Commit Graph

415 Commits

Author SHA1 Message Date
Tad
163a162568 Fix boot animation + churn
Signed-off-by: Tad <tad@spotco.us>
2022-04-18 23:04:24 -04:00
Tad
486e358050 More (disabled) lowram tweaks for <2GB devices
The inprocess variants make very little reduction and likely reduce security.

Signed-off-by: Tad <tad@spotco.us>
2022-04-12 20:25:26 -04:00
Tad
42c9d22de9 Default disable exec spawning
Change the property too, so it takes effect next update.
Since 16.0 lacks a toggle, this effectively disables the feature for it.
Even devices with 4GB of RAM have usability severely impacted.

Plus some other tweaks/churn

Signed-off-by: Tad <tad@spotco.us>
2022-04-12 17:58:04 -04:00
Tad
30de608a61 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-04-12 02:51:44 -04:00
Tad
d078b24ddb lowram tweaks
Signed-off-by: Tad <tad@spotco.us>
2022-04-11 23:40:26 -04:00
Tad
d50a3a043b Switch 16.0/17.1/18.1 to the more robust GrapheneOS sensors permission patchset
Like done for 19.1

Signed-off-by: Tad <tad@spotco.us>
2022-04-10 21:12:03 -04:00
Tad
5431edd85b Fix boot issues on select devices after recent AVB changes
alioth, beryllium, davinci, vayu were tested working without this
lavender however would not boot
lmi was not tested

lavender, unlocked, managed to get into some weird broken state
that won't even boot after this, not even with Lineage or TWRP
:(

enchilada/fajita 18.1 use stock vendor and don't boot either
enchilada is tested booting again after this

Signed-off-by: Tad <tad@spotco.us>
2022-04-09 18:27:48 -04:00
Tad
a9e250afd9 Cleanup
Signed-off-by: Tad <tad@spotco.us>
2022-04-07 00:37:20 -04:00
Tad
b464106cc5 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-04-04 15:51:23 -04:00
Tad
6c5a65622c Page sanitization improvements
This ensures init_on_alloc/free is used instead of page poisioning where available.

3.4 through 3.18 have a patch without a toggle for page sanitization.

Signed-off-by: Tad <tad@spotco.us>
2022-04-02 12:57:17 -04:00
Tad
01900ca1c6 Reverts
WebView overlay is breaking boot on 15.1???

This reverts commit e61e288b4a.
2022-04-01 17:07:27 -04:00
Tad
3f9b346345 Fix boot breakage
On devices with quota enabled and impacted by this patch

Signed-off-by: Tad <tad@spotco.us>
2022-04-01 10:30:30 -04:00
Tad
1bbb6f9b4e Fix and enable exec_spawning feature
This is the missing puzzle piece :)

Signed-off-by: Tad <tad@spotco.us>
2022-03-28 22:02:52 -04:00
Tad
19b03c9ff4 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-28 17:43:48 -04:00
Tad
8a03e46c7e Add the exec-spawning toggle from GrapheneOS
Tested working on 18.1/klte

TODO: backport to 16.0

Signed-off-by: Tad <tad@spotco.us>
2022-03-28 16:14:37 -04:00
Tad
a53062ca0b Backports
Adds ptrace_scope and timeout options to 17.1, tested working

Also adds hardened_malloc to 15.1, but failing to compile:
external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE'
    if (param == M_PURGE) {
                 ^
external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers]
    struct mallinfo info = {0};
                             ^

Signed-off-by: Tad <tad@spotco.us>
2022-03-21 18:06:49 -04:00
Tad
0c33d328b7 Partially re-enable the bionic hardening patchset
These uncommented patches have been ruled out, leaving 7 more to test

shamu is tested booting with this

Signed-off-by: Tad <tad@spotco.us>
2022-03-19 20:25:24 -04:00
Tad
a56e3a3016 Disable the bionic hardening patchset to fix boot issues
10+4 devices tested working with bionic hardening patches enabled
but hammerhead and shamu do not boot...

2 of the patches were already found to have issues and disabled
3 other patches were ruled out:
- Stop implicitly marking mappings as mergeable
- Make __stack_chk_guard read-only at runtime
- On 64-bit, zero the leading stack canary byte
Leaves 11+1 patches remaining that need to be tested
But I don't have either of the two known impacted devices.

Signed-off-by: Tad <tad@spotco.us>
2022-03-19 16:19:00 -04:00
Tad
3207cde72e Small tweaks
Signed-off-by: Tad <tad@spotco.us>
2022-03-19 12:41:49 -04:00
Tad
09353cdcd2 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-18 00:07:18 -04:00
Tad
1603092c50 Not all kernels have (working) getrandom support
hammerhead 16.0 was reported not booting
and shamu 18.1 was reported to take ~15+ minutes to boot

hammerhead does not have getrandom so it failed immediately

shamu does have getrandom BUT it blocks during init
meaning it'll wait until the entropy pool slowly fills

In tested I did not discovery this
I tested on flox/mako/d852/klte/clark/sailfish/mata/cheeseburger/fajita
All the newer ones have working getrandom
All the older ones included a patch to make getrandom non blocking on init

Signed-off-by: Tad <tad@spotco.us>
2022-03-17 13:21:52 -04:00
Tad
a9f6672fed hardened_malloc fixes for broken devices
- enable the patchset for 18.1
- add an ugly patch that extends the Pixel 3* camera workaround to all camera executables

Signed-off-by: Tad <tad@spotco.us>
2022-03-16 02:01:19 -04:00
Tad
e002154486 Typo
Signed-off-by: Tad <tad@spotco.us>
2022-03-15 20:59:43 -04:00
Tad
1df7c7f1d4 Churn
Signed-off-by: Tad <tad@spotco.us>
2022-03-15 19:16:19 -04:00
Tad
181519cf38 Add bionic hardening patchsets from GrapheneOS
11 b3a0c2c5db
11 5412c37195 #explicit zero
11 31456ac632 #brk
11 58ebc243ea #random
11 5323b39f7e #undefined
11 6a91d9dddb #merge
11 a042b5a0ba #vla formatting
11 9ec639de1b #pthread
11 49571a0a49 #read only
11 149cc5ccb8 #zero
11 2e613ccbe7 #fork mmap
11 e239c7dff8 #memprot pthread
11 0b03d92b7f #xor
11 de08419b82 #junk
11 897d4903e2 #guard
11 648cd68ca3 #ptrhread guard
11 0bc4dbcbd2 #stack rand
10 aa9cc05d07
10 a8cdbb6352 #explicit zero
10 b28302c668 #brk
10 9f8be7d07c #random
10 cb91a7ee3a #undefined
10 08279e2fdd #merge
10 6a18bd565d #vla formatting
10 2f392c2d08 #pthread
10 8bbce1bc50 #read only
10 725f61db82 #zero
10 4cd257135f #fork mmap
10 9220cf622b #memprot pthread
10 8ef71d1ffd #memprot exit
10 0eaef1abbd #xor
10 64f1cc2148 #junk
10 5c42a527cf #guard
10 5cc8c34e60 #pthread guard
10 7f61cc8a1c #stack rand
9  abdf523d26
9  e4b9b31e6f #explicit zero
9  a3a22a63d2 #brk
9  7444dbc3cf #random
9  dcd3b72ac9 #undefined
9  543e1df342 #merge
9  611e5691f7 #vla formatting
9  8de97ce864 #pthread
9  a475717042 #read only
9  7f0947cc0e #zero
9  e9751d3370 #fork mmap
9  83cd86d0d5 #memprot pthread
9  1ebb165455 #memprot exit
9  488ba483cf #xor
9  f9351d884b #junk
9  85e5bca0a5 #move

Signed-off-by: Tad <tad@spotco.us>
2022-03-15 16:56:46 -04:00
Tad
1878cd19ab Fix/Add hardened malloc patchsets from GrapheneOS
11 8c0f3c0e04
11 4e6320c247
11 108754debb
10 818be3fc1d
10 010949662f
10 ede5e38f5b
9 80754c93bf
9 20160b8161

Signed-off-by: Tad <tad@spotco.us>
2022-03-15 16:24:56 -04:00
Tad
209481c53e Fix/Add exec based spawning patchsets from GrapheneOS
11 14c3c1d4cd
   ac1943345e
   1abb805041
   2e07ab8c24
   0044836677
   c561811fad
   7a848373ef
   89646bdeb1
   2a70bbac4a
   d414dcaa35
   b4cd877e3a
   98634286bb
11 4c2635390c
11 add34a4bc6
11 a2b51906de
10 527787f3c8
   ffde474ad7
   aa87e487c4
   c906fe9722
   c69c3eecd4
   b2303adccc
   5bb05db6f7
   536b497688
   24802a832b
   ce6dcc2368
   3d3d5c4d38
   2eda592b79
10 29f28b53c0
10 13a992c716
9  750efbf6bc
   ed563b6f26
   aad3c7d750
   da3180f9a8
   68773a29b7
   283b3fa09c
   f133136b65
   01a01ce5f6
   17c309c098
   8806ec3ef1

Signed-off-by: Tad <tad@spotco.us>
2022-03-15 15:55:13 -04:00
Tad
f015dd348f Add the JNINativeMethod table constification patchsets from GrapheneOS
11 63b9f96a12
11 d8a62b5156
11 e3a4d64f29
11 e41f1d7f8e
11 c34b037486
11 dce2d0f64f
11 c99c35cb2a
10 07071814db
10 a48ba29b98
10 157fa78115
10 b914409e05
10 20a51f508b
10 b8afb8af37
10 e1b6653db7
9 ff688b68a7
9 866f0df315
9 77c9fa981a
9 fbf620e59c
9 ceaf63c790
9 253247fc39
9 76bf4c46f0

Signed-off-by: Tad <tad@spotco.us>
2022-03-15 15:26:48 -04:00
Tad
ad579b6681 Misc hardening from GrapheneOS
11 62f81c237b

11 1f05db99ab

11 f242089d3f
10 abcf485dcf
9x c5db5a9f9e

Signed-off-by: Tad <tad@spotco.us>
2022-03-15 14:40:05 -04:00
Tad
e61e288b4a Optionally allow the official Bromite WebView to be used, credit @MSe1969
This also replaces the overrides for all versions
And should allow the Google WebView on 14/15/16
And lastly only leaves the bundled version as default

This is a merge of the LineageOS 14/15/16 and 17/18 overlay
With the addition of the Bromite signature from @MSe1969

Signed-off-by: Tad <tad@spotco.us>
2022-03-14 22:59:40 -04:00
Tad
f65c7a4ccd Tweaks
Signed-off-by: Tad <tad@spotco.us>
2022-03-12 11:48:23 -05:00
Tad
015799737e Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-09 17:16:47 -05:00
Tad
4f75a8272a Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-09 11:59:30 -05:00
Tad
902239e2b5 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-08 23:20:43 -05:00
Tad
de764885b3 Fixup
Signed-off-by: Tad <tad@spotco.us>
2022-03-08 12:56:52 -05:00
Tad
54dbcd9e43 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-07 19:12:10 -05:00
Tad
bda848a0a1 Fixup 057bedb6
Sadly this means the option was never enabled :(
Note: these options are only available on 4.4+ kernels

Signed-off-by: Tad <tad@spotco.us>
2022-03-06 23:05:13 -05:00
Tad
ac1e89f0c8 Update CVE patchers [the big fixup]
This removes many duplicately or wrongly applied patches.

Correctly removed:
- CVE-2011-4132 can apply infinitely
- CVE-2013-2891 can apply infinitely
- CVE-2014-9781 can apply once to fb_cmap_to_user correctly and incorrectly to fb_copy_cmap
- CVE-2015-0571 can apply incorrectly and was disabled in patch repo as a result
- CVE-2016-2475 can apply infinitely
- CVE-2017-0627 can apply infinitely
- CVE-2017-0750 can apply infinitely
- CVE-2017-14875 can apply infinitely
- CVE-2017-14883 can apply infinitely
- CVE-2020-11146 can apply infinitely
- CVE-2020-11608 can apply infinitely
- CVE-2021-42008 can apply infinitely

Questionable (might actually be beneficial to "incorrectly" apply again):
- CVE-2012-6544 can apply once to hci_sock_getsockopt correctly and incorrectly to hci_sock_setsockopt
- CVE-2013-2898 can apply once to sensor_hub_get_feature correctly and incorrectly to sensor_hub_set_feature
- CVE-2015-8575 can apply once to sco_sock_bind correctly and incorrectly to sco_sock_connect
- CVE-2017-8281 can apply once to diagchar_ioctl correctly and incorrectly to diagchar_compat_ioctl
- CVE-2019-10622 can apply once	to qdsp_cvp_callback correctly and incorrectly to qdsp_cvs_callback
- CVE-2019-14104 can apply once to cam_context_handle_start/stop_dev and incorrectly to cam_context_handle_crm_process_evt and cam_context_handle_flush_dev

Other notes:
- CVE-2016-6693 can be applied again if it was already applied in combination with CVE-2016-6696
  then the dupe check will fail and mark CVE-2016-6696 as already applied, effectively reverting it.
  This was seemingly fixed with a hand merged patch in patch repo.

Wrongly removed:
- CVE-2013-2147 is meant for cciss_ioctl32_passthru but is detected in cciss_ioctl32_big_passthru
- CVE-2015-8746 is meant for nfs_v4_2_minor_ops but is detected in nfs_v4_1_minor_ops
- CVE-2021-Misc2/ANY/0043.patch is meant for WLANTL_RxCachedFrames but is detected in WLANTL_RxFrames

Signed-off-by: Tad <tad@spotco.us>
2022-03-04 00:42:28 -05:00
Tad
0d59c18c85 Enable the NETWORK permission patchset for 16.0 too
Likely has issues with secondary users.
As in the permission affects all copies of the same app.

Signed-off-by: Tad <tad@spotco.us>
2022-02-28 01:27:38 -05:00
Tad
f4fbe65756 Various changes
- 15.1: asb picks
- 17.1: drop marlin, sailfish, z2_plus, m8
- 4.9 loose versioning fixes
2022-02-24 19:51:44 -05:00
Tad
8b39498b1c Initial loose versioning work for 4.9
This applies 4.9 patches to 4.4 and 3.18 now that 4.4 is EOL

Untested, but looks mild

Signed-off-by: Tad <tad@spotco.us>
2022-02-22 13:44:47 -05:00
Tad
5245109cc1 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-02-19 23:22:19 -05:00
Tad
2eda5086fc Tiny tweak
Signed-off-by: Tad <tad@spotco.us>
2022-02-13 23:57:59 -05:00
Tad
48b009a02e Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-02-12 06:56:28 -05:00
Tad
b6da59d24f Drop FairEmail, Vanilla, and their AOSP equivalents
Signed-off-by: Tad <tad@spotco.us>
2022-02-11 14:25:30 -05:00
Tad
c0aac415aa Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-01-29 09:35:59 -05:00
Tad
82cc1bc979 Tiny update
Signed-off-by: Tad <tad@spotco.us>
2022-01-28 09:09:10 -05:00
Tad
58b53de17a Multi user tweaks from GrapheneOS
Signed-off-by: Tad <tad@spotco.us>
2022-01-24 06:30:39 -05:00
Tad
2400cf0964 App updates
- Drops Calendar, Eleven, and Email
- Adds a variable for Silence inclusion
- Adds a NONE option for microG inclusion flag to disable NLP inclusion

Signed-off-by: Tad <tad@spotco.us>
2022-01-24 06:30:15 -05:00
Tad
6329922104 Disable the Hamper Analytics patches
Rely on the HOSTS to do any blocking.
With the last update this causes app crashes, due to boolean/string mismatch.
Need to figure out exactly how string in manifest can become a boolean when wanted.

Signed-off-by: Tad <tad@spotco.us>
2022-01-23 16:55:24 -05:00