Fixes

Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch

@@ -1,4 +1,4 @@
-From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
+From 69ccfefd7b6d37b0b103a29095465fa4d29a3429 Mon Sep 17 00:00:00 2001
 From: Tad <tad@spotco.us>
 Date: Wed, 28 Jun 2017 08:03:36 -0400
 Subject: [PATCH] Harden IPv4/6
@@ -9,14 +9,14 @@ Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-harde
 
 Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
 ---
- rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
+ rootdir/init.rc | 41 ++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 41 insertions(+), 3 deletions(-)
+ 1 file changed, 38 insertions(+), 3 deletions(-)
 
 diff --git a/rootdir/init.rc b/rootdir/init.rc
-index da2071b15..5676edbff 100644
+index 0de027bf1..80dd9a437 100644
 --- a/rootdir/init.rc
 +++ b/rootdir/init.rc
-@@ -141,9 +141,47 @@ on init
+@@ -140,9 +140,44 @@ on init
      # set fwmark on accepted sockets
      write /proc/sys/net/ipv4/tcp_fwmark_accept 1
  
@@ -28,19 +28,16 @@ index da2071b15..5676edbff 100644
 +    write /proc/net/net/ipv4/conf/all/accept_source_route 0
 +    write /proc/net/net/ipv4/conf/all/log_martians 1
 +    write /proc/net/net/ipv4/conf/all/rp_filter 1
-+    write /proc/net/net/ipv4/conf/all/secure_redirects 0
++    write /proc/net/net/ipv4/conf/all/secure_redirects 1
-+    write /proc/net/net/ipv4/conf/all/send_redirects 0
 +    write /proc/net/net/ipv4/conf/default/accept_redirects 0
 +    write /proc/net/net/ipv4/conf/default/accept_source_route 0
 +    write /proc/net/net/ipv4/conf/default/log_martians 1
 +    write /proc/net/net/ipv4/conf/default/rp_filter 1
-+    write /proc/net/net/ipv4/conf/default/secure_redirects 0
++    write /proc/net/net/ipv4/conf/default/secure_redirects 1
-+    write /proc/net/net/ipv4/conf/default/send_redirects 0
 +    write /proc/net/net/ipv4/icmp_echo_ignore_all 0
 +    write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
 +    write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
 +    write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
-+    write /proc/net/net/ipv4/ip_forward 0
 +    write /proc/net/net/ipv4/tcp_rfc1337 1
 +    write /proc/net/net/ipv4/tcp_syncookies 1
 +    write /proc/net/net/ipv4/tcp_timestamps 1
@@ -68,5 +65,5 @@ index da2071b15..5676edbff 100644
      # Create cgroup mount points for process groups
      mkdir /dev/cpuctl
 -- 
-2.13.2
+2.14.1
 

Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch

@@ -1,4 +1,4 @@
-From a93c335e6eaed29e1537c63514b8bd94a79ba552 Mon Sep 17 00:00:00 2001
+From c028b9979836c64764bebde8c330680952d0ece4 Mon Sep 17 00:00:00 2001
 From: Tad <tad@spotco.us>
 Date: Wed, 28 Jun 2017 12:30:56 -0400
 Subject: [PATCH] Harden network via iptables
@@ -9,7 +9,7 @@ Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b
  1 file changed, 35 insertions(+)
 
 diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
-index b16da18..5247878 100755
+index b16da18..2fcc696 100755
 --- a/server/CommandListener.cpp
 +++ b/server/CommandListener.cpp
 @@ -230,6 +230,41 @@ CommandListener::CommandListener() :
@@ -20,7 +20,7 @@ index b16da18..5247878 100755
 +    //Drop invalid packets
 +    execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
 +    execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
-+    execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
++    //execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
 +    //Credit: https://javapipe.com/iptables46-ddos-protection
 +    //Drop TCP packets that are new and are not SYN
 +    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
@@ -55,5 +55,5 @@ index b16da18..5247878 100755
      setupOemIptablesHook();
  
 -- 
-2.13.2
+2.14.1
 

Scripts/LAOS-14.1_Patches.sh

@@ -88,9 +88,9 @@ patch -p1 < $patches"android_external_svox/94d2ddb.diff" #Fix garbled output See
 enter "frameworks/base"
 git revert 0326bb5e41219cf502727c3aa44ebf2daa19a5b3 #re-enable doze on devices without gms
 git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/75/151975/35 && git cherry-pick FETCH_HEAD #network traffic
-git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/53/184653/10 && git cherry-pick FETCH_HEAD #profiles tile
+git fetch https://review.lineageos.org/LineageOS/android_frameworks_base refs/changes/53/184653/14 && git cherry-pick FETCH_HEAD #profiles tile
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
-sed -i '0,/wifi,cell,battery/s/wifi,cell,battery,dnd,flashlight,rotation,bt,airplane,profiles/wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc/' packages/SystemUI/res/values/config.xml;
+sed -i '0,/wifi,cell,battery/s/wifi,cell,battery,dnd,flashlight,rotation,bt,airplane/wifi,cell,bt,dnd,flashlight,rotation,battery,profiles,location,airplane,saver,hotspot,nfc/' packages/SystemUI/res/values/config.xml;
 sed -i 's/ScaleSetting = 1.0f;/ScaleSetting = 0.5f;/' services/core/java/com/android/server/wm/WindowManagerService.java; #Speedup animation scale
 patch -p1 < $patches"android_frameworks_base/0003-Signature_Spoofing.patch" #Allow packages to spoof their signature (MicroG)
 patch -p1 < $patches"android_frameworks_base/0005-Harden_Sig_Spoofing.patch" #Restrict signature spoofing to system apps signed with the platform key