15.1: Initial deny new usb support from CopperheadOS

This is an extremely powerful security feature with minimal downsides.
Original credit goes to Grsecurity
Android port goes to Copperhead

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/fairphone/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-3153/ANY/0002.patch
 git apply $cvePatchesLinux/CVE-2014-3153/ANY/0004.patch
 git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@@ -31,5 +32,5 @@ git apply $cvePatchesLinux/CVE-2017-6348/^4.9/0001.patch
 git apply $cvePatchesLinux/CVE-2017-7533/3.4/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p31"
+editKernelLocalversion "-dos.p32"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh

@@ -34,6 +34,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0013.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch
-editKernelLocalversion "-dos.p106"
+editKernelLocalversion "-dos.p107"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_msm.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/google/msm"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2013-4738/ANY/0002.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@@ -37,5 +38,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0001.patch
 git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p37"
+editKernelLocalversion "-dos.p38"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_flounder.sh

@@ -14,6 +14,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001-Alt.patch
 git apply $cvePatchesLinux/CVE-2014-9892/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -70,5 +71,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
 git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
-editKernelLocalversion "-dos.p70"
+editKernelLocalversion "-dos.p71"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_htc_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/htc/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-2443/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-7117/^4.5/0002.patch
@@ -29,5 +30,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p29"
+editKernelLocalversion "-dos.p30"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh

@@ -18,6 +18,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
 git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch
-editKernelLocalversion "-dos.p106"
+editKernelLocalversion "-dos.p107"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh

@@ -17,6 +17,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
 git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
 git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@@ -95,5 +96,5 @@ git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
-editKernelLocalversion "-dos.p95"
+editKernelLocalversion "-dos.p96"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_g3.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/lge/g3"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-6640/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@@ -32,5 +33,5 @@ git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-8246/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p32"
+editKernelLocalversion "-dos.p33"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_hammerhead.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/hammerhead"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9881/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9882/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9882/ANY/0002.patch
@@ -42,5 +43,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
 git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p42"
+editKernelLocalversion "-dos.p43"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_mako.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/mako"
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2016-3894/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6828/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-7910/ANY/0001.patch
@@ -16,5 +17,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch
 git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p16"
+editKernelLocalversion "-dos.p17"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8974.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd $base"kernel/lge/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2015-8939/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0806/prima/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0806/prima/0006.patch
@@ -24,5 +25,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
 git apply $cvePatchesLinux/CVE-2017-7487/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p24"
+editKernelLocalversion "-dos.p25"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh

@@ -25,6 +25,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0045.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0046.patch
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0050.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002-Alt2.patch
 git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
 git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@@ -71,5 +72,5 @@ git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p71"
+editKernelLocalversion "-dos.p72"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_oppo_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/oppo/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2014-9880/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@@ -48,5 +49,5 @@ git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-9706/ANY/0001.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p48"
+editKernelLocalversion "-dos.p49"
 cd $base

Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_samsung_msm8974.sh

@@ -2,6 +2,7 @@
 cd $base"kernel/samsung/msm8974"
 git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
 git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
+git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2016-4578/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0611/3.4/0001.patch
@@ -23,5 +24,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
 git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
 git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p23"
+editKernelLocalversion "-dos.p24"
 cd $base

Scripts/LineageOS-15.1/Functions.sh

@@ -54,13 +54,11 @@ export -f buildAll;
 
 patchWorkspace() {
 	source build/envsetup.sh;
-	repopick 206123 211095; #cherry picks
-	repopick 209030; #fix contacts being deleted
-	repopick 209188; #g3-common cherry picks
+	repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup
+	repopick -f 209030; #ContactsProvider: Prevent device contact being deleted.
 	repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks
 	repopick 205021; #d855 cherry picks
 	repopick -t trust_interface;
-	#repopick -t calendar-o;
 
 	source $scripts/Patch.sh;
 	source $scripts/Defaults.sh;

Scripts/LineageOS-15.1/Patch.sh

@@ -60,6 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr
 
 enterAndClear "build/make"
 patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0
+patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
 
@@ -77,6 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired
 patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG)
 patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
 patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast
+patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
 rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig
 
@@ -126,6 +128,7 @@ rm AndroidManifest.xml.orig res/values/*.xml.orig;
 
 enterAndClear "packages/apps/Settings"
 git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock
+patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length
 sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options
 
@@ -149,15 +152,17 @@ enterAndClear "packages/inputmethods/LatinIME"
 patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key
 
 enterAndClear "packages/services/Telephony"
-patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added
+patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
 
 enterAndClear "system/core"
 cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
 git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery
 patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0
+patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 
 enterAndClear "system/sepolicy"
 patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices
+patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
 
 enterAndClear "system/vold"
 patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption
@@ -191,7 +196,6 @@ echo "/dev/block/platform/msm_sdcc\.1/by-name/pad     u:object_r:misc_block_devi
 
 enterAndClear "device/lge/mako"
 cp $patches"android_device_lge_mako/proprietary-blobs.txt" proprietary-blobs.txt; #update that? nah
-echo "/dev/block/platform/msm_sdcc\.1/by-name/misc     u:object_r:misc_block_device:s0" >> sepolicy/file_contexts; #fix uncrypt denial
 
 enterAndClear "device/oppo/msm8974-common"
 sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/