Adds ptrace_scope and timeout options to 17.1, tested working
Also adds hardened_malloc to 15.1, but failing to compile:
external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE'
if (param == M_PURGE) {
^
external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers]
struct mallinfo info = {0};
^
Signed-off-by: Tad <tad@spotco.us>
10+4 devices tested working with bionic hardening patches enabled
but hammerhead and shamu do not boot...
2 of the patches were already found to have issues and disabled
3 other patches were ruled out:
- Stop implicitly marking mappings as mergeable
- Make __stack_chk_guard read-only at runtime
- On 64-bit, zero the leading stack canary byte
Leaves 11+1 patches remaining that need to be tested
But I don't have either of the two known impacted devices.
Signed-off-by: Tad <tad@spotco.us>
hammerhead 16.0 was reported not booting
and shamu 18.1 was reported to take ~15+ minutes to boot
hammerhead does not have getrandom so it failed immediately
shamu does have getrandom BUT it blocks during init
meaning it'll wait until the entropy pool slowly fills
In tested I did not discovery this
I tested on flox/mako/d852/klte/clark/sailfish/mata/cheeseburger/fajita
All the newer ones have working getrandom
All the older ones included a patch to make getrandom non blocking on init
Signed-off-by: Tad <tad@spotco.us>
- enable the patchset for 18.1
- add an ugly patch that extends the Pixel 3* camera workaround to all camera executables
Signed-off-by: Tad <tad@spotco.us>
This also replaces the overrides for all versions
And should allow the Google WebView on 14/15/16
And lastly only leaves the bundled version as default
This is a merge of the LineageOS 14/15/16 and 17/18 overlay
With the addition of the Bromite signature from @MSe1969
Signed-off-by: Tad <tad@spotco.us>
- No patches were found with incorrect authorship/From: lines
- The older AndroidHardening patch repos are no longer available to verify CID.
- New GrapheneOS patches do not include a CID.
- *Signature_Spoofing.patch CID could not be found.
- Fixed CID of *Harden_Sig_Spoofing.patch to match 14.1
- Fixed CID of *LGE_Fixes.patch to match 14.1
- Fixed CID of *Harden.patch to match 14.1
- Added edit note to *Harden.patch
- Fixed CID of *PREREQ_Handle_All_Modes.patch to match 14.1
- Fixed CID of *More_Preferred_Network_Modes.patch to match 14.1
- Fixed CID of *AES256.patch to match 14.1
- Fixed CID of *0001-OTA_Keys.patch to match 18.1
- Fixed CID of *Camera_Fix.patch to match 15.1
- Fixed CID of *Connectivity.patch to match 14.1
- Fixed CID of *Fix_Calling.patch to match 14.1
- Fixed CID of *Remove_Analytics.patch to match 14.1
- Fixed CID of Unused-*.patch/audio_extn to match original
Signed-off-by: Tad <tad@spotco.us>
This removes many duplicately or wrongly applied patches.
Correctly removed:
- CVE-2011-4132 can apply infinitely
- CVE-2013-2891 can apply infinitely
- CVE-2014-9781 can apply once to fb_cmap_to_user correctly and incorrectly to fb_copy_cmap
- CVE-2015-0571 can apply incorrectly and was disabled in patch repo as a result
- CVE-2016-2475 can apply infinitely
- CVE-2017-0627 can apply infinitely
- CVE-2017-0750 can apply infinitely
- CVE-2017-14875 can apply infinitely
- CVE-2017-14883 can apply infinitely
- CVE-2020-11146 can apply infinitely
- CVE-2020-11608 can apply infinitely
- CVE-2021-42008 can apply infinitely
Questionable (might actually be beneficial to "incorrectly" apply again):
- CVE-2012-6544 can apply once to hci_sock_getsockopt correctly and incorrectly to hci_sock_setsockopt
- CVE-2013-2898 can apply once to sensor_hub_get_feature correctly and incorrectly to sensor_hub_set_feature
- CVE-2015-8575 can apply once to sco_sock_bind correctly and incorrectly to sco_sock_connect
- CVE-2017-8281 can apply once to diagchar_ioctl correctly and incorrectly to diagchar_compat_ioctl
- CVE-2019-10622 can apply once to qdsp_cvp_callback correctly and incorrectly to qdsp_cvs_callback
- CVE-2019-14104 can apply once to cam_context_handle_start/stop_dev and incorrectly to cam_context_handle_crm_process_evt and cam_context_handle_flush_dev
Other notes:
- CVE-2016-6693 can be applied again if it was already applied in combination with CVE-2016-6696
then the dupe check will fail and mark CVE-2016-6696 as already applied, effectively reverting it.
This was seemingly fixed with a hand merged patch in patch repo.
Wrongly removed:
- CVE-2013-2147 is meant for cciss_ioctl32_passthru but is detected in cciss_ioctl32_big_passthru
- CVE-2015-8746 is meant for nfs_v4_2_minor_ops but is detected in nfs_v4_1_minor_ops
- CVE-2021-Misc2/ANY/0043.patch is meant for WLANTL_RxCachedFrames but is detected in WLANTL_RxFrames
Signed-off-by: Tad <tad@spotco.us>
Some patches were ported from 12 to 10/11
Some patches from 11 were ported to 10
This 10/11 port should be very close to 12
BOUNS: 16.0 patches, disabled
Signed-off-by: Tad <tad@spotco.us>
- Drops Calendar, Eleven, and Email
- Adds a variable for Silence inclusion
- Adds a NONE option for microG inclusion flag to disable NLP inclusion
Signed-off-by: Tad <tad@spotco.us>
- 16.0: drop wallpaper optimization patch, questionable source
- deblobber: don't remove libmmparser_lite.so, potentially used by camera
- 17.1: pick Q_asb_2021-12, excluding a broken patch
- clark 17.1: some camera denial fixes
- alioth: unmark broken
- 17.1: switch to upstream glibc fix
- 17.1/18.1: disable per app sensors permission patchset, potential camera issues
Signed-off-by: Tad <tad@spotco.us>
Camera works in OpenCamera, but it can't actually take pictures.
Switch to Camera2 instead, tested pictures and videos working.
Also fixup compile issue with oneplus/msm8998-common
And refresh some patchers
Signed-off-by: Tad <tad@spotco.us>
Switch these patches to MODE_ALLOWED from MODE_ASK to fix breakage
of system services.
Also remove some code that adds a likely security issue.
Will need some extra regression testing.
Signed-off-by: Tad <tad@spotco.us>
No change to AVB devices except for enabling on more
Verity devices have the potential to regress by not booting
No change to non-verity/avb devices
Tested working on: mata, cheeseburger, fajita
Signed-off-by: Tad <tad@spotco.us>
- Put more blobs behind flags for testing purposes
- Potential graphics fix for newer devices
- Removes more Wi-Fi display blobs
- Remove some misc blobs
Signed-off-by: Tad <tad@spotco.us>
Based off of patches from CalyxOS as noted in each included patch.
Tested and verified working on klte and mata 18.1
Signed-off-by: Tad <tad@spotco.us>
after the CVE-2021-Misc2 import and hardenDefconfig overhaul
also sync 18.1 DnsResovler patches with:
6332b25b87f8490d024a
Signed-off-by: Tad <tad@spotco.us>
This removes the hidden development 'Sensors off' tile from Settings app,
adds it back to SystemUI, and enables it by default.
Tested working on 18.1
Signed-off-by: Tad <tad@spotco.us>
I have a sneaking suspicion that the length of some device command lines is
causing boot issues.
eg. with the recent additions, klte boots fine, but recovery doesn't, maybe
bootloader is adding more flags, exceeding a limit?
Signed-off-by: Tad <tad@spotco.us>
- Include TalkBack
- Fixup hosts inclusion, due to path mismatch
- 14.1: bump patch level to match the picked ASB
- 14.1: m7-common: deblobber fix
Signed-off-by: Tad <tad@spotco.us>
- Update Settings and SetupWizard patches after the big SetupWizard UI update
- Use the latest captive portal patch, was also previously partially broken
due to mis-apply
Signed-off-by: Tad <tad@spotco.us>
LTE tested working with hybrid 33-107 modem.
Phone calls drop to HSPA as expected.
No issues if using stock modem either compared to without this patch.
In my area, without this patch, my makos are useless cell-wise.
Gives extra life to the Nexus 4.
Signed-off-by: Tad <tad@spotco.us>
- Remove some changes that have been commented for a while
- Don't remove the QCOM VR repos
- Adjust the default quick tiles
- Don't force hardware layers for recents
- Only generate deltas for update_engine devices
- Cherrypick: Update WebView to 90.0.4430.66
- Adjust yylloc sed line
- Add comments to 17.1 devices explaining why they aren't removed for 18.1 yet
PRODUCT_OTA_PUBLIC_KEYS is meant to be set by a vendor tree, something
we don't use.
Override it at the source and set it explicitely as well.
This ensures that the compiled recovery.img and the one generated by
sign_target_files_apks.py includes the real public keys for verification.
11.0 signing is ignored.
This will need to be extensively tested as breakage can mean brick on locked
devices.
Although in failure cases it seems test-keys are accepted.
--
After much testing there appears to be a deeper issue with how keys
are inserted into the recovery and handled
- Disable generation of unused OTA to reduce compile time
- 17.1+: Disable APEX, breaks signing, and is also useless since no Play Store.
- 18.1: Fixup signing
- Add m7 and avicii (untested)
- Use low_ram target on <2GB devices
Silly me, this never did anything due to the git reset...
- Update Chromium WebView cherrypick
- Functionality tested on mako and klte
- In-place upgrade from 17.1 tested working on klte
- Compile tested on bacon and klte
- Recovery OTA key patch missing, unsure if still needed.
- Deblobber needs support for removing vintf manifest paths from vendor Android.bp
- Launcher needs more default_workspace grid variants (eg. 4x5)
This should be most of it
also
- properly update webview, repopick doesn't seem to handle the branch
- always cd back to base, to prevent script breakage
- fixup CNE removal to disable Wi-Fi calling
- extend system.prop edits to cover all .props
- remove persist. and ro. from edits to cover all properties
- Remove leftover WireGuard repo missed in 31898834
- Enable the volteOverride, to ensure VoLTE enablement on supported devices on unknown carriers
- Extend volteOverride to support system.prop if vendor.prop doesn't exist (to cover eg. marlin/sailfish)
- Disable commenting of SOUND_TRIGGER flags.
sountrigger blobs are not removed due to boot breakage.
disable this and stop patching hardware/qcom/audio.
Intended to potentially fix phone call audio issues on mata
- Small CVE patcher updates
VoLTE tested working on mata/17.1!
VoWiFi tested working with DOS_DEBLOBBER_REMOVE_CNE=false
- Disable Graphene exec spawning feature, subtly breaks many apps
Maybe missing some patches?
- Build old versions for devices with broken IMS
- Ensure shell umask is always 0022
- fwb overlay: drop the MMS user-agent overrides
- Drop the BlobBlocker and ModuleBlocker
They were unused and unkempt.
- Put volteOverride behind DOS_DEBLOBBER_REMOVE_IMS and comment it
