mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 05:35:54 +00:00
30859d2c08
new (internal used) functions: - _exit - _exit_report - _exit_sigint these are used to fix several (wrong) error handlings. new environment variable: - UNATTENDED_PATCHING by default we assume unattended patching, i.e. if an error occurs during the patch, reset or any other process we will report the error and auto close the shell. this is needed as we source functions and code and so cannot simply terminate a master process. instead the whole shell will be terminated so if an error occurs nothing else will be executed (and you should notice easily that something is wrong). without that a (serious) error can still continue the rest of a function and you likely not even noticing the error itself. you can use: export UNATTENDED_PATCHING=0 before or after sourcing init.sh and it will *NOT* auto-close the shell. that way you can check the output and fix any issues. Signed-off-by: steadfasterX <steadfasterX@gmail.com>
1250 lines
64 KiB
Bash
1250 lines
64 KiB
Bash
#!/bin/bash
|
|
#DivestOS: A privacy focused mobile distribution
|
|
#Copyright (c) 2017-2022 Divested Computing Group
|
|
#
|
|
#This program is free software: you can redistribute it and/or modify
|
|
#it under the terms of the GNU General Public License as published by
|
|
#the Free Software Foundation, either version 3 of the License, or
|
|
#(at your option) any later version.
|
|
#
|
|
#This program is distributed in the hope that it will be useful,
|
|
#but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
#GNU General Public License for more details.
|
|
#
|
|
#You should have received a copy of the GNU General Public License
|
|
#along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
umask 0022;
|
|
|
|
_fetchError(){
|
|
local last_status="$1";
|
|
local error_line_number="$2";
|
|
local last_func="$3";
|
|
local file=$(echo "$4" | sed "s#$DOS_WORKSPACE_ROOT#\$DOS_WORKSPACE_ROOT#g");
|
|
|
|
# ignore when pressing TAB or sim.
|
|
if [[ "$file" =~ .*bash_completion ]];then return; fi
|
|
case $last_func in
|
|
command_not_found_handle|_filedir) return;;
|
|
esac
|
|
|
|
if [ ! -z "$last_func" ] && [ ! -z "$file" ];then
|
|
echo -e "\e[0;31mERROR: $file -> ${last_func}() ended with status >${last_status}< at line >$((error_line_number -1))<\e[0m";
|
|
elif [ ! -z "$last_func" ];then
|
|
echo -e "\e[0;31mERROR: ${last_func}() ended with status >${last_status}< at line >$((error_line_number -1))<\e[0m";
|
|
else
|
|
echo -e "\e[0;31mERROR: last command ended with status >${last_status}< at line >$((error_line_number -1))<\e[0m";
|
|
fi
|
|
export TR_ERR=$last_status
|
|
_exit_report
|
|
}
|
|
export -f _fetchError;
|
|
|
|
startPatcher() {
|
|
java -jar "$DOS_BINARY_PATCHER" patch workspace "$DOS_BUILD_BASE" "$DOS_WORKSPACE_ROOT""Patches/Linux/" "$DOS_SCRIPTS_CVES" $1;
|
|
}
|
|
export -f startPatcher;
|
|
|
|
resetWorkspace() {
|
|
umask 0022;
|
|
if [ "$1" == "local" ]; then local noNetwork="--local-only"; fi;
|
|
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync --jobs-network=6 --jobs-checkout=12 --force-sync --detach $noNetwork;
|
|
repo forall -v -c 'echo "$REPO_PATH $(git rev-parse HEAD)"' | sort -u > "$DOS_WORKSPACE_ROOT/Logs/resetWorkspace-$DOS_VERSION.txt";
|
|
}
|
|
export -f resetWorkspace;
|
|
|
|
patchWorkspace() {
|
|
patchWorkspaceReal; #|& tee "$DOS_WORKSPACE_ROOT/Logs/patchWorkspace-$DOS_VERSION.log";
|
|
}
|
|
export -f patchWorkspace;
|
|
|
|
verifyAllPlatformTags() {
|
|
repo forall -v -c 'sh -c "source $DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh && verifyTagIfPlatform $REPO_PROJECT $REPO_PATH"';
|
|
}
|
|
export -f verifyAllPlatformTags;
|
|
|
|
enter() {
|
|
echo "================================================================================================"
|
|
local dir="$1";
|
|
local dirReal="$DOS_BUILD_BASE/$dir";
|
|
umask 0022;
|
|
if [ -d "$dirReal" ]; then
|
|
cd "$dirReal";
|
|
echo -e "\e[0;32m[ENTERING] $dir\e[0m";
|
|
return 0;
|
|
else
|
|
echo -e "\e[0;31m[ENTERING FAILED] $dir\e[0m";
|
|
return 1;
|
|
fi;
|
|
}
|
|
export -f enter;
|
|
|
|
enterAndClear() {
|
|
if enter "$1"; then gitReset; else return 1; fi;
|
|
}
|
|
export -f enterAndClear;
|
|
|
|
gitReset() {
|
|
(git add -A && git reset --hard) || true;
|
|
}
|
|
export -f gitReset;
|
|
|
|
applyPatchReal() {
|
|
currentWorkingPatch=$1;
|
|
firstLine=$(head -n1 "$currentWorkingPatch");
|
|
if [[ "$firstLine" = *"Mon Sep 17 00:00:00 2001"* ]] || [[ "$firstLine" = *"Thu Jan 1 00:00:00 1970"* ]]; then
|
|
if git am "$@"; then
|
|
if [ "$DOS_REFRESH_PATCHES" = true ]; then
|
|
if [[ "$currentWorkingPatch" == $DOS_PATCHES* ]]; then
|
|
git format-patch -1 HEAD --zero-commit --no-signature --output="$currentWorkingPatch";
|
|
fi;
|
|
fi;
|
|
else
|
|
echo "Applying (git am): $currentWorkingPatch - FAILED"
|
|
git am --abort || true
|
|
echo "Applying (patch fallback): $currentWorkingPatch"
|
|
patch -r - --no-backup-if-mismatch --forward --ignore-whitespace --verbose -p1 < $currentWorkingPatch
|
|
fi;
|
|
else
|
|
echo "Applying (as diff): $currentWorkingPatch";
|
|
git apply "$@";
|
|
fi;
|
|
}
|
|
export -f applyPatchReal;
|
|
|
|
applyPatch() {
|
|
currentWorkingPatch=$1;
|
|
set -E
|
|
if [ -f "$currentWorkingPatch" ]; then
|
|
if git apply --check "$@" &> /dev/null; then
|
|
applyPatchReal "$@";
|
|
else
|
|
if git apply --reverse --check "$@" &> /dev/null; then
|
|
echo "Already applied: $currentWorkingPatch";
|
|
else
|
|
if git apply --check "$@" --3way &> /dev/null; then
|
|
applyPatchReal "$@" --3way;
|
|
echo "Applied (as 3way): $currentWorkingPatch";
|
|
else
|
|
echo -e "\e[0;31mERROR: Cannot apply: $currentWorkingPatch\e[0m";
|
|
false
|
|
fi;
|
|
fi;
|
|
fi;
|
|
else
|
|
echo -e "\e[0;31mERROR: Patch doesn't exist: $currentWorkingPatch\e[0m";
|
|
false
|
|
fi;
|
|
}
|
|
export -f applyPatch;
|
|
|
|
gpgVerifyDirectory() {
|
|
if [ -r "$DOS_TMP_GNUPG/pubring.kbx" ]; then
|
|
for sig in $1/*.asc; do
|
|
if gpg --homedir "$DOS_TMP_GNUPG" --verify $sig &>/dev/null; then
|
|
echo -e "\e[0;32mGPG Verified Successfully: $sig\e[0m";
|
|
else
|
|
echo -e "\e[0;31mWARNING: GPG Verification Failed: $sig\e[0m";
|
|
sleep 60;
|
|
fi;
|
|
done;
|
|
else
|
|
echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $1 will not be performed!\e[0m";
|
|
fi;
|
|
}
|
|
export -f gpgVerifyDirectory;
|
|
|
|
scanForMalware() {
|
|
if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.c*d ]; then
|
|
echo -e "\e[0;32mStarting a malware scan...\e[0m";
|
|
local excludes="--exclude-dir=\".git\" --exclude-dir=\".repo\"";
|
|
local scanQueue="$2";
|
|
if [ "$1" = true ]; then
|
|
if [ "$DOS_MALWARE_SCAN_SETTING" != "quick" ] || [ "$DOS_MALWARE_SCAN_SETTING" = "extra" ]; then
|
|
scanQueue=$scanQueue" $DOS_BUILD_BASE/frameworks $DOS_BUILD_BASE/vendor";
|
|
fi;
|
|
if [ "$DOS_MALWARE_SCAN_SETTING" = "slow" ]; then
|
|
scanQueue=$scanQueue"$DOS_BUILD_BASE/external $DOS_BUILD_BASE/prebuilts $DOS_BUILD_BASE/toolchain $DOS_BUILD_BASE/tools";
|
|
fi;
|
|
if [ "$DOS_MALWARE_SCAN_SETTING" = "full" ]; then
|
|
scanQueue="$DOS_BUILD_BASE";
|
|
fi;
|
|
fi;
|
|
du -hsc $scanQueue;
|
|
/usr/bin/clamscan --recursive --detect-pua --infected --allmatch --max-filesize=4000M --max-scansize=4000M $excludes $scanQueue;
|
|
local clamscanExit="$?";
|
|
if [ "$clamscanExit" -eq "1" ]; then
|
|
echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
|
|
echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";
|
|
echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
|
|
echo -e "\e[0;33mFalse positives such as the following are probably OK\e[0m";
|
|
echo -e "\e[0;33mPUAs: Ewind, Mobidash\e[0m";
|
|
echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
|
|
sleep 60;
|
|
fi;
|
|
if [ "$clamscanExit" -eq "0" ]; then
|
|
echo -e "\e[0;32mNo malware found\e[0m";
|
|
fi;
|
|
if [ "$clamscanExit" -eq "2" ]; then
|
|
echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
|
|
echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";
|
|
echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
|
|
sleep 60;
|
|
fi;
|
|
else
|
|
echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";
|
|
fi;
|
|
}
|
|
export -f scanForMalware;
|
|
|
|
generateBootAnimationMask() {
|
|
local text=$1;
|
|
local font=$2
|
|
local output=$3;
|
|
convert -depth 8 -background black -fill transparent -font "$font" -gravity center -size 512x128 label:"$text" "PNG32:$output";
|
|
}
|
|
export -f generateBootAnimationMask;
|
|
|
|
generateBootAnimationShine() {
|
|
local color=$1;
|
|
local style=$2;
|
|
local output=$3;
|
|
#The colors need to be symmetrical in order to make the animation smooth and not have any noticeable lines
|
|
convert -depth 8 -size 1024x128 -define gradient:angle=90 "$style":"$color" \( +clone -flop \) +append "PNG24:$output";
|
|
}
|
|
export -f generateBootAnimationShine;
|
|
|
|
audit2allowCurrent() {
|
|
adb logcat -b all -d | audit2allow -p "$OUT/root/sepolicy";
|
|
}
|
|
export -f audit2allowCurrent;
|
|
|
|
audit2allowADB() {
|
|
adb pull /sys/fs/selinux/policy;
|
|
adb logcat -b all -d | audit2allow -p policy;
|
|
}
|
|
export -f audit2allowADB;
|
|
|
|
processRelease() {
|
|
#Reference (MIT): GrapheneOS
|
|
#https://github.com/GrapheneOS/script/blob/13/release.sh
|
|
local DEVICE="$1";
|
|
local BLOCK="$2";
|
|
local VERITY="$3";
|
|
|
|
local DATE=$(date -u '+%Y%m%d')
|
|
local KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
|
|
local VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
|
|
local PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
|
|
local ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
|
|
local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";
|
|
|
|
local RELEASETOOLS_PREFIX="build/tools/releasetools/";
|
|
if [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]] || [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
|
|
local RELEASETOOLS_PREFIX="";
|
|
fi;
|
|
|
|
umask 0022;
|
|
|
|
echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";
|
|
|
|
#Arguments
|
|
if [ "$BLOCK" != false ]; then
|
|
local BLOCK_SWITCHES="--block";
|
|
fi;
|
|
if [[ "$VERITY" == "verity" ]]; then
|
|
local VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
|
|
--replace_verity_private_key "$KEY_DIR/verity" \
|
|
--replace_verity_keyid "$KEY_DIR/verity.x509.pem");
|
|
echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
|
|
elif [[ "$VERITY" == "avb" ]]; then
|
|
local AVB_PKMD="$KEY_DIR/avb_pkmd.bin";
|
|
local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096);
|
|
echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA and NOCHAIN\e[0m";
|
|
fi;
|
|
|
|
#XXX: --extra_apks Bluetooth.apk="$KEY_DIR/bluetooth" \
|
|
local APK_SWITCHES=(--extra_apks AdServicesApk.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks HalfSheetUX.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks OsuLogin.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks SafetyCenterResources.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks ServiceConnectivityResources.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks ServiceUwbResources.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks ServiceWifiResources.apk="$KEY_DIR/releasekey" \
|
|
--extra_apks WifiDialog.apk="$KEY_DIR/releasekey");
|
|
if [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
|
|
local APK_SWITCHES_EXTRA=(--extra_apks Bluetooth.apk="$KEY_DIR/bluetooth");
|
|
fi;
|
|
if [[ "$DOS_VERSION" == "LineageOS-17.1" ]] || [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]] || [[ "$DOS_VERSION" == "LineageOS-20.0" ]]; then
|
|
local APEX_SWITCHES=(--extra_apks com.android.adbd.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.adbd.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.adservices.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.adservices.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.adservices.api.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.adservices.api.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.apex.cts.shim.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.apex.cts.shim.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.appsearch.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.appsearch.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.art.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.art.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.art.debug.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.art.debug.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.btservices.apex="$KEY_DIR/bluetooth" \
|
|
--extra_apex_payload_key com.android.btservices.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.cellbroadcast.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.cellbroadcast.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.compos.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.compos.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.configinfrastructure.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.configinfrastructure.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.connectivity.resources.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.connectivity.resources.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.conscrypt.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.conscrypt.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.devicelock.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.devicelock.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.extservices.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.extservices.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.graphics.pdf.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.graphics.pdf.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.hardware.biometrics.face.virtual.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.hardware.biometrics.face.virtual.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.hardware.biometrics.fingerprint.virtual.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.hardware.biometrics.fingerprint.virtual.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.hardware.cas.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.hardware.cas.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.hardware.wifi.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.hardware.wifi.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.healthfitness.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.healthfitness.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.hotspot2.osulogin.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.hotspot2.osulogin.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.i18n.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.i18n.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.ipsec.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.ipsec.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.media.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.media.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.mediaprovider.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.mediaprovider.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.media.swcodec.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.media.swcodec.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.nearby.halfsheet.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.nearby.halfsheet.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.networkstack.tethering.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.networkstack.tethering.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.neuralnetworks.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.neuralnetworks.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.ondevicepersonalization.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.ondevicepersonalization.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.os.statsd.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.os.statsd.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.permission.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.permission.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.resolv.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.resolv.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.rkpd.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.rkpd.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.runtime.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.runtime.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.safetycenter.resources.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.safetycenter.resources.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.scheduling.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.scheduling.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.sdkext.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.sdkext.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.support.apexer.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.support.apexer.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.telephony.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.telephony.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.telephonymodules.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.telephonymodules.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.tethering.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.tethering.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.tzdata.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.tzdata.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.uwb.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.uwb.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.uwb.resources.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.uwb.resources.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.vibrator.drv2624.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.vibrator.drv2624.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.vibrator.sunfish.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.vibrator.sunfish.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.virt.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.virt.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.vndk.current.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.vndk.current.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.vndk.current.on_vendor.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.vndk.current.on_vendor.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.wifi.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.wifi.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.wifi.dialog.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.wifi.dialog.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.android.wifi.resources.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.android.wifi.resources.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.google.pixel.camera.hal.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.google.pixel.camera.hal.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.google.pixel.vibrator.hal.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.google.pixel.vibrator.hal.apex="$KEY_DIR/avb.pem" \
|
|
--extra_apks com.qorvo.uwb.apex="$KEY_DIR/releasekey" \
|
|
--extra_apex_payload_key com.qorvo.uwb.apex="$KEY_DIR/avb.pem");
|
|
fi;
|
|
|
|
#Malware Scan
|
|
if [ "$DOS_MALWARE_SCAN_BEFORE_SIGN" = true ]; then
|
|
echo -e "\e[0;32mScanning files for malware before signing\e[0m";
|
|
scanForMalware false $OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip;
|
|
fi;
|
|
|
|
#Target Files
|
|
echo -e "\e[0;32mSigning target files\e[0m";
|
|
"$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
|
|
"${APK_SWITCHES[@]}" \
|
|
"${APK_SWITCHES_EXTRA[@]}" \
|
|
"${APEX_SWITCHES[@]}" \
|
|
"${VERITY_SWITCHES[@]}" \
|
|
$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
|
|
"$OUT_DIR/$PREFIX-target_files.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-target_files.zip" > "$OUT_DIR/$PREFIX-target_files.zip.sha512sum";
|
|
local INCREMENTAL_ID=$(grep "ro.build.version.incremental" $OUT_DIR/system/build.prop | cut -f2 -d "=" | sed 's/\.//g');
|
|
echo "$INCREMENTAL_ID" > "$OUT_DIR/$PREFIX-target_files.zip.id";
|
|
|
|
#Image
|
|
unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q recovery.img || true;
|
|
local hasRecoveryImg="$?";
|
|
unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q dtbo.img;
|
|
local hasDtboImg="$?";
|
|
if [ "$hasRecoveryImg" == "1" ] || [ "$hasDtboImg" == "0" ]; then
|
|
echo -e "\e[0;32mCreating fastboot image\e[0m";
|
|
"$RELEASETOOLS_PREFIX"img_from_target_files "$OUT_DIR/$PREFIX-target_files.zip" \
|
|
"$OUT_DIR/$PREFIX-fastboot.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-fastboot.zip" > "$OUT_DIR/$PREFIX-fastboot.zip.sha512sum";
|
|
fi
|
|
|
|
#OTA
|
|
echo -e "\e[0;32mCreating OTA\e[0m";
|
|
"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -k "$KEY_DIR/releasekey" \
|
|
"$OUT_DIR/$PREFIX-target_files.zip" \
|
|
"$OUT_DIR/$PREFIX-ota.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.sha512sum";
|
|
|
|
#Deltas
|
|
#grep update_engine Build/*/device/*/*/*.mk -l
|
|
local DOS_GENERATE_DELTAS_DEVICES=('akari' 'akatsuki' 'alioth' 'Amber' 'aura' 'aurora' 'avicii' 'barbet' 'bluejay' 'blueline' 'bonito' 'bramble' 'cheetah' 'cheryl' 'coral' 'crosshatch' 'davinci' 'discovery' 'enchilada' 'fajita' 'flame' 'FP3' 'FP4' 'guacamole' 'guacamoleb' 'hotdog' 'hotdogb' 'instantnoodle' 'instantnoodlep' 'kebab' 'kirin' 'lemonade' 'lemonadep' 'lemonades' 'marlin' 'mata' 'mermaid' 'oriole' 'panther' 'pioneer' 'pro1' 'pro1x' 'raven' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'voyager' 'walleye' 'xz2c'); #TODO: check lmi/alioth/apollon
|
|
if [ "$DOS_GENERATE_DELTAS" = true ]; then
|
|
if [[ " ${DOS_GENERATE_DELTAS_DEVICES[@]} " =~ " ${DEVICE} " ]]; then
|
|
for LAST_TARGET_FILES in $ARCHIVE/target_files/$DOS_BRANDING_ZIP_PREFIX-$VERSION-*-dos-$DEVICE-target_files.zip; do
|
|
if [[ -f "$LAST_TARGET_FILES.id" ]]; then
|
|
local LAST_INCREMENTAL_ID=$(cat "$LAST_TARGET_FILES.id");
|
|
echo -e "\e[0;32mGenerating incremental OTA against $LAST_INCREMENTAL_ID\e[0m";
|
|
#TODO: Verify GPG signature and checksum of previous target-files first!
|
|
"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -t 8 -k "$KEY_DIR/releasekey" -i \
|
|
"$LAST_TARGET_FILES" \
|
|
"$OUT_DIR/$PREFIX-target_files.zip" \
|
|
"$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip" > "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum";
|
|
fi;
|
|
done;
|
|
fi;
|
|
fi;
|
|
|
|
#Extract signed recovery
|
|
if [ "$hasRecoveryImg" == "0" ] && [ "$hasDtboImg" == "1" ]; then
|
|
echo -e "\e[0;32mExtracting signed recovery.img\e[0m";
|
|
mkdir "$OUT_DIR/rec_tmp";
|
|
unzip "$OUT_DIR/$PREFIX-target_files.zip" "IMAGES/recovery.img" -d "$OUT_DIR/rec_tmp";
|
|
mv "$OUT_DIR/rec_tmp/IMAGES/recovery.img" "$OUT_DIR/$PREFIX-recovery.img";
|
|
sha512sum "$OUT_DIR/$PREFIX-recovery.img" > "$OUT_DIR/$PREFIX-recovery.img.sha512sum";
|
|
fi;
|
|
|
|
#File name fixes
|
|
sed -i "s|$OUT_DIR/||" $OUT_DIR/*.sha512sum;
|
|
sed -i 's/-ota\././' $OUT_DIR/*.sha512sum;
|
|
sed -i 's/-incremental_/-/' $OUT_DIR/*.sha512sum;
|
|
|
|
#GPG signing
|
|
if [ "$DOS_GPG_SIGNING" = true ]; then
|
|
for checksum in $OUT_DIR/*.sha512sum; do
|
|
echo -e "\e[0;32mGPG signing $checksum\e[0m";
|
|
if gpg --homedir "$DOS_SIGNING_GPG" --sign --local-user "$DOS_GPG_SIGNING_KEY" --clearsign "$checksum"; then
|
|
mv -f "$checksum.asc" "$checksum";
|
|
fi;
|
|
done;
|
|
fi;
|
|
|
|
pkill java && sleep 10; #XXX: ugly hack
|
|
|
|
#Copy to archive
|
|
if [ "$DOS_AUTO_ARCHIVE_BUILDS" = true ]; then
|
|
echo -e "\e[0;32mCopying files to archive\e[0m";
|
|
mkdir -vp $ARCHIVE;
|
|
mkdir -vp $ARCHIVE/target_files;
|
|
mkdir -vp $ARCHIVE/fastboot;
|
|
mkdir -vp $ARCHIVE/incrementals;
|
|
|
|
cp -v $OUT_DIR/$PREFIX-ota.zip* $ARCHIVE/ || true;
|
|
rename -- "-ota." "." $ARCHIVE/$PREFIX-ota.zip*;
|
|
if [ "$hasRecoveryImg" == "1" ] || [ "$hasDtboImg" == "0" ]; then cp -v $OUT_DIR/$PREFIX-fastboot.zip* $ARCHIVE/fastboot/ || true; fi;
|
|
if [ "$hasRecoveryImg" == "0" ] && [ "$hasDtboImg" == "1" ]; then cp -v $OUT_DIR/$PREFIX-recovery.img* $ARCHIVE/ || true; fi;
|
|
if [ "$DOS_GENERATE_DELTAS" = true ]; then
|
|
if [[ " ${DOS_GENERATE_DELTAS_DEVICES[@]} " =~ " ${DEVICE} " ]]; then
|
|
cp -v $OUT_DIR/$PREFIX-target_files.zip* $ARCHIVE/target_files/ || true;
|
|
cp -v $OUT_DIR/$PREFIX-incremental_*.zip* $ARCHIVE/incrementals/ || true;
|
|
rename -- "-incremental_" "-" $ARCHIVE/incrementals/$PREFIX-incremental_*.zip* || true;
|
|
fi;
|
|
fi;
|
|
|
|
sync;
|
|
|
|
#Remove to make space for next build
|
|
if [ "$DOS_REMOVE_AFTER" = true ]; then
|
|
echo -e "\e[0;32mRemoving to reclaim space\e[0m";
|
|
#TODO: add a sanity check
|
|
rm -rf --one-file-system "$OUT_DIR";
|
|
if [ "$DOS_REMOVE_AFTER_FULL" = true ]; then rm -rf --one-file-system "$DOS_BUILD_BASE/out"; fi; #clobber entire workspace
|
|
sync;
|
|
fi;
|
|
fi;
|
|
|
|
sync;
|
|
echo -e "\e[0;32mRelease processing complete\e[0m";
|
|
}
|
|
export -f processRelease;
|
|
|
|
pushToServer() {
|
|
#Examples
|
|
rsync -Pau --no-perms --no-owner --no-group incrementals/divested-*-dos-$1-*.zip* root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/incrementals/ || true;
|
|
rsync -Pau --no-perms --no-owner --no-group divested-*-dos-$1.zip* root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/ || true;
|
|
rsync -Pau --no-perms --no-owner --no-group divested-*-dos-$1-recovery.img root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/ || true;
|
|
rsync -Pau --no-perms --no-owner --no-group fastboot/divested-*-dos-$1-*.zip* root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/ || true;
|
|
}
|
|
export -f pushToServer;
|
|
|
|
removeBuildFingerprints() {
|
|
#Removes the stock/vendor fingerprint, allowing one to be generated instead
|
|
find device -maxdepth 3 -name "lineage*.mk" -type f -exec sh -c "awk -i inplace '!/BUILD_FINGERPRINT/' {}" \;
|
|
find device -maxdepth 3 -name "lineage*.mk" -type f -exec sh -c "awk -i inplace '!/PRIVATE_BUILD_DESC/' {}" \;
|
|
echo "Removed stock build fingerprints";
|
|
}
|
|
export -f removeBuildFingerprints;
|
|
|
|
removeUntrustedCerts() {
|
|
cd "$DOS_BUILD_BASE/system/ca-certificates/files";
|
|
rm -fv 7c302982.0 c2c1704e.0 d0cddf45.0; #TrustCor
|
|
rm -fv cb156124.0; #E-Turga
|
|
cd "$DOS_BUILD_BASE";
|
|
echo "Removed untrusted certificate authorities";
|
|
}
|
|
export -f removeUntrustedCerts;
|
|
|
|
compressRamdisks() {
|
|
if [ -f BoardConfig.mk ]; then
|
|
echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
|
|
echo "Enabled ramdisk compression";
|
|
fi;
|
|
}
|
|
export -f compressRamdisks;
|
|
|
|
smallerSystem() {
|
|
echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" >> BoardConfig.mk;
|
|
echo "PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := true" >> device.mk;
|
|
echo "EXCLUDE_SERIF_FONTS := true" >> BoardConfig.mk;
|
|
echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
|
#echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
|
sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
|
|
echo "Set smaller system args for $PWD";
|
|
}
|
|
export -f smallerSystem;
|
|
|
|
deblobAudio() {
|
|
awk -i inplace '!/BOARD_SUPPORTS_SOUND_TRIGGER/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
awk -i inplace '!/android.hardware.soundtrigger/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
|
|
awk -i inplace '!/DOLBY_/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
#awk -i inplace '!/vendor.audio.dolby/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
fi;
|
|
echo "Deblobbed audio!";
|
|
}
|
|
export -f deblobAudio;
|
|
|
|
volteOverride() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
if grep -sq "config_device_volte_available" "overlay/frameworks/base/core/res/res/values/config.xml"; then
|
|
if [ -f vendor.prop ] && ! grep -sq "volte_avail_ovr" "vendor.prop"; then
|
|
echo -e 'persist.dbg.volte_avail_ovr=1' >> vendor.prop;
|
|
echo "Set VoLTE override in vendor.prop for $1";
|
|
elif [ -f system.prop ] && ! grep -sq "volte_avail_ovr" "system.prop"; then
|
|
echo -e 'persist.dbg.volte_avail_ovr=1' >> system.prop;
|
|
echo "Set VoLTE override in system.prop for $1";
|
|
fi;
|
|
if [ -f vendor_prop.mk ] && ! grep -sq "volte_avail_ovr" "vendor_prop.mk"; then
|
|
echo -e '\nPRODUCT_PROPERTY_OVERRIDES += \\\n persist.dbg.volte_avail_ovr=1' >> vendor_prop.mk;
|
|
echo "Set VoLTE override in vendor_prop.mk for $1";
|
|
fi;
|
|
#TODO: init/init*.cpp, device*.mk
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f volteOverride;
|
|
|
|
hardenLocationSerials() {
|
|
#Prevent Qualcomm location stack from sending chipset serial number
|
|
|
|
#Devices using blob xtra-daemon (which Deblob.sh removes)
|
|
if [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then #20.0 has sysfs_soc_sensitive label
|
|
find device -name "hal_gnss*.te" -type f -exec sh -c "awk -i inplace '!/sysfs_soc/' {}" \;
|
|
find device -name "location.te" -type f -exec sh -c "awk -i inplace '!/sysfs_soc/' {}" \;
|
|
fi;
|
|
|
|
#Devices using source built libloc, these ones typically have broad /sys access
|
|
## Null out the User-Agent header
|
|
find device -name "LocEngAdapter.cpp" -type f -exec sh -c "sed -i 's/userAgent, strlen(userAgent)/\"-\", 1/' {}" \;
|
|
find hardware -name "LocEngAdapter.cpp" -type f -exec sh -c "sed -i 's/userAgent, strlen(userAgent)/\"-\", 1/' {}" \;
|
|
## Prevent reading the serial number
|
|
find device -name "LocEngAdapter.cpp" -type f -exec sh -c "sed -i 's|soc0/serial_number|soc0/invalid|' {}" \;
|
|
find hardware -name "LocEngAdapter.cpp" -type f -exec sh -c "sed -i 's|soc0/serial_number|soc0/invalid|' {}" \;
|
|
|
|
echo "Removed serial number access to Qualcomm location stacks";
|
|
}
|
|
export -f hardenLocationSerials;
|
|
|
|
hardenLocationConf() {
|
|
local gpsConfig=$1;
|
|
#Debugging: adb logcat -b all | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
|
|
#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true; #Debug
|
|
#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 2|' "$gpsConfig" &> /dev/null || true; #Warning
|
|
#Enable GLONASS
|
|
if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
|
|
sed -i 's/#A_GLONASS_POS_PROTOCOL_SELECT =/A_GLONASS_POS_PROTOCOL_SELECT =/' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/' "$gpsConfig" &>/dev/null || true;
|
|
fi;
|
|
#Change capabilities
|
|
sed -i 's|CAPABILITIES=.*|CAPABILITIES=0x13|' "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy) and geofencing/ULP (both broken by deblobber)
|
|
sed -i 's|CAPABILITIES = .*|CAPABILITIES = 0x13|' "$gpsConfig" &> /dev/null || true;
|
|
sed -i 's/#SUPL_MODE=/SUPL_MODE=/' "$gpsConfig" &>/dev/null || true; #Uncomment
|
|
sed -i 's/#SUPL_MODE = /SUPL_MODE = /' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's/SUPL_MODE=$/SUPL_MODE=1/' "$gpsConfig" &>/dev/null || true; #Set to MSB if blank (to prevent MSA+MSB default)
|
|
sed -i 's/SUPL_MODE = $/SUPL_MODE = 1/' "$gpsConfig" &>/dev/null || true;
|
|
sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy)
|
|
sed -i "s|SUPL_MODE = 3|SUPL_MODE = 1|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i 's/#LPP_PROFILE=/LPP_PROFILE=/' "$gpsConfig" &>/dev/null || true; #Uncomment
|
|
sed -i 's/#LPP_PROFILE = /LPP_PROFILE = /' "$gpsConfig" &>/dev/null || true;
|
|
sed -i "s|LPP_PROFILE=.*|LPP_PROFILE=0|" "$gpsConfig" &> /dev/null || true; #Disable LPP (privacy)
|
|
sed -i "s|LPP_PROFILE = .*|LPP_PROFILE = 0|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|LPPE_CP_TECHNOLOGY=.*|LPPE_CP_TECHNOLOGY=0|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|LPPE_CP_TECHNOLOGY = .*|LPPE_CP_TECHNOLOGY = 0|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|LPPE_UP_TECHNOLOGY=.*|LPPE_UP_TECHNOLOGY=0|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|LPPE_UP_TECHNOLOGY = .*|LPPE_UP_TECHNOLOGY = 0|" "$gpsConfig" &> /dev/null || true;
|
|
#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
|
|
sed -i 's/#SUPL_ES=/SUPL_ES=/' "$gpsConfig" &>/dev/null || true;
|
|
sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$gpsConfig" &> /dev/null || true;
|
|
#Change servers
|
|
sed -i "s|SUPL_HOST=.*|SUPL_HOST=$DOS_GPS_SUPL_HOST|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|SUPL_HOST = .*|SUPL_HOST = $DOS_GPS_SUPL_HOST|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|NTP_SERVER = .*|NTP_SERVER = $DOS_GPS_NTP_SERVER|" "$gpsConfig" &> /dev/null || true;
|
|
#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
|
|
#XTRA: Only use specified URLs
|
|
sed -i 's|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|XTRA_SERVER_QUERY = 1|XTRA_SERVER_QUERY = 0|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|#XTRA_SERVER|XTRA_SERVER|' "$gpsConfig" &>/dev/null || true;
|
|
#Switch gpsOneXtra to IZatCloud (invalid certificate)
|
|
sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|gpsonextra.net|izatcloud.net|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|xtrapath1|xtrapath4|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|xtrapath2|xtrapath5|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|xtrapath3|xtrapath6|' "$gpsConfig" &>/dev/null || true;
|
|
#Enable HTTPS (IZatCloud supports HTTPS)
|
|
sed -i 's|http://xtrapath|https://xtrapath|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|http://gllto|https://gllto|' "$gpsConfig" &>/dev/null || true;
|
|
echo "Enhanced location services for $gpsConfig";
|
|
}
|
|
export -f hardenLocationConf;
|
|
|
|
hardenLocationFWB() {
|
|
local dir=$1;
|
|
#Enable GLONASS
|
|
if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
|
|
sed -i 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
fi;
|
|
#Change capabilities
|
|
sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true; #Disable MSA (privacy)
|
|
sed -i "s|LPP_PROFILE=.*</item>|LPP_PROFILE=0</item>|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true; #Disable LPP (privacy)
|
|
sed -i "s|LPPE_CP_TECHNOLOGY=.*</item>|LPPE_CP_TECHNOLOGY=0</item>|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true
|
|
sed -i "s|LPPE_UP_TECHNOLOGY=.*</item>|LPPE_UP_TECHNOLOGY=0</item>|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
|
|
#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
|
|
sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
|
|
#Change servers
|
|
sed -i "s|NTP_SERVER=.*</item>|NTP_SERVER=$DOS_GPS_NTP_SERVER</item>|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
|
|
#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
|
|
#Switch gpsOneXtra to IZatCloud (invalid certificate)
|
|
sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|gpsonextra.net|izatcloud.net|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|xtrapath1|xtrapath4|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|xtrapath2|xtrapath5|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|xtrapath3|xtrapath6|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
#Enable HTTPS (IZatCloud supports HTTPS)
|
|
sed -i 's|http://xtrapath|https://xtrapath|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|http://gllto|https://gllto|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
echo "Enhanced location services for $dir";
|
|
}
|
|
export -f hardenLocationFWB;
|
|
|
|
hardenUserdata() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
|
|
#Remove latemount to allow selinux contexts be restored upon /cache wipe
|
|
#Fixes broken OTA updater and broken /recovery updater
|
|
sed -i '/\/cache/s|latemount,||' *fstab* */*fstab* */*/*fstab* &>/dev/null || true;
|
|
|
|
#TODO: Ensure: noatime,nosuid,nodev
|
|
sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' *fstab* */*fstab* */*/*fstab* &>/dev/null || true;
|
|
if [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/amazon/hdx-common" ] && [ "$1" != "device/motorola/athene" ] && [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then #tuna needs first boot to init, hdx-c has broken encryption
|
|
sed -i 's|encryptable=/|forceencrypt=/|' *fstab* */*fstab* */*/*fstab* &>/dev/null || true;
|
|
fi;
|
|
echo "Hardened /data for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f hardenUserdata;
|
|
|
|
enableAutoVarInit() {
|
|
#grep TARGET_KERNEL_CLANG_COMPILE Build/*/device/*/*/*.mk -l
|
|
#but exclude: grep INIT_STACK_ALL_ZERO Build/*/kernel/*/*/security/Kconfig.hardening -l
|
|
#already supported: fairphone/sm7225, fxtec/sm6115, google/bluejay, google/gs101, google/gs201, google/msm-4.14, google/raviole, google/redbull, oneplus/sm8250, oneplus/sm8350
|
|
local DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'samsung/exynos9810' 'samsung/universal9810' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/vayu' 'xiaomi/sm8250' 'zuk/msm8996');
|
|
cd "$DOS_BUILD_BASE";
|
|
echo "auto-var-init: Starting!";
|
|
for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"
|
|
do
|
|
if [ -d "$DOS_BUILD_BASE/kernel/$kernel" ]; then
|
|
cd "$DOS_BUILD_BASE/kernel/$kernel";
|
|
if git apply --check "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch" &> /dev/null; then
|
|
if git apply "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch" &> /dev/null; then #(GrapheneOS)
|
|
echo "auto-var-init: Enabled for $kernel";
|
|
else
|
|
echo "auto-var-init: Failed to enable for $kernel";
|
|
fi;
|
|
elif git apply --check --reverse "$DOS_PATCHES_COMMON/android_kernel_common/0001-auto_var_init.patch" &> /dev/null; then
|
|
echo "auto-var-init: Already enabled for $kernel";
|
|
elif grep -q "trivial-auto-var-init=pattern" Makefile; then
|
|
sed -i 's/ftrivial-auto-var-init=pattern/ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang/' Makefile; #(GrapheneOS)
|
|
grep -q "trivial-auto-var-init=pattern" Makefile;
|
|
if [ $? -eq 0 ]; then
|
|
echo "auto-var-init: Failed to switch from pattern to zero on $kernel";
|
|
else
|
|
echo "auto-var-init: Switched from pattern to zero on $kernel";
|
|
fi;
|
|
elif grep -q "trivial-auto-var-init=zero" Makefile; then
|
|
echo "auto-var-init: Already enabled for $kernel";
|
|
else
|
|
echo "auto-var-init: Could not enable for $kernel";
|
|
fi;
|
|
# else
|
|
# echo "auto-var-init: $kernel not in tree";
|
|
fi;
|
|
done;
|
|
echo "auto-var-init: Finished!";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f enableAutoVarInit;
|
|
|
|
updateRegDb() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
#Latest database cannot be used due to differing flags, only update supported kernels
|
|
#md5sum Build/*/kernel/*/*/net/wireless/genregdb.awk | sort
|
|
if echo "d9ef5910b573c634fa7845bb6511ba89 net/wireless/genregdb.awk" | md5sum --check --quiet &>/dev/null; then
|
|
#cp "$DOS_PATCHES_COMMON/wireless-regdb/db.txt" "net/wireless/db.txt";
|
|
#echo "regdb: updated for $1";
|
|
echo "regdb: skipping regdb update for $1";
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f updateRegDb;
|
|
|
|
fixupCarrierConfigs() {
|
|
cd "$DOS_BUILD_BASE";
|
|
local pathsToFixup="packages/apps/CarrierConfig/assets/*.xml device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml device/*/*/overlay/CarrierConfigResCommon/res/xml/vendor.xml device/*/*/rro_overlays/CarrierConfigOverlay/res/xml/vendor.xml";
|
|
#Things we don't want
|
|
#Reference (BSD-3-Clause): https://github.com/GrapheneOS/carriersettings-extractor/blob/13/carriersettings_extractor.py
|
|
local ccLines="allow_adding_apns_bool|apn_expand_bool|hide_ims_apn_bool|hide_preset_apn_details_bool|hide_enable_2g_bool|gps.lpp_profile|gps.persist_lpp_mode_bool";
|
|
sed -i -E "/($ccLines)/d" $pathsToFixup;
|
|
local ccArrays="read_only_apn_fields_string_array|read_only_apn_types_string_array";
|
|
sed -i -E "/("$ccArrays").*num=\"0\"/d" $pathsToFixup; #ugly hack because next line is very greedy
|
|
perl -0777 -pe 's,(<string-array.*?>.*?</string-array>),$1 =~ /'$ccArrays'/?"":$1,gse' -i $pathsToFixup; #Credit: https://unix.stackexchange.com/a/72160
|
|
sed -i "/^ $/d" $pathsToFixup;
|
|
sed -i "/^ $/d" $pathsToFixup;
|
|
#sed -i '/^[[:space:]]*$/d' *.xml;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f fixupCarrierConfigs;
|
|
|
|
disableEnforceRRO() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
awk -i inplace '!/PRODUCT_ENFORCE_RRO_TARGETS .= framework-res/' *.mk &>/dev/null || true;
|
|
awk -i inplace '!/PRODUCT_ENFORCE_RRO_TARGETS .= \*/' *.mk &>/dev/null || true;
|
|
sed -i '/PRODUCT_ENFORCE_RRO_TARGETS .= \\/,+1 d' *.mk &>/dev/null || true;
|
|
echo "Disabled enforced RRO for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f disableEnforceRRO;
|
|
|
|
disableAPEX() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
if [[ "$1" != *"device/google/gs101"* ]] && [[ "$1" != *"device/google/gs201"* ]] && [[ "$1" != *"device/google/oriole"* ]] && [[ "$1" != *"device/google/raven"* ]] && [[ "$1" != *"device/google/raviole"* ]] && [[ "$1" != *"device/google/bluejay"* ]] && [[ "$1" != *"device/google/panther"* ]] && [[ "$1" != *"device/google/cheetah"* ]] && [[ "$1" != *"device/google/pantah"* ]]; then
|
|
awk -i inplace '!/DEXPREOPT_GENERATE_APEX_IMAGE/' *.mk &>/dev/null || true;
|
|
awk -i inplace '!/updatable_apex.mk/' *.mk &>/dev/null || true;
|
|
echo "Disabled APEX for $1";
|
|
else
|
|
echo "Skipped disabling APEX for $1";
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f disableAPEX;
|
|
|
|
includeOE() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
#Skip: Pixel 2 series (only supports Google Fi), Pixel 3/a series (broken on 20.0)
|
|
if [[ "$1" != *"device/google/bonito"* ]] && [[ "$1" != *"device/google/crosshatch"* ]] && [[ "$1" != *"device/google/wahoo"* ]]; then
|
|
if [ -f device.mk ]; then
|
|
if grep -sq "euicc.xml" device.mk; then
|
|
echo -e "\nPRODUCT_PACKAGES += OpenEUICC" >> device.mk;
|
|
echo "Enabled OpenEUICC inclusion for $1";
|
|
fi;
|
|
fi;
|
|
if [ -f device-lineage.mk ]; then
|
|
if grep -sq "euicc.xml" device-lineage.mk; then
|
|
echo -e "\nPRODUCT_PACKAGES += OpenEUICC" >> device-lineage.mk;
|
|
echo "Enabled OpenEUICC inclusion for $1";
|
|
fi;
|
|
fi;
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f includeOE;
|
|
|
|
enableStrongEncryption() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
if [ -f BoardConfig.mk ]; then
|
|
echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
|
|
echo "Enabled AES-256 encryption for $1";
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f enableStrongEncryption;
|
|
|
|
addAdbKey() {
|
|
if [ -f ~/.android/adbkey.pub ]; then
|
|
cp ~/.android/adbkey.pub "$DOS_BUILD_BASE/vendor/divested/";
|
|
echo "PRODUCT_ADB_KEYS := vendor/divested/adbkey.pub" >> "$DOS_BUILD_BASE/vendor/divested/divestos.mk";
|
|
fi;
|
|
}
|
|
export -f addAdbKey;
|
|
|
|
changeDefaultDNS() {
|
|
local dnsPrimary="";
|
|
local dnsPrimaryV6="";
|
|
local dnsSecondary="";
|
|
local dnsSecondaryV6="";
|
|
if [ ! -z "$DOS_DEFAULT_DNS_PRESET" ]; then
|
|
if [[ "$DOS_DEFAULT_DNS_PRESET" == "AdGuard" ]]; then #https://adguard.com/en/adguard-dns/overview.html
|
|
dnsHex="0xb0678282L";
|
|
dnsPrimary="176.103.130.130";
|
|
dnsPrimaryV6="2a00:5a60::ad1:0ff";
|
|
dnsSecondary="176.103.130.131";
|
|
dnsSecondaryV6="2a00:5a60::ad2:0ff";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "AdGuard-NOBL" ]]; then #https://adguard.com/en/adguard-dns/overview.html
|
|
dnsHex="0xb0678288L";
|
|
dnsPrimary="176.103.130.136";
|
|
dnsPrimaryV6="2a00:5a60::01:ff";
|
|
dnsSecondary="176.103.130.137";
|
|
dnsSecondaryV6="2a00:5a60::02:ff";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "CensurfriDNS" ]]; then #https://uncensoreddns.org
|
|
dnsHex="0x5bef6464L";
|
|
dnsPrimary="91.239.100.100";
|
|
dnsPrimaryV6="2001:67c:28a4::";
|
|
dnsSecondary="89.233.43.71";
|
|
dnsSecondaryV6="2a01:3a0:53:53::";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Cloudflare" ]]; then #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
|
|
dnsHex="0x01000001L";
|
|
dnsPrimary="1.0.0.1";
|
|
dnsPrimaryV6="2606:4700:4700::1001";
|
|
dnsSecondary="1.1.1.1";
|
|
dnsSecondaryV6="2606:4700:4700::1111";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Cloudflare-BL" ]]; then #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
|
|
dnsHex="0x01000002L";
|
|
dnsPrimary="1.0.0.2";
|
|
dnsPrimaryV6="2606:4700:4700::1002";
|
|
dnsSecondary="1.1.1.2";
|
|
dnsSecondaryV6="2606:4700:4700::1112";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "DNSWATCH" ]]; then #https://dns.watch
|
|
dnsHex="0x54c84550L";
|
|
dnsPrimary="84.200.69.80";
|
|
dnsPrimaryV6="2001:1608:10:25::1c04:b12f";
|
|
dnsSecondary="84.200.70.40";
|
|
dnsSecondaryV6="2001:1608:10:25::9249:d69b";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Google" ]]; then #https://developers.google.com/speed/public-dns/privacy
|
|
dnsHex="0x08080808L";
|
|
dnsPrimary="8.8.8.8";
|
|
dnsPrimaryV6="2001:4860:4860::8888";
|
|
dnsSecondary="8.8.4.4";
|
|
dnsSecondaryV6="2001:4860:4860::8844";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Neustar" ]]; then #https://www.security.neustar/digital-performance/dns-services/recursive-dns
|
|
dnsHex="0x9c9a4602L";
|
|
dnsPrimary="156.154.70.2";
|
|
dnsPrimaryV6="2610:a1:1018::2";
|
|
dnsSecondary="156.154.71.2";
|
|
dnsSecondaryV6="2610:a1:1019::2";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Neustar-NOBL" ]]; then #https://www.security.neustar/digital-performance/dns-services/recursive-dns
|
|
dnsHex="0x9c9a4605L";
|
|
dnsPrimary="156.154.70.5";
|
|
dnsPrimaryV6="2610:a1:1018::5";
|
|
dnsSecondary="156.154.71.5";
|
|
dnsSecondaryV6="2610:a1:1019::5";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "OpenDNS" ]]; then #https://www.cisco.com/c/en/us/about/legal/privacy-full.html
|
|
dnsHex="0xd043dedeL";
|
|
dnsPrimary="208.67.222.222";
|
|
dnsPrimaryV6="2620:0:ccc::2";
|
|
dnsSecondary="208.67.220.220";
|
|
dnsSecondaryV6="2620:0:ccd::2";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Quad9" ]]; then #https://www.quad9.net/privacy
|
|
dnsHex="0x09090909L";
|
|
dnsPrimary="9.9.9.9";
|
|
dnsPrimaryV6="2620:fe::fe";
|
|
dnsSecondary="149.112.112.112";
|
|
dnsSecondaryV6="2620:fe::9";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Quad9-EDNS" ]]; then #https://www.quad9.net/privacy
|
|
dnsHex="0x0909090bL";
|
|
dnsPrimary="9.9.9.11";
|
|
dnsPrimaryV6="2620:fe::11";
|
|
dnsSecondary="149.112.112.11";
|
|
dnsSecondaryV6="2620:fe::fe:11";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Quad9-NOBL" ]]; then #https://www.quad9.net/privacy
|
|
dnsHex="0x0909090aL";
|
|
dnsPrimary="9.9.9.10";
|
|
dnsPrimaryV6="2620:fe::10";
|
|
dnsSecondary="149.112.112.10";
|
|
dnsSecondaryV6="2620:fe::fe:10";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Verisign" ]]; then #https://www.verisign.com/en_US/security-services/public-dns/terms-of-service/index.xhtml
|
|
dnsHex="0x40064006L";
|
|
dnsPrimary="64.6.64.6";
|
|
dnsPrimaryV6="2620:74:1b::1:1";
|
|
dnsSecondary="64.6.65.6";
|
|
dnsSecondaryV6="2620:74:1c::2:2";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Yandex" ]]; then #https://dns.yandex.com/advanced
|
|
dnsHex="0x4d580858L";
|
|
dnsPrimary="77.88.8.88";
|
|
dnsPrimaryV6="2a02:6b8::feed:bad";
|
|
dnsSecondary="77.88.8.2";
|
|
dnsSecondaryV6="2a02:6b8:0:1::feed:bad";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Yandex-NOBL" ]]; then #https://dns.yandex.com/advanced
|
|
dnsHex="0x4d580808L";
|
|
dnsPrimary="77.88.8.8";
|
|
dnsPrimaryV6="2a02:6b8::feed:0ff";
|
|
dnsSecondary="77.88.8.1";
|
|
dnsSecondaryV6="2a02:6b8:0:1::feed:0ff";
|
|
fi;
|
|
else
|
|
echo "You must first set a preset via the DOS_DEFAULT_DNS_PRESET variable in init.sh!";
|
|
fi;
|
|
|
|
local files="bionic/libc/dns/net/getaddrinfo.c frameworks/base/core/java/android/net/util/DnsUtils.java frameworks/base/core/java/com/android/internal/net/VpnProfile.java frameworks/base/core/res/res/values/config.xml frameworks/base/packages/SettingsLib/res/values/strings.xml frameworks/base/packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java frameworks/base/services/core/java/com/android/server/connectivity/NetworkDiagnostics.java frameworks/base/services/core/java/com/android/server/connectivity/Tethering.java frameworks/base/services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java frameworks/base/services/java/com/android/server/connectivity/Tethering.java packages/apps/Dialer/java/com/android/voicemail/impl/sync/VvmNetworkRequestCallback.java packages/modules/Connectivity/framework/src/android/net/util/DnsUtils.java packages/modules/Connectivity/service/native/libs/libclat/clatutils_test.cpp packages/modules/Connectivity/service/ServiceConnectivityResources/res/values/config.xml packages/modules/Connectivity/service/src/com/android/server/connectivity/ClatCoordinator.java packages/modules/Connectivity/service/src/com/android/server/connectivity/NetworkDiagnostics.java packages/modules/Connectivity/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java packages/modules/DnsResolver/DnsResolver/doh.rs packages/modules/DnsResolver/DnsResolver/getaddrinfo.cpp packages/modules/DnsResolver/getaddrinfo.cpp";
|
|
#TODO: handle packages/modules/DnsResolver/PrivateDnsConfiguration.h maybe? or just leave as is
|
|
sed -i "s/8\.8\.8\.8/$dnsPrimary/g" $files &>/dev/null || true;
|
|
sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/g" $files &>/dev/null || true;
|
|
sed -i "s/8\.8\.4\.4/$dnsSecondary/g" $files &>/dev/null || true;
|
|
sed -i "s/4\.4\.4\.4/$dnsSecondary/g" $files &>/dev/null || true;
|
|
sed -i "s/2001:4860:4860::8844/$dnsSecondaryV6/g" $files &>/dev/null || true;
|
|
sed -i "s/0x08080808L/$dnsHex/g" $files &>/dev/null || true;
|
|
}
|
|
export -f changeDefaultDNS;
|
|
|
|
editKernelLocalversion() {
|
|
local defconfigPath=$(getDefconfig)
|
|
local replacement=$1;
|
|
if [ "$DOS_SNET" = true ]; then local replacement="-oink"; fi;
|
|
sed -i 's/CONFIG_LOCALVERSION=".*"/CONFIG_LOCALVERSION="'"$replacement"'"/' $defconfigPath &>/dev/null || true;
|
|
sed -zi '/CONFIG_LOCALVERSION="'"$replacement"'"/!s/$/\nCONFIG_LOCALVERSION="'"$replacement"'"/' $defconfigPath &>/dev/null;
|
|
}
|
|
export -f editKernelLocalversion;
|
|
|
|
getDefconfig() {
|
|
if ls private/gs-google/arch/arm64/configs/*_gki_defconfig 1> /dev/null 2>&1; then
|
|
local defconfigPath="private/gs-google/arch/arm64/configs/cloudripper_gki_defconfig private/gs-google/arch/arm64/configs/slider_gki_defconfig";
|
|
elif ls arch/arm64/configs/lineage*defconfig 1> /dev/null 2>&1; then
|
|
local defconfigPath="arch/arm64/configs/lineage*defconfig";
|
|
elif ls arch/arm/configs/lineage*defconfig 1> /dev/null 2>&1; then
|
|
local defconfigPath="arch/arm/configs/lineage*defconfig";
|
|
else
|
|
#grep TARGET_KERNEL_CONFIG Build/*/device/ -Rih | sed 's|TARGET_KERNEL_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
|
|
#grep TARGET_KERNEL_VARIANT_CONFIG Build/*/device/ -Rih | sed 's|TARGET_KERNEL_VARIANT_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
|
|
local defconfigPath="arch/arm*/configs/lineage*defconfig arch/arm*/configs/vendor/lineage*defconfig arch/arm*/configs/apollo_defconfig arch/arm*/configs/apq8084_sec_defconfig arch/arm*/configs/apq8084_sec_kccat6_eur_defconfig arch/arm*/configs/apq8084_sec_lentislte_skt_defconfig arch/arm*/configs/athene_defconfig arch/arm*/configs/aura_defconfig arch/arm*/configs/b1c1_defconfig arch/arm*/configs/beryllium_defconfig arch/arm*/configs/bonito_defconfig arch/arm*/configs/clark_defconfig arch/arm*/configs/cloudripper_gki_defconfig arch/arm*/configs/discovery_defconfig arch/arm*/configs/enchilada_defconfig arch/arm*/configs/exynos8890-hero2lte_defconfig arch/arm*/configs/exynos8890-herolte_defconfig arch/arm*/configs/exynos9810-crownlte_defconfig arch/arm*/configs/exynos9810-star2lte_defconfig arch/arm*/configs/exynos9810-starlte_defconfig arch/arm*/configs/floral_defconfig arch/arm*/configs/FP4_defconfig arch/arm*/configs/griffin_defconfig arch/arm*/configs/grouper_defconfig arch/arm*/configs/harpia_defconfig arch/arm*/configs/jactive_eur_defconfig arch/arm*/configs/jf_att_defconfig arch/arm*/configs/jf_eur_defconfig arch/arm*/configs/jf_spr_defconfig arch/arm*/configs/jfve_eur_defconfig arch/arm*/configs/jf_vzw_defconfig arch/arm*/configs/kirin_defconfig arch/arm*/configs/lavender_defconfig arch/arm*/configs/m1s1_defconfig arch/arm*/configs/m7_defconfig arch/arm*/configs/m8_defconfig arch/arm*/configs/m8dug_defconfig arch/arm*/configs/merlin_defconfig arch/arm*/configs/mermaid_defconfig arch/arm*/configs/msm8930_serrano_eur_3g_defconfig arch/arm*/configs/msm8930_serrano_eur_lte_defconfig arch/arm*/configs/msm8974-hdx_defconfig arch/arm*/configs/msm8974-hdx-perf_defconfig arch/arm*/configs/oneplus2_defconfig arch/arm*/configs/osprey_defconfig arch/arm*/configs/pioneer_defconfig arch/arm*/configs/platina_defconfig arch/arm*/configs/redbull_defconfig arch/arm*/configs/samsung_serrano_defconfig arch/arm*/configs/samsung_serrano_usa_defconfig arch/arm*/configs/shamu_defconfig arch/arm*/configs/slider_gki_defconfig arch/arm*/configs/sunfish_defconfig arch/arm*/configs/surnia_defconfig arch/arm*/configs/tama_akari_defconfig arch/arm*/configs/tama_akatsuki_defconfig arch/arm*/configs/tama_apollo_defconfig arch/arm*/configs/tama_aurora_defconfig arch/arm*/configs/thor_defconfig arch/arm*/configs/tulip_defconfig arch/arm*/configs/tuna_defconfig arch/arm*/configs/twrp_defconfig arch/arm*/configs/vendor/alioth_defconfig arch/arm*/configs/vendor/apollo_defconfig arch/arm*/configs/vendor/davinci.config arch/arm*/configs/vendor/fairphone/FP4.config arch/arm*/configs/vendor/kona-perf_defconfig arch/arm*/configs/vendor/lahaina-qgki_defconfig arch/arm*/configs/vendor/lito-perf_defconfig arch/arm*/configs/vendor/lmi_defconfig arch/arm*/configs/vendor/msm8937-perf_defconfig arch/arm*/configs/vendor/raphael_defconfig arch/arm*/configs/vendor/sdmsteppe-perf_defconfig arch/arm*/configs/vendor/sm8150-perf_defconfig arch/arm*/configs/vendor/vayu_defconfig arch/arm*/configs/vendor/vendor/fairphone/FP4.config arch/arm*/configs/vendor/vendor/xiaomi/sm8150-common.config arch/arm*/configs/vendor/vendor/xiaomi/sm8250-common.config arch/arm*/configs/vendor/xiaomi/alioth.config arch/arm*/configs/vendor/xiaomi/apollo.config arch/arm*/configs/vendor/xiaomi/beryllium.config arch/arm*/configs/vendor/xiaomi/dipper.config arch/arm*/configs/vendor/xiaomi/equuleus.config arch/arm*/configs/vendor/xiaomi/lmi.config arch/arm*/configs/vendor/xiaomi/mi845_defconfig arch/arm*/configs/vendor/xiaomi/polaris.config arch/arm*/configs/vendor/xiaomi/sm8150-common.config arch/arm*/configs/vendor/xiaomi/sm8250-common.config arch/arm*/configs/vendor/xiaomi/ursa.config arch/arm*/configs/vendor/xiaomi/vayu.config arch/arm*/configs/voyager_defconfig arch/arm*/configs/wayne_defconfig arch/arm*/configs/whyred_defconfig arch/arm*/configs/yellowstone_defconfig arch/arm*/configs/Z00T_defconfig arch/arm*/configs/z2_plus_defconfig arch/arm*/configs/zenfone3-perf_defconfig";
|
|
fi;
|
|
echo $defconfigPath;
|
|
}
|
|
export -f getDefconfig;
|
|
|
|
hardenDefconfig() {
|
|
cd "$DOS_BUILD_BASE/$1";
|
|
|
|
#Attempts to enable/disable supported options to increase security
|
|
#See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
|
|
#and (GPL-3.0) https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/kconfig_hardened_check/__init__.py
|
|
|
|
local defconfigPath=$(getDefconfig);
|
|
local kernelVersion="0.0.0";
|
|
if [ -f "Makefile" ]; then
|
|
local kernelVersion=$(head -n5 "Makefile" | sed '/# SPDX-License-Identifier: GPL-2.0/d;/EXTRAVERSION/d;/NAME/d' | sed 's/.*= //;s/\n//' | sed -e :a -e N -e '$!ba' -e 's/\n/ /g' | sed 's/\ /./g');
|
|
fi;
|
|
|
|
#Enable supported options
|
|
#Linux <3.0
|
|
declare -a optionsYes=("BUG" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
|
|
optionsYes+=("DEBUG_KERNEL" "DEBUG_CREDENTIALS" "DEBUG_LIST" "DEBUG_VIRTUAL");
|
|
optionsYes+=("DEBUG_RODATA" "DEBUG_SET_MODULE_RONX");
|
|
#optionsYes+=("DEBUG_SG"); #bootloops - https://patchwork.kernel.org/patch/8989981
|
|
|
|
if [ "$DOS_USE_KSM" = true ] && [ -f "mm/ksm.c" ]; then
|
|
if [[ $kernelVersion == "3."* ]] || [[ $kernelVersion == "4.4"* ]] || [[ $kernelVersion == "4.9"* ]]; then
|
|
optionsYes+=("KSM");
|
|
sed -i 's/unsigned int ksm_run = KSM_RUN_STOP;/unsigned int ksm_run = KSM_RUN_MERGE;/' mm/ksm.c &>/dev/null || true;
|
|
sed -i 's/unsigned long ksm_run = KSM_RUN_STOP;/unsigned long ksm_run = KSM_RUN_MERGE;/' mm/ksm.c &>/dev/null || true;
|
|
else
|
|
local ksmNotNeeded=true;
|
|
sed -i 's/unsigned int ksm_run = KSM_RUN_MERGE;/unsigned int ksm_run = KSM_RUN_STOP;/' mm/ksm.c &>/dev/null || true;
|
|
sed -i 's/unsigned long ksm_run = KSM_RUN_MERGE;/unsigned long ksm_run = KSM_RUN_STOP;/' mm/ksm.c &>/dev/null || true;
|
|
fi;
|
|
fi;
|
|
|
|
if [[ $kernelVersion == "3."* ]] || [[ $kernelVersion == "4.4"* ]] || [[ $kernelVersion == "4.9"* ]]; then
|
|
optionsYes+=("DEBUG_NOTIFIERS"); #(https://github.com/GrapheneOS/os-issue-tracker/issues/681)
|
|
fi;
|
|
|
|
#Linux 3.4
|
|
optionsYes+=("SECURITY_YAMA");
|
|
|
|
#Linux 3.5
|
|
optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER");
|
|
|
|
#Linux 3.7
|
|
optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER");
|
|
|
|
#Linux 3.13
|
|
optionsYes+=("SYSTEM_TRUSTED_KEYRING");
|
|
|
|
#Linux 3.14
|
|
optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG");
|
|
|
|
#Linux 3.17
|
|
optionsYes+=("PKCS7_MESSAGE_PARSER");
|
|
|
|
#Linux 3.18
|
|
optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK");
|
|
|
|
#Linux 4.3
|
|
optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN");
|
|
|
|
#Linux 4.4
|
|
optionsYes+=("LEGACY_VSYSCALL_NONE");
|
|
|
|
#Linux 4.5
|
|
optionsYes+=("IO_STRICT_DEVMEM");
|
|
|
|
#Linux 4.6
|
|
optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ZERO" "PAGE_POISONING_NO_SANITY");
|
|
|
|
#Linux 4.7
|
|
optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
|
|
|
|
#Linux 4.8
|
|
optionsYes+=("RANDOMIZE_MEMORY");
|
|
|
|
#Linux 4.9
|
|
optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK");
|
|
|
|
#Linux 4.10
|
|
optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION");
|
|
|
|
#Linux 4.11
|
|
optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX");
|
|
|
|
#Linux 4.13
|
|
optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL");
|
|
|
|
#Linux 4.14
|
|
optionsYes+=("SLAB_FREELIST_HARDENED");
|
|
#optionsYes+=("LTO_CLANG" "CFI_CLANG");
|
|
#optionsYes+=("RESET_ATTACK_MITIGATION"); #EFI only
|
|
|
|
#Linux 4.15
|
|
optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE");
|
|
|
|
#Linux 4.16
|
|
optionsYes+=("UNMAP_KERNEL_AT_EL0");
|
|
|
|
#Linux 4.17
|
|
optionsYes+=("HARDEN_EL2_VECTORS");
|
|
|
|
#Linux 4.18
|
|
optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
|
|
|
|
#Linux 5.0
|
|
optionsYes+=("ARM64_PTR_AUTH"); #can stall CPUs on boot if missing support
|
|
optionsYes+=("RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
|
|
|
|
#Linux 5.2
|
|
optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
|
|
|
|
#Linux 5.8
|
|
optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
|
|
|
|
#Linux 5.9
|
|
optionsYes+=("INIT_STACK_ALL_ZERO");
|
|
|
|
#Linux 5.10
|
|
optionsYes+=("ARM64_MTE");
|
|
|
|
#Linux 5.12
|
|
#optionsYes+=("KFENCE"); #useless?
|
|
|
|
#Linux 5.13
|
|
optionsYes+=("ARM64_EPAN" "RANDOMIZE_KSTACK_OFFSET_DEFAULT");
|
|
|
|
#Linux 5.15
|
|
optionsYes+=("IOMMU_DEFAULT_DMA_STRICT" "ZERO_CALL_USED_REGS");
|
|
#optionsYes+=("WERROR");
|
|
|
|
#Linux 5.17
|
|
optionsYes+=("HARDEN_BRANCH_HISTORY" "MITIGATE_SPECTRE_BRANCH_HISTORY");
|
|
|
|
#Linux 5.18
|
|
#optionsYes+=("SHADOW_CALL_STACK" "SHADOW_CALL_STACK_VMAP");
|
|
|
|
#GCC Plugins - 4.19 - 5.2
|
|
#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STACKLEAK" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
|
|
#AOSP uses Clang, not GCC
|
|
|
|
#GrapheneOS Patches
|
|
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
|
|
#Disabled: SLAB_CANARY (https://github.com/GrapheneOS/os-issue-tracker/issues/124)
|
|
|
|
#out of tree or renamed or removed ?
|
|
optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
|
|
|
|
#Hardware enablement #XXX: This needs a better home
|
|
optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
|
|
|
|
#grep INIT_ON_ALLOC_DEFAULT_ON Build/*/kernel/*/*/security/Kconfig.hardening -l
|
|
modernKernels=('fairphone/sm7225' 'fxtec/sm6115' 'google/barbet' 'google/bluejay' 'google/coral' 'google/gs101' 'google/gs201' 'google/msm-4.14' 'google/raviole' 'google/redbull' 'google/sunfish' 'oneplus/sm8150' 'oneplus/sm8250' 'oneplus/sm8350' 'xiaomi/sm8150' 'xiaomi/sm8250' 'xiaomi/vayu');
|
|
for kernelModern in "${modernKernels[@]}"; do
|
|
if [[ "$1" == *"/$kernelModern"* ]]; then
|
|
optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
|
|
fi;
|
|
done;
|
|
|
|
#excluding above: grep PAGE_POISONING_ENABLE_DEFAULT Build/*/kernel/*/*/mm/Kconfig.debug -l
|
|
oldKernels=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/msm-4.9' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/msm8937' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'yandex/sdm660' 'zuk/msm8996');
|
|
for kernelOld in "${oldKernels[@]}"; do
|
|
if [[ "$1" == *"/$kernelOld"* ]]; then
|
|
optionsYes+=("PAGE_POISONING_ENABLE_DEFAULT");
|
|
fi;
|
|
done;
|
|
|
|
for option in "${optionsYes[@]}"
|
|
do
|
|
#If the option is disabled, enable it
|
|
sed -i 's/# CONFIG_'"$option"' is not set/CONFIG_'"$option"'=y/' $defconfigPath &>/dev/null || true;
|
|
if [[ "$1" != *"kernel/oneplus/msm8996"* ]] && [[ "$1" != *"kernel/xiaomi/msm8937"* ]]; then
|
|
#If the option isn't present, add it enabled
|
|
sed -zi '/CONFIG_'"$option"'=y/!s/$/\nCONFIG_'"$option"'=y/' $defconfigPath &>/dev/null || true;
|
|
fi;
|
|
done
|
|
#Disable supported options
|
|
#debugging
|
|
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE");
|
|
optionsNo+=("CHECKPOINT_RESTORE" "MEM_SOFT_DIRTY");
|
|
optionsNo+=("CP_ACCESS64" "WLAN_FEATURE_MEMDUMP");
|
|
optionsNo+=("DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "PROC_KCORE" "PROC_VMCORE" "X86_PTDUMP");
|
|
optionsNo+=("HWPOISON_INJECT" "NOTIFIER_ERROR_INJECTION");
|
|
optionsNo+=("INPUT_EVBUG");
|
|
optionsNo+=("LOG_BUF_MAGIC");
|
|
optionsNo+=("L2TP_DEBUGFS");
|
|
optionsNo+=("PAGE_OWNER");
|
|
optionsNo+=("TIMER_STATS" "ZSMALLOC_STAT");
|
|
optionsNo+=("UPROBES");
|
|
#optionsNo+=("SLUB_DEBUG" "SLUB_DEBUG_ON");
|
|
#optionsNo+=("STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE"); #GCC only
|
|
#optionsNo+=("MMIOTRACE" "MMIOTRACE_TEST");
|
|
#optionsNo+=("IOMMU_DEBUG" "IOMMU_DEBUG_TRACKING" "IOMMU_NON_SECURE" "IOMMU_TESTS");
|
|
#optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_KMEMLEAK" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "DEBUG_SPINLOCK");
|
|
#if [[ $kernelVersion == "4."* ]] || [[ $kernelVersion == "5."* ]]; then
|
|
# #optionsNo+=("DEBUG_FS");
|
|
# optionsNo+=("FTRACE" "KPROBE_EVENTS" "UPROBE_EVENTS" "GENERIC_TRACER" "FUNCTION_TRACER" "STACK_TRACER" "HIST_TRIGGERS" "BLK_DEV_IO_TRACE" "FAIL_FUTEX" "DYNAMIC_DEBUG" "PREEMPT_TRACER");
|
|
#fi;
|
|
#if [[ "$1" != *"kernel/oneplus/sm8250"* ]]; then
|
|
# optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "OF_CORESIGHT");
|
|
#fi;
|
|
#legacy
|
|
optionsNo+=("BINFMT_AOUT" "BINFMT_MISC");
|
|
optionsNo+=("COMPAT_BRK" "COMPAT_VDSO");
|
|
optionsNo+=("LDISC_AUTOLOAD" "LEGACY_PTYS");
|
|
optionsNo+=("MODIFY_LDT_SYSCALL");
|
|
optionsNo+=("OABI_COMPAT");
|
|
optionsNo+=("USELIB");
|
|
optionsNo+=("X86_IOPL_IOPERM" "X86_VSYSCALL_EMULATION");
|
|
#unnecessary
|
|
optionsNo+=("BLK_DEV_FD" "BT_HS" "IO_URING" "IP_DCCP" "IP_SCTP" "VIDEO_VIVID" "FB_VIRTUAL" "RDS" "RDS_TCP");
|
|
optionsNo+=("HIBERNATION");
|
|
optionsNo+=("KEXEC" "KEXEC_FILE");
|
|
optionsNo+=("UKSM");
|
|
if [ "$DOS_USE_KSM" = false ] || [ "$ksmNotNeeded" = true ]; then optionsNo+=("KSM"); fi;
|
|
optionsNo+=("LIVEPATCH");
|
|
optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
|
|
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
|
|
#unsafe
|
|
optionsNo+=("GCC_PLUGIN_RANDSTRUCT_PERFORMANCE");
|
|
optionsNo+=("HARDENED_USERCOPY_FALLBACK");
|
|
optionsNo+=("SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS");
|
|
if [ "$DOS_USE_KSM" = false ]; then optionsNo+=("SLAB_MERGE_DEFAULT"); fi;
|
|
if [[ "$DOS_VERSION" != "LineageOS-20.0" ]]; then optionsNo+=("USERFAULTFD"); fi;
|
|
#optionsNo+=("CFI_PERMISSIVE");
|
|
#misc
|
|
optionsNo+=("FB_MSM_MDSS_XLOG_DEBUG" "MSM_BUSPM_DEV" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG");
|
|
optionsNo+=("NEEDS_SYSCALL_FOR_CMPXCHG");
|
|
optionsNo+=("TSC" "TSPP2");
|
|
#breakage
|
|
optionsNo+=("HARDENED_USERCOPY_PAGESPAN");
|
|
#optionsNo+=("IKCONFIG"); #breaks recovery
|
|
#optionsNo+=("KALLSYMS"); #breaks boot on select devices
|
|
#optionsNo+=("MAGIC_SYSRQ"); #breaks compile
|
|
#optionsNo+=("MSM_DLOAD_MODE"); #breaks compile
|
|
#optionsNo+=("MSM_SMP2P_TEST" "INET_DIAG");
|
|
#optionsNo+=("PROC_PAGE_MONITOR"); #breaks memory stats
|
|
#optionsNo+=("SCHED_DEBUG"); #breaks compile
|
|
|
|
if [ "$DOS_DEFCONFIG_DISABLER" = true ]; then
|
|
for option in "${optionsNo[@]}"
|
|
do
|
|
#If the option is enabled, disable it
|
|
sed -i 's/CONFIG_'"$option"'=y/CONFIG_'"$option"'=n/' $defconfigPath &>/dev/null || true;
|
|
#If the option isn't present, add it disabled
|
|
sed -zi '/CONFIG_'"$option"'=n/!s/$/\nCONFIG_'"$option"'=n/' $defconfigPath &>/dev/null || true;
|
|
done
|
|
fi;
|
|
|
|
#Extras
|
|
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true;
|
|
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;
|
|
sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
sed -zi '/CONFIG_DEFAULT_MMAP_MIN_ADDR/!s/$/\nCONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
sed -zi '/CONFIG_LSM_MMAP_MIN_ADDR/!s/$/\nCONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
|
|
editKernelLocalversion "-dos";
|
|
|
|
echo "Hardened defconfig for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f hardenDefconfig;
|