AtaraxiaDev/divestos-build
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Page sanitization improvements

Browse Source 
This ensures init_on_alloc/free is used instead of page poisioning where available.

3.4 through 3.18 have a patch without a toggle for page sanitization.

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-04-02 02:18:30 -04:00
parent 01900ca1c6
commit 6c5a65622c
7 changed files with 40 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
Scripts/Common/Functions.sh
View File

@ -540,6 +540,7 @@ hardenBootArgs() {
export -f hardenBootArgs; export -f hardenBootArgs;
enableAutoVarInit() { enableAutoVarInit() {
DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull already supports init_stack_all_zero
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
echo "auto-var-init: Starting!"; echo "auto-var-init: Starting!";
for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}" for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"
@ -567,8 +568,8 @@ enableAutoVarInit() {
else else
echo "auto-var-init: Could not enable for $kernel"; echo "auto-var-init: Could not enable for $kernel";
fi; fi;
else # else
echo "auto-var-init: $kernel not in tree"; # echo "auto-var-init: $kernel not in tree";
fi; fi;
done; done;
echo "auto-var-init: Finished!"; echo "auto-var-init: Finished!";
@ -799,7 +800,8 @@ hardenDefconfig() {
optionsYes+=("IO_STRICT_DEVMEM"); optionsYes+=("IO_STRICT_DEVMEM");
#Linux 4.6 #Linux 4.6
optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ENABLE_DEFAULT" "PAGE_POISONING_NO_SANITY"); optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ZERO");
#Disabled: PAGE_POISONING_NO_SANITY
#Linux 4.7 #Linux 4.7
optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM"); optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
@ -834,18 +836,12 @@ hardenDefconfig() {
#Linux 4.18 #Linux 4.18
optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG"); optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
#Linux 4.19
optionsYes+=("PAGE_POISONING_ZERO");
#Linux 5.0 #Linux 5.0
optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK"); optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
#Linux 5.2 #Linux 5.2
optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR"); optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
#Linux 5.3
optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
#Linux 5.8 #Linux 5.8
optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX"); optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
@ -862,7 +858,7 @@ hardenDefconfig() {
#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL"); #optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
#GrapheneOS Patches #GrapheneOS Patches
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY"); optionsYes+=("SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
#Disabled: SLAB_CANARY (breakage?) #Disabled: SLAB_CANARY (breakage?)
#out of tree or renamed or removed ? #out of tree or renamed or removed ?
@ -874,6 +870,28 @@ hardenDefconfig() {
#Hardware enablement #XXX: This needs a better home #Hardware enablement #XXX: This needs a better home
optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER"); optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
modernKernels=('google/coral' 'google/redbull' 'google/sunfish' 'oneplus/sm8150' 'xiaomi/sm8150' 'xiaomi/sm8250');
for kernelModern in "${modernKernels[@]}"; do
if [[ "$1" == *"/$kernelModern"* ]]; then
optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "PAGE_SANITIZE_VERIFY");
#TODO: also disable slub_debug=P for these devices
fi;
done;
oldKernels=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/msm-4.9' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'yandex/sdm660' 'zuk/msm8996');
for kernelOld in "${oldKernels[@]}"; do
if [[ "$1" == *"/$kernelOld"* ]]; then
optionsYes+=("PAGE_POISONING_ENABLE_DEFAULT");
fi;
done;
weirdKernels=('google/wahoo');
for kernelWeird in "${weirdKernels[@]}"; do
if [[ "$1" == *"/$kernelWeird"* ]]; then
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY");
fi;
done;
for option in "${optionsYes[@]}" for option in "${optionsYes[@]}"
do do
#If the option is disabled, enable it #If the option is disabled, enable it

4
Scripts/LineageOS-14.1/Patch.sh
View File

@ -411,8 +411,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
deblobAudio; deblobAudio || true;
removeBuildFingerprints; removeBuildFingerprints || true;
#Tweaks for <2GB RAM devices #Tweaks for <2GB RAM devices
enableLowRam "device/asus/grouper"; enableLowRam "device/asus/grouper";

4
Scripts/LineageOS-15.1/Patch.sh
View File

@ -332,8 +332,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
deblobAudio; deblobAudio || true;
removeBuildFingerprints; removeBuildFingerprints || true;
#Fix broken options enabled by hardenDefconfig() #Fix broken options enabled by hardenDefconfig()
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile

4
Scripts/LineageOS-16.0/Patch.sh
View File

@ -403,8 +403,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi; if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
deblobAudio; deblobAudio || true;
removeBuildFingerprints; removeBuildFingerprints || true;
#Fix broken options enabled by hardenDefconfig() #Fix broken options enabled by hardenDefconfig()
sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/asus/msm8953/arch/arm64/configs/*_defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/asus/msm8953/arch/arm64/configs/*_defconfig; #Breaks on compile

6
Scripts/LineageOS-17.1/Patch.sh
View File

@ -484,9 +484,9 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {}
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"'; find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';
if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi; if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
deblobAudio; deblobAudio || true;
removeBuildFingerprints; removeBuildFingerprints || true;
enableAutoVarInit; enableAutoVarInit || true;
#Tweaks for <2GB RAM devices #Tweaks for <2GB RAM devices
#enableLowRam "device/motorola/harpia"; #enableLowRam "device/motorola/harpia";

6
Scripts/LineageOS-18.1/Patch.sh
View File

@ -573,9 +573,9 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {}
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"'; find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';
if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi; if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
cd "$DOS_BUILD_BASE"; cd "$DOS_BUILD_BASE";
deblobAudio; deblobAudio || true;
removeBuildFingerprints; removeBuildFingerprints || true;
enableAutoVarInit; enableAutoVarInit || true;
#Tweaks for <2GB RAM devices #Tweaks for <2GB RAM devices
#enableLowRam "device/samsung/serrano3gxx"; #enableLowRam "device/samsung/serrano3gxx";

1
Scripts/init.sh
View File

@ -78,7 +78,6 @@ export DOS_SENSORS_PERM_NEW=true;
export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS! export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository
#alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2'; #alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2';
export DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull already supports init_stack_all_zero
#Servers #Servers
export DOS_DEFAULT_DNS_PRESET="Quad9"; #Sets default DNS. Options: See changeDefaultDNS() in Scripts/Common/Functions.sh export DOS_DEFAULT_DNS_PRESET="Quad9"; #Sets default DNS. Options: See changeDefaultDNS() in Scripts/Common/Functions.sh