Legacy changelog

These are the old changelogs for production releases of GrapheneOS. See the current releases changelog for more recent releases.

The release notes before the Nougat 2016.12.06.05.21.23 release should be taken with a grain of salt since we weren't really publishing them yet so it wasn't being done very carefully.

GrapheneOS started in 2014 based on Android KitKat but we only started keeping more user friendly changelogs late in the Marshmallow era.

The Nexus 9 maintenance branch is not included. It split off when the other devices moved to nougat-mr2-release and continued after the other devices moved to Oreo-based releases. It may be included here in the future but we wanted to avoid confusion.

Since Pixels, there are separate release channels including the public Stable and Beta channels. Each Stable release made it through the Beta channel and our internal Testing channel. The Nexus 5X and 6P moved to the current update system with release channels with the Oreo-based 2017.09.24.15.

Experimental releases are not listed here.

Oreo

2018.06.05.00

Changes since 2018.05.15.17:

2018-06-01 security patch level including recommended updates
2018-06-05 security patch level including recommended updates
2018-06 Pixel/Nexus functional updates
Pixel 2, Pixel 2 XL: increase rollback index for 2018-06-05 patch level
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.108 to 3.18.109
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.109 to 3.18.110
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.110 to 3.18.111
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.111 to 3.18.112
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.131 to 4.4.132
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.132 to 4.4.133
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.133 to 4.4.134
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.134 to 4.4.135
Chromium: update from 66.0.3359.158 to 67.0.3396.68

2018.05.15.17

Changes since 2018.05.08.01:

Chromium: update from 66.0.3359.126 to 66.0.3359.158
add back Nexus 6P support now that the kernel tag is available

2018.05.08.01

Changes since 2018.04.19.04:

2018-05-01 security patch level including recommended updates
2018-05-05 security patch level including recommended updates
2018-05 Pixel/Nexus functional updates
Pixel 2, Pixel 2 XL: increase rollback index for 2018-05-05 patch level
Chromium: prevent popular sites field trial from overriding changed default
Chromium: prevent non-secure origin field trial from overriding changed default
Chromium: update from 66.0.3359.106 to 66.0.3359.126
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.105 to 3.18.106
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.106 to 3.18.107
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.107 to 3.18.108
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.128 to 4.4.129
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.129 to 4.4.130
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.130 to 4.4.131
Silence: update from 0.15.12 to 0.15.13
Net Monitor: update from 1.2 to 2.0
F-Droid: update from 1.1 to 1.2 (held back earlier due to bugs)
F-Droid: update from 1.2 to 1.2.1 (held back earlier due to bugs)
F-Droid: update from 1.2.1 to 1.2.2

2018.04.19.04

Changes since 2018.04.02.21:

Settings: expose audio recording user restriction
Settings: expose install apps user restriction
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.102 to 3.18.103
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.103 to 3.18.104
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.104 to 3.18.105
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.126 to 4.4.127
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.127 to 4.4.128
Nexus 5X, Nexus 6P: fix ro.control_privapp_permissions=enforce setup (works fine on Pixels already)
use Cloudflare DNS as the default fallback: Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS so it won't be a downgrade when Android ships one of them
tethering: use Cloudflare DNS servers as the default fallbacks
NetworkDiagnostics: switch to Cloudflare DNS
SettingsLib: use Cloudflare DNS servers as hints
Chromium: update from 65.0.3325.109 to 66.0.3359.106

2018.04.02.21

Changes since 2018.03.27.11:

2018-04-01 security patch level including recommended updates
2018-04-05 security patch level including recommended updates
2018-04 Pixel/Nexus functional updates
Pixel 2, Pixel 2 XL: increase rollback index for 2018-04-05 patch level
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.124 to 4.4.125
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.125 to 4.4.126

2018.03.27.11

Changes since 2018.03.13.20:

include TalkBack and Switch Access accessibility services since they're now open source
switch dummy values for ro.build.user/ro.build.host from user/host to the OS name
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.121 to 4.4.122
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.122 to 4.4.123
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.123 to 4.4.124
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.99 to 3.18.100
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.100 to 3.18.101
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.101 to 3.18.102
PDF Viewer: make prerendering work again after refactoring
PDF Viewer: fix prerendering previous page
PDF Viewer: switch from getTextContent to streamTextContent
PDF Viewer: move maybeRenderNextPage check earlier
PDF Viewer: use a single task variable
PDF Viewer: overhaul document properties and parsing (from @Tommy-Geenexus)
PDF Viewer: switch to Java 8
PDF Viewer: improve error logging
PDF Viewer: update version to 3
F-Droid: update to 1.1

2018.03.13.20

Changes since 2018.03.10.15:

Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.120 to 4.4.121
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.98 to 3.18.99
PDF Viewer: use CSS scaling while waiting for zoomed rendering
PDF Viewer: implement Least Recently Used (LRU) rendering cache
PDF Viewer: prerender the next page
PDF Viewer: use an opaque canvas for performance
PDF Viewer: add basic render logging
PDF Viewer: add error logging for promises
PDF Viewer: only use offscreen rendering
PDF Viewer: prerender the previous page too
PDF Viewer: reset scroll position for new pages
Pixel 2 only (not Pixel 2 XL): include the right default APN database

2018.03.10.15

Chromium: disable showing popular sites by default
Chromium: disable article suggestions feature by default (not supported by us and wastes UI space)
Chromium: fix the default value displayed for the hyperlink auditing flag
Chromium: update to 65.0.3325.109
Updater: add support for testing streaming updates (not in a useful way yet)
SELinux policy: fix overly noisy app_data_file execute auditallow for third party apps (untrusted_app rather than untrusted_base_app) where it's still permitted
Pixel 2 XL: kernel: fix upstream bug in lge_battery module breaking fast charging with a monolithic kernel build (found by @nathanchance)
Launcher3: stop disabling icon normalization
Launcher3: stop wrapping legacy icons into adaptive icons
base frameworks: use round adaptive icon mask and parse round icons

2018.03.05.23

Changes since 2018.03.01.14:

2018-03-01 security patch level including recommended updates
2018-03-05 security patch level including recommended updates
2018-03 Pixel/Nexus functional updates
Pixel 2, Pixel 2 XL: increase rollback index to 3 for 2018-03-05 patch level
Settings: update_engine downgrade attack we reported is now fixed upstream, remove from extra security patches field
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.119 to 4.4.120
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.97 to 3.18.98
Pixel 2, Pixel 2 XL: kernel: enable KPTI (already enabled for the Pixel and Pixel XL in AOSP, Google disabled it for the Pixel 2 and Pixel 2 XL since it's not crucial on the Snapdragon 835 but it's still useful hardening and fixes a known way to leak system registers)

2018.03.01.14

Changes since 2018.02.18.00:

Pixel, Pixel XL, Pixel 2, Pixel 2 XL: drop unused google_camera_app SELinux domain: Google Camera isn't available in a useful way so exposing the Hexagon DSP tech stack as attack surface via Google Camera is unnecessary. HDR+ is provided via the Pixel Visual Core to compatible apps already on the Pixel 2 and Pixel 2 XL.
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.116 to 4.4.117
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.117 to 4.4.118
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.118 to 4.4.119
Pixel 2, Pixel 2 XL: kernel: backport "staging: android: ashmem: Fix possible deadlock in ashmem_ioctl" fix for "staging: android: ashmem: Fix a race condition in pin ioctls" commit in 4.4.118
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.95 to 3.18.96
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.96 to 3.18.97
include Stk package for all devices, not just the Pixel and Pixel XL
Pixel 2, Pixel 2 XL: kernel: disable unnecessary ramdisk compression support (bzip2, lzma)
Pixel 2, Pixel 2 XL: kernel: disable FTRACE support in production builds
F-Droid: update to 1.0.3
Silence: update to 0.15.12

2018.02.18.00

Changes since 2018.02.05.23:

Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: fix uninitialized scatterlist in qce detected by DEBUG_SG
Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: enable DEBUG_SG
Pixel, Pixel XL: kernel: reduce one DEBUG_SG check to a warning for now
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.93 to 3.18.94
Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.94 to 3.18.95
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.115 to 4.4.116
Pixel 2, Pixel 2 XL: kernel: Revert "ANDROID: Revert "arm64: move ELF_ET_DYN_BASE to 4GB / 4MB"" (spotted by @nathanchance)
lower pid_max to 1/4 of the default to guarantee a 4x higher max_map_count is theoretically safe despite the kernel being broken (not enough memory on real devices to matter but still)
Pixel 2, Pixel 2 XL: android-prepare-vendor: fix vendor.img AB_OTA_PARTITIONS inclusion
Settings: sort applications in sensors and clipboard background permission toggle lists (@rascarlo noticed the sorting code in the location/audio lists was missing for these)
Updater: add generated icons
Updater: bump version
PDF Viewer: replace launcher icon
PDF Viewer: bump version
Camera app: properly handle INFO_SUPPORTED_HARDWARE_LEVEL_3 (enables support for Zero-Shutter-Lag on the Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2 and Pixel 2 XL)

2018.02.05.23

Changes since 2018.01.26.22:

2018-02-01 security patch level including recommended updates
2018-02-05 security patch level including recommended updates
2018-02 Pixel/Nexus functional updates
Pixel 2, Pixel 2 XL: increase rollback index to 2 for 2018-02-05 patch level
Silence: update to v0.15.11
Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel changes up to 4.4.115
Pixel, Pixel XL: kernel: cherry-pick stable kernel changes up to 3.18.93
Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: switch user / host for reproducible builds from 'user' and 'host' to OS name
Pixel, Pixel XL: kernel: use a more targeted workaround for bogus GCC warning
improvements to repository management scripting
Chromium: icon recolor
Chromium: update to 64.0.3282.123 from 64.0.3282.116
Chromium: update to 64.0.3282.137 from 64.0.3282.123

2018.01.26.22

Changes since 2018.01.25.17:

move isAppForeground check outside of the AppOpsService lock scope to avoid occasional deadlocks between ActivityService and AppOpsService

2018.01.25.17

Changes since 2018.01.23.20:

Chromium: update to 64.0.3282.116
remove separate WebView again
add per-app setting to disallow background location access
add per-app setting to disallow background sensors access
Pixel 2, Pixel 2 XL: increase rollback index

2018.01.23.20

Changes since 2018.01.03.02:

android-prepare-vendor changes for Pixel 2 and Pixel 2 XL support
add Alpha quality Pixel 2 and Pixel 2 XL support
add AVB (Android Verified Boot 2.0) support to the release signing script for taimen and walleye
Pixel 2, Pixel 2 XL: use custom boot logo
Pixel 2, Pixel 2 XL: use SHA256_RSA2048 as the AVB algorithm for test keys to match production
Pixel 2, Pixel 2 XL: use sane value for PRODUCT_MODEL
Pixel 2, Pixel 2 XL: add Updater app
Pixel 2, Pixel 2 XL: remove messaging app
Pixel 2, Pixel 2 XL: disable the system_other odex split
Pixel 2, Pixel 2 XL: add release signing script support
Pixel 2, Pixel 2 XL: update for proc_net split
Pixel 2, Pixel 2 XL: update for isolated_app split
Pixel 2, Pixel 2 XL: fix enabled_networks_values / enabled_networks_except_gsm_values
Pixel 2, Pixel 2 XL: adjust for LTE only addition
Pixel 2, Pixel 2 XL: switch to in-tree kernel builds
Pixel 2, Pixel 2 XL: make kernel builds reproducible
Pixel 2, Pixel 2 XL: split wahoo kernel configuration
Pixel 2, Pixel 2 XL: build in device-specific kernel modules instead of loading them from vendor.img
Pixel 2, Pixel 2 XL: strip out infrastructure for modular kernel builds
Pixel 2, Pixel 2 XL: switch to clang-compiled kernels
Pixel 2, Pixel 2 XL: kernel: enable the custom Clang -fsanitize=local-init feature
Pixel 2, Pixel 2 XL: split debug and production kernel configuration
Pixel 2, Pixel 2 XL: kernel: disable SECURITY_SELINUX_DEVELOP for user builds
Pixel 2, Pixel 2 XL: kernel: enable SLUB_DEBUG_ON for debug kernels
Pixel 2, Pixel 2 XL: kernel: replace SECURITY_SMACK with SECURITY_NETWORK
Pixel 2, Pixel 2 XL: kernel: enable SECURITY_YAMA
Pixel 2, Pixel 2 XL: kernel: disable ptrace_scope by default
Pixel 2, Pixel 2 XL: kernel: enable protected_{symlinks,hardlinks} by default
Pixel 2, Pixel 2 XL: kernel: disable AIO
Pixel 2, Pixel 2 XL: kernel: enable DEBUG_LIST
Pixel 2, Pixel 2 XL: kernel: enable DEBUG_CREDENTIALS
Pixel 2, Pixel 2 XL: kernel: remove module build support
Pixel 2, Pixel 2 XL: kernel: wcnss: fix 3 byte buffer overflow on MAC change
Pixel 2, Pixel 2 XL: kernel: disable brk system call
Pixel 2, Pixel 2 XL: kernel: backport "init/main.c: extract early boot entropy from the passed cmdline" which was upstreamed by us
Pixel 2, Pixel 2 XL: kernel: gather extra early boot entropy
Pixel 2, Pixel 2 XL: kernel: backport "mm/slab.c: fix SLAB freelist randomization duplicate entries" to fix Google's disabled FREELIST_RANDOM backport
Pixel 2, Pixel 2 XL: kernel: backport "mm/slub.c: fix random_seq offset destruction" to fix Google's disabled FREELIST_RANDOM backport
Pixel 2, Pixel 2 XL: kernel: enable SLAB_FREELIST_RANDOM
Pixel 2, Pixel 2 XL: kernel: backport "mm/slub: query dynamic DEBUG_PAGEALLOC setting" to make other changes apply cleanly
Pixel 2, Pixel 2 XL: kernel: backport "mm: add SLUB free list pointer obfuscation" including the per-slab randomization upstreamed by us
Pixel 2, Pixel 2 XL: kernel: backport "mm/slub.c: add a naive detection of double free or corruption"
Pixel 2, Pixel 2 XL: kernel: enable SLAB_FREELIST_HARDENED
Pixel 2, Pixel 2 XL: kernel: backport "mm: allow slab_nomerge to be set at build time"
Pixel 2, Pixel 2 XL: kernel: disable SLAB_MERGE_DEFAULT
Pixel 2, Pixel 2 XL: kernel: add a SLAB_HARDENED configuration option
Pixel 2, Pixel 2 XL: kernel: add missing cache_from_obj !PageSlab check
Pixel 2, Pixel 2 XL: kernel: real slab_equal_or_root check for !MEMCG_KMEM
Pixel 2, Pixel 2 XL: kernel: bug on kmem_cache_free with the wrong cache
Pixel 2, Pixel 2 XL: kernel: always perform cache_from_obj consistency checks
Pixel 2, Pixel 2 XL: kernel: bug on !PageSlab && !PageCompound in ksize
Pixel 2, Pixel 2 XL: kernel: backport "mm/mmap.c: mark protection_map as __ro_after_init"
Pixel 2, Pixel 2 XL: kernel: backport "mark most percpu globals as __ro_after_init" including the extensions by us
Pixel 2, Pixel 2 XL: kernel: randomize lower bits of the argument block
Pixel 2, Pixel 2 XL: kernel: restrict device side channels
Pixel 2, Pixel 2 XL: kernel: add toggle for disabling newly added USB devices
Pixel 2, Pixel 2 XL: kernel: backport "arm64: vdso: add __init section marker to alloc_vectors_page"
Pixel 2, Pixel 2 XL: kernel: backport "arm64: vdso: constify vm_special_mapping used for aarch32 vectors page"
Pixel 2, Pixel 2 XL: kernel: backport "arm64: apply __ro_after_init to some objects"
Pixel 2, Pixel 2 XL: kernel: backport "arm64, vdso: Define vdso_{start,end} as array"
Pixel 2, Pixel 2 XL: kernel: add kmalloc/krealloc alloc_size attributes
Pixel 2, Pixel 2 XL: kernel: add vmalloc alloc_size attributes
Pixel 2, Pixel 2 XL: kernel: add percpu alloc_size attributes
Pixel 2, Pixel 2 XL: kernel: add alloc_pages_exact alloc_size attributes
Pixel 2, Pixel 2 XL: kernel: backport "include/linux/string.h: add the option of fortified string.h functions" which was upstreamed by us
Pixel 2, Pixel 2 XL: kernel: backport "replace incorrect strscpy use in FORTIFY_SOURCE" which was upstreamed by us
Pixel 2, Pixel 2 XL: kernel: enable FORTIFY_SOURCE
Pixel 2, Pixel 2 XL: kernel: backport "random,stackprotect: introduce get_random_canary function"
Pixel 2, Pixel 2 XL: kernel: backport "arm64: ascii armor the arm64 boot init stack canary" which was upstreamed by us
Pixel 2, Pixel 2 XL: kernel: add simpler page sanitization
Pixel 2, Pixel 2 XL: kernel: add support for verifying page sanitization
Pixel 2, Pixel 2 XL: kernel: slub: add basic full slab sanitization
Pixel 2, Pixel 2 XL: kernel: slub: add support for verifying slab sanitization
Pixel 2, Pixel 2 XL: kernel: slub: add multi-purpose random canaries
Pixel 2, Pixel 2 XL: kernel: backport "arm64/mmap: properly account for stack randomization in mmap_base" which was upstreamed by us
Pixel 2, Pixel 2 XL: kernel: arm64: determine stack entropy based on mmap entropy
Pixel 2, Pixel 2 XL: kernel: Revert "Revert "arm: move ELF_ET_DYN_BASE to 4MB""
Pixel 2, Pixel 2 XL: kernel: Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes"
Pixel 2, Pixel 2 XL: kernel: add specialized associated MAC randomization for qcacld-3.0
Pixel, Pixel XL: kernel: simplify specialized associated MAC randomization for qcacld-2.0 to match taimen/walleye implementation
set clang vendor string to indicate -fsanitize=local-init and future extensions are present
simplify clang build environment
rebuild clang prebuilt
system/core/libutils/RefBase.cpp: fix build with debugging
F-Droid privileged extension: whitelist taimen / walleye releasekeys
move pthread_internal_t out of the stack mapping again
Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2 (everything but the Pixel 2 XL): replace default wallpaper
Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: disable module support in production builds
VTS: drop requirement to support kernel modules
malloc: drop workaround for use-after-free in init now that it's fixed upstream

2018.01.03.02

Changes since 2017.12.17.21:

2018-01-01 security patch level
2018-01-05 security patch level
PackageInstaller: add back fix for upstream bug preventing toggling off current permissions in review
disable exec spawning for apps that are being debugged until the debug features are compatible (upstream bug)
improve robustness of the code implementing toggles for background audio recording and clipboard access
Updater: bump API level to 27
PDF Viewer: bump API level to 27
F-Droid: update to 1.0.2

2017.12.17.21

Changes since 2017.12.12.16:

Silence: update to 0.15.10
Chromium: update to 63.0.3239.111
Google WebView (included until Android 8.1 WebView stable release is open source): update to 63.0.3239.111
Pixel, Pixel XL: remove AOSP Updater package inclusion

2017.12.12.16

Changes since 2017.12.10.21:

set the default for the background audio recording toggle to allowed for the time being

Blocking background audio recording by default ended up hitting far more app compatibility issues than expected. The goal is still to disable it by default but we need to whitelist Phone services and figure out if anything can be done to improve compatibility with apps like Signal and WhatsApp.

2017.12.10.21

Changes since 2017.12.07.19:

Updater: reduce update check rate to every 4 hours from 1
Updater: reduce retry rate to every 4 minutes from 1
DeskClock: fix broken upstream fix in Android 8.1 to match our fix for Android 8.0
Nexus 5X: update stock update-binary to OPM1.171019.011
stop disabling brotli compression for legacy format over-the-air updates
replace global toggle for background clipboard access with a per-app toggle (still disabled by default)
add toggle for background audio recording (now disabled by default)

Apps can still start recording audio in the foreground and continue in the background even with background audio recording disabled. This will end up being mitigated in the future but it isn't fully implemented yet.

2017.12.07.19

Changes since the 2017.12.06.06 release:

SELinux policy: allow system_app to read selinuxfs for the Settings SELinux status display
Chromium: update to 63.0.3239.83 from 62.0.3202.84
update android-prepare-vendor to the latest revision
add back Nexus 5X and Nexus 6P support
replace obsolete brotli command line syntax
disable OTA update brotli compression since it breaks on the 5X and is only for legacy pre-Pixel devices anyway

2017.12.06.06

Changes since the 2017.11.20.01 release:

2017-12-01 security patch level
2017-12-05 security patch level
update android-prepare-vendor to the latest revision
migrate from Android 8.0 to Android 8.1 (MR1)
Settings: stop marking KRACK fixes as extra security patches since Google included the fixes in AOSP
kernel (Pixel, Pixel XL): add fixes for GCC builds until time is available to migrate to using Clang like Google
Launcher3: revert broken upstream commit
overhaul exec spawning to work with the new spawning infrastructure
overhaul SELinux policy changes to cope with Treble ABI compatibility layer
temporarily switch to official WebView build (63.0.3239.83) due to temporary lack of published Chromium sources with API 27 WebView support
set up the slightly hardened Clang / LLVM toolchain for mr1

Known upstream issues for Android 8.1:

Settings app wrongly displays the SELinux status as Permissive because SELinux prevents Settings from reading the SELinux enforce mode
Pixel verified boot fingerprint display has been fixed but the fingerprint is not yet meaningful (verified boot does continue to work and automatically enforces that the key doesn't change, it's only a fingerprint display issue)
android-prepare-vendor may not work properly without manual intervention

2017.11.20.01

script: include directory for python2 workaround
limit platform signature permissions to system again
dr1 only: rebuild clang with our patch adding support for the local-init sanitizer and enable it again in build/make and build/soong
update android-prepare-vendor to latest upstream revision
PDF Viewer: minor UX improvements (from @Tommy-Geenexus)
Updater: add warning about illegitimate resellers for legacy devices (Nexus 5X, Nexus 6P)

2017.11.06.22

2017-11-01 security patch level
2017-11-05 security patch level
other November 2017 security update changes for Nexus/Pixel devices from AOSP
Chromium (including the WebView): update to 62.0.3202.84 from 62.0.3202.73
F-Droid: update base code to 1.0.1
PDF Viewer: update pdf.js to 1.9.426 including fixing a conflict with our change to allow sane style-src Content Security Policy
SELinux policy: disallow execmem for ephemeral_app
SELinux policy: auditallow execmem for untrusted app domains again
SELinux policy: auditallow app_data_file execute for untrusted app domains again
SELinux policy: restore missing dalvikcache_data_file execute rules for non-base-system apps
sdcard service: enable the object-size sanitizer again (our integer sanitizer change is now upstream)

2017.10.31.17

Chromium (including the WebView): update to 62.0.3202.73 from 62.0.3202.66
Settings: mark anti-theft protection as not available if file-based encryption isn't supported to avoid confusion
replace decentralized python2 workarounds with a global workaround in our envsetup wrapper
HiKey: remove broken bootloader requirement for now (the bootloader isn't passing a version on the kernel command line)
svox: drop fix for CTS failure and use the upstream fix from oreo-dr1-release
assorted tweaks to minimize conflicts when cherry-picking from oreo-r3-release to oreo-dr1-release
add oreo-dr1-release branch
dr1 only: manually port changes with conflicts from oreo-r3-release: platform_bionic, platform_bootable_recovery, platform_build, platform_build_soong, platform_external_svox, platform_external_sqlite, platform_frameworks_base, platform_packages_apps_Bluetooth, platform_packages_apps_Settings, platform_prebuilts_clang_host_linux-x86, platform_system_sepolicy
dr1 only: add HiKey 960 support
dr1 only: backport upstream fix for bad merge in services/surfaceflinger/DisplayHardware/FramebufferSurface.cpp
dr1 only: backport upstream fix for hwc1 support for HiKey / HiKey 960
dr1 only: apply SettingsProvider fix from r3 that was missing to keep the settings db version in sync
dr1 only: backport upstream fixes for HiKey 960 gralloc
dr1 only: backport upstream changes for HiKey 960 SELinux support in enforcing mode
SELinux policy: backport changes for timerslack support
dr1 only: backport removal of device-specific timerslack support
HiKey, HiKey 960: stop disabling malloc junk on free
dr1 only: temporarily use zero fill on free in debug builds to work around unidentified bugs on HiKey / HiKey 960
dr1 only: backport stub memtrack HAL for HiKey / HiKey 960
dr1 only: backport add dt.img into BOARD_PACK_RADIOIMAGES
dr1 only: fix release.sh for hikey960 target
HiKey 960: update vendor files to 20170523
drop device/linaro/hikey fork from non-dr1 branches as we'll only be maintaining it in dr1

2017.10.21.14

Settings: add WPA2 issues fixed in the last release (2017.10.16.22) to the "Extra security patches" field
HiKey: add boot animation
SELinux policy: backport init configfs fix for HiKey
Settings: handle devices without factory reset protection
HiKey: disable malloc junk on free until use-after-free bugs are addressed
SELinux policy: fully remove base system dalvikcache_data_file execute again
Chromium: update base version to 62.0.3202.66 from 61.0.3163.98 and port the hardening changes

2017.10.16.22

Net Monitor: update to v1.2 from v1.1.4 (fixes the major issues of missing connections when it was running in the background and wrongly attributing connections to apps with shared uids like assigning all system uid connections to atfwd)
enable LOCAL_DEX_PREOPT for apks in vendor.img again
SELinux policy: allow vendor apps to execute vendor_framework_file for dexpreopt to avoid needing /data/dalvik-cache
backport wpa_supplicant security fixes for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088 (CVE-2017-13084 is not applicable) to Oreo's current post-2.6 revision

2017.10.11.21

Updater (Pixel, Pixel XL): stop setting the notification to CATEGORY_SYSTEM
Silence: update from 0.15.7 to 0.15.8
SELinux policy: auditallow legacy execmod
Nexus 5X, Nexus 6P: only add Updater to PRODUCT_PACKAGES in official builds
work around latent F-Droid bug with privileged extension app installation (bug is still present but no longer worse than before)

2017.10.07.23

SELinux policy: split out base system isolated_app again
SELinux policy: begin purge of base system dalvikcache_data_file execute again
SELinux policy: remove webview_zygote apk_data_file access
Nexus 5X, Nexus 6P: add back missing vendor apps via improved android-prepare-vendor Oreo compatibility
refactor checks for added runtime permissions (previously only used to make INTERNET into a runtime permission)
add new permission for non-body-related sensors

2017.10.02.22

2017-10-01 kernel security patch level
2017-10-05 kernel security patch level
Nexus 5X, Nexus 6P: enforce privileged permission whitelisting (already enforced on Pixels)

2017.10.01.17

Updater: Update settings → System update settings
SELinux policy: remove execmem for privileged app domains again
SELinux policy: add seinfo tag for generic base system apps again
SELinux policy: split out untrusted base app domains again
SELinux policy: remove base system execmod again
SELinux policy: remove base system untrusted app execmem again
SELinux policy: remove base system app_data_file execute again
kernel (Pixel, Pixel XL): add specialized MAC randomization for Pixel phones
Settings (Pixel, Pixel XL): add new toggle for associated MAC randomization to Wi-Fi preferences

2017.09.29.01

SELinux policy: split out domain for Updater from priv_app domain again
SELinux policy: remove ota update access from priv_app domain again
SELinux policy: split netmonitor domain from untrusted_base_app again
SELinux policy: split out basic routing / iface info from proc_net again
SELinux policy: remove non-netmonitor untrusted_app_all / isolated_app proc_net access again
Nexus 6P: update vendor files to OPR6.170623.019 from OPR6.170623.017 (2nd published September release)
add support for HiKey as a build target
Nexus 5X, Nexus 6P: log privileged permission whitelisting violations (already fully enforced on Pixels)
F-Droid privileged extension: update to 0.2.7
Nexus 6P: get audio_effects.conf from vendor instead again
Nexus 6P: remove wpa_supplicant scanning MAC randomization as it no longer works
Nexus 6P: remove kernel associated MAC randomization as it no longer works
remove infrastructure for legacy kernel associated MAC randomization
kernel: wcnss: fix 3 byte buffer overflow on MAC change

2017.09.24.15

Contacts: remove no-op help & feedback menu entries
keyboard: rebranding
fix logging for denials of background clipboard access
Updater (Pixel, Pixel XL): always wait for reboot after completing an update
Updater (Pixel, Pixel XL): switch to new system update icon for notification
Updater (Nexus 5X, Nexus 6P): add makeshift legacy update system support (This update client was designed to run on top of the update_engine A/B update system and file-based encryption. It can't offer the same user experience and robustness elsewhere. However, due to some recent changes it's possible to hack in support for the legacy recovery-based update system. It will handle edge cases like a normal reboot after an update is downloaded strangely but the basics can work.)
Updater (Nexus 5X, Nexus 6P): use legacy update server
Nexus 5X, Nexus 6P: replace LegacyUpdater with Updater
Chromium: update to 61.0.3163.98 from 61.0.3163.81

2017.09.19.23

keyboard: disable personalized suggestions by default
Updater (Pixel, Pixel XL): use the standard update settings intent
Nexus 5X, Nexus 6P: port to oreo
LegacyUpdater (Nexus 5X, Nexus 6P): use the standard update settings intent
Settings: use standard update settings mechanism
Nexus 5X, Nexus 6P: vendor: remove system partition bytecode packages until they work properly (loses transparent WiFi / LTE switching on both and Qualcomm time service on 5X)
wpa_supplicant: enable WiFi scanning MAC randomization for non-Qualcomm WiFi devices again (Qualcomm WiFi devices already have a better implementation in firmware)
DeskClock: drop targetSdkVersion to 25 since Google released it as targeting 26 without handling the breaking changes
Nexus 5X: fix preferred network settings

2017.09.13.21

full 2017-09-01 kernel security patch level (not just the kernel)
full 2017-09-05 kernel security patch level (not just the kernel)

2017.09.13.02

2017-09-01 kernel security patch level (other sources are inexplicably not published yet)
2017-09-05 kernel security patch level (other sources are inexplicably not published yet)
Pixel, Pixel XL: remove fstab override made unnecessary by the wonders of Treble (still necessary for Nexus)
Pixel, Pixel XL: build PresencePolling app (IMS / RCS related)
Pixel, Pixel XL: build nanotool, libion and libminui from source instead of extracting with android-prepare-vendor
Pixel, Pixel XL: avoid stripping out PixelThemeOverlay from vendor but don't enable it by default (AOSP keyboard doesn't support the theme like Gboard)
Pixel, Pixel XL: remove unnecessary DiagMon priv-app
libc: add back dynamic object size checking support without actually wiring it up to any system calls yet
use permanent fingerprint lockout immediately
Updater (Pixel, Pixel XL): reject any serialno constraint for stable / beta (serialno constraint is only for alternate update channels not exposed as standard update channel choices)

2017.09.10.17

Settings: do not allow disabling Chromium (it's very common for people to disable it without realizing Chromium provides the WebView to other apps)
Settings: do not allow disabling the main keyboard (it's not obvious that disabling it after installing another keyboard is a very bad idea. Other keyboards rarely support Direct Boot and won't work for entering the password, forcing recovery by plugging in a physical keyboard)
Updater (Pixel, Pixel XL): replace the notification channel to move away from deprecated APIs
Updater (Pixel, Pixel XL): add permissions whitelist file
disable OpenGL preloading again
disable preload ICU cache pinning again
disable JCA provider preloading again
disable resource preloading again
disable class preloading again
add missing /system/etc/permissions and /system/etc/sysconfig configuration files from stock (via android-prepare-vendor)
omit stock Android libtinyxml2 since it's part of AOSP (via android-prepare-vendor)
remove CarrierSetup app as it appears to be unnecessary and tied to Verizon bloat / Google Play
fix com.android.launcher3 permissions whitelist
fix com.android.dialer permission whitelist
fix android.ext.services permissions whitelist
add com.android.apps.tag permission whitelist
F-Droid privileged extension: update to 0.2.6
F-Droid privileged extension: whitelist privileged permissions
Pixel, Pixel XL: enforce privileged permission whitelisting
backport upstream fix for the wrap debug feature

2017.09.08.04

Chromium: update to 61.0.3163.81 from 60.0.3112.116
Chromium: backport support for the Android Oreo WebView
Chromium: bump MonochromePublic targetSdkVersion to 26 to match the internal Monochrome metadata (needed to provide the WebView on Oreo among other things)
remove Google WebView since our hardened Chromium builds provide the WebView again
remove Google WebView from the WebView provider whitelist
PDF Viewer: adopt targetSandboxVersion 2 to use the much stronger instant app style sandbox for the app itself (rendering already happened in the stronger WebView sandbox)
Updater (Pixel, Pixel XL): migrate to Build.getSerial() API for enforcing update zip serialno constraints in anticipation of it becoming mandatory
grant Updater app on Pixel and Pixel XL Phone permissions for Build.getSerial()
leave deprecated Build.SERIAL field set to UNKNOWN (only support fetching the serial number via the new Build.getSerial() requiring the READ_PHONE_STATE permission)

2017.09.06.03

Chromium: update to 60.0.3112.116 from 60.0.3112.107
Chromium WebView (temporarily included until Oreo WebView support is pushed): update to 60.0.3112.116 from 60.0.3112.107
add two forms of ASLR for secondary stacks again
make the minimum secondary stack gap size one page again
kernel: getrandom: make blocking until init configurable (disabled temporarily to mimic the AOSP urandom fallback)

2017.09.03.17

move to Android Oreo OPR6.170623.013 the base OS (tip of oreo-r6-release branch)
port of many of our features to Android Oreo (8.0), requiring many changes to the implementations (details not listed here)
android-prepare-vendor port to Android Oreo / Treble and new vendor files
add missing ro.hardware.egl property
stop clobbering stock audio_effects.conf
temporarily bundle and whitelist the AOSP WebView until Android Oreo support is pushed to Chromium
add ambient capability support to exec-based spawning
use exec-based spawning for com.android.bluetooth now that there's ambient capability support
fix upstream issue with replacing the fingerprint of the boot image
handle -ftrapv like the signed integer sanitizer options (signed-integer-overflow, integer, undefined) by not passing -fwrapv
build new Clang toolchain
switch back to using speed mode for dexpreopt globally rather than only for certain core code
Launcher3: disable icon normalization for now as most icons aren't prepared for it
disable aapt2 for LatinIME (the keyboard) to work around a known aapt2 bug
increase padding from 16 to 32 bytes for the new AES_256_HEH filename encryption mode to match our increase from 4 to 32 bytes for the old AES_256_CTS mode (content is still encrypted with AES_256_XTS)
Contacts: remove no-op help and feedback option
Contacts: make add account message neutral about service choice
Settings: add back extra security patch level field
Settings: add back bootloader version field
Settings: add back verified boot status field
Settings: add back anti-theft protection status field
Updater (Pixel, Pixel XL): add support for battery not low job scheduling
remove shared relro support again
Launcher3: work around keyboard not being hidden
ExactCalculator: revert to the old Apache2 icon from before Google went out of the way to regress it in AOSP
Contacts: remove logo meant for the Google app based on this
recovery: rebranding
script: remove minutes/seconds from generated BUILD_NUMBER
temporarily bundle and whitelist the latest Google WebView until support for providing the WebView on Android Oreo is in Chromium
bionic: replace brk/sbrk/__bionic_brk with stubs again
Updater (Pixel, Pixel XL): move to new APIs provided at API level 26
Updater (Pixel, Pixel XL): add a notification channel
Updater (Pixel, Pixel XL): increase targetSdkVersion to 26
stop disabling unprivileged ptrace by default for compatibility with the new crash dump system
kernel (Pixel, Pixel XL): stop enabling ptrace_scope by default for compatibility with the new crash dump system
CarrierConfig (Pixel, Pixel XL): update vendor.xml configuration overlay for Android Oreo
roll back non-firewall network hardening too for the time being in case it's the source of carrier compatibility issues
add toggle for disabling native code debugging support (toggles kernel.yama.ptrace_scope between 0 and 2, with more restrictions coming later)
replace SELinux policy in vendor.img with our policy
sepolicy: remove permissions tied to the Dalvik / ART JIT compiler again
sepolicy: remove app_data_file execute for priv_app again
sepolicy: add back fine-grained policy for /proc/vmstat
sepolicy: disallow text relocations for API 26+
sqlite: enable shift, signed-integer-overflow and object-size sanitizers in trapping mode again
make some function pointer tables read-only again
PDF Viewer: update targetSdkVersion to 26
PDF Viewer: update pdf.js to 1.8.188
fix undefined out-of-bounds accesses in sched.h again
switch pthread_atfork handler to mmap again
add memory protection for pthread_atfork handlers again
add memory protection for at_quick_exit handlers again
clean up string formatting in libc again
increase pthread stack size to 8MiB on 64-bit again
add XOR mangling mitigation for thread local destructors again
avoid some variable length arrays again
make __stack_chk_guard read-only at runtime again
replace pthread_attr junk filling pattern again
add explicit_memset and fix explicit_bzero with it again
add a proper issetugid implementation again
add back hardened malloc with assorted changes and integration
temporarily disable junk on free for init
whitelist getrandom system call for media seccomp sandboxes since hardened malloc triggers regular calls to it
Updater (Pixel, Pixel XL): get payload offset from new streaming metadata
zero sensitive data (512 byte hardware generated random seed) with explicit_memset in init again
tighten up mount permissions again
use blocking getrandom to prevent urandom fallback to prevent arc4random abort before urandom is available and to guarantee high quality early boot entropy

Nougat

2017.08.21.00.41.27

Chromium (including the WebView): update to 60.0.3112.107 from 60.0.3112.97
kernel (Nexus 5X, Nexus 6P, Pixel, Pixel XL): use kernel command-line as early boot entropy since it has the serial number and bootloader stage timings
Updater (Pixel, Pixel XL): open updater settings when the notification is touched

2017.08.14.23.14.24

Chromium (including the WebView): update to 60.0.3112.97 from 60.0.3112.78
Chromium (no impact on WebView): hide passwords.google.com link when not supported
Camera2: remove no-op help and feedback button
mark added frameworks APIs as hidden to avoid API stability warnings
assorted cleanup / reorganization in preparation for porting to Android 8.0

2017.08.07.22.43.31

2017-08-01 security patch level
2017-08-05 security patch level
enable Verizon visual voicemail support
add CNEService for the Nexus 5X and Nexus 6P to bring them in line with the Pixel and Pixel XL
Pixel, Pixel XL: add CarrierConfig vendor.xml other than the Verizon entries from stock, resolving remaining non-Sprint / non-Verizon carrier compatibility issues (VoLTE / VoWiFi now work where supported, other than on Verizon where it requires proprietary apps / remote admin backdoor)
fix upstream bug in the permissions review activity (toggles only worked for new permissions, not previously granted / rejected ones)

2017.08.04.01.56.14

make sure https is used for all references to izatcloud
stop marking the LTE only mode as experimental (caveats still apply: VoLTE needed for voice calls to work, modem may have bugs allowing downgrade)
Chromium (including the WebView): update to 60.0.3112.78
Chromium (impacts browser only): enable dubious Do Not Track feature by default
Chromium (impacts browser only): stop enabling search engine geolocation by default
disable camera gestures while locked if camera is disabled on the lockscreen, to avoid needing to toggle off the gesture feature
ContactsCommon: remove irrelevant privacy policy / terms of use
disable firewall hardening until contributors with access to other carriers are willing to test it
disable bounds sanitizer for libc_dns until an overflow there is fixed

2017.07.27.03.08.18

fix bug causing permission review to no longer grant permissions by default at install time
set tether_dun_required to 0 by default (using net.tethering.noprovisioning=true isn't enough for every standard APN configuration)
require unlocking to use nfc quick tile
require unlocking to use bluetooth quick tile
require unlocking to use airplane mode quick tile
require unlocking to use wifi quick tile
require unlocking to use rotation lock quick tile
require unlocking to use data saver quick tile
require unlocking to use hotspot quick tile
require unlocking to use cellular quick tile
require unlocking to use battery quick tile

2017.07.26.12.53.31

rework how the INTERNET permission works (Network permission group will need to be toggled off again as desired)
make SET_TIME_ZONE require signature|privileged like SET_TIME (it's much less sensitive but shouldn't be a 'normal' permission)
stop granting location to Chromium by default for fresh installs (it works fine without it and requests it after the user grants access to a site)
add toggle to Settings → Security for disabling camera usage from the lockscreen
Updater (Pixel, Pixel XL): set minimum latency for idle reboot job to 5 minutes
Settings: remove irrelevant wallpaper copyright information

2017.07.23.16.40.26

extend support for toggling the Network permission group to apps targeting API level < 23
mark all JNINativeMethod tables in modules that are used as read-only

2017.07.22.14.48.26

Pixel, Pixel XL: add missing system/lib/soundfx/libfmas.so library (via android-prepare-vendor)
mark INTERNET as a dangerous permission, but granted by default for apps with runtime permission support for compatibility
add a NETWORK permission group for the INTERNET permission
add NETWORK permission group to the list with user-facing toggles

2017.07.18.08.53.56

Nexus 5X, Nexus 6P, Pixel, Pixel XL: fix enabled_networks_values / enabled_networks_except_gsm_values
add an experimental LTE only preferred network option
switch from deprecated ro.permission_review_required property to config_permissionReviewRequired resource
kernel (Pixel, Pixel XL): enable protected_{symlinks,hardlinks} by default rather than later via sysctl
kernel (Pixel, Pixel XL): replace CONFIG_FORTIFY_SOURCE implementation with the newer revision that landed in mainline
sdcard: rm poison on free since malloc does it
Pixel, Pixel XL: add SafetyRegulatoryInfo to packages (for Settings → About device → Safety and regulatory manual)
Pixel, Pixel XL: use regulatory information from stock for SafetyRegulatoryInfo
Settings (Pixel, Pixel XL): use regulatory labels from stock (for Settings → About device → Regulatory labels)
Updater (Pixel, Pixel XL): use Settings theme
Updater (Pixel, Pixel XL): set release channel summary
Updater (Pixel, Pixel XL): set permitted networks summary
PDF Viewer: add support for showing document properties (from @Tommy-Geenexus)
Music: revert Google's upgrade of targetSdkVersion from 9 to 24 since it's broken

2017.07.06.18.26.24

disable bluetooth toggle permission review for now due to upstream issues
disable wifi toggle permission review for now due to upstream issues

2017.07.06.00.04.39

2017-07-01 security patch level
2017-07-05 security patch level
replace default device policy manager maximum password length with 64 (was 16), which recently started to override the limit in Settings
Pixel, Pixel XL: include com.qualcomm.timeservice app to sync the hardware clock on time changes (via android-prepare-vendor)
only disable ART --abort-on-hard-verifier-error for the Nexus 5X and 6P, not Pixel phones where SoC support is less horrifying
PDF Viewer: preserve number picker state after being killed (from Tommy-Geenexus)
backport fix for NFC quick tile initialization from AOSP master
backported assorted memory corruption and other bug fixes
enable PERMISSIONS_REVIEW_REQUIRED to enforce user review of dangerous permissions pre-launch for apps targeting API levels less than 23 (pre-6.x)
Chromium (including the WebView): update to 59.0.3071.125
Chromium: build MonochromePublic instead of ChromeModernPublic
remove standalone Chromium WebView
switch WebView provider from com.android.webview to org.chromium.chrome
Chromium: build full Monochrome library for 64-bit and WebView-only library for 32-bit instead of vice versa, and set 64-bit as the preferred ABI to spawn all Chromium and WebView renderers as 64-bit as was the case before we used Monochrome (unlike stock Android)
Chromium: depend on WebView frameworks libraries

2017.06.29.02.31.13

Updater (Pixel, Pixel XL): cancel pending idle reboot when disabling setting
Updater (Pixel, Pixel XL): disable app for non-system users to save resources (already does nothing as non-system)
fix upstream recovery logging bug
enable dex preopt for apks in vendor.img
Pixel, Pixel XL: remove remnants of the disabled system_other odex split
wire up Android Runtime debug configuration for exec-based spawning
fix cached pid invalidation by vfork assembly code
F-Droid: update to 0.104
F-Droid: stop suggesting / attempting incompatible updates

2017.06.18.22.04.37

enable boot/bootloader/radio version checks
Settings: add device info field with bootloader version
Settings: enable showing SELinux status in device info
Settings: add device info field with verified boot status
Settings: add device info field with anti-theft protection status
add logging for denials of background clipboard access
Updater (Pixel, Pixel XL): fine tune logging
Updater (Pixel, Pixel XL): restore permitted network preference state (display issue only)
Updater (Pixel, Pixel XL): improve robustness against file permission inconsistencies in /data/ota_package
Updater (Pixel, Pixel XL): only run for the system user

2017.06.15.06.09.53

Updater (Pixel, Pixel XL): extend post-verification metadata sanity checking beyond the device/timestamp (not strictly necessary)
Updater (Pixel, Pixel XL): verify that serialno metadata matches if present (for debug/wipe builds accepted only by one device)
Updater (Pixel, Pixel XL): fine tuning of job scheduling
add scripts to the source tree (generating signed releases, incrementals and update server metadata; repository management)
recovery: remove recovery logs access in user builds
Settings: remove unused automatic update toggle
Settings: remove unsupported FBE conversion option (Nexus 5X, Nexus 6P)
kernel (Pixel, Pixel XL): disable brk system call since it's unused
add QuickSettings NFC toggle tile from AOSP master (written by Anas Karbila)
Chromium (including the WebView): update to 59.0.3071.92
Pixel, Pixel XL: add extracted bootloader and radio firmware for generating complete over-the-air updates without a non-standard process

2017.06.06.00.02.24

add back workaround for upstream race between camera services and flashlight quick tile
Etar: update to 1.0.12
F-Droid: update to 0.103.2
2017-06-01 security patch level
2017-06-05 security patch level

2017.05.27.09.20.58

kernel (Pixel, Pixel XL): add more __ro_after_init (partially from PaX)
kernel (Pixel, Pixel XL): randomize lower bits of the argument block like PaX
kernel (Pixel, Pixel XL): properly account for stack randomization in mmap base
kernel (Pixel, Pixel XL): determine stack entropy based on mmap entropy (11 → 16 bits for 32-bit processes, 18 → 24 bits for 64-bit processes) - note: arm64 4-level page tables could improve this significantly on 64-bit, but they aren't usable yet
kernel (Pixel, Pixel XL): move ET_DYN base lower in the address space
kernel (Pixel, Pixel XL): fix qcacld-2.0 buffer read overflows in userdebug builds caught by CONFIG_FORTIFY_SOURCE
update F-Droid privileged extension to 0.2.5
revert workaround for upstream race between camera services and flashlight quick tile (no longer needed)

2017.05.01.22.35.44

2017-05-01 security patch level
2017-05-05 security patch level
Silence: update to 0.15.7

2017.04.27.21.03.07

kernel (Pixel, Pixel XL): apply large series of arm64 improvements from the marlin O Preview 1 kernel including PAN emulation
kernel (Pixel, Pixel XL): add vmalloc alloc_size attributes
kernel (Pixel, Pixel XL): add fortified strlen/strnlen
only include the Updater app if OFFICIAL_BUILD is true (Pixel, Pixel XL)
initialize threaded malloc
refine malloc pthread_atfork integration
Chromium (including the WebView): update to 58.0.3029.83

2017.04.15.10.49.50

kernel (Pixel, Pixel XL): implement an equivalent to _FORTIFY_SOURCE=1 for buffer reads/writes via string.h functions
kernel (Pixel, Pixel XL): add kmalloc alloc_size attributes
kernel (Pixel, Pixel XL): avoid buffer overflow in Qualcomm display code
kernel (Pixel, Pixel XL): apply __ro_after_init changes from marlin O Preview 1 kernel
kernel (Pixel, Pixel XL): apply HARDENED_USERCOPY changes from marlin O Preview 1 kernel
kernel (Pixel, Pixel XL): slub: check cookies in __check_heap_object to detect use-after-free and heap corruption via user copy functions
PDF Viewer: update pdf.js to v1.8.170
PDF Viewer: create a fresh canvas for each page

2017.04.06.23.05.54

libc: malloc: use zero-based junk filling in production
F-Droid privileged extension: update to 0.2.3
F-Droid: update to 0.102.3
enable F-Droid privileged extension
Silence: update to 0.15.6
fix upstream buffer overflow in the Bluetooth stack caught by our dynamic system call overflow checks (fix from @ScottyBauer1)

2017.04.04.01.07.02

migrate to nougat-mr2-release (Android 7.1.2) and drop Nexus 9 support from this branch as it will remain on nougat-mr1.1-release
2017-04-01 security patch level
2017-04-05 security patch level
Chromium (including the WebView): update to 57.0.2987.132
kernel: fix CVE-2017-7184
kernel: slub: add back random cookies
kernel: use slab_equal_or_root checks without memcg kmem
kernel: always perform cache_from_obj sanity checks
kernel: slub: add check for write-after-free
Updater (Pixel, Pixel XL): delete corrupt update packages
Updater (Pixel, Pixel XL): resume installation of completed downloads

2017.03.30.01.11.28

kernel: slub: roll back random cookies until more resources are available to cope with fallout

2017.03.28.23.38.21

Chromium (including the WebView): upgrade to 57.0.2987.126
kernel: arm64: zero the leading stack canary byte to mitigate non-terminated C string overflows
kernel: panic on kmem_cache_free with the wrong cache
kernel: panic on !PageSlab && !PageCompound in ksize
kernel: slub: add multi-purpose random cookies

2017.03.18.04.46.03

kernel: gather extra early boot entropy like PaX
Updater (Pixel, Pixel XL): add the option to reboot once idle after updating
Updater (Pixel, Pixel XL): add support for Direct Boot to enable updates before unlocking
enable notification light by default (Nexus 5X, Nexus 6P, Pixel, Pixel XL)
Silence: update to 0.15.5
F-Droid: update to 0.102.2
F-Droid privileged extension: update to 0.2.2
Chromium: update to 57.0.2987.108

2017.03.13.18.50.01

Updater (Pixel, Pixel XL): extract care_map.txt for update_verifier
Updater (Pixel, Pixel XL): sanity check device name to mitigate key reuse
Updater (Pixel, Pixel XL): hold wake lock for update_engine
privacy-friendly-netmonitor: update to 1.1.4
SELinux policy: split out updater domain for the Updater app from priv_app
SELinux policy: remove priv_app OTA update access
on 64-bit, zero the leading stack canary byte: trade 8 bits of entropy (64 → 56) for mitigating non-terminated C string overflows
on 64-bit, zero the leading heap canary byte: trade 8 bits of entropy (64 → 56) for mitigating non-terminated C string overflows
use fully random stack and heap canaries in eng/userdebug builds

2017.03.06.21.33.13

2017-03-01 security patch level
2017-03-05 security patch level
Pixel, Pixel XL: whitelist Updater in power save modes

2017.03.02.10.47.25

Updater (Pixel, Pixel XL): add support for opting into the Beta channel
Updater (Pixel, Pixel XL): improve the code for resuming downloads
Updater (Pixel, Pixel XL): reschedule on failure to speed up retry
Etar: update to 1.0.10
privacy-friendly-netmonitor: update to 1.1.1
LegacyUpdater (Nexus 9, Nexus 5X, Nexus 6P): replace sys.update.test with the sys.update.channel property used by Updater
SELinux policy: remove sys.update.test property policy
enable preoptimization for system vendor files again
Silence: update to 0.15.2
initial 'stable' Pixel release (not Pixel XL)

2017.02.23.07.20.31

Chromium: avoid breaking other first run experience pages when disabling the welcome page
further work on Pixel / Pixel XL vendor files
rename Updater to LegacyUpdater
add new Updater app for A/B devices (Pixel / Pixel XL) implementing automatic background updates
Settings: integrate the new Updater for A/B devices instead of LegacyUpdater
LegacyUpdater: drop experimental A/B update support
drop SELinux policy workaround for the experimental A/B update support in LegacyUpdater
Etar: update to 1.0.9
Silence: update to 0.15.1
Camera: disable location tagging by default again
add a partial workaround for the upstream Pixel / Pixel XL flashlight quick tile race condition
PDF Viewer: Enable/disable zoom menu items based on zoom-level (from @Tommy-Geenexus)
PDF Viewer: Enable/disable menu entries based on whether a PDF is loaded (from @Tommy-Geenexus)
PDF Viewer: Show actual/max page numbers on page change (from @Tommy-Geenexus)
PDF Viewer: update pdf.js to 1.6.210
PDF Viewer: revert an insignificant upstream pdf.js micro-optimization to preserve strong Content Security Policy

2017.02.12.02.58.40

SELinux policy: split out basic routing / iface info from proc_net
SELinux policy: remove proc_net access for untrusted_app/untrusted_base_app
bundle org.secuso.privacyfriendlynetmonitor app
SELinux policy: add a domain for org.secuso.privacyfriendlynetmonitor based on untrusted_base_app with proc_net read access
Chromium: mark non-secure origins as non-secure
marlin / sailfish vendor file improvements
PDF Viewer: improve asynchronous request handling
PDF Viewer: add support for cancelling rendering
PDF Viewer: disable saving form data in the WebView
PDF Viewer: disable WebView cache
PDF Viewer: disable WebView URL loading
PDF Viewer: disable WebView cookies (already disallowed, but might as well disable it)
PDF Viewer: load a fresh viewer for each PDF (improve robustness/security by isolating the pdf.js environment for each document)
PDF Viewer: avoid content URL access within the WebView

2017.02.07.00.27.27

February security update
auditallow untrusted_app/untrusted_base_app /proc/net usage to assess the scope of the problem
ported marlin device repository changes from nougat-mr1.3-release

2017.02.04.15.16.45

remove unused Google development key from the marlin/sailfish kernel
Updater: initial support for A/B updates
Updater: remove Tv theme/layout
Updater: remove changelog support in anticipation of moving towards ChromeOS-style updates
Updater: remove unused VIBRATE permission
Updater: remove redundant system information
Updater: drop translations in anticipation of an overhaul
hash pthread_self when using it to select the malloc pool
Settings: hide MAC randomization toggle when not supported
use dummy values for ro.build.host ("host") and ro.build.user ("user") to match the kernel values
PDF Viewer: only reset page number for new documents
PDF Viewer: add support for text selection
rework hiding passwords by default (setting may need to be toggled off in Security for existing installs)
Chromium: update to 56.0.2924.87

2017.01.26.14.27.36

PDF Viewer: extend Content-Security-Policy to allow loading images from blobs
PDF Viewer: switch to default-src 'none' from 'self'
PDF Viewer: implement zoom actions
PDF Viewer: save/restore page number
PDF Viewer: implement jump to page action
PDF Viewer: remove extra whitespace below the canvas
PDF Viewer: save/restore zoom level
PDF Viewer: reset page number to 1 for new documents
kernel: enable SLUB_DEBUG_ON for debug kernels
kernel: only enable SLUB_DEBUG for debug kernels (match vanilla Android for production + make the Nexus 9 kernel consistent)
kernel: add back page sanitization with verification too this time around
kernel: add missing slab.h corruption check from PaX
kernel: add slub free list XOR encryption (tweaked from grsecurity 4.8+ feature)
kernel: add back slub sanitization (new post-4.5 PaX style without memory overhead, but with zeroing since it's production only)
disable the system_other odex split for marlin/sailfish
add missing property to make the marlin/sailfish fingerprint scanner work
add --replace_verity_keyid to release signing script to fix marlin/sailfish verified boot
add public keys for releases to the marlin/sailfish kernel to fix marlin/sailfish verified boot
revert the AOSP change for marlin/sailfish disabling dm-verity for the vendor partition
Chromium: update from 55.0.2883.91 to 56.0.2924.78
Chromium: stop forcing WebView renderers to be 32-bit (revert of an upstream change in v56)

2017.01.17.23.45.11

marlin/sailfish custom in-tree kernel builds
Chromium: disable form autofill by default
disable slub merging by default for non-PaX kernels too
stop disabling slub debugging support for the angler, bullhead and marlin/sailfish kernels
ignore slub_debug on the kernel line for the Nexus 5X since LG's bootloader passes slub_debug=FZP unconditionally
add back support for scrambling PIN layout
add PDF Viewer app based on pdf.js and content providers (no permissions)

2017.01.04.05.44.59

update Silence from 0.14.6 to 0.14.8
bluetooth disabled by default (patch from Jon Richards)
sailfish / marlin vendor files generated by android-prepare-vendor instead of the nonsense from Google
latin keyboard: disable keypress sound by default across all form factors
enable integer sanitizer for sdcard again, with sanitizers disabled in a problematic function
rename SMSSecure apk / module to Silence
sensitive notification content hidden on the lockscreen by default again
January security update (android-7.1.1_r9)
migrate from nougat-mr1-release (android-7.1.1_r9) to nougat-mr1.1-release (android-7.1.1_r11)

2016.12.25.22.27.39

SELinux policy: split system untrusted_app into untrusted_base_app
SELinux policy: untrusted_base_app: forbid text relocations
SELinux policy: untrusted_base_app: forbid dynamic code generation
SELinux policy: untrusted_base_app: remove asec access
SELinux policy: untrusted_base_app: remove dalvik cache execute
SELinux policy: untrusted_base_app: remove app_data_file execute
SELinux policy: split system isolated_app into isolated_base_app
SELinux policy: isolated_base_app: remove dalvik cache execute
Etar: update from 1.0.7 to 1.0.8
disable dynamic object size checks for getcwd with NULL (non-standard GNU extension)
QuickSearchBox: disable widget
Chromium: enable -fwrapv for clang
add missing whitelisting for LocalTransport backup service (upstream AOSP bug)
Nexus 6P: switch to /vendor/etc/audio_effects.conf from android-prepare-vendor
move compression from factory images generation to the release signing script
fix build with /usr/bin/python as python3
add our F-Droid repository to the defaults (it can be manually added for existing installs)

2016.12.17.07.29.30

move from NMF26O (android-7.1.1_r4) to NMF26Q (android-7.1.1_r6)
enable bounds sanitizer for bluetooth.default.so again
disable bounds sanitizer for libbt-stack for now
hide keyboard gesture settings due to missing Google Play dependency
hide keyboard voice input key due to missing Google Play dependency
switch from default 4 byte file name padding for file-based encryption to 32 bytes (from @thegrugq)
add missing WallpaperPicker app

2016.12.12.04.03.44

Chromium (including the WebView): update to 55.0.2883.91
fix detection of system apps updates by F-Droid
update Silence to 0.14.6
fix accessibility integration for the Extra security patch level field
fix some build non-determinism so target_files_diff.py detects no changes in a rebuild (i.e. smaller incrementals)
add back QuickSearchBox app to fulfill CTS requirements
disable QuickSearchBox launcher icon
disable QuickSearchBox launcher widget
disable bounds sounds for bluetooth.default until it's fixed
incremental updates are now considered stable and are being deployed over-the-air

2016.12.07.07.47.51

regenerated vendor files with android-prepare-vendor now that it has proper API level 25 support
enabled gesture settings
updated F-Droid to 0.102
removed placeholder QuickSearchBox widget in the launcher
disabled reserved area for the QuickSearchBox widget in the launcher
fixed upstream PackageInstaller bug introduced in 7.1.1 showing unknown sources dialogs for first-party interactive installs

2016.12.06.05.21.23

December security update, including migration to nougat-mr1-release (initial Android 7.1.1 branch) from nougat-mr0.5-release
disable integer sanitizer for sdcard service due to problems introduced with 7.1.1
fix Linux kernel CVE-2016-8655 (local privilege escalation)
Chromium: disabled hyperlink auditing by default
Chromium: added DuckDuckGo as the default search engine, including search suggestions
Chromium: updated to 55.0.2883.77
Chromium: mark the internal channel as stable rather than unknown due to not being com.android.chrome
fixed F-Droid version name
added signature verification to the over-the-air update client as an extra layer before recovery verifies them
remove redundant hash verification from the over-the-air update client now that it checks signatures
added compatibility with incremental (delta) updates from the update server
updated Silence to 0.14.5
remove priv_app app_data_file execution
bundle offline-calendar so that calendar functionality works out-of-the-box instead of adding an account failing without explanation
replace unmaintained AOSP Calendar app with Etar

2016.11.27.21.33.03

Chromium: disabled contextual search, network prediction, navigation error correction and metrics by default
Chromium: disabled first run welcome (metrics) and data reduction proxy opt-in pages
Chromium: disabled other forms of data reduction proxy promotions
Chromium: update to 55.0.2883.63 (Beta channel)
changed update server domain (old server will continue to work)
permit shell user to enable the test update channel
send device type in the delta update request

2016.11.21.18.36.19

rm a message from Settings referencing Google Play
stop incorrectly marking android.hardware.location.network as a supported feature (could be supported down the road)
removed mremap from Chromium system call whitelist
switched Chromium/WebView from -fstack-protector to -fstack-protector-strong
updated Chromium/WebView to 55.0.2883.53 (Beta channel)
marked F-Droid updates to system apps signed with different keys as incompatible
switched from ChromePublic.apk to ChromeModernPublic.apk (backported from master)
set a proper Chromium apk version name/code (rather than the default of "Developer Build" and "1")
implemented an initial way to test update infrastructure

2016.11.16.11.42.49

disable unused AssetAtlas service
worked around upstream Pico TTS bugs by building it as 32-bit
updated Chromium and Chromium WebView to 55.0.2883.45 (switched from Stable channel → Beta channel for now so that WebView can be built from source again)

2016.11.10.09.53.38

preload android.graphics.Typeface class to work around an upstream race condition (avoids Conversations crash)
updated Chromium WebView to 54.0.2840.85

2016.11.07.22.55.37

disable bounds sanitizer for libstagefright_amrwbenc
added back __dynamic_object_size executable fast path
updated Chromium to 54.0.2840.85
removed ipset support from the Nexus 9, as IP blacklisting is unlikely to be reimplemented any time soon
temporarily disabled exec-based spawning for com.android.systemui
November security update (2016-11-06 patch level, unlike stock's 2016-11-05 patch level)

2016.10.27.20.13.46

replaced several uses of strlen on untrusted binary data without a guaranteed NUL terminator
updated Chromium WebView to 54.0.2840.68
updated Chromium to 54.0.2840.68
set Chromium release channel to "stable" to disable StrictMode and fix the version information
added a field to Settings → About device listing vulnerability fixes not included in the latest Android patch level (does not include those without ids, and it's incomplete)
added back preloadResources to work around upstream bugs causing CtsWidgetTestCases to fail (100ms app start latency cost)
fixed a use-after-free in MediaHTTP

2016.10.21.23.10.25

roll back the CyanogenMod CMUpdater base for the Updater app to the last working revision

2016.10.21.09.43.36

fix CVE-2016-5195

2016.10.19.01.33.44

backported commit from AOSP master removing access to /dev/snd/{seq,timer}
bumped Updater app to API level 24 due to a fix from CyanogenMod
disabled background clipboard access (can be reactivated in Settings → Security)
enabled doze and app standby
fixed early boot and recovery failures due to a subtle compatibility issue triggering out-of-memory
updated OpenBSD malloc to new version with multi-pool (not yet enabling it) and lighter junk-on-free for large allocations
made dynamic object size checks work for static executables again
add back __dynamic_object_size stack fast path

2016.10.13.23.14.08

migrated from nougat-bugfix-release to nougat-mr0.5-release (no-op rename by Google)
extended dynamic object size checks to work with _FORTIFY_SOURCE functions
fixed dynamic object size queries to be fully async signal safe
extended dynamic object size checks to work inside libc itself

2016.10.05.01.09.35

enabled up-front compilation again rather than relying on background compilation
extended new dynamic overflow checks to cover the same system calls as before
added missing initializer in surfaceflinger
added missing overflow checks in binder (caught by -fsanitize=integer regardless)
migrated from nougat-release to nougat-bugfix-release branch as the base
October security update
added more bounds sanitizer exceptions

2016.10.01.19.24.44

add back madvise to the media seccomp policies (called by libbinder)
disabled bounds sanitizer for libsvoxpico (text to speech)
disabled bounds sanitizer for libstagefright_amrnbenc
reimplemented __dynamic_object_size/__malloc_object_size API
added back dynamic overflow checks for the read and write system calls (not yet the rest)
backported arc4random atfork fixes
backported patch to only set the stack guard value once

2016.09.27.15.19.19

reimplemented changes preventing ART from trying to map oat files from /data/dalvik-cache
reimplemented removal of SELinux policy allowing reads of dalvikcache_data_file symlinks
reimplemented maximum password length increase (16 → 64)
reimplemented Settings app toggle for MAC randomization so that it can be disabled again
reimplemented debug and production kernel split for the Nexus 6P
disabled tethering provisioning again
removed widevine library (via android-prepare-vendor)
added vendor-board-info.txt to enforce bootloader/radio versions (via android-prepare-vendor)
drop madvise from the media seccomp whitelists since it isn't used by OpenBSD malloc by default
disable bounds sanitizer for libunwind due to a regularly invoked undefined behavior on at least arm64
disable bounds sanitizer for keystore due to a regularly invoked undefined behavior
reverted a broken upstream zygote-based spawning optimization to get keystore working again

2016.09.23.17.14.14

force enable multiprocess sandboxed WebView (hidden as a developer option in stock)
removed obsolete developer options multiprocess WebView toggle
further reduce execmem based on not using the ART JIT and having out-of-process WebView
added back setting to control USB peripheral denial
pulled in minor upstream bug fix for the Updater app
disabled bounds sanitizer for libjni_latinime until the issues there are fixed

2016.09.21.10.30.07

enabled bounds sanitizer by default for C++ again
enabled object-size sanitizer for SQLite
updated Chromium to 53.0.2785.124
updated Chromium WebView to 53.0.2785.124
fixed some undefined array accesses in bionic libc
added more exceptions from the bounds sanitizer
removed malloc configuration property handling for now due to property initialization changes in Nougat

2016.09.17.19.33.24

enabled shift and signed-integer-overflow sanitizers for SQLite
disabled bounds sanitizer for a few more modules to work around bugs

2016.09.16.14.31.32

add Qualcomm build utilities again, to restore missing hardware features
begin bringing back selective use of the object-size sanitizer
add back -fsanitize=bounds -fsanitize-trap=bounds by default for C code (not yet C++ again)
fix AndroidID-29431260 vulnerability (moderate severity)

2016.09.14.05.23.28

updated Chromium to 53.0.2785.97
updated WebView to 53.0.2785.97
proprietary blob generation improvements
fix for CVE-2016-5343 for the 5X and 6P (does not impact Nexus 9)
added back -fwrapv for code where signed integer overflow checking is not enabled

2016.09.09.07.12.48

switch ART from profile-based AOT compilation to full compilation since JIT profiling is disabled (verify-profile changed to interpret-only, speed-profile changed to speed)
initial Nexus 6P Nougat support
reverted upstream commits disabling dm-verity for the Nexus 5X and Nexus 6P vendor partition in AOSP (Nexus 9 not impacted)

2016.09.07.19.27.04

September security update
replace our WebView builds with Google builds for now (Nougat support code is not public yet)
disable mremap code path in the OpenBSD malloc port to avoid violating standard seccomp whitelists
fix remaining Updater app Nougat compatibility issue

2016.09.05.03.48.51

initial Nexus 5X port to Nougat, with some proprietary carrier nonsense missing
narrower scope for execmod/execmem in the SELinux policy
allow dalvikcache_data_file execute for isolated_app again (removed by mistake)

2016.09.02.14.16.41

initial release based on Android Nougat, which has substantial security improvements in the base OS
ported many past features ported to the new base (not yet close to all features)
fixed various new AOSP issues
fixed / worked around various new compatibility issues with our features

Marshmallow

2016.08.23.15.51.31

backport replacement of AT_RANDOM with arc4random for the ART base address
backported dlopen support for PIC oat files
backported dexpreopt support for prebuilt Java libraries
enabled WITH_DEXPREOPT_PIC for boot.oat
removed execmem auditallow for mediaserver (can be revisited with the mediaserver split in N)
removed dalvikcache_data_file execute access for everything other than shell, untrusted_app and isolated_app
enabled the stackable Yama Linux Security Module for ptrace_scope
added a system property for controlling ptrace_scope, usable by the adb shell user
set ptrace_scope=2 by default, disabling unprivileged access to ptrace

2016.08.16.05.14.52

enabled WITH_DEXPREOPT_PIC to reduce the need for /data/dalvik-cache for the base system
minor kernel configuration adjustments (enable DEBUG_LIST, enable DEBUG_CREDENTIALS, disable INET_DIAG)
disabled unused kernel AIO support
updated Chromium-based WebView to 52.0.2743.98
updated Chromium to 52.0.2743.98
applied fix for CVE-2016-3866 to the Nexus 5X and 6P kernels (Nexus 9 not impacted, Nexus 5 does not appear to be)
extended fine-grained SELinux restrictions to /proc/vmstat and /proc/zoneinfo (only a few core services)
removed obsolete recovery menu entry for applying updates from SD card

2016.08.09.06.24.33

removed some infrastructure for the unused shared relro feature (incompatible with exec spawning)
removed support for partial junk-on-free, making full junk-on-free into the default
implemented and enabled Clang sanitizer for zeroing uninitialized local variables
applied fix for CVE-2016-5340 to the Nexus 5X and 6P kernels (Nexus 9 is not impacted)

2016.08.05.15.15.34

extended access to /proc/interrupts and /proc/stat to msm_irqbalance on the 5X and 6P
updated Chromium-based WebView from 52.0.2743.83 to 52.0.2743.91
updated Chromium from 52.0.2743.83 to 52.0.2743.91
only support SELinux enforcing mode in production (user) builds
worked around use-after-free caught by page cache protection in the proprietary 5X/6P camera service

2016.08.02.00.49.57

restrict access to /proc timing information to prevent sensitive data leaks via timing side channels
backported fix for get_nproc() to avoid depending on /proc/stat
enabled malloc canaries by default and moved them from 70% to 50% on the performance vs. security slider
backported a tiny patch series for Parcel to reduce noise from SELinux denials
August security patch level
perf events restrictions landed upstream and were backported, so they're now part of the AOSP base

2016.07.24.12.17.03

updated WebView to 52.0.2743.83
updated Chromium to 52.0.2743.83 and re-enabled Chromium linker to bypass bugs
added back shared library preloading to work around Chromium linker bug

2016.07.21.04.12.20

made stack canary global read-only after initialization
began purging alloca and variable length arrays across Android
added Qualcomm utility functions used but not provided by AOSP's build system (fixes a few bugs, and should improve 5X/6P power usage)

2016.07.07.02.16.02

rebase to 2016-07-05 security patch level

2016.07.03.03.18.57

updated F-Droid to v0.100.1 from v0.100
enable netfilter rpfilter support on the Nexus 6P
port of grsecurity's DEVICE_SIDECHANNEL feature
set malloc to abort on out-of-memory by default (see technical overview for rationale)
fixed libdmengine.so symlinks (does not appear to fix Sprint support)

2016.06.17.11.52.32

disabled unused AssetAtlas service (incompatible with exec-based spawning)
disabled Zygote preload step again
built-in Exchange support was removed upstream for the Nexus 5 and 9, similar to the 5X and 6P
fixed build for the generic x86/x86_64 targets
updated the baseline updater code from CyanogenMod, fixing a changelog-related crash
ported a minimal version of grsecurity's DENYUSB feature to the kernels (kernel.deny_new_usb sysctl)
hooked up deny_new_usb to the lockscreen to offer automatic toggling based on lock state
exposed deny_new_usb in Settings → Security → Device Security with 3 states: enabled, dynamic, disabled
updated F-Droid to 0.100 from 0.99.2
set deny_new_usb feature to the dynamic mode by default

2016.06.06.21.23.39

tweaked perf_harden property handling to avoid potential races
exposed perf_harden to the shell user, made it non-persistent and removed the Settings app toggle
updated Chromium apks (arm, arm64) to 51.0.2704.81
updated WebView apks (arm, arm64) to 51.0.2704.81
dropped PaX support for the deprecated (but still supported) Nexus 5 target
June security update

2016.05.28.01.02.27

removed leftover legacy permission model toggle on the 5X/6P
fixed upstream bug in AppCompat support to avoid a NullPointerException in DeskClock
fixed support for non-platform signature permissions in third party apps
minimal port of grsecurity's PERF_HARDEN feature (kernel.perf_event_paranoid=3)
added a toggle for profiling support in developer options

2016.05.24.21.38.49

use -fstack-protector for the Nexus 9 kernel (required backports)
updated Silence to 0.14.3
roll back DeskClock translation changes from AOSP on the 5X/6P to work around various issues

2016.05.17.11.18.09

ignore persist.security.perf_harden values less than 1 to avoid adding system→root attack surface
set persist.security.perf_harden=2 by default, rather than writing to /proc/sys directly
enable -fstack-protector-strong for the Nexus 5X and 6P kernels

2016.05.17.00.50.04

disabled scanning MAC randomization on the Nexus 5X to avoid authentication failure (requires network settings reset)

2016.05.14.04.14.03

compression disabled in the inner factory images zip, resulting in a significantly smaller tar.xz
removed forced disabling of malloc junk filling for mediaserver on the Nexus 5X for now
full MAC randomization for the Nexus 6P (no builds yet)
remove legacy permission toggle feature for now, as it needs to be reimplemented

2016.05.08.05.30.34

add back Exchange to marshmallow-mr2-release (Nexus 5, 9), since Google published tags
switch to xz from gzip for factory images (not a big improvement yet due to inner zip compression)
expose malloc quarantine size as a setting in Security → Advanced
wire up the malloc quarantine size option to the performance vs. security slider
avoid abort when the malloc quarantine is set to zero size
fix use-after-free/double-free mitigations with the maximum malloc quarantine size

2016.05.03.18.54.15

May security update (MTC19T for 5X, MOB30J for 5 and 9)
custom boot animation
configurable malloc quarantine size (not yet exposed in Settings)

2016.04.26.16.55.03

avoid benign unsigned overflow in sdcard service caught by -fsanitize=integer

2016.04.25.16.44.01

always randomize pre-associated MAC address via wpa_supplicant (requires WiFi settings reset to kick in)
hide the no-op legacy grant toggle for non-owner users
improved heap canary generation (each unique, not unique per-page)
enable bounds, integer and object-size sanitizers for sdcard service
migrated the Nexus 5 and 9 to marshmallow-mr2-release branch (first tag is 6.0.1_r30)
updated SMSSecure to 0.14.1 (note that it has been renamed to Silence upstream)

2016.04.15.02.07.53

added setting for disabling legacy handling of dangerous permissions

2016.04.10.03.35.03

updated Chromium to 49.0.2623.105
updated WebView to 49.0.2623.105

2016.04.06.11.37.02

migrated Nexus 5X to the new marshmallow-dr1.5-release branch
significant upstream performance and battery life improvements

2016.04.05.04.42.49

update F-Droid to 0.99.2
April security update

2016.03.27.04.15.10

set default SQLite journal mode to TRUNCATE, not PERSIST
hostname is now randomized by default on boot
applied fix for CVE-2016-0774 to the kernel
updated F-Droid to 0.99.1