diff --git a/Manifests/Manifest_LAOS-17.1.xml b/Manifests/Manifest_LAOS-17.1.xml index 51c2cade..f3485fc8 100644 --- a/Manifests/Manifest_LAOS-17.1.xml +++ b/Manifests/Manifest_LAOS-17.1.xml @@ -75,7 +75,7 @@ - + diff --git a/Patches/LineageOS-14.1/android_system_core/0001-Harden.patch b/Patches/LineageOS-14.1/android_system_core/0001-Harden.patch index fb911f0d..620be786 100644 --- a/Patches/LineageOS-14.1/android_system_core/0001-Harden.patch +++ b/Patches/LineageOS-14.1/android_system_core/0001-Harden.patch @@ -27,22 +27,24 @@ index 7a370596e..35bf44a7b 100755 } // We must have some place other than / to create the device nodes for -diff --git a/rootdir/init.rc b/rootdir/init.rc -index 498203c83..4875ff54b 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc -@@ -126,6 +126,14 @@ on init +@@ -126,7 +126,18 @@ on init write /proc/sys/kernel/sched_child_runs_first 0 write /proc/sys/kernel/randomize_va_space 2 ++ write /proc/sys/kernel/dmesg_restrict 1 + write /proc/sys/fs/protected_hardlinks 1 + write /proc/sys/fs/protected_symlinks 1 + write /proc/sys/fs/protected_fifos 1 + write /proc/sys/fs/protected_regular 1 + write /proc/sys/net/ipv4/tcp_sack 0 + write /proc/sys/net/ipv6/conf/all/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/all/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/all/temp_prefered_lft 21600 + write /proc/sys/net/ipv6/conf/default/use_tempaddr 2 -+ write /proc/sys/kernel/dmesg_restrict 1 ++ write /proc/sys/net/ipv6/conf/default/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/default/temp_prefered_lft 21600 write /proc/sys/kernel/kptr_restrict 2 write /proc/sys/vm/mmap_min_addr 32768 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" diff --git a/Patches/LineageOS-15.1/android_system_core/0001-Harden.patch b/Patches/LineageOS-15.1/android_system_core/0001-Harden.patch index 4cd19ce5..91461300 100644 --- a/Patches/LineageOS-15.1/android_system_core/0001-Harden.patch +++ b/Patches/LineageOS-15.1/android_system_core/0001-Harden.patch 
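Review bot: The rewritten inner hunk header in the 14.1 patch, `@@ -126,7 +126,18 @@`, does not look consistent with its body. The hunk now carries twelve `+` lines, and the 15.1, 16.0 and 17.1 copies of the same change keep the old-side count at 6 (`-124,6 +124,18` and so on), so with an 18-line new side the header here should presumably read `@@ -126,6 +126,18 @@`. Line breaks are collapsed on this page, so the count is worth re-checking against the file itself. If the header is wrong, `git apply` is likely to reject the patch as corrupt, and unless the step that applies it stops the build, the 14.1 image would be produced without these sysctl writes.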
@@ -31,23 +31,24 @@ index 35fc442d0..b65686f93 100644 mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL); mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)); mknod("/dev/random", S_IFCHR | 0666, makedev(1, 8)); -diff --git a/rootdir/init.rc b/rootdir/init.rc -index f9cb4a3ef..c3cea4eb6 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc -@@ -124,6 +124,15 @@ on init +@@ -124,6 +124,18 @@ on init write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 write /proc/sys/kernel/sched_child_runs_first 0 + write /proc/sys/kernel/dmesg_restrict 1 -+ write /proc/sys/kernel/kptr_restrict 2 + write /proc/sys/fs/protected_hardlinks 1 + write /proc/sys/fs/protected_symlinks 1 + write /proc/sys/fs/protected_fifos 1 + write /proc/sys/fs/protected_regular 1 + write /proc/sys/net/ipv4/tcp_sack 0 + write /proc/sys/net/ipv6/conf/all/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/all/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/all/temp_prefered_lft 21600 + write /proc/sys/net/ipv6/conf/default/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/default/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/default/temp_prefered_lft 21600 write /proc/sys/kernel/randomize_va_space 2 write /proc/sys/vm/mmap_min_addr 32768 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" diff --git a/Patches/LineageOS-16.0/android_system_core/0001-Harden.patch b/Patches/LineageOS-16.0/android_system_core/0001-Harden.patch index 8c241a8e..756015c6 100644 --- a/Patches/LineageOS-16.0/android_system_core/0001-Harden.patch +++ b/Patches/LineageOS-16.0/android_system_core/0001-Harden.patch @@ -31,23 +31,24 @@ index eb9dd755b..504a6d13e 100644 mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL); mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)); -diff --git a/rootdir/init.rc b/rootdir/init.rc -index 4a8a60a96..acd1d06d1 100644 --- a/rootdir/init.rc 
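Review bot: The new side of the inner `on init` hunk no longer contains `write /proc/sys/kernel/kptr_restrict 2`, and nothing visible in the hunk replaces it; the 16.0 and 17.1 patches drop the same line. If init on these branches already sets kptr_restrict elsewhere the removal is only de-duplication, but that is not visible here. A sentence in the patch description naming where the value is now set would let a later reader confirm that kernel pointers stay hidden from unprivileged readers of /proc. The 14.1 patch keeps the write as a context line, so the four branches no longer read alike, and the `on init` block continues outside the hunk.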
+++ b/rootdir/init.rc -@@ -121,6 +121,15 @@ on init +@@ -121,6 +121,18 @@ on init write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 write /proc/sys/kernel/sched_child_runs_first 0 + write /proc/sys/kernel/dmesg_restrict 1 -+ write /proc/sys/kernel/kptr_restrict 2 + write /proc/sys/fs/protected_hardlinks 1 + write /proc/sys/fs/protected_symlinks 1 + write /proc/sys/fs/protected_fifos 1 + write /proc/sys/fs/protected_regular 1 + write /proc/sys/net/ipv4/tcp_sack 0 + write /proc/sys/net/ipv6/conf/all/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/all/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/all/temp_prefered_lft 21600 + write /proc/sys/net/ipv6/conf/default/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/default/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/default/temp_prefered_lft 21600 write /proc/sys/kernel/randomize_va_space 2 write /proc/sys/vm/mmap_min_addr 32768 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" diff --git a/Patches/LineageOS-17.1/android_system_core/0001-Harden.patch b/Patches/LineageOS-17.1/android_system_core/0001-Harden.patch index f699db50..5904dd15 100644 --- a/Patches/LineageOS-17.1/android_system_core/0001-Harden.patch +++ b/Patches/LineageOS-17.1/android_system_core/0001-Harden.patch @@ -32,23 +32,24 @@ index 2b899408a..84c2735c2 100644 CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL)); CHECKCALL(mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11))); -diff --git a/rootdir/init.rc b/rootdir/init.rc -index 58a83e091..a28db476b 100644 --- a/rootdir/init.rc 
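Review bot: The four added IPv6 writes carry no explanation, and `temp_prefered_lft 21600` is set without a matching `temp_valid_lft`. A temporary address therefore stops being preferred after six hours but presumably stays valid for the kernel default period, and `max_addresses 128` looks like the allowance for the deprecated addresses that pile up as a result. A comment above the group in init.rc, such as `# Rotate IPv6 privacy addresses every 6h; raise max_addresses so deprecated ones still fit`, would record the intent, and it is worth deciding whether the valid lifetime should be shortened too. The same lines are added in the 14.1, 15.1 and 17.1 patches.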
+++ b/rootdir/init.rc -@@ -140,6 +140,15 @@ on init +@@ -140,6 +140,18 @@ on init write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 write /proc/sys/kernel/sched_child_runs_first 0 + write /proc/sys/kernel/dmesg_restrict 1 -+ write /proc/sys/kernel/kptr_restrict 2 + write /proc/sys/fs/protected_hardlinks 1 + write /proc/sys/fs/protected_symlinks 1 + write /proc/sys/fs/protected_fifos 1 + write /proc/sys/fs/protected_regular 1 + write /proc/sys/net/ipv4/tcp_sack 0 + write /proc/sys/net/ipv6/conf/all/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/all/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/all/temp_prefered_lft 21600 + write /proc/sys/net/ipv6/conf/default/use_tempaddr 2 ++ write /proc/sys/net/ipv6/conf/default/max_addresses 128 ++ write /proc/sys/net/ipv6/conf/default/temp_prefered_lft 21600 write /proc/sys/kernel/randomize_va_space 2 write /proc/sys/vm/mmap_min_addr 32768 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" diff --git a/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_essential_msm8998.sh b/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_essential_msm8998.sh index 1b6fed4a..7a41fbdf 100644 --- a/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_essential_msm8998.sh +++ b/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_essential_msm8998.sh @@ -24,6 +24,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6187/^4.6.5/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-8394/ANY/0001.patch +git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-9919/^4.8.12/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0610/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-1000252/^4.13.3/0001.patch 
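Review bot: The added `git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-9919/^4.8.12/0001.patch` has its exit status ignored as far as this hunk shows, so a patch that no longer applies would be skipped silently while `editKernelLocalversion "-dos.p95"` in the last hunk still counts it; the added CVE-2020-8992 line there is in the same position. Unless the script runs under `set -e` outside the visible lines, `git apply "$DOS_PATCHES_LINUX_CVES/CVE-2016-9919/^4.8.12/0001.patch" || echo "CVE-2016-9919 did not apply" >&2` would at least leave a trace in the build log. Quoting the expansion also keeps a patch directory containing spaces from splitting the argument. If this file is generated, the change belongs in the generator rather than here.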
@@ -76,7 +77,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10614/ANY/0002.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10622/ANY/0002.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12378/^5.1.5/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12456/^5.1.5/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14038/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14040/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14041/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-16994/^5.0/0001.patch @@ -89,10 +89,11 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2264/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2333/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2341/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch +git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-8992/^5.5.3/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14875/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10622/ANY/0002.patch -editKernelLocalversion "-dos.p94" +editKernelLocalversion "-dos.p95" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh index 0919d4f1..ce60f716 100644 --- a/Scripts/LineageOS-17.1/Functions.sh +++ b/Scripts/LineageOS-17.1/Functions.sh @@ -79,7 +79,7 @@ buildAll() { buildDevice cheryl; buildDevice mata verity; #SD660 - buildDevice Amber verity; #TimeKeep error + buildDevice Amber verity; } export -f buildAll;