From 64d490d95e2c08618bf92b1e2215b069453030fe Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 30 Oct 2017 17:38:00 -0400
Subject: [PATCH] Remove network hardening patches, disable mako LTE patch, add function to enable forceencrypt

---
 .../0002-Harden_Network.patch | 69 -------------------
 .../0001-Harden_Network.patch | 59 ----------------
 .../android_kernel_htc_flounder.sh | 2 +-
 Scripts/LineageOS-14.1/Patch.sh | 18 +++-
 4 files changed, 13 insertions(+), 135 deletions(-)
 delete mode 100644 Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
 delete mode 100644 Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch

diff --git a/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch b/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
deleted file mode 100644
index ba4cf25b..00000000
--- a/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From 69ccfefd7b6d37b0b103a29095465fa4d29a3429 Mon Sep 17 00:00:00 2001 -From: Tad -Date: Wed, 28 Jun 2017 08:03:36 -0400 -Subject: [PATCH] Harden IPv4/6 - -Credit: https://serverfault.com/a/811826 -Credit: https://linux-audit.com/linux-security-guide-for-hardening-ipv6/ -Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/ - -Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039 ---- - rootdir/init.rc | 41 ++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/rootdir/init.rc b/rootdir/init.rc -index 0de027bf1..80dd9a437 100644 ---- a/rootdir/init.rc -+++ b/rootdir/init.rc -@@ -140,9 +140,44 @@ on init - # set fwmark on accepted sockets - write /proc/sys/net/ipv4/tcp_fwmark_accept 1 - -- # disable icmp redirects -- write /proc/sys/net/ipv4/conf/all/accept_redirects 0 -- write /proc/sys/net/ipv6/conf/all/accept_redirects 0 -+ # network hardening -+ write /proc/net/net/ipv4/conf/all/accept_redirects 0 -+ write /proc/net/net/ipv4/conf/all/accept_source_route 0 -+ write /proc/net/net/ipv4/conf/all/log_martians 1 -+ write /proc/net/net/ipv4/conf/all/rp_filter 1 -+ write /proc/net/net/ipv4/conf/all/secure_redirects 1 -+ write /proc/net/net/ipv4/conf/default/accept_redirects 0 -+ write /proc/net/net/ipv4/conf/default/accept_source_route 0 -+ write /proc/net/net/ipv4/conf/default/log_martians 1 -+ write /proc/net/net/ipv4/conf/default/rp_filter 1 -+ write /proc/net/net/ipv4/conf/default/secure_redirects 1 -+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0 -+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1 -+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0 -+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1 -+ write /proc/net/net/ipv4/tcp_rfc1337 1 -+ write /proc/net/net/ipv4/tcp_syncookies 1 -+ write /proc/net/net/ipv4/tcp_timestamps 1 -+ write /proc/net/net/ipv6/conf/all/accept_ra_defrtr 0 -+ write /proc/net/net/ipv6/conf/all/accept_ra_pinfo 
0 -+ write /proc/net/net/ipv6/conf/all/accept_ra_rtr_pref 0 -+ write /proc/net/net/ipv6/conf/all/accept_redirects 0 -+ write /proc/net/net/ipv6/conf/all/autoconf 0 -+ write /proc/net/net/ipv6/conf/all/dad_transmits 0 -+ write /proc/net/net/ipv6/conf/all/max_addresses 1 -+ write /proc/net/net/ipv6/conf/all/router_solicitations 0 -+ write /proc/net/net/ipv6/conf/all/use_tempaddr 2 -+ write /proc/net/net/ipv6/conf/default/accept_ra_defrtr 0 -+ write /proc/net/net/ipv6/conf/default/accept_ra_pinfo 0 -+ write /proc/net/net/ipv6/conf/default/accept_ra_rtr_pref 0 -+ write /proc/net/net/ipv6/conf/default/accept_redirects 0 -+ write /proc/net/net/ipv6/conf/default/autoconf 0 -+ write /proc/net/net/ipv6/conf/default/dad_transmits 0 -+ write /proc/net/net/ipv6/conf/default/max_addresses 1 -+ write /proc/net/net/ipv6/conf/default/router_solicitations 0 -+ write /proc/net/net/ipv6/conf/default/use_tempaddr 2 -+ write /proc/net/net/netfilter/nf_conntrack_max 500000 -+ write /proc/net/net/netfilter/nf_conntrack_tcp_loose 0 - - # Create cgroup mount points for process groups - mkdir /dev/cpuctl --- -2.14.1 - diff --git a/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch b/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch deleted file mode 100644 index be1325b0..00000000 --- a/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From c028b9979836c64764bebde8c330680952d0ece4 Mon Sep 17 00:00:00 2001 -From: Tad -Date: Wed, 28 Jun 2017 12:30:56 -0400 -Subject: [PATCH] Harden network via iptables - -Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b ---- - server/CommandListener.cpp | 35 +++++++++++++++++++++++++++++++++++ - 1 file changed, 35 insertions(+) - -diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp -index b16da18..2fcc696 100755 ---- a/server/CommandListener.cpp -+++ b/server/CommandListener.cpp -@@ -230,6 +230,41 @@ CommandListener::CommandListener() : - createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING); - createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING); - -+ -+ //Drop invalid packets -+ execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL); -+ //execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL); -+ //Credit: https://javapipe.com/iptables46-ddos-protection -+ //Drop TCP packets that are new and are not SYN -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL); -+ //Drop SYN packets with suspicious MSS value -+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL); -+ execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL); -+ //Drop packets with bogus TCP flags -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", 
"FIN,SYN", "FIN,SYN", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL); -+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL); -+ //Drop spoofed packets -+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL); -+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL); -+ //Drop fragments -+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL); -+ //Limit connections per source IP -+ 
execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "32", "!", "-i", "lo", "-j", "REJECT", NULL);
-+
-+
- // Let each module setup their child chains
- setupOemIptablesHook();
-
---
-2.14.1
-
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
index c9f5934a..9aedcd8b 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
@@ -5,7 +5,7 @@ git apply $cvePatches/CVE-2014-9900/ANY/0.patch
 git apply $cvePatches/CVE-2015-4177/ANY/0.patch
 git apply $cvePatches/CVE-2015-7515/ANY/0.patch
 git apply $cvePatches/CVE-2015-8944/ANY/0.patch
-git apply $cvePatches/CVE-2016-0819/ANY/0.patch
+#git apply $cvePatches/CVE-2016-0819/ANY/0.patch
 git apply $cvePatches/CVE-2016-2475/ANY/0.patch
 git apply $cvePatches/CVE-2016-8453/ANY/0.patch
 git apply $cvePatches/CVE-2016-8464/3.10/0.patch
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 05cef6f7..d3f5e268 100755
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -70,6 +70,7 @@ enhanceLocation() {
 fi;
 fi;
 echo "Enhanced location services for $1";
+ cd $base;
 }
 export -f enhanceLocation;
 
@@ -77,6 +78,14 @@ enableZram() {
 sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* rootdir/fstab.* rootdir/etc/fstab.* || true;
 echo "Enabled zram";
 }
+
+enabledForcedEncryption() {
+ cd $base$1;
+ sed -i 's|encryptable=/|forceencrypt,encryptable=/|' fstab.* rootdir/fstab.* rootdir/etc/fstab.* || true;
+ echo "Enabled forceencrypt";
+ cd $base;
+}
+export -f enabledForcedEncryption;
 #
 #END OF PREPRATION
 #
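Review bot: Commenting out `git apply $cvePatches/CVE-2016-0819/ANY/0.patch` drops a kernel CVE fix for flounder without a recorded reason; neither the disabled line nor the commit subject (which mentions only the network patches and the mako LTE patch) says whether the patch failed to apply, is already present in that kernel, or caused a regression. Without that, the next person auditing the CVE_Patchers scripts cannot tell an intentional gap from an oversight, and the device silently ships without the fix. The Patch.sh hunks in this same commit already carry trailing `#FIXME:`/`#XXX:` notes on disabled lines, so the same style fits here, e.g. `#git apply $cvePatches/CVE-2016-0819/ANY/0.patch #FIXME: <reason it was disabled>`, ideally with a pointer to where the re-enable is tracked.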
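Review bot: The added `cd $base;` at the end of enhanceLocation is unquoted and unchecked: if `$base` is empty the shell runs a bare `cd` and lands in `$HOME`, and if it contains a space it lands somewhere else entirely, after which every relative path in the caller's next step operates on the wrong tree. Prefer `cd "$base" || return;` so a failed cd is visible instead of silently redirecting later `sed -i`/`patch` calls. The same unquoted pattern is added in enabledForcedEncryption in the next hunk (`cd $base$1;` and `cd $base;`). enhanceLocation's body begins outside this hunk, so I cannot tell whether an earlier `cd` into the device directory is the reason this return is needed.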
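Review bot: The sed in enabledForcedEncryption turns `encryptable=/dev/...` into `forceencrypt,encryptable=/dev/...`, which I believe fs_mgr will not act on: its flag table matches the `forceencrypt=` prefix and takes the crypto footer location as the value, so a bare `forceencrypt` token is ignored and the partition stays merely encryptable while the script still prints "Enabled forceencrypt". The intended rewrite is most likely `sed -i 's|encryptable=|forceencrypt=|' fstab.* rootdir/fstab.* rootdir/etc/fstab.* || true;`, which keeps the footer value and also covers `encryptable=footer` entries that the current `encryptable=/` pattern skips; please verify the result on one device fstab rather than trusting the echo. Separately, `cd $base$1;` is unquoted and unchecked, so if that directory does not exist the `sed -i` runs against whatever the current working directory is — `cd "$base$1" || return;` avoids that.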
@@ -190,10 +199,6 @@ patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #L
 enter "system/core"
 cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
 patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid
-#patch -p1 < $patches"android_system_core/0002-Harden_Network.patch" #Harden network via sysctls FIXME: Tethering
-
-#enter "system/netd"
-#patch -p1 < $patches"android_system_netd/0001-Harden_Network.patch"; #Harden network via iptables FIXME: Tethering
 
 enter "vendor/cm"
 rm -rf overlay/common/vendor/cmsdk/packages #Remove analytics
@@ -230,7 +235,7 @@ patch -p1 < $patches"android_kernel_oneplus_msm8974/0001-OverUnderClock-EXTREME.
 
 enter "device/lge/mako"
 disableDexPreOpt #bootloops
-patch -p1 < $patches"android_device_lge_mako/0001-Enable_LTE.patch" #Enable LTE support (Requires LTE hybrid modem to be flashed) XXX: Doesn't seem to work under 7.x
+#patch -p1 < $patches"android_device_lge_mako/0001-Enable_LTE.patch" #Enable LTE support (Requires LTE hybrid modem to be flashed) XXX: Doesn't seem to work under 7.x
 
 enter "kernel/lge/hammerhead"
 patch -p1 < $patches"android_kernel_lge_hammerhead/0001-OverUnderClock.patch" #2.26Ghz -> 2.95Ghz =+2.76Ghz
@@ -238,9 +243,10 @@ patch -p1 < $patches"android_kernel_lge_hammerhead/0001-OverUnderClock.patch" #2
 enter "kernel/motorola/msm8916"
 patch -p1 < $patches"android_kernel_motorola_msm8916/0001-Overclock.patch" #1.36Ghz -> 1.88Ghz =+ 2.07Ghz
 
-#Enhance and improve security of GPS for all devices
+#Make changes to all devices
 cd $base
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \;
+find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enabledForcedEncryption "$0"' {} \;
 cd $base
 #
 #END OF DEVICE CHANGES
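Review bot: Replacing `#Enhance and improve security of GPS for all devices` with `#Make changes to all devices` removes the only description of what this block does, just as a second step is added to it; a comment naming both steps, e.g. `#Apply to every device tree: location-service changes (enhanceLocation) and forced encryption (enabledForcedEncryption)`, keeps the intent readable. The new `find` line also turns forced encryption into a policy applied to every device directory with a matching fstab, which the commit subject describes only as "add function to enable forceencrypt" — worth a sentence in the message or the comment so the scope is deliberate rather than incidental. The two `find` invocations walk the same directories; a single `-exec bash -c 'enhanceLocation "$0"; enabledForcedEncryption "$0"' {} \;` would avoid the double traversal, at the cost of coupling the two steps.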