From 204285d7c86526445ed60895421ce9a40c0cad08 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Fri, 18 Oct 2019 18:50:48 -0400
Subject: [PATCH] kernel command line: enable hardening options

---
 Patches/Linux                                          |  2 +-
 Scripts/Common/Functions.sh                            | 10 +++++++++-
 Scripts/LineageOS-11.0/Patch.sh                        |  1 +
 Scripts/LineageOS-14.1/Patch.sh                        |  1 +
 Scripts/LineageOS-15.1/Patch.sh                        |  1 +
 .../CVE_Patchers/android_kernel_google_marlin.sh       |  4 +++-
 .../CVE_Patchers/android_kernel_nextbit_msm8992.sh     |  3 ++-
 Scripts/LineageOS-16.0/Patch.sh                        |  4 ++++
 8 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/Patches/Linux b/Patches/Linux
index a3b4a64f..1623bef1 160000
--- a/Patches/Linux
+++ b/Patches/Linux
@@ -1 +1 @@
-Subproject commit a3b4a64f91413ef8fedcb81bf0b5f2e2ca8016bb
+Subproject commit 1623bef18ea3dca5a18a55448d2ef2ec5e453b6d
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index 796597cf..989fd464 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -402,6 +402,14 @@ hardenUserdata() {
 }
 export -f hardenUserdata;
 
+hardenBootArgs() {
+	cd "$DOS_BUILD_BASE$1";
+	sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := page_poison=1 slab_nomerge slub_debug=FZP page_alloc.shuffle=1 /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
+	echo "Hardened kernel command line arguments for $1";
+	cd "$DOS_BUILD_BASE";
+}
+export -f hardenBootArgs;
+
 enableStrongEncryption() {
 	cd "$DOS_BUILD_BASE$1";
 	if [ -f BoardConfig.mk ]; then
@@ -524,7 +532,7 @@ hardenDefconfig() {
 
 	#Enable supported options
 	#Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
-	declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_ARM64_UAO" "CONFIG_ARM_SMMU" "CONFIG_ASYMMETRIC_KEY_TYPE" "CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_DM_ANDROID_VERITY" "CONFIG_DM_VERITY" "CONFIG_DM_VERITY_FEC" "CONFIG_EXYNOS_IOMMU" "CONFIG_FORTIFY_SOURCE" "CONFIG_HARDEN_BRANCH_PREDICTOR" "CONFIG_HARDENED_USERCOPY" "CONFIG_INTEL_IOMMU_DEFAULT_ON" "CONFIG_IOMMU_API" "CONFIG_IOMMU_HELPER" "CONFIG_IOMMU_PGTABLES_L2" "CONFIG_IOMMU_SUPPORT" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_IPV6_PRIVACY" "CONFIG_KAISER" "CONFIG_KGSL_PER_PROCESS_PAGE_TABLE" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_MMC_SECDISCARD" "CONFIG_MSM_IOMMU" "CONFIG_MSM_KGSL_MMU_PAGE_FAULT" "CONFIG_MSM_TZ_SMMU" "CONFIG_MTK_IOMMU" "CONFIG_OF_IOMMU" "CONFIG_OMAP_IOMMU" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_PKCS7_MESSAGE_PARSER" "CONFIG_QCOM_IOMMU" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STACKPROTECTOR" "CONFIG_STACKPROTECTOR_STRONG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_SYSTEM_TRUSTED_KEYRING" "CONFIG_TEGRA_IOMMU_GART" "CONFIG_TEGRA_IOMMU_SMMU" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_X509_CERTIFICATE_PARSER")
+	declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_ARM64_UAO" "CONFIG_ARM_SMMU" "CONFIG_ASYMMETRIC_KEY_TYPE" "CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_DM_ANDROID_VERITY" "CONFIG_DM_VERITY" "CONFIG_DM_VERITY_FEC" "CONFIG_EXYNOS_IOMMU" "CONFIG_FORTIFY_SOURCE" "CONFIG_HARDEN_BRANCH_PREDICTOR" "CONFIG_HARDENED_USERCOPY" "CONFIG_INTEL_IOMMU_DEFAULT_ON" "CONFIG_IOMMU_API" "CONFIG_IOMMU_HELPER" "CONFIG_IOMMU_PGTABLES_L2" "CONFIG_IOMMU_SUPPORT" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_IPV6_PRIVACY" "CONFIG_KAISER" "CONFIG_KGSL_PER_PROCESS_PAGE_TABLE" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_MMC_SECDISCARD" "CONFIG_MSM_IOMMU" "CONFIG_MSM_KGSL_MMU_PAGE_FAULT" "CONFIG_MSM_TZ_SMMU" "CONFIG_MTK_IOMMU" "CONFIG_OF_IOMMU" "CONFIG_OMAP_IOMMU" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_PKCS7_MESSAGE_PARSER" "CONFIG_QCOM_IOMMU" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SHUFFLE_PAGE_ALLOCATOR" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STACKPROTECTOR" "CONFIG_STACKPROTECTOR_STRONG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_SYSTEM_TRUSTED_KEYRING" "CONFIG_TEGRA_IOMMU_GART" "CONFIG_TEGRA_IOMMU_SMMU" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_X509_CERTIFICATE_PARSER")
 	#optionsYes+=("CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
 	#optionsYes+=("CONFIG_PAGE_SANITIZE" "CONFIG_PAGE_SANITIZE_VERIFY" "CONFIG_SLAB_CANARY" "CONFIG_SLAB_SANITIZE" "CONFIG_SLAB_SANITIZE_VERIFY");
 	#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("CONFIG_RTC_DRV_MSM" "CONFIG_RTC_DRV_PM8XXX" "CONFIG_RTC_DRV_MSM7X00A" "CONFIG_RTC_DRV_QPNP"); fi;
diff --git a/Scripts/LineageOS-11.0/Patch.sh b/Scripts/LineageOS-11.0/Patch.sh
index 24dfe852..9d7ba44b 100644
--- a/Scripts/LineageOS-11.0/Patch.sh
+++ b/Scripts/LineageOS-11.0/Patch.sh
@@ -145,6 +145,7 @@ find "hardware/qcom/gps" -name "gps\.conf" -type f -print0 | xargs -0 -n 1 -P 4
 find "device" -name "gps\.conf" -type f -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenLocationConf "{}"';
 find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenLocationFWB "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
+find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
 
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 3fa375fc..00d09831 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -268,6 +268,7 @@ find "device" -name "gps\.conf" -type f -print0 | xargs -0 -n 1 -P 4 -I {} bash
 find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenLocationFWB "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
+find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index e58af3c5..4fa377f5 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -239,6 +239,7 @@ find "device" -name "gps\.conf" -type f -print0 | xargs -0 -n 1 -P 4 -I {} bash
 find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenLocationFWB "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
+find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh
index 98e86545..2e9b7d41 100644
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_google_marlin.sh
@@ -141,6 +141,8 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15666/^5.0.19/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15916/^5.0.1/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15926/^5.2.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15927/^4.20.2/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-16994/^5.0/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-17052/^5.3.2/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2215/^3.18/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2290/ANY/0001.patch
@@ -155,5 +157,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0610/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14883/ANY/0001.patch
-editKernelLocalversion "-dos.p155"
+editKernelLocalversion "-dos.p157"
 cd "$DOS_BUILD_BASE"
diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_nextbit_msm8992.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_nextbit_msm8992.sh
index 7a22ef93..f71b168b 100644
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_nextbit_msm8992.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_nextbit_msm8992.sh
@@ -84,6 +84,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18203/^4.14.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18255/^4.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18360/^4.11.3/0001.patch
+git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18595/^4.14.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-6345/^4.9.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0002.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0003.patch
@@ -177,5 +178,5 @@ git apply $DOS_PATCHES_LINUX_CVES/LVT-2017-0003/3.10/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p177"
+editKernelLocalversion "-dos.p178"
 cd "$DOS_BUILD_BASE"
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 803b5d56..8195909d 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -200,6 +200,9 @@ echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #All
 #
 #START OF DEVICE CHANGES
 #
+enterAndClear "device/asus/zenfone3";
+rm -rf libhidl; #breaks other devices
+
 enterAndClear "device/google/marlin";
 git revert eeb92c0f094f58b1bdfbaa775d239948f81e915b 8c729e4b016a5b35159992413a22c289ecf2c44c; #remove some carrier blobs
 patch -p1 < "$DOS_PATCHES/android_device_google_marlin/0001-Fix_MediaProvider_Deadlock.patch"; #Fix MediaProvider using 100% CPU (due to broken ppoll on functionfs?)
@@ -258,6 +261,7 @@ find "device" -name "gps\.conf" -type f -print0 | xargs -0 -n 1 -P 4 -I {} bash
 find "device" -type d -name "overlay" -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenLocationFWB "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableDexPreOpt "{}"';
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
+find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenBootArgs "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";