AtaraxiaDev/divestos-build
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Remove network hardening patches, disable mako LTE patch, add function to enable forceencrypt

Browse Source
This commit is contained in:
Tad 2017-10-30 17:38:00 -04:00
parent 53ae1c8103
commit 64d490d95e
4 changed files with 13 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
View File

@ -1,69 +0,0 @@
From 69ccfefd7b6d37b0b103a29095465fa4d29a3429 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 28 Jun 2017 08:03:36 -0400
Subject: [PATCH] Harden IPv4/6
Credit: https://serverfault.com/a/811826
Credit: https://linux-audit.com/linux-security-guide-for-hardening-ipv6/
Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
---
rootdir/init.rc | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0de027bf1..80dd9a437 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -140,9 +140,44 @@ on init
# set fwmark on accepted sockets
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
- # disable icmp redirects
- write /proc/sys/net/ipv4/conf/all/accept_redirects 0
- write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # network hardening
+ write /proc/net/net/ipv4/conf/all/accept_redirects 0
+ write /proc/net/net/ipv4/conf/all/accept_source_route 0
+ write /proc/net/net/ipv4/conf/all/log_martians 1
+ write /proc/net/net/ipv4/conf/all/rp_filter 1
+ write /proc/net/net/ipv4/conf/all/secure_redirects 1
+ write /proc/net/net/ipv4/conf/default/accept_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_source_route 0
+ write /proc/net/net/ipv4/conf/default/log_martians 1
+ write /proc/net/net/ipv4/conf/default/rp_filter 1
+ write /proc/net/net/ipv4/conf/default/secure_redirects 1
+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
+ write /proc/net/net/ipv4/tcp_rfc1337 1
+ write /proc/net/net/ipv4/tcp_syncookies 1
+ write /proc/net/net/ipv4/tcp_timestamps 1
+ write /proc/net/net/ipv6/conf/all/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/all/accept_redirects 0
+ write /proc/net/net/ipv6/conf/all/autoconf 0
+ write /proc/net/net/ipv6/conf/all/dad_transmits 0
+ write /proc/net/net/ipv6/conf/all/max_addresses 1
+ write /proc/net/net/ipv6/conf/all/router_solicitations 0
+ write /proc/net/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/net/net/ipv6/conf/default/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/default/accept_redirects 0
+ write /proc/net/net/ipv6/conf/default/autoconf 0
+ write /proc/net/net/ipv6/conf/default/dad_transmits 0
+ write /proc/net/net/ipv6/conf/default/max_addresses 1
+ write /proc/net/net/ipv6/conf/default/router_solicitations 0
+ write /proc/net/net/ipv6/conf/default/use_tempaddr 2
+ write /proc/net/net/netfilter/nf_conntrack_max 500000
+ write /proc/net/net/netfilter/nf_conntrack_tcp_loose 0
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
--
2.14.1

59
Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch
View File

@ -1,59 +0,0 @@
From c028b9979836c64764bebde8c330680952d0ece4 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 28 Jun 2017 12:30:56 -0400
Subject: [PATCH] Harden network via iptables
Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b
---
server/CommandListener.cpp | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index b16da18..2fcc696 100755
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -230,6 +230,41 @@ CommandListener::CommandListener() :
createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
+
+ //Drop invalid packets
+ execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ //execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ //Credit: https://javapipe.com/iptables46-ddos-protection
+ //Drop TCP packets that are new and are not SYN
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
+ //Drop SYN packets with suspicious MSS value
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL);
+ execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL);
+ //Drop packets with bogus TCP flags
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN", "FIN,SYN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL);
+ //Drop spoofed packets
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL);
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL);
+ //Drop fragments
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL);
+ //Limit connections per source IP
+ execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "32", "!", "-i", "lo", "-j", "REJECT", NULL);
+
+
// Let each module setup their child chains
setupOemIptablesHook();
--
2.14.1

2
Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
View File

@ -5,7 +5,7 @@ git apply $cvePatches/CVE-2014-9900/ANY/0.patch
git apply $cvePatches/CVE-2015-4177/ANY/0.patch
git apply $cvePatches/CVE-2015-7515/ANY/0.patch
git apply $cvePatches/CVE-2015-8944/ANY/0.patch
git apply $cvePatches/CVE-2016-0819/ANY/0.patch
#git apply $cvePatches/CVE-2016-0819/ANY/0.patch
git apply $cvePatches/CVE-2016-2475/ANY/0.patch
git apply $cvePatches/CVE-2016-8453/ANY/0.patch
git apply $cvePatches/CVE-2016-8464/3.10/0.patch

18
Scripts/LineageOS-14.1/Patch.sh
View File

@ -70,6 +70,7 @@ enhanceLocation() {
fi;
fi;
echo "Enhanced location services for $1";
cd $base;
}
export -f enhanceLocation;
@ -77,6 +78,14 @@ enableZram() {
sed -i 's|#/dev/block/zram0|/dev/block/zram0|' fstab.* rootdir/fstab.* rootdir/etc/fstab.* || true;
echo "Enabled zram";
}
enabledForcedEncryption() {
cd $base$1;
sed -i 's|encryptable=/|forceencrypt,encryptable=/|' fstab.* rootdir/fstab.* rootdir/etc/fstab.* || true;
echo "Enabled forceencrypt";
cd $base;
}
export -f enabledForcedEncryption;
#
#END OF PREPRATION
#
@ -190,10 +199,6 @@ patch -p1 < $patches"android_packages_services_Telephony/0001-LTE_Only.patch" #L
enter "system/core"
cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid
#patch -p1 < $patches"android_system_core/0002-Harden_Network.patch" #Harden network via sysctls FIXME: Tethering
#enter "system/netd"
#patch -p1 < $patches"android_system_netd/0001-Harden_Network.patch"; #Harden network via iptables FIXME: Tethering
enter "vendor/cm"
rm -rf overlay/common/vendor/cmsdk/packages #Remove analytics
@ -230,7 +235,7 @@ patch -p1 < $patches"android_kernel_oneplus_msm8974/0001-OverUnderClock-EXTREME.
enter "device/lge/mako"
disableDexPreOpt #bootloops
patch -p1 < $patches"android_device_lge_mako/0001-Enable_LTE.patch" #Enable LTE support (Requires LTE hybrid modem to be flashed) XXX: Doesn't seem to work under 7.x
#patch -p1 < $patches"android_device_lge_mako/0001-Enable_LTE.patch" #Enable LTE support (Requires LTE hybrid modem to be flashed) XXX: Doesn't seem to work under 7.x
enter "kernel/lge/hammerhead"
patch -p1 < $patches"android_kernel_lge_hammerhead/0001-OverUnderClock.patch" #2.26Ghz -> 2.95Ghz =+2.76Ghz
@ -238,9 +243,10 @@ patch -p1 < $patches"android_kernel_lge_hammerhead/0001-OverUnderClock.patch" #2
enter "kernel/motorola/msm8916"
patch -p1 < $patches"android_kernel_motorola_msm8916/0001-Overclock.patch" #1.36Ghz -> 1.88Ghz =+ 2.07Ghz
#Enhance and improve security of GPS for all devices
#Make changes to all devices
cd $base
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \;
find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enabledForcedEncryption "$0"' {} \;
cd $base
#
#END OF DEVICE CHANGES