From a7a0a678883488740281dd08f72831d740757d13 Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 14 Jan 2019 03:12:50 -0500 Subject: [PATCH] Many changes - Allow enabling accessibility services without disabling secure start-up - Disable overclocks - Update select CVE patchers - Update submodules - Support select downloads over Tor - Update defconfig enablers - Cherry pick security patches --- PrebuiltApps | 2 +- Scripts/Common/Functions.sh | 2 +- Scripts/LineageOS-11.0/Patch.sh | 2 +- .../CVE_Patchers/android_kernel_motorola_msm8916.sh | 4 +--- Scripts/LineageOS-14.1/Functions.sh | 1 + Scripts/LineageOS-14.1/Patch.sh | 3 ++- .../CVE_Patchers/android_kernel_google_dragon.sh | 3 +-- Scripts/LineageOS-15.1/Functions.sh | 2 +- Scripts/LineageOS-15.1/Patch.sh | 4 +++- Scripts/init.sh | 5 +++-- 10 files changed, 15 insertions(+), 13 deletions(-) diff --git a/PrebuiltApps b/PrebuiltApps index 965e15d8..9a3264c1 160000 --- a/PrebuiltApps +++ b/PrebuiltApps @@ -1 +1 @@ -Subproject commit 965e15d8d156bb1da2c024ea47ec6451ae4cdaf6 +Subproject commit 9a3264c1b8450ed4f49ceb883179451e98d36f74 diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index 8f3ef026..2b311f27 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -325,7 +325,7 @@ hardenDefconfig() { #Enable supported options #Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981) - declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_IPV6_PRIVACY" "CONFIG_HARDEN_BRANCH_PREDICTOR" "CONFIG_IOMMU_API" "CONFIG_IOMMU_SUPPORT" "CONFIG_IOMMU_HELPER" "CONFIG_INTEL_IOMMU_DEFAULT_ON" "CONFIG_ARM_SMMU" "CONFIG_QCOM_IOMMU" "CONFIG_MSM_IOMMU" "CONFIG_MSM_TZ_SMMU" "CONFIG_KGSL_PER_PROCESS_PAGE_TABLE" "CONFIG_MSM_KGSL_MMU_PAGE_FAULT" "CONFIG_IOMMU_PGTABLES_L2" "CONFIG_TEGRA_IOMMU_SMMU" "CONFIG_TEGRA_IOMMU_GART" "CONFIG_MTK_IOMMU" "CONFIG_EXYNOS_IOMMU" "CONFIG_OMAP_IOMMU" "CONFIG_OF_IOMMU") + declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_STACKPROTECTOR" "CONFIG_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_IPV6_PRIVACY" "CONFIG_HARDEN_BRANCH_PREDICTOR" "CONFIG_IOMMU_API" "CONFIG_IOMMU_SUPPORT" "CONFIG_IOMMU_HELPER" "CONFIG_INTEL_IOMMU_DEFAULT_ON" "CONFIG_ARM_SMMU" "CONFIG_QCOM_IOMMU" "CONFIG_MSM_IOMMU" "CONFIG_MSM_TZ_SMMU" "CONFIG_KGSL_PER_PROCESS_PAGE_TABLE" "CONFIG_MSM_KGSL_MMU_PAGE_FAULT" "CONFIG_IOMMU_PGTABLES_L2" "CONFIG_TEGRA_IOMMU_SMMU" "CONFIG_TEGRA_IOMMU_GART" "CONFIG_MTK_IOMMU" "CONFIG_EXYNOS_IOMMU" "CONFIG_OMAP_IOMMU" "CONFIG_OF_IOMMU") for option in "${optionsYes[@]}" do sed -i 's/# '"$option"' is not set/'"$option"'=y/' $defconfigPath &>/dev/null || true; diff --git a/Scripts/LineageOS-11.0/Patch.sh b/Scripts/LineageOS-11.0/Patch.sh index 790213c2..eb0a12ea 100644 --- a/Scripts/LineageOS-11.0/Patch.sh +++ b/Scripts/LineageOS-11.0/Patch.sh @@ -41,7 +41,7 @@ # #Download some (non-executable) out-of-tree files for use later on cd "$DOS_TMP_DIR"; -if [ "$DOS_HOSTS_BLOCKING" = true ]; then wget "$DOS_HOSTS_BLOCKING_LIST" -N; fi; +if [ "$DOS_HOSTS_BLOCKING" = true ]; then $DOS_TOR_WRAPPER wget "$DOS_HOSTS_BLOCKING_LIST" -N; fi; cd "$DOS_BUILD_BASE"; #Accept all SDK licences, not normally needed but Gradle managed apps fail without it diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh index fbce9afa..921ca784 100644 --- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh +++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh @@ -70,7 +70,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-6345/^4.9/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-6348/^4.9/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7533/3.10/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7541/3.10/0002.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-1068/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10877/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.10/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.10/0002.patch @@ -83,7 +82,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-14634/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-3563/3.10/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5390/3.10/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5390/3.10/0002.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5904/3.10/0001.patch #git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9514/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9515/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-9516/ANY/0001.patch @@ -94,5 +92,5 @@ git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/1035495_0001-cnss-Add-NULL-ch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6693/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p94" +editKernelLocalversion "-dos.p92" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index 88915639..048bd7ec 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -98,6 +98,7 @@ patchWorkspace() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi; source build/envsetup.sh; repopick -t n_asb_09-2018-qcom; + repopick -it n-asb-2019-01; source "$DOS_SCRIPTS/Patch.sh"; source "$DOS_SCRIPTS/Defaults.sh"; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index fe99f949..8f1d9b8d 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -41,7 +41,7 @@ # #Download some (non-executable) out-of-tree files for use later on cd "$DOS_TMP_DIR"; -if [ "$DOS_HOSTS_BLOCKING" = true ]; then wget "$DOS_HOSTS_BLOCKING_LIST" -N; fi; +if [ "$DOS_HOSTS_BLOCKING" = true ]; then $DOS_TOR_WRAPPER wget "$DOS_HOSTS_BLOCKING_LIST" -N; fi; cd "$DOS_BUILD_BASE"; #Accept all SDK licences, not normally needed but Gradle managed apps fail without it @@ -112,6 +112,7 @@ enterAndClear "packages/apps/Settings"; git revert 2ebe6058c546194a301c1fd22963d6be4adbf961; #don't hide oem unlock patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks, credit @MSe1969 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length +sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; fi; #microG doesn't support Backup, hide the options enterAndClear "packages/apps/SetupWizard"; diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh index 146b73ee..172a0b20 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh @@ -111,7 +111,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-7618/^4.10/0002.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-8240/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9242/^4.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9698/3.18/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10876/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10876/ANY/0002.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10881/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10883/ANY/0001.patch @@ -131,5 +130,5 @@ git apply $DOS_PATCHES_LINUX_CVES/Untracked-01/ANY/0007-USB-usbip-fix-potential- git apply $DOS_PATCHES_LINUX_CVES/Untracked-01/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p131" +editKernelLocalversion "-dos.p130" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index 76cda858..7da4403c 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -74,7 +74,7 @@ buildAll() { #brunch lineage_rpi3-user; #needs testing and special handling brunch lineage_sailfish-user; brunch lineage_shamu-user; #broken - needs synced proprietary-files.txt - brunch lineage_starlte-user; + brunch lineage_starlte-user; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio brunch lineage_us996-user; brunch lineage_us997-user; brunch lineage_victara-user; diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index b5c2697a..ee657578 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -41,7 +41,7 @@ # #Download some (non-executable) out-of-tree files for use later on cd "$DOS_TMP_DIR"; -if [ "$DOS_HOSTS_BLOCKING" = true ]; then wget "$DOS_HOSTS_BLOCKING_LIST" -N; fi; +if [ "$DOS_HOSTS_BLOCKING" = true ]; then $DOS_TOR_WRAPPER wget "$DOS_HOSTS_BLOCKING_LIST" -N; fi; cd "$DOS_BUILD_BASE"; #Accept all SDK licences, not normally needed but Gradle managed apps fail without it @@ -68,6 +68,7 @@ awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; enterAndClear "device/lineage/sepolicy"; +git revert 9c28a0dfb91bb468515e123b1aaf3fcfc007b82f; #neverallow violation git revert f1ad32105599a0b71702f840b2deeb6849f1ae80; #neverallow violation git revert c9b0d95630b82cd0ad1a0fc633c6d59c2cb8aad7 37422f7df389f3ae5a34ee3d6dd9354217f9c536; #neverallow violation @@ -114,6 +115,7 @@ git revert a96df110e84123fe1273bff54feca3b4ca484dcd; #don't hide oem unlock patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks, credit @MSe1969 patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/0004-PDB_Fixes.patch"; #Fix crashes when the PersistentDataBlockManager service isn't available sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length +sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; fi; #microG doesn't support Backup, hide the options enterAndClear "packages/apps/SetupWizard"; diff --git a/Scripts/init.sh b/Scripts/init.sh index 02d63f04..ae6e5ba5 100644 --- a/Scripts/init.sh +++ b/Scripts/init.sh @@ -21,12 +21,13 @@ export DOS_WORKSPACE_ROOT="/mnt/Drive-3/"; #XXX: THIS MUST BE CORRECT TO BUILD! export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys"; #export DOS_BINARY_PATCHER=""; +#export DOS_TOR_WRAPPER="torsocks"; #Uncomment to perform select build operations over Tor export DOS_DEBLOBBER_REMOVE_ACCESSORIES=true; #Set false to allow use of external accessories export DOS_DEBLOBBER_REMOVE_AUDIOFX=true; #Set true to remove AudioFX export DOS_DEBLOBBER_REMOVE_GRAPHICS=false; #Set true to remove all graphics blobs and use SwiftShader CPU renderer export DOS_DEBLOBBER_REMOVE_FP=false; #Set true to remove all fingerprint reader blobs -export DOS_DEBLOBBER_REMOVE_IMS=false; #Set true to remove all IMS blobs +export DOS_DEBLOBBER_REMOVE_IMS=false; #Set true to remove all IMS blobs XXX: Will break compat with select carriers export DOS_DEBLOBBER_REMOVE_IPA=false; #Set true to remove all IPA blobs export DOS_DEBLOBBER_REMOVE_IR=false; #Set true to remove all IR blobs export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Services with the open source Sony TimeKeep reimplementation #TODO: Needs work @@ -40,7 +41,7 @@ export DOS_MICROG_INCLUDED="NLP"; #Determines inclusion of microG. Options: NLP, export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: Blokada, DNS66 export DOS_HOSTS_BLOCKING_LIST="https://divestos.xyz/hosts"; #Must be in the format "127.0.0.1 bad.domain.tld" -export DOS_OVERCLOCKS_ENABLED=true; #Switch to false to disable overclocks #XXX: Most devices have their processors directly under their RAM, heatsinking is mostly into the ground plane, potentially inflicting damage to RAM and the processor itself +export DOS_OVERCLOCKS_ENABLED=false; #Switch to false to disable overclocks #XXX: Most devices have their processors directly under their RAM, heatsinking is mostly into the ground plane, potentially inflicting damage to RAM and the processor itself export DOS_LOWRAM_ENABLED=false; #Switch to true to enable low_ram on all devices export DOS_STRONG_ENCRYPTION_ENABLED=false; #Switch to true to enable AES-256bit encryption XXX: THIS WILL **DESTROY** EXISTING INSTALLS! export DOS_NON_COMMERCIAL_USE_PATCHES=false; #Switch to false to prevent inclusion of non-commercial use patches XXX: Unused, see 1dc9247