Bumped version to 2.1.3

Please see
https://github.com/osm0sis/PlayIntegrityFork/tree/main/module
and
https://github.com/Displax/safetynet-fix/tree/dev/magisk
for full commit history and attribution/authorship

.gitmodules

@@ -4,9 +4,9 @@
 [submodule "module/jni/libcxx"]
 	path = module/jni/libcxx
 	url = https://github.com/topjohnwu/libcxx.git
-[submodule "module/jni/system_properties"]
-	path = module/jni/system_properties
-	url = https://github.com/topjohnwu/system_properties
 [submodule "module/jni/aosp_fd_utils"]
 	path = module/jni/aosp_fd_utils
 	url = https://github.com/snake-4/aosp_fd_utils.git
+[submodule "module/jni/aosp_system_properties"]
+	path = module/jni/aosp_system_properties
+	url = https://github.com/topjohnwu/system_properties

build.gradle.kts

@@ -1,7 +1,7 @@
 import java.io.ByteArrayOutputStream
 
 plugins {
-    id("com.android.library") version "8.3.2" apply false
+    id("com.android.library") version "8.5.0" apply false
 }
 
 val commitHash: String by extra {
@@ -15,5 +15,5 @@ val commitHash: String by extra {
 
 val moduleId by extra("zygisk-assistant")
 val moduleName by extra("Zygisk Assistant")
-val verName by extra("v2.1.1")
-val verCode by extra(211)
+val verName by extra("v2.1.3")
+val verCode by extra(213)

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

module/build.gradle.kts

@@ -14,7 +14,7 @@ val abiList: List<String> by rootProject.extra
 android {
     namespace = "com.example.library"
     compileSdkVersion = "android-34"
-    ndkVersion = "26.3.11579264"
+    ndkVersion = "27.0.12077973"
     defaultConfig {
         minSdk = 21
         externalNativeBuild {

module/jni/Android.mk

@@ -9,5 +9,5 @@ LOCAL_LDLIBS := -llog
 include $(BUILD_SHARED_LIBRARY)
 
 include jni/libcxx/Android.mk
-include jni/system_properties/Android.mk
+include jni/aosp_system_properties/Android.mk
 include jni/aosp_fd_utils/Android.mk

module/jni/include/map_parser.hpp

@@ -6,10 +6,10 @@
 
 namespace Parsers
 {
-    class map_entry_t
+    class map_entry
     {
     public:
-        map_entry_t(uintptr_t address_start, uintptr_t address_end, uintptr_t offset,
+        map_entry(uintptr_t address_start, uintptr_t address_end, uintptr_t offset,
                     const std::string &perms, const std::string &pathname, dev_t device, ino_t inode);
 
         uintptr_t getAddressStart() const;
@@ -27,5 +27,5 @@ namespace Parsers
         ino_t inode;
     };
 
-    const std::vector<map_entry_t> &parseSelfMaps(bool cached = true);
+    const std::vector<map_entry> &parseSelfMaps(bool cached = true);
 }

module/jni/include/mountinfo_parser.hpp

@@ -6,10 +6,10 @@
 
 namespace Parsers
 {
-    class mountinfo_entry_t
+    class mountinfo_entry
     {
     public:
-        mountinfo_entry_t(int mount_id, int parent_id, dev_t device,
+        mountinfo_entry(int mount_id, int parent_id, dev_t device,
                           const std::string &root, const std::string &mount_point,
                           const std::string &mount_options, const std::string &optional_fields,
                           const std::string &filesystem_type, const std::string &mount_source,
@@ -33,13 +33,13 @@ namespace Parsers
         std::unordered_map<std::string, std::string> mount_options, super_options;
     };
 
-    const std::vector<mountinfo_entry_t> &parseSelfMountinfo(bool cached = true);
+    const std::vector<mountinfo_entry> &parseSelfMountinfo(bool cached = true);
 
     class mountinfo_root_resolver
     {
     public:
-        mountinfo_root_resolver(const std::vector<mountinfo_entry_t> &mount_infos);
-        std::string resolveRootOf(const mountinfo_entry_t &mount_info) const;
+        mountinfo_root_resolver(const std::vector<mountinfo_entry> &mount_infos);
+        std::string resolveRootOf(const mountinfo_entry &mount_info) const;
 
     private:
         std::unordered_map<dev_t, std::string> device_mount_map;

module/jni/main.cpp

@@ -19,16 +19,17 @@ static std::function<void()> callbackFunction = []() {};
 
 /*
  * [What's the purpose of this hook?]
- * Calling unshare twice invalidates existing FD links, which fails Zygote sanity checks.
- * So we prevent further namespaces by hooking unshare.
+ * Hooking unshare is necessary to stop Zygote from calling unshare a second time,
+ * because that breaks the FDs. We handle this by reopening FDs,
+ * allowing us to call unshare twice safely in our callback.
  *
  * [Doesn't Android already call unshare?]
- * Whether there's going to be an unshare or not changes with each major Android version
- * so we unconditionally unshare in preAppSpecialize.
- * > Android 5: Conditionally unshares
- * > Android 6: Always unshares
- * > Android 7-11: Conditionally unshares
- * > Android 12-14: Always unshares
+ * Android's use of unshare changes with each major version, so we always call unshare
+ * in preAppSpecialize.
+ * > Android 5: Sometimes calls unshare
+ * > Android 6: Always calls unshare
+ * > Android 7-11: Sometimes calls unshare
+ * > Android 12-14: Always calls unshare
  */
 DCL_HOOK_FUNC(static int, unshare, int flags)
 {
@@ -45,10 +46,11 @@ DCL_HOOK_FUNC(static int, unshare, int flags)
 }
 
 /*
- * The reason why we hook setresuid is because so far it has been unconditionally called
- * and we still have CAP_SYS_ADMIN during this call.
- * Also, KSU hooks setuid and unmounts some overlays
- * so we have to run our code before the syscall.
+ * [What's the purpose of this hook?]
+ * Hooking setresuid ensures we can execute code while we still have CAP_SYS_ADMIN,
+ * which is necessary for some operations.
+ * This hook is necessary because setresuid is called unconditionally,
+ * and we need to perform actions before this syscall.
  */
 DCL_HOOK_FUNC(static int, setresuid, uid_t ruid, uid_t euid, uid_t suid)
 {
@@ -56,6 +58,27 @@ DCL_HOOK_FUNC(static int, setresuid, uid_t ruid, uid_t euid, uid_t suid)
     return old_setresuid(ruid, euid, suid);
 }
 
+/*
+ * [Why is this function needed?]
+ * This function unconditionally calls unshare to create a new mount namespace.
+ * It ensures that the new namespace is isolated but still allows propagation of mount
+ * events from the parent namespace by setting the root as MS_SLAVE.
+ */
+static bool new_mount_ns()
+{
+    /*
+     * Unconditional unshare.
+     */
+    ASSERT_DO(new_mount_ns, old_unshare(CLONE_NEWNS) != -1, return false);
+
+    /*
+     * Mount the app mount namespace's root as MS_SLAVE, so every mount/umount from
+     * Zygote shared pre-specialization namespace is propagated to this one.
+     */
+    ASSERT_DO(new_mount_ns, mount("rootfs", "/", NULL, (MS_SLAVE | MS_REC), NULL) != -1, return false);
+    return true;
+}
+
 class ZygiskModule : public zygisk::ModuleBase
 {
 public:
@@ -80,17 +103,6 @@ public:
         }
         LOGD("Processing ppid=%d uid=%d isChildZygote=%d", getppid(), args->uid, isChildZygote);
 
-        /*
-         * Read the comment above unshare hook.
-         */
-        ASSERT_DO(preAppSpecialize, unshare(CLONE_NEWNS) != -1, return);
-
-        /*
-         * Mount the app mount namespace's root as MS_SLAVE, so every mount/umount from
-         * Zygote shared pre-specialization namespace is propagated to this one.
-         */
-        ASSERT_DO(preAppSpecialize, mount("rootfs", "/", NULL, (MS_SLAVE | MS_REC), NULL) != -1, return);
-
         ASSERT_DO(preAppSpecialize, hookPLTByName("libandroid_runtime.so", "unshare", new_unshare, &old_unshare), return);
         ASSERT_DO(preAppSpecialize, hookPLTByName("libandroid_runtime.so", "setresuid", new_setresuid, &old_setresuid), return);
 
@@ -100,8 +112,13 @@ public:
 
         callbackFunction = [fd = companionFd]()
         {
+            // Call only once per process.
+            callbackFunction = []() {};
             FDReopener::ScopedRegularReopener srr;
             
+            if (!new_mount_ns())
+                return;
+
             bool result = false;
             if (fd != -1)
             {
@@ -123,9 +140,6 @@ public:
             }
 
             doHideZygisk();
-
-            // Call only once per process.
-            callbackFunction = []() {};
         };
     }
 

module/jni/map_parser.cpp

@@ -9,21 +9,21 @@
 
 using namespace Parsers;
 
-map_entry_t::map_entry_t(uintptr_t address_start, uintptr_t address_end, uintptr_t offset, const std::string &perms, const std::string &pathname, dev_t device, ino_t inode)
+map_entry::map_entry(uintptr_t address_start, uintptr_t address_end, uintptr_t offset, const std::string &perms, const std::string &pathname, dev_t device, ino_t inode)
     : address_start(address_start), address_end(address_end), perms(perms),
       offset(offset), device(device), inode(inode), pathname(pathname) {}
 
-uintptr_t map_entry_t::getAddressStart() const { return address_start; }
-uintptr_t map_entry_t::getAddressEnd() const { return address_end; }
-const std::string &map_entry_t::getPerms() const { return perms; }
-uintptr_t map_entry_t::getOffset() const { return offset; }
-dev_t map_entry_t::getDevice() const { return device; }
-ino_t map_entry_t::getInode() const { return inode; }
-const std::string &map_entry_t::getPathname() const { return pathname; }
+uintptr_t map_entry::getAddressStart() const { return address_start; }
+uintptr_t map_entry::getAddressEnd() const { return address_end; }
+const std::string &map_entry::getPerms() const { return perms; }
+uintptr_t map_entry::getOffset() const { return offset; }
+dev_t map_entry::getDevice() const { return device; }
+ino_t map_entry::getInode() const { return inode; }
+const std::string &map_entry::getPathname() const { return pathname; }
 
-const std::vector<map_entry_t> &Parsers::parseSelfMaps(bool cached)
+const std::vector<map_entry> &Parsers::parseSelfMaps(bool cached)
 {
-    static std::vector<map_entry_t> parser_cache;
+    static std::vector<map_entry> parser_cache;
     if (cached && !parser_cache.empty())
     {
         return parser_cache;
@@ -59,7 +59,7 @@ const std::vector<map_entry_t> &Parsers::parseSelfMaps(bool cached)
         // This operation can fail, it doesn't matter as it's an optional field.
         std::getline(iss >> std::ws, pathname);
 
-        parser_cache.emplace_back(map_entry_t(address_start, address_end, offset, perms, pathname, makedev(dev_major, dev_minor), inode));
+        parser_cache.emplace_back(map_entry(address_start, address_end, offset, perms, pathname, makedev(dev_major, dev_minor), inode));
     }
 
     return parser_cache;

module/jni/modules.cpp

@@ -32,7 +32,7 @@ static const std::unordered_map<std::string, int> mount_flags_procfs = {
     {"relatime", MS_RELATIME},
     {"nosymfollow", MS_NOSYMFOLLOW}};
 
-static bool shouldUnmount(const mountinfo_entry_t &mount, const mountinfo_root_resolver &root_resolver)
+static bool shouldUnmount(const mountinfo_entry &mount, const mountinfo_root_resolver &root_resolver)
 {
     const auto true_root = root_resolver.resolveRootOf(mount);
     const auto &mount_point = mount.getMountPoint();

module/jni/mountinfo_parser.cpp

@@ -30,7 +30,7 @@ static std::unordered_map<std::string, std::string> parseMountOptions(const std:
     return ret;
 }
 
-mountinfo_entry_t::mountinfo_entry_t(int mount_id, int parent_id, dev_t device,
+mountinfo_entry::mountinfo_entry(int mount_id, int parent_id, dev_t device,
                                      const std::string &root, const std::string &mount_point,
                                      const std::string &mount_options, const std::string &optional_fields,
                                      const std::string &filesystem_type, const std::string &mount_source,
@@ -44,20 +44,20 @@ mountinfo_entry_t::mountinfo_entry_t(int mount_id, int parent_id, dev_t device,
     this->super_options = parseMountOptions(super_options);
 }
 
-int mountinfo_entry_t::getMountId() const { return mount_id; }
-int mountinfo_entry_t::getParentId() const { return parent_id; }
-dev_t mountinfo_entry_t::getDevice() const { return device; }
-const std::string &mountinfo_entry_t::getRoot() const { return root; }
-const std::string &mountinfo_entry_t::getMountPoint() const { return mount_point; }
-const std::unordered_map<std::string, std::string> &mountinfo_entry_t::getMountOptions() const { return mount_options; }
-const std::string &mountinfo_entry_t::getOptionalFields() const { return optional_fields; }
-const std::string &mountinfo_entry_t::getFilesystemType() const { return filesystem_type; }
-const std::string &mountinfo_entry_t::getMountSource() const { return mount_source; }
-const std::unordered_map<std::string, std::string> &mountinfo_entry_t::getSuperOptions() const { return super_options; }
+int mountinfo_entry::getMountId() const { return mount_id; }
+int mountinfo_entry::getParentId() const { return parent_id; }
+dev_t mountinfo_entry::getDevice() const { return device; }
+const std::string &mountinfo_entry::getRoot() const { return root; }
+const std::string &mountinfo_entry::getMountPoint() const { return mount_point; }
+const std::unordered_map<std::string, std::string> &mountinfo_entry::getMountOptions() const { return mount_options; }
+const std::string &mountinfo_entry::getOptionalFields() const { return optional_fields; }
+const std::string &mountinfo_entry::getFilesystemType() const { return filesystem_type; }
+const std::string &mountinfo_entry::getMountSource() const { return mount_source; }
+const std::unordered_map<std::string, std::string> &mountinfo_entry::getSuperOptions() const { return super_options; }
 
-const std::vector<mountinfo_entry_t> &Parsers::parseSelfMountinfo(bool cached)
+const std::vector<mountinfo_entry> &Parsers::parseSelfMountinfo(bool cached)
 {
-    static std::vector<mountinfo_entry_t> parser_cache;
+    static std::vector<mountinfo_entry> parser_cache;
     if (cached && !parser_cache.empty())
     {
         return parser_cache;
@@ -106,7 +106,7 @@ const std::vector<mountinfo_entry_t> &Parsers::parseSelfMountinfo(bool cached)
             continue;
         }
 
-        parser_cache.emplace_back(mountinfo_entry_t(mount_id, parent_id, makedev(_major, _minor),
+        parser_cache.emplace_back(mountinfo_entry(mount_id, parent_id, makedev(_major, _minor),
                                                     root, mount_point, mount_options,
                                                     optional_fields, filesystem_type, mount_source,
                                                     super_options));
@@ -115,7 +115,7 @@ const std::vector<mountinfo_entry_t> &Parsers::parseSelfMountinfo(bool cached)
     return parser_cache;
 }
 
-mountinfo_root_resolver::mountinfo_root_resolver(const std::vector<mountinfo_entry_t> &mount_infos)
+mountinfo_root_resolver::mountinfo_root_resolver(const std::vector<mountinfo_entry> &mount_infos)
 {
     for (const auto &mount_info : mount_infos)
     {
@@ -126,7 +126,7 @@ mountinfo_root_resolver::mountinfo_root_resolver(const std::vector<mountinfo_ent
     }
 }
 
-std::string mountinfo_root_resolver::resolveRootOf(const mountinfo_entry_t &mount_info) const
+std::string mountinfo_root_resolver::resolveRootOf(const mountinfo_entry &mount_info) const
 {
     auto dev = mount_info.getDevice();
     if (device_mount_map.contains(dev))

module/template/common_func.sh

@@ -0,0 +1,17 @@
+# resetprop_if_diff <prop name> <expected value>
+resetprop_if_diff() {
+    local NAME="$1"
+    local EXPECTED="$2"
+    local CURRENT="$(resetprop "$NAME")"
+
+    [ -z "$CURRENT" ] || [ "$CURRENT" = "$EXPECTED" ] || resetprop -n "$NAME" "$EXPECTED"
+}
+
+# resetprop_if_match <prop name> <value match string> <new value>
+resetprop_if_match() {
+    local NAME="$1"
+    local CONTAINS="$2"
+    local VALUE="$3"
+
+    [[ "$(resetprop "$NAME")" = *"$CONTAINS"* ]] && resetprop -n "$NAME" "$VALUE"
+}

module/template/post-fs-data.sh

@@ -0,0 +1,29 @@
+MODPATH="${0%/*}"
+. $MODPATH/common_func.sh
+
+# Conditional early sensitive properties
+
+# Samsung
+resetprop_if_diff ro.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.warranty_bit 0
+resetprop_if_diff ro.warranty_bit 0
+
+# Realme
+resetprop_if_diff ro.boot.realmebootstate green
+
+# OnePlus
+resetprop_if_diff ro.is_ever_orange 0
+
+# Microsoft
+for PROP in $(resetprop | grep -oE 'ro.*.build.tags'); do
+    resetprop_if_diff $PROP release-keys
+done
+
+# Other
+for PROP in $(resetprop | grep -oE 'ro.*.build.type'); do
+    resetprop_if_diff $PROP user
+done
+resetprop_if_diff ro.debuggable 0
+resetprop_if_diff ro.force.debuggable 0
+resetprop_if_diff ro.secure 1

module/template/service.sh

@@ -0,0 +1,51 @@
+MODPATH="${0%/*}"
+. $MODPATH/common_func.sh
+
+# Recovery Mode
+resetprop_if_match ro.boot.mode recovery unknown
+resetprop_if_match ro.bootmode recovery unknown
+resetprop_if_match vendor.boot.mode recovery unknown
+
+# SELinux
+resetprop_if_diff ro.boot.selinux enforcing
+if [ -n "$(resetprop ro.build.selinux)" ]; then
+    resetprop --delete ro.build.selinux
+fi
+
+# SELinux file access time
+if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then
+    chmod 640 /sys/fs/selinux/enforce
+    chmod 440 /sys/fs/selinux/policy
+fi
+
+{
+until [ "$(getprop sys.boot_completed)" = "1" ]; do
+    sleep 1
+done
+
+# Avoid bootloop on some Xiaomi devices
+resetprop_if_diff ro.secureboot.lockstate locked
+
+# Avoid breaking Realme fingerprint scanners
+resetprop_if_diff ro.boot.flash.locked 1
+resetprop_if_diff ro.boot.realme.lockstate 1
+
+# Avoid breaking Oppo fingerprint scanners
+resetprop_if_diff ro.boot.vbmeta.device_state locked
+
+# Avoid breaking OnePlus display modes/fingerprint scanners
+resetprop_if_diff vendor.boot.verifiedbootstate green
+
+# Avoid breaking OnePlus/Oppo fingerprint scanners on OOS/ColorOS 12+
+resetprop_if_diff ro.boot.verifiedbootstate green
+resetprop_if_diff ro.boot.veritymode enforcing
+resetprop_if_diff vendor.boot.vbmeta.device_state locked
+
+# Other
+resetprop_if_diff sys.oem_unlock_allowed 0
+resetprop_if_diff ro.secure 1
+resetprop_if_diff ro.adb.secure 1
+resetprop_if_diff ro.build.type user
+resetprop_if_diff ro.build.tags release-keys
+
+}&

update_metadata/CHANGELOG.md

@@ -1,14 +1,7 @@
-## 2.1.1
-+ Added prop hiding! 🎉
-+ Added FD reopener, might solve some issues.
-+ Changed mount detection logic to include bind mounts on KSU.
+## 2.1.3
+* Restored Shamiko v1.1.1 compatibility.
+* Fixed bootloop on some Xiaomi devices.
+- Removed unnecessary mount ID regeneration.
 
-## 2.1.0
-+ Added Zygisk hide for Magisk 27.0.
-+ Fixed bind mount hiding. ReVanced is fully hidden now.
-+ All Systemless Hosts modules are hidden now.
-+ Fixed compatibility issues with other modules.
-
-## 2.0.4
-+ Fixed an issue causing root to be lost.
-+ Fixed potential incompatibilities with other apps.
+## 2.1.2
++ Added scripts to reset sensitive props.

update_metadata/update.json

@@ -1,6 +1,6 @@
 {
-    "version": "v2.1.0",
-    "versionCode": 210,
-    "zipUrl": "https://github.com/snake-4/Zygisk-Assistant/releases/download/v2.1.0/Zygisk-Assistant-v2.1.0-72f96df-release.zip",
+    "version": "v2.1.2",
+    "versionCode": 212,
+    "zipUrl": "https://github.com/snake-4/Zygisk-Assistant/releases/download/v2.1.2/Zygisk-Assistant-v2.1.2-8878c9f-release.zip",
     "changelog": "https://raw.githubusercontent.com/snake-4/Zygisk-Assistant/main/update_metadata/CHANGELOG.md"
 }