mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 23:19:31 -05:00
15.1: Initial deny new usb support from CopperheadOS
This is an extremely powerful security feature with minimal downsides. Original credit goes to Grsecurity Android port goes to Copperhead
This commit is contained in:
parent
28de039beb
commit
f041047983
22
Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch
Normal file
22
Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch
Normal file
@ -0,0 +1,22 @@
|
||||
From d0d489b8380cb06a7738e9b7276056d9d7479d44 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Fri, 17 Jun 2016 07:13:49 -0400
|
||||
Subject: [PATCH] set deny_new_usb feature to dynamic by default
|
||||
|
||||
Change-Id: Ied8e75e6c7f8cc5e1483fe93281a32fe799638c3
|
||||
---
|
||||
core/main.mk | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/core/main.mk b/core/main.mk
|
||||
index af98b548c..e2c90d2d0 100644
|
||||
--- a/core/main.mk
|
||||
+++ b/core/main.mk
|
||||
@@ -244,6 +244,7 @@ ifneq (,$(user_variant))
|
||||
# Target is secure in user builds.
|
||||
ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
|
||||
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
|
||||
+ ADDITIONAL_DEFAULT_PROPERTIES += persist.security.deny_new_usb=dynamic
|
||||
|
||||
ifeq ($(user_variant),user)
|
||||
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
|
@ -0,0 +1,32 @@
|
||||
From 7b811853c5d2b05ec5db11786ab3f4b6a079e1a1 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Thu, 16 Jun 2016 01:19:53 -0400
|
||||
Subject: [PATCH] dynamic deny_new_usb toggle
|
||||
|
||||
Change-Id: Ie05bf2aaebd8660ec3ff9d823be93cd1202e22db
|
||||
---
|
||||
.../java/com/android/server/policy/keyguard/KeyguardStateMonitor.java | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
|
||||
index 941cd4441e2..80b79bd04da 100644
|
||||
--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
|
||||
+++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
|
||||
@@ -19,6 +19,7 @@
|
||||
import android.app.ActivityManager;
|
||||
import android.content.Context;
|
||||
import android.os.RemoteException;
|
||||
+import android.os.SystemProperties;
|
||||
import android.util.Slog;
|
||||
|
||||
import com.android.internal.policy.IKeyguardService;
|
||||
@@ -85,6 +86,9 @@ public boolean hasLockscreenWallpaper() {
|
||||
|
||||
@Override // Binder interface
|
||||
public void onShowingStateChanged(boolean showing) {
|
||||
+ if ("dynamic".equals(SystemProperties.get("persist.security.deny_new_usb"))) {
|
||||
+ SystemProperties.set("security.deny_new_usb", showing ? "1" : "0");
|
||||
+ }
|
||||
mIsShowing = showing;
|
||||
}
|
||||
|
@ -0,0 +1,238 @@
|
||||
From 8d6cd259a90a009167c11a2f135cb9845a8f3e7f Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Thu, 14 Apr 2016 20:44:06 -0400
|
||||
Subject: [PATCH] add deny_new_usb setting
|
||||
|
||||
Change-Id: If4ee98d636e1876ba546f8a5d562859e8ab7b931
|
||||
---
|
||||
res/values/arrays.xml | 16 +++++++++++++
|
||||
res/values/strings.xml | 3 +++
|
||||
res/xml/security_settings_chooser.xml | 8 +++++++
|
||||
res/xml/security_settings_lockscreen.xml | 8 +++++++
|
||||
res/xml/security_settings_password.xml | 8 +++++++
|
||||
res/xml/security_settings_pattern.xml | 8 +++++++
|
||||
res/xml/security_settings_pin.xml | 8 +++++++
|
||||
src/com/android/settings/SecuritySettings.java | 31 +++++++++++++++++++++++++-
|
||||
8 files changed, 89 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/res/values/arrays.xml b/res/values/arrays.xml
|
||||
index 5e1a468f87..16a7300e96 100644
|
||||
--- a/res/values/arrays.xml
|
||||
+++ b/res/values/arrays.xml
|
||||
@@ -1038,4 +1038,20 @@
|
||||
<item>never</item>
|
||||
</string-array>
|
||||
|
||||
+ <!-- Security Settings -->
|
||||
+ <string-array name="deny_new_usb_entries">
|
||||
+ <item>Disallow new USB peripherals</item>
|
||||
+ <item>Allow new USB peripherals when unlocked</item>
|
||||
+ <item>Allow new USB peripherals</item>
|
||||
+ </string-array>
|
||||
+
|
||||
+ <!-- Do not translate. -->
|
||||
+ <string-array name="deny_new_usb_values" translatable="false">
|
||||
+ <!-- Do not translate. -->
|
||||
+ <item>enabled</item>
|
||||
+ <!-- Do not translate. -->
|
||||
+ <item>dynamic</item>
|
||||
+ <!-- Do not translate. -->
|
||||
+ <item>disabled</item>
|
||||
+ </string-array>
|
||||
</resources>
|
||||
diff --git a/res/values/strings.xml b/res/values/strings.xml
|
||||
index 8265475a98..84ebf5d10b 100644
|
||||
--- a/res/values/strings.xml
|
||||
+++ b/res/values/strings.xml
|
||||
@@ -9052,4 +9052,7 @@
|
||||
|
||||
<!-- Note displayed when certain features are not available on low ram devices. [CHAR LIMIT=NONE] -->
|
||||
<string name="disabled_low_ram_device">This feature is not available on this device</string>
|
||||
+
|
||||
+ <string name="deny_new_usb_title">USB accessories</string>
|
||||
+ <string name="deny_new_usb_summary">Control support for USB peripherals such as input (mice, keyboards, joysticks) and storage devices.</string>
|
||||
</resources>
|
||||
diff --git a/res/xml/security_settings_chooser.xml b/res/xml/security_settings_chooser.xml
|
||||
index 067ebaba0d..2ba2b41006 100644
|
||||
--- a/res/xml/security_settings_chooser.xml
|
||||
+++ b/res/xml/security_settings_chooser.xml
|
||||
@@ -33,6 +33,14 @@
|
||||
android:title="@string/lockscreen_settings_title"
|
||||
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
|
||||
|
||||
+ <ListPreference
|
||||
+ android:key="deny_new_usb"
|
||||
+ android:title="@string/deny_new_usb_title"
|
||||
+ android:summary="@string/deny_new_usb_summary"
|
||||
+ android:persistent="false"
|
||||
+ android:entries="@array/deny_new_usb_entries"
|
||||
+ android:entryValues="@array/deny_new_usb_values" />
|
||||
+
|
||||
</PreferenceCategory>
|
||||
|
||||
</PreferenceScreen>
|
||||
diff --git a/res/xml/security_settings_lockscreen.xml b/res/xml/security_settings_lockscreen.xml
|
||||
index c141fb7c74..5181997c99 100644
|
||||
--- a/res/xml/security_settings_lockscreen.xml
|
||||
+++ b/res/xml/security_settings_lockscreen.xml
|
||||
@@ -29,6 +29,14 @@
|
||||
settings:keywords="@string/keywords_lockscreen"
|
||||
android:persistent="false"/>
|
||||
|
||||
+ <ListPreference
|
||||
+ android:key="deny_new_usb"
|
||||
+ android:title="@string/deny_new_usb_title"
|
||||
+ android:summary="@string/deny_new_usb_summary"
|
||||
+ android:persistent="false"
|
||||
+ android:entries="@array/deny_new_usb_entries"
|
||||
+ android:entryValues="@array/deny_new_usb_values" />
|
||||
+
|
||||
</PreferenceCategory>
|
||||
|
||||
</PreferenceScreen>
|
||||
diff --git a/res/xml/security_settings_password.xml b/res/xml/security_settings_password.xml
|
||||
index 7de65f7cc0..2e8361f470 100644
|
||||
--- a/res/xml/security_settings_password.xml
|
||||
+++ b/res/xml/security_settings_password.xml
|
||||
@@ -32,6 +32,14 @@
|
||||
android:title="@string/lockscreen_settings_title"
|
||||
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
|
||||
|
||||
+ <ListPreference
|
||||
+ android:key="deny_new_usb"
|
||||
+ android:title="@string/deny_new_usb_title"
|
||||
+ android:summary="@string/deny_new_usb_summary"
|
||||
+ android:persistent="false"
|
||||
+ android:entries="@array/deny_new_usb_entries"
|
||||
+ android:entryValues="@array/deny_new_usb_values" />
|
||||
+
|
||||
</PreferenceCategory>
|
||||
|
||||
</PreferenceScreen>
|
||||
diff --git a/res/xml/security_settings_pattern.xml b/res/xml/security_settings_pattern.xml
|
||||
index 1585f016ee..9ce00d616e 100644
|
||||
--- a/res/xml/security_settings_pattern.xml
|
||||
+++ b/res/xml/security_settings_pattern.xml
|
||||
@@ -32,6 +32,14 @@
|
||||
android:title="@string/lockscreen_settings_title"
|
||||
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
|
||||
|
||||
+ <ListPreference
|
||||
+ android:key="deny_new_usb"
|
||||
+ android:title="@string/deny_new_usb_title"
|
||||
+ android:summary="@string/deny_new_usb_summary"
|
||||
+ android:persistent="false"
|
||||
+ android:entries="@array/deny_new_usb_entries"
|
||||
+ android:entryValues="@array/deny_new_usb_values" />
|
||||
+
|
||||
</PreferenceCategory>
|
||||
|
||||
</PreferenceScreen>
|
||||
diff --git a/res/xml/security_settings_pin.xml b/res/xml/security_settings_pin.xml
|
||||
index f7705b7e9c..c291f118a2 100644
|
||||
--- a/res/xml/security_settings_pin.xml
|
||||
+++ b/res/xml/security_settings_pin.xml
|
||||
@@ -32,6 +32,14 @@
|
||||
android:title="@string/lockscreen_settings_title"
|
||||
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
|
||||
|
||||
+ <ListPreference
|
||||
+ android:key="deny_new_usb"
|
||||
+ android:title="@string/deny_new_usb_title"
|
||||
+ android:summary="@string/deny_new_usb_summary"
|
||||
+ android:persistent="false"
|
||||
+ android:entries="@array/deny_new_usb_entries"
|
||||
+ android:entryValues="@array/deny_new_usb_values" />
|
||||
+
|
||||
</PreferenceCategory>
|
||||
|
||||
</PreferenceScreen>
|
||||
diff --git a/src/com/android/settings/SecuritySettings.java b/src/com/android/settings/SecuritySettings.java
|
||||
index 55f21fd22a..555b4a7c90 100644
|
||||
--- a/src/com/android/settings/SecuritySettings.java
|
||||
+++ b/src/com/android/settings/SecuritySettings.java
|
||||
@@ -38,11 +38,13 @@
|
||||
import android.os.UserHandle;
|
||||
import android.os.UserManager;
|
||||
import android.os.storage.StorageManager;
|
||||
+import android.os.SystemProperties;
|
||||
import android.provider.SearchIndexableResource;
|
||||
import android.provider.Settings;
|
||||
import android.service.trust.TrustAgentService;
|
||||
import android.support.annotation.VisibleForTesting;
|
||||
import android.support.v14.preference.SwitchPreference;
|
||||
+import android.support.v7.preference.ListPreference;
|
||||
import android.support.v7.preference.Preference;
|
||||
import android.support.v7.preference.Preference.OnPreferenceChangeListener;
|
||||
import android.support.v7.preference.PreferenceGroup;
|
||||
@@ -118,6 +120,10 @@
|
||||
private static final int UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST = 130;
|
||||
private static final String TAG_UNIFICATION_DIALOG = "unification_dialog";
|
||||
|
||||
+ private static final String KEY_DENY_NEW_USB = "deny_new_usb";
|
||||
+ private static final String DENY_NEW_USB_PROP = "security.deny_new_usb";
|
||||
+ private static final String DENY_NEW_USB_PERSIST_PROP = "persist.security.deny_new_usb";
|
||||
+
|
||||
// Misc Settings
|
||||
private static final String KEY_SIM_LOCK = "sim_lock_settings";
|
||||
private static final String KEY_SHOW_PASSWORD = "show_password";
|
||||
@@ -139,7 +145,7 @@
|
||||
|
||||
// These switch preferences need special handling since they're not all stored in Settings.
|
||||
private static final String SWITCH_PREFERENCE_KEYS[] = {
|
||||
- KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE
|
||||
+ KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE, KEY_DENY_NEW_USB
|
||||
};
|
||||
|
||||
// Only allow one trust agent on the platform.
|
||||
@@ -169,6 +175,8 @@
|
||||
|
||||
private int mProfileChallengeUserId;
|
||||
|
||||
+ private ListPreference mDenyNewUsb;
|
||||
+
|
||||
private String mCurrentDevicePassword;
|
||||
private String mCurrentProfilePassword;
|
||||
|
||||
@@ -324,6 +332,16 @@ private PreferenceScreen createPreferenceHierarchy() {
|
||||
|
||||
mIsAdmin = mUm.isAdminUser();
|
||||
|
||||
+ if (mIsAdmin) {
|
||||
+ mDenyNewUsb = (ListPreference) findPreference(KEY_DENY_NEW_USB);
|
||||
+ } else {
|
||||
+ PreferenceGroup securityCategory = (PreferenceGroup)
|
||||
+ root.findPreference(KEY_SECURITY_CATEGORY);
|
||||
+ if (securityCategory != null) {
|
||||
+ securityCategory.removePreference(securityCategory.findPreference(KEY_DENY_NEW_USB));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
// Fingerprint and trust agents
|
||||
int numberOfTrustAgent = 0;
|
||||
PreferenceGroup securityCategory = (PreferenceGroup)
|
||||
@@ -626,6 +644,10 @@ public void onResume() {
|
||||
}
|
||||
|
||||
mLocationcontroller.updateSummary();
|
||||
+
|
||||
+ if (mDenyNewUsb != null) {
|
||||
+ mDenyNewUsb.setValue(SystemProperties.get(DENY_NEW_USB_PERSIST_PROP, "disabled"));
|
||||
+ }
|
||||
}
|
||||
|
||||
private void updateUnificationPreference() {
|
||||
@@ -812,6 +834,13 @@ public boolean onPreferenceChange(Preference preference, Object value) {
|
||||
Settings.System.putInt(getContentResolver(), Settings.System.TEXT_SHOW_PASSWORD,
|
||||
((Boolean) value) ? 1 : 0);
|
||||
lockPatternUtils.setVisiblePasswordEnabled((Boolean) value, MY_USER_ID);
|
||||
+ } else if (KEY_DENY_NEW_USB.equals(key)) {
|
||||
+ String mode = (String) value;
|
||||
+ SystemProperties.set(DENY_NEW_USB_PERSIST_PROP, mode);
|
||||
+ // The dynamic mode defaults to the disabled state
|
||||
+ if (mode.equals("dynamic")) {
|
||||
+ SystemProperties.set(DENY_NEW_USB_PROP, "0");
|
||||
+ }
|
||||
}
|
||||
return result;
|
||||
}
|
@ -0,0 +1,36 @@
|
||||
From 808fb79d8171f26bc29332145df4edac1925e76e Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Sun, 22 Apr 2018 10:18:06 -0400
|
||||
Subject: [PATCH] add properties for controlling deny_new_usb
|
||||
|
||||
Change-Id: I0ead2254b7e379abaeab6f0f78a48680d40a8994
|
||||
---
|
||||
rootdir/init.rc | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||||
index 2a7333563..aa654c38f 100644
|
||||
--- a/rootdir/init.rc
|
||||
+++ b/rootdir/init.rc
|
||||
@@ -696,6 +696,18 @@ on property:sys.sysctl.extra_free_kbytes=*
|
||||
on property:sys.sysctl.tcp_def_init_rwnd=*
|
||||
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
|
||||
|
||||
+on property:persist.security.deny_new_usb=disabled
|
||||
+ write /proc/sys/kernel/deny_new_usb 0
|
||||
+
|
||||
+on property:persist.security.deny_new_usb=enabled
|
||||
+ write /proc/sys/kernel/deny_new_usb 1
|
||||
+
|
||||
+on property:persist.security.deny_new_usb=dynamic
|
||||
+ write /proc/sys/kernel/deny_new_usb 1
|
||||
+
|
||||
+on property:security.deny_new_usb=*
|
||||
+ write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
|
||||
+
|
||||
on property:security.perf_harden=0
|
||||
write /proc/sys/kernel/perf_event_paranoid 1
|
||||
|
||||
--
|
||||
2.17.0
|
||||
|
@ -0,0 +1,22 @@
|
||||
From 9bd23222fab996016eb2d31772129b09594f4667 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Micay <danielmicay@gmail.com>
|
||||
Date: Thu, 16 Jun 2016 01:07:25 -0400
|
||||
Subject: [PATCH] allow system to set security.deny_new_usb
|
||||
|
||||
---
|
||||
private/property_contexts | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/private/property_contexts b/private/property_contexts
|
||||
index e524f54e..86b7d8a3 100644
|
||||
--- a/private/property_contexts
|
||||
+++ b/private/property_contexts
|
||||
@@ -66,6 +66,8 @@ ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
|
||||
ro.boot.serialno u:object_r:serialno_prop:s0
|
||||
ro.bt. u:object_r:bluetooth_prop:s0
|
||||
|
||||
+security.deny_new_usb u:object_r:system_prop:s0
|
||||
+
|
||||
# Boolean property set by system server upon boot indicating
|
||||
# if device owner is provisioned.
|
||||
ro.device_owner u:object_r:device_logging_prop:s0
|
@ -1 +1 @@
|
||||
Subproject commit 1c9bc188934f6db85124f82ed232f7f4c6c460dc
|
||||
Subproject commit 1007ddcf81da7615d14aeb23e87b85ddd8181358
|
@ -2,6 +2,7 @@
|
||||
cd $base"kernel/fairphone/msm8974"
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-3153/ANY/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-3153/ANY/0004.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
|
||||
@ -31,5 +32,5 @@ git apply $cvePatchesLinux/CVE-2017-6348/^4.9/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-7533/3.4/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p31"
|
||||
editKernelLocalversion "-dos.p32"
|
||||
cd $base
|
||||
|
@ -34,6 +34,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0013.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
|
||||
@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p106"
|
||||
editKernelLocalversion "-dos.p107"
|
||||
cd $base
|
||||
|
@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
cd $base"kernel/google/msm"
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2013-4738/ANY/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
|
||||
@ -37,5 +38,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p37"
|
||||
editKernelLocalversion "-dos.p38"
|
||||
cd $base
|
||||
|
@ -14,6 +14,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001-Alt.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9892/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
|
||||
@ -70,5 +71,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
|
||||
git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p70"
|
||||
editKernelLocalversion "-dos.p71"
|
||||
cd $base
|
||||
|
@ -2,6 +2,7 @@
|
||||
cd $base"kernel/htc/msm8974"
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-2443/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-7117/^4.5/0002.patch
|
||||
@ -29,5 +30,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p29"
|
||||
editKernelLocalversion "-dos.p30"
|
||||
cd $base
|
||||
|
@ -18,6 +18,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
|
||||
@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p106"
|
||||
editKernelLocalversion "-dos.p107"
|
||||
cd $base
|
||||
|
@ -17,6 +17,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
|
||||
@ -95,5 +96,5 @@ git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p95"
|
||||
editKernelLocalversion "-dos.p96"
|
||||
cd $base
|
||||
|
@ -2,6 +2,7 @@
|
||||
cd $base"kernel/lge/g3"
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-6640/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
|
||||
@ -32,5 +33,5 @@ git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-8246/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p32"
|
||||
editKernelLocalversion "-dos.p33"
|
||||
cd $base
|
||||
|
@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
cd $base"kernel/lge/hammerhead"
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9881/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9882/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9882/ANY/0002.patch
|
||||
@ -42,5 +43,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p42"
|
||||
editKernelLocalversion "-dos.p43"
|
||||
cd $base
|
||||
|
@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
cd $base"kernel/lge/mako"
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-3894/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-6828/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-7910/ANY/0001.patch
|
||||
@ -16,5 +17,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p16"
|
||||
editKernelLocalversion "-dos.p17"
|
||||
cd $base
|
||||
|
@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
cd $base"kernel/lge/msm8974"
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-8939/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-0806/prima/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-0806/prima/0006.patch
|
||||
@ -24,5 +25,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-7487/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p24"
|
||||
editKernelLocalversion "-dos.p25"
|
||||
cd $base
|
||||
|
@ -25,6 +25,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0045.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0046.patch
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0050.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002-Alt2.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
|
||||
git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
|
||||
@ -71,5 +72,5 @@ git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p71"
|
||||
editKernelLocalversion "-dos.p72"
|
||||
cd $base
|
||||
|
@ -2,6 +2,7 @@
|
||||
cd $base"kernel/oppo/msm8974"
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2014-9880/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
|
||||
@ -48,5 +49,5 @@ git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-9706/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p48"
|
||||
editKernelLocalversion "-dos.p49"
|
||||
cd $base
|
||||
|
@ -2,6 +2,7 @@
|
||||
cd $base"kernel/samsung/msm8974"
|
||||
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-4578/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0611/3.4/0001.patch
|
||||
@ -23,5 +24,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
|
||||
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
|
||||
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p23"
|
||||
editKernelLocalversion "-dos.p24"
|
||||
cd $base
|
||||
|
@ -54,13 +54,11 @@ export -f buildAll;
|
||||
|
||||
patchWorkspace() {
|
||||
source build/envsetup.sh;
|
||||
repopick 206123 211095; #cherry picks
|
||||
repopick 209030; #fix contacts being deleted
|
||||
repopick 209188; #g3-common cherry picks
|
||||
repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup
|
||||
repopick -f 209030; #ContactsProvider: Prevent device contact being deleted.
|
||||
repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks
|
||||
repopick 205021; #d855 cherry picks
|
||||
repopick -t trust_interface;
|
||||
#repopick -t calendar-o;
|
||||
|
||||
source $scripts/Patch.sh;
|
||||
source $scripts/Defaults.sh;
|
||||
|
@ -60,6 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr
|
||||
|
||||
enterAndClear "build/make"
|
||||
patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0
|
||||
patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
|
||||
sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
|
||||
|
||||
@ -77,6 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired
|
||||
patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG)
|
||||
patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
|
||||
patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast
|
||||
patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
|
||||
rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig
|
||||
|
||||
@ -126,6 +128,7 @@ rm AndroidManifest.xml.orig res/values/*.xml.orig;
|
||||
|
||||
enterAndClear "packages/apps/Settings"
|
||||
git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock
|
||||
patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length
|
||||
sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options
|
||||
|
||||
@ -149,15 +152,17 @@ enterAndClear "packages/inputmethods/LatinIME"
|
||||
patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key
|
||||
|
||||
enterAndClear "packages/services/Telephony"
|
||||
patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added
|
||||
patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
|
||||
enterAndClear "system/core"
|
||||
cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
|
||||
git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery
|
||||
patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0
|
||||
patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
|
||||
enterAndClear "system/sepolicy"
|
||||
patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices
|
||||
patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
|
||||
|
||||
enterAndClear "system/vold"
|
||||
patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption
|
||||
@ -191,7 +196,6 @@ echo "/dev/block/platform/msm_sdcc\.1/by-name/pad u:object_r:misc_block_devi
|
||||
|
||||
enterAndClear "device/lge/mako"
|
||||
cp $patches"android_device_lge_mako/proprietary-blobs.txt" proprietary-blobs.txt; #update that? nah
|
||||
echo "/dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_block_device:s0" >> sepolicy/file_contexts; #fix uncrypt denial
|
||||
|
||||
enterAndClear "device/oppo/msm8974-common"
|
||||
sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/
|
||||
|
Loading…
Reference in New Issue
Block a user