From fccc124868ca605f6974413c2499b20150b24755 Mon Sep 17 00:00:00 2001 From: Tad Date: Wed, 13 Feb 2019 21:48:57 -0500 Subject: [PATCH] tuna fixes + fdroid priv changes --- Manifests/Manifest_LAOS-14.1.xml | 5 +- .../android_vendor_divested/divestos.mk | 6 +- ...rmissions_org.fdroid.fdroid.privileged.xml | 7 ++ .../0005-fix_denial.patch | 84 +++++++++++++++++++ PrebuiltApps | 2 +- Scripts/Common/Deblob.sh | 8 +- Scripts/LineageOS-14.1/Functions.sh | 7 +- Scripts/LineageOS-14.1/Patch.sh | 13 ++- Scripts/LineageOS-15.1/Functions.sh | 3 +- 9 files changed, 123 insertions(+), 12 deletions(-) create mode 100644 Patches/Common/android_vendor_divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml create mode 100644 Patches/LineageOS-14.1/android_device_samsung_tuna/0005-fix_denial.patch diff --git a/Manifests/Manifest_LAOS-14.1.xml b/Manifests/Manifest_LAOS-14.1.xml index 318e5111..276cb3c3 100644 --- a/Manifests/Manifest_LAOS-14.1.xml +++ b/Manifests/Manifest_LAOS-14.1.xml @@ -219,8 +219,11 @@ - + + + + diff --git a/Patches/Common/android_vendor_divested/divestos.mk b/Patches/Common/android_vendor_divested/divestos.mk index c2efcc56..2c0d70f2 100644 --- a/Patches/Common/android_vendor_divested/divestos.mk +++ b/Patches/Common/android_vendor_divested/divestos.mk 
@@ -16,11 +16,13 @@ PRODUCT_PROPERTY_OVERRIDES += \ ro.config.alarm_alert=Alarm_Buzzer.ogg \ keyguard.no_require_sim=true \ ro.build.selinux=1 \ - ro.storage_manager.enabled=true + ro.storage_manager.enabled=true \ + ro.control_privapp_permissions=log #Copy extra files PRODUCT_COPY_FILES += \ - vendor/divested/prebuilts/etc/additional_fdroid_repos.xml:system/etc/org.fdroid.fdroid/additional_repos.xml + vendor/divested/prebuilts/etc/additional_fdroid_repos.xml:system/etc/org.fdroid.fdroid/additional_repos.xml \ + vendor/divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml:system/etc/permissions/permissions_org.fdroid.fdroid.privileged.xml #Include packages #PRODUCT_PACKAGES += ModuleBlocker diff --git a/Patches/Common/android_vendor_divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml b/Patches/Common/android_vendor_divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml new file mode 100644 index 00000000..3a7d4426 --- /dev/null +++ b/Patches/Common/android_vendor_divested/prebuilts/etc/permissions_org.fdroid.fdroid.privileged.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/Patches/LineageOS-14.1/android_device_samsung_tuna/0005-fix_denial.patch b/Patches/LineageOS-14.1/android_device_samsung_tuna/0005-fix_denial.patch new file mode 100644 index 00000000..f940b2c8 --- /dev/null +++ b/Patches/LineageOS-14.1/android_device_samsung_tuna/0005-fix_denial.patch 
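Review bot: `ro.control_privapp_permissions=log` only reports privileged permissions that are missing from an allowlist; it does not refuse them, so the new permissions_org.fdroid.fdroid.privileged.xml records the grant rather than bounding it. If the allowlists are meant to be complete, `ro.control_privapp_permissions=enforce` is the stricter setting; if `log` is deliberate, a comment such as `#log only until all priv-app allowlists are verified` would say so. This file sits under Patches/Common, so it presumably also reaches the 14.1 trees, where it is worth confirming that the property has any effect. The allowlist file's contents are not visible in this view, so the permissions it grants could not be checked.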
@@ -0,0 +1,84 @@ +From c11a7f1d4f05a13cacb8c6ebbaeee0400b6654e6 Mon Sep 17 00:00:00 2001 +From: Tad +Date: Wed, 13 Feb 2019 21:14:04 -0500 +Subject: [PATCH] audit2allow sepolicies + +Change-Id: I8a43008d22b302ed54838251e328619de5c1f890 +--- + sepolicy/init.te | 3 +++ + sepolicy/logd.te | 1 + + sepolicy/netd.te | 1 + + sepolicy/platform_app.te | 1 + + sepolicy/rild.te | 5 +++++ + sepolicy/sysinit.te | 1 + + sepolicy/system_server.te | 2 ++ + 7 files changed, 14 insertions(+) + create mode 100644 sepolicy/logd.te + create mode 100644 sepolicy/netd.te + create mode 100644 sepolicy/sysinit.te + +diff --git a/sepolicy/init.te b/sepolicy/init.te +index 13c8bd4..c0980a6 100644 +--- a/sepolicy/init.te ++++ b/sepolicy/init.te +@@ -7,3 +7,6 @@ allow init tmpfs:lnk_file create; + + # For 'cpuset' module requests + allow init kernel:system module_request; ++ ++allow init block_device:lnk_file relabelfrom; ++allow init perfprofd_exec:file getattr; +diff --git a/sepolicy/logd.te b/sepolicy/logd.te +new file mode 100644 +index 0000000..2e9f1eb +--- /dev/null ++++ b/sepolicy/logd.te +@@ -0,0 +1 @@ ++allow logd unlabeled:dir search; +diff --git a/sepolicy/netd.te b/sepolicy/netd.te +new file mode 100644 +index 0000000..af9fbc1 +--- /dev/null ++++ b/sepolicy/netd.te +@@ -0,0 +1 @@ ++allow netd kernel:system module_request; +diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te +index 4d92e6b..dadb55e 100644 +--- a/sepolicy/platform_app.te ++++ b/sepolicy/platform_app.te +@@ -1 +1,2 @@ + allow platform_app nfc_service:service_manager find; ++allow platform_app system_app_data_file:dir getattr; +diff --git a/sepolicy/rild.te b/sepolicy/rild.te +index 7c72874..5e35cf9 100644 +--- a/sepolicy/rild.te ++++ b/sepolicy/rild.te +@@ -19,3 +19,8 @@ allow rild logcat_exec:file { getattr read open execute execute_no_trans }; + # Device-specific calls could be moved into their respective device trees + # in the future. 
+ allowxperm rild self:unix_stream_socket ioctl { 0x89a0 0x89a2 0x89a3 0x89f0 }; ++allow rild system_file:file execmod; ++allow rild toolbox_exec:file getattr; ++allow rild toolbox_exec:file execute; ++allow rild toolbox_exec:file { open read }; ++allow rild toolbox_exec:file execute_no_trans; +diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te +new file mode 100644 +index 0000000..5cd8eb3 +--- /dev/null ++++ b/sepolicy/sysinit.te +@@ -0,0 +1 @@ ++allow sysinit userinit_exec:file execute; +diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te +index e59d7c6..d78ffbb 100644 +--- a/sepolicy/system_server.te ++++ b/sepolicy/system_server.te +@@ -1,3 +1,5 @@ + # system_server + + # Needed for /system/vendor/lib/hw/gps.omap4.so ++ ++allow system_server wifi_log_prop:property_service set; +-- +2.20.1 + diff --git a/PrebuiltApps b/PrebuiltApps index 0add8d90..c36aabfb 160000 --- a/PrebuiltApps +++ b/PrebuiltApps @@ -1 +1 @@ -Subproject commit 0add8d90b47dce0fc13356146666405a9459ee89 +Subproject commit c36aabfba7d338166ea996167f24acb3d839f94c diff --git a/Scripts/Common/Deblob.sh b/Scripts/Common/Deblob.sh index 5ee71b5f..3499b29f 100644 --- a/Scripts/Common/Deblob.sh +++ b/Scripts/Common/Deblob.sh 
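Review bot: The rules added to sepolicy/rild.te widen rild more than a typical denial fix: `allow rild system_file:file execmod;` permits executing a modified file-backed mapping of any system_file-labelled file, and `execute_no_trans` on `toolbox_exec` runs toolbox inside the rild domain with rild's own permissions. The subject says these come from audit2allow, and none of the fourteen added lines names the denial it answers; a comment above each rule in the form `# audit2allow: <denial and the binary that triggers it>` would let a maintainer remove the rule when the cause goes away. `allow logd unlabeled:dir search;` usually points at a path missing from file_contexts, and labelling that path is narrower than granting access to everything unlabeled. The four `toolbox_exec` lines could be written as `allow rild toolbox_exec:file { getattr open read execute execute_no_trans };`, matching the `logcat_exec` rule shown in the hunk header.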
@@ -251,9 +251,12 @@ echo "Deblobbing..." blobs=$blobs"|libHealthAuthClient.so|libHealthAuthJNI.so|libSampleAuthJNI.so|libSampleAuthJNIv1.so|libSampleExtAuthJNI.so|libSecureExtAuthJNI.so|libSecureSampleAuthClient.so|libsdedrm.so"; #[Sprint] - blobs=$blobs"|com.android.omadm.service.xml|ConnMO.apk|CQATest.apk|DCMO.apk|DiagMon.apk|DMConfigUpdate.apk|DMService.apk|GCS.apk|HiddenMenu.apk|libdmengine.so|libdmjavaplugin.so|LifetimeData.apk|SprintDM.apk|SprintHM.apk|whitelist_com.android.omadm.service.xml|LifeTimerService.apk"; + blobs=$blobs"|com.android.omadm.service.xml|ConnMO.apk|CQATest.apk|DCMO.apk|DiagMon.apk|DMConfigUpdate.apk|DMService.apk|GCS.apk|HiddenMenu.apk|libdmengine.so|libdmjavaplugin.so|LifetimeData.apk|SprintDM.apk|SprintHM.apk|whitelist_com.android.omadm.service.xml|LifeTimerService.apk|SDM.apk|SecPhone.apk"; ipcSec=$ipcSec"|238:4294967295:1001:3004"; + #SyncML + blobs=$blobs"|SyncMLSvc.apk|libsyncml_core.so|libsyncml_port.so"; + #Thermal Throttling [Qualcomm] #blobs=$blobs"|libthermalclient.so|libthermalioctl.so|thermal-engine"; 
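Review bot: The new entries `SDM.apk` and `SecPhone.apk` are short names appended to a `|`-separated alternation, so depending on how `$blobs` is matched (not visible in this hunk) they may also hit any path that merely ends in those characters, with the unescaped `.` matching any character. If the consumer does not anchor names on a path separator, it is worth checking the removal list against the affected device trees so an unrelated file is not dropped. A short comment on what SDM and SecPhone are, in the style of the `#SyncML` tag added just below, would help when a device later loses telephony or fails to boot.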
@@ -269,7 +272,7 @@ echo "Deblobbing..." #blobs=$blobs"|venus.b00|venus.b01|venus.b02|venus.b03|venus.b04|venus.mbn|venus.mdt"; #[Verizon] - blobs=$blobs"|appdirectedsmspermission.apk|com.qualcomm.location.vzw_library.jar|com.qualcomm.location.vzw_library.xml|com.verizon.apn.xml|com.verizon.embms.xml|com.verizon.hardware.telephony.ehrpd.jar|com.verizon.hardware.telephony.ehrpd.xml|com.verizon.hardware.telephony.lte.jar|com.verizon.hardware.telephony.lte.xml|com.verizon.ims.jar|com.verizon.ims.xml|com.verizon.provider.xml|com.vzw.vzwapnlib.xml|qti-vzw-ims-internal.jar|qti-vzw-ims-internal.xml|VerizonSSOEngine.apk|VerizonUnifiedSettings.jar|VZWAPNLib.apk|vzwapnpermission.apk|VZWAPNService.apk|VZWAVS.apk|VzwLcSilent.apk|vzw_msdc_api.apk|VzwOmaTrigger.apk|vzw_sso_permissions.xml|VerizonAuthDialog.apk"; + blobs=$blobs"|appdirectedsmspermission.apk|com.qualcomm.location.vzw_library.jar|com.qualcomm.location.vzw_library.xml|com.verizon.apn.xml|com.verizon.embms.xml|com.verizon.hardware.telephony.ehrpd.jar|com.verizon.hardware.telephony.ehrpd.xml|com.verizon.hardware.telephony.lte.jar|com.verizon.hardware.telephony.lte.xml|com.verizon.ims.jar|com.verizon.ims.xml|com.verizon.provider.xml|com.vzw.vzwapnlib.xml|qti-vzw-ims-internal.jar|qti-vzw-ims-internal.xml|VerizonSSOEngine.apk|VerizonUnifiedSettings.jar|VZWAPNLib.apk|vzwapnpermission.apk|VZWAPNService.apk|VZWAVS.apk|VzwLcSilent.apk|vzw_msdc_api.apk|VzwOmaTrigger.apk|vzw_sso_permissions.xml|VerizonAuthDialog.apk|com.vzw.hardware.lte.xml|com.vzw.hardware.ehrpd.xml"; #Voice Recognition blobs=$blobs"|aonvr1.bin|aonvr2.bin|audiomonitor|es305_fw.bin|HotwordEnrollment.apk|HotwordEnrollment.*.apk|libadpcmdec.so|liblistenhardware.so|liblistenjni.so|liblisten.so|liblistensoundmodel.so|libqvop-service.so|librecoglib.so|libsmwrapper.so|libsupermodel.so|libtrainingcheck.so|qvop-daemon|sound_trigger.primary.*.so|libgcs.*.so|vendor.qti.voiceprint.*"; 
@@ -280,6 +283,7 @@ echo "Deblobbing..." #Widevine (DRM) [Google] blobs=$blobs"|com.google.widevine.software.drm.jar|com.google.widevine.software.drm.xml|libdrmclearkeyplugin.so|libdrmwvmplugin.so|libmarlincdmplugin.so|libwvdrmengine.so|libwvdrm_L1.so|libwvdrm_L3.so|libwvhidl.so|libwvm.so|libWVphoneAPI.so|libWVStreamControlAPI_L1.so|libWVStreamControlAPI_L3.so|libdrmmtkutil.so"; + #blobs=$blobs"|smc_pa_wvdrm.ift"; breaks toro boot blobs=$blobs"|tzwidevine.*|tzwvcpybuf.*|widevine.*"; makes=$makes"|libshim_wvm"; diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index aa6417d6..9e30bd4a 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -50,7 +50,6 @@ buildAll() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi; #Select devices are userdebug due to SELinux policy issues brunch lineage_clark-user; - brunch lineage_maguro-user; #deprecated brunch lineage_thor-userdebug; #deprecated brunch lineage_grouper-user; #deprecated and needs manual patching (one-repo vendor blob patch) brunch lineage_h815-user; #deprecated @@ -59,9 +58,12 @@ buildAll() { brunch lineage_i9100-userdebug; brunch lineage_i9305-user; #deprecated? brunch lineage_jfltexx-user; + brunch lineage_maguro-user; #deprecated brunch lineage_manta-user; #deprecated brunch lineage_n5110-user; brunch lineage_osprey-user; + #brunch lineage_toro-user; #deprecated + #brunch lineage_toroplus-user; #deprecated brunch lineage_Z00T-user; #deprecated #The following are all superseded, and should only be enabled if the newer version is broken (not building/booting/etc.) 
@@ -117,7 +119,8 @@ export -f patchWorkspace; enableDexPreOpt() { cd "$DOS_BUILD_BASE$1"; - if [ "$1" != "device/amazon/thor" ] && [ "$1" != "device/samsung/i9100" ] && [ "$1" != "device/lge/h850" ] && [ "$1" != "device/lge/mako" ] && [ "$1" != "device/asus/grouper" ]; then #Some devices won't compile, or have too small of a /system partition, or Wi-Fi breaks + #Some devices won't compile, or have too small of a /system partition, or Wi-Fi breaks + if [ "$1" != "device/amazon/thor" ] && [ "$1" != "device/samsung/i9100" ] && [ "$1" != "device/samsung/maguro" ] && [ "$1" != "device/samsung/toro" ] && [ "$1" != "device/samsung/toroplus" ] && [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/lge/h850" ] && [ "$1" != "device/lge/mako" ] && [ "$1" != "device/asus/grouper" ]; then if [ -f BoardConfig.mk ]; then echo "WITH_DEXPREOPT := true" >> BoardConfig.mk; echo "WITH_DEXPREOPT_PIC := true" >> BoardConfig.mk; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index bc7a6692..4416752f 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh 
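Review bot: The exclusion test in enableDexPreOpt is now nine chained `[ "$1" != ... ]` comparisons on one line, and the comment above it offers three possible reasons without saying which applies to which device. A `case "$1" in device/amazon/thor|device/samsung/i9100|...) ;; *) ... ;; esac` form, or one list shared by both scripts, would be easier to audit and would keep the two copies from drifting. The identical line is added to Scripts/LineageOS-15.1/Functions.sh in the last hunk, where it also newly excludes device/asus/grouper although the old 15.1 condition did not. The function body continues outside the hunk.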
@@ -220,16 +220,18 @@ rm board-info.txt; #Never restrict installation enterAndClear "device/oneplus/bacon"; sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/ +enterAndClear "device/samsung/toroplus"; +awk -i inplace '!/additional_system_update/' overlay/packages/apps/Settings/res/values/config.xml; + +enableLowRam "device/samsung/tuna"; enterAndClear "device/samsung/tuna"; rm setup-makefiles.sh; #broken, deblobber will still function -sed -i 's/arm-eabi-4.7/arm-eabi-4.8/' BoardConfig.mk; #fix toolchain #See: https://review.lineageos.org/q/topic:%22tuna-sepolicies patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0001-fix_denial.patch"; patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0002-fix_denial.patch"; patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0003-fix_denial.patch"; patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0004-fix_denial.patch"; -echo "allow rild system_file:file execmod;" >> sepolicy/rild.te; -echo "allow rild toolbox_exec:file getattr;" >> sepolicy/rild.te; +patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0005-fix_denial.patch"; enter "vendor/google"; echo "" > atv/atv-common.mk; 
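Review bot: The new `awk -i inplace` line runs right after `enterAndClear "device/samsung/toroplus"`, so it presumably executes with the fetched device tree as the working directory, and gawk resolves `-i inplace` through AWKPATH, whose default begins with the current directory. A file named `inplace.awk` in that tree would then be loaded instead of the system extension. The script already uses `sed -i`, and `sed -i '/additional_system_update/d' overlay/packages/apps/Settings/res/values/config.xml;` performs the same deletion without the include lookup or the gawk dependency. The three `awk -i inplace` lines in the later `#tuna fixes` hunk would be better converted the same way. Separately, replacing the two `echo ... >> sepolicy/rild.te` lines with 0005-fix_denial.patch is only equivalent if that patch applies cleanly, and the result of `patch -p1` is not checked here.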
@@ -252,6 +254,11 @@ sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/motorola/msm8974/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_ARM_SMMU=y/# CONFIG_ARM_SMMU is not set/" kernel/motorola/msm8992/arch/arm64/configs/*defconfig; #Breaks on compile +#tuna fixes +awk -i inplace '!/nfc_enhanced.mk/' device/samsung/toro*/lineage.mk; +awk -i inplace '!/TARGET_RECOVERY_UPDATER_LIBS/' device/samsung/toro*/BoardConfig.mk; +awk -i inplace '!/TARGET_RELEASETOOLS_EXTENSIONS/' device/samsung/toro*/BoardConfig.mk; +sed -i "s/forceencrypt/encryptable/" device/samsung/tuna/rootdir/fstab.tuna; #first-boot encryption doesn't work # #END OF DEVICE CHANGES # diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index 07906c32..fd029d8b 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh 
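Review bot: `sed -i "s/forceencrypt/encryptable/" device/samsung/tuna/rootdir/fstab.tuna` makes storage encryption opt-in for every build that uses the tuna tree, so a freshly flashed device keeps user data unencrypted until the owner enables it. The trailing comment gives the reason but not the consequence; something like `#first-boot encryption doesn't work; data stays unencrypted until enabled in Settings` would make the trade-off visible to whoever audits the device list. The `toro*` globs in the three lines above match both toro and toroplus, which looks intended, but they expand to nothing useful if those trees are absent from the workspace, so a guard or a note on which manifests provide them would help.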
@@ -101,7 +101,8 @@ export -f patchWorkspace; enableDexPreOpt() { cd "$DOS_BUILD_BASE$1"; - if [ "$1" != "device/amazon/thor" ] && [ "$1" != "device/samsung/i9100" ] && [ "$1" != "device/lge/h850" ] && [ "$1" != "device/lge/mako" ]; then #Some devices won't compile, or have too small of a /system partition + #Some devices won't compile, or have too small of a /system partition, or Wi-Fi breaks + if [ "$1" != "device/amazon/thor" ] && [ "$1" != "device/samsung/i9100" ] && [ "$1" != "device/samsung/maguro" ] && [ "$1" != "device/samsung/toro" ] && [ "$1" != "device/samsung/toroplus" ] && [ "$1" != "device/samsung/tuna" ] && [ "$1" != "device/lge/h850" ] && [ "$1" != "device/lge/mako" ] && [ "$1" != "device/asus/grouper" ]; then if [ -f BoardConfig.mk ]; then echo "WITH_DEXPREOPT := true" >> BoardConfig.mk; echo "WITH_DEXPREOPT_PIC := true" >> BoardConfig.mk;