Keeping your port secure
One of Omni's goals is to bring the best security to your devices. Besides the changes we can make at the framework level, a number of changes are needed in device trees and kernels that we cannot apply automatically.
Please make sure that your device trees and kernels follow the guidance here.
Check your init permissions
Make sure your init.*.rc files don't set unnecessary permissions. Compare them against a stock ROM. Nothing should EVER have '777'.
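One way to run this check, as an added example that is not Omni's own tooling: a POSIX shell scan that lists world-writable modes set by chmod, mkdir and socket lines in init*.rc files and prints only those the stock scripts do not have. The function names and the sample scripts are constructed for illustration.

```sh
# Added example, not Omni tooling. Finding format: <mode> <target> <file>:<line>
# Assumes paths and targets contain no spaces.
scan_init_rc() {
    find "$1" -type f -name 'init*.rc' | sort | while IFS= read -r f; do
        rel=${f#"$1"/}
        awk -v file="$rel" '
            function check(mode, target) {
                # World-writable: last octal digit has the write bit (2, 3, 6, 7).
                if (mode ~ /^[0-7]*[2367]$/)
                    printf "%s %s %s:%d\n", mode, target, file, FNR
            }
            { sub(/#.*/, "") }
            $1 == "chmod"  && NF >= 3 { check($2, $3) }            # chmod <mode> <path>
            $1 == "mkdir"  && NF >= 3 { check($3, $2) }            # mkdir <path> [mode] ...
            $1 == "socket" && NF >= 4 { check($4, "socket:" $2) }  # socket <name> <type> <perm>
        ' "$f"
    done
}

# Print findings in the port tree ($1) that the stock scripts ($2) do not have.
port_only_findings() {
    stock=$(scan_init_rc "$2" | cut -d' ' -f1,2)
    scan_init_rc "$1" | while IFS= read -r line; do
        key=${line% *}
        printf '%s\n' "$stock" | grep -qxF -- "$key" || printf '%s\n' "$line"
    done
}

# Constructed sample scripts: the port loosens one mkdir and adds a 666 socket.
demo() {
    d=$(mktemp -d)
    mkdir "$d/stock" "$d/port"
    cat > "$d/stock/init.sample.rc" <<'EOF'
on post-fs-data
    mkdir /data/misc/sample 0770 system system
    chmod 0666 /dev/sample_stock
EOF
    cat > "$d/port/init.sample.rc" <<'EOF'
on post-fs-data
    mkdir /data/misc/sample 0777 system system   # loosened in the port
    chmod 0666 /dev/sample_stock
    chmod 0660 /dev/sample_ok
service sampled /system/bin/sampled
    socket sampled stream 666 root root
EOF
    port_only_findings "$d/port" "$d/stock"
    rm -rf "$d"
}
demo
```

Each line printed by port_only_findings is a mode the port sets more loosely than stock and should be justified or tightened; scan_init_rc alone lists every world-writable mode, including ones inherited from stock.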
Please make sure your kernels have the following security patches from the mainline kernel:
To cherry-pick those patches into your kernel:
git remote add linux https://github.com/torvalds/linux
git fetch linux
git cherry-pick <commit>
where <commit> can be, for example, 'c95eb3184ea1a3a2551df57190c81da695e2144b' for the first patch. If you get merge errors, it is likely that the patch has already been applied. However, you should make sure it really has been, by checking the merge markers.
Another method that can be used (and in general allows reasonably easy cherry-picking from GitHub):
wget https://github.com/torvalds/linux/commit/c95eb3184ea1a3a2551df57190c81da695e2144b.patch
git am c95eb3184ea1a3a2551df57190c81da695e2144b.patch
wget https://github.com/torvalds/linux/commit/6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0.patch
git am 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0.patch
In addition, please also ensure you apply the following patches from CAF:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483 (more information available at https://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282)