External Accessories
if [ "$DOS_DEBLOBBER_REMOVE_ACCESSORIES" = true ]; then
@ -180,7 +180,7 @@ echo "Deblobbing..."
#IMS (VoLTE/Wi-Fi Calling) [Qualcomm]
blobs=$blobs"|imscmlibrary.jar|imscmservice|imscm.xml|imsdatadaemon|imsqmidaemon|imssettings.apk|lib-imsdpl.so|lib-imscamera.so|libimscamera_jni.so|lib-imsqimf.so|lib-imsSDP.so|lib-imss.so|lib-imsvt.so|lib-imsxml.so"; #IMS
blobs=$blobs"|ims_rtp_daemon|lib-rtpcommon.so|lib-rtpcore.so|lib-rtpdaemoninterface.so|lib-rtpsl.so|vendor.qti.imsrtpservice.*.so"; #RTP
blobs=$blobs"|ims_rtp_daemon|lib-rtpcommon.so|lib-rtpcore.so|lib-rtpdaemoninterface.so|lib-rtpsl.so|vendor.qti.imsrtpservice.*"; #RTP
blobs=$blobs"|lib-dplmedia.so|librcc.so|libvcel.so|libvoice-svc.so|qti_permissions.xml"; #Misc.
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then #IMS (Core) (To support carriers that have phased out 2G)
blobs=$blobs"|ims.apk|ims.xml|libimsmedia_jni.so";
@ -254,7 +254,7 @@ echo "Deblobbing..."
blobs=$blobs"|libQtiTether.so|QtiTetherService.apk";
#RCS (Proprietary messaging protocol)
blobs=$blobs"|rcsimssettings.jar|rcsimssettings.xml|rcsservice.jar|rcsservice.xml|lib-imsrcscmclient.so|lib-ims-rcscmjni.so|lib-imsrcscmservice.so|lib-imsrcscm.so|lib-imsrcs.so|lib-rcsimssjni.so|lib-rcsjni.so|RCSBootstraputil.apk|RcsImsBootstraputil.apk|uceShimService.apk|CarrierServices.apk"; #RCS
blobs=$blobs"|rcsimssettings.jar|rcsimssettings.xml|rcsservice.jar|rcsservice.xml|lib-imsrcscmclient.so|lib-ims-rcscmjni.so|lib-imsrcscmservice.so|lib-imsrcscm.so|lib-imsrcs.so|lib-rcsimssjni.so|lib-rcsjni.so|RCSBootstraputil.apk|RcsImsBootstraputil.apk|uceShimService.apk|CarrierServices.apk|vendor.qti.ims.rcsconfig.*"; #RCS
makes=$makes"|rcs_service.*";
ipcSec=$ipcSec"|18:4294967295:1001:3004";
@ -268,7 +268,7 @@ echo "Deblobbing..."
blobs=$blobs"|libHealthAuthClient.so|libHealthAuthJNI.so|libSampleAuthJNI.so|libSampleAuthJNIv1.so|libSampleExtAuthJNI.so|libSecureExtAuthJNI.so|libSecureSampleAuthClient.so|libsdedrm.so";
#[Sprint]
blobs=$blobs"|com.android.omadm.service.xml|ConnMO.apk|CQATest.apk|DCMO.apk|DiagMon.apk|DMConfigUpdate.apk|DMService.apk|GCS.apk|HiddenMenu.apk|libdmengine.so|libdmjavaplugin.so|LifetimeData.apk|SprintDM.apk|SprintHM.apk|whitelist_com.android.omadm.service.xml|LifeTimerService.apk|SDM.apk|SecPhone.apk|SprintMenu.apk";
blobs=$blobs"|com.android.omadm.service.xml|ConnMO.apk|CQATest.apk|DCMO.apk|DiagMon.apk|DMConfigUpdate.apk|DMService.apk|GCS.apk|HiddenMenu.apk|libdmengine.so|libdmjavaplugin.so|LifetimeData.apk|SprintDM.apk|SprintHM.apk|whitelist_com.android.omadm.service.xml|LifeTimerService.apk|SDM.apk|SecPhone.apk|SprintMenu.apk|com.android.sdm.plugins.connmo.xml|com.android.sdm.plugins.sprintdm.xml";
ipcSec=$ipcSec"|238:4294967295:1001:3004";
#SyncML
@ -451,6 +451,7 @@ deblobDevice() {
rm -rf board/qcom-wipower.mk product/qcom-wipower.mk; #Remove WiPower makefiles
awk -i inplace '!/'$ipcSec'/' configs/sec_config &>/dev/null || true; #Remove all IPC security exceptions from sec_config
awk -i inplace '!/'$blobs'/' ./*proprietary*.txt &>/dev/null || true; #Remove all blob references from blob manifest
awk -i inplace '!/'$blobs'/' ./*/*proprietary*.txt &>/dev/null || true; #Remove all blob references from blob manifest location in subdirectory
if [ -f setup-makefiles.sh ]; then
bash -c "cd $DOS_BUILD_BASE$devicePath && ./setup-makefiles.sh"; #Update the makefiles
fi;
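Review bot: The subdirectory pass that appears to be added in `deblobDevice`, `awk -i inplace '!/'$blobs'/' ./*/*proprietary*.txt &>/dev/null || true;`, discards every failure. When the glob matches nothing or awk rejects the pattern, the blob references stay in the manifest and the run still looks clean. `$blobs` is spliced in as an unanchored regular expression, so the unescaped dots in the entries added above (`embmslibrary.jar`, `vendor.qti.ims.rcsconfig.*`) match any character, and a manifest line that merely contains one of these names as a substring is dropped too. Consider keeping stderr and reporting the miss, e.g. `awk -i inplace '!/'"$blobs"'/' ./*/*proprietary*.txt || echo "deblob: subdirectory manifests not updated in $devicePath";`. The function body starts and ends outside the hunk.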


@ -380,6 +380,7 @@ hardenDefconfig() {
#Enable supported options
#Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_STACKPROTECTOR" "CONFIG_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_IPV6_PRIVACY" "CONFIG_HARDEN_BRANCH_PREDICTOR" "CONFIG_IOMMU_API" "CONFIG_IOMMU_SUPPORT" "CONFIG_IOMMU_HELPER" "CONFIG_INTEL_IOMMU_DEFAULT_ON" "CONFIG_ARM_SMMU" "CONFIG_QCOM_IOMMU" "CONFIG_MSM_IOMMU" "CONFIG_MSM_TZ_SMMU" "CONFIG_KGSL_PER_PROCESS_PAGE_TABLE" "CONFIG_MSM_KGSL_MMU_PAGE_FAULT" "CONFIG_IOMMU_PGTABLES_L2" "CONFIG_TEGRA_IOMMU_SMMU" "CONFIG_TEGRA_IOMMU_GART" "CONFIG_MTK_IOMMU" "CONFIG_EXYNOS_IOMMU" "CONFIG_OMAP_IOMMU" "CONFIG_OF_IOMMU")
#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("CONFIG_RTC_DRV_MSM" "CONFIG_RTC_DRV_PM8XXX" "CONFIG_RTC_DRV_MSM7X00A" "CONFIG_RTC_DRV_QPNP"); fi;
for option in "${optionsYes[@]}"
do
sed -i 's/# '"$option"' is not set/'"$option"'=y/' $defconfigPath &>/dev/null || true;
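Review bot: The line that appears to be added here, the commented-out `DOS_DEBLOBBER_REPLACE_TIME` check that would extend `optionsYes` with the RTC drivers, carries no note on why it is disabled. The `CONFIG_DEBUG_SG` entry just above it gives both a reason and a link. A one-line comment such as `#Disabled: RTC drivers for DOS_DEBLOBBER_REPLACE_TIME (<reason>)` would keep it from being re-enabled or deleted blindly. The `for` loop continues past the end of the hunk.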


@ -60,10 +60,8 @@ buildAll() {
brunch lineage_fugu-user;
brunch lineage_h850-user;
brunch lineage_hammerhead-user;
brunch lineage_klte-user; #broken
brunch lineage_m8-user;
brunch lineage_mata-user;
brunch lineage_shamu-user;
brunch lineage_starlte-user; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio
brunch lineage_us996-user;
brunch lineage_us997-user;
@ -73,9 +71,11 @@ buildAll() {
#brunch lineage_bacon-user;
#brunch lineage_ether-user;
#brunch lineage_griffin-user;
#brunch lineage_klte-user;
#brunch lineage_mako-user;
#brunch lineage_marlin-user;
#brunch lineage_sailfish-user;
#brunch lineage_shamu-user;
}
export -f buildAll;


@ -69,7 +69,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0866/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11034/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11036/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11039/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
#git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14883/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-15827/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16650/ANY/0001.patch
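Review bot: The `git apply` for CVE-2017-13162 is commented out with no reason given, so this kernel is built without that fix. The script no longer records whether the patch failed to apply, broke the build, or is already in the tree. The same line is disabled in the next CVE patch script on this page (the hunk at `-47,7`). Please put the reason and the condition for restoring it on the line, e.g. `#git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch #disabled: <reason>; re-enable when <condition>`. If these scripts are generated, the exclusion belongs in the generator so it survives regeneration.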


@ -47,7 +47,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/ANY/0009.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/ANY/0010.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0610/ANY/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
#git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13218/3.18/0009.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13246/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14883/ANY/0001.patch


@ -55,7 +55,7 @@ buildAll() {
brunch lineage_klte-user;
brunch lineage_marlin-user;
brunch lineage_sailfish-user;
brunch lineage_shamu-user; #broken - needs synced proprietary-files.txt
brunch lineage_shamu-user;
}
export -f buildAll;
@ -73,6 +73,11 @@ patchWorkspace() {
source "$DOS_SCRIPTS_COMMON/Deblob.sh";
source "$DOS_SCRIPTS_COMMON/Patch_CVE.sh";
source build/envsetup.sh;
#Deblobbing fixes
##setup-makefiles doesn't execute properly for some devices, running it twice seems to fix whatever is wrong
cd device/google/marlin/marlin && ./setup-makefiles.sh && cd "$DOS_BUILD_BASE";
cd device/google/marlin/sailfish && ./setup-makefiles.sh && cd "$DOS_BUILD_BASE";
}
export -f patchWorkspace;
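Review bot: In `patchWorkspace`, `cd device/google/marlin/marlin && ./setup-makefiles.sh && cd "$DOS_BUILD_BASE";` only returns to the build root when the script succeeds. If it fails, the shell stays in the device directory, the sailfish line's relative `cd` then fails too, and whatever runs after `patchWorkspace` starts from the wrong directory. A subshell keeps the caller's directory intact either way: `(cd device/google/marlin/marlin && ./setup-makefiles.sh);`, and the same for `device/google/marlin/sailfish`. The comment could also say which failure the second run works around, so the workaround can be removed once the cause is found.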


@ -152,6 +152,7 @@ if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/h
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
enterAndClear "system/sepolicy";
git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user
@ -182,7 +183,7 @@ git revert 218f7442874f7b7d494f265286a2151e2f81bb6e 31a1cb251d5e35d8954cec6f3738
echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
echo "allow system_server sensors_data_file:dir search;" >> sepolicy/system_server.te; #Fix qcom_sensors log spam
echo "allow system_server sensors_data_file:dir r_file_perms;" >> sepolicy/system_server.te;
sed -i 's/1333788672/880803840/' BoardConfig.mk; #don't touch partitions! DOS -user fits with 60M free
sed -i 's/1333788672/880803840/' BoardConfig.mk; #don't touch partitions! DOS -user fits with 75M free
awk -i inplace '!/TARGET_RELEASETOOLS_EXTENSIONS/' BoardConfig.mk;
enterAndClear "device/oneplus/bacon";
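Review bot: In the first hunk, the line that appears to be added, `git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow` under `system/sepolicy`, removes a policy assertion. The comment does not say which neverallow rule goes away or what build error required it. Together with the `awk` line below it that lets -user builds ignore neverallows, this widens what device policy can grant without failing the build. The reason should be written down, e.g. `#Revert neverallow on <domain/type>: <device> sepolicy fails to compile otherwise`. If only a few device trees trip the rule, fixing their sepolicy instead would keep the assertion for everything else.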