From 447f127321cf6f76400b0b43418363a6ea050c44 Mon Sep 17 00:00:00 2001 From: Chris Renshaw Date: Thu, 1 Aug 2024 20:20:40 -0300 Subject: [PATCH] Add global sensitive props scripts (#57) Please see https://github.com/osm0sis/PlayIntegrityFork/tree/main/module and https://github.com/Displax/safetynet-fix/tree/dev/magisk for full commit history and attribution/authorship --- module/template/common_func.sh | 17 ++++++++++++ module/template/post-fs-data.sh | 32 ++++++++++++++++++++++ module/template/service.sh | 47 +++++++++++++++++++++++++++++++++ 3 files changed, 96 insertions(+) create mode 100644 module/template/common_func.sh create mode 100644 module/template/post-fs-data.sh create mode 100644 module/template/service.sh diff --git a/module/template/common_func.sh b/module/template/common_func.sh new file mode 100644 index 0000000..7623096 --- /dev/null +++ b/module/template/common_func.sh @@ -0,0 +1,17 @@ +# resetprop_if_diff +resetprop_if_diff() { + local NAME="$1" + local EXPECTED="$2" + local CURRENT="$(resetprop "$NAME")" + + [ -z "$CURRENT" ] || [ "$CURRENT" = "$EXPECTED" ] || resetprop -n "$NAME" "$EXPECTED" +} + +# resetprop_if_match +resetprop_if_match() { + local NAME="$1" + local CONTAINS="$2" + local VALUE="$3" + + [[ "$(resetprop "$NAME")" = *"$CONTAINS"* ]] && resetprop -n "$NAME" "$VALUE" +} diff --git a/module/template/post-fs-data.sh b/module/template/post-fs-data.sh new file mode 100644 index 0000000..9ab2cee --- /dev/null +++ b/module/template/post-fs-data.sh @@ -0,0 +1,32 @@ +MODPATH="${0%/*}" +. $MODPATH/common_func.sh + +# Conditional early sensitive properties + +# Samsung +resetprop_if_diff ro.boot.warranty_bit 0 +resetprop_if_diff ro.vendor.boot.warranty_bit 0 +resetprop_if_diff ro.vendor.warranty_bit 0 +resetprop_if_diff ro.warranty_bit 0 + +# Xiaomi +resetprop_if_diff ro.secureboot.lockstate locked + +# Realme +resetprop_if_diff ro.boot.realmebootstate green + +# OnePlus +resetprop_if_diff ro.is_ever_orange 0 + +# Microsoft +for PROP in $(resetprop | grep -oE 'ro.*.build.tags'); do + resetprop_if_diff $PROP release-keys +done + +# Other +for PROP in $(resetprop | grep -oE 'ro.*.build.type'); do + resetprop_if_diff $PROP user +done +resetprop_if_diff ro.debuggable 0 +resetprop_if_diff ro.force.debuggable 0 +resetprop_if_diff ro.secure 1 diff --git a/module/template/service.sh b/module/template/service.sh new file mode 100644 index 0000000..7874112 --- /dev/null +++ b/module/template/service.sh @@ -0,0 +1,47 @@ +MODPATH="${0%/*}" +. $MODPATH/common_func.sh + +# Conditional sensitive properties + +# Magisk Recovery Mode +resetprop_if_match ro.boot.mode recovery unknown +resetprop_if_match ro.bootmode recovery unknown +resetprop_if_match vendor.boot.mode recovery unknown + +# SELinux +resetprop_if_diff ro.boot.selinux enforcing +# use delete since it can be 0 or 1 for enforcing depending on OEM +if [ -n "$(resetprop ro.build.selinux)" ]; then + resetprop --delete ro.build.selinux +fi +# use toybox to protect stat access time reading +if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then + chmod 640 /sys/fs/selinux/enforce + chmod 440 /sys/fs/selinux/policy +fi + +# Conditional late sensitive properties + +# must be set after boot_completed for various OEMs +{ +until [ "$(getprop sys.boot_completed)" = "1" ]; do + sleep 1 +done + +# SafetyNet/Play Integrity + OEM +# avoid breaking Realme fingerprint scanners +resetprop_if_diff ro.boot.flash.locked 1 +resetprop_if_diff ro.boot.realme.lockstate 1 +# avoid breaking Oppo fingerprint scanners +resetprop_if_diff ro.boot.vbmeta.device_state locked +# avoid breaking OnePlus display modes/fingerprint scanners +resetprop_if_diff vendor.boot.verifiedbootstate green +# avoid breaking OnePlus/Oppo fingerprint scanners on OOS/ColorOS 12+ +resetprop_if_diff ro.boot.verifiedbootstate green +resetprop_if_diff ro.boot.veritymode enforcing +resetprop_if_diff vendor.boot.vbmeta.device_state locked + +# Other +resetprop_if_diff sys.oem_unlock_allowed 0 + +}&