15.1: Initial deny new usb support from CopperheadOS

This is an extremely powerful security feature with minimal downsides.
Original credit goes to Grsecurity
Android port goes to Copperhead

Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch

@@ -0,0 +1,22 @@
+From d0d489b8380cb06a7738e9b7276056d9d7479d44 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 17 Jun 2016 07:13:49 -0400
+Subject: [PATCH] set deny_new_usb feature to dynamic by default
+
+Change-Id: Ied8e75e6c7f8cc5e1483fe93281a32fe799638c3
+---
+ core/main.mk | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/core/main.mk b/core/main.mk
+index af98b548c..e2c90d2d0 100644
+--- a/core/main.mk
++++ b/core/main.mk
+@@ -244,6 +244,7 @@ ifneq (,$(user_variant))
+   # Target is secure in user builds.
+   ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+   ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
++  ADDITIONAL_DEFAULT_PROPERTIES += persist.security.deny_new_usb=dynamic
+ 
+   ifeq ($(user_variant),user)
+     ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1

Patches/LineageOS-15.1/android_frameworks_base/0005-Deny_USB.patch

@@ -0,0 +1,32 @@
+From 7b811853c5d2b05ec5db11786ab3f4b6a079e1a1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 16 Jun 2016 01:19:53 -0400
+Subject: [PATCH] dynamic deny_new_usb toggle
+
+Change-Id: Ie05bf2aaebd8660ec3ff9d823be93cd1202e22db
+---
+ .../java/com/android/server/policy/keyguard/KeyguardStateMonitor.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+index 941cd4441e2..80b79bd04da 100644
+--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+@@ -19,6 +19,7 @@
+ import android.app.ActivityManager;
+ import android.content.Context;
+ import android.os.RemoteException;
++import android.os.SystemProperties;
+ import android.util.Slog;
+ 
+ import com.android.internal.policy.IKeyguardService;
+@@ -85,6 +86,9 @@ public boolean hasLockscreenWallpaper() {
+ 
+     @Override // Binder interface
+     public void onShowingStateChanged(boolean showing) {
++        if ("dynamic".equals(SystemProperties.get("persist.security.deny_new_usb"))) {
++            SystemProperties.set("security.deny_new_usb", showing ? "1" : "0");
++        }
+         mIsShowing = showing;
+     }
+ 

Patches/LineageOS-15.1/android_packages_apps_Settings/0003-Deny_USB.patch

@@ -0,0 +1,238 @@
+From 8d6cd259a90a009167c11a2f135cb9845a8f3e7f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 14 Apr 2016 20:44:06 -0400
+Subject: [PATCH] add deny_new_usb setting
+
+Change-Id: If4ee98d636e1876ba546f8a5d562859e8ab7b931
+---
+ res/values/arrays.xml                          | 16 +++++++++++++
+ res/values/strings.xml                         |  3 +++
+ res/xml/security_settings_chooser.xml          |  8 +++++++
+ res/xml/security_settings_lockscreen.xml       |  8 +++++++
+ res/xml/security_settings_password.xml         |  8 +++++++
+ res/xml/security_settings_pattern.xml          |  8 +++++++
+ res/xml/security_settings_pin.xml              |  8 +++++++
+ src/com/android/settings/SecuritySettings.java | 31 +++++++++++++++++++++++++-
+ 8 files changed, 89 insertions(+), 1 deletion(-)
+
+diff --git a/res/values/arrays.xml b/res/values/arrays.xml
+index 5e1a468f87..16a7300e96 100644
+--- a/res/values/arrays.xml
++++ b/res/values/arrays.xml
+@@ -1038,4 +1038,20 @@
+         <item>never</item>
+     </string-array>
+ 
++    <!-- Security Settings -->
++    <string-array name="deny_new_usb_entries">
++        <item>Disallow new USB peripherals</item>
++        <item>Allow new USB peripherals when unlocked</item>
++        <item>Allow new USB peripherals</item>
++    </string-array>
++
++    <!-- Do not translate. -->
++    <string-array name="deny_new_usb_values" translatable="false">
++        <!-- Do not translate. -->
++        <item>enabled</item>
++        <!-- Do not translate. -->
++        <item>dynamic</item>
++        <!-- Do not translate. -->
++        <item>disabled</item>
++    </string-array>
+ </resources>
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index 8265475a98..84ebf5d10b 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -9052,4 +9052,7 @@
+ 
+     <!-- Note displayed when certain features are not available on low ram devices. [CHAR LIMIT=NONE] -->
+     <string name="disabled_low_ram_device">This feature is not available on this device</string>
++
++    <string name="deny_new_usb_title">USB accessories</string>
++    <string name="deny_new_usb_summary">Control support for USB peripherals such as input (mice, keyboards, joysticks) and storage devices.</string>
+ </resources>
+diff --git a/res/xml/security_settings_chooser.xml b/res/xml/security_settings_chooser.xml
+index 067ebaba0d..2ba2b41006 100644
+--- a/res/xml/security_settings_chooser.xml
++++ b/res/xml/security_settings_chooser.xml
+@@ -33,6 +33,14 @@
+             android:title="@string/lockscreen_settings_title"
+             android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ 
++        <ListPreference
++            android:key="deny_new_usb"
++            android:title="@string/deny_new_usb_title"
++            android:summary="@string/deny_new_usb_summary"
++            android:persistent="false"
++            android:entries="@array/deny_new_usb_entries"
++            android:entryValues="@array/deny_new_usb_values" />
++
+     </PreferenceCategory>
+ 
+ </PreferenceScreen>
+diff --git a/res/xml/security_settings_lockscreen.xml b/res/xml/security_settings_lockscreen.xml
+index c141fb7c74..5181997c99 100644
+--- a/res/xml/security_settings_lockscreen.xml
++++ b/res/xml/security_settings_lockscreen.xml
+@@ -29,6 +29,14 @@
+             settings:keywords="@string/keywords_lockscreen"
+             android:persistent="false"/>
+ 
++        <ListPreference
++            android:key="deny_new_usb"
++            android:title="@string/deny_new_usb_title"
++            android:summary="@string/deny_new_usb_summary"
++            android:persistent="false"
++            android:entries="@array/deny_new_usb_entries"
++            android:entryValues="@array/deny_new_usb_values" />
++
+     </PreferenceCategory>
+ 
+ </PreferenceScreen>
+diff --git a/res/xml/security_settings_password.xml b/res/xml/security_settings_password.xml
+index 7de65f7cc0..2e8361f470 100644
+--- a/res/xml/security_settings_password.xml
++++ b/res/xml/security_settings_password.xml
+@@ -32,6 +32,14 @@
+             android:title="@string/lockscreen_settings_title"
+             android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ 
++        <ListPreference
++            android:key="deny_new_usb"
++            android:title="@string/deny_new_usb_title"
++            android:summary="@string/deny_new_usb_summary"
++            android:persistent="false"
++            android:entries="@array/deny_new_usb_entries"
++            android:entryValues="@array/deny_new_usb_values" />
++
+     </PreferenceCategory>
+ 
+ </PreferenceScreen>
+diff --git a/res/xml/security_settings_pattern.xml b/res/xml/security_settings_pattern.xml
+index 1585f016ee..9ce00d616e 100644
+--- a/res/xml/security_settings_pattern.xml
++++ b/res/xml/security_settings_pattern.xml
+@@ -32,6 +32,14 @@
+             android:title="@string/lockscreen_settings_title"
+             android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ 
++        <ListPreference
++            android:key="deny_new_usb"
++            android:title="@string/deny_new_usb_title"
++            android:summary="@string/deny_new_usb_summary"
++            android:persistent="false"
++            android:entries="@array/deny_new_usb_entries"
++            android:entryValues="@array/deny_new_usb_values" />
++
+     </PreferenceCategory>
+ 
+ </PreferenceScreen>
+diff --git a/res/xml/security_settings_pin.xml b/res/xml/security_settings_pin.xml
+index f7705b7e9c..c291f118a2 100644
+--- a/res/xml/security_settings_pin.xml
++++ b/res/xml/security_settings_pin.xml
+@@ -32,6 +32,14 @@
+             android:title="@string/lockscreen_settings_title"
+             android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ 
++        <ListPreference
++            android:key="deny_new_usb"
++            android:title="@string/deny_new_usb_title"
++            android:summary="@string/deny_new_usb_summary"
++            android:persistent="false"
++            android:entries="@array/deny_new_usb_entries"
++            android:entryValues="@array/deny_new_usb_values" />
++
+     </PreferenceCategory>
+ 
+ </PreferenceScreen>
+diff --git a/src/com/android/settings/SecuritySettings.java b/src/com/android/settings/SecuritySettings.java
+index 55f21fd22a..555b4a7c90 100644
+--- a/src/com/android/settings/SecuritySettings.java
++++ b/src/com/android/settings/SecuritySettings.java
+@@ -38,11 +38,13 @@
+ import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.os.storage.StorageManager;
++import android.os.SystemProperties;
+ import android.provider.SearchIndexableResource;
+ import android.provider.Settings;
+ import android.service.trust.TrustAgentService;
+ import android.support.annotation.VisibleForTesting;
+ import android.support.v14.preference.SwitchPreference;
++import android.support.v7.preference.ListPreference;
+ import android.support.v7.preference.Preference;
+ import android.support.v7.preference.Preference.OnPreferenceChangeListener;
+ import android.support.v7.preference.PreferenceGroup;
+@@ -118,6 +120,10 @@
+     private static final int UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST = 130;
+     private static final String TAG_UNIFICATION_DIALOG = "unification_dialog";
+ 
++    private static final String KEY_DENY_NEW_USB = "deny_new_usb";
++    private static final String DENY_NEW_USB_PROP = "security.deny_new_usb";
++    private static final String DENY_NEW_USB_PERSIST_PROP = "persist.security.deny_new_usb";
++
+     // Misc Settings
+     private static final String KEY_SIM_LOCK = "sim_lock_settings";
+     private static final String KEY_SHOW_PASSWORD = "show_password";
+@@ -139,7 +145,7 @@
+ 
+     // These switch preferences need special handling since they're not all stored in Settings.
+     private static final String SWITCH_PREFERENCE_KEYS[] = {
+-            KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE
++            KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE, KEY_DENY_NEW_USB
+     };
+ 
+     // Only allow one trust agent on the platform.
+@@ -169,6 +175,8 @@
+ 
+     private int mProfileChallengeUserId;
+ 
++    private ListPreference mDenyNewUsb;
++
+     private String mCurrentDevicePassword;
+     private String mCurrentProfilePassword;
+ 
+@@ -324,6 +332,16 @@ private PreferenceScreen createPreferenceHierarchy() {
+ 
+         mIsAdmin = mUm.isAdminUser();
+ 
++        if (mIsAdmin) {
++            mDenyNewUsb = (ListPreference) findPreference(KEY_DENY_NEW_USB);
++        } else {
++            PreferenceGroup securityCategory = (PreferenceGroup)
++                    root.findPreference(KEY_SECURITY_CATEGORY);
++            if (securityCategory != null) {
++                securityCategory.removePreference(securityCategory.findPreference(KEY_DENY_NEW_USB));
++            }
++        }
++
+         // Fingerprint and trust agents
+         int numberOfTrustAgent = 0;
+         PreferenceGroup securityCategory = (PreferenceGroup)
+@@ -626,6 +644,10 @@ public void onResume() {
+         }
+ 
+         mLocationcontroller.updateSummary();
++
++        if (mDenyNewUsb != null) {
++            mDenyNewUsb.setValue(SystemProperties.get(DENY_NEW_USB_PERSIST_PROP, "disabled"));
++        }
+     }
+ 
+     private void updateUnificationPreference() {
+@@ -812,6 +834,13 @@ public boolean onPreferenceChange(Preference preference, Object value) {
+             Settings.System.putInt(getContentResolver(), Settings.System.TEXT_SHOW_PASSWORD,
+                     ((Boolean) value) ? 1 : 0);
+             lockPatternUtils.setVisiblePasswordEnabled((Boolean) value, MY_USER_ID);
++        } else if (KEY_DENY_NEW_USB.equals(key)) {
++            String mode = (String) value;
++            SystemProperties.set(DENY_NEW_USB_PERSIST_PROP, mode);
++            // The dynamic mode defaults to the disabled state
++            if (mode.equals("dynamic")) {
++                SystemProperties.set(DENY_NEW_USB_PROP, "0");
++            }
+         }
+         return result;
+     }

Patches/LineageOS-15.1/android_system_core/0002-Deny_USB.patch

@@ -0,0 +1,36 @@
+From 808fb79d8171f26bc29332145df4edac1925e76e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 22 Apr 2018 10:18:06 -0400
+Subject: [PATCH] add properties for controlling deny_new_usb
+
+Change-Id: I0ead2254b7e379abaeab6f0f78a48680d40a8994
+---
+ rootdir/init.rc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index 2a7333563..aa654c38f 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -696,6 +696,18 @@ on property:sys.sysctl.extra_free_kbytes=*
+ on property:sys.sysctl.tcp_def_init_rwnd=*
+     write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+ 
++on property:persist.security.deny_new_usb=disabled
++    write /proc/sys/kernel/deny_new_usb 0
++
++on property:persist.security.deny_new_usb=enabled
++    write /proc/sys/kernel/deny_new_usb 1
++
++on property:persist.security.deny_new_usb=dynamic
++    write /proc/sys/kernel/deny_new_usb 1
++
++on property:security.deny_new_usb=*
++    write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
++
+ on property:security.perf_harden=0
+     write /proc/sys/kernel/perf_event_paranoid 1
+ 
+-- 
+2.17.0
+

Patches/LineageOS-15.1/android_system_sepolicy/0002-Deny_USB.patch

@@ -0,0 +1,22 @@
+From 9bd23222fab996016eb2d31772129b09594f4667 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 16 Jun 2016 01:07:25 -0400
+Subject: [PATCH] allow system to set security.deny_new_usb
+
+---
+ private/property_contexts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/private/property_contexts b/private/property_contexts
+index e524f54e..86b7d8a3 100644
+--- a/private/property_contexts
++++ b/private/property_contexts
+@@ -66,6 +66,8 @@ ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
+ ro.boot.serialno        u:object_r:serialno_prop:s0
+ ro.bt.                  u:object_r:bluetooth_prop:s0
+ 
++security.deny_new_usb   u:object_r:system_prop:s0
++
+ # Boolean property set by system server upon boot indicating
+ # if device owner is provisioned.
+ ro.device_owner         u:object_r:device_logging_prop:s0

Patches/Linux

@@ -1 +1 @@
-Subproject commit 1c9bc188934f6db85124f82ed232f7f4c6c460dc
+Subproject commit 1007ddcf81da7615d14aeb23e87b85ddd8181358

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/fairphone/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-3153/ANY/0002.patch
 git apply $cvePatchesLinux/CVE-2014-3153/ANY/0004.patch
 git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@@ -31,5 +32,5 @@ git apply $cvePatchesLinux/CVE-2017-6348/^4.9/0001.patch
 git apply $cvePatchesLinux/CVE-2017-7533/3.4/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p31"
+editKernelLocalversion "-dos.p32"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh

@@ -34,6 +34,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0013.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch
-editKernelLocalversion "-dos.p106"
+editKernelLocalversion "-dos.p107"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_msm.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/google/msm"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2013-4738/ANY/0002.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@@ -37,5 +38,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0001.patch
 git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p37"
+editKernelLocalversion "-dos.p38"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_flounder.sh

@@ -14,6 +14,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001-Alt.patch
 git apply $cvePatchesLinux/CVE-2014-9892/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -70,5 +71,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
 git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
-editKernelLocalversion "-dos.p70"
+editKernelLocalversion "-dos.p71"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/htc/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-2443/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-7117/^4.5/0002.patch
@@ -29,5 +30,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p29"
+editKernelLocalversion "-dos.p30"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh

@@ -18,6 +18,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
 git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch
-editKernelLocalversion "-dos.p106"
+editKernelLocalversion "-dos.p107"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh

@@ -17,6 +17,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
 git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@@ -95,5 +96,5 @@ git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
-editKernelLocalversion "-dos.p95"
+editKernelLocalversion "-dos.p96"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_g3.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/lge/g3"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-6640/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@@ -32,5 +33,5 @@ git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-8246/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p32"
+editKernelLocalversion "-dos.p33"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_hammerhead.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/hammerhead"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9881/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9882/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9882/ANY/0002.patch
@@ -42,5 +43,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
 git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p42"
+editKernelLocalversion "-dos.p43"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_mako.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/mako"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2016-3894/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6828/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-7910/ANY/0001.patch
@@ -16,5 +17,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch
 git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p16"
+editKernelLocalversion "-dos.p17"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8974.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2015-8939/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0806/prima/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0806/prima/0006.patch
@@ -24,5 +25,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/CVE-2017-7487/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p24"
+editKernelLocalversion "-dos.p25"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh

@@ -25,6 +25,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0045.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0046.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0050.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002-Alt2.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -71,5 +72,5 @@ git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p71"
+editKernelLocalversion "-dos.p72"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_oppo_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/oppo/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9880/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@@ -48,5 +49,5 @@ git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-9706/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p48"
+editKernelLocalversion "-dos.p49"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_samsung_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/samsung/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-4578/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0611/3.4/0001.patch
@@ -23,5 +24,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p23"
+editKernelLocalversion "-dos.p24"
 cd $base

Scripts/LineageOS-15.1/Functions.sh

@@ -54,13 +54,11 @@ export -f buildAll;
 
 patchWorkspace() {
 	source build/envsetup.sh;
-	repopick 206123 211095; #cherry picks
-	repopick 209030; #fix contacts being deleted
-	repopick 209188; #g3-common cherry picks
+	repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup
+	repopick -f 209030; #ContactsProvider: Prevent device contact being deleted.
 	repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks
 	repopick 205021; #d855 cherry picks
 	repopick -t trust_interface;
-	#repopick -t calendar-o;
 
 	source $scripts/Patch.sh;
 	source $scripts/Defaults.sh;

Scripts/LineageOS-15.1/Patch.sh

@@ -60,6 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr
 
 enterAndClear "build/make"
 patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0
+patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
 
@@ -77,6 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired
 patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG)
 patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
 patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast
+patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
 rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig
 
@@ -126,6 +128,7 @@ rm AndroidManifest.xml.orig res/values/*.xml.orig;
 
 enterAndClear "packages/apps/Settings"
 git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock
+patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length
 sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options
 
@@ -149,15 +152,17 @@ enterAndClear "packages/inputmethods/LatinIME"
 patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key
 
 enterAndClear "packages/services/Telephony"
-patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added
+patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
 
 enterAndClear "system/core"
 cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
 git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery
 patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0
+patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 
 enterAndClear "system/sepolicy"
 patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices
+patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 
 enterAndClear "system/vold"
 patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption
@@ -191,7 +196,6 @@ echo "/dev/block/platform/msm_sdcc\.1/by-name/pad     u:object_r:misc_block_devi
 
 enterAndClear "device/lge/mako"
 cp $patches"android_device_lge_mako/proprietary-blobs.txt" proprietary-blobs.txt; #update that? nah
-echo "/dev/block/platform/msm_sdcc\.1/by-name/misc     u:object_r:misc_block_device:s0" >> sepolicy/file_contexts; #fix uncrypt denial
 
 enterAndClear "device/oppo/msm8974-common"
 sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/