mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-22 06:04:57 -05:00
7ba42f052a
Signed-off-by: Tad <tad@spotco.us>
853 lines
37 KiB
Bash
853 lines
37 KiB
Bash
#!/bin/bash
|
|
#DivestOS: A privacy focused mobile distribution
|
|
#Copyright (c) 2017-2021 Divested Computing Group
|
|
#
|
|
#This program is free software: you can redistribute it and/or modify
|
|
#it under the terms of the GNU General Public License as published by
|
|
#the Free Software Foundation, either version 3 of the License, or
|
|
#(at your option) any later version.
|
|
#
|
|
#This program is distributed in the hope that it will be useful,
|
|
#but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
#GNU General Public License for more details.
|
|
#
|
|
#You should have received a copy of the GNU General Public License
|
|
#along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
if [ "$DOS_NON_COMMERCIAL_USE_PATCHES" = true ]; then
|
|
echo -e "\e[0;33mWARNING: YOU HAVE ENABLED PATCHES THAT WHILE ARE OPEN SOURCE ARE ALSO ENCUMBERED BY RESTRICTIVE LICENSES\e[0m";
|
|
echo -e "\e[0;33mPLEASE SEE THE 'LICENSES' FILE AT THE ROOT OF THIS REPOSITORY FOR MORE INFORMATION\e[0m";
|
|
echo -e "\e[0;33mDISABLE THEM BY SETTING 'NON_COMMERCIAL_USE_PATCHES' TO 'false' IN 'Scripts/init.sh'\e[0m";
|
|
sleep 15;
|
|
fi;
|
|
|
|
startPatcher() {
|
|
java -jar "$DOS_BINARY_PATCHER" patch workspace "$DOS_BUILD_BASE" "$DOS_WORKSPACE_ROOT""Patches/Linux/" "$DOS_SCRIPTS_CVES" $1;
|
|
}
|
|
export -f startPatcher;
|
|
|
|
enter() {
|
|
echo "================================================================================================"
|
|
local dir="$1";
|
|
local dirReal="$DOS_BUILD_BASE$dir";
|
|
umask 0022;
|
|
if [ -d "$dirReal" ]; then
|
|
cd "$dirReal";
|
|
echo -e "\e[0;32m[ENTERING] $dir\e[0m";
|
|
return 0;
|
|
else
|
|
echo -e "\e[0;31m[ENTERING FAILED] $dir\e[0m";
|
|
return 1;
|
|
fi;
|
|
}
|
|
export -f enter;
|
|
|
|
enterAndClear() {
|
|
if enter "$1"; then gitReset; else return 1; fi;
|
|
}
|
|
export -f enterAndClear;
|
|
|
|
gitReset() {
|
|
git add -A && git reset --hard;
|
|
}
|
|
export -f gitReset;
|
|
|
|
applyPatchReal() {
|
|
currentWorkingPatch=$1;
|
|
firstLine=$(head -n1 "$currentWorkingPatch");
|
|
if [[ "$firstLine" = *"Mon Sep 17 00:00:00 2001"* ]] || [[ "$firstLine" = *"Thu Jan 1 00:00:00 1970"* ]]; then
|
|
git am "$@";
|
|
else
|
|
git apply "$@";
|
|
echo "Applying (as diff): $currentWorkingPatch";
|
|
fi;
|
|
}
|
|
export -f applyPatchReal;
|
|
|
|
applyPatch() {
|
|
currentWorkingPatch=$1;
|
|
if [ -f "$currentWorkingPatch" ]; then
|
|
git apply --check "$@" &> /dev/null;
|
|
if [ "$?" -eq 0 ]; then
|
|
applyPatchReal "$@";
|
|
else
|
|
git apply --reverse --check "$@" &> /dev/null;
|
|
if [ "$?" -eq 0 ]; then
|
|
echo "Already applied: $currentWorkingPatch";
|
|
else
|
|
git apply --check "$@" --3way &> /dev/null;
|
|
if [ "$?" -eq 0 ]; then
|
|
applyPatchReal "$@" --3way;
|
|
echo "Applied (as 3way): $currentWorkingPatch";
|
|
else
|
|
echo -e "\e[0;31mCannot apply: $currentWorkingPatch\e[0m";
|
|
fi;
|
|
fi;
|
|
fi;
|
|
else
|
|
echo -e "\e[0;31mPatch doesn't exist: $currentWorkingPatch\e[0m";
|
|
fi;
|
|
}
|
|
export -f applyPatch;
|
|
|
|
gpgVerifyDirectory() {
|
|
if [ -r "$HOME/.gnupg" ]; then
|
|
for sig in $1/*.asc; do
|
|
gpg --verify $sig &>/dev/null;
|
|
if [ "$?" -eq "0" ]; then
|
|
echo -e "\e[0;32mGPG Verified Successfully: $sig\e[0m";
|
|
else
|
|
echo -e "\e[0;31mWARNING: GPG Verification Failed: $sig\e[0m";
|
|
sleep 60;
|
|
fi;
|
|
done;
|
|
else
|
|
echo -e "\e[0;33mWARNING: ~/.gnupg is unavailable, GPG verification of $1 will not be performed!\e[0m";
|
|
fi;
|
|
}
|
|
export -f gpgVerifyDirectory;
|
|
|
|
scanForMalware() {
|
|
if [ -x /usr/bin/clamscan ] && [ -r /var/lib/clamav/main.c*d ]; then
|
|
echo -e "\e[0;32mStarting a malware scan...\e[0m";
|
|
local excludes="--exclude-dir=\".git\" --exclude-dir=\".repo\"";
|
|
local scanQueue="$2";
|
|
if [ "$1" = true ]; then
|
|
if [ "$DOS_MALWARE_SCAN_SETTING" != "quick" ] || [ "$DOS_MALWARE_SCAN_SETTING" = "extra" ]; then
|
|
scanQueue=$scanQueue" $DOS_BUILD_BASE/frameworks $DOS_BUILD_BASE/vendor";
|
|
fi;
|
|
if [ "$DOS_MALWARE_SCAN_SETTING" = "slow" ]; then
|
|
scanQueue=$scanQueue"$DOS_BUILD_BASE/external $DOS_BUILD_BASE/prebuilts $DOS_BUILD_BASE/toolchain $DOS_BUILD_BASE/tools";
|
|
fi;
|
|
if [ "$DOS_MALWARE_SCAN_SETTING" = "full" ]; then
|
|
scanQueue="$DOS_BUILD_BASE";
|
|
fi;
|
|
fi;
|
|
du -hsc $scanQueue;
|
|
/usr/bin/clamscan --recursive --detect-pua --infected --allmatch --max-filesize=4000M --max-scansize=4000M $excludes $scanQueue;
|
|
local clamscanExit="$?";
|
|
if [ "$clamscanExit" -eq "1" ]; then
|
|
echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
|
|
echo -e "\e[0;31mWARNING: MALWARE WAS FOUND! PLEASE INVESTIGATE!\e[0m";
|
|
echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
|
|
echo -e "\e[0;33mFalse positives such as the following are probably OK\e[0m";
|
|
echo -e "\e[0;33mPUAs: Ewind, Mobidash\e[0m";
|
|
echo -e "\e[0;31m----------------------------------------------------------------\e[0m";
|
|
sleep 60;
|
|
fi;
|
|
if [ "$clamscanExit" -eq "0" ]; then
|
|
echo -e "\e[0;32mNo malware found\e[0m";
|
|
fi;
|
|
if [ "$clamscanExit" -eq "2" ]; then
|
|
echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
|
|
echo -e "\e[0;33mWARNING: AN ERROR OCCURED. PLEASE INVESTIGATE!\e[0m";
|
|
echo -e "\e[0;33m----------------------------------------------------------------\e[0m";
|
|
sleep 60;
|
|
fi;
|
|
else
|
|
echo -e "\e[0;33mWARNING: clamscan is unavailable, a malware scan will not be performed!\e[0m";
|
|
fi;
|
|
}
|
|
export -f scanForMalware;
|
|
|
|
generateBootAnimationMask() {
|
|
local text=$1;
|
|
local font=$2
|
|
local output=$3;
|
|
convert -background black -fill transparent -font "$font" -gravity center -size 512x128 label:"$text" "$output";
|
|
#optipng "$output"; #XXX: breaks boot animation on 14.1?
|
|
}
|
|
export -f generateBootAnimationMask;
|
|
|
|
generateBootAnimationShine() {
|
|
local color=$1;
|
|
local style=$2;
|
|
local output=$3;
|
|
#The colors need to be symmetrical in order to make the animation smooth and not have any noticble lines
|
|
convert -size 1024x128 -define gradient:angle=90 "$style":"$color" \( +clone -flop \) +append "$output";
|
|
#optipng "$output";
|
|
}
|
|
export -f generateBootAnimationShine;
|
|
|
|
audit2allowCurrent() {
|
|
adb logcat -b all -d | audit2allow -p "$OUT"/root/sepolicy;
|
|
}
|
|
export -f audit2allowCurrent;
|
|
|
|
audit2allowADB() {
|
|
adb pull /sys/fs/selinux/policy;
|
|
adb logcat -b all -d | audit2allow -p policy;
|
|
}
|
|
export -f audit2allowADB;
|
|
|
|
processRelease() {
|
|
#Reference (MIT): GrapheneOS
|
|
#https://github.com/GrapheneOS/script/blob/10/release.sh
|
|
local DEVICE="$1";
|
|
local BLOCK="$2";
|
|
local VERITY="$3";
|
|
|
|
local DATE=$(date -u '+%Y%m%d')
|
|
local KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
|
|
local VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
|
|
local PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
|
|
local ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
|
|
local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";
|
|
|
|
local RELEASETOOLS_PREFIX="build/tools/releasetools/";
|
|
if [[ "$DOS_VERSION" == "LineageOS-18.1" ]]; then
|
|
local RELEASETOOLS_PREFIX="";
|
|
fi;
|
|
|
|
umask 0022;
|
|
|
|
echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";
|
|
|
|
#Arguments
|
|
if [ "$BLOCK" != false ]; then
|
|
local BLOCK_SWITCHES="--block";
|
|
fi;
|
|
if [[ "$VERITY" == "verity" ]]; then
|
|
local VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
|
|
--replace_verity_private_key "$KEY_DIR/verity" \
|
|
--replace_verity_keyid "$KEY_DIR/verity.x509.pem");
|
|
echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
|
|
elif [[ "$VERITY" == "avb" ]]; then
|
|
#TODO: Verify if both SHA512 and RSA4096 is always supported
|
|
local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" \
|
|
--avb_vbmeta_algorithm SHA256_RSA4096 \
|
|
--avb_system_key "$KEY_DIR/avb.pem" \
|
|
--avb_system_algorithm SHA256_RSA4096);
|
|
local AVB_PKMD="$KEY_DIR/avb_pkmd.bin";
|
|
echo -e "\e[0;32m\t+ Verified Boot 2.0\e[0m";
|
|
fi;
|
|
|
|
#Malware Scan
|
|
if [ "$DOS_MALWARE_SCAN_BEFORE_SIGN" = true ]; then
|
|
echo -e "\e[0;32mScanning files for malware before signing\e[0m";
|
|
scanForMalware false $OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip;
|
|
fi;
|
|
|
|
#Target Files
|
|
echo -e "\e[0;32mSigning target files\e[0m";
|
|
"$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
|
|
"${VERITY_SWITCHES[@]}" \
|
|
$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
|
|
"$OUT_DIR/$PREFIX-target_files.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-target_files.zip" > "$OUT_DIR/$PREFIX-target_files.zip.sha512sum";
|
|
local INCREMENTAL_ID=$(grep "ro.build.version.incremental" $OUT_DIR/system/build.prop | cut -f2 -d "=" | sed 's/\.//g');
|
|
echo "$INCREMENTAL_ID" > "$OUT_DIR/$PREFIX-target_files.zip.id";
|
|
|
|
#Image
|
|
unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q recovery.img;
|
|
local hasRecoveryImg="$?";
|
|
if [ "$hasRecoveryImg" == "1" ]; then
|
|
echo -e "\e[0;32mCreating fastboot image\e[0m";
|
|
"$RELEASETOOLS_PREFIX"img_from_target_files "$OUT_DIR/$PREFIX-target_files.zip" \
|
|
"$OUT_DIR/$PREFIX-fastboot.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-fastboot.zip" > "$OUT_DIR/$PREFIX-fastboot.zip.sha512sum";
|
|
fi
|
|
|
|
#OTA
|
|
echo -e "\e[0;32mCreating OTA\e[0m";
|
|
"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -k "$KEY_DIR/releasekey" \
|
|
"$OUT_DIR/$PREFIX-target_files.zip" \
|
|
"$OUT_DIR/$PREFIX-ota.zip";
|
|
md5sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.md5sum";
|
|
sha512sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.sha512sum";
|
|
|
|
#Deltas
|
|
if [ "$DOS_GENERATE_DELTAS" = true ]; then
|
|
if [[ " ${DOS_GENERATE_DELTAS_DEVICES[@]} " =~ " ${DEVICE} " ]]; then
|
|
for LAST_TARGET_FILES in $ARCHIVE/target_files/$DOS_BRANDING_ZIP_PREFIX-$VERSION-*-dos-$DEVICE-target_files.zip; do
|
|
if [[ -f "$LAST_TARGET_FILES.id" ]]; then
|
|
local LAST_INCREMENTAL_ID=$(cat "$LAST_TARGET_FILES.id");
|
|
echo -e "\e[0;32mGenerating incremental OTA against $LAST_INCREMENTAL_ID\e[0m";
|
|
#TODO: Verify GPG signature and checksum of previous target-files first!
|
|
"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -t 8 -k "$KEY_DIR/releasekey" -i \
|
|
"$LAST_TARGET_FILES" \
|
|
"$OUT_DIR/$PREFIX-target_files.zip" \
|
|
"$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip";
|
|
sha512sum "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip" > "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum";
|
|
fi;
|
|
done;
|
|
fi;
|
|
fi;
|
|
|
|
#Extract signed recovery
|
|
if [ "$hasRecoveryImg" == "0" ]; then
|
|
echo -e "\e[0;32mExtracting signed recovery.img\e[0m";
|
|
mkdir "$OUT_DIR/rec_tmp";
|
|
unzip "$OUT_DIR/$PREFIX-target_files.zip" "IMAGES/recovery.img" -d "$OUT_DIR/rec_tmp";
|
|
mv "$OUT_DIR/rec_tmp/IMAGES/recovery.img" "$OUT_DIR/$PREFIX-recovery.img";
|
|
sha512sum "$OUT_DIR/$PREFIX-recovery.img" > "$OUT_DIR/$PREFIX-recovery.img.sha512sum";
|
|
fi;
|
|
|
|
#File name fixes
|
|
sed -i "s|$OUT_DIR/||" $OUT_DIR/*.md5sum $OUT_DIR/*.sha512sum;
|
|
sed -i 's/-ota\././' $OUT_DIR/*.md5sum $OUT_DIR/*.sha512sum;
|
|
sed -i 's/-incremental_/-/' $OUT_DIR/*.md5sum $OUT_DIR/*.sha512sum;
|
|
|
|
#GPG signing
|
|
if [ "$DOS_GPG_SIGNING" = true ]; then
|
|
for checksum in $OUT_DIR/*.sha512sum; do
|
|
echo -e "\e[0;32mGPG signing $checksum\e[0m";
|
|
gpg --homedir "$DOS_SIGNING_GPG" --sign --local-user "$DOS_GPG_SIGNING_KEY" --clearsign "$checksum";
|
|
if [ "$?" -eq "0" ]; then
|
|
mv -f "$checksum.asc" "$checksum";
|
|
fi;
|
|
done;
|
|
fi;
|
|
|
|
#Copy to archive
|
|
if [ "$DOS_AUTO_ARCHIVE_BUILDS" = true ]; then
|
|
echo -e "\e[0;32mCopying files to archive\e[0m";
|
|
mkdir -vp $ARCHIVE;
|
|
mkdir -vp $ARCHIVE/target_files;
|
|
mkdir -vp $ARCHIVE/fastboot;
|
|
mkdir -vp $ARCHIVE/incrementals;
|
|
|
|
if [[ " ${DOS_GENERATE_DELTAS_DEVICES[@]} " =~ " ${DEVICE} " ]]; then cp -v $OUT_DIR/$PREFIX-target_files.zip* $ARCHIVE/target_files/; fi;
|
|
cp -v $OUT_DIR/$PREFIX-fastboot.zip* $ARCHIVE/fastboot/ || true;
|
|
cp -v $OUT_DIR/$PREFIX-ota.zip* $ARCHIVE/;
|
|
cp -v $OUT_DIR/$PREFIX-incremental_*.zip* $ARCHIVE/incrementals/ || true;
|
|
cp -v $OUT_DIR/$PREFIX-recovery.img* $ARCHIVE/ || true;
|
|
|
|
rename -- "-ota." "." $ARCHIVE/$PREFIX-ota.zip*;
|
|
rename -- "-incremental_" "-" $ARCHIVE/incrementals/$PREFIX-incremental_*.zip*;
|
|
sync;
|
|
|
|
#Remove to make space for next build
|
|
if [ "$DOS_REMOVE_AFTER" = true ]; then
|
|
echo -e "\e[0;32mRemoving to reclaim space\e[0m";
|
|
#TODO: add a sanity check
|
|
rm -rf "$OUT_DIR";
|
|
fi;
|
|
fi;
|
|
|
|
sync;
|
|
echo -e "\e[0;32mRelease processing complete\e[0m";
|
|
}
|
|
export -f processRelease;
|
|
|
|
pushToServer() {
|
|
rsync -Pau --no-perms --no-owner --no-group incrementals/divested-*-dos-$1-*.zip* root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/incrementals/ || true;
|
|
rsync -Pau --no-perms --no-owner --no-group divested-*-dos-$1.zip* root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/ || true;
|
|
rsync -Pau --no-perms --no-owner --no-group divested-*-dos-$1-recovery.img root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/ || true;
|
|
rsync -Pau --no-perms --no-owner --no-group fastboot/divested-*-dos-$1-*.zip* root@divestos.org:/var/www/divestos.org/builds/LineageOS/$1/ || true;
|
|
}
|
|
export -f pushToServer;
|
|
|
|
removeBuildFingerprints() {
|
|
#Removes the stock/vendor fingerprint, allowing one to be generated instead
|
|
find device -maxdepth 3 -name "lineage*.mk" -type f -exec sh -c "awk -i inplace '!/BUILD_FINGERPRINT/' {}" \;
|
|
find device -maxdepth 3 -name "lineage*.mk" -type f -exec sh -c "awk -i inplace '!/PRIVATE_BUILD_DESC/' {}" \;
|
|
echo "Removed stock build fingerprints";
|
|
}
|
|
export -f removeBuildFingerprints;
|
|
|
|
disableDexPreOpt() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
if [ -f BoardConfig.mk ]; then
|
|
sed -i "s/WITH_DEXPREOPT := true/WITH_DEXPREOPT := false/" BoardConfig.mk;
|
|
echo "Disabled dexpreopt";
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f disableDexPreOpt;
|
|
|
|
compressRamdisks() {
|
|
if [ -f BoardConfig.mk ]; then
|
|
echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
|
|
echo "Enabled ramdisk compression";
|
|
fi;
|
|
}
|
|
export -f compressRamdisks;
|
|
|
|
addVerity() {
|
|
echo 'ifeq ($(TARGET_BUILD_VARIANT),user)' >> device.mk;
|
|
echo 'PRODUCT_SYSTEM_VERITY_PARTITION := /dev/block/by-name/system' >> device.mk;
|
|
echo '$(call inherit-product, build/target/product/verity.mk)' >> device.mk;
|
|
echo 'endif' >> device.mk;
|
|
|
|
sed -i '/on init/a\\ verity_load_state' rootdir/etc/init."${PWD##*/}".rc;
|
|
sed -i '/on early-boot/a\\ verity_update_state' rootdir/etc/init."${PWD##*/}".rc;
|
|
}
|
|
export -f addVerity;
|
|
|
|
enableVerity() {
|
|
sed -i 's/--set_hashtree_disabled_flag//' *.mk;
|
|
sed -i 's/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 3/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' *.mk;
|
|
sed -i '/\/system/{/verify/!s|wait|wait,verify|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
|
|
}
|
|
export -f enableVerity;
|
|
|
|
optimizeImagesRecursive() {
|
|
find "$1" -type f -name "*.jp*g" -print0 | xargs -0 -n1 -P 16 jpegoptim;
|
|
find "$1" -type f -name "*.png" -print0 | xargs -0 -n1 -P 16 optipng;
|
|
}
|
|
export -f optimizeImagesRecursive;
|
|
|
|
smallerSystem() {
|
|
echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" >> BoardConfig.mk;
|
|
echo "PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := true" >> device.mk;
|
|
echo "EXCLUDE_SERIF_FONTS := true" >> BoardConfig.mk;
|
|
echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
|
#echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
|
sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
|
|
}
|
|
export -f smallerSystem;
|
|
|
|
deblobAudio() {
|
|
awk -i inplace '!/BOARD_SUPPORTS_SOUND_TRIGGER/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
awk -i inplace '!/android.hardware.soundtrigger/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
awk -i inplace '!/DOLBY_/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
#awk -i inplace '!/vendor.audio.dolby/' hardware/qcom/audio-caf/*/configs/*/*.mk &>/dev/null || true;
|
|
}
|
|
export -f deblobAudio;
|
|
|
|
imsAllowDiag() {
|
|
find device -name "ims.te" -type f -exec sh -c "echo 'diag_use(ims)' >> {}" \;
|
|
find device -name "hal_imsrtp.te" -type f -exec sh -c "echo 'diag_use(hal_imsrtp)' >> {}" \;
|
|
}
|
|
export -f imsAllowDiag;
|
|
|
|
extremeWiFiDeepSleep() {
|
|
sed -i 's/gEnablePowerSaveOffload=2/gEnablePowerSaveOffload=4/' $1;
|
|
}
|
|
export -f extremeWiFiDeepSleep;
|
|
|
|
volteOverride() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
if grep -sq "config_device_volte_available" "overlay/frameworks/base/core/res/res/values/config.xml"; then
|
|
if [ -f vendor.prop ] && ! grep -sq "volte_avail_ovr" "vendor.prop"; then
|
|
echo -e 'persist.dbg.volte_avail_ovr=1\npersist.dbg.vt_avail_ovr=1' >> vendor.prop;
|
|
echo "Set VoLTE override in vendor.prop for $1";
|
|
elif [ -f system.prop ] && ! grep -sq "volte_avail_ovr" "system.prop"; then
|
|
echo -e 'persist.dbg.volte_avail_ovr=1\npersist.dbg.vt_avail_ovr=1' >> system.prop;
|
|
echo "Set VoLTE override in system.prop for $1";
|
|
fi;
|
|
if [ -f vendor_prop.mk ] && ! grep -sq "volte_avail_ovr" "vendor_prop.mk"; then
|
|
echo -e '\nPRODUCT_PROPERTY_OVERRIDES += \\\n persist.dbg.volte_avail_ovr=1 \\\n persist.dbg.vt_avail_ovr=1' >> vendor_prop.mk;
|
|
echo "Set VoLTE override in vendor_prop.mk for $1";
|
|
fi;
|
|
#TODO: init/init*.cpp, device*.mk
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f volteOverride;
|
|
|
|
hardenLocationConf() {
|
|
local gpsConfig=$1;
|
|
#Debugging: adb logcat -b all | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
|
|
#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true;
|
|
#Enable GLONASS
|
|
if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
|
|
sed -i 's/#A_GLONASS_POS_PROTOCOL_SELECT =/A_GLONASS_POS_PROTOCOL_SELECT =/' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's/A_GLONASS_POS_PROTOCOL_SELECT = 0.*/A_GLONASS_POS_PROTOCOL_SELECT = 15/' "$gpsConfig" &>/dev/null || true;
|
|
fi;
|
|
#Change capabilities
|
|
sed -i 's|CAPABILITIES=.*|CAPABILITIES=0x13|' "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy) and geofencing/ULP (both broken by deblobber)
|
|
sed -i 's/#SUPL_MODE=/SUPL_MODE=/' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's/SUPL_MODE=$/SUPL_MODE=1/' "$gpsConfig" &>/dev/null || true; #Set to MSB if blank (to prevent MSA+MSB default)
|
|
sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$gpsConfig" &> /dev/null || true; #Disable MSA (privacy)
|
|
#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
|
|
sed -i 's/#SUPL_ES=/SUPL_ES=/' "$gpsConfig" &>/dev/null || true;
|
|
sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$gpsConfig" &> /dev/null || true;
|
|
#Change servers
|
|
sed -i "s|SUPL_HOST=.*|SUPL_HOST=$DOS_GPS_SUPL_HOST|" "$gpsConfig" &> /dev/null || true;
|
|
sed -i "s|NTP_SERVER=.*|NTP_SERVER=$DOS_GPS_NTP_SERVER|" "$gpsConfig" &> /dev/null || true;
|
|
#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
|
|
#XTRA: Only use specified URLs
|
|
sed -i 's|XTRA_SERVER_QUERY=1|XTRA_SERVER_QUERY=0|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|#XTRA_SERVER|XTRA_SERVER|' "$gpsConfig" &>/dev/null || true;
|
|
#Switch gpsOneXtra to IZatCloud (invalid certificate)
|
|
sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|gpsonextra.net|izatcloud.net|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|xtrapath1|xtrapath4|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|xtrapath2|xtrapath5|' "$gpsConfig" &>/dev/null || true;
|
|
sed -i 's|xtrapath3|xtrapath6|' "$gpsConfig" &>/dev/null || true;
|
|
#Enable HTTPS (IZatCloud supports HTTPS)
|
|
sed -i 's|http://xtrapath|https://xtrapath|' "$gpsConfig" &>/dev/null || true;
|
|
#sed -i 's|http://gllto|https://gllto|' "$gpsConfig" &>/dev/null || true; XXX: GLPals has an invaid certificate
|
|
echo "Enhanced location services for $gpsConfig";
|
|
}
|
|
export -f hardenLocationConf;
|
|
|
|
hardenLocationFWB() {
|
|
local dir=$1;
|
|
#Enable GLONASS
|
|
if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
|
|
sed -i 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
fi;
|
|
#Change capabilities
|
|
sed -i "s|SUPL_MODE=3|SUPL_MODE=1|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true; #Disable MSA (privacy)
|
|
#CVE-2018-9526 - See: https://android.googlesource.com/device/google/marlin/+/fa7f7382e8b39f7ca209824f97788ab25c44f6a3
|
|
sed -i "s|SUPL_ES=0|SUPL_ES=1|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
|
|
#Change servers
|
|
sed -i "s|NTP_SERVER=.*</item>|NTP_SERVER=$DOS_GPS_NTP_SERVER</item>|" "$dir"/frameworks/base/core/res/res/values*/*.xml &> /dev/null || true;
|
|
#CVE-2016-5341 - See: https://wwws.nightwatchcybersecurity.com/2016/12/05/cve-2016-5341/
|
|
#Switch gpsOneXtra to IZatCloud (invalid certificate)
|
|
sed -i '/xtrapath/!s|://xtra|://xtrapath|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|gpsonextra.net|izatcloud.net|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|xtrapath1|xtrapath4|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|xtrapath2|xtrapath5|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
sed -i 's|xtrapath3|xtrapath6|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
#Enable HTTPS (IZatCloud supports HTTPS)
|
|
sed -i 's|http://xtrapath|https://xtrapath|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
|
|
#sed -i 's|http://gllto|https://gllto|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true; XXX: GLPals has an invaid certificate
|
|
echo "Enhanced location services for $dir";
|
|
}
|
|
export -f hardenLocationFWB;
|
|
|
|
enableZram() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
|
|
echo "Enabled zram for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f enableZram;
|
|
|
|
hardenUserdata() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
|
|
#awk -i inplace '!/f2fs/' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
|
|
|
|
#Remove latemount to allow selinux contexts be restored upon /cache wipe
|
|
#Fixes broken OTA updater and broken /recovery updater
|
|
sed -i '/\/cache/s|latemount,||' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
|
|
|
|
#TODO: Ensure: noatime,nosuid,nodev
|
|
sed -i '/\/data/{/discard/!s|nosuid|discard,nosuid|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
|
|
if [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/amazon/hdx-common" ]; then #tuna needs first boot to init, hdx-c has broken encryption
|
|
sed -i 's|encryptable=/|forceencrypt=/|' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
|
|
fi;
|
|
echo "Hardened /data for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f hardenUserdata;
|
|
|
|
hardenBootArgs() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := slub_debug=FZP /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true; #TODO: inline this
|
|
echo "Hardened kernel command line arguments for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f hardenBootArgs;
|
|
|
|
disableAPEX() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
awk -i inplace '!/DEXPREOPT_GENERATE_APEX_IMAGE/' *.mk &>/dev/null || true;
|
|
awk -i inplace '!/updatable_apex.mk/' *.mk &>/dev/null || true;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f disableAPEX;
|
|
|
|
enableStrongEncryption() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
if [ -f BoardConfig.mk ]; then
|
|
echo "TARGET_WANTS_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
|
|
echo "Enabled AES-256 encryption for $1";
|
|
fi;
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f enableStrongEncryption;
|
|
|
|
addAdbKey() {
|
|
if [ -f ~/.android/adbkey.pub ]; then
|
|
cp ~/.android/adbkey.pub "$DOS_BUILD_BASE/vendor/divested/";
|
|
echo "PRODUCT_ADB_KEYS := vendor/divested/adbkey.pub" >> "$DOS_BUILD_BASE/vendor/divested/divestos.mk";
|
|
fi;
|
|
}
|
|
export -f addAdbKey;
|
|
|
|
changeDefaultDNS() {
|
|
local dnsPrimary="";
|
|
local dnsPrimaryV6="";
|
|
local dnsSecondary="";
|
|
local dnsSecondaryV6="";
|
|
if [ ! -z "$DOS_DEFAULT_DNS_PRESET" ]; then
|
|
if [[ "$DOS_DEFAULT_DNS_PRESET" == "AdGuard" ]]; then #https://adguard.com/en/adguard-dns/overview.html
|
|
dnsPrimary="176.103.130.130";
|
|
dnsPrimaryV6="2a00:5a60::ad1:0ff";
|
|
dnsSecondary="176.103.130.131";
|
|
dnsSecondaryV6="2a00:5a60::ad2:0ff";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "AdGuard-NOBL" ]]; then #https://adguard.com/en/adguard-dns/overview.html
|
|
dnsPrimary="176.103.130.136";
|
|
dnsPrimaryV6="2a00:5a60::01:ff";
|
|
dnsSecondary="176.103.130.137";
|
|
dnsSecondaryV6="2a00:5a60::02:ff";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "CensurfriDNS" ]]; then #https://uncensoreddns.org
|
|
dnsPrimary="91.239.100.100";
|
|
dnsPrimaryV6="2001:67c:28a4::";
|
|
dnsSecondary="89.233.43.71";
|
|
dnsSecondaryV6="2a01:3a0:53:53::";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Cloudflare" ]]; then #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
|
|
dnsPrimary="1.0.0.1";
|
|
dnsPrimaryV6="2606:4700:4700::1001";
|
|
dnsSecondary="1.1.1.1";
|
|
dnsSecondaryV6="2606:4700:4700::1111";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Cloudflare-BL" ]]; then #https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy
|
|
dnsPrimary="1.0.0.2";
|
|
dnsPrimaryV6="2606:4700:4700::1002";
|
|
dnsSecondary="1.1.1.2";
|
|
dnsSecondaryV6="2606:4700:4700::1112";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "OpenNIC" ]]; then #https://servers.opennicproject.org/edit.php?srv=ns3.any.dns.opennic.glue
|
|
dnsPrimary="169.239.202.202"; #FIXME
|
|
dnsPrimaryV6="2a05:dfc7:5353::53";
|
|
dnsSecondary="185.121.177.177";
|
|
dnsSecondaryV6="2a05:dfc7:5::53";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "DNSWATCH" ]]; then #https://dns.watch
|
|
dnsPrimary="84.200.69.80";
|
|
dnsPrimaryV6="2001:1608:10:25::1c04:b12f";
|
|
dnsSecondary="84.200.70.40";
|
|
dnsSecondaryV6="2001:1608:10:25::9249:d69b";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Google" ]]; then #https://developers.google.com/speed/public-dns/privacy
|
|
dnsPrimary="8.8.8.8";
|
|
dnsPrimaryV6="2001:4860:4860::8888";
|
|
dnsSecondary="8.8.4.4";
|
|
dnsSecondaryV6="2001:4860:4860::8844";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Neustar" ]]; then #https://www.security.neustar/digital-performance/dns-services/recursive-dns
|
|
dnsPrimary="156.154.70.2";
|
|
dnsPrimaryV6="2610:a1:1018::2";
|
|
dnsSecondary="156.154.71.2";
|
|
dnsSecondaryV6="2610:a1:1019::2";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Neustar-NOBL" ]]; then #https://www.security.neustar/digital-performance/dns-services/recursive-dns
|
|
dnsPrimary="156.154.70.5";
|
|
dnsPrimaryV6="2610:a1:1018::5";
|
|
dnsSecondary="156.154.71.5";
|
|
dnsSecondaryV6="2610:a1:1019::5";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "NixNet" ]]; then #https://docs.nixnet.services/DNS
|
|
dnsPrimary="198.251.90.114";
|
|
dnsPrimaryV6="2605:6400:20:e6d::1";
|
|
dnsSecondary="198.251.90.114";
|
|
dnsSecondaryV6="2605:6400:30:f881::1";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "OpenDNS" ]]; then #https://www.cisco.com/c/en/us/about/legal/privacy-full.html
|
|
dnsPrimary="208.67.222.222";
|
|
dnsPrimaryV6="2620:0:ccc::2";
|
|
dnsSecondary="208.67.220.220";
|
|
dnsSecondaryV6="2620:0:ccd::2";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Quad9" ]]; then #https://www.quad9.net/privacy
|
|
dnsPrimary="9.9.9.9";
|
|
dnsPrimaryV6="2620:fe::fe";
|
|
dnsSecondary="149.112.112.112";
|
|
dnsSecondaryV6="2620:fe::9";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Quad9-EDNS" ]]; then #https://www.quad9.net/privacy
|
|
dnsPrimary="9.9.9.11";
|
|
dnsPrimaryV6="2620:fe::11";
|
|
dnsSecondary="149.112.112.11";
|
|
dnsSecondaryV6="2620:fe::fe:11";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Quad9-NOBL" ]]; then #https://www.quad9.net/privacy
|
|
dnsPrimary="9.9.9.10";
|
|
dnsPrimaryV6="2620:fe::10";
|
|
dnsSecondary="149.112.112.10";
|
|
dnsSecondaryV6="2620:fe::fe:10";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Verisign" ]]; then #https://www.verisign.com/en_US/security-services/public-dns/terms-of-service/index.xhtml
|
|
dnsPrimary="64.6.64.6";
|
|
dnsPrimaryV6="2620:74:1b::1:1";
|
|
dnsSecondary="64.6.65.6";
|
|
dnsSecondaryV6="2620:74:1c::2:2";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Yandex" ]]; then #https://dns.yandex.com/advanced
|
|
dnsPrimary="77.88.8.88";
|
|
dnsPrimaryV6="2a02:6b8::feed:bad";
|
|
dnsSecondary="77.88.8.2";
|
|
dnsSecondaryV6="2a02:6b8:0:1::feed:bad";
|
|
elif [[ "$DOS_DEFAULT_DNS_PRESET" == "Yandex-NOBL" ]]; then #https://dns.yandex.com/advanced
|
|
dnsPrimary="77.88.8.8";
|
|
dnsPrimaryV6="2a02:6b8::feed:0ff";
|
|
dnsSecondary="77.88.8.1";
|
|
dnsSecondaryV6="2a02:6b8:0:1::feed:0ff";
|
|
fi;
|
|
else
|
|
echo "You must first set a preset via the DOS_DEFAULT_DNS_PRESET variable in init.sh!";
|
|
fi;
|
|
|
|
local files="core/res/res/values/config.xml packages/SettingsLib/res/values/strings.xml services/core/java/com/android/server/connectivity/NetworkDiagnostics.java services/core/java/com/android/server/connectivity/Tethering.java services/core/java/com/android/server/connectivity/tethering/TetheringConfiguration.java services/java/com/android/server/connectivity/Tethering.java packages/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java core/java/android/net/util/DnsUtils.java";
|
|
sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true;
|
|
sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true;
|
|
sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
|
|
sed -i "s/4\.4\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
|
|
sed -i "s/2001:4860:4860::8844/$dnsSecondaryV6/" $files &>/dev/null || true;
|
|
}
|
|
export -f changeDefaultDNS;
|
|
|
|
editKernelLocalversion() {
|
|
local defconfigPath=$(getDefconfig)
|
|
sed -i 's/CONFIG_LOCALVERSION=".*"/CONFIG_LOCALVERSION="'"$1"'"/' $defconfigPath &>/dev/null || true;
|
|
sed -zi '/CONFIG_LOCALVERSION="'"$1"'"/!s/$/\nCONFIG_LOCALVERSION="'"$1"'"/' $defconfigPath &>/dev/null;
|
|
}
|
|
export -f editKernelLocalversion;
|
|
|
|
getDefconfig() {
|
|
if ls arch/arm/configs/lineage*defconfig 1> /dev/null 2>&1; then
|
|
local defconfigPath="arch/arm/configs/lineage*defconfig";
|
|
elif ls arch/arm64/configs/lineage*defconfig 1> /dev/null 2>&1; then
|
|
local defconfigPath="arch/arm64/configs/lineage*defconfig";
|
|
else
|
|
#grep TARGET_KERNEL_CONFIG /mnt/dos/Build/*/device/ -Rih | sed 's|TARGET_KERNEL_CONFIG .= |arch/arm\*/configs/|' | grep -v lineage | sort -u
|
|
local defconfigPath="arch/arm*/configs/lineage*defconfig arch/arm*/configs/aura_defconfig arch/arm*/configs/beryllium_defconfig arch/arm*/configs/clark_defconfig arch/arm*/configs/enchilada_defconfig arch/arm*/configs/exynos8890-herolte_defconfig arch/arm*/configs/floral_defconfig arch/arm*/configs/griffin_defconfig arch/arm*/configs/grouper_defconfig arch/arm*/configs/m7_defconfig arch/arm*/configs/m8_defconfig arch/arm*/configs/msm8974-hdx_defconfig arch/arm*/configs/msm8974-hdx-perf_defconfig arch/arm*/configs/oneplus2_defconfig arch/arm*/configs/osprey_defconfig arch/arm*/configs/redbull_defconfig arch/arm*/configs/samsung_serrano_defconfig arch/arm*/configs/samsung_serrano_usa_defconfig arch/arm*/configs/shamu_defconfig arch/arm*/configs/sunfish_defconfig arch/arm*/configs/surnia_defconfig arch/arm*/configs/tuna_defconfig arch/arm*/configs/twrp_defconfig arch/arm*/configs/vendor/alioth_defconfig arch/arm*/configs/vendor/lineage_davinci_defconfig arch/arm*/configs/vendor/lito-perf_defconfig arch/arm*/configs/vendor/lmi_defconfig arch/arm*/configs/vendor/raphael_defconfig arch/arm*/configs/vendor/sm8150-perf_defconfig arch/arm*/configs/vendor/vayu_defconfig arch/arm*/configs/yellowstone_defconfig arch/arm*/configs/Z00T_defconfig arch/arm*/configs/z2_plus_defconfig arch/arm*/configs/zenfone3-perf_defconfig";
|
|
fi;
|
|
echo $defconfigPath;
|
|
}
|
|
export -f getDefconfig;
|
|
|
|
hardenDefconfig() {
|
|
cd "$DOS_BUILD_BASE$1";
|
|
|
|
#Attempts to enable/disable supported options to increase security
|
|
#See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
|
|
#and (GPL-3.0) https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/kconfig_hardened_check/__init__.py
|
|
|
|
local defconfigPath=$(getDefconfig)
|
|
|
|
#Enable supported options
|
|
#Linux <3.0
|
|
declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "SLUB_DEBUG" "STRICT_DEVMEM" "SYN_COOKIES");
|
|
#Disabled: DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
|
|
|
|
#Linux 3.4
|
|
optionsYes+=("SECURITY_YAMA");
|
|
|
|
#Linux 3.5
|
|
optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER");
|
|
|
|
#Linux 3.7
|
|
optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER");
|
|
|
|
#Linux 3.13
|
|
optionsYes+=("SYSTEM_TRUSTED_KEYRING");
|
|
|
|
#Linux 3.14
|
|
optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG");
|
|
|
|
#Linux 3.17
|
|
optionsYes+=("PKCS7_MESSAGE_PARSER");
|
|
|
|
#Linux 3.18
|
|
optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK");
|
|
|
|
#Linux 4.3
|
|
optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN");
|
|
|
|
#Linux 4.4
|
|
optionsYes+=("LEGACY_VSYSCALL_NONE");
|
|
|
|
#Linux 4.5
|
|
optionsYes+=("IO_STRICT_DEVMEM");
|
|
|
|
#Linux 4.6
|
|
optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ENABLE_DEFAULT" "PAGE_POISONING_NO_SANITY");
|
|
|
|
#Linux 4.7
|
|
optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
|
|
|
|
#Linux 4.8
|
|
optionsYes+=("RANDOMIZE_MEMORY");
|
|
|
|
#Linux 4.9
|
|
optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK");
|
|
|
|
#Linux 4.10
|
|
optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION");
|
|
|
|
#Linux 4.11
|
|
optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX");
|
|
|
|
#Linux 4.13
|
|
optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL");
|
|
|
|
#Linux 4.14
|
|
optionsYes+=("SLAB_FREELIST_HARDENED");
|
|
|
|
#Linux 4.15
|
|
optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE");
|
|
|
|
#Linux 4.16
|
|
optionsYes+=("UNMAP_KERNEL_AT_EL0");
|
|
|
|
#Linux 4.17
|
|
optionsYes+=("HARDEN_EL2_VECTORS");
|
|
|
|
#Linux 4.18
|
|
optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
|
|
|
|
#Linux 4.19
|
|
optionsYes+=("PAGE_POISONING_ZERO");
|
|
|
|
#Linux 5.0
|
|
optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
|
|
|
|
#Linux 5.2
|
|
optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
|
|
|
|
#Linux 5.3
|
|
optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
|
|
|
|
#Linux 5.8
|
|
optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
|
|
|
|
#Linux 5.9
|
|
optionsYes+=("INIT_STACK_ALL_ZERO");
|
|
|
|
#Linux 5.10
|
|
optionsYes+=("ARM64_MTE");
|
|
|
|
#Linux 5.13
|
|
optionsYes+=("ARM64_EPAN" "RANDOMIZE_KSTACK_OFFSET_DEFAULT");
|
|
|
|
#GCC Plugins - 4.19 - 5.2
|
|
#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
|
|
|
|
#GrapheneOS Patches
|
|
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
|
|
#Disabled: SLAB_CANARY (breakage?)
|
|
|
|
#out of tree or renamed or removed ?
|
|
optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
|
|
|
|
#Time hardware
|
|
#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
|
|
|
|
#Hardware enablement #XXX: This needs a better home
|
|
optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
|
|
|
|
for option in "${optionsYes[@]}"
|
|
do
|
|
#If the option is disabled, enable it
|
|
sed -i 's/# CONFIG_'"$option"' is not set/CONFIG_'"$option"'=y/' $defconfigPath &>/dev/null || true;
|
|
if [[ "$1" != *"kernel/oneplus/msm8996"* ]]; then
|
|
#If the option isn't present, add it enabled
|
|
sed -zi '/CONFIG_'"$option"'=y/!s/$/\nCONFIG_'"$option"'=y/' $defconfigPath &>/dev/null || true;
|
|
fi;
|
|
done
|
|
#Disable supported options
|
|
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile), PROC_PAGE_MONITOR (breaks memory stats)
|
|
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BLK_DEV_FD" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
|
|
|
|
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
|
|
optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
|
|
|
|
for option in "${optionsNo[@]}"
|
|
do
|
|
#If the option is enabled, disable it
|
|
sed -i 's/CONFIG_'"$option"'=y/CONFIG_'"$option"'=n/' $defconfigPath &>/dev/null || true;
|
|
#If the option isn't present, add it disabled
|
|
sed -zi '/CONFIG_'"$option"'=n/!s/$/\nCONFIG_'"$option"'=n/' $defconfigPath &>/dev/null || true;
|
|
done
|
|
|
|
#Extras
|
|
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true;
|
|
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;
|
|
sed -i 's/CONFIG_DEFAULT_MMAP_MIN_ADDR=4096/CONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
sed -zi '/CONFIG_DEFAULT_MMAP_MIN_ADDR/!s/$/\nCONFIG_DEFAULT_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
sed -i 's/CONFIG_LSM_MMAP_MIN_ADDR=4096/CONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
sed -zi '/CONFIG_LSM_MMAP_MIN_ADDR/!s/$/\nCONFIG_LSM_MMAP_MIN_ADDR=32768/' $defconfigPath &>/dev/null || true;
|
|
|
|
editKernelLocalversion "-dos";
|
|
|
|
echo "Hardened defconfig for $1";
|
|
cd "$DOS_BUILD_BASE";
|
|
}
|
|
export -f hardenDefconfig;
|