diff --git a/Manifests/Manifest_LAOS-16.0.xml b/Manifests/Manifest_LAOS-16.0.xml
index c6a7332a..9078008f 100644
--- a/Manifests/Manifest_LAOS-16.0.xml
+++ b/Manifests/Manifest_LAOS-16.0.xml
@@ -74,6 +74,7 @@
+
diff --git a/Patches/Common/android_vendor_divested/blob_blocker.mk b/Patches/Common/android_vendor_divested/blob_blocker.mk
new file mode 100644
index 00000000..3dd68f01
--- /dev/null
+++ b/Patches/Common/android_vendor_divested/blob_blocker.mk
@@ -0,0 +1,94 @@
+include $(CLEAR_VARS)
+
+# vendor makefiles often end up with these not being removed from Android.mk
+# which causes build failures since their files were deleted
+# override here to prevent breakage
+
+LOCAL_MODULE := BlobBlocker
+
+LOCAL_OVERRIDES_PACKAGES := \
+ a4wpservice \
+ appdirectedsmspermission \
+ AppDirectedSMSProxy \
+ ApplicationBar \
+ aptxui \
+ atfwd \
+ AtvRemoteService \
+ BuaContactAdapter \
+ CABLService \
+ CanvasPackageInstaller \
+ CarrierServices \
+ CNEService \
+ colorservice \
+ ConnMO \
+ CQATest \
+ DCMO \
+ DiagMon \
+ DMConfigUpdate \
+ DMService \
+ DolbyVisionService \
+ dpmserviceapp \
+ DragonKeyboardFirmwareUpdater \
+ DTVPlayer \
+ DTVService \
+ EasyAccessService \
+ embms \
+ FMRadioGooogle \
+ FmRadioTrampoline2 \
+ GamepadPairingService \
+ GCS \
+ GeminiInputDevices \
+ Gemini_Keyboard \
+ GlobalkeyInteceptor \
+ HiddenMenu \
+ HotwordEnrollment \
+ HWSarControlService \
+ imssettings \
+ LeanbackIme \
+ LeanbackLauncher \
+ LifetimeData \
+ LifeTimerService \
+ ModFmwkProxyService \
+ ModService \
+ MotCameraMod \
+ MotoDisplayFWProxy \
+ MotoSignatureApp \
+ MyVerizonServices \
+ OBDM_Permissions \
+ obdm_stub \
+ Overscan \
+ Perfdump \
+ PowerOffAlarm \
+ PPPreference \
+ ProjecterApp \
+ QtiTetherService \
+ QuickBoot \
+ RCSBootstraputil \
+ RcsImsBootstraputil \
+ RemoteControlService \
+ SDM \
+ SecPhone \
+ SecProtect \
+ SprintDM \
+ SprintHM \
+ SprintMenu \
+ SyncMLSvc \
+ SystemUpdateUI \
+ TriggerEnroll \
+ TriggerTrainingService \
+ Tycho \
+ uceShimService \
+ VerizonAuthDialog \
+ VerizonSSOEngine \
+ VerizonUnifiedSettings \
+ VZWAPNLib \
+ vzwapnpermission \
+ VZWAPNService \
+ VZWAVS \
+ VzwLcSilent \
+ vzw_msdc_api \
+ VzwOmaTrigger \
+ WfcActivation \
+ WfdService
+
+include $(BUILD_PREBUILT)
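Review bot: Two entries in `LOCAL_OVERRIDES_PACKAGES` look misspelled, `FMRadioGooogle` (three o's) and `GlobalkeyInteceptor`, and should be checked against the module names in the vendor makefiles. An override names a module exactly, so a misspelled entry would presumably do nothing and the proprietary package it was meant to suppress could remain in the build without any error. The header comment could also say how the list is kept in sync with the blob list in Deblob.sh, for example `# keep in sync with the *.apk entries in Scripts/Common/Deblob.sh`. Separately, the module sets no `LOCAL_SRC_FILES` or `LOCAL_MODULE_CLASS` before `include $(BUILD_PREBUILT)`, so it is worth confirming that the build accepts it as an empty placeholder.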
diff --git a/Patches/Common/android_vendor_divested/divestos.mk b/Patches/Common/android_vendor_divested/divestos.mk
index c7869cae..b66460c5 100644
--- a/Patches/Common/android_vendor_divested/divestos.mk
+++ b/Patches/Common/android_vendor_divested/divestos.mk
@@ -16,8 +16,9 @@ PRODUCT_PROPERTY_OVERRIDES += \
ro.config.alarm_alert=Alarm_Buzzer.ogg \
keyguard.no_require_sim=true \
ro.build.selinux=1 \
- ro.storage_manager.enabled=false \
- ro.control_privapp_permissions=log
+ ro.storage_manager.enabled=false
+# ro.control_privapp_permissions=log
+# ro.control_privapp_permissions=enforce
#Copy extra files
PRODUCT_COPY_FILES += \
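Review bot: With both `ro.control_privapp_permissions` lines commented out, this file no longer sets the property at all. Unless it is set elsewhere, the build loses even the `log` mode that reported privileged apps requesting permissions missing from their allowlist. The commit does not say why logging was dropped or when `enforce` is meant to be turned on. A comment recording the decision would help, for example `# ro.control_privapp_permissions unset: <reason>; switch to enforce once all priv-app allowlists are complete`. If the intent is still to audit, keeping `ro.control_privapp_permissions=log` as the last list entry preserves that visibility.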
@@ -25,5 +26,6 @@ PRODUCT_COPY_FILES += \
vendor/divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml:system/etc/permissions/permissions_org.fdroid.fdroid.privileged.xml
#Include packages
-#PRODUCT_PACKAGES += ModuleBlocker
+PRODUCT_PACKAGES += BlobBlocker
+PRODUCT_PACKAGES += ModuleBlocker
include vendor/divested/packages.mk
diff --git a/Scripts/Common/Deblob.sh b/Scripts/Common/Deblob.sh
index c76f3e6a..1fe17075 100644
--- a/Scripts/Common/Deblob.sh
+++ b/Scripts/Common/Deblob.sh
@@ -116,7 +116,7 @@ echo "Deblobbing..."
sepolicy=$sepolicy" hal_drm_default.te hal_drm.te hal_drm_widevine.te";
#eMBMS [Qualcomm]
- blobs=$blobs"|embms.apk";
+ blobs=$blobs"|embms.apk|embmslibrary.jar";
#External Accessories
if [ "$DOS_DEBLOBBER_REMOVE_ACCESSORIES" = true ]; then
@@ -180,7 +180,7 @@ echo "Deblobbing..."
#IMS (VoLTE/Wi-Fi Calling) [Qualcomm]
blobs=$blobs"|imscmlibrary.jar|imscmservice|imscm.xml|imsdatadaemon|imsqmidaemon|imssettings.apk|lib-imsdpl.so|lib-imscamera.so|libimscamera_jni.so|lib-imsqimf.so|lib-imsSDP.so|lib-imss.so|lib-imsvt.so|lib-imsxml.so"; #IMS
- blobs=$blobs"|ims_rtp_daemon|lib-rtpcommon.so|lib-rtpcore.so|lib-rtpdaemoninterface.so|lib-rtpsl.so|vendor.qti.imsrtpservice.*.so"; #RTP
+ blobs=$blobs"|ims_rtp_daemon|lib-rtpcommon.so|lib-rtpcore.so|lib-rtpdaemoninterface.so|lib-rtpsl.so|vendor.qti.imsrtpservice.*"; #RTP
blobs=$blobs"|lib-dplmedia.so|librcc.so|libvcel.so|libvoice-svc.so|qti_permissions.xml"; #Misc.
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then #IMS (Core) (To support carriers that have phased out 2G)
blobs=$blobs"|ims.apk|ims.xml|libimsmedia_jni.so";
@@ -254,7 +254,7 @@ echo "Deblobbing..."
blobs=$blobs"|libQtiTether.so|QtiTetherService.apk";
#RCS (Proprietary messaging protocol)
- blobs=$blobs"|rcsimssettings.jar|rcsimssettings.xml|rcsservice.jar|rcsservice.xml|lib-imsrcscmclient.so|lib-ims-rcscmjni.so|lib-imsrcscmservice.so|lib-imsrcscm.so|lib-imsrcs.so|lib-rcsimssjni.so|lib-rcsjni.so|RCSBootstraputil.apk|RcsImsBootstraputil.apk|uceShimService.apk|CarrierServices.apk"; #RCS
+ blobs=$blobs"|rcsimssettings.jar|rcsimssettings.xml|rcsservice.jar|rcsservice.xml|lib-imsrcscmclient.so|lib-ims-rcscmjni.so|lib-imsrcscmservice.so|lib-imsrcscm.so|lib-imsrcs.so|lib-rcsimssjni.so|lib-rcsjni.so|RCSBootstraputil.apk|RcsImsBootstraputil.apk|uceShimService.apk|CarrierServices.apk|vendor.qti.ims.rcsconfig.*"; #RCS
makes=$makes"|rcs_service.*";
ipcSec=$ipcSec"|18:4294967295:1001:3004";
@@ -268,7 +268,7 @@ echo "Deblobbing..."
blobs=$blobs"|libHealthAuthClient.so|libHealthAuthJNI.so|libSampleAuthJNI.so|libSampleAuthJNIv1.so|libSampleExtAuthJNI.so|libSecureExtAuthJNI.so|libSecureSampleAuthClient.so|libsdedrm.so";
#[Sprint]
- blobs=$blobs"|com.android.omadm.service.xml|ConnMO.apk|CQATest.apk|DCMO.apk|DiagMon.apk|DMConfigUpdate.apk|DMService.apk|GCS.apk|HiddenMenu.apk|libdmengine.so|libdmjavaplugin.so|LifetimeData.apk|SprintDM.apk|SprintHM.apk|whitelist_com.android.omadm.service.xml|LifeTimerService.apk|SDM.apk|SecPhone.apk|SprintMenu.apk";
+ blobs=$blobs"|com.android.omadm.service.xml|ConnMO.apk|CQATest.apk|DCMO.apk|DiagMon.apk|DMConfigUpdate.apk|DMService.apk|GCS.apk|HiddenMenu.apk|libdmengine.so|libdmjavaplugin.so|LifetimeData.apk|SprintDM.apk|SprintHM.apk|whitelist_com.android.omadm.service.xml|LifeTimerService.apk|SDM.apk|SecPhone.apk|SprintMenu.apk|com.android.sdm.plugins.connmo.xml|com.android.sdm.plugins.sprintdm.xml";
ipcSec=$ipcSec"|238:4294967295:1001:3004";
#SyncML
@@ -451,6 +451,7 @@ deblobDevice() {
rm -rf board/qcom-wipower.mk product/qcom-wipower.mk; #Remove WiPower makefiles
awk -i inplace '!/'$ipcSec'/' configs/sec_config &>/dev/null || true; #Remove all IPC security exceptions from sec_config
awk -i inplace '!/'$blobs'/' ./*proprietary*.txt &>/dev/null || true; #Remove all blob references from blob manifest
+ awk -i inplace '!/'$blobs'/' ./*/*proprietary*.txt &>/dev/null || true; #Remove all blob references from blob manifest location in subdirectory
if [ -f setup-makefiles.sh ]; then
bash -c "cd $DOS_BUILD_BASE$devicePath && ./setup-makefiles.sh"; #Update the makefiles
fi;
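Review bot: The added `awk` line for `./*/*proprietary*.txt` expands `$blobs` unquoted and discards every error with `&>/dev/null || true`, the same pattern as the line above it. If the glob matches nothing or the assembled regex is rejected, the manifests in subdirectories keep their blob references and the run still looks successful. Quoting the expansion, `awk -i inplace '!/'"$blobs"'/' ./*/*proprietary*.txt`, stops the shell from word-splitting or globbing the pattern. Replacing the silent `|| true` with something like `|| echo "warning: blob manifest filter failed in $devicePath"` makes a skipped deblob visible. The body of deblobDevice continues outside this hunk.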
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index a5399490..425140f8 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -380,6 +380,7 @@ hardenDefconfig() {
#Enable supported options
#Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_STACKPROTECTOR" "CONFIG_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_IPV6_PRIVACY" "CONFIG_HARDEN_BRANCH_PREDICTOR" "CONFIG_IOMMU_API" "CONFIG_IOMMU_SUPPORT" "CONFIG_IOMMU_HELPER" "CONFIG_INTEL_IOMMU_DEFAULT_ON" "CONFIG_ARM_SMMU" "CONFIG_QCOM_IOMMU" "CONFIG_MSM_IOMMU" "CONFIG_MSM_TZ_SMMU" "CONFIG_KGSL_PER_PROCESS_PAGE_TABLE" "CONFIG_MSM_KGSL_MMU_PAGE_FAULT" "CONFIG_IOMMU_PGTABLES_L2" "CONFIG_TEGRA_IOMMU_SMMU" "CONFIG_TEGRA_IOMMU_GART" "CONFIG_MTK_IOMMU" "CONFIG_EXYNOS_IOMMU" "CONFIG_OMAP_IOMMU" "CONFIG_OF_IOMMU")
+ #if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("CONFIG_RTC_DRV_MSM" "CONFIG_RTC_DRV_PM8XXX" "CONFIG_RTC_DRV_MSM7X00A" "CONFIG_RTC_DRV_QPNP"); fi;
for option in "${optionsYes[@]}"
do
sed -i 's/# '"$option"' is not set/'"$option"'=y/' $defconfigPath &>/dev/null || true;
diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh
index 83b27ace..9b40a2e8 100644
--- a/Scripts/LineageOS-15.1/Functions.sh
+++ b/Scripts/LineageOS-15.1/Functions.sh
@@ -60,10 +60,8 @@ buildAll() {
brunch lineage_fugu-user;
brunch lineage_h850-user;
brunch lineage_hammerhead-user;
- brunch lineage_klte-user; #broken
brunch lineage_m8-user;
brunch lineage_mata-user;
- brunch lineage_shamu-user;
brunch lineage_starlte-user; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio
brunch lineage_us996-user;
brunch lineage_us997-user;
@@ -73,9 +71,11 @@ buildAll() {
#brunch lineage_bacon-user;
#brunch lineage_ether-user;
#brunch lineage_griffin-user;
+ #brunch lineage_klte-user;
#brunch lineage_mako-user;
#brunch lineage_marlin-user;
#brunch lineage_sailfish-user;
+ #brunch lineage_shamu-user;
}
export -f buildAll;
diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh
index 913dae67..248dc665 100644
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh
@@ -69,7 +69,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0866/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11034/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11036/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11039/ANY/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
+#git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14883/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-15827/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16650/ANY/0001.patch
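Review bot: The CVE-2017-13162 patch is disabled by commenting out its `git apply` line, and nothing records why. The same change is made in android_kernel_motorola_msm8996.sh. A commented-out CVE fix reads the same whether it was dropped because it is already in the tree, because it no longer applies, or because it broke the build, and only the first of those leaves the kernel patched. A trailing reason on the line would settle it, for example `#git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch #<reason: already merged upstream / fails to apply>`.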
diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8996.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8996.sh
index 31c291b1..913c1691 100644
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8996.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_motorola_msm8996.sh
@@ -47,7 +47,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/ANY/0009.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/ANY/0010.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0610/ANY/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
+#git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13162/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13218/3.18/0009.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13246/ANY/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14883/ANY/0001.patch
diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh
index 483de84e..68ed151b 100644
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@@ -55,7 +55,7 @@ buildAll() {
brunch lineage_klte-user;
brunch lineage_marlin-user;
brunch lineage_sailfish-user;
- brunch lineage_shamu-user; #broken - needs synced proprietary-files.txt
+ brunch lineage_shamu-user;
}
export -f buildAll;
@@ -73,6 +73,11 @@ patchWorkspace() {
source "$DOS_SCRIPTS_COMMON/Deblob.sh";
source "$DOS_SCRIPTS_COMMON/Patch_CVE.sh";
source build/envsetup.sh;
+
+ #Deblobbing fixes
+ ##setup-makefiles doesn't execute properly for some devices, running it twice seems to fix whatever is wrong
+ cd device/google/marlin/marlin && ./setup-makefiles.sh && cd "$DOS_BUILD_BASE";
+ cd device/google/marlin/sailfish && ./setup-makefiles.sh && cd "$DOS_BUILD_BASE";
}
export -f patchWorkspace;
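Review bot: Each added line chains `cd … && ./setup-makefiles.sh && cd "$DOS_BUILD_BASE"`, so the final `cd` back only runs if the script succeeds. When the marlin run fails, the shell stays in `device/google/marlin/marlin`, the relative `cd device/google/marlin/sailfish` on the next line fails too, and the rest of patchWorkspace continues from the wrong directory with nothing reported. Running each step in a subshell keeps the working directory stable whatever the outcome: `(cd device/google/marlin/marlin && ./setup-makefiles.sh)` and `(cd device/google/marlin/sailfish && ./setup-makefiles.sh)`. The comment says a second run "seems to fix whatever is wrong". Because the generated vendor makefiles decide which blobs are packaged, the comment should name the actual symptom so the workaround can be removed once the cause is found.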
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 813165f4..63a31b97 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -152,6 +152,7 @@ if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/h
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
enterAndClear "system/sepolicy";
+git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user
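Review bot: The added `git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow` removes an upstream sepolicy commit, and the one-word comment does not say which neverallow rule is dropped or which device policy needs it gone. neverallow rules are the compile-time guard against overly broad allow rules, so the comment should name the rule and the reason, for example `#Reverts neverallow on <domain/type>: required by <device> sepolicy`. It should also be confirmed that the revert cannot be scoped to the affected devices instead of the whole tree. The revert is not checked for success either, so if the hash is missing or conflicts after a manifest update, the script carries on to the `patch` and `awk` steps with the policy in an unexpected state.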
@@ -182,7 +183,7 @@ git revert 218f7442874f7b7d494f265286a2151e2f81bb6e 31a1cb251d5e35d8954cec6f3738
echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
echo "allow system_server sensors_data_file:dir search;" >> sepolicy/system_server.te; #Fix qcom_sensors log spam
echo "allow system_server sensors_data_file:dir r_file_perms;" >> sepolicy/system_server.te;
-sed -i 's/1333788672/880803840/' BoardConfig.mk; #don't touch partitions! DOS -user fits with 60M free
+sed -i 's/1333788672/880803840/' BoardConfig.mk; #don't touch partitions! DOS -user fits with 75M free
awk -i inplace '!/TARGET_RELEASETOOLS_EXTENSIONS/' BoardConfig.mk;
enterAndClear "device/oneplus/bacon";