From 98fd9fc5ac8eb13e3447e4eab24fd27c34b8482c Mon Sep 17 00:00:00 2001
From: Crimson Hawk
Date: Fri, 12 Jul 2024 20:39:19 +0800
Subject: [PATCH] added seucurity patches and patch files

---
 .gitignore | 1 +
 README.md | 10 ++++++++
 config | 17 +++++++------
 patches/security.patch | 55 ++++++++++++++++++++++++++++++++++++++++++
 patches/waydroid.patch | 13 ++++++++++
 5 files changed, 88 insertions(+), 8 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 patches/security.patch
 create mode 100644 patches/waydroid.patch

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..60f0b0b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+!patches/
\ No newline at end of file
diff --git a/README.md b/README.md
index ddcb3cf..df2ee6c 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,11 @@
 patches folder contains all the patches. files shipped are already prepatched
+
+patch order:
+
+1. waydroid.patch
+2. security.patch
+
+sources:
+
+waydroid.patch: https://wiki.archlinux.org/title/Waydroid
+security.patch: selected from https://www.kicksecure.com/wiki/Hardened-kernel
\ No newline at end of file
diff --git a/config b/config
index d2e8fb8..9c53a98 100644
--- a/config
+++ b/config
@@ -4662,8 +4662,8 @@ CONFIG_SSIF_IPMI_BMC=m
 CONFIG_IPMB_DEVICE_INTERFACE=m
 CONFIG_HW_RANDOM=y
 CONFIG_HW_RANDOM_TIMERIOMEM=m
-CONFIG_HW_RANDOM_INTEL=m
-CONFIG_HW_RANDOM_AMD=m
+CONFIG_HW_RANDOM_INTEL=y
+CONFIG_HW_RANDOM_AMD=y
 CONFIG_HW_RANDOM_BA431=m
 CONFIG_HW_RANDOM_VIA=m
 CONFIG_HW_RANDOM_VIRTIO=m
@@ -9386,7 +9386,7 @@ CONFIG_AMD_IOMMU=y
 CONFIG_DMAR_TABLE=y
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_SVM=y
-# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_FLOPPY_WA=y
 CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_PERF_EVENTS=y
@@ -10935,7 +10935,7 @@ CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y
 # Hardening of kernel data structures
 #
 CONFIG_LIST_HARDENED=y
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Hardening of kernel data structures
 
 CONFIG_RANDSTRUCT_NONE=y
@@ -11525,7 +11525,7 @@ CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y
 # CONFIG_DEBUG_VM is not set
 # CONFIG_DEBUG_VM_PGTABLE is not set
 CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
-# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_VIRTUA=y
 CONFIG_DEBUG_MEMORY_INIT=y
 # CONFIG_DEBUG_PER_CPU_MAPS is not set
 CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y
@@ -11613,10 +11613,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_DEBUG_CLOSURES is not set
 # CONFIG_DEBUG_MAPLE_TREE is not set
 # end of Debug kernel data structures
diff --git a/patches/security.patch b/patches/security.patch
new file mode 100644
index 0000000..f0fccc9
--- /dev/null
+++ b/patches/security.patch
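Review bot: In `config`, the hunk at line 11525 adds `CONFIG_DEBUG_VIRTUA=y`, which is missing its final `L`; the line it replaces is `# CONFIG_DEBUG_VIRTUAL is not set`. Kconfig does not know the misspelled symbol, so it is dropped on the next config pass and DEBUG_VIRTUAL presumably stays disabled. The line should read `CONFIG_DEBUG_VIRTUAL=y`. The same misspelling is carried in the matching hunk of `patches/security.patch`, so anyone re-applying that patch reproduces it; both places need the fix.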
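Review bot: In the `config` hunk at line 11613, `CONFIG_DEBUG_CREDENTIALS=y` is added as a brand-new line rather than replacing an existing `# ... is not set` entry, which suggests this kernel's Kconfig does not define the symbol. As far as I recall the option was removed upstream around Linux 6.7, and `CONFIG_LIST_HARDENED` elsewhere in this file points to a tree of about that age or newer; please confirm against the target source. If it is gone, the line is silently discarded and gives no protection, so drop it here and in `patches/security.patch`. Running `grep DEBUG_CREDENTIALS .config` after `make olddefconfig` shows whether the symbol survived.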
@@ -0,0 +1,55 @@
+--- a/config 2024-07-11 19:47:36.660974102 +0800
++++ b/config 2024-07-12 20:17:48.323530281 +0800
+@@ -4662,8 +4662,8 @@
+ CONFIG_IPMB_DEVICE_INTERFACE=m
+ CONFIG_HW_RANDOM=y
+ CONFIG_HW_RANDOM_TIMERIOMEM=m
+-CONFIG_HW_RANDOM_INTEL=m
+-CONFIG_HW_RANDOM_AMD=m
++CONFIG_HW_RANDOM_INTEL=y
++CONFIG_HW_RANDOM_AMD=y
+ CONFIG_HW_RANDOM_BA431=m
+ CONFIG_HW_RANDOM_VIA=m
+ CONFIG_HW_RANDOM_VIRTIO=m
+@@ -9386,7 +9386,7 @@
+ CONFIG_DMAR_TABLE=y
+ CONFIG_INTEL_IOMMU=y
+ CONFIG_INTEL_IOMMU_SVM=y
+-# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
++CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+ CONFIG_INTEL_IOMMU_FLOPPY_WA=y
+ CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y
+ CONFIG_INTEL_IOMMU_PERF_EVENTS=y
+@@ -10935,7 +10935,7 @@
+ # Hardening of kernel data structures
+ #
+ CONFIG_LIST_HARDENED=y
+-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
++CONFIG_BUG_ON_DATA_CORRUPTION=y
+ # end of Hardening of kernel data structures
+ 
+ CONFIG_RANDSTRUCT_NONE=y
+@@ -11525,7 +11525,7 @@
+ # CONFIG_DEBUG_VM is not set
+ # CONFIG_DEBUG_VM_PGTABLE is not set
+ CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
+-# CONFIG_DEBUG_VIRTUAL is not set
++CONFIG_DEBUG_VIRTUA=y
+ CONFIG_DEBUG_MEMORY_INIT=y
+ # CONFIG_DEBUG_PER_CPU_MAPS is not set
+ CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y
+@@ -11613,10 +11613,11 @@
+ #
+ # Debug kernel data structures
+ #
+-# CONFIG_DEBUG_LIST is not set
++CONFIG_DEBUG_LIST=y
+ # CONFIG_DEBUG_PLIST is not set
+-# CONFIG_DEBUG_SG is not set
+-# CONFIG_DEBUG_NOTIFIERS is not set
++CONFIG_DEBUG_SG=y
++CONFIG_DEBUG_NOTIFIERS=y
++CONFIG_DEBUG_CREDENTIALS=y
+ # CONFIG_DEBUG_CLOSURES is not set
+ # CONFIG_DEBUG_MAPLE_TREE is not set
+ # end of Debug kernel data structures
diff --git a/patches/waydroid.patch b/patches/waydroid.patch
new file mode 100644
index 0000000..7895161
--- /dev/null
+++ b/patches/waydroid.patch
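Review bot: `patches/security.patch` pins every change to an absolute line number in an ~11,000-line `config` with three lines of context, and its `---`/`+++` headers carry local timestamps, so it will need offset/fuzz matching or fail outright once the base config shifts. Since each change is a single symbol flip, a config fragment listing the wanted symbols (merged with `scripts/kconfig/merge_config.sh`) or a short list of `scripts/config --enable SYMBOL` calls would survive a kernel bump and make the hardening set readable at a glance. Whichever form is kept, the README should say that the final `.config` is to be checked for each requested symbol, because Kconfig drops unknown or unsatisfiable options without failing the build.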
@@ -0,0 +1,13 @@
+--- a/config 2024-07-11 15:01:26.249996763 +0800
++++ b/config 2024-07-11 15:09:27.942552038 +0800
+@@ -10310,6 +10310,10 @@
+ #
+ # Android
+ #
++CONFIG_ANDROID=y
++CONFIG_ANDROID_BINDER_IPC=m
++CONFIG_ANDROID_BINDERFS=n
++CONFIG_ANDROID_BINDER_DEVICES="binder,hwbinder,vndbinder"
+ # CONFIG_ANDROID_BINDER_IPC is not set
+ # end of Android
+
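Review bot: The added `CONFIG_ANDROID_BINDER_IPC=m` sits directly above the unchanged context line `# CONFIG_ANDROID_BINDER_IPC is not set`, so the patched `config` states the symbol twice with opposite values. Kconfig normally warns and keeps the last assignment it reads, which here would leave binder disabled; the hunk should remove the stale line (`-# CONFIG_ANDROID_BINDER_IPC is not set`) instead of keeping it as context. Two things to confirm against the target tree: mainline declares ANDROID_BINDER_IPC as a bool, so `=m` is only accepted if this kernel carries a module patch, and `CONFIG_ANDROID_BINDERFS=n` is conventionally written `# CONFIG_ANDROID_BINDERFS is not set`.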