Commit Graph

687 Commits

Author SHA1 Message Date
Tad
70b8485695 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-06-09 17:59:48 -04:00
Tad
2bf84a7643 Increase default max password length to 64, credit GrapheneOS
Closes https://github.com/Divested-Mobile/DivestOS-Build/pull/119
Closes https://github.com/Divested-Mobile/DivestOS-Build/issues/27

Signed-off-by: Tad <tad@spotco.us>
2022-06-07 15:33:38 -04:00
Tad
899ea17d4e Add the missing page sanitization to 3.18 kernels
All along they only had slub sanization :(

Signed-off-by: Tad <tad@spotco.us>
2022-06-04 12:00:01 -04:00
Tad
92c66447f8 Drop slub_debug
What is lost?
- sanity checks and redzoning on all devices
  - redzoning reportedly however causes issues on some devices such as the Pixel 3/4 and OnePlus 7
- slub sanization on 3.0, 3.4, 4.4 (except google/wahoo), xiaomi/sm6150, and oneplus/sm7250

Note: all 3.4+ devices still have page sanization

Signed-off-by: Tad <tad@spotco.us>
2022-06-03 13:58:17 -04:00
Tad
da63c9e571 Various small patches
7408144e1b
> extend Network/Sensors permission handling for legacy apps not targeting Android 6
> or above (API 23) to resolve a UI issue where the user choosing to grant the
> Network/Sensors permissions via the legacy permission review interface doesn't
> appear in the Settings app info page

22d32cb61b
suppresses https://github.com/Divested-Mobile/DivestOS-Build/discussions/112

66f406b979
3f69205d06
nice to have

Signed-off-by: Tad <tad@spotco.us>
2022-06-02 23:17:05 -04:00
Tad
6d95c231bc Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-05-31 21:29:22 -04:00
Tad
735c9e0de8 Revert 5d57bf13
I don't trust enabling MODULES won't cause weird inane breakage on these legacy devices

Signed-off-by: Tad <tad@spotco.us>
2022-05-27 23:46:57 -04:00
Tad
28724c4a6e Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-05-25 22:52:22 -04:00
Tad
2c4caa30a1 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-05-24 00:36:49 -04:00
Tad
e8bc36af04 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-05-20 17:16:29 -04:00
Tad
b2eb3c01b4 Update CVE patchers
Newly added CVE-2022-20009 is dupe with CVE-2022-25258 and CVE-2022-25375

Signed-off-by: Tad <tad@spotco.us>
2022-05-03 23:33:17 -04:00
Tad
65883d9bc4 2022
Signed-off-by: Tad <tad@spotco.us>
2022-05-01 01:13:49 -04:00
Tad
3316cc4824 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-04-27 07:46:22 -04:00
Tad
3457fd4151 Device cleanup
Drop long non-compiling devices:
- 14.1: n7100, jellypro
- 15.1: himaul, oneplus2
- 16.0: zenfone3, fugu
- 17.1: yellowstone, fugu
- 18.1: bonito, sargo

Drop in favor of 19.1:
- 17.1: bonito, sargo
- 18.1: pro1, aura, sunfish, coral, flame, bramble, redfin
(experimental, but these devices don't currently appear to have any users)

Signed-off-by: Tad <tad@spotco.us>
2022-04-26 15:19:57 -04:00
Tad
1f721c7845 Further credit patches
Signed-off-by: Tad <tad@spotco.us>
2022-04-19 23:52:10 -04:00
Tad
e666a4a891 Update CVE patchers
TODO: maybe split CVE-2022-23960/4.9 to get back?

Signed-off-by: Tad <tad@spotco.us>
2022-04-19 14:38:44 -04:00
Tad
d4dceffa60 Update supported kernels to latest wireless regulations database
Applies for ~43 kernel trees

Source: wireless-regdb-2022.04.08

Signed-off-by: Tad <tad@spotco.us>
2022-04-19 11:30:57 -04:00
Tad
163a162568 Fix boot animation + churn
Signed-off-by: Tad <tad@spotco.us>
2022-04-18 23:04:24 -04:00
Tad
4b6a86a473 Add missing device variants
Signed-off-by: Tad <tad@spotco.us>
2022-04-14 19:47:21 -04:00
Tad
42c9d22de9 Default disable exec spawning
Change the property too, so it takes effect next update.
Since 16.0 lacks a toggle, this effectively disables the feature for it.
Even devices with 4GB of RAM have usability severely impacted.

Plus some other tweaks/churn

Signed-off-by: Tad <tad@spotco.us>
2022-04-12 17:58:04 -04:00
Tad
30de608a61 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-04-12 02:51:44 -04:00
Tad
d078b24ddb lowram tweaks
Signed-off-by: Tad <tad@spotco.us>
2022-04-11 23:40:26 -04:00
Tad
a9e250afd9 Cleanup
Signed-off-by: Tad <tad@spotco.us>
2022-04-07 00:37:20 -04:00
Tad
b464106cc5 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-04-04 15:51:23 -04:00
Tad
6c5a65622c Page sanitization improvements
This ensures init_on_alloc/free is used instead of page poisioning where available.

3.4 through 3.18 have a patch without a toggle for page sanitization.

Signed-off-by: Tad <tad@spotco.us>
2022-04-02 12:57:17 -04:00
Tad
01900ca1c6 Reverts
WebView overlay is breaking boot on 15.1???

This reverts commit e61e288b4a.
2022-04-01 17:07:27 -04:00
Tad
3f9b346345 Fix boot breakage
On devices with quota enabled and impacted by this patch

Signed-off-by: Tad <tad@spotco.us>
2022-04-01 10:30:30 -04:00
Tad
19b03c9ff4 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-28 17:43:48 -04:00
Tad
a3266de8df Tiny fix
Signed-off-by: Tad <tad@spotco.us>
2022-03-21 18:25:48 -04:00
Tad
a53062ca0b Backports
Adds ptrace_scope and timeout options to 17.1, tested working

Also adds hardened_malloc to 15.1, but failing to compile:
external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE'
    if (param == M_PURGE) {
                 ^
external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers]
    struct mallinfo info = {0};
                             ^

Signed-off-by: Tad <tad@spotco.us>
2022-03-21 18:06:49 -04:00
Tad
a56e3a3016 Disable the bionic hardening patchset to fix boot issues
10+4 devices tested working with bionic hardening patches enabled
but hammerhead and shamu do not boot...

2 of the patches were already found to have issues and disabled
3 other patches were ruled out:
- Stop implicitly marking mappings as mergeable
- Make __stack_chk_guard read-only at runtime
- On 64-bit, zero the leading stack canary byte
Leaves 11+1 patches remaining that need to be tested
But I don't have either of the two known impacted devices.

Signed-off-by: Tad <tad@spotco.us>
2022-03-19 16:19:00 -04:00
Tad
3207cde72e Small tweaks
Signed-off-by: Tad <tad@spotco.us>
2022-03-19 12:41:49 -04:00
Tad
09353cdcd2 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-18 00:07:18 -04:00
Tad
e61e288b4a Optionally allow the official Bromite WebView to be used, credit @MSe1969
This also replaces the overrides for all versions
And should allow the Google WebView on 14/15/16
And lastly only leaves the bundled version as default

This is a merge of the LineageOS 14/15/16 and 17/18 overlay
With the addition of the Bromite signature from @MSe1969

Signed-off-by: Tad <tad@spotco.us>
2022-03-14 22:59:40 -04:00
Tad
f65c7a4ccd Tweaks
Signed-off-by: Tad <tad@spotco.us>
2022-03-12 11:48:23 -05:00
Tad
015799737e Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-09 17:16:47 -05:00
Tad
4f75a8272a Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-09 11:59:30 -05:00
Tad
902239e2b5 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-08 23:20:43 -05:00
Tad
de764885b3 Fixup
Signed-off-by: Tad <tad@spotco.us>
2022-03-08 12:56:52 -05:00
Tad
54dbcd9e43 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-03-07 19:12:10 -05:00
Tad
bda848a0a1 Fixup 057bedb6
Sadly this means the option was never enabled :(
Note: these options are only available on 4.4+ kernels

Signed-off-by: Tad <tad@spotco.us>
2022-03-06 23:05:13 -05:00
Tad
ac1e89f0c8 Update CVE patchers [the big fixup]
This removes many duplicately or wrongly applied patches.

Correctly removed:
- CVE-2011-4132 can apply infinitely
- CVE-2013-2891 can apply infinitely
- CVE-2014-9781 can apply once to fb_cmap_to_user correctly and incorrectly to fb_copy_cmap
- CVE-2015-0571 can apply incorrectly and was disabled in patch repo as a result
- CVE-2016-2475 can apply infinitely
- CVE-2017-0627 can apply infinitely
- CVE-2017-0750 can apply infinitely
- CVE-2017-14875 can apply infinitely
- CVE-2017-14883 can apply infinitely
- CVE-2020-11146 can apply infinitely
- CVE-2020-11608 can apply infinitely
- CVE-2021-42008 can apply infinitely

Questionable (might actually be beneficial to "incorrectly" apply again):
- CVE-2012-6544 can apply once to hci_sock_getsockopt correctly and incorrectly to hci_sock_setsockopt
- CVE-2013-2898 can apply once to sensor_hub_get_feature correctly and incorrectly to sensor_hub_set_feature
- CVE-2015-8575 can apply once to sco_sock_bind correctly and incorrectly to sco_sock_connect
- CVE-2017-8281 can apply once to diagchar_ioctl correctly and incorrectly to diagchar_compat_ioctl
- CVE-2019-10622 can apply once	to qdsp_cvp_callback correctly and incorrectly to qdsp_cvs_callback
- CVE-2019-14104 can apply once to cam_context_handle_start/stop_dev and incorrectly to cam_context_handle_crm_process_evt and cam_context_handle_flush_dev

Other notes:
- CVE-2016-6693 can be applied again if it was already applied in combination with CVE-2016-6696
  then the dupe check will fail and mark CVE-2016-6696 as already applied, effectively reverting it.
  This was seemingly fixed with a hand merged patch in patch repo.

Wrongly removed:
- CVE-2013-2147 is meant for cciss_ioctl32_passthru but is detected in cciss_ioctl32_big_passthru
- CVE-2015-8746 is meant for nfs_v4_2_minor_ops but is detected in nfs_v4_1_minor_ops
- CVE-2021-Misc2/ANY/0043.patch is meant for WLANTL_RxCachedFrames but is detected in WLANTL_RxFrames

Signed-off-by: Tad <tad@spotco.us>
2022-03-04 00:42:28 -05:00
Tad
f4fbe65756 Various changes
- 15.1: asb picks
- 17.1: drop marlin, sailfish, z2_plus, m8
- 4.9 loose versioning fixes
2022-02-24 19:51:44 -05:00
Tad
8b39498b1c Initial loose versioning work for 4.9
This applies 4.9 patches to 4.4 and 3.18 now that 4.4 is EOL

Untested, but looks mild

Signed-off-by: Tad <tad@spotco.us>
2022-02-22 13:44:47 -05:00
Tad
5245109cc1 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-02-19 23:22:19 -05:00
Tad
5283db6f05 Drop the broken PDB patch
Why'd past me write this trash?

Signed-off-by: Tad <tad@spotco.us>
2022-02-14 07:43:45 -05:00
Tad
48b009a02e Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-02-12 06:56:28 -05:00
Tad
b6da59d24f Drop FairEmail, Vanilla, and their AOSP equivalents
Signed-off-by: Tad <tad@spotco.us>
2022-02-11 14:25:30 -05:00
Tad
ee0bd8625f Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-02-07 14:43:05 -05:00
Tad
c0aac415aa Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-01-29 09:35:59 -05:00
Tad
82cc1bc979 Tiny update
Signed-off-by: Tad <tad@spotco.us>
2022-01-28 09:09:10 -05:00
Tad
2400cf0964 App updates
- Drops Calendar, Eleven, and Email
- Adds a variable for Silence inclusion
- Adds a NONE option for microG inclusion flag to disable NLP inclusion

Signed-off-by: Tad <tad@spotco.us>
2022-01-24 06:30:15 -05:00
Tad
6329922104 Disable the Hamper Analytics patches
Rely on the HOSTS to do any blocking.
With the last update this causes app crashes, due to boolean/string mismatch.
Need to figure out exactly how string in manifest can become a boolean when wanted.

Signed-off-by: Tad <tad@spotco.us>
2022-01-23 16:55:24 -05:00
Tad
6ec0c63126 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-01-13 11:08:22 -05:00
Tad
bfcf6b18b7 Fixup
Signed-off-by: Tad <tad@spotco.us>
2022-01-12 05:57:08 -05:00
Tad
ce6ee9d8e4 Update CVE patchers
CVE-2021-0961 should be fine now

Signed-off-by: Tad <tad@spotco.us>
2022-01-11 05:41:26 -05:00
Tad
b9c7839110 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-01-11 01:19:31 -05:00
Tad
b05823bb20 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2022-01-04 21:00:25 -05:00
Tad
e08349a202 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-12-29 11:51:58 -05:00
Tad
3c1931bcc9 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-12-19 05:15:32 -05:00
Tad
11141d3bc9 Small tweaks
Signed-off-by: Tad <tad@spotco.us>
2021-12-17 14:31:13 -05:00
Tad
8cf90d055e Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-12-11 01:12:41 -05:00
Tad
359ce4608f Small updates
Signed-off-by: Tad <tad@spotco.us>
2021-12-07 20:57:54 -05:00
Tad
ed1c151ce5 Update CVE patchers
CVE-2021-0961/ANY/0001.patch likely causes breakage

Signed-off-by: Tad <tad@spotco.us>
2021-12-06 17:43:34 -05:00
Tad
c5c3998593 Guess what? f̵͖̲̙̝̩̌̌̌̑͆̔͐̏͋̓̅̔̒̈́͠i̴͍̗̦͕̅̓̿͋̓̑̽͌͐͊͘͠͠s̵̡̬͙͚̃͑̓̊̌́̾́͠ḥ̴̬͓͚̹̱̰͕͚͈̞̳͒̊ ̵̢̟̞̖͈͖͕̥̙̤͉̮̍́̅̀̾b̵̛̹̝̙̖̱̲͉͚̝̪̲̓̿͛̔̆͋̎́͐̃͆̀̕͝u̸̞̺͓͎̰̦̯̘̺̬͔̬͆͛̋̍̂͒̓͛̐̈́̋̚͝ṫ̵̠t̶̻̳̜̪̗͖͛̂̒̃̑̏͝
Tested on 14.1 and 15.1 targets

Signed-off-by: Tad <tad@spotco.us>
2021-11-29 21:14:00 -05:00
Tad
67b5a166fc 16.0: extreme loose versioning work
Signed-off-by: Tad <tad@spotco.us>
2021-11-27 22:44:29 -05:00
Tad
de89333a03 15.1: extreme loose versioning work
Signed-off-by: Tad <tad@spotco.us>
2021-11-27 22:09:30 -05:00
Tad
9b84cebf92 17.1: loose versioning work
Signed-off-by: Tad <tad@spotco.us>
2021-11-27 15:50:11 -05:00
Tad
c153981b3f 15.1: loose versioning work
Signed-off-by: Tad <tad@spotco.us>
2021-11-26 22:40:07 -05:00
Tad
c95421b6d2 Fixup 9c105b79
Signed-off-by: Tad <tad@spotco.us>
2021-11-08 18:45:29 -05:00
Tad
9c105b799f O_asb_2021-11
Based off of:
https://review.lineageos.org/q/topic:P_asb_2021-11

Missing:
https://review.lineageos.org/c/LineageOS/android_packages_apps_Settings/+/318655

Maybe missing:
https://review.lineageos.org/c/LineageOS/android_hardware_nxp_nfc/+/318653

Doesn't exist:
https://review.lineageos.org/c/LineageOS/android_frameworks_native/+/318652

Untested

Signed-off-by: Tad <tad@spotco.us>
2021-11-08 17:19:50 -05:00
Tad
5c8250bbdd Disable the per-app sensor permission patches
Breaks camera on angler

Signed-off-by: Tad <tad@spotco.us>
2021-11-05 14:46:32 -04:00
Tad
621441349e Fixup the sensors permission patches on 7, 8, and 9.
Switch these patches to MODE_ALLOWED from MODE_ASK to fix breakage
of system services.

Also remove some code that adds a likely security issue.

Will need some extra regression testing.

Signed-off-by: Tad <tad@spotco.us>
2021-11-04 10:24:06 -04:00
Tad
f7295a0f74 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-11-02 23:50:35 -04:00
Tad
f3277f3c07 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-11-02 12:01:36 -04:00
Tad
809e03833e Verity enablement overhaul
No change to AVB devices except for enabling on more
Verity devices have the potential to regress by not booting
No change to non-verity/avb devices
Tested working on: mata, cheeseburger, fajita

Signed-off-by: Tad <tad@spotco.us>
2021-11-02 10:24:07 -04:00
Tad
bc77ca416c Verity fixups
Not sure how I missed all of these?

Signed-off-by: Tad <tad@spotco.us>
2021-11-01 20:55:22 -04:00
Tad
ec043e961e Update CVE patchers
CVE-2021-20317 might need to be disabled due to QC timer breakage.

Signed-off-by: Tad <tad@spotco.us>
2021-10-27 15:26:53 -04:00
Tad
5d7d710076 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-10-20 15:01:18 -04:00
Tad
b78944933c More fixes
Ensure new shells have the correct settings too.

Signed-off-by: Tad <tad@spotco.us>
2021-10-16 22:57:43 -04:00
Tad
042b9063d1 More fixes
Signed-off-by: Tad <tad@spotco.us>
2021-10-16 17:12:13 -04:00
Tad
256b1db98b Hard fail on error
Signed-off-by: Tad <tad@spotco.us>
2021-10-16 16:08:43 -04:00
Tad
a5cdb9ab58 Fix patch ordering
Signed-off-by: Tad <tad@spotco.us>
2021-10-16 15:21:22 -04:00
Tad
4ce35a3c60 Refresh most branch specific patches
Fixed up:
LineageOS-16.0/android_packages_apps_Backgrounds/308977.patch
LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
LineageOS-17.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch
LineageOS-18.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch

Must review again:
LineageOS-14.1/android_packages_apps_PackageInstaller/64d8b44.patch

Signed-off-by: Tad <tad@spotco.us>
2021-10-16 15:19:55 -04:00
Tad
f7194d1f13 Switch to applyPatch
Signed-off-by: Tad <tad@spotco.us>
2021-10-16 14:01:44 -04:00
Tad
7ba42f052a Small changes
Signed-off-by: Tad <tad@spotco.us>
2021-10-14 15:58:22 -04:00
Tad
d5d3846f2c Small tweaks
Signed-off-by: Tad <tad@spotco.us>
2021-10-10 19:44:59 -04:00
Tad
939c6aa7ed Small tweaks
Signed-off-by: Tad <tad@spotco.us>
2021-10-07 20:07:49 -04:00
Tad
2af0e1201e Re-enable the recovery downgrade check
Signed-off-by: Tad <tad@spotco.us>
2021-10-06 17:03:22 -04:00
Tad
f2e1d32eba Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-10-06 16:54:45 -04:00
Tad
7b28a193f1 Include the Support app
This is a very basic app with zero permissions and has quick links to
various related resources.

Signed-off-by: Tad <tad@spotco.us>
2021-10-06 06:21:38 -04:00
Tad
59bd09a807 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-10-05 14:44:23 -04:00
Tad
870382ff40 Switch to the Mulch WebView
Signed-off-by: Tad <tad@spotco.us>
2021-10-02 01:44:46 -04:00
Tad
025ca7df7f compile fixups
after the CVE-2021-Misc2 import and hardenDefconfig overhaul

also sync 18.1 DnsResovler patches with:
6332b25b87
f8490d024a

Signed-off-by: Tad <tad@spotco.us>
2021-10-01 12:34:22 -04:00
Tad
27fe558b76 Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-09-29 16:47:50 -04:00
Tad
84c7d230ab Permission for sensors access patches from @MSe1969
Signed-off-by: Tad <tad@spotco.us>
2021-09-24 23:35:33 -04:00
Tad
f5a58bd35f Update CVE patchers
Signed-off-by: Tad <tad@spotco.us>
2021-09-23 20:56:00 -04:00
Tad
c753abf1b2 Small update
Signed-off-by: Tad <tad@spotco.us>
2021-09-20 12:12:58 -04:00
Tad
4917af86cc Update copyright dates
Signed-off-by: Tad <tad@spotco.us>
2021-09-15 10:30:08 -04:00
Tad
cf3a12cb5a Move some changes into a new Post.sh
Signed-off-by: Tad <tad@spotco.us>
2021-09-15 10:26:37 -04:00