From f0410479834301297bc6e34308c3ab18113687ca Mon Sep 17 00:00:00 2001 From: Tad Date: Sun, 22 Apr 2018 11:23:08 -0400 Subject: [PATCH] 15.1: Initial deny new usb support from CopperheadOS This is an extremely powerful security feature with minimal downsides. Original credit goes to Grsecurity Android port goes to Copperhead --- .../android_build/0002-Deny_USB.patch | 22 ++ .../0005-Deny_USB.patch | 32 +++ .../0003-Deny_USB.patch | 238 ++++++++++++++++++ .../android_system_core/0002-Deny_USB.patch | 36 +++ .../0002-Deny_USB.patch | 22 ++ Patches/Linux | 2 +- .../android_kernel_fairphone_msm8974.sh | 3 +- .../android_kernel_google_marlin.sh | 3 +- .../CVE_Patchers/android_kernel_google_msm.sh | 3 +- .../android_kernel_htc_flounder.sh | 3 +- .../android_kernel_htc_msm8974.sh | 3 +- .../android_kernel_huawei_angler.sh | 3 +- .../android_kernel_lge_bullhead.sh | 3 +- .../CVE_Patchers/android_kernel_lge_g3.sh | 3 +- .../android_kernel_lge_hammerhead.sh | 3 +- .../CVE_Patchers/android_kernel_lge_mako.sh | 3 +- .../android_kernel_lge_msm8974.sh | 3 +- .../android_kernel_lge_msm8996.sh | 3 +- .../android_kernel_oppo_msm8974.sh | 3 +- .../android_kernel_samsung_msm8974.sh | 3 +- Scripts/LineageOS-15.1/Functions.sh | 6 +- Scripts/LineageOS-15.1/Patch.sh | 8 +- 22 files changed, 387 insertions(+), 21 deletions(-) create mode 100644 Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/0005-Deny_USB.patch create mode 100644 Patches/LineageOS-15.1/android_packages_apps_Settings/0003-Deny_USB.patch create mode 100644 Patches/LineageOS-15.1/android_system_core/0002-Deny_USB.patch create mode 100644 Patches/LineageOS-15.1/android_system_sepolicy/0002-Deny_USB.patch diff --git a/Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch b/Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch new file mode 100644 index 00000000..8ac36924 --- /dev/null +++ b/Patches/LineageOS-15.1/android_build/0002-Deny_USB.patch 
@@ -0,0 +1,22 @@
+From d0d489b8380cb06a7738e9b7276056d9d7479d44 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Fri, 17 Jun 2016 07:13:49 -0400
+Subject: [PATCH] set deny_new_usb feature to dynamic by default
+
+Change-Id: Ied8e75e6c7f8cc5e1483fe93281a32fe799638c3
+---
+ core/main.mk | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/core/main.mk b/core/main.mk
+index af98b548c..e2c90d2d0 100644
+--- a/core/main.mk
++++ b/core/main.mk
+@@ -244,6 +244,7 @@ ifneq (,$(user_variant))
+ # Target is secure in user builds.
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
++ ADDITIONAL_DEFAULT_PROPERTIES += persist.security.deny_new_usb=dynamic
+
+ ifeq ($(user_variant),user)
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/0005-Deny_USB.patch b/Patches/LineageOS-15.1/android_frameworks_base/0005-Deny_USB.patch
new file mode 100644
index 00000000..f347be60
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/0005-Deny_USB.patch
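Review bot: The new default `persist.security.deny_new_usb=dynamic` sits inside the `ifneq (,$(user_variant))` block next to `ro.secure=1` and `security.perf_harden=1`, so only user and userdebug builds carry it; an eng build has no value for the property, none of the `on property:persist.security.deny_new_usb=…` actions added to init.rc elsewhere in this commit fire, and the sysctl stays at the kernel default. That is probably acceptable for a hardening build, but nothing in the hunk says so; add `# Reject new USB peripherals while the keyguard is showing; eng builds leave the kernel default untouched.` above the line. Note also that this only seeds the value — a persisted value written later by the Settings patch in this commit takes precedence on subsequent boots.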
@@ -0,0 +1,32 @@
+From 7b811853c5d2b05ec5db11786ab3f4b6a079e1a1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Thu, 16 Jun 2016 01:19:53 -0400
+Subject: [PATCH] dynamic deny_new_usb toggle
+
+Change-Id: Ie05bf2aaebd8660ec3ff9d823be93cd1202e22db
+---
+ .../java/com/android/server/policy/keyguard/KeyguardStateMonitor.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+index 941cd4441e2..80b79bd04da 100644
+--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+@@ -19,6 +19,7 @@
+ import android.app.ActivityManager;
+ import android.content.Context;
+ import android.os.RemoteException;
++import android.os.SystemProperties;
+ import android.util.Slog;
+
+ import com.android.internal.policy.IKeyguardService;
+@@ -85,6 +86,9 @@ public boolean hasLockscreenWallpaper() {
+
+ @Override // Binder interface
+ public void onShowingStateChanged(boolean showing) {
++ if ("dynamic".equals(SystemProperties.get("persist.security.deny_new_usb"))) {
++ SystemProperties.set("security.deny_new_usb", showing ? "1" : "0");
++ }
+ mIsShowing = showing;
+ }
+
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/0003-Deny_USB.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/0003-Deny_USB.patch
new file mode 100644
index 00000000..156dbf09
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/0003-Deny_USB.patch
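Review bot: `SystemProperties.set` in the new `onShowingStateChanged` body can throw a `RuntimeException` when the property service refuses the write (label mismatch, length limit), and the call is made inside a Binder callback with nothing catching it, so a policy mismatch would surface as an uncaught exception in system_server rather than a log line. Wrap it and log through the already-imported `Slog`: `try { SystemProperties.set("security.deny_new_usb", showing ? "1" : "0"); } catch (RuntimeException e) { Slog.e(TAG, "Failed to update security.deny_new_usb", e); }`. A comment above the `if` would also help: `showing` is true for a non-secure swipe keyguard as well, so in dynamic mode new peripherals are rejected on any lockscreen, not only a credential-protected one — presumably intended, but worth stating. The two property names are literals here while the Settings patch in this commit names them as constants; a comment pointing at the init.rc actions that consume them would make the coupling visible.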
@@ -0,0 +1,238 @@ +From 8d6cd259a90a009167c11a2f135cb9845a8f3e7f Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Thu, 14 Apr 2016 20:44:06 -0400 +Subject: [PATCH] add deny_new_usb setting + +Change-Id: If4ee98d636e1876ba546f8a5d562859e8ab7b931 +--- + res/values/arrays.xml | 16 +++++++++++++ + res/values/strings.xml | 3 +++ + res/xml/security_settings_chooser.xml | 8 +++++++ + res/xml/security_settings_lockscreen.xml | 8 +++++++ + res/xml/security_settings_password.xml | 8 +++++++ + res/xml/security_settings_pattern.xml | 8 +++++++ + res/xml/security_settings_pin.xml | 8 +++++++ + src/com/android/settings/SecuritySettings.java | 31 +++++++++++++++++++++++++- + 8 files changed, 89 insertions(+), 1 deletion(-) + +diff --git a/res/values/arrays.xml b/res/values/arrays.xml +index 5e1a468f87..16a7300e96 100644 +--- a/res/values/arrays.xml ++++ b/res/values/arrays.xml +@@ -1038,4 +1038,20 @@ + never + + ++ ++ ++ Disallow new USB peripherals ++ Allow new USB peripherals when unlocked ++ Allow new USB peripherals ++ ++ ++ ++ ++ ++ enabled ++ ++ dynamic ++ ++ disabled ++ + +diff --git a/res/values/strings.xml b/res/values/strings.xml +index 8265475a98..84ebf5d10b 100644 +--- a/res/values/strings.xml ++++ b/res/values/strings.xml +@@ -9052,4 +9052,7 @@ + + + This feature is not available on this device ++ ++ USB accessories ++ Control support for USB peripherals such as input (mice, keyboards, joysticks) and storage devices. 
+ +diff --git a/res/xml/security_settings_chooser.xml b/res/xml/security_settings_chooser.xml +index 067ebaba0d..2ba2b41006 100644 +--- a/res/xml/security_settings_chooser.xml ++++ b/res/xml/security_settings_chooser.xml +@@ -33,6 +33,14 @@ + android:title="@string/lockscreen_settings_title" + android:fragment="com.android.settings.security.LockscreenDashboardFragment"/> + ++ ++ + + + +diff --git a/res/xml/security_settings_lockscreen.xml b/res/xml/security_settings_lockscreen.xml +index c141fb7c74..5181997c99 100644 +--- a/res/xml/security_settings_lockscreen.xml ++++ b/res/xml/security_settings_lockscreen.xml +@@ -29,6 +29,14 @@ + settings:keywords="@string/keywords_lockscreen" + android:persistent="false"/> + ++ ++ + + + +diff --git a/res/xml/security_settings_password.xml b/res/xml/security_settings_password.xml +index 7de65f7cc0..2e8361f470 100644 +--- a/res/xml/security_settings_password.xml ++++ b/res/xml/security_settings_password.xml +@@ -32,6 +32,14 @@ + android:title="@string/lockscreen_settings_title" + android:fragment="com.android.settings.security.LockscreenDashboardFragment"/> + ++ ++ + + + +diff --git a/res/xml/security_settings_pattern.xml b/res/xml/security_settings_pattern.xml +index 1585f016ee..9ce00d616e 100644 +--- a/res/xml/security_settings_pattern.xml ++++ b/res/xml/security_settings_pattern.xml +@@ -32,6 +32,14 @@ + android:title="@string/lockscreen_settings_title" + android:fragment="com.android.settings.security.LockscreenDashboardFragment"/> + ++ ++ + + + +diff --git a/res/xml/security_settings_pin.xml b/res/xml/security_settings_pin.xml +index f7705b7e9c..c291f118a2 100644 +--- a/res/xml/security_settings_pin.xml ++++ b/res/xml/security_settings_pin.xml +@@ -32,6 +32,14 @@ + android:title="@string/lockscreen_settings_title" + android:fragment="com.android.settings.security.LockscreenDashboardFragment"/> + ++ ++ + + + +diff --git a/src/com/android/settings/SecuritySettings.java b/src/com/android/settings/SecuritySettings.java +index 
55f21fd22a..555b4a7c90 100644
+--- a/src/com/android/settings/SecuritySettings.java
++++ b/src/com/android/settings/SecuritySettings.java
+@@ -38,11 +38,13 @@
+ import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.os.storage.StorageManager;
++import android.os.SystemProperties;
+ import android.provider.SearchIndexableResource;
+ import android.provider.Settings;
+ import android.service.trust.TrustAgentService;
+ import android.support.annotation.VisibleForTesting;
+ import android.support.v14.preference.SwitchPreference;
++import android.support.v7.preference.ListPreference;
+ import android.support.v7.preference.Preference;
+ import android.support.v7.preference.Preference.OnPreferenceChangeListener;
+ import android.support.v7.preference.PreferenceGroup;
+@@ -118,6 +120,10 @@
+ private static final int UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST = 130;
+ private static final String TAG_UNIFICATION_DIALOG = "unification_dialog";
+
++ private static final String KEY_DENY_NEW_USB = "deny_new_usb";
++ private static final String DENY_NEW_USB_PROP = "security.deny_new_usb";
++ private static final String DENY_NEW_USB_PERSIST_PROP = "persist.security.deny_new_usb";
++
+ // Misc Settings
+ private static final String KEY_SIM_LOCK = "sim_lock_settings";
+ private static final String KEY_SHOW_PASSWORD = "show_password";
+@@ -139,7 +145,7 @@
+
+ // These switch preferences need special handling since they're not all stored in Settings.
+ private static final String SWITCH_PREFERENCE_KEYS[] = {
+- KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE
++ KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE, KEY_DENY_NEW_USB
+ };
+
+ // Only allow one trust agent on the platform.
+@@ -169,6 +175,8 @@
+
+ private int mProfileChallengeUserId;
+
++ private ListPreference mDenyNewUsb;
++
+ private String mCurrentDevicePassword;
+ private String mCurrentProfilePassword;
+
+@@ -324,6 +332,16 @@ private PreferenceScreen createPreferenceHierarchy() {
+
+ mIsAdmin = mUm.isAdminUser();
+
++ if (mIsAdmin) {
++ mDenyNewUsb = (ListPreference) findPreference(KEY_DENY_NEW_USB);
++ } else {
++ PreferenceGroup securityCategory = (PreferenceGroup)
++ root.findPreference(KEY_SECURITY_CATEGORY);
++ if (securityCategory != null) {
++ securityCategory.removePreference(securityCategory.findPreference(KEY_DENY_NEW_USB));
++ }
++ }
++
+ // Fingerprint and trust agents
+ int numberOfTrustAgent = 0;
+ PreferenceGroup securityCategory = (PreferenceGroup)
+@@ -626,6 +644,10 @@ public void onResume() {
+ }
+
+ mLocationcontroller.updateSummary();
++
++ if (mDenyNewUsb != null) {
++ mDenyNewUsb.setValue(SystemProperties.get(DENY_NEW_USB_PERSIST_PROP, "disabled"));
++ }
+ }
+
+ private void updateUnificationPreference() {
+@@ -812,6 +834,13 @@ public boolean onPreferenceChange(Preference preference, Object value) {
+ Settings.System.putInt(getContentResolver(), Settings.System.TEXT_SHOW_PASSWORD,
+ ((Boolean) value) ? 1 : 0);
+ lockPatternUtils.setVisiblePasswordEnabled((Boolean) value, MY_USER_ID);
++ } else if (KEY_DENY_NEW_USB.equals(key)) {
++ String mode = (String) value;
++ SystemProperties.set(DENY_NEW_USB_PERSIST_PROP, mode);
++ // The dynamic mode defaults to the disabled state
++ if (mode.equals("dynamic")) {
++ SystemProperties.set(DENY_NEW_USB_PROP, "0");
++ }
+ }
+ return result;
+ }
diff --git a/Patches/LineageOS-15.1/android_system_core/0002-Deny_USB.patch b/Patches/LineageOS-15.1/android_system_core/0002-Deny_USB.patch
new file mode 100644
index 00000000..fee50730
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_core/0002-Deny_USB.patch
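Review bot: In `createPreferenceHierarchy`, the non-admin branch calls `securityCategory.removePreference(securityCategory.findPreference(KEY_DENY_NEW_USB))` without checking the inner result; as far as I can tell the support-library `removePreference` is not null-safe, so a security_settings_*.xml variant that lacks the `deny_new_usb` entry would crash Settings for secondary users instead of just omitting the row. Guard it: `Preference denyUsb = securityCategory.findPreference(KEY_DENY_NEW_USB); if (denyUsb != null) securityCategory.removePreference(denyUsb);`. Separately, the preference is offered to every admin user regardless of whether the running kernel exposes `/proc/sys/kernel/deny_new_usb` — the kernel side is applied per device by the CVE_Patchers scripts in this commit — so on a device whose kernel missed that patch the UI presents a control with no effect; consider hiding the row when the kernel control is absent. The `"dynamic"` literal in `onPreferenceChange` duplicates the value in arrays.xml and init.rc; a `DENY_NEW_USB_DYNAMIC` constant beside `DENY_NEW_USB_PROP` would keep the three writers in one place.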
@@ -0,0 +1,36 @@
+From 808fb79d8171f26bc29332145df4edac1925e76e Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Sun, 22 Apr 2018 10:18:06 -0400
+Subject: [PATCH] add properties for controlling deny_new_usb
+
+Change-Id: I0ead2254b7e379abaeab6f0f78a48680d40a8994
+---
+ rootdir/init.rc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index 2a7333563..aa654c38f 100644
+--- a/rootdir/init.rc
++++ b/rootdir/init.rc
+@@ -696,6 +696,18 @@ on property:sys.sysctl.extra_free_kbytes=*
+ on property:sys.sysctl.tcp_def_init_rwnd=*
+ write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+
++on property:persist.security.deny_new_usb=disabled
++ write /proc/sys/kernel/deny_new_usb 0
++
++on property:persist.security.deny_new_usb=enabled
++ write /proc/sys/kernel/deny_new_usb 1
++
++on property:persist.security.deny_new_usb=dynamic
++ write /proc/sys/kernel/deny_new_usb 1
++
++on property:security.deny_new_usb=*
++ write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
++
+ on property:security.perf_harden=0
+ write /proc/sys/kernel/perf_event_paranoid 1
+
+--
+2.17.0
+
diff --git a/Patches/LineageOS-15.1/android_system_sepolicy/0002-Deny_USB.patch b/Patches/LineageOS-15.1/android_system_sepolicy/0002-Deny_USB.patch
new file mode 100644
index 00000000..71b48e4f
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_sepolicy/0002-Deny_USB.patch
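Review bot: The `dynamic` action writes `1` at boot and relies on system_server later setting `security.deny_new_usb=0` once the keyguard is dismissed, so the device fails closed until first unlock — that is the central property of the design and it is recorded nowhere in the hunk; add `# dynamic: deny until the keyguard reports it has been dismissed; security.deny_new_usb is driven by KeyguardStateMonitor` above the `dynamic` action. The `security.deny_new_usb=*` action passes the property value straight through to the sysctl; its writers in this commit are the keyguard (`1`/`0`) and Settings (`0`) and the sepolicy patch restricts who may set it, so a comment stating that only `0` and `1` are expected would make that trust boundary explicit. On a kernel that did not receive the corresponding patch, `/proc/sys/kernel/deny_new_usb` does not exist and each `write` here fails with nothing more than an init log message, which is worth noting for anyone adding a device.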
@@ -0,0 +1,22 @@
+From 9bd23222fab996016eb2d31772129b09594f4667 Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Thu, 16 Jun 2016 01:07:25 -0400
+Subject: [PATCH] allow system to set security.deny_new_usb
+
+---
+ private/property_contexts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/private/property_contexts b/private/property_contexts
+index e524f54e..86b7d8a3 100644
+--- a/private/property_contexts
++++ b/private/property_contexts
+@@ -66,6 +66,8 @@ ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
+ ro.boot.serialno u:object_r:serialno_prop:s0
+ ro.bt. u:object_r:bluetooth_prop:s0
+
++security.deny_new_usb u:object_r:system_prop:s0
++
+ # Boolean property set by system server upon boot indicating
+ # if device owner is provisioned.
+ ro.device_owner u:object_r:device_logging_prop:s0
diff --git a/Patches/Linux b/Patches/Linux
index 1c9bc188..1007ddcf 160000
--- a/Patches/Linux
+++ b/Patches/Linux
@@ -1 +1 @@
-Subproject commit 1c9bc188934f6db85124f82ed232f7f4c6c460dc
+Subproject commit 1007ddcf81da7615d14aeb23e87b85ddd8181358
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
index 76cd3eb3..97688217 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
@@ -2,6 +2,7 @@
 cd $base"kernel/fairphone/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-3153/ANY/0002.patch
 git apply $cvePatchesLinux/CVE-2014-3153/ANY/0004.patch
 git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
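Review bot: Only `security.deny_new_usb` receives a label here, while `persist.security.deny_new_usb` — written by the Settings patch in this commit — is not added; presumably it is covered by an existing `persist.security.` prefix entry, but if that prefix is absent the property falls back to the default label and the Settings write is refused at runtime with no build-time signal, so confirm it or add an explicit line. `system_prop` is also broader than the two writers this feature needs (system_server for the lockscreen toggle, Settings for the mode): every domain permitted to set `system_prop` can flip the sysctl through the `security.deny_new_usb=*` action in init.rc. If this policy is revisited, a dedicated property type would let the toggle be restricted to exactly those domains; a comment on the new line naming the intended writers would help in the meantime.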
@@ -31,5 +32,5 @@ git apply $cvePatchesLinux/CVE-2017-6348/^4.9/0001.patch
 git apply $cvePatchesLinux/CVE-2017-7533/3.4/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p31"
+editKernelLocalversion "-dos.p32"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh
index 982a5d11..c1716db1 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh
@@ -34,6 +34,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0013.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch
-editKernelLocalversion "-dos.p106"
+editKernelLocalversion "-dos.p107"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_msm.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_msm.sh
index 5955493b..74dc53ca 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_msm.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_msm.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/google/msm"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2013-4738/ANY/0002.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@@ -37,5 +38,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0001.patch
 git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p37"
+editKernelLocalversion "-dos.p38"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_flounder.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_flounder.sh
index cf465a92..d44d562c 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_flounder.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_flounder.sh
@@ -14,6 +14,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001-Alt.patch
 git apply $cvePatchesLinux/CVE-2014-9892/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -70,5 +71,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
 git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
-editKernelLocalversion "-dos.p70"
+editKernelLocalversion "-dos.p71"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_msm8974.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_msm8974.sh
index 692790db..42a39481 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_msm8974.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_msm8974.sh
@@ -2,6 +2,7 @@
 cd $base"kernel/htc/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-2443/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-7117/^4.5/0002.patch
@@ -29,5 +30,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p29"
+editKernelLocalversion "-dos.p30"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh
index d208f5a4..8ed2b185 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh
@@ -18,6 +18,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
 git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch
-editKernelLocalversion "-dos.p106"
+editKernelLocalversion "-dos.p107"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh
index 097092ad..60144a8d 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh
@@ -17,6 +17,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
 git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@@ -95,5 +96,5 @@ git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
-editKernelLocalversion "-dos.p95"
+editKernelLocalversion "-dos.p96"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_g3.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_g3.sh
index efe0c59c..2c0cfec0 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_g3.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_g3.sh
@@ -2,6 +2,7 @@
 cd $base"kernel/lge/g3"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-6640/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@@ -32,5 +33,5 @@ git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-8246/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p32"
+editKernelLocalversion "-dos.p33"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_hammerhead.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
index 3c36c8d8..9f0398f4 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/hammerhead"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9881/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9882/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9882/ANY/0002.patch
@@ -42,5 +43,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
 git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p42"
+editKernelLocalversion "-dos.p43"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_mako.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_mako.sh
index e3220c6f..a00977d3 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_mako.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_mako.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/mako"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2016-3894/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6828/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-7910/ANY/0001.patch
@@ -16,5 +17,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch
 git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p16"
+editKernelLocalversion "-dos.p17"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8974.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8974.sh
index 16a57cdf..8faafa8b 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8974.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8974.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2015-8939/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0806/prima/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0806/prima/0006.patch
@@ -24,5 +25,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/CVE-2017-7487/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p24"
+editKernelLocalversion "-dos.p25"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh
index 192bb71c..20c92d61 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh
@@ -25,6 +25,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0045.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0046.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0050.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002-Alt2.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -71,5 +72,5 @@ git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p71"
+editKernelLocalversion "-dos.p72"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_oppo_msm8974.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_oppo_msm8974.sh
index cbfbb62a..646fd339 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_oppo_msm8974.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_oppo_msm8974.sh
@@ -2,6 +2,7 @@
 cd $base"kernel/oppo/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9880/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@@ -48,5 +49,5 @@ git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-9706/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p48"
+editKernelLocalversion "-dos.p49"
 cd $base
diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_samsung_msm8974.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_samsung_msm8974.sh
index 459f75dc..7d0da37c 100644
--- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_samsung_msm8974.sh
+++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_samsung_msm8974.sh
@@ -2,6 +2,7 @@
 cd $base"kernel/samsung/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-4578/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0611/3.4/0001.patch
@@ -23,5 +24,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p23"
+editKernelLocalversion "-dos.p24"
 cd $base
diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh
index 73f5f8d2..6b04a451 100644
--- a/Scripts/LineageOS-15.1/Functions.sh
+++ b/Scripts/LineageOS-15.1/Functions.sh
@@ -54,13 +54,11 @@ export -f buildAll;
 patchWorkspace() {
 source build/envsetup.sh;
- repopick 206123 211095; #cherry picks
- repopick 209030; #fix contacts being deleted
- repopick 209188; #g3-common cherry picks
+ repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup
+ repopick -f 209030; #ContactsProvider: Prevent device contact being deleted.
 repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks
 repopick 205021; #d855 cherry picks
 repopick -t trust_interface;
- #repopick -t calendar-o;
 source $scripts/Patch.sh;
 source $scripts/Defaults.sh;
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index 1541ce46..a0aae881 100755
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -60,6 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr enterAndClear "build/make" patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0 +patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence @@ -77,6 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG) patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast +patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig 
@@ -126,6 +128,7 @@ rm AndroidManifest.xml.orig res/values/*.xml.orig; enterAndClear "packages/apps/Settings" git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock +patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options 
@@ -149,15 +152,17 @@ enterAndClear "packages/inputmethods/LatinIME" patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key enterAndClear "packages/services/Telephony" -patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added +patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD enterAndClear "system/core" cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0 +patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD enterAndClear "system/sepolicy" patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices +patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD enterAndClear "system/vold" patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption @@ -191,7 +196,6 @@ echo "/dev/block/platform/msm_sdcc\.1/by-name/pad u:object_r:misc_block_devi enterAndClear "device/lge/mako" cp $patches"android_device_lge_mako/proprietary-blobs.txt" proprietary-blobs.txt; #update that? nah -echo "/dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_block_device:s0" >> sepolicy/file_contexts; #fix uncrypt denial enterAndClear "device/oppo/msm8974-common" sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/