Improved unmount logic (#93)

Proper info, in the section about KernelSU & APatch.

.github/workflows/ci.yml

@@ -28,23 +28,23 @@ jobs:
         if: success()
         id: prepareArtifact
         run: |
-          echo "releaseName=$(basename module/build/out/*-release.zip .zip)" >> $GITHUB_OUTPUT
-          echo "debugName=$(basename module/build/out/*-debug.zip .zip)" >> $GITHUB_OUTPUT
+          echo "releaseName=$(basename module/build/outputs/zip/*-release.zip .zip)" >> $GITHUB_OUTPUT
+          echo "debugName=$(basename module/build/outputs/zip/*-debug.zip .zip)" >> $GITHUB_OUTPUT
 
       - name: Upload Release Artifact
         uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.prepareArtifact.outputs.releaseName }}
-          path: "module/build/out/release"
+          path: "module/build/outputs/zip/release"
 
       - name: Upload Debug Artifact
         uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.prepareArtifact.outputs.debugName }}
-          path: "module/build/out/debug"
+          path: "module/build/outputs/zip/debug"
 
       - name: Create a release
         if: startsWith(github.ref, 'refs/tags/v')
         uses: softprops/action-gh-release@v2
         with:
-          files: module/build/out/*.zip
+          files: module/build/outputs/zip/*.zip

.gitmodules

@@ -4,9 +4,9 @@
 [submodule "module/jni/libcxx"]
 	path = module/jni/libcxx
 	url = https://github.com/topjohnwu/libcxx.git
-[submodule "module/jni/system_properties"]
-	path = module/jni/system_properties
-	url = https://github.com/topjohnwu/system_properties
 [submodule "module/jni/aosp_fd_utils"]
 	path = module/jni/aosp_fd_utils
 	url = https://github.com/snake-4/aosp_fd_utils.git
+[submodule "module/jni/aosp_system_properties"]
+	path = module/jni/aosp_system_properties
+	url = https://github.com/topjohnwu/system_properties

README.md

@@ -20,7 +20,7 @@ Using the **release** build is recommended over the debug build. Only use debug
 
 ### KernelSU & APatch users:
 1. Install ZygiskNext.
-1. Make sure the unmount setting is enabled for the target app in the KernelSU/APatch Manager.
+1. Make sure the option `Umount modules/Exclude modifications` is enabled for the target app in the KernelSU/APatch Manager.
 1. Disable `Enforce DenyList` in ZygiskNext settings if there is one.
 
 ### Magisk users:
@@ -48,4 +48,4 @@ Don't forget to give the project a star! Thanks again!
 <!-- LICENSE -->
 ## License
 
-Distributed under the MIT License. See `LICENSE` for more information.
+Distributed under the MIT License. See `LICENSE` for more information.

build.gradle.kts

@@ -1,19 +1,17 @@
 import java.io.ByteArrayOutputStream
 
 plugins {
-    id("com.android.library") version "8.3.2" apply false
+    id("com.android.library") version "8.8.1" apply false
 }
 
 val commitHash: String by extra {
-    val stdout = ByteArrayOutputStream()
-    rootProject.exec {
-        commandLine("git", "rev-parse", "--short", "HEAD")
-        standardOutput = stdout
+    val result = providers.exec {
+        commandLine("git", "rev-parse", "--verify", "--short", "HEAD")
     }
-    stdout.toString().trim()
+    result.standardOutput.asText.get().trim()
 }
 
 val moduleId by extra("zygisk-assistant")
 val moduleName by extra("Zygisk Assistant")
-val verName by extra("v2.1.1")
-val verCode by extra(211)
+val verName by extra("v2.1.4")
+val verCode by extra(214)

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

module/build.gradle.kts

@@ -14,7 +14,7 @@ val abiList: List<String> by rootProject.extra
 android {
     namespace = "com.example.library"
     compileSdkVersion = "android-34"
-    ndkVersion = "26.3.11579264"
+    ndkVersion = "28.0.13004108"
     defaultConfig {
         minSdk = 21
         externalNativeBuild {
@@ -36,8 +36,8 @@ androidComponents.onVariants { variant ->
     val buildTypeLowered = variant.buildType?.lowercase()
 
     val libOutDir = layout.buildDirectory.dir("intermediates/stripped_native_libs/$variantLowered/strip${variantCapped}DebugSymbols/out/lib").get()
-    val moduleDir = layout.buildDirectory.dir("out/$variantLowered").get()
-    val zipOutDir = layout.buildDirectory.dir("out/").get()
+    val moduleDir = layout.buildDirectory.dir("outputs/zip/$variantLowered").get()
+    val zipOutDir = layout.buildDirectory.dir("outputs/zip/").get()
     val zipFileName = "$moduleName-$verName-$commitHash-$buildTypeLowered.zip".replace(' ', '-')
 
     val moduleFilesTask = task<Sync>("moduleFiles$variantCapped") {

module/jni/Android.mk

@@ -9,5 +9,5 @@ LOCAL_LDLIBS := -llog
 include $(BUILD_SHARED_LIBRARY)
 
 include jni/libcxx/Android.mk
-include jni/system_properties/Android.mk
+include jni/aosp_system_properties/Android.mk
 include jni/aosp_fd_utils/Android.mk

module/jni/include/map_parser.hpp

@@ -6,10 +6,10 @@
 
 namespace Parsers
 {
-    class map_entry_t
+    class map_entry
     {
     public:
-        map_entry_t(uintptr_t address_start, uintptr_t address_end, uintptr_t offset,
+        map_entry(uintptr_t address_start, uintptr_t address_end, uintptr_t offset,
                     const std::string &perms, const std::string &pathname, dev_t device, ino_t inode);
 
         uintptr_t getAddressStart() const;
@@ -27,5 +27,5 @@ namespace Parsers
         ino_t inode;
     };
 
-    const std::vector<map_entry_t> &parseSelfMaps(bool cached = true);
+    const std::vector<map_entry> &parseSelfMaps(bool cached = true);
 }

module/jni/include/mountinfo_parser.hpp

@@ -6,10 +6,10 @@
 
 namespace Parsers
 {
-    class mountinfo_entry_t
+    class mountinfo_entry
     {
     public:
-        mountinfo_entry_t(int mount_id, int parent_id, dev_t device,
+        mountinfo_entry(int mount_id, int parent_id, dev_t device,
                           const std::string &root, const std::string &mount_point,
                           const std::string &mount_options, const std::string &optional_fields,
                           const std::string &filesystem_type, const std::string &mount_source,
@@ -33,13 +33,13 @@ namespace Parsers
         std::unordered_map<std::string, std::string> mount_options, super_options;
     };
 
-    const std::vector<mountinfo_entry_t> &parseSelfMountinfo(bool cached = true);
+    const std::vector<mountinfo_entry> &parseSelfMountinfo(bool cached = true);
 
     class mountinfo_root_resolver
     {
     public:
-        mountinfo_root_resolver(const std::vector<mountinfo_entry_t> &mount_infos);
-        std::string resolveRootOf(const mountinfo_entry_t &mount_info) const;
+        mountinfo_root_resolver(const std::vector<mountinfo_entry> &mount_infos);
+        std::string resolveRootOf(const mountinfo_entry &mount_info) const;
 
     private:
         std::unordered_map<dev_t, std::string> device_mount_map;

module/jni/include/utils.hpp

@@ -4,6 +4,7 @@
 #include <functional>
 #include "logging.hpp"
 #include "zygisk.hpp"
+#include "mountinfo_parser.hpp"
 
 #define DCL_HOOK_FUNC(ret, func, ...)         \
     ret (*old_##func)(__VA_ARGS__) = nullptr; \
@@ -36,4 +37,5 @@ namespace Utils
     int isUserAppUID(int uid);
     bool hookPLTByName(zygisk::Api *api, const std::string &libName, const std::string &symbolName, void *hookFunc, void **origFunc);
     int forkAndInvoke(const std::function<int()> &lambda);
+    const char *getExtErrorsBehavior(const Parsers::mountinfo_entry &entry);
 }

module/jni/main.cpp

@@ -19,16 +19,17 @@ static std::function<void()> callbackFunction = []() {};
 
 /*
  * [What's the purpose of this hook?]
- * Calling unshare twice invalidates existing FD links, which fails Zygote sanity checks.
- * So we prevent further namespaces by hooking unshare.
+ * Hooking unshare is necessary to stop Zygote from calling unshare a second time,
+ * because that breaks the FDs. We handle this by reopening FDs,
+ * allowing us to call unshare twice safely in our callback.
  *
  * [Doesn't Android already call unshare?]
- * Whether there's going to be an unshare or not changes with each major Android version
- * so we unconditionally unshare in preAppSpecialize.
- * > Android 5: Conditionally unshares
- * > Android 6: Always unshares
- * > Android 7-11: Conditionally unshares
- * > Android 12-14: Always unshares
+ * Android's use of unshare changes with each major version, so we always call unshare
+ * in preAppSpecialize.
+ * > Android 5: Sometimes calls unshare
+ * > Android 6: Always calls unshare
+ * > Android 7-11: Sometimes calls unshare
+ * > Android 12-14: Always calls unshare
  */
 DCL_HOOK_FUNC(static int, unshare, int flags)
 {
@@ -45,10 +46,11 @@ DCL_HOOK_FUNC(static int, unshare, int flags)
 }
 
 /*
- * The reason why we hook setresuid is because so far it has been unconditionally called
- * and we still have CAP_SYS_ADMIN during this call.
- * Also, KSU hooks setuid and unmounts some overlays
- * so we have to run our code before the syscall.
+ * [What's the purpose of this hook?]
+ * Hooking setresuid ensures we can execute code while we still have CAP_SYS_ADMIN,
+ * which is necessary for some operations.
+ * This hook is necessary because setresuid is called unconditionally,
+ * and we need to perform actions before this syscall.
  */
 DCL_HOOK_FUNC(static int, setresuid, uid_t ruid, uid_t euid, uid_t suid)
 {
@@ -56,6 +58,27 @@ DCL_HOOK_FUNC(static int, setresuid, uid_t ruid, uid_t euid, uid_t suid)
     return old_setresuid(ruid, euid, suid);
 }
 
+/*
+ * [Why is this function needed?]
+ * This function unconditionally calls unshare to create a new mount namespace.
+ * It ensures that the new namespace is isolated but still allows propagation of mount
+ * events from the parent namespace by setting the root as MS_SLAVE.
+ */
+static bool new_mount_ns()
+{
+    /*
+     * Unconditional unshare.
+     */
+    ASSERT_DO(new_mount_ns, old_unshare(CLONE_NEWNS) != -1, return false);
+
+    /*
+     * Mount the app mount namespace's root as MS_SLAVE, so every mount/umount from
+     * Zygote shared pre-specialization namespace is propagated to this one.
+     */
+    ASSERT_DO(new_mount_ns, mount("rootfs", "/", NULL, (MS_SLAVE | MS_REC), NULL) != -1, return false);
+    return true;
+}
+
 class ZygiskModule : public zygisk::ModuleBase
 {
 public:
@@ -80,17 +103,6 @@ public:
         }
         LOGD("Processing ppid=%d uid=%d isChildZygote=%d", getppid(), args->uid, isChildZygote);
 
-        /*
-         * Read the comment above unshare hook.
-         */
-        ASSERT_DO(preAppSpecialize, unshare(CLONE_NEWNS) != -1, return);
-
-        /*
-         * Mount the app mount namespace's root as MS_SLAVE, so every mount/umount from
-         * Zygote shared pre-specialization namespace is propagated to this one.
-         */
-        ASSERT_DO(preAppSpecialize, mount("rootfs", "/", NULL, (MS_SLAVE | MS_REC), NULL) != -1, return);
-
         ASSERT_DO(preAppSpecialize, hookPLTByName("libandroid_runtime.so", "unshare", new_unshare, &old_unshare), return);
         ASSERT_DO(preAppSpecialize, hookPLTByName("libandroid_runtime.so", "setresuid", new_setresuid, &old_setresuid), return);
 
@@ -100,7 +112,12 @@ public:
 
         callbackFunction = [fd = companionFd]()
         {
+            // Call only once per process.
+            callbackFunction = []() {};
             FDReopener::ScopedRegularReopener srr;
+            
+            if (!new_mount_ns())
+                return;
 
             bool result = false;
             if (fd != -1)
@@ -123,9 +140,6 @@ public:
             }
 
             doHideZygisk();
-
-            // Call only once per process.
-            callbackFunction = []() {};
         };
     }
 

module/jni/map_parser.cpp

@@ -9,21 +9,21 @@
 
 using namespace Parsers;
 
-map_entry_t::map_entry_t(uintptr_t address_start, uintptr_t address_end, uintptr_t offset, const std::string &perms, const std::string &pathname, dev_t device, ino_t inode)
+map_entry::map_entry(uintptr_t address_start, uintptr_t address_end, uintptr_t offset, const std::string &perms, const std::string &pathname, dev_t device, ino_t inode)
     : address_start(address_start), address_end(address_end), perms(perms),
       offset(offset), device(device), inode(inode), pathname(pathname) {}
 
-uintptr_t map_entry_t::getAddressStart() const { return address_start; }
-uintptr_t map_entry_t::getAddressEnd() const { return address_end; }
-const std::string &map_entry_t::getPerms() const { return perms; }
-uintptr_t map_entry_t::getOffset() const { return offset; }
-dev_t map_entry_t::getDevice() const { return device; }
-ino_t map_entry_t::getInode() const { return inode; }
-const std::string &map_entry_t::getPathname() const { return pathname; }
+uintptr_t map_entry::getAddressStart() const { return address_start; }
+uintptr_t map_entry::getAddressEnd() const { return address_end; }
+const std::string &map_entry::getPerms() const { return perms; }
+uintptr_t map_entry::getOffset() const { return offset; }
+dev_t map_entry::getDevice() const { return device; }
+ino_t map_entry::getInode() const { return inode; }
+const std::string &map_entry::getPathname() const { return pathname; }
 
-const std::vector<map_entry_t> &Parsers::parseSelfMaps(bool cached)
+const std::vector<map_entry> &Parsers::parseSelfMaps(bool cached)
 {
-    static std::vector<map_entry_t> parser_cache;
+    static std::vector<map_entry> parser_cache;
     if (cached && !parser_cache.empty())
     {
         return parser_cache;
@@ -59,7 +59,7 @@ const std::vector<map_entry_t> &Parsers::parseSelfMaps(bool cached)
         // This operation can fail, it doesn't matter as it's an optional field.
         std::getline(iss >> std::ws, pathname);
 
-        parser_cache.emplace_back(map_entry_t(address_start, address_end, offset, perms, pathname, makedev(dev_major, dev_minor), inode));
+        parser_cache.emplace_back(map_entry(address_start, address_end, offset, perms, pathname, makedev(dev_major, dev_minor), inode));
     }
 
     return parser_cache;

module/jni/modules.cpp

@@ -22,6 +22,7 @@
 
 using namespace Parsers;
 
+static const std::set<std::string> mountdir_list = {"/data/adb", "/debug_ramdisk"};
 static const std::set<std::string> fsname_list = {"KSU", "APatch", "magisk", "worker"};
 static const std::unordered_map<std::string, int> mount_flags_procfs = {
     {"nosuid", MS_NOSUID},
@@ -32,39 +33,38 @@ static const std::unordered_map<std::string, int> mount_flags_procfs = {
     {"relatime", MS_RELATIME},
     {"nosymfollow", MS_NOSYMFOLLOW}};
 
-static bool shouldUnmount(const mountinfo_entry_t &mount, const mountinfo_root_resolver &root_resolver)
+static bool shouldUnmount(const mountinfo_entry &mount, const mountinfo_root_resolver &root_resolver)
 {
     const auto true_root = root_resolver.resolveRootOf(mount);
     const auto &mount_point = mount.getMountPoint();
     const auto &type = mount.getFilesystemType();
 
-    // Mount is from /data/adb
-    if (true_root.starts_with("/data/adb"))
-        return true;
+    // Unmount all mounts from and to directories in mountdir_list
+    for (const auto &mountdir : mountdir_list)
+    {
+        if (true_root.starts_with(mountdir) || mount_point.starts_with(mountdir))
+            return true;
 
-    // Mount is to /data/adb
-    if (mount_point.starts_with("/data/adb"))
-        return true;
+        // Unmount all overlayfs with lowerdir/upperdir/workdir in mountdir_list
+        if (type == "overlay")
+        {
+            const auto &options = mount.getSuperOptions();
+
+            if (options.contains("lowerdir") && options.at("lowerdir").starts_with(mountdir))
+                return true;
+
+            if (options.contains("upperdir") && options.at("upperdir").starts_with(mountdir))
+                return true;
+
+            if (options.contains("workdir") && options.at("workdir").starts_with(mountdir))
+                return true;
+        }
+    }
 
     // Unmount all module overlayfs and tmpfs
     if ((type == "overlay" || type == "tmpfs") && fsname_list.contains(mount.getMountSource()))
         return true;
 
-    // Unmount all overlayfs with lowerdir/upperdir/workdir starting with /data/adb
-    if (type == "overlay")
-    {
-        const auto &options = mount.getSuperOptions();
-
-        if (options.contains("lowerdir") && options.at("lowerdir").starts_with("/data/adb"))
-            return true;
-
-        if (options.contains("upperdir") && options.at("upperdir").starts_with("/data/adb"))
-            return true;
-
-        if (options.contains("workdir") && options.at("workdir").starts_with("/data/adb"))
-            return true;
-    }
-
     return false;
 }
 
@@ -93,28 +93,26 @@ void doRemount()
         if (mount.getMountPoint() == "/data")
         {
             const auto &superOptions = mount.getSuperOptions();
+            if (!superOptions.contains("errors"))
+                break;
+
+            // Remount /data only if errors behavior is not the same as superblock's
+            const char *sb_errors = Utils::getExtErrorsBehavior(mount);
+            if (!sb_errors || superOptions.at("errors") == sb_errors)
+                break;
+
             const auto &mountOptions = mount.getMountOptions();
-
-            // If errors=remount-ro, remount it with errors=continue
-            if (superOptions.contains("errors") && superOptions.at("errors") == "remount-ro")
+            unsigned long flags = MS_REMOUNT;
+            for (const auto &flagName : mount_flags_procfs)
             {
-                unsigned long flags = MS_REMOUNT;
-                for (const auto &flagName : mount_flags_procfs)
-                {
-                    if (mountOptions.contains(flagName.first))
-                        flags |= flagName.second;
-                }
-
-                if (::mount(NULL, "/data", NULL, flags, "errors=continue") == 0)
-                {
-                    LOGD("mount(NULL, \"/data\", NULL, 0x%lx, \"errors=continue\") returned 0", flags);
-                }
-                else
-                {
-                    LOGW("mount(NULL, \"/data\", NULL, 0x%lx, \"errors=continue\") returned -1: %d (%s)", flags, errno, strerror(errno));
-                }
+                if (mountOptions.contains(flagName.first))
+                    flags |= flagName.second;
             }
 
+            if (::mount(NULL, "/data", NULL, flags, (std::string("errors=") + sb_errors).c_str()) == 0)
+                LOGD("mount(NULL, \"/data\", NULL, 0x%lx, ...) returned 0", flags);
+            else
+                LOGW("mount(NULL, \"/data\", NULL, 0x%lx, ...) returned -1: %d (%s)", flags, errno, strerror(errno));
             break;
         }
     }

module/jni/mountinfo_parser.cpp

@@ -30,7 +30,7 @@ static std::unordered_map<std::string, std::string> parseMountOptions(const std:
     return ret;
 }
 
-mountinfo_entry_t::mountinfo_entry_t(int mount_id, int parent_id, dev_t device,
+mountinfo_entry::mountinfo_entry(int mount_id, int parent_id, dev_t device,
                                      const std::string &root, const std::string &mount_point,
                                      const std::string &mount_options, const std::string &optional_fields,
                                      const std::string &filesystem_type, const std::string &mount_source,
@@ -44,20 +44,20 @@ mountinfo_entry_t::mountinfo_entry_t(int mount_id, int parent_id, dev_t device,
     this->super_options = parseMountOptions(super_options);
 }
 
-int mountinfo_entry_t::getMountId() const { return mount_id; }
-int mountinfo_entry_t::getParentId() const { return parent_id; }
-dev_t mountinfo_entry_t::getDevice() const { return device; }
-const std::string &mountinfo_entry_t::getRoot() const { return root; }
-const std::string &mountinfo_entry_t::getMountPoint() const { return mount_point; }
-const std::unordered_map<std::string, std::string> &mountinfo_entry_t::getMountOptions() const { return mount_options; }
-const std::string &mountinfo_entry_t::getOptionalFields() const { return optional_fields; }
-const std::string &mountinfo_entry_t::getFilesystemType() const { return filesystem_type; }
-const std::string &mountinfo_entry_t::getMountSource() const { return mount_source; }
-const std::unordered_map<std::string, std::string> &mountinfo_entry_t::getSuperOptions() const { return super_options; }
+int mountinfo_entry::getMountId() const { return mount_id; }
+int mountinfo_entry::getParentId() const { return parent_id; }
+dev_t mountinfo_entry::getDevice() const { return device; }
+const std::string &mountinfo_entry::getRoot() const { return root; }
+const std::string &mountinfo_entry::getMountPoint() const { return mount_point; }
+const std::unordered_map<std::string, std::string> &mountinfo_entry::getMountOptions() const { return mount_options; }
+const std::string &mountinfo_entry::getOptionalFields() const { return optional_fields; }
+const std::string &mountinfo_entry::getFilesystemType() const { return filesystem_type; }
+const std::string &mountinfo_entry::getMountSource() const { return mount_source; }
+const std::unordered_map<std::string, std::string> &mountinfo_entry::getSuperOptions() const { return super_options; }
 
-const std::vector<mountinfo_entry_t> &Parsers::parseSelfMountinfo(bool cached)
+const std::vector<mountinfo_entry> &Parsers::parseSelfMountinfo(bool cached)
 {
-    static std::vector<mountinfo_entry_t> parser_cache;
+    static std::vector<mountinfo_entry> parser_cache;
     if (cached && !parser_cache.empty())
     {
         return parser_cache;
@@ -106,7 +106,7 @@ const std::vector<mountinfo_entry_t> &Parsers::parseSelfMountinfo(bool cached)
             continue;
         }
 
-        parser_cache.emplace_back(mountinfo_entry_t(mount_id, parent_id, makedev(_major, _minor),
+        parser_cache.emplace_back(mountinfo_entry(mount_id, parent_id, makedev(_major, _minor),
                                                     root, mount_point, mount_options,
                                                     optional_fields, filesystem_type, mount_source,
                                                     super_options));
@@ -115,7 +115,7 @@ const std::vector<mountinfo_entry_t> &Parsers::parseSelfMountinfo(bool cached)
     return parser_cache;
 }
 
-mountinfo_root_resolver::mountinfo_root_resolver(const std::vector<mountinfo_entry_t> &mount_infos)
+mountinfo_root_resolver::mountinfo_root_resolver(const std::vector<mountinfo_entry> &mount_infos)
 {
     for (const auto &mount_info : mount_infos)
     {
@@ -126,7 +126,7 @@ mountinfo_root_resolver::mountinfo_root_resolver(const std::vector<mountinfo_ent
     }
 }
 
-std::string mountinfo_root_resolver::resolveRootOf(const mountinfo_entry_t &mount_info) const
+std::string mountinfo_root_resolver::resolveRootOf(const mountinfo_entry &mount_info) const
 {
     auto dev = mount_info.getDevice();
     if (device_mount_map.contains(dev))

module/jni/utils.cpp

@@ -1,11 +1,13 @@
+#include <fstream>
 #include <string.h>
+#include <cstdint>
 #include <string>
 #include <functional>
-#include <format>
 #include <unistd.h>
 #include <sys/wait.h>
 #include <sched.h>
 #include <fcntl.h>
+#include <endian.h>
 
 #include "map_parser.hpp"
 #include "utils.hpp"
@@ -80,3 +82,48 @@ int Utils::forkAndInvoke(const std::function<int()> &lambda)
     waitpid(pid, &status, 0);
     return status;
 }
+
+constexpr off_t EXT_SUPERBLOCK_OFFSET = 0x400;
+constexpr off_t EXT_MAGIC_OFFSET = 0x38;
+constexpr off_t EXT_ERRORS_OFFSET = 0x3C;
+constexpr uint16_t EXT_MAGIC = 0xEF53;
+
+const char *Utils::getExtErrorsBehavior(const Parsers::mountinfo_entry &entry)
+{
+    auto fs_type = entry.getFilesystemType();
+    if (fs_type != "ext2" && fs_type != "ext3" && fs_type != "ext4")
+        return nullptr;
+
+    std::ifstream file(entry.getMountSource(), std::ios::binary);
+    if (!file)
+        return nullptr;
+
+    uint16_t magic;
+    file.seekg(EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, std::ios::beg);
+    file.read(reinterpret_cast<char *>(&magic), sizeof(magic));
+    if (!file || file.gcount() != sizeof(magic))
+        return nullptr;
+    magic = le16toh(magic);
+
+    if (magic != EXT_MAGIC)
+        return nullptr;
+
+    uint16_t errors;
+    file.seekg(EXT_SUPERBLOCK_OFFSET + EXT_ERRORS_OFFSET, std::ios::beg);
+    file.read(reinterpret_cast<char *>(&errors), sizeof(errors));
+    if (!file || file.gcount() != sizeof(errors))
+        return nullptr;
+    errors = le16toh(errors);
+
+    switch (errors)
+    {
+    case 1:
+        return "continue";
+    case 2:
+        return "remount-ro";
+    case 3:
+        return "panic";
+    default:
+        return nullptr;
+    }
+}

module/template/common_func.sh

@@ -0,0 +1,27 @@
+SKIPDELPROP=false
+[ -f "$MODPATH/skipdelprop" ] && SKIPDELPROP=true
+
+# resetprop_if_diff <prop name> <expected value>
+resetprop_if_diff() {
+    local NAME="$1"
+    local EXPECTED="$2"
+    local CURRENT="$(resetprop "$NAME")"
+
+    [ -z "$CURRENT" ] || [ "$CURRENT" = "$EXPECTED" ] || resetprop -n "$NAME" "$EXPECTED"
+}
+
+# resetprop_if_match <prop name> <value match string> <new value>
+resetprop_if_match() {
+    local NAME="$1"
+    local CONTAINS="$2"
+    local VALUE="$3"
+
+    [[ "$(resetprop "$NAME")" = *"$CONTAINS"* ]] && resetprop -n "$NAME" "$VALUE"
+}
+
+# delprop_if_exist <prop name>
+delprop_if_exist() {
+    local NAME="$1"
+
+    [ -n "$(resetprop "$NAME")" ] && resetprop --delete "$NAME"
+}

module/template/post-fs-data.sh

@@ -0,0 +1,35 @@
+MODPATH="${0%/*}"
+. $MODPATH/common_func.sh
+
+# Conditional early sensitive properties
+
+# Samsung
+resetprop_if_diff ro.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.warranty_bit 0
+resetprop_if_diff ro.warranty_bit 0
+
+# Realme
+resetprop_if_diff ro.boot.realmebootstate green
+
+# OnePlus
+resetprop_if_diff ro.is_ever_orange 0
+
+# Microsoft
+for PROP in $(resetprop | grep -oE 'ro.*.build.tags'); do
+    resetprop_if_diff $PROP release-keys
+done
+
+# Other
+for PROP in $(resetprop | grep -oE 'ro.*.build.type'); do
+    resetprop_if_diff $PROP user
+done
+resetprop_if_diff ro.adb.secure 1
+if ! $SKIPDELPROP; then
+    delprop_if_exist ro.boot.verifiedbooterror
+    delprop_if_exist ro.boot.verifyerrorpart
+fi
+resetprop_if_diff ro.boot.veritymode.managed yes
+resetprop_if_diff ro.debuggable 0
+resetprop_if_diff ro.force.debuggable 0
+resetprop_if_diff ro.secure 1

module/template/service.sh

@@ -0,0 +1,49 @@
+MODPATH="${0%/*}"
+. $MODPATH/common_func.sh
+
+# Conditional sensitive properties
+
+# Magisk Recovery Mode
+resetprop_if_match ro.boot.mode recovery unknown
+resetprop_if_match ro.bootmode recovery unknown
+resetprop_if_match vendor.boot.mode recovery unknown
+
+# SELinux
+resetprop_if_diff ro.boot.selinux enforcing
+# use delete since it can be 0 or 1 for enforcing depending on OEM
+if ! $SKIPDELPROP; then
+    delprop_if_exist ro.build.selinux
+fi
+# use toybox to protect stat access time reading
+if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then
+    chmod 640 /sys/fs/selinux/enforce
+    chmod 440 /sys/fs/selinux/policy
+fi
+
+# Conditional late sensitive properties
+
+# must be set after boot_completed for various OEMs
+{
+until [ "$(getprop sys.boot_completed)" = "1" ]; do
+    sleep 1
+done
+
+# SafetyNet/Play Integrity + OEM
+# avoid bootloop on some Xiaomi devices
+resetprop_if_diff ro.secureboot.lockstate locked
+# avoid breaking Realme fingerprint scanners
+resetprop_if_diff ro.boot.flash.locked 1
+resetprop_if_diff ro.boot.realme.lockstate 1
+# avoid breaking Oppo fingerprint scanners
+resetprop_if_diff ro.boot.vbmeta.device_state locked
+# avoid breaking OnePlus display modes/fingerprint scanners
+resetprop_if_diff vendor.boot.verifiedbootstate green
+# avoid breaking OnePlus/Oppo fingerprint scanners on OOS/ColorOS 12+
+resetprop_if_diff ro.boot.verifiedbootstate green
+resetprop_if_diff ro.boot.veritymode enforcing
+resetprop_if_diff vendor.boot.vbmeta.device_state locked
+
+# Other
+resetprop_if_diff sys.oem_unlock_allowed 0
+
+}&

update_metadata/CHANGELOG.md

@@ -1,14 +1,12 @@
-## 2.1.1
-+ Added prop hiding! 🎉
-+ Added FD reopener, might solve some issues.
-+ Changed mount detection logic to include bind mounts on KSU.
+## 2.1.4
+* Fixed a problem causing Zygisk Assistant to be detectable.
+* Updated prop scripts.
+* Compiled with a newer compiler.
 
-## 2.1.0
-+ Added Zygisk hide for Magisk 27.0.
-+ Fixed bind mount hiding. ReVanced is fully hidden now.
-+ All Systemless Hosts modules are hidden now.
-+ Fixed compatibility issues with other modules.
+## 2.1.3
+* Restored Shamiko v1.1.1 compatibility.
+* Fixed bootloop on some Xiaomi devices.
+- Removed unnecessary mount ID regeneration.
 
-## 2.0.4
-+ Fixed an issue causing root to be lost.
-+ Fixed potential incompatibilities with other apps.
+## 2.1.2
++ Added scripts to reset sensitive props.

update_metadata/update.json

@@ -1,6 +1,6 @@
 {
-    "version": "v2.1.0",
-    "versionCode": 210,
-    "zipUrl": "https://github.com/snake-4/Zygisk-Assistant/releases/download/v2.1.0/Zygisk-Assistant-v2.1.0-72f96df-release.zip",
+    "version": "v2.1.4",
+    "versionCode": 214,
+    "zipUrl": "https://github.com/snake-4/Zygisk-Assistant/releases/download/v2.1.4/Zygisk-Assistant-v2.1.4-1013f8a-release.zip",
     "changelog": "https://raw.githubusercontent.com/snake-4/Zygisk-Assistant/main/update_metadata/CHANGELOG.md"
-}
+}