From 1fa75dcb6562ee4490f24f0bfb2be2de4edffdf8 Mon Sep 17 00:00:00 2001 From: Tad Date: Thu, 12 Apr 2018 09:26:03 -0400 Subject: [PATCH] 15.1: More fixes --- Manifests/Manifest_LAOS-15.1.xml | 4 --- .../0001-LGE_Fixes.patch | 35 +++++++++++++++++++ Scripts/LineageOS-14.1/Patch.sh | 2 +- Scripts/LineageOS-15.1/Functions.sh | 4 +-- Scripts/LineageOS-15.1/Patch.sh | 10 ++++-- Scripts/LineageOS-15.1/Rebrand.sh | 1 + 6 files changed, 46 insertions(+), 10 deletions(-) create mode 100644 Patches/LineageOS-15.1/android_system_sepolicy/0001-LGE_Fixes.patch diff --git a/Manifests/Manifest_LAOS-15.1.xml b/Manifests/Manifest_LAOS-15.1.xml index de1e6e33..7b6585d6 100644 --- a/Manifests/Manifest_LAOS-15.1.xml +++ b/Manifests/Manifest_LAOS-15.1.xml @@ -67,10 +67,6 @@ - - - - diff --git a/Patches/LineageOS-15.1/android_system_sepolicy/0001-LGE_Fixes.patch b/Patches/LineageOS-15.1/android_system_sepolicy/0001-LGE_Fixes.patch new file mode 100644 index 00000000..4f9ad53b --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_sepolicy/0001-LGE_Fixes.patch 
@@ -0,0 +1,35 @@
+From b75779de1c7fd9f624d0523a8ff9020b91f918ed Mon Sep 17 00:00:00 2001
+From: Tad
+Date: Thu, 12 Apr 2018 08:05:32 -0400
+Subject: [PATCH] Fix -user builds for many LGE devices
+
+Change-Id: I46c4191b1171055cbdb5b23e8714d24676fc48bb
+---
+ public/domain.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/public/domain.te b/public/domain.te
+index 8640baaa..4b5b0bc6 100644
+--- a/public/domain.te
++++ b/public/domain.te
+@@ -486,6 +486,9 @@ neverallow { domain -recovery -update_engine } system_block_device:blk_file writ
+ # No domains other than install_recovery or recovery can write to recovery.
+ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+
++# Select devices have policies prevented by the following neverallow
++attribute misc_block_device_exception;
++
+ # No domains other than a select few can access the misc_block_device. This
+ # block device is reserved for OTA use.
+ # Do not assert this rule on userdebug/eng builds, due to some devices using
+@@ -500,6 +503,7 @@ neverallow {
+ -vold
+ -recovery
+ -ueventd
++ -misc_block_device_exception
+ } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
+ # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+--
+2.17.0
+
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index c377b963..c7e34d18 100755
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
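Review bot: The new `misc_block_device_exception` attribute in public/domain.te lifts the misc_block_device neverallow for every domain that carries it, on any device built from this tree, yet its comment names neither the intended domains nor the reason. The excluded permission set includes `write`, and the surrounding policy text calls this partition reserved for OTA use, so each assignment of the attribute deserves its own justification. I would word the comment as `# Exempts a domain from the misc_block_device neverallow below; assign per named domain from a device tree and record the reason next to each typeattribute.` If the LGE domains only need to read the partition (not visible here), adding `neverallow misc_block_device_exception misc_block_device:blk_file { append link relabelfrom rename write };` would keep the write half of the assertion. The neverallow block opens above the second inner hunk and is only partly visible.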
@@ -66,7 +66,7 @@ patch -p1 < $patches"android_build/0001-Automated_Build_Signing.patch" #Automate sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence enterAndClear "device/qcom/sepolicy" -patch -p1 < $patches"android_device_qcom_sepolicy/0001-Camera_Fix.patch" #Fix camera on user builds +patch -p1 < $patches"android_device_qcom_sepolicy/0001-Camera_Fix.patch" #Fix camera on user builds XXX: REMOVE THIS TRASH enterAndClear "external/sqlite" patch -p1 < $patches"android_external_sqlite/0001-Secure_Delete.patch" #Enable secure_delete by default. Disclaimer: From CopperheadOS 13.0 diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index c1916dfc..add5da9c 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -33,7 +33,7 @@ export -f buildDevice; buildAll() { #Select devices are userdebug due to SELinux policy issues #TODO: Add victara, griffin, athene, us997, us996, pme, t0lte, hlte - brunch lineage_d852-userdebug; + brunch lineage_d852-user; brunch lineage_bacon-user; brunch lineage_mako-user; #brunch lineage_clark-user; #requires blobs from https://androidfilehost.com/?w=files&flid=244563 and also broken @@ -43,7 +43,7 @@ buildAll() { brunch lineage_d855-userdebug; brunch lineage_flo-user; brunch lineage_flounder-user; - #brunch lineage_h850-userdebug; #prot_sect_kernel undefined + #brunch lineage_h850-userdebug; #brunch lineage_hammerhead-user; brunch lineage_marlin-user; brunch lineage_m8-user; diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index d4a78eb1..001049cc 100755 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh 
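Review bot: In Functions.sh `lineage_d852` moves to `-user`, but `lineage_d855-userdebug` in the next hunk's context is left as it was, and the header comment `#Select devices are userdebug due to SELinux policy issues` gives no per-device reason. If d855 builds from the same g3-common tree that Patch.sh adjusts in this commit (likely, but not shown here), it should move to `-user` as well; otherwise add a trailing comment on that line saying what still blocks it. The second hunk also drops `#prot_sect_kernel undefined` from the commented-out h850 line, which leaves the line disabled with no stated cause; a short marker such as `#TODO: re-test, previously failed with prot_sect_kernel undefined` would keep the history. buildAll() starts and ends outside both hunks.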
@@ -64,7 +64,7 @@ awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i 's/messaging/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence enterAndClear "device/qcom/sepolicy" -patch -p1 < $patches"android_device_qcom_sepolicy/0001-Camera_Fix.patch" #Fix camera on -user builds +patch -p1 < $patches"android_device_qcom_sepolicy/0001-Camera_Fix.patch" #Fix camera on -user builds XXX: REMOVE THIS TRASH enterAndClear "external/svox" git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back makefiles @@ -157,6 +157,9 @@ cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file git revert a6a4ce8e9a6d63014047a447c6bb3ac1fa90b3f4 #Always update recovery patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0 +enterAndClear "system/sepolicy" +patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch" #Fix -user builds for LGE devices + enterAndClear "system/vold" patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption @@ -171,7 +174,6 @@ cp -r $patches"android_vendor_lineage/firmware_deblobber" .; cp $patches"android_vendor_lineage/firmware_deblobber.mk" build/tasks/firmware_deblobber.mk; sed -i 's/LINEAGE_BUILDTYPE := UNOFFICIAL/LINEAGE_BUILDTYPE := dos/' config/common.mk; #Change buildtype sed -i 's/messaging/Silence/' config/telephony.mk; #Replace AOSP Messaging app with Silence -sed -i 's/config_enableRecoveryUpdater">false/config_enableRecoveryUpdater">true/' overlay/common/packages/apps/Settings/res/values/config.xml; #Expose option to update recovery # #END OF ROM CHANGES # 
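Review bot: The trailing comment on the new `patch -p1 < $patches"android_system_sepolicy/0001-LGE_Fixes.patch"` line (hunk at -157) understates what is applied: the patch edits the global public/domain.te and adds an exemption to the misc_block_device neverallow that any device tree can use, not only LGE ones. I would write it as `#Add misc_block_device_exception attribute to relax the misc_block_device neverallow (needed for -user builds on LGE devices)`. The exit status of `patch` is not checked in the visible lines, so a reject after an upstream change to domain.te would only surface later in the build; whether the script runs under `set -e` is outside this hunk.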
@@ -180,6 +182,8 @@ sed -i 's/config_enableRecoveryUpdater">false/config_enableRecoveryUpdater">true #START OF DEVICE CHANGES # enterAndClear "device/lge/g3-common" +sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te; +sed -i '1itypeattribute wcnss_service misc_block_device_exception;' sepolicy/wcnss_service.te; echo "allow wcnss_service block_device:dir search;" >> sepolicy/wcnss_service.te; #fix incorrect Wi-Fi MAC address echo "/dev/block/platform/msm_sdcc\.1/by-name/pad u:object_r:misc_block_device:s0" >> sepolicy/file_contexts; #fix uncrypt denial @@ -201,7 +205,7 @@ cd $base #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile -#sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile +sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile # #END OF DEVICE CHANGES # diff --git a/Scripts/LineageOS-15.1/Rebrand.sh b/Scripts/LineageOS-15.1/Rebrand.sh index f9cf92f8..81787b06 100644 --- a/Scripts/LineageOS-15.1/Rebrand.sh +++ b/Scripts/LineageOS-15.1/Rebrand.sh @@ -22,6 +22,7 @@ echo "Rebranding..." enter "bootable/recovery" sed -i 's|Android Recovery|DivestOS Recovery|' *_ui.cpp; sed -i 's|LineageOS|DivestOS|' ui.cpp; +#TODO: Rebrand the rest of the recovery enter "build/make" sed -i 's|echo "ro.build.user=$USER"|echo "ro.build.user=emy"|' tools/buildinfo.sh; #Override build user
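Review bot: The two new `sed -i` lines for g3-common insert at fixed line numbers (`3i`, `1i`) and carry no comment, unlike the `echo ... >>` lines directly below them. With GNU sed an `i` command whose address is past the end of the file inserts nothing and still exits 0, so a shorter hwaddrs.te upstream would drop the attribute without any message at this step. Unless the position matters for a reason not visible here, appending is position-independent and matches the neighbours: `echo "typeattribute hwaddrs misc_block_device_exception;" >> sepolicy/hwaddrs.te; #exempt from misc_block_device neverallow`, and likewise for wcnss_service. The comment should also say which access each domain needs, since the attribute removes a neverallow that covers `write`.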
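Review bot: Uncommenting the `sed` in the hunk at -201 turns `CONFIG_STRICT_MEMORY_RWX` off in every `lineageos_*_defconfig` under kernel/lge/msm8996, undoing a setting the section header attributes to hardenDefconfig(), and the only reason given is `#Breaks on compile`. The comment should name the error and the exit condition so the option is re-enabled later, for example `#Breaks on compile; TODO: fix in kernel source and drop this line`, with the actual compiler error added. The `prot_sect_kernel undefined` remark that this commit removes from the h850 line in Functions.sh looks like the same failure, but the diff does not confirm that link. Narrowing the glob to the defconfigs that actually fail would keep the protection on for the rest.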