15.1: Initial deny new usb support from CopperheadOS

This is an extremely powerful security feature with minimal downsides.
Original credit goes to Grsecurity
Android port goes to Copperhead
This commit is contained in:
Tad 2018-04-22 11:23:08 -04:00
parent 28de039beb
commit f041047983
22 changed files with 387 additions and 21 deletions

View File

@ -0,0 +1,22 @@
From d0d489b8380cb06a7738e9b7276056d9d7479d44 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 17 Jun 2016 07:13:49 -0400
Subject: [PATCH] set deny_new_usb feature to dynamic by default
Change-Id: Ied8e75e6c7f8cc5e1483fe93281a32fe799638c3
---
core/main.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/core/main.mk b/core/main.mk
index af98b548c..e2c90d2d0 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -244,6 +244,7 @@ ifneq (,$(user_variant))
# Target is secure in user builds.
ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
+ ADDITIONAL_DEFAULT_PROPERTIES += persist.security.deny_new_usb=dynamic
ifeq ($(user_variant),user)
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1

View File

@ -0,0 +1,32 @@
From 7b811853c5d2b05ec5db11786ab3f4b6a079e1a1 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Thu, 16 Jun 2016 01:19:53 -0400
Subject: [PATCH] dynamic deny_new_usb toggle
Change-Id: Ie05bf2aaebd8660ec3ff9d823be93cd1202e22db
---
.../java/com/android/server/policy/keyguard/KeyguardStateMonitor.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
index 941cd4441e2..80b79bd04da 100644
--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
@@ -19,6 +19,7 @@
import android.app.ActivityManager;
import android.content.Context;
import android.os.RemoteException;
+import android.os.SystemProperties;
import android.util.Slog;
import com.android.internal.policy.IKeyguardService;
@@ -85,6 +86,9 @@ public boolean hasLockscreenWallpaper() {
@Override // Binder interface
public void onShowingStateChanged(boolean showing) {
+ if ("dynamic".equals(SystemProperties.get("persist.security.deny_new_usb"))) {
+ SystemProperties.set("security.deny_new_usb", showing ? "1" : "0");
+ }
mIsShowing = showing;
}

View File

@ -0,0 +1,238 @@
From 8d6cd259a90a009167c11a2f135cb9845a8f3e7f Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Thu, 14 Apr 2016 20:44:06 -0400
Subject: [PATCH] add deny_new_usb setting
Change-Id: If4ee98d636e1876ba546f8a5d562859e8ab7b931
---
res/values/arrays.xml | 16 +++++++++++++
res/values/strings.xml | 3 +++
res/xml/security_settings_chooser.xml | 8 +++++++
res/xml/security_settings_lockscreen.xml | 8 +++++++
res/xml/security_settings_password.xml | 8 +++++++
res/xml/security_settings_pattern.xml | 8 +++++++
res/xml/security_settings_pin.xml | 8 +++++++
src/com/android/settings/SecuritySettings.java | 31 +++++++++++++++++++++++++-
8 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/res/values/arrays.xml b/res/values/arrays.xml
index 5e1a468f87..16a7300e96 100644
--- a/res/values/arrays.xml
+++ b/res/values/arrays.xml
@@ -1038,4 +1038,20 @@
<item>never</item>
</string-array>
+ <!-- Security Settings -->
+ <string-array name="deny_new_usb_entries">
+ <item>Disallow new USB peripherals</item>
+ <item>Allow new USB peripherals when unlocked</item>
+ <item>Allow new USB peripherals</item>
+ </string-array>
+
+ <!-- Do not translate. -->
+ <string-array name="deny_new_usb_values" translatable="false">
+ <!-- Do not translate. -->
+ <item>enabled</item>
+ <!-- Do not translate. -->
+ <item>dynamic</item>
+ <!-- Do not translate. -->
+ <item>disabled</item>
+ </string-array>
</resources>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 8265475a98..84ebf5d10b 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -9052,4 +9052,7 @@
<!-- Note displayed when certain features are not available on low ram devices. [CHAR LIMIT=NONE] -->
<string name="disabled_low_ram_device">This feature is not available on this device</string>
+
+ <string name="deny_new_usb_title">USB accessories</string>
+ <string name="deny_new_usb_summary">Control support for USB peripherals such as input (mice, keyboards, joysticks) and storage devices.</string>
</resources>
diff --git a/res/xml/security_settings_chooser.xml b/res/xml/security_settings_chooser.xml
index 067ebaba0d..2ba2b41006 100644
--- a/res/xml/security_settings_chooser.xml
+++ b/res/xml/security_settings_chooser.xml
@@ -33,6 +33,14 @@
android:title="@string/lockscreen_settings_title"
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ <ListPreference
+ android:key="deny_new_usb"
+ android:title="@string/deny_new_usb_title"
+ android:summary="@string/deny_new_usb_summary"
+ android:persistent="false"
+ android:entries="@array/deny_new_usb_entries"
+ android:entryValues="@array/deny_new_usb_values" />
+
</PreferenceCategory>
</PreferenceScreen>
diff --git a/res/xml/security_settings_lockscreen.xml b/res/xml/security_settings_lockscreen.xml
index c141fb7c74..5181997c99 100644
--- a/res/xml/security_settings_lockscreen.xml
+++ b/res/xml/security_settings_lockscreen.xml
@@ -29,6 +29,14 @@
settings:keywords="@string/keywords_lockscreen"
android:persistent="false"/>
+ <ListPreference
+ android:key="deny_new_usb"
+ android:title="@string/deny_new_usb_title"
+ android:summary="@string/deny_new_usb_summary"
+ android:persistent="false"
+ android:entries="@array/deny_new_usb_entries"
+ android:entryValues="@array/deny_new_usb_values" />
+
</PreferenceCategory>
</PreferenceScreen>
diff --git a/res/xml/security_settings_password.xml b/res/xml/security_settings_password.xml
index 7de65f7cc0..2e8361f470 100644
--- a/res/xml/security_settings_password.xml
+++ b/res/xml/security_settings_password.xml
@@ -32,6 +32,14 @@
android:title="@string/lockscreen_settings_title"
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ <ListPreference
+ android:key="deny_new_usb"
+ android:title="@string/deny_new_usb_title"
+ android:summary="@string/deny_new_usb_summary"
+ android:persistent="false"
+ android:entries="@array/deny_new_usb_entries"
+ android:entryValues="@array/deny_new_usb_values" />
+
</PreferenceCategory>
</PreferenceScreen>
diff --git a/res/xml/security_settings_pattern.xml b/res/xml/security_settings_pattern.xml
index 1585f016ee..9ce00d616e 100644
--- a/res/xml/security_settings_pattern.xml
+++ b/res/xml/security_settings_pattern.xml
@@ -32,6 +32,14 @@
android:title="@string/lockscreen_settings_title"
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ <ListPreference
+ android:key="deny_new_usb"
+ android:title="@string/deny_new_usb_title"
+ android:summary="@string/deny_new_usb_summary"
+ android:persistent="false"
+ android:entries="@array/deny_new_usb_entries"
+ android:entryValues="@array/deny_new_usb_values" />
+
</PreferenceCategory>
</PreferenceScreen>
diff --git a/res/xml/security_settings_pin.xml b/res/xml/security_settings_pin.xml
index f7705b7e9c..c291f118a2 100644
--- a/res/xml/security_settings_pin.xml
+++ b/res/xml/security_settings_pin.xml
@@ -32,6 +32,14 @@
android:title="@string/lockscreen_settings_title"
android:fragment="com.android.settings.security.LockscreenDashboardFragment"/>
+ <ListPreference
+ android:key="deny_new_usb"
+ android:title="@string/deny_new_usb_title"
+ android:summary="@string/deny_new_usb_summary"
+ android:persistent="false"
+ android:entries="@array/deny_new_usb_entries"
+ android:entryValues="@array/deny_new_usb_values" />
+
</PreferenceCategory>
</PreferenceScreen>
diff --git a/src/com/android/settings/SecuritySettings.java b/src/com/android/settings/SecuritySettings.java
index 55f21fd22a..555b4a7c90 100644
--- a/src/com/android/settings/SecuritySettings.java
+++ b/src/com/android/settings/SecuritySettings.java
@@ -38,11 +38,13 @@
import android.os.UserHandle;
import android.os.UserManager;
import android.os.storage.StorageManager;
+import android.os.SystemProperties;
import android.provider.SearchIndexableResource;
import android.provider.Settings;
import android.service.trust.TrustAgentService;
import android.support.annotation.VisibleForTesting;
import android.support.v14.preference.SwitchPreference;
+import android.support.v7.preference.ListPreference;
import android.support.v7.preference.Preference;
import android.support.v7.preference.Preference.OnPreferenceChangeListener;
import android.support.v7.preference.PreferenceGroup;
@@ -118,6 +120,10 @@
private static final int UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST = 130;
private static final String TAG_UNIFICATION_DIALOG = "unification_dialog";
+ private static final String KEY_DENY_NEW_USB = "deny_new_usb";
+ private static final String DENY_NEW_USB_PROP = "security.deny_new_usb";
+ private static final String DENY_NEW_USB_PERSIST_PROP = "persist.security.deny_new_usb";
+
// Misc Settings
private static final String KEY_SIM_LOCK = "sim_lock_settings";
private static final String KEY_SHOW_PASSWORD = "show_password";
@@ -139,7 +145,7 @@
// These switch preferences need special handling since they're not all stored in Settings.
private static final String SWITCH_PREFERENCE_KEYS[] = {
- KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE
+ KEY_SHOW_PASSWORD, KEY_UNIFICATION, KEY_VISIBLE_PATTERN_PROFILE, KEY_DENY_NEW_USB
};
// Only allow one trust agent on the platform.
@@ -169,6 +175,8 @@
private int mProfileChallengeUserId;
+ private ListPreference mDenyNewUsb;
+
private String mCurrentDevicePassword;
private String mCurrentProfilePassword;
@@ -324,6 +332,16 @@ private PreferenceScreen createPreferenceHierarchy() {
mIsAdmin = mUm.isAdminUser();
+ if (mIsAdmin) {
+ mDenyNewUsb = (ListPreference) findPreference(KEY_DENY_NEW_USB);
+ } else {
+ PreferenceGroup securityCategory = (PreferenceGroup)
+ root.findPreference(KEY_SECURITY_CATEGORY);
+ if (securityCategory != null) {
+ securityCategory.removePreference(securityCategory.findPreference(KEY_DENY_NEW_USB));
+ }
+ }
+
// Fingerprint and trust agents
int numberOfTrustAgent = 0;
PreferenceGroup securityCategory = (PreferenceGroup)
@@ -626,6 +644,10 @@ public void onResume() {
}
mLocationcontroller.updateSummary();
+
+ if (mDenyNewUsb != null) {
+ mDenyNewUsb.setValue(SystemProperties.get(DENY_NEW_USB_PERSIST_PROP, "disabled"));
+ }
}
private void updateUnificationPreference() {
@@ -812,6 +834,13 @@ public boolean onPreferenceChange(Preference preference, Object value) {
Settings.System.putInt(getContentResolver(), Settings.System.TEXT_SHOW_PASSWORD,
((Boolean) value) ? 1 : 0);
lockPatternUtils.setVisiblePasswordEnabled((Boolean) value, MY_USER_ID);
+ } else if (KEY_DENY_NEW_USB.equals(key)) {
+ String mode = (String) value;
+ SystemProperties.set(DENY_NEW_USB_PERSIST_PROP, mode);
+ // The dynamic mode defaults to the disabled state
+ if (mode.equals("dynamic")) {
+ SystemProperties.set(DENY_NEW_USB_PROP, "0");
+ }
}
return result;
}

View File

@ -0,0 +1,36 @@
From 808fb79d8171f26bc29332145df4edac1925e76e Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 22 Apr 2018 10:18:06 -0400
Subject: [PATCH] add properties for controlling deny_new_usb
Change-Id: I0ead2254b7e379abaeab6f0f78a48680d40a8994
---
rootdir/init.rc | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2a7333563..aa654c38f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -696,6 +696,18 @@ on property:sys.sysctl.extra_free_kbytes=*
on property:sys.sysctl.tcp_def_init_rwnd=*
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+on property:persist.security.deny_new_usb=disabled
+ write /proc/sys/kernel/deny_new_usb 0
+
+on property:persist.security.deny_new_usb=enabled
+ write /proc/sys/kernel/deny_new_usb 1
+
+on property:persist.security.deny_new_usb=dynamic
+ write /proc/sys/kernel/deny_new_usb 1
+
+on property:security.deny_new_usb=*
+ write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
+
on property:security.perf_harden=0
write /proc/sys/kernel/perf_event_paranoid 1
--
2.17.0

View File

@ -0,0 +1,22 @@
From 9bd23222fab996016eb2d31772129b09594f4667 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Thu, 16 Jun 2016 01:07:25 -0400
Subject: [PATCH] allow system to set security.deny_new_usb
---
private/property_contexts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/private/property_contexts b/private/property_contexts
index e524f54e..86b7d8a3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -66,6 +66,8 @@ ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
ro.boot.serialno u:object_r:serialno_prop:s0
ro.bt. u:object_r:bluetooth_prop:s0
+security.deny_new_usb u:object_r:system_prop:s0
+
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
ro.device_owner u:object_r:device_logging_prop:s0

@ -1 +1 @@
Subproject commit 1c9bc188934f6db85124f82ed232f7f4c6c460dc Subproject commit 1007ddcf81da7615d14aeb23e87b85ddd8181358

View File

@ -2,6 +2,7 @@
cd $base"kernel/fairphone/msm8974" cd $base"kernel/fairphone/msm8974"
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2014-3153/ANY/0002.patch git apply $cvePatchesLinux/CVE-2014-3153/ANY/0002.patch
git apply $cvePatchesLinux/CVE-2014-3153/ANY/0004.patch git apply $cvePatchesLinux/CVE-2014-3153/ANY/0004.patch
git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@ -31,5 +32,5 @@ git apply $cvePatchesLinux/CVE-2017-6348/^4.9/0001.patch
git apply $cvePatchesLinux/CVE-2017-7533/3.4/0001.patch git apply $cvePatchesLinux/CVE-2017-7533/3.4/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p31" editKernelLocalversion "-dos.p32"
cd $base cd $base

View File

@ -34,6 +34,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0013.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0013.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002.patch
git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch
editKernelLocalversion "-dos.p106" editKernelLocalversion "-dos.p107"
cd $base cd $base

View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
cd $base"kernel/google/msm" cd $base"kernel/google/msm"
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2013-4738/ANY/0002.patch git apply $cvePatchesLinux/CVE-2013-4738/ANY/0002.patch
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@ -37,5 +38,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0001.patch
git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p37" editKernelLocalversion "-dos.p38"
cd $base cd $base

View File

@ -14,6 +14,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0011.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001-Alt.patch
git apply $cvePatchesLinux/CVE-2014-9892/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9892/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@ -70,5 +71,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
editKernelLocalversion "-dos.p70" editKernelLocalversion "-dos.p71"
cd $base cd $base

View File

@ -2,6 +2,7 @@
cd $base"kernel/htc/msm8974" cd $base"kernel/htc/msm8974"
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-2443/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-2443/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-7117/^4.5/0002.patch git apply $cvePatchesLinux/CVE-2016-7117/^4.5/0002.patch
@ -29,5 +30,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p29" editKernelLocalversion "-dos.p30"
cd $base cd $base

View File

@ -18,6 +18,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@ -106,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch
editKernelLocalversion "-dos.p106" editKernelLocalversion "-dos.p107"
cd $base cd $base

View File

@ -17,6 +17,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.10/0001.patch
git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch git apply $cvePatchesLinux/CVE-2014-8160/^3.18/0002.patch
git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch git apply $cvePatchesLinux/CVE-2014-8173/3.9-^3.12/0001.patch
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
@ -95,5 +96,5 @@ git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
editKernelLocalversion "-dos.p95" editKernelLocalversion "-dos.p96"
cd $base cd $base

View File

@ -2,6 +2,7 @@
cd $base"kernel/lge/g3" cd $base"kernel/lge/g3"
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2015-6640/ANY/0001.patch git apply $cvePatchesLinux/CVE-2015-6640/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-3857/ANY/0001.patch
@ -32,5 +33,5 @@ git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-8246/3.4/0002.patch git apply $cvePatchesLinux/CVE-2017-8246/3.4/0002.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p32" editKernelLocalversion "-dos.p33"
cd $base cd $base

View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
cd $base"kernel/lge/hammerhead" cd $base"kernel/lge/hammerhead"
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2014-9881/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9881/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2014-9882/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9882/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2014-9882/ANY/0002.patch git apply $cvePatchesLinux/CVE-2014-9882/ANY/0002.patch
@ -42,5 +43,5 @@ git apply $cvePatchesLinux/CVE-2017-9242/^4.11/0001.patch
git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p42" editKernelLocalversion "-dos.p43"
cd $base cd $base

View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
cd $base"kernel/lge/mako" cd $base"kernel/lge/mako"
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2016-3894/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-3894/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-6828/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6828/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-7910/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-7910/ANY/0001.patch
@ -16,5 +17,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch
git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p16" editKernelLocalversion "-dos.p17"
cd $base cd $base

View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
cd $base"kernel/lge/msm8974" cd $base"kernel/lge/msm8974"
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2015-8939/ANY/0001.patch git apply $cvePatchesLinux/CVE-2015-8939/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-0806/prima/0001.patch git apply $cvePatchesLinux/CVE-2016-0806/prima/0001.patch
git apply $cvePatchesLinux/CVE-2016-0806/prima/0006.patch git apply $cvePatchesLinux/CVE-2016-0806/prima/0006.patch
@ -24,5 +25,5 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch
git apply $cvePatchesLinux/CVE-2017-7487/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-7487/ANY/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p24" editKernelLocalversion "-dos.p25"
cd $base cd $base

View File

@ -25,6 +25,7 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0045.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0046.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0046.patch
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0050.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.18/0050.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.10+/0012.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.18/0002-Alt2.patch
git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9900/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch git apply $cvePatchesLinux/CVE-2015-2041/^3.19/0002.patch
git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch
@ -71,5 +72,5 @@ git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p71" editKernelLocalversion "-dos.p72"
cd $base cd $base

View File

@ -2,6 +2,7 @@
cd $base"kernel/oppo/msm8974" cd $base"kernel/oppo/msm8974"
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9781/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2014-9880/ANY/0001.patch git apply $cvePatchesLinux/CVE-2014-9880/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-0774/ANY/0001.patch
@ -48,5 +49,5 @@ git apply $cvePatchesLinux/CVE-2017-9684/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-9706/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-9706/ANY/0001.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p48" editKernelLocalversion "-dos.p49"
cd $base cd $base

View File

@ -2,6 +2,7 @@
cd $base"kernel/samsung/msm8974" cd $base"kernel/samsung/msm8974"
git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0001.patch
git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch git apply $cvePatchesLinux/0010-Accelerated_AES/3.4/0002.patch
git apply $cvePatchesLinux/0012-Copperhead-Deny_USB/3.4/3.4-Backport.patch
git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2016-4578/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-4578/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-0611/3.4/0001.patch git apply $cvePatchesLinux/CVE-2017-0611/3.4/0001.patch
@ -23,5 +24,5 @@ git apply $cvePatchesLinux/CVE-2017-8254/3.4/0002.patch
git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch
git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch
git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch
editKernelLocalversion "-dos.p23" editKernelLocalversion "-dos.p24"
cd $base cd $base

View File

@ -54,13 +54,11 @@ export -f buildAll;
patchWorkspace() { patchWorkspace() {
source build/envsetup.sh; source build/envsetup.sh;
repopick 206123 211095; #cherry picks repopick -f 206123; #bionic: Sort and cache hosts file data for fast lookup
repopick 209030; #fix contacts being deleted repopick -f 209030; #ContactsProvider: Prevent device contact being deleted.
repopick 209188; #g3-common cherry picks
repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks repopick 211404 211405 211406 211407 211408 211409; #d852 cherry picks
repopick 205021; #d855 cherry picks repopick 205021; #d855 cherry picks
repopick -t trust_interface; repopick -t trust_interface;
#repopick -t calendar-o;
source $scripts/Patch.sh; source $scripts/Patch.sh;
source $scripts/Defaults.sh; source $scripts/Defaults.sh;

View File

@ -60,6 +60,7 @@ cp -r $prebuiltApps"android_vendor_FDroid_PrebuiltApps/." $base"vendor/fdroid_pr
enterAndClear "build/make" enterAndClear "build/make"
patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0 patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automated build signing. Disclaimer: From CopperheadOS 13.0
patch -p1 < $patches"android_build/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
@ -77,6 +78,7 @@ sed -i 's|config_permissionReviewRequired">false|config_permissionReviewRequired
patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG) patch -p1 < $patches"android_frameworks_base/0002-Signature_Spoofing.patch" #Allow packages to spoof their signature (microG)
patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key patch -p1 < $patches"android_frameworks_base/0003-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key
patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast patch -p1 < $patches"android_frameworks_base/0004-OpenNIC.patch" #Change fallback and tethering DNS servers to OpenNIC AnyCast
patch -p1 < $patches"android_frameworks_base/0005-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig rm core/res/res/values/config.xml.orig core/res/res/values/strings.xml.orig
@ -126,6 +128,7 @@ rm AndroidManifest.xml.orig res/values/*.xml.orig;
enterAndClear "packages/apps/Settings" enterAndClear "packages/apps/Settings"
git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock git revert a96df110e84123fe1273bff54feca3b4ca484dcd #don't hide oem unlock
patch -p1 < $patches"android_packages_apps_Settings/0003-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length
sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options
@ -149,15 +152,17 @@ enterAndClear "packages/inputmethods/LatinIME"
patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #Remove voice input key
enterAndClear "packages/services/Telephony" enterAndClear "packages/services/Telephony"
patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. Disclaimer: From CopperheadOS before their LICENSE was added patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #LTE only preferred network mode choice. XXX: NEEDS SIGNOFF FROM COPPERHEAD
enterAndClear "system/core" enterAndClear "system/core"
cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery
patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0 patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0
patch -p1 < $patches"android_system_core/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
enterAndClear "system/sepolicy" enterAndClear "system/sepolicy"
patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices
patch -p1 < $patches"android_system_sepolicy/0002-Deny_USB.patch" #Deny USB support XXX: NEEDS SIGNOFF FROM COPPERHEAD
enterAndClear "system/vold" enterAndClear "system/vold"
patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption
@ -191,7 +196,6 @@ echo "/dev/block/platform/msm_sdcc\.1/by-name/pad u:object_r:misc_block_devi
enterAndClear "device/lge/mako" enterAndClear "device/lge/mako"
cp $patches"android_device_lge_mako/proprietary-blobs.txt" proprietary-blobs.txt; #update that? nah cp $patches"android_device_lge_mako/proprietary-blobs.txt" proprietary-blobs.txt; #update that? nah
echo "/dev/block/platform/msm_sdcc\.1/by-name/misc u:object_r:misc_block_device:s0" >> sepolicy/file_contexts; #fix uncrypt denial
enterAndClear "device/oppo/msm8974-common" enterAndClear "device/oppo/msm8974-common"
sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/ sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/