Bump to 0.7.0

* umount for ksu 10763

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* Add crashdump sepolicy

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* Add more information about debug

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* daemonize zygiskd companion

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* create zygiskd if crash

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* injector: use ANDROID_DLEXT_USE_LIBRARY_FD to load module

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* zygiskd: use file as module fd instead of memfd on debug build

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* use OwnedFd

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

* dlopen: no need to create ns

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

---------

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,72 @@
+name: Bug report/反馈 Bug
+description: Report errors or unexpected behavior./反馈错误或异常行为。
+labels: [bug]
+title: "[Bug] Short description/简单描述"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting issues of Zygisk on KernelSU!
+
+        To make it easier for us to help you please enter detailed information below.
+
+        感谢给 Zygisk on KernelSU 汇报问题！
+        为了使我们更好地帮助你，请提供以下信息。
+        为了防止重复汇报，标题请务必使用英文。
+  - type: textarea
+    attributes:
+      label: Steps to reproduce/复现步骤
+      placeholder: |
+        1.
+        2.
+        3.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected behaviour/预期行为
+      placeholder: Tell us what should happen/正常情况下应该发生什么
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Actual behaviour/实际行为
+      placeholder: Tell us what happens instead/实际上发生了什么
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: KernelSU Module List/KernelSU 模块列表
+      render: Shell
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Zygisk on KernelSU version/Zygisk on KernelSU 版本
+      description: Don't use 'latest'. Specify actual version, otherwise your issue will be closed./不要填用“最新版”。给出具体版本号，不然 issue 会被关闭。
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Android version/Android 版本
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: KernelSU version/KernelSU 版本
+    validations:
+      required: true
+  - type: checkboxes
+    id: latest
+    attributes:
+      label: Version requirement/版本要求
+      options:
+        - label: I am using latest debug CI version of Zygisk on KernelSU and enable verbose log/我正在使用最新 CI 调试版本 Zygisk on KernelSU 且启用详细日志
+          required: true
+  - type: textarea
+    attributes:
+      label: Logs/日志
+      description: For usage issues, please provide the log zip saved from KernelSU manager; for activation issues, please provide [bugreport](https://developer.android.com/studio/debug/bug-report). Without logs zip, the issue will be closed. /使用问题请提供从 KernelSU 管理器保存的日志压缩包；激活问题请提供 [bugreport](https://developer.android.google.cn/studio/debug/bug-report?hl=zh-cn) 日志。没有日志附件的问题会被关闭。
+      placeholder: Upload logs zip by clicking the bar on the bottom. Upload logs to other websites or using external links is prohibited. /点击文本框底栏上传日志压缩包，禁止上传到其它网站或使用外链提供日志。
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,23 @@
+name: Feature request/新特性请求
+description: Suggest an idea./提出建议
+labels: [enhancement]
+title: "[Feature Request] Short description/简单描述"
+body:
+  - type: textarea
+    attributes:
+      label: Is your feature request related to a problem?/你的请求是否与某个问题相关？
+      placeholder: A clear and concise description of what the problem is./请清晰准确表述该问题。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe the solution you'd like/描述你想要的解决方案
+      placeholder: A clear and concise description of what you want to happen./请清晰准确描述新特性的预期行为
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional context/其他信息
+      placeholder: Add any other context or screenshots about the feature request here./其他关于新特性的信息或者截图
+    validations:
+      required: false

.github/workflows/ci.yml

@@ -0,0 +1,88 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ master ]
+    tags: [ v* ]
+  pull_request:
+  merge_group:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
+      CCACHE_NOHASHDIR: "true"
+      CCACHE_HARDLINK: "true"
+      CCACHE_BASEDIR: "${{ github.workspace }}"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: "recursive"
+          fetch-depth: 0
+
+      - name: Setup Java
+        uses: actions/setup-java@v3
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+        with:
+          gradle-home-cache-cleanup: true
+
+      - name: Setup rust-cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: zygiskd/src -> ../build/intermediates/rust
+          cache-targets: false
+          
+      - name: Setup Rust
+        run: |
+          rustup target add armv7-linux-androideabi
+          rustup target add aarch64-linux-android
+          rustup target add x86_64-linux-android
+          rustup target add i686-linux-android
+
+      - name: Set up ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          max-size: 2G
+          key: ${{ runner.os }}
+          restore-keys: ${{ runner.os }}
+          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+
+      - name: Build with Gradle
+        run: |
+          echo 'org.gradle.parallel=true' >> gradle.properties
+          echo 'org.gradle.vfs.watch=true' >> gradle.properties
+          echo 'org.gradle.jvmargs=-Xmx2048m' >> gradle.properties
+          echo 'android.native.buildOutput=verbose' >> gradle.properties
+          sed -i 's/org.gradle.unsafe.configuration-cache=true//g' gradle.properties
+          ./gradlew zipRelease
+          ./gradlew zipDebug
+
+      - name: Prepare artifact
+        if: success()
+        id: prepareArtifact
+        run: |
+          releaseName=`ls module/build/outputs/release/Zygisk-on-KernelSU-v*-release.zip | awk -F '(/|.zip)' '{print $5}'` && echo "releaseName=$releaseName" >> $GITHUB_OUTPUT
+          debugName=`ls module/build/outputs/release/Zygisk-on-KernelSU-v*-debug.zip | awk -F '(/|.zip)' '{print $5}'` && echo "debugName=$debugName" >> $GITHUB_OUTPUT
+          unzip module/build/outputs/release/Zygisk-on-KernelSU-v*-release.zip -d zksu-release
+          unzip module/build/outputs/release/Zygisk-on-KernelSU-v*-debug.zip -d zksu-debug
+
+      - name: Upload release
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ steps.prepareArtifact.outputs.releaseName }}
+          path: "./zksu-release/*"
+
+      - name: Upload debug
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ steps.prepareArtifact.outputs.debugName }}
+          path: "./zksu-debug/*"

.github/workflows/issue_moderator.yml

@@ -0,0 +1,23 @@
+name: Issue moderator
+
+on:
+  issues:
+    types: [opened, edited, reopened]
+
+jobs:
+  autoclose:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check issue
+        uses: tachiyomiorg/issue-moderator-action@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          auto-close-rules: |
+            [
+              {
+                "type": "title",
+                "regex": ".*(Short description|简单描述).*",
+                "message": "You did not fill out the description in the title/你没有填写标题"
+              }
+            ]
+          auto-close-ignore-label: do-not-autoclose

.gitmodules

@@ -1,6 +1,6 @@
-[submodule "loader/src/external/liblsplt"]
-	path = loader/src/external/liblsplt
-	url = https://github.com/LSPosed/LSPlt
+[submodule "loader/src/external/lsplt"]
+	path = loader/src/external/lsplt
+	url = https://github.com/LSPosed/lsplt
 [submodule "loader/src/external/parallel-hashmap"]
 	path = loader/src/external/parallel-hashmap
 	url = https://github.com/greg7mdp/parallel-hashmap

README.md

@@ -2,7 +2,7 @@
 
 Zygisk loader for KernelSU, allowing Zygisk modules to run without Magisk environment.
 
-Also works as standalone loader for Magisk on purpose of getting rid of LD_PRELOAD.
+Also works as standalone loader for Magisk.
 
 ## Requirements
 
@@ -12,12 +12,9 @@ Also works as standalone loader for Magisk on purpose of getting rid of LD_PRELO
 
 ### KernelSU
 
-+ Minimal KernelSU version: 10654
-+ Minimal ksud version: 10647
++ Minimal KernelSU version: 10940
++ Minimal ksud version: 10942
 + Kernel has full SELinux patch support
-+ For old kernels, you may need to manually add the following code to `sepolicy.rule`:  
-  `allow zygote appdomain_tmpfs file *`  
-  `allow zygote appdomain_tmpfs dir *`
 
 ### Magisk
 

build.gradle.kts

@@ -31,10 +31,10 @@ val gitCommitHash = "git rev-parse --verify --short HEAD".execute()
 
 val moduleId by extra("zygisksu")
 val moduleName by extra("Zygisk on KernelSU")
-val verName by extra("v4-0.6.0")
+val verName by extra("v4-0.7.0")
 val verCode by extra(gitCommitCount)
-val minKsuVersion by extra(10654)
-val minKsudVersion by extra(10647)
+val minKsuVersion by extra(10940)
+val minKsudVersion by extra(10942)
 val maxKsuVersion by extra(20000)
 val minMagiskVersion by extra(25208)
 

gradle.properties

@@ -20,4 +20,4 @@ kotlin.code.style=official
 # Enables namespacing of each library's R class so that its R class includes only the
 # resources declared in the library itself and none from the library's dependencies,
 # thereby reducing the size of the R class for that library
-android.nonTransitiveRClass=true
+android.nonTransitiveRClass=true

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.1-bin.zip
 distributionPath=wrapper/dists
 zipStorePath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME

loader/build.gradle.kts

@@ -1,7 +1,26 @@
+import java.nio.file.Paths
+import org.gradle.internal.os.OperatingSystem
+
 plugins {
     id("com.android.library")
 }
 
+fun Project.findInPath(executable: String, property: String): String? {
+    val pathEnv = System.getenv("PATH")
+    return pathEnv.split(File.pathSeparator).map { folder ->
+        Paths.get("${folder}${File.separator}${executable}${if (OperatingSystem.current().isWindows) ".exe" else ""}")
+            .toFile()
+    }.firstOrNull { path ->
+        path.exists()
+    }?.absolutePath ?: properties.getOrDefault(property, null) as? String?
+}
+
+val ccachePatch by lazy {
+    project.findInPath("ccache", "ccache.path")?.also {
+        println("loader: Use ccache: $it")
+    }
+}
+
 android {
     buildFeatures {
         androidResources = false
@@ -12,6 +31,16 @@ android {
     externalNativeBuild.ndkBuild {
         path("src/Android.mk")
     }
+
+    defaultConfig {
+        externalNativeBuild {
+            ndkBuild {
+                ccachePatch?.let {
+                    arguments += "NDK_CCACHE=$it"
+                }
+            }
+        }
+    }
 }
 
 dependencies {

loader/src/common/daemon.cpp

@@ -8,19 +8,37 @@
 
 namespace zygiskd {
 
+    bool sMagicRead = false;
+    static std::string sSocketName;
+
+    void ReadMagic() {
+        sMagicRead = true;
+        char magic[PATH_MAX]{0};
+        auto fp = fopen(kZygiskMagic, "r");
+        if (fp == nullptr) {
+            PLOGE("Open magic file");
+            return;
+        }
+        fgets(magic, PATH_MAX, fp);
+        fclose(fp);
+        sSocketName.append(LP_SELECT("zygiskd32", "zygiskd64")).append(magic);
+        LOGD("Socket name: %s", sSocketName.data());
+    }
+
     int Connect(uint8_t retry) {
+        if (!sMagicRead) ReadMagic();
         int fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
         struct sockaddr_un addr{
                 .sun_family = AF_UNIX,
                 .sun_path={0},
         };
-        strncpy(addr.sun_path + 1, kZygiskSocket.data(), kZygiskSocket.size());
+        strcpy(addr.sun_path + 1, sSocketName.data());
         socklen_t socklen = sizeof(sa_family_t) + strlen(addr.sun_path + 1) + 1;
 
         while (retry--) {
             int r = connect(fd, reinterpret_cast<struct sockaddr*>(&addr), socklen);
             if (r == 0) return fd;
-            LOGW("retrying to connect to zygiskd, sleep 1s");
+            LOGW("Retrying to connect to zygiskd, sleep 1s");
             sleep(1);
         }
 
@@ -97,6 +115,7 @@ namespace zygiskd {
         if (socket_utils::read_u8(fd) == 1) {
             return fd;
         } else {
+            close(fd);
             return -1;
         }
     }

loader/src/common/dl.cpp

@@ -44,8 +44,17 @@ void* DlopenExt(const char* path, int flags) {
     return handle;
 }
 
-void* DlopenMem(int memfd, int flags) {
-    char path[PATH_MAX];
-    sprintf(path, "/proc/self/fd/%d", memfd);
-    return DlopenExt(path, flags);
+void* DlopenMem(int fd, int flags) {
+    auto info = android_dlextinfo{
+        .flags = ANDROID_DLEXT_USE_LIBRARY_FD,
+        .library_fd = fd
+    };
+
+    auto* handle = android_dlopen_ext("/jit-cache", flags, &info);
+    if (handle) {
+        LOGD("dlopen fd %d: %p", fd, handle);
+    } else {
+        LOGE("dlopen fd %d: %s", fd, dlerror());
+    }
+    return handle;
 }

loader/src/external/Android.mk

@@ -3,18 +3,19 @@ LOCAL_PATH := $(call my-dir)
 # liblsplt.a
 include $(CLEAR_VARS)
 LOCAL_MODULE:= liblsplt
-LOCAL_C_INCLUDES := $(LOCAL_PATH)/liblsplt/lsplt/src/main/jni/include
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/lsplt/lsplt/src/main/jni/include
 LOCAL_EXPORT_C_INCLUDES := $(LOCAL_C_INCLUDES)
-LOCAL_CFLAGS := -Wall -Wextra -Werror -fvisibility=hidden
+LOCAL_CFLAGS := -Wall -Wextra -Werror -fvisibility=hidden -DLOG_DISABLED
 LOCAL_CPPFLAGS := -std=c++20
 LOCAL_STATIC_LIBRARIES := libcxx
 LOCAL_SRC_FILES := \
-	liblsplt/lsplt/src/main/jni/elf_util.cc \
-	liblsplt/lsplt/src/main/jni/lsplt.cc
+    lsplt/lsplt/src/main/jni/elf_util.cc \
+    lsplt/lsplt/src/main/jni/lsplt.cc
 include $(BUILD_STATIC_LIBRARY)
 
 # Header only library
 include $(CLEAR_VARS)
 LOCAL_MODULE:= libphmap
+LOCAL_CFLAGS := -Wno-unused-value
 LOCAL_EXPORT_C_INCLUDES := $(LOCAL_PATH)/parallel-hashmap
 include $(BUILD_STATIC_LIBRARY)

loader/src/include/api.hpp

@@ -26,14 +26,40 @@
 #define ZYGISK_API_VERSION 4
 
 /*
+
+***************
+* Introduction
+***************
+
+On Android, all app processes are forked from a special daemon called "Zygote".
+For each new app process, zygote will fork a new process and perform "specialization".
+This specialization operation enforces the Android security sandbox on the newly forked
+process to make sure that 3rd party application code is only loaded after it is being
+restricted within a sandbox.
+
+On Android, there is also this special process called "system_server". This single
+process hosts a significant portion of system services, which controls how the
+Android operating system and apps interact with each other.
+
+The Zygisk framework provides a way to allow developers to build modules and run custom
+code before and after system_server and any app processes' specialization.
+This enable developers to inject code and alter the behavior of system_server and app processes.
+
+Please note that modules will only be loaded after zygote has forked the child process.
+THIS MEANS ALL OF YOUR CODE RUNS IN THE APP/SYSTEM_SERVER PROCESS, NOT THE ZYGOTE DAEMON!
+
+*********************
+* Development Guide
+*********************
+
 Define a class and inherit zygisk::ModuleBase to implement the functionality of your module.
 Use the macro REGISTER_ZYGISK_MODULE(className) to register that class to Zygisk.
-Please note that modules will only be loaded after zygote has forked the child process.
-THIS MEANS ALL OF YOUR CODE RUNS IN THE APP/SYSTEM SERVER PROCESS, NOT THE ZYGOTE DAEMON!
+
 Example code:
+
 static jint (*orig_logger_entry_max)(JNIEnv *env);
 static jint my_logger_entry_max(JNIEnv *env) { return orig_logger_entry_max(env); }
-static void example_handler(int socket) { ... }
+
 class ExampleModule : public zygisk::ModuleBase {
 public:
     void onLoad(zygisk::Api *api, JNIEnv *env) override {
@@ -51,8 +77,26 @@ private:
     zygisk::Api *api;
     JNIEnv *env;
 };
+
 REGISTER_ZYGISK_MODULE(ExampleModule)
+
+-----------------------------------------------------------------------------------------
+
+Since your module class's code runs with either Zygote's privilege in pre[XXX]Specialize,
+or runs in the sandbox of the target process in post[XXX]Specialize, the code in your class
+never runs in a true superuser environment.
+
+If your module require access to superuser permissions, you can create and register
+a root companion handler function. This function runs in a separate root companion
+daemon process, and an Unix domain socket is provided to allow you to perform IPC between
+your target process and the root companion process.
+
+Example code:
+
+static void example_handler(int socket) { ... }
+
 REGISTER_ZYGISK_COMPANION(example_handler)
+
 */
 
 namespace zygisk {
@@ -84,7 +128,7 @@ namespace zygisk {
 
         // This method is called after the app process is specialized.
         // At this point, the process has all sandbox restrictions enabled for this application.
-        // This means that this method runs as the same privilege of the app's own code.
+        // This means that this method runs with the same privilege of the app's own code.
         virtual void postAppSpecialize([[maybe_unused]] const AppSpecializeArgs *args) {}
 
         // This method is called before the system server process is specialized.
@@ -219,7 +263,16 @@ namespace zygisk {
         // will be set to nullptr.
         void hookJniNativeMethods(JNIEnv *env, const char *className, JNINativeMethod *methods, int numMethods);
 
-        // For ELFs loaded in memory matching `inode`, replace function `symbol` with `newFunc`.
+        // Hook functions in the PLT (Procedure Linkage Table) of ELFs loaded in memory.
+        //
+        // Parsing /proc/[PID]/maps will give you the memory map of a process. As an example:
+        //
+        //       <address>       <perms>  <offset>   <dev>  <inode>           <pathname>
+        // 56b4346000-56b4347000  r-xp    00002000   fe:00    235       /system/bin/app_process64
+        // (More details: https://man7.org/linux/man-pages/man5/proc.5.html)
+        //
+        // The `dev` and `inode` pair uniquely identifies a file being mapped into memory.
+        // For matching ELFs loaded in memory, replace function `symbol` with `newFunc`.
         // If `oldFunc` is not nullptr, the original function pointer will be saved to `oldFunc`.
         void pltHookRegister(dev_t dev, ino_t inode, const char *symbol, void *newFunc, void **oldFunc);
 
@@ -243,11 +296,11 @@ void zygisk_module_entry(zygisk::internal::api_table *table, JNIEnv *env) { \
 //
 // The function runs in a superuser daemon process and handles a root companion request from
 // your module running in a target process. The function has to accept an integer value,
-// which is a socket that is connected to the target process.
+// which is a Unix domain socket that is connected to the target process.
 // See Api::connectCompanion() for more info.
 //
 // NOTE: the function can run concurrently on multiple threads.
-// Be aware of race conditions if you have a globally shared resource.
+// Be aware of race conditions if you have globally shared resources.
 
 #define REGISTER_ZYGISK_COMPANION(func) \
 void zygisk_companion_entry(int client) { func(client); }

loader/src/include/daemon.h

@@ -10,7 +10,8 @@
 #else
 # define LP_SELECT(lp32, lp64) lp32
 #endif
-constexpr std::string_view kZygiskSocket = LP_SELECT("zygiskd32", "zygiskd64") "socket_placeholder";
+
+constexpr auto kZygiskMagic = "/system/zygisk_magic";
 
 class UniqueFd {
     using Fd = int;
@@ -19,7 +20,7 @@ public:
 
     UniqueFd(Fd fd) : fd_(fd) {}
 
-    ~UniqueFd() { close(fd_); }
+    ~UniqueFd() { if (fd_ >= 0) close(fd_); }
 
     // Disallow copy
     UniqueFd(const UniqueFd&) = delete;

loader/src/injector/hook.cpp

@@ -331,6 +331,7 @@ bool ZygiskModule::RegisterModuleImpl(ApiTable *api, long *module) {
         api->v2.getFlags = [](auto) { return ZygiskModule::getFlags(); };
     }
     if (api_version >= 4) {
+        api->v4.pltHookCommit = lsplt::CommitHook;
         api->v4.pltHookRegister = [](dev_t dev, ino_t inode, const char *symbol, void *fn, void **backup) {
             if (dev == 0 || inode == 0 || symbol == nullptr || fn == nullptr)
                 return;

loader/src/injector/unmount.cpp

@@ -9,13 +9,9 @@
 using namespace std::string_view_literals;
 
 namespace {
-    constexpr auto KSU_MODULE_DIR = "/data/adb/ksu/modules";
-
-    struct overlay_backup {
-        std::string target;
-        std::string vfs_option;
-        std::string fs_option;
-    };
+    constexpr auto MODULE_DIR = "/data/adb/modules";
+    constexpr auto KSU_OVERLAY_SOURCE = "KSU";
+    const std::vector<std::string> KSU_PARTITIONS{"/system", "/vendor", "/product", "/system_ext", "/odm", "/oem"};
 
     void lazy_unmount(const char* mountpoint) {
         if (umount2(mountpoint, MNT_DETACH) != -1) {
@@ -26,22 +22,15 @@ namespace {
     }
 }
 
-#define PARSE_OPT(name, flag)   \
-    if (opt == (name)) {        \
-        flags |= (flag);        \
-        return true;            \
-    }
-
 void revert_unmount_ksu() {
     std::string ksu_loop;
     std::vector<std::string> targets;
-    std::list<overlay_backup> backups;
 
     // Unmount ksu module dir last
-    targets.emplace_back(KSU_MODULE_DIR);
+    targets.emplace_back(MODULE_DIR);
 
     for (auto& info: parse_mount_info("self")) {
-        if (info.target == KSU_MODULE_DIR) {
+        if (info.target == MODULE_DIR) {
             ksu_loop = info.source;
             continue;
         }
@@ -50,23 +39,15 @@ void revert_unmount_ksu() {
             targets.emplace_back(info.target);
         }
         // Unmount ksu overlays
-        if (info.type == "overlay") {
-            LOGV("Overlay: %s (%s)", info.target.data(), info.fs_option.data());
-            if (str_contains(info.fs_option, KSU_MODULE_DIR)) {
-                targets.emplace_back(info.target);
-            } else {
-                auto backup = overlay_backup{
-                        .target = info.target,
-                        .vfs_option = info.vfs_option,
-                        .fs_option = info.fs_option,
-                };
-                backups.emplace_back(backup);
-            }
+        if (info.type == "overlay"
+            && info.source == KSU_OVERLAY_SOURCE
+            && std::find(KSU_PARTITIONS.begin(), KSU_PARTITIONS.end(), info.target) != KSU_PARTITIONS.end()) {
+            targets.emplace_back(info.target);
         }
     }
     for (auto& info: parse_mount_info("self")) {
         // Unmount everything from ksu loop except ksu module dir
-        if (info.source == ksu_loop && info.target != KSU_MODULE_DIR) {
+        if (info.source == ksu_loop && info.target != MODULE_DIR) {
             targets.emplace_back(info.target);
         }
     }
@@ -75,34 +56,6 @@ void revert_unmount_ksu() {
     for (auto& s: reversed(targets)) {
         lazy_unmount(s.data());
     }
-
-    // Affirm unmounted system overlays
-    for (auto& info: parse_mount_info("self")) {
-        if (info.type == "overlay") {
-            backups.remove_if([&](overlay_backup& mnt) {
-                return mnt.target == info.target && mnt.fs_option == info.fs_option;
-            });
-        }
-    }
-
-    // Restore system overlays
-    for (auto& mnt: backups) {
-        auto opts = split_str(mnt.vfs_option, ",");
-        opts.splice(opts.end(), split_str(mnt.fs_option, ","));
-        unsigned long flags = 0;
-        opts.remove_if([&](auto& opt) {
-            PARSE_OPT(MNTOPT_RO, MS_RDONLY)
-            PARSE_OPT(MNTOPT_NOSUID, MS_NOSUID)
-            PARSE_OPT("relatime", MS_RELATIME)
-            return false;
-        });
-        auto mnt_data = join_str(opts, ",");
-        if (mount("overlay", mnt.target.data(), "overlay", flags, mnt_data.data()) != -1) {
-            LOGD("Remounted (%s)", mnt.target.data());
-        } else {
-            PLOGE("Remount (%s, %s)", mnt.target.data(), mnt.fs_option.data());
-        }
-    }
 }
 
 void revert_unmount_magisk() {

module/build.gradle.kts

@@ -46,7 +46,7 @@ androidComponents.onVariants { variant ->
             expand(
                 "moduleId" to moduleId,
                 "moduleName" to moduleName,
-                "versionName" to "$verName ($verCode)",
+                "versionName" to "$verName ($verCode-$variantLowered)",
                 "versionCode" to verCode,
             )
         }

module/src/customize.sh

@@ -80,6 +80,11 @@ extract "$ZIPFILE" 'customize.sh'  "$TMPDIR/.vunzip"
 extract "$ZIPFILE" 'verify.sh'     "$TMPDIR/.vunzip"
 extract "$ZIPFILE" 'sepolicy.rule' "$TMPDIR"
 
+if [ "$DEBUG" = true ]; then
+  ui_print "- Add debug SELinux policy"
+  echo "allow crash_dump adb_data_file dir search" >> "$TMPDIR/sepolicy.rule"
+fi
+
 if [ "$KSU" ]; then
   ui_print "- Checking SELinux patches"
   if ! check_sepolicy "$TMPDIR/sepolicy.rule"; then
@@ -93,8 +98,8 @@ fi
 ui_print "- Extracting module files"
 extract "$ZIPFILE" 'module.prop'     "$MODPATH"
 extract "$ZIPFILE" 'post-fs-data.sh' "$MODPATH"
-extract "$ZIPFILE" 'sepolicy.rule'   "$MODPATH"
 extract "$ZIPFILE" 'service.sh'      "$MODPATH"
+mv "$TMPDIR/sepolicy.rule" "$MODPATH"
 
 HAS32BIT=false && [ -d "/system/lib" ] && HAS32BIT=true
 HAS64BIT=false && [ -d "/system/lib64" ] && HAS64BIT=true
@@ -142,20 +147,9 @@ else
   fi
 fi
 
-if [ $DEBUG = false ]; then
-  ui_print "- Hex patching"
-  SOCKET_PATCH=$(tr -dc 'a-f0-9' </dev/urandom | head -c 18)
-  if [ "$HAS32BIT" = true ]; then
-    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/bin/zygiskd32"
-    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib/libzygisk_injector.so"
-    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib/libzygisk_loader.so"
-  fi
-  if [ "$HAS64BIT" = true ]; then
-    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/bin/zygiskd64"
-    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib64/libzygisk_injector.so"
-    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib64/libzygisk_loader.so"
-  fi
-fi
+ui_print "- Generating magic"
+MAGIC=$(tr -dc 'a-f0-9' </dev/urandom | head -c 18)
+echo -n "$MAGIC" > "$MODPATH/system/zygisk_magic"
 
 ui_print "- Setting permissions"
 chmod 0744 "$MODPATH/daemon.sh"

module/src/post-fs-data.sh

@@ -9,7 +9,7 @@ cd "$MODDIR"
 getprop ro.dalvik.vm.native.bridge > /dev/.native_bridge
 resetprop ro.dalvik.vm.native.bridge libzygisk_loader.so
 
-if [ "$(which magisk)" ] && [ ".." -ef "/data/adb/modules" ]; then
+if [ "$(which magisk)" ]; then
   for file in ../*; do
     if [ -d "$file" ] && [ -d "$file/zygisk" ] && ! [ -f "$file/disable" ]; then
       if [ -f "$file/post-fs-data.sh" ]; then

module/src/sepolicy.rule

@@ -1,4 +1,6 @@
 allow * tmpfs * *
+allow zygote appdomain_tmpfs dir *
+allow zygote appdomain_tmpfs file *
 
 type magisk_file file_type
 typeattribute magisk_file mlstrustedobject
@@ -10,6 +12,8 @@ allow * magisk_file lnk_file *
 allow * magisk_file sock_file *
 
 allow system_server system_server process execmem
+allow zygote adb_data_file dir search
 allow zygote mnt_vendor_file dir search
 allow zygote system_file dir mounton
 allow zygote labeledfs filesystem mount
+allow zygote fs_type filesystem unmount

module/src/service.sh

@@ -11,7 +11,7 @@ cd "$MODDIR"
 export NATIVE_BRIDGE=$(cat /dev/.native_bridge)
 rm /dev/.native_bridge
 
-if [ "$(which magisk)" ] && [ ".." -ef "/data/adb/modules" ]; then
+if [ "$(which magisk)" ]; then
   for file in ../*; do
     if [ -d "$file" ] && [ -d "$file/zygisk" ] && ! [ -f "$file/disable" ]; then
       if [ -f "$file/service.sh" ]; then

settings.gradle.kts

@@ -7,8 +7,8 @@ pluginManagement {
         gradlePluginPortal()
     }
     plugins {
-        id("com.android.library") version "7.4.1"
-        id("com.android.application") version "7.4.1"
+        id("com.android.library") version "7.4.2"
+        id("com.android.application") version "7.4.2"
     }
 }
 

zygiskd/Cargo.toml

@@ -3,22 +3,25 @@ name = "zygiskd"
 authors = ["Nullptr"]
 version = "1.0.0"
 edition = "2021"
-rust-version = "1.67"
+rust-version = "1.69"
 
 [dependencies]
-android_logger = "0.13.0"
-anyhow = { version = "1.0.68", features = ["backtrace"] }
-clap = { version = "4.1.4", features = ["derive"] }
-const_format = "0.2.5"
-konst = "0.3.4"
-lazy_static = "1.4.0"
-log = "0.4.17"
-memfd = "0.6.2"
-nix = "0.26.2"
-num_enum = "0.5.9"
-once_cell = "1.17.1"
-passfd = "0.1.5"
-rand = "0.8.5"
+android_logger = "0.13"
+anyhow = { version = "1.0", features = ["backtrace"] }
+bitflags = { version = "2.3" }
+clap = { version = "4", features = ["derive"] }
+const_format = "0.2"
+futures = "0.3"
+konst = "0.3"
+lazy_static = "1.4"
+log = "0.4"
+memfd = "0.6"
+nix = { version = "0.26", features = ["process","poll"] }
+num_enum = "0.5"
+once_cell = "1.17"
+passfd = "0.1"
+rand = "0.8"
+tokio = { version = "1.28", features = ["full"] }
 
 binder = { git = "https://github.com/Kernel-SU/binder_rs" }
 

zygiskd/src/companion.rs

@@ -1,61 +0,0 @@
-use std::ffi::c_void;
-use std::os::fd::{FromRawFd, RawFd};
-use std::os::unix::net::UnixStream;
-use std::thread;
-use anyhow::Result;
-use nix::libc;
-use passfd::FdPassingExt;
-use crate::utils::UnixStreamExt;
-use crate::dl;
-
-type ZygiskCompanionEntryFn = unsafe extern "C" fn(i32);
-
-pub fn entry(fd: i32) -> Result<()> {
-    unsafe { libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGKILL) };
-    let mut stream = unsafe { UnixStream::from_raw_fd(fd) };
-    let name = stream.read_string()?;
-    let library = stream.recv_fd()?;
-    let entry = load_module(library)?;
-    unsafe { libc::close(library) };
-
-    let entry = match entry {
-        Some(entry) => {
-            log::debug!("Companion process created for `{name}`");
-            stream.write_u8(1)?;
-            entry
-        }
-        None => {
-            log::debug!("No companion entry for `{name}`");
-            stream.write_u8(0)?;
-            return Ok(());
-        }
-    };
-
-    loop {
-        let fd = stream.recv_fd()?;
-        log::trace!("New companion request from module `{name}`");
-        thread::spawn(move || {
-            unsafe {
-                let mut s = UnixStream::from_raw_fd(fd);
-                match s.write_u8(1) { // Ack
-                    Ok(_) => entry(fd),
-                    Err(_) => log::warn!("Ack failed?"),
-                }
-            };
-        });
-    }
-}
-
-fn load_module(fd: RawFd) -> Result<Option<ZygiskCompanionEntryFn>> {
-    unsafe {
-        let path = format!("/proc/self/fd/{fd}");
-        let handle = dl::dlopen(&path, libc::RTLD_NOW)?;
-        let symbol = std::ffi::CString::new("zygisk_companion_entry")?;
-        let entry = libc::dlsym(handle, symbol.as_ptr());
-        if entry.is_null() {
-            return Ok(None);
-        }
-        let fnptr = std::mem::transmute::<*mut c_void, ZygiskCompanionEntryFn>(entry);
-        Ok(Some(fnptr))
-    }
-}

zygiskd/src/constants.rs

@@ -1,3 +1,4 @@
+use bitflags::bitflags;
 use const_format::concatcp;
 use konst::primitive::parse_i32;
 use konst::unwrap_ctx;
@@ -19,15 +20,12 @@ pub const MAX_LOG_LEVEL: LevelFilter = LevelFilter::Info;
 pub const PROP_NATIVE_BRIDGE: &str = "ro.dalvik.vm.native.bridge";
 pub const PROP_CTL_RESTART: &str = "ctl.restart";
 pub const ZYGISK_LOADER: &str = "libzygisk_loader.so";
-
-pub const SOCKET_PLACEHOLDER: &str = "socket_placeholder";
+pub const ZYGISK_MAGIC: &str = "/system/zygisk_magic";
 
 pub const PATH_MODULES_DIR: &str = "..";
 pub const PATH_MODULE_PROP: &str = "module.prop";
 pub const PATH_ZYGISKD32: &str = "bin/zygiskd32";
 pub const PATH_ZYGISKD64: &str = "bin/zygiskd64";
-pub const PATH_TMP_DIR: &str = concatcp!("/dev/", SOCKET_PLACEHOLDER);
-pub const PATH_TMP_PROP: &str = concatcp!("/dev/", SOCKET_PLACEHOLDER, "/module.prop");
 
 pub const STATUS_LOADED: &str = "😋 Zygisksu is loaded";
 pub const STATUS_CRASHED: &str = "❌ Zygiskd has crashed";
@@ -49,8 +47,13 @@ pub enum DaemonSocketAction {
 }
 
 // Zygisk process flags
-pub const PROCESS_GRANTED_ROOT: u32 = 1 << 0;
-pub const PROCESS_ON_DENYLIST: u32 = 1 << 1;
-pub const PROCESS_ROOT_IS_KSU: u32 = 1 << 29;
-pub const PROCESS_ROOT_IS_MAGISK: u32 = 1 << 30;
-pub const PROCESS_IS_SYSUI: u32 = 1 << 31;
+bitflags! {
+    #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
+    pub struct ProcessFlags: u32 {
+        const PROCESS_GRANTED_ROOT = 1 << 0;
+        const PROCESS_ON_DENYLIST = 1 << 1;
+        const PROCESS_ROOT_IS_KSU = 1 << 29;
+        const PROCESS_ROOT_IS_MAGISK = 1 << 30;
+        const PROCESS_IS_SYSUI = 1 << 31;
+    }
+}

zygiskd/src/magic.rs

@@ -0,0 +1,19 @@
+use std::fs;
+use anyhow::Result;
+use crate::constants;
+use crate::utils::LateInit;
+
+pub static MAGIC: LateInit<String> = LateInit::new();
+pub static PATH_TMP_DIR: LateInit<String> = LateInit::new();
+pub static PATH_TMP_PROP: LateInit<String> = LateInit::new();
+
+pub fn setup() -> Result<()> {
+    let name = fs::read_to_string(constants::ZYGISK_MAGIC)?;
+    let path_tmp_dir = format!("/dev/{}", name);
+    let path_tmp_prop = format!("{}/module.prop", path_tmp_dir);
+
+    MAGIC.init(name);
+    PATH_TMP_DIR.init(path_tmp_dir);
+    PATH_TMP_PROP.init(path_tmp_prop);
+    Ok(())
+}

zygiskd/src/main.rs

@@ -1,8 +1,8 @@
 #![allow(dead_code)]
 
-mod companion;
 mod constants;
 mod dl;
+mod magic;
 mod root_impl;
 mod utils;
 mod watchdog;
@@ -24,8 +24,6 @@ enum Commands {
     Watchdog,
     /// Start zygisk daemon
     Daemon,
-    /// Start zygisk companion
-    Companion { fd: i32 },
 }
 
 
@@ -37,23 +35,24 @@ fn init_android_logger(tag: &str) {
     );
 }
 
-fn start() -> Result<()> {
+async fn start() -> Result<()> {
     root_impl::setup();
+    magic::setup()?;
     let cli = Args::parse();
     match cli.command {
-        Commands::Watchdog => watchdog::entry()?,
+        Commands::Watchdog => watchdog::entry().await?,
         Commands::Daemon => zygiskd::entry()?,
-        Commands::Companion { fd } => companion::entry(fd)?,
     };
     Ok(())
 }
 
-fn main() {
+#[tokio::main]
+async fn main() {
     let process = std::env::args().next().unwrap();
     let nice_name = process.split('/').last().unwrap();
     init_android_logger(nice_name);
 
-    if let Err(e) = start() {
+    if let Err(e) = start().await {
         log::error!("Crashed: {}\n{}", e, e.backtrace());
     }
 }

zygiskd/src/root_impl/kernelsu.rs

@@ -4,8 +4,8 @@ use crate::constants::{MIN_KSU_VERSION, MAX_KSU_VERSION};
 const KERNEL_SU_OPTION: i32 = 0xdeadbeefu32 as i32;
 
 const CMD_GET_VERSION: usize = 2;
-const CMD_GET_ALLOW_LIST: usize = 5;
-const CMD_GET_DENY_LIST: usize = 6;
+const CMD_UID_GRANTED_ROOT: usize = 12;
+const CMD_UID_SHOULD_UMOUNT: usize = 13;
 
 pub enum Version {
     Supported,
@@ -24,18 +24,14 @@ pub fn get_kernel_su() -> Option<Version> {
     }
 }
 
-pub fn uid_on_allowlist(uid: i32) -> bool {
-    let mut size = 1024u32;
-    let mut uids = vec![0; size as usize];
-    unsafe { prctl(KERNEL_SU_OPTION, CMD_GET_ALLOW_LIST, uids.as_mut_ptr(), &mut size as *mut u32) };
-    uids.resize(size as usize, 0);
-    uids.contains(&uid)
+pub fn uid_granted_root(uid: i32) -> bool {
+    let mut granted = false;
+    unsafe { prctl(KERNEL_SU_OPTION, CMD_UID_GRANTED_ROOT, uid, &mut granted as *mut bool) };
+    granted
 }
 
-pub fn uid_on_denylist(uid: i32) -> bool {
-    let mut size = 1024u32;
-    let mut uids = vec![0; size as usize];
-    unsafe { prctl(KERNEL_SU_OPTION, CMD_GET_DENY_LIST, uids.as_mut_ptr(), &mut size as *mut u32) };
-    uids.resize(size as usize, 0);
-    uids.contains(&uid)
+pub fn uid_should_umount(uid: i32) -> bool {
+    let mut umount = false;
+    unsafe { prctl(KERNEL_SU_OPTION, CMD_UID_SHOULD_UMOUNT, uid, &mut umount as *mut bool) };
+    umount
 }

zygiskd/src/root_impl/magisk.rs

@@ -23,7 +23,7 @@ pub fn get_magisk() -> Option<Version> {
     })
 }
 
-pub fn uid_on_allowlist(uid: i32) -> bool {
+pub fn uid_granted_root(uid: i32) -> bool {
     let output: Option<String> = Command::new("magisk")
         .arg("--sqlite")
         .arg("select uid from policies where policy=2")
@@ -40,7 +40,7 @@ pub fn uid_on_allowlist(uid: i32) -> bool {
     })
 }
 
-pub fn uid_on_denylist(uid: i32) -> bool {
-    // TODO: uid_on_denylist
+pub fn uid_should_umount(uid: i32) -> bool {
+    // TODO: uid_should_umount
     return false;
 }

zygiskd/src/root_impl/mod.rs

@@ -1,8 +1,6 @@
 mod kernelsu;
 mod magisk;
 
-use once_cell::sync::OnceCell;
-
 pub enum RootImpl {
     None,
     TooOld,
@@ -12,49 +10,49 @@ pub enum RootImpl {
     Magisk,
 }
 
-static ROOT_IMPL: OnceCell<RootImpl> = OnceCell::new();
+// FIXME: OnceCell bugs on 32 bit
+static mut ROOT_IMPL: RootImpl = RootImpl::None;
 
 pub fn setup() {
     let ksu_version = kernelsu::get_kernel_su();
     let magisk_version = magisk::get_magisk();
 
-    let _ = match (ksu_version, magisk_version) {
-        (None, None) => ROOT_IMPL.set(RootImpl::None),
-        (Some(_), Some(_)) => ROOT_IMPL.set(RootImpl::Multiple),
+    let impl_ = match (ksu_version, magisk_version) {
+        (None, None) => RootImpl::None,
+        (Some(_), Some(_)) => RootImpl::Multiple,
         (Some(ksu_version), None) => {
-            let val = match ksu_version {
+            match ksu_version {
                 kernelsu::Version::Supported => RootImpl::KernelSU,
                 kernelsu::Version::TooOld => RootImpl::TooOld,
                 kernelsu::Version::Abnormal => RootImpl::Abnormal,
-            };
-            ROOT_IMPL.set(val)
+            }
         }
         (None, Some(magisk_version)) => {
-            let val = match magisk_version {
+            match magisk_version {
                 magisk::Version::Supported => RootImpl::Magisk,
                 magisk::Version::TooOld => RootImpl::TooOld,
-            };
-            ROOT_IMPL.set(val)
+            }
         }
     };
+    unsafe { ROOT_IMPL = impl_; }
 }
 
 pub fn get_impl() -> &'static RootImpl {
-    ROOT_IMPL.get().unwrap()
+    unsafe { &ROOT_IMPL }
 }
 
-pub fn uid_on_allowlist(uid: i32) -> bool {
-    match ROOT_IMPL.get().unwrap() {
-        RootImpl::KernelSU => kernelsu::uid_on_allowlist(uid),
-        RootImpl::Magisk => magisk::uid_on_allowlist(uid),
+pub fn uid_granted_root(uid: i32) -> bool {
+    match get_impl() {
+        RootImpl::KernelSU => kernelsu::uid_granted_root(uid),
+        RootImpl::Magisk => magisk::uid_granted_root(uid),
         _ => unreachable!(),
     }
 }
 
-pub fn uid_on_denylist(uid: i32) -> bool {
-    match ROOT_IMPL.get().unwrap() {
-        RootImpl::KernelSU => kernelsu::uid_on_denylist(uid),
-        RootImpl::Magisk => magisk::uid_on_denylist(uid),
+pub fn uid_should_umount(uid: i32) -> bool {
+    match get_impl() {
+        RootImpl::KernelSU => kernelsu::uid_should_umount(uid),
+        RootImpl::Magisk => magisk::uid_should_umount(uid),
         _ => unreachable!(),
     }
 }

zygiskd/src/utils.rs

@@ -5,6 +5,7 @@ use std::ffi::c_char;
 use std::os::fd::FromRawFd;
 use std::os::unix::net::UnixListener;
 use nix::sys::socket::{AddressFamily, SockFlag, SockType, UnixAddr};
+use once_cell::sync::OnceCell;
 use rand::distributions::{Alphanumeric, DistString};
 
 #[cfg(target_pointer_width = "64")]
@@ -18,6 +19,38 @@ macro_rules! lp_select {
     ($lp32:expr, $lp64:expr) => { $lp32 };
 }
 
+#[cfg(debug_assertions)]
+#[macro_export]
+macro_rules! debug_select {
+    ($debug:expr, $release:expr) => { $debug };
+}
+#[cfg(not(debug_assertions))]
+#[macro_export]
+macro_rules! debug_select {
+    ($debug:expr, $release:expr) => { $release };
+}
+
+pub struct LateInit<T> {
+    cell: OnceCell<T>,
+}
+
+impl<T> LateInit<T> {
+    pub const fn new() -> Self {
+        LateInit { cell: OnceCell::new() }
+    }
+
+    pub fn init(&self, value: T) {
+        assert!(self.cell.set(value).is_ok())
+    }
+}
+
+impl<T> std::ops::Deref for LateInit<T> {
+    type Target = T;
+    fn deref(&self) -> &T {
+        self.cell.get().unwrap()
+    }
+}
+
 pub fn random_string() -> String {
     Alphanumeric.sample_string(&mut rand::thread_rng(), 8)
 }

zygiskd/src/watchdog.rs

@@ -1,33 +1,36 @@
-use crate::{constants, root_impl, utils};
+use crate::{constants, magic, root_impl, utils};
 use anyhow::{bail, Result};
 use nix::unistd::{getgid, getuid, Pid};
-use std::process::{Child, Command};
-use std::sync::mpsc;
-use std::{fs, io, thread};
+use std::{fs, io};
 use std::ffi::CString;
+use std::future::Future;
 use std::io::{BufRead, Write};
 use std::os::unix::net::UnixListener;
+use std::pin::Pin;
 use std::time::Duration;
 use binder::IBinder;
+use futures::stream::FuturesUnordered;
+use futures::StreamExt;
 use nix::errno::Errno;
 use nix::libc;
 use nix::sys::signal::{kill, Signal};
-use once_cell::sync::OnceCell;
+use tokio::process::{Child, Command};
+use crate::utils::LateInit;
 
-static LOCK: OnceCell<UnixListener> = OnceCell::new();
-static PROP_SECTIONS: OnceCell<[String; 2]> = OnceCell::new();
+static LOCK: LateInit<UnixListener> = LateInit::new();
+static PROP_SECTIONS: LateInit<[String; 2]> = LateInit::new();
 
-pub fn entry() -> Result<()> {
+pub async fn entry() -> Result<()> {
     log::info!("Start zygisksu watchdog");
     check_permission()?;
     ensure_single_instance()?;
-    mount_prop()?;
+    mount_prop().await?;
     if check_and_set_hint()? == false {
         log::warn!("Requirements not met, exiting");
         utils::set_property(constants::PROP_NATIVE_BRIDGE, &utils::get_native_bridge())?;
         return Ok(());
     }
-    let end = spawn_daemon();
+    let end = spawn_daemon().await;
     set_prop_hint(constants::STATUS_CRASHED)?;
     end
 }
@@ -55,17 +58,17 @@ fn check_permission() -> Result<()> {
 
 fn ensure_single_instance() -> Result<()> {
     log::info!("Ensure single instance");
-    let name = String::from("zygiskwd") + constants::SOCKET_PLACEHOLDER;
+    let name = format!("zygiskwd{}", magic::MAGIC.as_str());
     match utils::abstract_namespace_socket(&name) {
-        Ok(socket) => { let _ = LOCK.set(socket); }
+        Ok(socket) => LOCK.init(socket),
         Err(e) => bail!("Failed to acquire lock: {e}. Maybe another instance is running?")
     }
     Ok(())
 }
 
-fn mount_prop() -> Result<()> {
+async fn mount_prop() -> Result<()> {
     let module_prop = if let root_impl::RootImpl::Magisk = root_impl::get_impl() {
-        let magisk_path = Command::new("magisk").arg("--path").output()?;
+        let magisk_path = Command::new("magisk").arg("--path").output().await?;
         let mut magisk_path = String::from_utf8(magisk_path.stdout)?;
         magisk_path.pop(); // Removing '\n'
         let cwd = std::env::current_dir()?;
@@ -91,15 +94,15 @@ fn mount_prop() -> Result<()> {
             sections[section].push('\n');
         }
     }
-    let _ = PROP_SECTIONS.set(sections);
+    PROP_SECTIONS.init(sections);
 
-    fs::create_dir(constants::PATH_TMP_DIR)?;
-    fs::File::create(constants::PATH_TMP_PROP)?;
+    fs::create_dir(magic::PATH_TMP_DIR.as_str())?;
+    fs::File::create(magic::PATH_TMP_PROP.as_str())?;
 
     // FIXME: sys_mount cannot be compiled on 32 bit
     unsafe {
         let r = libc::mount(
-            CString::new(constants::PATH_TMP_PROP)?.as_ptr(),
+            CString::new(magic::PATH_TMP_PROP.as_str())?.as_ptr(),
             CString::new(module_prop)?.as_ptr(),
             std::ptr::null(),
             libc::MS_BIND,
@@ -112,13 +115,12 @@ fn mount_prop() -> Result<()> {
 }
 
 fn set_prop_hint(hint: &str) -> Result<()> {
-    let mut file = fs::File::create(constants::PATH_TMP_PROP)?;
-    let sections = PROP_SECTIONS.get().unwrap();
-    file.write_all(sections[0].as_bytes())?;
+    let mut file = fs::File::create(magic::PATH_TMP_PROP.as_str())?;
+    file.write_all(PROP_SECTIONS[0].as_bytes())?;
     file.write_all(b"[")?;
     file.write_all(hint.as_bytes())?;
     file.write_all(b"] ")?;
-    file.write_all(sections[1].as_bytes())?;
+    file.write_all(PROP_SECTIONS[1].as_bytes())?;
     Ok(())
 }
 
@@ -137,46 +139,57 @@ fn check_and_set_hint() -> Result<bool> {
     Ok(false)
 }
 
-fn spawn_daemon() -> Result<()> {
+async fn spawn_daemon() -> Result<()> {
     let mut lives = 5;
     loop {
+        let mut futures = FuturesUnordered::<Pin<Box<dyn Future<Output=Result<()>>>>>::new();
+        let mut child_ids = vec![];
+
         let daemon32 = Command::new(constants::PATH_ZYGISKD32).arg("daemon").spawn();
         let daemon64 = Command::new(constants::PATH_ZYGISKD64).arg("daemon").spawn();
-        let mut child_ids = vec![];
-        let (sender, receiver) = mpsc::channel();
-        let mut spawn = |mut daemon: Child| {
-            child_ids.push(daemon.id());
-            let sender = sender.clone();
-            thread::spawn(move || {
-                let result = daemon.wait().unwrap();
-                log::error!("Daemon process {} died: {}", daemon.id(), result);
-                drop(daemon);
-                let _ = sender.send(());
-            });
-        };
-        if let Ok(it) = daemon32 { spawn(it) }
-        if let Ok(it) = daemon64 { spawn(it) }
-
-        let mut binder = loop {
-            if receiver.try_recv().is_ok() {
-                bail!("Daemon died before system server ready");
-            }
-            match binder::get_service("activity") {
-                Some(binder) => break binder,
-                None => {
-                    log::trace!("System server not ready, wait for 1s...");
-                    thread::sleep(Duration::from_secs(1));
-                }
-            };
-        };
-        log::info!("System server ready, restore native bridge");
-        utils::set_property(constants::PROP_NATIVE_BRIDGE, &utils::get_native_bridge())?;
-
-        loop {
-            if receiver.try_recv().is_ok() || binder.ping_binder().is_err() { break; }
-            thread::sleep(Duration::from_secs(1))
+        async fn spawn_daemon(mut daemon: Child) -> Result<()> {
+            let result = daemon.wait().await?;
+            log::error!("Daemon process {} died: {}", daemon.id().unwrap(), result);
+            Ok(())
         }
+        if let Ok(it) = daemon32 {
+            child_ids.push(it.id().unwrap());
+            futures.push(Box::pin(spawn_daemon(it)));
+        }
+        if let Ok(it) = daemon64 {
+            child_ids.push(it.id().unwrap());
+            futures.push(Box::pin(spawn_daemon(it)));
+        }
+
+        async fn binder_listener() -> Result<()> {
+            let mut binder = loop {
+                match binder::get_service("activity") {
+                    Some(binder) => break binder,
+                    None => {
+                        log::trace!("System server not ready, wait for 1s...");
+                        tokio::time::sleep(Duration::from_secs(1)).await;
+                    }
+                };
+            };
+
+            log::info!("System server ready, restore native bridge");
+            utils::set_property(constants::PROP_NATIVE_BRIDGE, &utils::get_native_bridge())?;
+
+            loop {
+                if binder.ping_binder().is_err() { break; }
+                tokio::time::sleep(Duration::from_secs(1)).await;
+            }
+            log::error!("System server died");
+            Ok(())
+        }
+        futures.push(Box::pin(binder_listener()));
+
+        if let Err(e) = futures.next().await.unwrap() {
+            log::error!("{}", e);
+        }
+
         for child in child_ids {
+            log::debug!("Killing child process {}", child);
             let _ = kill(Pid::from_raw(child as i32), Signal::SIGKILL);
         }
 

zygiskd/src/zygiskd.rs

@@ -1,28 +1,28 @@
-use crate::constants::DaemonSocketAction;
+use std::ffi::c_void;
+use crate::constants::{DaemonSocketAction, ProcessFlags};
 use crate::utils::UnixStreamExt;
-use crate::{constants, lp_select, root_impl, utils};
+use crate::{constants, dl, lp_select, magic, root_impl, utils};
 use anyhow::{bail, Result};
-use memfd::Memfd;
-use nix::{
-    fcntl::{fcntl, FcntlArg, FdFlag},
-    libc::self,
-};
 use passfd::FdPassingExt;
-use std::sync::{Arc, Mutex};
+use std::sync::Arc;
 use std::thread;
 use std::fs;
+use std::os::fd::{IntoRawFd, OwnedFd};
 use std::os::unix::{
     net::{UnixListener, UnixStream},
     prelude::AsRawFd,
 };
-use std::os::unix::process::CommandExt;
 use std::path::PathBuf;
-use std::process::Command;
+use nix::libc;
+use nix::sys::stat::fstat;
+use nix::unistd::close;
+
+type ZygiskCompanionEntryFn = unsafe extern "C" fn(i32);
 
 struct Module {
     name: String,
-    memfd: Memfd,
-    companion: Mutex<Option<UnixStream>>,
+    lib_fd: OwnedFd,
+    entry: Option<ZygiskCompanionEntryFn>,
 }
 
 struct Context {
@@ -82,8 +82,8 @@ fn load_modules(arch: &str) -> Result<Vec<Module>> {
             return Ok(modules);
         }
     };
-    for entry_result in dir.into_iter() {
-        let entry = entry_result?;
+    for entry in dir.into_iter() {
+        let entry = entry?;
         let name = entry.file_name().into_string().unwrap();
         let so_path = entry.path().join(format!("zygisk/{arch}.so"));
         let disabled = entry.path().join("disable");
@@ -91,30 +91,28 @@ fn load_modules(arch: &str) -> Result<Vec<Module>> {
             continue;
         }
         log::info!("  Loading module `{name}`...");
-        let memfd = match create_memfd(&so_path) {
-            Ok(memfd) => memfd,
+        let lib_fd = match create_library_fd(&so_path) {
+            Ok(fd) => fd,
             Err(e) => {
                 log::warn!("  Failed to create memfd for `{name}`: {e}");
                 continue;
             }
         };
-        let companion = match spawn_companion(&name, &memfd) {
-            Ok(companion) => companion,
-            Err(e) => {
-                log::warn!("  Failed to spawn companion for `{name}`: {e}");
-                continue;
-            }
-        };
-
-        let companion = Mutex::new(companion);
-        let module = Module { name, memfd, companion };
+        let entry = resolve_module(&so_path.to_string_lossy())?;
+        let module = Module { name, lib_fd, entry };
         modules.push(module);
     }
 
     Ok(modules)
 }
 
-fn create_memfd(so_path: &PathBuf) -> Result<Memfd> {
+#[cfg(debug_assertions)]
+fn create_library_fd(so_path: &PathBuf) -> Result<OwnedFd> {
+    Ok(OwnedFd::from(fs::File::open(so_path)?))
+}
+
+#[cfg(not(debug_assertions))]
+fn create_library_fd(so_path: &PathBuf) -> Result<OwnedFd> {
     let opts = memfd::MemfdOptions::default().allow_sealing(true);
     let memfd = opts.create("jit-cache")?;
     let file = fs::File::open(so_path)?;
@@ -129,38 +127,28 @@ fn create_memfd(so_path: &PathBuf) -> Result<Memfd> {
     seals.insert(memfd::FileSeal::SealSeal);
     memfd.add_seals(&seals)?;
 
-    Ok(memfd)
+    Ok(OwnedFd::from(memfd.into_file()))
 }
 
 fn create_daemon_socket() -> Result<UnixListener> {
     utils::set_socket_create_context("u:r:zygote:s0")?;
     let prefix = lp_select!("zygiskd32", "zygiskd64");
-    let name = String::from(prefix) + constants::SOCKET_PLACEHOLDER;
+    let name = format!("{}{}", prefix, magic::MAGIC.as_str());
     let listener = utils::abstract_namespace_socket(&name)?;
     log::debug!("Daemon socket: {name}");
     Ok(listener)
 }
 
-fn spawn_companion(name: &str, memfd: &Memfd) -> Result<Option<UnixStream>> {
-    let (mut daemon, companion) = UnixStream::pair()?;
-    // Remove FD_CLOEXEC flag
-    fcntl(companion.as_raw_fd(), FcntlArg::F_SETFD(FdFlag::empty()))?;
-
-    let process = std::env::args().next().unwrap();
-    let nice_name = process.split('/').last().unwrap();
-    Command::new(&process)
-        .arg0(format!("{}-{}", nice_name, name))
-        .arg("companion")
-        .arg(format!("{}", companion.as_raw_fd()))
-        .spawn()?;
-    drop(companion);
-
-    daemon.write_string(name)?;
-    daemon.send_fd(memfd.as_raw_fd())?;
-    match daemon.read_u8()? {
-        0 => Ok(None),
-        1 => Ok(Some(daemon)),
-        _ => bail!("Invalid companion response"),
+fn resolve_module(path: &str) -> Result<Option<ZygiskCompanionEntryFn>> {
+    unsafe {
+        let handle = dl::dlopen(path, libc::RTLD_NOW)?;
+        let symbol = std::ffi::CString::new("zygisk_companion_entry")?;
+        let entry = libc::dlsym(handle, symbol.as_ptr());
+        if entry.is_null() {
+            return Ok(None);
+        }
+        let fnptr = std::mem::transmute::<*mut c_void, ZygiskCompanionEntryFn>(entry);
+        Ok(Some(fnptr))
     }
 }
 
@@ -188,43 +176,51 @@ fn handle_daemon_action(mut stream: UnixStream, context: &Context) -> Result<()>
         }
         DaemonSocketAction::GetProcessFlags => {
             let uid = stream.read_u32()? as i32;
-            let mut flags = 0u32;
-            if root_impl::uid_on_allowlist(uid) {
-                flags |= constants::PROCESS_GRANTED_ROOT;
+            let mut flags = ProcessFlags::empty();
+            if root_impl::uid_granted_root(uid) {
+                flags |= ProcessFlags::PROCESS_GRANTED_ROOT;
             }
-            if root_impl::uid_on_denylist(uid) {
-                flags |= constants::PROCESS_ON_DENYLIST;
+            if root_impl::uid_should_umount(uid) {
+                flags |= ProcessFlags::PROCESS_ON_DENYLIST;
             }
             match root_impl::get_impl() {
-                root_impl::RootImpl::KernelSU => flags |= constants::PROCESS_ROOT_IS_KSU,
-                root_impl::RootImpl::Magisk => flags |= constants::PROCESS_ROOT_IS_MAGISK,
-                _ => ()
+                root_impl::RootImpl::KernelSU => flags |= ProcessFlags::PROCESS_ROOT_IS_KSU,
+                root_impl::RootImpl::Magisk => flags |= ProcessFlags::PROCESS_ROOT_IS_MAGISK,
+                _ => unreachable!(),
             }
-            // TODO: PROCESS_IS_SYSUI?
-            stream.write_u32(flags)?;
+            log::trace!("Uid {} granted root: {}", uid, flags.contains(ProcessFlags::PROCESS_GRANTED_ROOT));
+            log::trace!("Uid {} on denylist: {}", uid, flags.contains(ProcessFlags::PROCESS_ON_DENYLIST));
+            stream.write_u32(flags.bits())?;
         }
         DaemonSocketAction::ReadModules => {
             stream.write_usize(context.modules.len())?;
             for module in context.modules.iter() {
                 stream.write_string(&module.name)?;
-                stream.send_fd(module.memfd.as_raw_fd())?;
+                stream.send_fd(module.lib_fd.as_raw_fd())?;
             }
         }
         DaemonSocketAction::RequestCompanionSocket => {
             let index = stream.read_usize()?;
             let module = &context.modules[index];
-            let mut companion = module.companion.lock().unwrap();
-            match companion.as_ref() {
-                Some(sock) => {
-                    if let Err(_) = sock.send_fd(stream.as_raw_fd()) {
-                        log::error!("Companion of module `{}` crashed", module.name);
-                        companion.take();
-                        stream.write_u8(0)?;
-                    }
-                    // Ok: Send by companion
-                }
+            match module.entry {
                 None => {
                     stream.write_u8(0)?;
+                    return Ok(());
+                }
+                Some(companion) => {
+                    stream.write_u8(1)?;
+                    let fd = stream.into_raw_fd();
+                    let st0 = fstat(fd)?;
+                    unsafe { companion(fd); }
+                    // Only close client if it is the same file so we don't
+                    // accidentally close a re-used file descriptor.
+                    // This check is required because the module companion
+                    // handler could've closed the file descriptor already.
+                    if let Ok(st1) = fstat(fd) {
+                        if st0.st_dev == st1.st_dev && st0.st_ino == st1.st_ino {
+                            close(fd)?;
+                        }
+                    }
                 }
             }
         }