Possibly integrate Tad's automated Kernel CVE patcher for downstream kernels
Remember the automatic patch shotgun approach that we discussed at one point?
Tad (@IratePorcupine) has implemented something similar, but for CVE patches.
He wrote:
Today I am releasing my Android oriented automated CVE patcher along with a large set of patches.
I have been using this for over a year now with little issue. Some patches it tries to apply will need to be disabled here and there for some devices, but for the most part, if it applies, it boots. It is far from perfect, it doesn't magically solve the ancient kernel issue, but it definitely helps.
The tool was made to be part of the rest of my build system, but I've been sitting on this all too long. So it is a bit rough and you'll probably need to modify it a bit for your use.
I already messaged some others (LineageOS, microG, and Replicant) earlier today, but I think pmOS might also be interested in this.
Here is the program (GPLv3): https://gitlab.com/divested-mobile/cve_checker (you'll need to compile it).
Here are the kernel patches (GPLv2): https://gitlab.com/divested-mobile/kernel_patches/blob/master/Kernel_CVE_Patch_List.txt (you can trust my repo or you can use the download function). Some patches from oz have probably been removed, so you'll have to piece them together.
And in a follow-up mail:
The build "system" is a single repo with the patches and scripts to apply them. It is fairly generic and currently supports LineageOS' cm-11.0, cm-14.1, lineage-15.1, and lineage-16.0 branches with close parity. Any other "base" can be easily added with a few hours of work. But LineageOS is chosen for its vast device compatibility and relative sanity.
The checker as is outputs scripts, which is what actually gets used. This is to make it more reproducible and increase workspace patching speed. Some examples of the current output:
Of course this is not as good as mainlining, but it might be a good idea to apply these patches to downstream kernels in postmarketOS too. We would need to figure out how to integrate such a huge amount of patches neatly in our build system though, and how to make it convenient for users to figure out which patches apply to their kernel and which ones don't. Tad's tool is written in Java (which makes sense in the Android build environment context), pmbootstrap is written in Python - so maybe we would re-implement the part that figures out which patches apply properly. I think this can be done in a few lines of code anyway, and the big gain here is the already collected amount of security related patches.
- What do you think folks?
- Anybody interested in working on this?
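To make the "figure out which patches apply" part concrete, here is an added Python sketch of that step. It is not Tad's cve_checker and not pmbootstrap code; it assumes patches are plain unified diffs with -p1 paths (as git produces them) and checks each hunk's pre-image (context and '-' lines) against the target file with a small line-offset tolerance, then emits a shell script that applies only the patches that fit, mirroring the checker's idea of outputting scripts so the selection is reproducible. The driver file, patch and directory layout in it are constructed for the example.

```python
"""Select the unified-diff patches from a directory that still apply to a kernel tree.

Added illustration (not cve_checker, not pmbootstrap). Assumes -p1 style paths.
"""
import os
import re
import sys

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+\d+(?:,\d+)? @@")


def _target_path(header_line):
    # '+++ b/drivers/foo.c\t<timestamp>' -> 'drivers/foo.c' (-p1 semantics)
    name = header_line[4:].split("\t")[0].strip()
    return name[2:] if name[:2] in ("a/", "b/") else name


def parse_patch(text):
    """Return [(path, is_new_file, [(old_start, pre_image_lines), ...]), ...]."""
    files, hunks, pre = [], [], None
    path, new_file, pending_new, pending_old, remaining = None, False, False, None, 0
    for line in text.splitlines():
        if pre is not None and remaining > 0:
            # Inside a hunk body: '+' lines exist only in the post-image and '\' is
            # the "No newline at end of file" marker; everything else is pre-image.
            if line.startswith(("+", "\\")):
                continue
            pre.append(line[1:] if line[:1] in (" ", "-") else line)
            remaining -= 1
            continue
        m = HUNK_RE.match(line)
        if m:
            remaining = int(m.group(2)) if m.group(2) is not None else 1
            pre = []
            hunks.append((int(m.group(1)), pre))
        elif line.startswith("--- "):
            pending_new = line[4:].startswith("/dev/null")
            pending_old = _target_path(line)
        elif line.startswith("+++ "):
            if path is not None:
                files.append((path, new_file, hunks))
            new_path = _target_path(line)
            # A deleted file names /dev/null on the '+++' side; keep the old name.
            path = pending_old if new_path == "/dev/null" else new_path
            new_file, hunks, pre = pending_new, [], None
    if path is not None:
        files.append((path, new_file, hunks))
    return files


def hunk_applies(file_lines, old_start, pre, fuzz=200):
    """True if the pre-image occurs at its stated line or within +/- fuzz lines."""
    n = len(pre)
    if n == 0:
        return True
    guess = max(old_start - 1, 0)
    for offset in range(fuzz + 1):
        for pos in (guess - offset, guess + offset):
            if 0 <= pos <= len(file_lines) - n and file_lines[pos:pos + n] == pre:
                return True
    return False


def check_patch(patch_text, tree_files):
    """tree_files maps a path to its text (None when absent). Returns (applies, reasons)."""
    reasons = []
    for path, new_file, hunks in parse_patch(patch_text):
        text = tree_files.get(path)
        if new_file:
            if text is not None:
                reasons.append(f"{path}: already exists")
            continue
        if text is None:
            reasons.append(f"{path}: missing from tree")
            continue
        lines = text.splitlines()
        for old_start, pre in hunks:
            if not hunk_applies(lines, old_start, pre):
                reasons.append(f"{path}: hunk at line {old_start} no longer matches")
    return (not reasons, reasons)


def load_tree_files(tree_dir, patch_text):
    """Read only the files a patch touches from a kernel checkout."""
    out = {}
    for path, _new, _hunks in parse_patch(patch_text):
        full = os.path.join(tree_dir, path)
        out[path] = None
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                out[path] = fh.read()
    return out


def select_patches(patch_dir, tree_dir):
    """Return (applicable_patch_paths, {rejected_patch_path: reasons})."""
    good, bad = [], {}
    for name in sorted(os.listdir(patch_dir)):
        if not name.endswith(".patch"):
            continue
        full = os.path.join(patch_dir, name)
        with open(full, encoding="utf-8", errors="replace") as fh:
            patch_text = fh.read()
        ok, reasons = check_patch(patch_text, load_tree_files(tree_dir, patch_text))
        if ok:
            good.append(full)
        else:
            bad[full] = reasons
    return good, bad


def apply_script(applicable):
    """Shell script that applies the selected patches in a fixed, reproducible order."""
    lines = ["#!/bin/sh", "set -e", 'cd "$1"'] + [f'patch -p1 -N < "{p}"' for p in applicable]
    return "\n".join(lines) + "\n"


# Constructed sample: a one-line change against a fictional driver file.
SAMPLE_FILE = "int check(int n)\n{\n\tif (n < 0)\n\t\treturn -1;\n\treturn n;\n}\n"
SAMPLE_PATCH = ("--- a/drivers/foo.c\n+++ b/drivers/foo.c\n@@ -3,3 +3,3 @@\n"
                " \tif (n < 0)\n-\t\treturn -1;\n+\t\treturn -EINVAL;\n \treturn n;\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <patch_dir> <kernel_tree>  > apply.sh
        good, bad = select_patches(sys.argv[1], sys.argv[2])
        for p, why in bad.items():
            print(f"skip {p}: {'; '.join(why)}", file=sys.stderr)
        sys.stdout.write(apply_script(good))
    else:
        print(check_patch(SAMPLE_PATCH, {"drivers/foo.c": SAMPLE_FILE}))
```

The offset search is what makes this useful against downstream kernels: vendor trees have extra lines above the patched region, so a hunk rarely sits at the exact line number from the upstream diff, but its context usually still matches somewhere nearby. Rejected patches are reported with the file and hunk that drifted, which is the list a maintainer needs to hand-port.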