Improved unmount logic (#93)

Proper info, in the section about KernelSU & APatch.

.github/workflows/ci.yml

@@ -28,23 +28,23 @@ jobs:
         if: success()
         id: prepareArtifact
         run: |
-          echo "releaseName=$(basename module/build/out/*-release.zip .zip)" >> $GITHUB_OUTPUT
-          echo "debugName=$(basename module/build/out/*-debug.zip .zip)" >> $GITHUB_OUTPUT
+          echo "releaseName=$(basename module/build/outputs/zip/*-release.zip .zip)" >> $GITHUB_OUTPUT
+          echo "debugName=$(basename module/build/outputs/zip/*-debug.zip .zip)" >> $GITHUB_OUTPUT
 
       - name: Upload Release Artifact
         uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.prepareArtifact.outputs.releaseName }}
-          path: "module/build/out/release"
+          path: "module/build/outputs/zip/release"
 
       - name: Upload Debug Artifact
         uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.prepareArtifact.outputs.debugName }}
-          path: "module/build/out/debug"
+          path: "module/build/outputs/zip/debug"
 
       - name: Create a release
         if: startsWith(github.ref, 'refs/tags/v')
         uses: softprops/action-gh-release@v2
         with:
-          files: module/build/out/*.zip
+          files: module/build/outputs/zip/*.zip

README.md

@@ -20,7 +20,7 @@ Using the **release** build is recommended over the debug build. Only use debug
 
 ### KernelSU & APatch users:
 1. Install ZygiskNext.
-1. Make sure the unmount setting is enabled for the target app in the KernelSU/APatch Manager.
+1. Make sure the option `Umount modules/Exclude modifications` is enabled for the target app in the KernelSU/APatch Manager.
 1. Disable `Enforce DenyList` in ZygiskNext settings if there is one.
 
 ### Magisk users:
@@ -48,4 +48,4 @@ Don't forget to give the project a star! Thanks again!
 <!-- LICENSE -->
 ## License
 
-Distributed under the MIT License. See `LICENSE` for more information.
+Distributed under the MIT License. See `LICENSE` for more information.

build.gradle.kts

@@ -1,19 +1,17 @@
 import java.io.ByteArrayOutputStream
 
 plugins {
-    id("com.android.library") version "8.5.0" apply false
+    id("com.android.library") version "8.8.1" apply false
 }
 
 val commitHash: String by extra {
-    val stdout = ByteArrayOutputStream()
-    rootProject.exec {
-        commandLine("git", "rev-parse", "--short", "HEAD")
-        standardOutput = stdout
+    val result = providers.exec {
+        commandLine("git", "rev-parse", "--verify", "--short", "HEAD")
     }
-    stdout.toString().trim()
+    result.standardOutput.asText.get().trim()
 }
 
 val moduleId by extra("zygisk-assistant")
 val moduleName by extra("Zygisk Assistant")
-val verName by extra("v2.1.3")
-val verCode by extra(213)
+val verName by extra("v2.1.4")
+val verCode by extra(214)

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

module/build.gradle.kts

@@ -14,7 +14,7 @@ val abiList: List<String> by rootProject.extra
 android {
     namespace = "com.example.library"
     compileSdkVersion = "android-34"
-    ndkVersion = "27.0.12077973"
+    ndkVersion = "28.0.13004108"
     defaultConfig {
         minSdk = 21
         externalNativeBuild {
@@ -36,8 +36,8 @@ androidComponents.onVariants { variant ->
     val buildTypeLowered = variant.buildType?.lowercase()
 
     val libOutDir = layout.buildDirectory.dir("intermediates/stripped_native_libs/$variantLowered/strip${variantCapped}DebugSymbols/out/lib").get()
-    val moduleDir = layout.buildDirectory.dir("out/$variantLowered").get()
-    val zipOutDir = layout.buildDirectory.dir("out/").get()
+    val moduleDir = layout.buildDirectory.dir("outputs/zip/$variantLowered").get()
+    val zipOutDir = layout.buildDirectory.dir("outputs/zip/").get()
     val zipFileName = "$moduleName-$verName-$commitHash-$buildTypeLowered.zip".replace(' ', '-')
 
     val moduleFilesTask = task<Sync>("moduleFiles$variantCapped") {

module/jni/include/utils.hpp

@@ -4,6 +4,7 @@
 #include <functional>
 #include "logging.hpp"
 #include "zygisk.hpp"
+#include "mountinfo_parser.hpp"
 
 #define DCL_HOOK_FUNC(ret, func, ...)         \
     ret (*old_##func)(__VA_ARGS__) = nullptr; \
@@ -36,4 +37,5 @@ namespace Utils
     int isUserAppUID(int uid);
     bool hookPLTByName(zygisk::Api *api, const std::string &libName, const std::string &symbolName, void *hookFunc, void **origFunc);
     int forkAndInvoke(const std::function<int()> &lambda);
+    const char *getExtErrorsBehavior(const Parsers::mountinfo_entry &entry);
 }

module/jni/modules.cpp

@@ -22,6 +22,7 @@
 
 using namespace Parsers;
 
+static const std::set<std::string> mountdir_list = {"/data/adb", "/debug_ramdisk"};
 static const std::set<std::string> fsname_list = {"KSU", "APatch", "magisk", "worker"};
 static const std::unordered_map<std::string, int> mount_flags_procfs = {
     {"nosuid", MS_NOSUID},
@@ -38,33 +39,32 @@ static bool shouldUnmount(const mountinfo_entry &mount, const mountinfo_root_res
     const auto &mount_point = mount.getMountPoint();
     const auto &type = mount.getFilesystemType();
 
-    // Mount is from /data/adb
-    if (true_root.starts_with("/data/adb"))
-        return true;
+    // Unmount all mounts from and to directories in mountdir_list
+    for (const auto &mountdir : mountdir_list)
+    {
+        if (true_root.starts_with(mountdir) || mount_point.starts_with(mountdir))
+            return true;
 
-    // Mount is to /data/adb
-    if (mount_point.starts_with("/data/adb"))
-        return true;
+        // Unmount all overlayfs with lowerdir/upperdir/workdir in mountdir_list
+        if (type == "overlay")
+        {
+            const auto &options = mount.getSuperOptions();
+
+            if (options.contains("lowerdir") && options.at("lowerdir").starts_with(mountdir))
+                return true;
+
+            if (options.contains("upperdir") && options.at("upperdir").starts_with(mountdir))
+                return true;
+
+            if (options.contains("workdir") && options.at("workdir").starts_with(mountdir))
+                return true;
+        }
+    }
 
     // Unmount all module overlayfs and tmpfs
     if ((type == "overlay" || type == "tmpfs") && fsname_list.contains(mount.getMountSource()))
         return true;
 
-    // Unmount all overlayfs with lowerdir/upperdir/workdir starting with /data/adb
-    if (type == "overlay")
-    {
-        const auto &options = mount.getSuperOptions();
-
-        if (options.contains("lowerdir") && options.at("lowerdir").starts_with("/data/adb"))
-            return true;
-
-        if (options.contains("upperdir") && options.at("upperdir").starts_with("/data/adb"))
-            return true;
-
-        if (options.contains("workdir") && options.at("workdir").starts_with("/data/adb"))
-            return true;
-    }
-
     return false;
 }
 
@@ -93,28 +93,26 @@ void doRemount()
         if (mount.getMountPoint() == "/data")
         {
             const auto &superOptions = mount.getSuperOptions();
+            if (!superOptions.contains("errors"))
+                break;
+
+            // Remount /data only if errors behavior is not the same as superblock's
+            const char *sb_errors = Utils::getExtErrorsBehavior(mount);
+            if (!sb_errors || superOptions.at("errors") == sb_errors)
+                break;
+
             const auto &mountOptions = mount.getMountOptions();
-
-            // If errors=remount-ro, remount it with errors=continue
-            if (superOptions.contains("errors") && superOptions.at("errors") == "remount-ro")
+            unsigned long flags = MS_REMOUNT;
+            for (const auto &flagName : mount_flags_procfs)
             {
-                unsigned long flags = MS_REMOUNT;
-                for (const auto &flagName : mount_flags_procfs)
-                {
-                    if (mountOptions.contains(flagName.first))
-                        flags |= flagName.second;
-                }
-
-                if (::mount(NULL, "/data", NULL, flags, "errors=continue") == 0)
-                {
-                    LOGD("mount(NULL, \"/data\", NULL, 0x%lx, \"errors=continue\") returned 0", flags);
-                }
-                else
-                {
-                    LOGW("mount(NULL, \"/data\", NULL, 0x%lx, \"errors=continue\") returned -1: %d (%s)", flags, errno, strerror(errno));
-                }
+                if (mountOptions.contains(flagName.first))
+                    flags |= flagName.second;
             }
 
+            if (::mount(NULL, "/data", NULL, flags, (std::string("errors=") + sb_errors).c_str()) == 0)
+                LOGD("mount(NULL, \"/data\", NULL, 0x%lx, ...) returned 0", flags);
+            else
+                LOGW("mount(NULL, \"/data\", NULL, 0x%lx, ...) returned -1: %d (%s)", flags, errno, strerror(errno));
             break;
         }
     }

module/jni/utils.cpp

@@ -1,11 +1,13 @@
+#include <fstream>
 #include <string.h>
+#include <cstdint>
 #include <string>
 #include <functional>
-#include <format>
 #include <unistd.h>
 #include <sys/wait.h>
 #include <sched.h>
 #include <fcntl.h>
+#include <endian.h>
 
 #include "map_parser.hpp"
 #include "utils.hpp"
@@ -80,3 +82,48 @@ int Utils::forkAndInvoke(const std::function<int()> &lambda)
     waitpid(pid, &status, 0);
     return status;
 }
+
+constexpr off_t EXT_SUPERBLOCK_OFFSET = 0x400;
+constexpr off_t EXT_MAGIC_OFFSET = 0x38;
+constexpr off_t EXT_ERRORS_OFFSET = 0x3C;
+constexpr uint16_t EXT_MAGIC = 0xEF53;
+
+const char *Utils::getExtErrorsBehavior(const Parsers::mountinfo_entry &entry)
+{
+    auto fs_type = entry.getFilesystemType();
+    if (fs_type != "ext2" && fs_type != "ext3" && fs_type != "ext4")
+        return nullptr;
+
+    std::ifstream file(entry.getMountSource(), std::ios::binary);
+    if (!file)
+        return nullptr;
+
+    uint16_t magic;
+    file.seekg(EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, std::ios::beg);
+    file.read(reinterpret_cast<char *>(&magic), sizeof(magic));
+    if (!file || file.gcount() != sizeof(magic))
+        return nullptr;
+    magic = le16toh(magic);
+
+    if (magic != EXT_MAGIC)
+        return nullptr;
+
+    uint16_t errors;
+    file.seekg(EXT_SUPERBLOCK_OFFSET + EXT_ERRORS_OFFSET, std::ios::beg);
+    file.read(reinterpret_cast<char *>(&errors), sizeof(errors));
+    if (!file || file.gcount() != sizeof(errors))
+        return nullptr;
+    errors = le16toh(errors);
+
+    switch (errors)
+    {
+    case 1:
+        return "continue";
+    case 2:
+        return "remount-ro";
+    case 3:
+        return "panic";
+    default:
+        return nullptr;
+    }
+}

module/template/common_func.sh

@@ -1,3 +1,6 @@
+SKIPDELPROP=false
+[ -f "$MODPATH/skipdelprop" ] && SKIPDELPROP=true
+
 # resetprop_if_diff <prop name> <expected value>
 resetprop_if_diff() {
     local NAME="$1"
@@ -15,3 +18,10 @@ resetprop_if_match() {
 
     [[ "$(resetprop "$NAME")" = *"$CONTAINS"* ]] && resetprop -n "$NAME" "$VALUE"
 }
+
+# delprop_if_exist <prop name>
+delprop_if_exist() {
+    local NAME="$1"
+
+    [ -n "$(resetprop "$NAME")" ] && resetprop --delete "$NAME"
+}

module/template/post-fs-data.sh

@@ -24,6 +24,12 @@ done
 for PROP in $(resetprop | grep -oE 'ro.*.build.type'); do
     resetprop_if_diff $PROP user
 done
+resetprop_if_diff ro.adb.secure 1
+if ! $SKIPDELPROP; then
+    delprop_if_exist ro.boot.verifiedbooterror
+    delprop_if_exist ro.boot.verifyerrorpart
+fi
+resetprop_if_diff ro.boot.veritymode.managed yes
 resetprop_if_diff ro.debuggable 0
 resetprop_if_diff ro.force.debuggable 0
-resetprop_if_diff ro.secure 1
+resetprop_if_diff ro.secure 1

module/template/service.sh

@@ -1,51 +1,49 @@
 MODPATH="${0%/*}"
 . $MODPATH/common_func.sh
 
-# Recovery Mode
+# Conditional sensitive properties
+
+# Magisk Recovery Mode
 resetprop_if_match ro.boot.mode recovery unknown
 resetprop_if_match ro.bootmode recovery unknown
 resetprop_if_match vendor.boot.mode recovery unknown
 
 # SELinux
 resetprop_if_diff ro.boot.selinux enforcing
-if [ -n "$(resetprop ro.build.selinux)" ]; then
-    resetprop --delete ro.build.selinux
+# use delete since it can be 0 or 1 for enforcing depending on OEM
+if ! $SKIPDELPROP; then
+    delprop_if_exist ro.build.selinux
 fi
-
-# SELinux file access time
+# use toybox to protect stat access time reading
 if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then
     chmod 640 /sys/fs/selinux/enforce
     chmod 440 /sys/fs/selinux/policy
 fi
 
+# Conditional late sensitive properties
+
+# must be set after boot_completed for various OEMs
 {
 until [ "$(getprop sys.boot_completed)" = "1" ]; do
     sleep 1
 done
 
-# Avoid bootloop on some Xiaomi devices
+# SafetyNet/Play Integrity + OEM
+# avoid bootloop on some Xiaomi devices
 resetprop_if_diff ro.secureboot.lockstate locked
-
-# Avoid breaking Realme fingerprint scanners
+# avoid breaking Realme fingerprint scanners
 resetprop_if_diff ro.boot.flash.locked 1
 resetprop_if_diff ro.boot.realme.lockstate 1
-
-# Avoid breaking Oppo fingerprint scanners
+# avoid breaking Oppo fingerprint scanners
 resetprop_if_diff ro.boot.vbmeta.device_state locked
-
-# Avoid breaking OnePlus display modes/fingerprint scanners
+# avoid breaking OnePlus display modes/fingerprint scanners
 resetprop_if_diff vendor.boot.verifiedbootstate green
-
-# Avoid breaking OnePlus/Oppo fingerprint scanners on OOS/ColorOS 12+
+# avoid breaking OnePlus/Oppo fingerprint scanners on OOS/ColorOS 12+
 resetprop_if_diff ro.boot.verifiedbootstate green
 resetprop_if_diff ro.boot.veritymode enforcing
 resetprop_if_diff vendor.boot.vbmeta.device_state locked
 
 # Other
 resetprop_if_diff sys.oem_unlock_allowed 0
-resetprop_if_diff ro.secure 1
-resetprop_if_diff ro.adb.secure 1
-resetprop_if_diff ro.build.type user
-resetprop_if_diff ro.build.tags release-keys
 
-}&
+}&

update_metadata/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2.1.4
+* Fixed a problem causing Zygisk Assistant to be detectable.
+* Updated prop scripts.
+* Compiled with a newer compiler.
+
 ## 2.1.3
 * Restored Shamiko v1.1.1 compatibility.
 * Fixed bootloop on some Xiaomi devices.

update_metadata/update.json

@@ -1,6 +1,6 @@
 {
-    "version": "v2.1.2",
-    "versionCode": 212,
-    "zipUrl": "https://github.com/snake-4/Zygisk-Assistant/releases/download/v2.1.2/Zygisk-Assistant-v2.1.2-8878c9f-release.zip",
+    "version": "v2.1.4",
+    "versionCode": 214,
+    "zipUrl": "https://github.com/snake-4/Zygisk-Assistant/releases/download/v2.1.4/Zygisk-Assistant-v2.1.4-1013f8a-release.zip",
     "changelog": "https://raw.githubusercontent.com/snake-4/Zygisk-Assistant/main/update_metadata/CHANGELOG.md"
-}
+}