Bump to 0.5.0

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "loader/src/external/parallel-hashmap"]
 	path = loader/src/external/parallel-hashmap
 	url = https://github.com/greg7mdp/parallel-hashmap
+[submodule "zygiskd/src/external/binder_rs"]
+	path = zygiskd/src/external/binder_rs
+	url = https://github.com/Kernel-SU/binder_rs

README.md

@@ -2,33 +2,15 @@
 
 Zygisk loader for KernelSU, allowing Zygisk modules to run without Magisk environment.
 
-Warning: The current version of Zygisksu is UNSTABLE. You may suffer boot loop or even data loss so use with caution.
+Also works as standalone loader for Magisk on purpose of getting rid of LD_PRELOAD.
 
 ## Requirements
 
-+ Minimal KernelSU version: 15
-+ Minimal ksud version: 7b32c0e
++ Minimal KernelSU version: 10654
++ Minimal ksud version: 10647
++ Full SELinux patch support (If non-gki kernel)
++ No multiple root implementation installed
 
 ## Compatibility
 
-- [x] LSPosed
-- [x] Storage Isolation
-- [ ] IFW Enhance
-- [ ] Universal SafetyNet Fix
-- [ ] Shamiko
-
-## Development road map
-
-- [x] [Inject] Basic Zygisk loader
-- [x] [Inject] Stabilize injector
-- [x] [Inject] Unload
-- [ ] [Daemon] Separate zygiskd process
-- [ ] [Daemon] Handle 64 bit only devices
-- [ ] [Daemon] Handle zygote death
-
-## Running on Magisk
-
-It is possible to run Zygisksu on Magisk with a few steps:
-
-1. `mkdir /data/adb/ksu`
-2. `ln -s /data/adb/modules /data/adb/ksu/`
+Should work with everything except those rely on Magisk internal behaviors.

build.gradle.kts

@@ -31,14 +31,18 @@ val gitCommitHash = "git rev-parse --verify --short HEAD".execute()
 
 val moduleId by extra("zygisksu")
 val moduleName by extra("Zygisk on KernelSU")
-val verName by extra("v4-0.1.0")
+val verName by extra("v4-0.5.0")
 val verCode by extra(gitCommitCount)
+val minKsuVersion by extra(10654)
+val minKsudVersion by extra(10647)
+val maxKsuVersion by extra(20000)
+val minMagiskVersion by extra(25000)
 
 val androidMinSdkVersion by extra(29)
 val androidTargetSdkVersion by extra(33)
 val androidCompileSdkVersion by extra(33)
-val androidBuildToolsVersion by extra("33.0.1")
-val androidCompileNdkVersion by extra("25.1.8937393")
+val androidBuildToolsVersion by extra("33.0.2")
+val androidCompileNdkVersion by extra("25.2.9519653")
 val androidSourceCompatibility by extra(JavaVersion.VERSION_11)
 val androidTargetCompatibility by extra(JavaVersion.VERSION_11)
 

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-bin.zip
 distributionPath=wrapper/dists
 zipStorePath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME

loader/src/common/daemon.cpp

@@ -29,7 +29,6 @@ namespace zygiskd {
     }
 
     bool PingHeartbeat() {
-        LOGD("Daemon socket: %s", kZygiskSocket.data());
         UniqueFd fd = Connect(5);
         if (fd == -1) {
             PLOGE("Connect to zygiskd");
@@ -39,6 +38,16 @@ namespace zygiskd {
         return true;
     }
 
+    int RequestLogcatFd() {
+        int fd = Connect(1);
+        if (fd == -1) {
+            PLOGE("RequestLogcatFd");
+            return -1;
+        }
+        socket_utils::write_u8(fd, (uint8_t) SocketAction::RequestLogcatFd);
+        return fd;
+    }
+
     std::string ReadNativeBridge() {
         UniqueFd fd = Connect(1);
         if (fd == -1) {
@@ -49,6 +58,17 @@ namespace zygiskd {
         return socket_utils::read_string(fd);
     }
 
+    uint32_t GetProcessFlags(uid_t uid) {
+        UniqueFd fd = Connect(1);
+        if (fd == -1) {
+            PLOGE("GetProcessFlags");
+            return 0;
+        }
+        socket_utils::write_u8(fd, (uint8_t) SocketAction::GetProcessFlags);
+        socket_utils::write_u32(fd, uid);
+        return socket_utils::read_u32(fd);
+    }
+
     std::vector<Module> ReadModules() {
         std::vector<Module> modules;
         UniqueFd fd = Connect(1);
@@ -89,10 +109,6 @@ namespace zygiskd {
         }
         socket_utils::write_u8(fd, (uint8_t) SocketAction::GetModuleDir);
         socket_utils::write_usize(fd, index);
-        if (socket_utils::read_u8(fd) == 1) {
-            return fd;
-        } else {
-            return -1;
-        }
+        return socket_utils::recv_fd(fd);
     }
 }

loader/src/common/logging.cpp

@@ -0,0 +1,36 @@
+#include <android/log.h>
+#include <unistd.h>
+
+#include "logging.h"
+#include "socket_utils.h"
+
+namespace logging {
+    static int logfd = -1;
+
+    void setfd(int fd) {
+        close(logfd);
+        logfd = fd;
+    }
+
+    int getfd() {
+        return logfd;
+    }
+
+    void log(int prio, const char* tag, const char* fmt, ...) {
+        if (logfd == -1) {
+            va_list ap;
+            va_start(ap, fmt);
+            __android_log_vprint(prio, tag, fmt, ap);
+            va_end(ap);
+        } else {
+            char buf[BUFSIZ];
+            va_list ap;
+            va_start(ap, fmt);
+            vsnprintf(buf, sizeof(buf), fmt, ap);
+            va_end(ap);
+            socket_utils::write_u8(logfd, prio);
+            socket_utils::write_string(logfd, tag);
+            socket_utils::write_string(logfd, buf);
+        }
+    }
+}

loader/src/common/socket_utils.cpp

@@ -90,6 +90,10 @@ namespace socket_utils {
         return read_exact_or<uint8_t>(fd, 0);
     }
 
+    uint32_t read_u32(int fd) {
+        return read_exact_or<uint32_t>(fd, 0);
+    }
+
     size_t read_usize(int fd) {
         return read_exact_or<size_t>(fd, 0);
     }
@@ -110,6 +114,14 @@ namespace socket_utils {
         return write_exact<uint8_t>(fd, val);
     }
 
+    bool write_u32(int fd, uint32_t val) {
+        return write_exact<uint32_t>(fd, val);
+    }
+
+    bool write_string(int fd, std::string_view str) {
+        return write_usize(fd, str.size()) && str.size() == xwrite(fd, str.data(), str.size());
+    }
+
     int recv_fd(int sockfd) {
         char cmsgbuf[CMSG_SPACE(sizeof(int))];
 

loader/src/include/daemon.h

@@ -52,7 +52,9 @@ namespace zygiskd {
 
     enum class SocketAction {
         PingHeartBeat,
+        RequestLogcatFd,
         ReadNativeBridge,
+        GetProcessFlags,
         ReadModules,
         RequestCompanionSocket,
         GetModuleDir,
@@ -60,10 +62,14 @@ namespace zygiskd {
 
     bool PingHeartbeat();
 
+    int RequestLogcatFd();
+
     std::string ReadNativeBridge();
 
     std::vector<Module> ReadModules();
 
+    uint32_t GetProcessFlags(uid_t uid);
+
     int ConnectCompanion(size_t index);
 
     int GetModuleDir(size_t index);

loader/src/include/logging.h

@@ -20,15 +20,24 @@
 #define LOGE(...)
 #else
 #ifndef NDEBUG
-#define LOGD(...)  __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
-#define LOGV(...)  __android_log_print(ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__)
+#define LOGD(...)  logging::log(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
+#define LOGV(...)  logging::log(ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__)
 #else
 #define LOGD(...)
 #define LOGV(...)
 #endif
-#define LOGI(...)  __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
-#define LOGW(...)  __android_log_print(ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__)
-#define LOGE(...)  __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
-#define LOGF(...)  __android_log_print(ANDROID_LOG_FATAL, LOG_TAG, __VA_ARGS__)
+#define LOGI(...)  logging::log(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
+#define LOGW(...)  logging::log(ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__)
+#define LOGE(...)  logging::log(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
+#define LOGF(...)  logging::log(ANDROID_LOG_FATAL, LOG_TAG, __VA_ARGS__)
 #define PLOGE(fmt, args...) LOGE(fmt " failed with %d: %s", ##args, errno, strerror(errno))
 #endif
+
+namespace logging {
+    void setfd(int fd);
+
+    int getfd();
+
+    [[gnu::format(printf, 3, 4)]]
+    void log(int prio, const char* tag, const char* fmt, ...);
+}

loader/src/include/socket_utils.h

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <string>
+#include <string_view>
 
 #include "logging.h"
 
@@ -12,13 +13,19 @@ namespace socket_utils {
 
     uint8_t read_u8(int fd);
 
+    uint32_t read_u32(int fd);
+
     size_t read_usize(int fd);
 
     std::string read_string(int fd);
 
     bool write_u8(int fd, uint8_t val);
 
+    bool write_u32(int fd, uint32_t val);
+
     int recv_fd(int fd);
 
     bool write_usize(int fd, size_t val);
+
+    bool write_string(int fd, std::string_view str);
 }

loader/src/injector/entry.cpp

@@ -1,3 +1,4 @@
+#include "daemon.h"
 #include "logging.h"
 #include "zygisk.hpp"
 #include "module.hpp"
@@ -17,14 +18,11 @@ static void zygisk_cleanup_wait() {
 
 extern "C" [[gnu::visibility("default")]]
 void entry(void *handle) {
-    LOGD("Load injector successfully");
+#ifdef NDEBUG
+    logging::setfd(zygiskd::RequestLogcatFd());
+#endif
     self_handle = handle;
+
+    LOGD("Load injector successfully");
     hook_functions();
 }
-
-// The following code runs in zygote/app process
-
-static inline bool should_load_modules(uint32_t flags) {
-    return (flags & UNMOUNT_MASK) != UNMOUNT_MASK &&
-           (flags & PROCESS_IS_MAGISK_APP) != PROCESS_IS_MAGISK_APP;
-}

loader/src/injector/hide.cpp

@@ -1,23 +0,0 @@
-#include <sys/mount.h>
-
-#include "logging.h"
-#include "misc.hpp"
-#include "zygisk.hpp"
-
-using namespace std::string_view_literals;
-
-static void lazy_unmount(const char* mountpoint) {
-    if (umount2(mountpoint, MNT_DETACH) != -1)
-        LOGD("Unmounted (%s)", mountpoint);
-}
-
-#define OVERLAY_MNT(dir) (mentry->mnt_type == "overlay"sv && std::string_view(mentry->mnt_dir).starts_with("/" #dir))
-
-void revert_unmount() {
-    parse_mnt("/proc/self/mounts", [](mntent* mentry) {
-        if (OVERLAY_MNT("system") || OVERLAY_MNT("vendor") || OVERLAY_MNT("product") || OVERLAY_MNT("system_ext")) {
-            lazy_unmount(mentry->mnt_fsname);
-        }
-        return true;
-    });
-}

loader/src/injector/hook.cpp

@@ -112,8 +112,8 @@ hash_map<xstring, tree_map<xstring, tree_map<xstring, void *>>> *jni_method_map;
 
 // Current context
 HookContext *g_ctx;
-const JNINativeInterface *old_functions;
-JNINativeInterface *new_functions;
+const JNINativeInterface *old_functions = nullptr;
+JNINativeInterface *new_functions = nullptr;
 
 } // namespace
 
@@ -143,15 +143,8 @@ if (methods[i].name == #method##sv) {
 
 namespace {
 
-jclass gClassRef;
-jmethodID class_getName;
 string get_class_name(JNIEnv *env, jclass clazz) {
-    if (!gClassRef) {
-        jclass cls = env->FindClass("java/lang/Class");
-        gClassRef = (jclass) env->NewGlobalRef(cls);
-        env->DeleteLocalRef(cls);
-        class_getName = env->GetMethodID(gClassRef, "getName", "()Ljava/lang/String;");
-    }
+    static auto class_getName = env->GetMethodID(env->FindClass("java/lang/Class"), "getName", "()Ljava/lang/String;");
     auto nameRef = (jstring) env->CallObjectMethod(clazz, class_getName);
     const char *name = env->GetStringUTFChars(nameRef, nullptr);
     string className(name);
@@ -172,11 +165,44 @@ jint env_RegisterNatives(
     return old_functions->RegisterNatives(env, clazz, newMethods.get() ?: methods, numMethods);
 }
 
-DCL_HOOK_FUNC(int, jniRegisterNativeMethods,
-        JNIEnv *env, const char *className, const JNINativeMethod *methods, int numMethods) {
-    LOGV("jniRegisterNativeMethods [%s]\n", className);
-    auto newMethods = hookAndSaveJNIMethods(className, methods, numMethods);
-    return old_jniRegisterNativeMethods(env, className, newMethods.get() ?: methods, numMethods);
+DCL_HOOK_FUNC(void, androidSetCreateThreadFunc, void* func) {
+    LOGD("androidSetCreateThreadFunc\n");
+    do {
+        auto get_created_java_vms = reinterpret_cast<jint (*)(JavaVM **, jsize, jsize *)>(
+                dlsym(RTLD_DEFAULT, "JNI_GetCreatedJavaVMs"));
+        if (!get_created_java_vms) {
+            for (auto &map: lsplt::MapInfo::Scan()) {
+                if (!map.path.ends_with("/libnativehelper.so")) continue;
+                void *h = dlopen(map.path.data(), RTLD_LAZY);
+                if (!h) {
+                    LOGW("cannot dlopen libnativehelper.so: %s\n", dlerror());
+                    break;
+                }
+                get_created_java_vms = reinterpret_cast<decltype(get_created_java_vms)>(dlsym(h, "JNI_GetCreatedJavaVMs"));
+                dlclose(h);
+                break;
+            }
+            if (!get_created_java_vms) {
+                LOGW("JNI_GetCreatedJavaVMs not found\n");
+                break;
+            }
+        }
+        JavaVM *vm = nullptr;
+        jsize num = 0;
+        jint res = get_created_java_vms(&vm, 1, &num);
+        if (res != JNI_OK || vm == nullptr) break;
+        JNIEnv *env = nullptr;
+        res = vm->GetEnv(reinterpret_cast<void **>(&env), JNI_VERSION_1_6);
+        if (res != JNI_OK || env == nullptr) break;
+        default_new(new_functions);
+        memcpy(new_functions, env->functions, sizeof(*new_functions));
+        new_functions->RegisterNatives = &env_RegisterNatives;
+
+        // Replace the function table in JNIEnv to hook RegisterNatives
+        old_functions = env->functions;
+        env->functions = new_functions;
+    } while (false);
+    old_androidSetCreateThreadFunc(func);
 }
 
 // Skip actual fork and return cached result if applicable
@@ -204,7 +230,17 @@ DCL_HOOK_FUNC(int, unshare, int flags) {
     return res;
 }
 
-/* Zygisksu changed: No android_log_close hook */
+// Close logd_fd if necessary to prevent crashing
+// For more info, check comments in zygisk_log_write
+DCL_HOOK_FUNC(void, android_log_close) {
+    if (g_ctx == nullptr) {
+        // Happens during un-managed fork like nativeForkApp, nativeForkUsap
+        logging::setfd(-1);
+    } else if (!g_ctx->flags[SKIP_FD_SANITIZATION]) {
+        logging::setfd(-1);
+    }
+    old_android_log_close();
+}
 
 // Last point before process secontext changes
 DCL_HOOK_FUNC(int, selinux_android_setcontext,
@@ -215,58 +251,6 @@ DCL_HOOK_FUNC(int, selinux_android_setcontext,
     return old_selinux_android_setcontext(uid, isSystemServer, seinfo, pkgname);
 }
 
-// -----------------------------------------------------------------
-
-// The original android::AppRuntime virtual table
-void **gAppRuntimeVTable;
-
-// This method is a trampoline for hooking JNIEnv->RegisterNatives
-void onVmCreated(void *self, JNIEnv* env) {
-    LOGD("AppRuntime::onVmCreated\n");
-
-    // Restore virtual table
-    auto new_table = *reinterpret_cast<void***>(self);
-    *reinterpret_cast<void***>(self) = gAppRuntimeVTable;
-    delete[] new_table;
-
-    new_functions = new JNINativeInterface();
-    memcpy(new_functions, env->functions, sizeof(*new_functions));
-    new_functions->RegisterNatives = &env_RegisterNatives;
-
-    // Replace the function table in JNIEnv to hook RegisterNatives
-    old_functions = env->functions;
-    env->functions = new_functions;
-}
-
-template<int N>
-void vtable_entry(void *self, JNIEnv* env) {
-    // The first invocation will be onVmCreated. It will also restore the vtable.
-    onVmCreated(self, env);
-    // Call original function
-    reinterpret_cast<decltype(&onVmCreated)>(gAppRuntimeVTable[N])(self, env);
-}
-
-/* Zygisksu changed: AndroidRuntime setArgv0 before native bridge loaded */
-void hookVirtualTable(void *self) {
-    LOGD("hook AndroidRuntime virtual table\n");
-
-    // We don't know which entry is onVmCreated, so overwrite every one
-    // We also don't know the size of the vtable, but 8 is more than enough
-    auto new_table = new void*[8];
-    new_table[0] = reinterpret_cast<void*>(&vtable_entry<0>);
-    new_table[1] = reinterpret_cast<void*>(&vtable_entry<1>);
-    new_table[2] = reinterpret_cast<void*>(&vtable_entry<2>);
-    new_table[3] = reinterpret_cast<void*>(&vtable_entry<3>);
-    new_table[4] = reinterpret_cast<void*>(&vtable_entry<4>);
-    new_table[5] = reinterpret_cast<void*>(&vtable_entry<5>);
-    new_table[6] = reinterpret_cast<void*>(&vtable_entry<6>);
-    new_table[7] = reinterpret_cast<void*>(&vtable_entry<7>);
-
-    // Swizzle C++ vtable to hook virtual function
-    gAppRuntimeVTable = *reinterpret_cast<void***>(self);
-    *reinterpret_cast<void***>(self) = new_table;
-}
-
 #undef DCL_HOOK_FUNC
 
 // -----------------------------------------------------------------
@@ -302,7 +286,7 @@ void hookJniNativeMethods(JNIEnv *env, const char *clz, JNINativeMethod *methods
     if (hooks.empty())
         return;
 
-    old_jniRegisterNativeMethods(env, clz, hooks.data(), hooks.size());
+    old_functions->RegisterNatives(env, env->FindClass(clz), hooks.data(), static_cast<int>(hooks.size()));
 }
 
 ZygiskModule::ZygiskModule(int id, void *handle, void *entry)
@@ -491,11 +475,11 @@ void HookContext::sanitize_fds() {
             if (exempted_fds.empty())
                 return nullptr;
 
-            jintArray array = env->NewIntArray(off + exempted_fds.size());
+            jintArray array = env->NewIntArray(static_cast<int>(off + exempted_fds.size()));
             if (array == nullptr)
                 return nullptr;
 
-            env->SetIntArrayRegion(array, off, exempted_fds.size(), exempted_fds.data());
+            env->SetIntArrayRegion(array, off, static_cast<int>(exempted_fds.size()), exempted_fds.data());
             for (int fd : exempted_fds) {
                 if (fd >= 0 && fd < MAX_FD_SIZE) {
                     allowed_fds[fd] = true;
@@ -582,20 +566,18 @@ void HookContext::run_modules_post() {
 /* Zygisksu changed: Load module fds */
 void HookContext::app_specialize_pre() {
     flags[APP_SPECIALIZE] = true;
+    info_flags = zygiskd::GetProcessFlags(g_ctx->args.app->uid);
     run_modules_pre();
 }
 
 
 void HookContext::app_specialize_post() {
     run_modules_post();
-    if (info_flags & PROCESS_IS_MAGISK_APP) {
-        setenv("ZYGISK_ENABLED", "1", 1);
-    }
 
     // Cleanups
     env->ReleaseStringUTFChars(args.app->nice_name, process);
     g_ctx = nullptr;
-    /* Zygisksu changed: No android_log_close */
+    logging::setfd(-1);
 }
 
 void HookContext::unload_zygisk() {
@@ -668,7 +650,9 @@ void HookContext::nativeForkAndSpecialize_pre() {
 
     flags[APP_FORK_AND_SPECIALIZE] = true;
     /* Zygisksu changed: No args.app->fds_to_ignore check since we are Android 10+ */
-    flags[SKIP_FD_SANITIZATION] = true;
+    if (logging::getfd() != -1) {
+        exempted_fds.push_back(logging::getfd());
+    }
 
     fork_pre();
     if (pid == 0) {
@@ -727,35 +711,16 @@ void hook_functions() {
 
     PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, fork);
     PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, unshare);
-    PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, jniRegisterNativeMethods);
     PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, selinux_android_setcontext);
-    /* Zygisksu changed: No android_log_close hook */
+    PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, androidSetCreateThreadFunc);
+    PLT_HOOK_REGISTER_SYM(android_runtime_dev, android_runtime_inode, "__android_log_close", android_log_close);
     hook_commit();
 
     // Remove unhooked methods
     plt_hook_list->erase(
             std::remove_if(plt_hook_list->begin(), plt_hook_list->end(),
-            [](auto &t) { return *std::get<3>(t) == nullptr;}),
+                           [](auto &t) { return *std::get<3>(t) == nullptr;}),
             plt_hook_list->end());
-
-    /* Zygisksu changed: AndroidRuntime setArgv0 before native bridge loaded */
-    if (old_jniRegisterNativeMethods == nullptr) {
-        do {
-            LOGD("jniRegisterNativeMethods not hooked, using fallback\n");
-            constexpr char sig[] = "_ZN7android14AndroidRuntime10getRuntimeEv";
-            auto *GetRuntime = (void*(*)()) dlsym(RTLD_DEFAULT, sig);
-            if (GetRuntime == nullptr) {
-                LOGE("GetRuntime is nullptr");
-                break;
-            }
-            hookVirtualTable(GetRuntime());
-        } while (false);
-
-        // We still need old_jniRegisterNativeMethods as other code uses it
-        // android::AndroidRuntime::registerNativeMethods(_JNIEnv*, const char*, const JNINativeMethod*, int)
-        constexpr char sig[] = "_ZN7android14AndroidRuntime21registerNativeMethodsEP7_JNIEnvPKcPK15JNINativeMethodi";
-        *(void **) &old_jniRegisterNativeMethods = dlsym(RTLD_DEFAULT, sig);
-    }
 }
 
 static bool unhook_functions() {
@@ -764,17 +729,14 @@ static bool unhook_functions() {
     // Restore JNIEnv
     if (g_ctx->env->functions == new_functions) {
         g_ctx->env->functions = old_functions;
-        if (gClassRef) {
-            g_ctx->env->DeleteGlobalRef(gClassRef);
-            gClassRef = nullptr;
-            class_getName = nullptr;
-        }
+        delete new_functions;
     }
 
     // Unhook JNI methods
     for (const auto &[clz, methods] : *jni_hook_list) {
-        if (!methods.empty() && old_jniRegisterNativeMethods(
-                g_ctx->env, clz.data(), methods.data(), methods.size()) != 0) {
+        if (!methods.empty() && g_ctx->env->RegisterNatives(
+                g_ctx->env->FindClass(clz.data()), methods.data(),
+                static_cast<int>(methods.size())) != 0) {
             LOGE("Failed to restore JNI hook of class [%s]\n", clz.data());
             success = false;
         }

loader/src/injector/misc.cpp

@@ -35,6 +35,31 @@ void parse_mnt(const char* file, const std::function<bool(mntent*)>& fn) {
     }
 }
 
+std::list<std::string> split_str(std::string_view s, std::string_view delimiter) {
+    std::list<std::string> ret;
+    size_t pos = 0;
+    while (pos < s.size()) {
+        auto next = s.find(delimiter, pos);
+        if (next == std::string_view::npos) {
+            ret.emplace_back(s.substr(pos));
+            break;
+        }
+        ret.emplace_back(s.substr(pos, next - pos));
+        pos = next + delimiter.size();
+    }
+    return ret;
+}
+
+std::string join_str(const std::list<std::string>& list, std::string_view delimiter) {
+    std::string ret;
+    for (auto& s : list) {
+        if (!ret.empty())
+            ret += delimiter;
+        ret += s;
+    }
+    return ret;
+}
+
 sDIR make_dir(DIR *dp) {
     return sDIR(dp, [](DIR *dp){ return dp ? closedir(dp) : 1; });
 }

loader/src/injector/misc.hpp

@@ -2,10 +2,12 @@
 
 #include <dirent.h>
 #include <functional>
+#include <list>
 #include <memory>
 #include <mntent.h>
 #include <pthread.h>
 #include <stdio.h>
+#include <string>
 #include <string_view>
 
 #include "logging.h"
@@ -34,6 +36,16 @@ private:
 using thread_entry = void *(*)(void *);
 int new_daemon_thread(thread_entry entry, void *arg);
 
+static inline bool str_contains(std::string_view s, std::string_view ss) {
+    return s.find(ss) != std::string_view::npos;
+}
+static inline bool str_starts(std::string_view s, std::string_view ss) {
+    return s.size() >= ss.size() && s.compare(0, ss.size(), ss) == 0;
+}
+static inline bool str_ends(std::string_view s, std::string_view ss) {
+    return s.size() >= ss.size() && s.compare(s.size() - ss.size(), std::string_view::npos, ss) == 0;
+}
+
 template<typename T, typename Impl>
 class stateless_allocator {
 public:
@@ -78,6 +90,25 @@ static inline sFILE xopen_file(int fd, const char *mode) {
     return make_file(fdopen(fd, mode));
 }
 
+template <typename T>
+class reversed_container {
+public:
+    reversed_container(T &base) : base(base) {}
+    decltype(std::declval<T>().rbegin()) begin() { return base.rbegin(); }
+    decltype(std::declval<T>().crbegin()) begin() const { return base.crbegin(); }
+    decltype(std::declval<T>().crbegin()) cbegin() const { return base.crbegin(); }
+    decltype(std::declval<T>().rend()) end() { return base.rend(); }
+    decltype(std::declval<T>().crend()) end() const { return base.crend(); }
+    decltype(std::declval<T>().crend()) cend() const { return base.crend(); }
+private:
+    T &base;
+};
+
+template <typename T>
+reversed_container<T> reversed(T &base) {
+    return reversed_container<T>(base);
+}
+
 template<class T>
 static inline void default_new(T *&p) { p = new T(); }
 
@@ -97,6 +128,10 @@ int parse_int(std::string_view s);
 
 void parse_mnt(const char* file, const std::function<bool(mntent*)>& fn);
 
+std::list<std::string> split_str(std::string_view s, std::string_view delimiter);
+
+std::string join_str(const std::list<std::string>& list, std::string_view delimiter);
+
 template <typename T>
 static inline T align_to(T v, int a) {
     static_assert(std::is_integral<T>::value);

loader/src/injector/module.hpp

@@ -111,12 +111,9 @@ namespace {
         PROCESS_GRANTED_ROOT = zygisk::StateFlag::PROCESS_GRANTED_ROOT,
         PROCESS_ON_DENYLIST = zygisk::StateFlag::PROCESS_ON_DENYLIST,
 
-        PROCESS_IS_SYS_UI = (1u << 29),
-        DENYLIST_ENFORCING = (1u << 30),
-        PROCESS_IS_MAGISK_APP = (1u << 31),
+        PROCESS_IS_SYS_UI = (1u << 31),
 
-        UNMOUNT_MASK = (PROCESS_ON_DENYLIST | DENYLIST_ENFORCING),
-        PRIVATE_MASK = (PROCESS_IS_SYS_UI | DENYLIST_ENFORCING | PROCESS_IS_MAGISK_APP)
+        PRIVATE_MASK = PROCESS_IS_SYS_UI
     };
 
     struct api_abi_base {

loader/src/injector/unmount.cpp

@@ -0,0 +1,73 @@
+#include <sys/mount.h>
+
+#include "logging.h"
+#include "misc.hpp"
+#include "zygisk.hpp"
+
+using namespace std::string_view_literals;
+
+static void lazy_unmount(const char* mountpoint) {
+    if (umount2(mountpoint, MNT_DETACH) != -1) {
+        LOGD("Unmounted (%s)", mountpoint);
+    } else {
+        PLOGE("Failed to unmount: %s (%s)", strerror(errno), mountpoint);
+    }
+}
+
+#define PARSE_OPT(name, flag)   \
+    if (opt == name) {          \
+        flags |= (flag);        \
+        return true;            \
+    }
+
+void revert_unmount() {
+    std::vector<std::string> targets;
+    std::list<std::pair<std::string, std::string>> backups;
+
+    targets.emplace_back("/data/adb/ksu/modules");
+    parse_mnt("/proc/self/mounts", [&](mntent* mentry) {
+        if (str_starts(mentry->mnt_fsname, "/data/adb/")) {
+            targets.emplace_back(mentry->mnt_dir);
+        }
+        if (mentry->mnt_type == "overlay"sv) {
+            if (str_contains(mentry->mnt_opts, "/data/adb/ksu/modules")) {
+                targets.emplace_back(mentry->mnt_dir);
+            } else {
+                backups.emplace_back(mentry->mnt_dir, mentry->mnt_opts);
+            }
+        }
+        return true;
+    });
+
+    for (auto& s: reversed(targets)) {
+        lazy_unmount(s.data());
+    }
+
+    parse_mnt("/proc/self/mounts", [&](mntent* mentry) {
+        if (mentry->mnt_type == "overlay"sv) {
+            for (auto it = backups.begin(); it != backups.end(); it++) {
+                backups.remove_if([&](auto& mnt) {
+                    return mnt.first == mentry->mnt_dir && mnt.second == mentry->mnt_opts;
+                });
+            }
+        }
+        return true;
+    });
+
+    for (auto& mnt: backups) {
+        auto opts = split_str(mnt.second, ",");
+        unsigned long flags = 0;
+        opts.remove_if([&](auto& opt) {
+            PARSE_OPT(MNTOPT_RO, MS_RDONLY)
+            PARSE_OPT(MNTOPT_NOSUID, MS_NOSUID)
+            PARSE_OPT("relatime", MS_RELATIME)
+            return false;
+        });
+        auto mnt_data = join_str(opts, ",");
+        if (mount("overlay", mnt.first.data(), "overlay", flags, mnt_data.data()) != -1) {
+            LOGD("Remounted (%s)", mnt.first.data());
+        } else {
+            LOGW("Failed to remount: %s (%s, %s)", strerror(errno), mnt.first.data(), mnt_data.data());
+        }
+    }
+}

loader/src/loader/loader.cpp

@@ -42,9 +42,10 @@ void Constructor() {
 
     std::string native_bridge;
     do {
-        LOGD("Ping heartbeat");
         if (!zygiskd::PingHeartbeat()) break;
-
+#ifdef NDEBUG
+        logging::setfd(zygiskd::RequestLogcatFd());
+#endif
         LOGI("Read native bridge");
         native_bridge = zygiskd::ReadNativeBridge();
 
@@ -63,32 +64,37 @@ void Constructor() {
         reinterpret_cast<void (*)(void*)>(entry)(handle);
     } while (false);
 
-    if (native_bridge.empty() || native_bridge == "0") return;
-    LOGI("Load original native bridge: %s", native_bridge.data());
-    sOriginalBridge = dlopen(native_bridge.data(), RTLD_NOW);
-    if (sOriginalBridge == nullptr) {
-        LOGE("dlopen failed: %s", dlerror());
-        return;
-    }
+    do {
+        if (native_bridge.empty() || native_bridge == "0") break;
 
-    auto* original_native_bridge_itf = dlsym(sOriginalBridge, "NativeBridgeItf");
-    if (original_native_bridge_itf == nullptr) {
-        LOGE("dlsym failed: %s", dlerror());
-        return;
-    }
+        LOGI("Load original native bridge: %s", native_bridge.data());
+        sOriginalBridge = dlopen(native_bridge.data(), RTLD_NOW);
+        if (sOriginalBridge == nullptr) {
+            LOGE("dlopen failed: %s", dlerror());
+            break;
+        }
 
-    long sdk = 0;
-    char value[PROP_VALUE_MAX + 1];
-    if (__system_property_get("ro.build.version.sdk", value) > 0) {
-        sdk = strtol(value, nullptr, 10);
-    }
+        auto* original_native_bridge_itf = dlsym(sOriginalBridge, "NativeBridgeItf");
+        if (original_native_bridge_itf == nullptr) {
+            LOGE("dlsym failed: %s", dlerror());
+            break;
+        }
 
-    auto callbacks_size = 0;
-    if (sdk >= __ANDROID_API_R__) {
-        callbacks_size = sizeof(NativeBridgeCallbacks<__ANDROID_API_R__>);
-    } else if (sdk == __ANDROID_API_Q__) {
-        callbacks_size = sizeof(NativeBridgeCallbacks<__ANDROID_API_Q__>);
-    }
+        long sdk = 0;
+        char value[PROP_VALUE_MAX + 1];
+        if (__system_property_get("ro.build.version.sdk", value) > 0) {
+            sdk = strtol(value, nullptr, 10);
+        }
 
-    memcpy(NativeBridgeItf, original_native_bridge_itf, callbacks_size);
+        auto callbacks_size = 0;
+        if (sdk >= __ANDROID_API_R__) {
+            callbacks_size = sizeof(NativeBridgeCallbacks<__ANDROID_API_R__>);
+        } else if (sdk == __ANDROID_API_Q__) {
+            callbacks_size = sizeof(NativeBridgeCallbacks<__ANDROID_API_Q__>);
+        }
+
+        memcpy(NativeBridgeItf, original_native_bridge_itf, callbacks_size);
+    } while (false);
+
+    logging::setfd(-1);
 }

module/build.gradle.kts

@@ -11,6 +11,10 @@ val moduleId: String by rootProject.extra
 val moduleName: String by rootProject.extra
 val verCode: Int by rootProject.extra
 val verName: String by rootProject.extra
+val minKsuVersion: Int by rootProject.extra
+val minKsudVersion: Int by rootProject.extra
+val maxKsuVersion: Int by rootProject.extra
+val minMagiskVersion: Int by rootProject.extra
 
 android.buildFeatures {
     androidResources = false
@@ -49,8 +53,11 @@ androidComponents.onVariants { variant ->
         from("$projectDir/src") {
             include("customize.sh", "daemon.sh")
             val tokens = mapOf(
-                "ZYGISK_API" to (verCode / 1000).toString(),
-                "DEBUG" to if (buildTypeLowered == "debug") "true" else "false"
+                "DEBUG" to if (buildTypeLowered == "debug") "true" else "false",
+                "MIN_KSU_VERSION" to "$minKsuVersion",
+                "MIN_KSUD_VERSION" to "$minKsudVersion",
+                "MAX_KSU_VERSION" to "$maxKsuVersion",
+                "MIN_MAGISK_VERSION" to "$minMagiskVersion",
             )
             filter<ReplaceTokens>("tokens" to tokens)
             filter<FixCrLfFilter>("eol" to FixCrLfFilter.CrLf.newInstance("lf"))
@@ -107,7 +114,7 @@ androidComponents.onVariants { variant ->
     val installMagiskTask = task<Exec>("installMagisk$variantCapped") {
         group = "module"
         dependsOn(pushTask)
-        commandLine("adb", "shell", "su", "-c", "KSU=true magisk --install-module /data/local/tmp/$zipFileName")
+        commandLine("adb", "shell", "su", "-c", "magisk --install-module /data/local/tmp/$zipFileName")
     }
 
     task<Exec>("installKsuAndReboot$variantCapped") {

module/src/customize.sh

@@ -1,27 +1,61 @@
 # shellcheck disable=SC2034
 SKIPUNZIP=1
 
-ZYGISK_API="@ZYGISK_API@"
+DEBUG=@DEBUG@
+MIN_KSU_VERSION=@MIN_KSU_VERSION@
+MIN_KSUD_VERSION=@MIN_KSUD_VERSION@
+MAX_KSU_VERSION=@MAX_KSU_VERSION@
+MIN_MAGISK_VERSION=@MIN_MAGISK_VERSION@
 
-if [ $BOOTMODE ] && [ "$KSU" == "true" ]; then
+if [ "$BOOTMODE" ] && [ "$KSU" ]; then
   ui_print "- Installing from KernelSU app"
+  ui_print "- KernelSU version: $KSU_KERNEL_VER_CODE (kernel) + $KSU_VER_CODE (ksud)"
+  if ! [ "$KSU_KERNEL_VER_CODE" ] || [ "$KSU_KERNEL_VER_CODE" -lt "$MIN_KSU_VERSION" ]; then
+    ui_print "*********************************************************"
+    ui_print "! KernelSU version is too old!"
+    ui_print "! Please update KernelSU to latest version"
+    abort    "*********************************************************"
+  elif [ "$KSU_KERNEL_VER_CODE" -ge "$MAX_KSU_VERSION" ]; then
+    ui_print "*********************************************************"
+    ui_print "! KernelSU version abnormal!"
+    ui_print "! Please integrate KernelSU into your kernel"
+    ui_print "  as submodule instead of copying the source code"
+    abort    "*********************************************************"
+  fi
+  if ! [ "$KSU_VER_CODE" ] || [ "$KSU_VER_CODE" -lt "$MIN_KSUD_VERSION" ]; then
+    ui_print "*********************************************************"
+    ui_print "! ksud version is too old!"
+    ui_print "! Please update KernelSU Manager to latest version"
+    abort    "*********************************************************"
+  fi
+  if [ "$(which magisk)" ]; then
+    ui_print "*********************************************************"
+    ui_print "! Multiple root implementation is NOT supported!"
+    ui_print "! Please uninstall Magisk before installing Zygisksu"
+    abort    "*********************************************************"
+  fi
+elif [ "$BOOTMODE" ] && [ "$MAGISK_VER_CODE" ]; then
+  ui_print "- Installing from Magisk app"
+  if [ "$MAGISK_VER_CODE" -lt "$MIN_MAGISK_VERSION" ]; then
+    ui_print "*********************************************************"
+    ui_print "! Magisk version is too old!"
+    ui_print "! Please update Magisk to latest version"
+    abort    "*********************************************************"
+  fi
 else
   ui_print "*********************************************************"
-  ui_print "! Install from recovery or Magisk is NOT supported"
-  ui_print "! Please install from KernelSU app"
-  abort "*********************************************************"
+  ui_print "! Install from recovery is not supported"
+  ui_print "! Please install from KernelSU or Magisk app"
+  abort    "*********************************************************"
 fi
 
 VERSION=$(grep_prop version "${TMPDIR}/module.prop")
-ui_print "- Installing Zygisksu $VERSION (ZYGISK API $ZYGISK_API)"
-
-# check KernelSU
-# ui_print "- KernelSU version: $KSU_VER ($KSU_VER_CODE)"
+ui_print "- Installing Zygisksu $VERSION"
 
 # check android
 if [ "$API" -lt 29 ]; then
   ui_print "! Unsupported sdk: $API"
-  abort "! Minimal supported sdk is 29 (Android 10.0)"
+  abort "! Minimal supported sdk is 29 (Android 10)"
 else
   ui_print "- Device sdk: $API"
 fi
@@ -39,11 +73,22 @@ if [ ! -f "$TMPDIR/verify.sh" ]; then
   ui_print "*********************************************************"
   ui_print "! Unable to extract verify.sh!"
   ui_print "! This zip may be corrupted, please try downloading again"
-  abort "*********************************************************"
+  abort    "*********************************************************"
 fi
 . "$TMPDIR/verify.sh"
-extract "$ZIPFILE" 'customize.sh' "$TMPDIR/.vunzip"
-extract "$ZIPFILE" 'verify.sh' "$TMPDIR/.vunzip"
+extract "$ZIPFILE" 'customize.sh'  "$TMPDIR/.vunzip"
+extract "$ZIPFILE" 'verify.sh'     "$TMPDIR/.vunzip"
+extract "$ZIPFILE" 'sepolicy.rule' "$TMPDIR"
+
+if [ "$KSU" ]; then
+  ui_print "- Checking SELinux patches"
+  if ! check_sepolicy "$TMPDIR/sepolicy.rule"; then
+    ui_print "*********************************************************"
+    ui_print "! Unable to apply SELinux patches!"
+    ui_print "! Your kernel may not support SELinux patch fully"
+    abort    "*********************************************************"
+  fi
+fi
 
 ui_print "- Extracting module files"
 extract "$ZIPFILE" 'daemon.sh'       "$MODPATH"
@@ -98,17 +143,19 @@ else
   fi
 fi
 
-ui_print "- Hex patching"
-SOCKET_PATCH=$(tr -dc 'a-f0-9' </dev/urandom | head -c 18)
-if [ "$HAS32BIT" = true ]; then
-  sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/bin/zygiskd32"
-  sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib/libinjector.so"
-  sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib/libzygiskloader.so"
-fi
-if [ "$HAS64BIT" = true ]; then
-  sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/bin/zygiskd64"
-  sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib64/libinjector.so"
-  sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib64/libzygiskloader.so"
+if [ $DEBUG = false ]; then
+  ui_print "- Hex patching"
+  SOCKET_PATCH=$(tr -dc 'a-f0-9' </dev/urandom | head -c 18)
+  if [ "$HAS32BIT" = true ]; then
+    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/bin/zygiskd32"
+    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib/libinjector.so"
+    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib/libzygiskloader.so"
+  fi
+  if [ "$HAS64BIT" = true ]; then
+    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/bin/zygiskd64"
+    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib64/libinjector.so"
+    sed -i "s/socket_placeholder/$SOCKET_PATCH/g" "$MODPATH/system/lib64/libzygiskloader.so"
+  fi
 fi
 
 ui_print "- Setting permissions"

module/src/daemon.sh

@@ -1,7 +1,6 @@
 #!/system/bin/sh
 
 DEBUG=@DEBUG@
-MODDIR=${0%/*}
 
 # shellcheck disable=SC2155
 export NATIVE_BRIDGE=$(getprop ro.dalvik.vm.native.bridge)
@@ -9,4 +8,4 @@ export NATIVE_BRIDGE=$(getprop ro.dalvik.vm.native.bridge)
 
 log -p i -t "zygisksu" "Start watchdog"
 resetprop ro.dalvik.vm.native.bridge libzygiskloader.so
-exec "$MODDIR/bin/zygiskwd" >/dev/null 2>&1
+exec "bin/zygiskwd" "watchdog" >/dev/null 2>&1

module/src/post-fs-data.sh

@@ -1,5 +1,24 @@
 #!/system/bin/sh
 
 MODDIR=${0%/*}
+if [ "$ZYGISK_ENABLED" ]; then
+  exit 0
+fi
+
+cd "$MODDIR"
 export NATIVE_BRIDGE=$(getprop ro.dalvik.vm.native.bridge)
-unshare -m sh -c "$MODDIR/daemon.sh $@&"
+
+if [ "$(which magisk)" ] && [ ".." -ef "/data/adb/modules" ]; then
+  for file in ../*; do
+    if [ -d "$file" ] && [ -d "$file/zygisk" ] && ! [ -f "$file/disable" ]; then
+      if [ -f "$file/post-fs-data.sh" ]; then
+        cd "$file"
+        log -p i -t "zygisksu" "Manually trigger post-fs-data.sh for $file"
+        sh "$(realpath ./post-fs-data.sh)"
+        cd "$MODDIR"
+      fi
+    fi
+  done
+fi
+
+sh -c "./daemon.sh $@&"

module/src/sepolicy.rule

@@ -10,3 +10,6 @@ allow * magisk_file lnk_file *
 allow * magisk_file sock_file *
 
 allow system_server system_server process execmem
+allow zygote mnt_vendor_file dir search
+allow zygote system_file dir mounton
+allow zygote labeledfs filesystem mount

module/src/service.sh

@@ -1 +1,21 @@
 #!/system/bin/sh
+
+MODDIR=${0%/*}
+if [ "$ZYGISK_ENABLED" ]; then
+  exit 0
+fi
+
+cd "$MODDIR"
+
+if [ "$(which magisk)" ] && [ ".." -ef "/data/adb/modules" ]; then
+  for file in ../*; do
+    if [ -d "$file" ] && [ -d "$file/zygisk" ] && ! [ -f "$file/disable" ]; then
+      if [ -f "$file/service.sh" ]; then
+        cd "$file"
+        log -p i -t "zygisksu" "Manually trigger service.sh for $file"
+        sh "$(realpath ./service.sh)"
+        cd "$MODDIR"
+      fi
+    fi
+  done
+fi

settings.gradle.kts

@@ -7,8 +7,8 @@ pluginManagement {
         gradlePluginPortal()
     }
     plugins {
-        id("com.android.library") version "7.4.0"
-        id("com.android.application") version "7.4.0"
+        id("com.android.library") version "7.4.1"
+        id("com.android.application") version "7.4.1"
     }
 }
 

zygiskd/Cargo.toml

@@ -8,14 +8,20 @@ rust-version = "1.67"
 [dependencies]
 android_logger = "0.12.0"
 anyhow = { version = "1.0.68", features = ["backtrace"] }
+clap = { version = "4.1.4", features = ["derive"] }
 const_format = "0.2.5"
+konst = "0.3.4"
+lazy_static = "1.4.0"
 log = "0.4.17"
 memfd = "0.6.2"
 nix = "0.26.2"
 num_enum = "0.5.9"
+once_cell = "1.17.1"
 passfd = "0.1.5"
 rand = "0.8.5"
 
+binder = { path = "src/external/binder_rs/binder" }
+
 [profile.release]
 strip = true
 opt-level = "z"

zygiskd/build.gradle.kts

@@ -3,6 +3,12 @@ plugins {
     id("org.mozilla.rust-android-gradle.rust-android")
 }
 
+val verName: String by rootProject.extra
+val verCode: Int by rootProject.extra
+val minKsuVersion: Int by rootProject.extra
+val maxKsuVersion: Int by rootProject.extra
+val minMagiskVersion: Int by rootProject.extra
+
 android.buildFeatures {
     androidResources = false
     buildConfig = false
@@ -16,4 +22,12 @@ cargo {
     targetDirectory = "build/intermediates/rust"
     val isDebug = gradle.startParameter.taskNames.any { it.toLowerCase().contains("debug") }
     profile = if (isDebug) "debug" else "release"
+    exec = { spec, _ ->
+        spec.environment("ANDROID_NDK_HOME", android.ndkDirectory.path)
+        spec.environment("VERSION_CODE", verCode)
+        spec.environment("VERSION_NAME", verName)
+        spec.environment("MIN_KSU_VERSION", minKsuVersion)
+        spec.environment("MAX_KSU_VERSION", maxKsuVersion)
+        spec.environment("MIN_MAGISK_VERSION", minMagiskVersion)
+    }
 }

zygiskd/src/companion.rs

@@ -0,0 +1,61 @@
+use std::ffi::c_void;
+use std::os::fd::{FromRawFd, RawFd};
+use std::os::unix::net::UnixStream;
+use std::thread;
+use anyhow::Result;
+use nix::libc;
+use passfd::FdPassingExt;
+use crate::utils::UnixStreamExt;
+use crate::dl;
+
+type ZygiskCompanionEntryFn = unsafe extern "C" fn(i32);
+
+pub fn entry(fd: i32) -> Result<()> {
+    unsafe { libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGKILL) };
+    let mut stream = unsafe { UnixStream::from_raw_fd(fd) };
+    let name = stream.read_string()?;
+    let library = stream.recv_fd()?;
+    let entry = load_module(library)?;
+    unsafe { libc::close(library) };
+
+    let entry = match entry {
+        Some(entry) => {
+            log::debug!("Companion process created for `{name}`");
+            stream.write_u8(1)?;
+            entry
+        }
+        None => {
+            log::debug!("No companion entry for `{name}`");
+            stream.write_u8(0)?;
+            return Ok(());
+        }
+    };
+
+    loop {
+        let fd = stream.recv_fd()?;
+        log::trace!("New companion request from module `{name}`");
+        thread::spawn(move || {
+            unsafe {
+                let mut s = UnixStream::from_raw_fd(fd);
+                match s.write_u8(1) { // Ack
+                    Ok(_) => entry(fd),
+                    Err(_) => log::warn!("Ack failed?"),
+                }
+            };
+        });
+    }
+}
+
+fn load_module(fd: RawFd) -> Result<Option<ZygiskCompanionEntryFn>> {
+    unsafe {
+        let path = format!("/proc/self/fd/{fd}");
+        let handle = dl::dlopen(&path, libc::RTLD_NOW)?;
+        let symbol = std::ffi::CString::new("zygisk_companion_entry")?;
+        let entry = libc::dlsym(handle, symbol.as_ptr());
+        if entry.is_null() {
+            return Ok(None);
+        }
+        let fnptr = std::mem::transmute::<*mut c_void, ZygiskCompanionEntryFn>(entry);
+        Ok(Some(fnptr))
+    }
+}

zygiskd/src/constants.rs

@@ -1,22 +1,55 @@
 use const_format::concatcp;
+use konst::primitive::parse_i32;
+use konst::unwrap_ctx;
+use log::LevelFilter;
 use num_enum::TryFromPrimitive;
 
+pub const VERSION_NAME: &str = env!("VERSION_NAME");
+pub const VERSION_CODE: &str = env!("VERSION_CODE");
+pub const VERSION_FULL: &str = concatcp!(VERSION_NAME, " (", VERSION_CODE, ")");
+pub const MIN_KSU_VERSION: i32 = unwrap_ctx!(parse_i32(env!("MIN_KSU_VERSION")));
+pub const MAX_KSU_VERSION: i32 = unwrap_ctx!(parse_i32(env!("MAX_KSU_VERSION")));
+pub const MIN_MAGISK_VERSION: i32 = unwrap_ctx!(parse_i32(env!("MIN_MAGISK_VERSION")));
+
+#[cfg(debug_assertions)]
+pub const MAX_LOG_LEVEL: LevelFilter = LevelFilter::Trace;
+#[cfg(not(debug_assertions))]
+pub const MAX_LOG_LEVEL: LevelFilter = LevelFilter::Info;
+
+#[cfg(target_pointer_width = "64")]
+#[macro_export]
+macro_rules! lp_select {
+    ($lp32:expr, $lp64:expr) => { $lp64 };
+}
+#[cfg(target_pointer_width = "32")]
+#[macro_export]
+macro_rules! lp_select {
+    ($lp32:expr, $lp64:expr) => { $lp32 };
+}
+
 pub const PROP_NATIVE_BRIDGE: &str = "ro.dalvik.vm.native.bridge";
+pub const PROP_SVC_ZYGOTE: &str = "init.svc.zygote";
+pub const ZYGISK_LOADER: &str = "libzygiskloader.so";
 
 pub const SOCKET_PLACEHOLDER: &str = "socket_placeholder";
 
-pub const PATH_KSU_MODULE_DIR: &str = "/data/adb/ksu/modules";
-pub const PATH_ZYGISKSU_DIR: &str = concatcp!(PATH_KSU_MODULE_DIR, "/zygisksu");
-pub const PATH_ZYGISKD32: &str = concatcp!(PATH_ZYGISKSU_DIR, "/bin/zygiskd32");
-pub const PATH_ZYGISKD64: &str = concatcp!(PATH_ZYGISKSU_DIR, "/bin/zygiskd64");
-pub const PATH_DAEMON_LOCK: &str = concatcp!(PATH_ZYGISKSU_DIR, "/zygiskd.lock");
+pub const PATH_MODULE_DIR: &str = "..";
+pub const PATH_ZYGISKD32: &str = "bin/zygiskd32";
+pub const PATH_ZYGISKD64: &str = "bin/zygiskd64";
 
 #[derive(Debug, Eq, PartialEq, TryFromPrimitive)]
 #[repr(u8)]
 pub enum DaemonSocketAction {
     PingHeartbeat,
+    RequestLogcatFd,
     ReadNativeBridge,
+    GetProcessFlags,
     ReadModules,
     RequestCompanionSocket,
     GetModuleDir,
 }
+
+// Zygisk process flags
+pub const PROCESS_GRANTED_ROOT: u32 = 1 << 0;
+pub const PROCESS_ON_DENYLIST: u32 = 1 << 1;
+pub const PROCESS_IS_SYSUI: u32 = 1 << 31;

zygiskd/src/dl.rs

@@ -0,0 +1,82 @@
+use anyhow::{bail, Result};
+use std::ffi::{c_char, c_void};
+use nix::libc;
+
+const ANDROID_NAMESPACE_TYPE_SHARED: u64 = 0x2;
+const ANDROID_DLEXT_USE_NAMESPACE: u64 = 0x200;
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+struct AndroidNamespace {
+    _unused: [u8; 0],
+}
+
+#[repr(C)]
+struct AndroidDlextinfo {
+    pub flags: u64,
+    pub reserved_addr: *mut c_void,
+    pub reserved_size: libc::size_t,
+    pub relro_fd: libc::c_int,
+    pub library_fd: libc::c_int,
+    pub library_fd_offset: libc::off64_t,
+    pub library_namespace: *mut AndroidNamespace,
+}
+
+extern "C" {
+    fn android_dlopen_ext(
+        filename: *const c_char,
+        flags: libc::c_int,
+        extinfo: *const AndroidDlextinfo,
+    ) -> *mut c_void;
+}
+
+type AndroidCreateNamespaceFn = unsafe extern "C" fn(
+    *const c_char,          // name
+    *const c_char,          // ld_library_path
+    *const c_char,          // default_library_path
+    u64,                    // type
+    *const c_char,          // permitted_when_isolated_path
+    *mut AndroidNamespace,  // parent
+    *const c_void,          // caller_addr
+) -> *mut AndroidNamespace;
+
+pub unsafe fn dlopen(path: &str, flags: i32) -> Result<*mut c_void> {
+    let filename = std::ffi::CString::new(path)?;
+    let filename = filename.as_ptr() as *mut _;
+    let dir = libc::dirname(filename);
+    let mut info = AndroidDlextinfo {
+        flags: 0,
+        reserved_addr: std::ptr::null_mut(),
+        reserved_size: 0,
+        relro_fd: 0,
+        library_fd: 0,
+        library_fd_offset: 0,
+        library_namespace: std::ptr::null_mut(),
+    };
+
+    let android_create_namespace_fn = libc::dlsym(
+        libc::RTLD_DEFAULT,
+        std::ffi::CString::new("__loader_android_create_namespace")?.as_ptr(),
+    );
+    let android_create_namespace_fn: AndroidCreateNamespaceFn = std::mem::transmute(android_create_namespace_fn);
+    let ns = android_create_namespace_fn(
+        filename, dir, std::ptr::null(),
+        ANDROID_NAMESPACE_TYPE_SHARED,
+        std::ptr::null(), std::ptr::null_mut(),
+        &dlopen as *const _ as *const c_void,
+    );
+    if ns != std::ptr::null_mut() {
+        info.flags = ANDROID_DLEXT_USE_NAMESPACE;
+        info.library_namespace = ns;
+        log::debug!("Open {} with namespace {:p}", path, ns);
+    } else {
+        log::debug!("Cannot create namespace for {}", path);
+    };
+
+    let result = android_dlopen_ext(filename, flags, &info);
+    if result.is_null() {
+        let e = std::ffi::CStr::from_ptr(libc::dlerror()).to_string_lossy();
+        bail!("dlopen failed: {}", e);
+    }
+    Ok(result)
+}

zygiskd/src/main.rs

@@ -1,51 +1,59 @@
 #![allow(dead_code)]
 
+mod companion;
 mod constants;
+mod dl;
+mod root_impl;
 mod utils;
 mod watchdog;
-mod zygisk;
+mod zygiskd;
+
+use anyhow::Result;
+use clap::{Subcommand, Parser};
+
+#[derive(Parser, Debug)]
+#[command(author, version = constants::VERSION_FULL, about, long_about = None)]
+struct Args {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand, Debug)]
+enum Commands {
+    /// Start zygisk watchdog
+    Watchdog,
+    /// Start zygisk daemon
+    Daemon,
+    /// Start zygisk companion
+    Companion { fd: i32 },
+}
 
-use anyhow::{bail, Result};
-use log::LevelFilter;
-use nix::libc;
 
 fn init_android_logger(tag: &str) {
     android_logger::init_once(
         android_logger::Config::default()
-            .with_max_level(LevelFilter::Trace)
+            .with_max_level(constants::MAX_LOG_LEVEL)
             .with_tag(tag),
     );
 }
 
-fn entry() -> Result<()> {
-    let process = std::env::args().next().unwrap();
-    let process = process.split('/').last().unwrap();
-    init_android_logger(process);
-    match process {
-        "zygiskwd" => {
-            log::info!("Start zygisksu watchdog");
-            watchdog::check_permission()?;
-            watchdog::ensure_single_instance()?;
-            watchdog::spawn_daemon()?;
-        }
-        "zygiskd32" => {
-            log::info!("Start zygiskd32");
-            unsafe { libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGKILL); }
-            zygisk::start(false)?;
-            loop {}
-        }
-        "zygiskd64" => {
-            log::info!("Start zygiskd64");
-            unsafe { libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGKILL); }
-            zygisk::start(true)?;
-        }
-        _ => bail!("Unexpected process name: {process}")
-    }
+fn start() -> Result<()> {
+    root_impl::setup()?;
+    let cli = Args::parse();
+    match cli.command {
+        Commands::Watchdog => watchdog::entry()?,
+        Commands::Daemon => zygiskd::entry()?,
+        Commands::Companion { fd } => companion::entry(fd)?,
+    };
     Ok(())
 }
 
 fn main() {
-    if let Err(e) = entry() {
+    let process = std::env::args().next().unwrap();
+    let nice_name = process.split('/').last().unwrap();
+    init_android_logger(nice_name);
+
+    if let Err(e) = start() {
         log::error!("Crashed: {}\n{}", e, e.backtrace());
     }
 }

zygiskd/src/root_impl/kernelsu.rs

@@ -0,0 +1,36 @@
+use anyhow::{bail, Result};
+use nix::libc::prctl;
+use crate::constants::{MIN_KSU_VERSION, MAX_KSU_VERSION};
+
+const KERNEL_SU_OPTION: i32 = 0xdeadbeefu32 as i32;
+
+const CMD_GET_VERSION: usize = 2;
+const CMD_GET_ALLOW_LIST: usize = 5;
+const CMD_GET_DENY_LIST: usize = 6;
+
+pub fn is_kernel_su() -> Result<bool> {
+    let mut version = 0;
+    unsafe { prctl(KERNEL_SU_OPTION, CMD_GET_VERSION, &mut version as *mut i32) };
+    return match version {
+        0 => Ok(false),
+        MIN_KSU_VERSION..=MAX_KSU_VERSION => Ok(true),
+        1..=MIN_KSU_VERSION => bail!("KernelSU version too old: {}", version),
+        _ => bail!("KernelSU version abnormal: {}", version)
+    }
+}
+
+pub fn uid_on_allowlist(uid: i32) -> bool {
+    let mut size = 1024u32;
+    let mut uids = vec![0; size as usize];
+    unsafe { prctl(KERNEL_SU_OPTION, CMD_GET_ALLOW_LIST, uids.as_mut_ptr(), &mut size as *mut u32) };
+    uids.resize(size as usize, 0);
+    uids.contains(&uid)
+}
+
+pub fn uid_on_denylist(uid: i32) -> bool {
+    let mut size = 1024u32;
+    let mut uids = vec![0; size as usize];
+    unsafe { prctl(KERNEL_SU_OPTION, CMD_GET_DENY_LIST, uids.as_mut_ptr(), &mut size as *mut u32) };
+    uids.resize(size as usize, 0);
+    uids.contains(&uid)
+}

zygiskd/src/root_impl/magisk.rs

@@ -0,0 +1,30 @@
+use anyhow::{bail, Result};
+use std::process::{Command, Stdio};
+use crate::constants::MIN_MAGISK_VERSION;
+
+pub fn is_magisk() -> Result<bool> {
+    let version: Option<i32> = Command::new("magisk")
+        .arg("-V")
+        .stdout(Stdio::piped())
+        .spawn().ok()
+        .and_then(|child| child.wait_with_output().ok())
+        .and_then(|output| String::from_utf8(output.stdout).ok())
+        .and_then(|output| output.trim().parse().ok());
+    if let Some(version) = version {
+        if version < MIN_MAGISK_VERSION {
+            bail!("Magisk version too old: {}", version);
+        }
+        return Ok(true);
+    }
+    Ok(false)
+}
+
+pub fn uid_on_allowlist(uid: i32) -> bool {
+    // TODO: uid_on_allowlist
+    return false;
+}
+
+pub fn uid_on_denylist(uid: i32) -> bool {
+    // TODO: uid_on_denylist
+    return false;
+}

zygiskd/src/root_impl/mod.rs

@@ -0,0 +1,40 @@
+mod kernelsu;
+mod magisk;
+
+use once_cell::sync::OnceCell;
+use anyhow::{bail, Result};
+
+enum RootImpl {
+    KernelSU,
+    Magisk,
+}
+
+static ROOT_IMPL: OnceCell<RootImpl> = OnceCell::new();
+
+pub fn setup() -> Result<()> {
+    if kernelsu::is_kernel_su()? {
+        if let Ok(true) = magisk::is_magisk() {
+            bail!("Multiple root implementation");
+        }
+        let _ = ROOT_IMPL.set(RootImpl::KernelSU);
+    } else if magisk::is_magisk()? {
+        let _ = ROOT_IMPL.set(RootImpl::Magisk);
+    } else {
+        bail!("Unknown root implementation");
+    }
+    Ok(())
+}
+
+pub fn uid_on_allowlist(uid: i32) -> bool {
+    match ROOT_IMPL.get().unwrap() {
+        RootImpl::KernelSU => kernelsu::uid_on_allowlist(uid),
+        RootImpl::Magisk => magisk::uid_on_allowlist(uid),
+    }
+}
+
+pub fn uid_on_denylist(uid: i32) -> bool {
+    match ROOT_IMPL.get().unwrap() {
+        RootImpl::KernelSU => kernelsu::uid_on_denylist(uid),
+        RootImpl::Magisk => magisk::uid_on_denylist(uid),
+    }
+}

zygiskd/src/utils.rs

@@ -1,4 +1,3 @@
-use crate::constants;
 use anyhow::Result;
 use nix::unistd::gettid;
 use std::{fs, io::{Read, Write}, os::unix::net::UnixStream, process::Command};
@@ -27,10 +26,10 @@ pub fn get_native_bridge() -> String {
     std::env::var("NATIVE_BRIDGE").unwrap_or_default()
 }
 
-pub fn restore_native_bridge() -> Result<()> {
+pub fn set_property(name: &str, value: &str) -> Result<()> {
     Command::new("resetprop")
-        .arg(constants::PROP_NATIVE_BRIDGE)
-        .arg(get_native_bridge())
+        .arg(name)
+        .arg(value)
         .spawn()?.wait()?;
     Ok(())
 }
@@ -39,8 +38,11 @@ pub trait UnixStreamExt {
     fn read_u8(&mut self) -> Result<u8>;
     fn read_u32(&mut self) -> Result<u32>;
     fn read_usize(&mut self) -> Result<usize>;
+    fn read_string(&mut self) -> Result<String>;
     fn write_u8(&mut self, value: u8) -> Result<()>;
+    fn write_u32(&mut self, value: u32) -> Result<()>;
     fn write_usize(&mut self, value: usize) -> Result<()>;
+    fn write_string(&mut self, value: &str) -> Result<()>;
 }
 
 impl UnixStreamExt for UnixStream {
@@ -62,15 +64,33 @@ impl UnixStreamExt for UnixStream {
         Ok(usize::from_ne_bytes(buf))
     }
 
+    fn read_string(&mut self) -> Result<String> {
+        let len = self.read_usize()?;
+        let mut buf = vec![0u8; len];
+        self.read_exact(&mut buf)?;
+        Ok(String::from_utf8(buf)?)
+    }
+
     fn write_u8(&mut self, value: u8) -> Result<()> {
         self.write_all(&value.to_ne_bytes())?;
         Ok(())
     }
 
+    fn write_u32(&mut self, value: u32) -> Result<()> {
+        self.write_all(&value.to_ne_bytes())?;
+        Ok(())
+    }
+
     fn write_usize(&mut self, value: usize) -> Result<()> {
         self.write_all(&value.to_ne_bytes())?;
         Ok(())
     }
+
+    fn write_string(&mut self, value: &str) -> Result<()> {
+        self.write_usize(value.len())?;
+        self.write_all(value.as_bytes())?;
+        Ok(())
+    }
 }
 
 // TODO: Replace with SockAddrExt::from_abstract_name when it's stable

zygiskd/src/watchdog.rs

@@ -1,15 +1,24 @@
-use crate::constants;
+use crate::{constants, utils};
 use anyhow::{bail, Result};
-use nix::fcntl::{flock, FlockArg};
-use nix::unistd::{getgid, getuid};
-use std::os::unix::prelude::AsRawFd;
+use nix::unistd::{getgid, getuid, Pid};
 use std::process::{Child, Command};
 use std::sync::mpsc;
 use std::{fs, thread};
+use std::os::unix::net::UnixListener;
+use std::time::Duration;
+use binder::IBinder;
+use nix::sys::signal::{kill, Signal};
 
-static mut LOCK_FILE: Option<fs::File> = None;
+static mut LOCK: Option<UnixListener> = None;
 
-pub fn check_permission() -> Result<()> {
+pub fn entry() -> Result<()> {
+    log::info!("Start zygisksu watchdog");
+    check_permission()?;
+    ensure_single_instance()?;
+    spawn_daemon()
+}
+
+fn check_permission() -> Result<()> {
     log::info!("Check permission");
     let uid = getuid();
     if uid.as_raw() != 0 {
@@ -23,7 +32,6 @@ pub fn check_permission() -> Result<()> {
 
     let context = fs::read_to_string("/proc/self/attr/current")?;
     let context = context.trim_end_matches('\0');
-    //TODO: remove magisk context after debug finished
     if context != "u:r:su:s0" && context != "u:r:magisk:s0" {
         bail!("SELinux context incorrect: {context}");
     }
@@ -31,40 +39,67 @@ pub fn check_permission() -> Result<()> {
     Ok(())
 }
 
-pub fn ensure_single_instance() -> Result<()> {
+fn ensure_single_instance() -> Result<()> {
     log::info!("Ensure single instance");
-    let metadata = fs::metadata(constants::PATH_ZYGISKSU_DIR);
-    if metadata.is_err() || !metadata.unwrap().is_dir() {
-        bail!("Zygisksu is not installed");
-    }
-    unsafe {
-        match fs::File::create(constants::PATH_DAEMON_LOCK) {
-            Ok(file) => LOCK_FILE = Some(file),
-            Err(e) => bail!("Failed to open lock file: {e}"),
-        };
-        let fd = LOCK_FILE.as_ref().unwrap().as_raw_fd();
-        if let Err(e) = flock(fd, FlockArg::LockExclusiveNonblock) {
-            bail!("Failed to acquire lock: {e}. Maybe another instance is running?");
-        }
+    let name = String::from("zygiskwd") + constants::SOCKET_PLACEHOLDER;
+    match utils::abstract_namespace_socket(&name) {
+        Ok(socket) => unsafe { LOCK = Some(socket) },
+        Err(e) => bail!("Failed to acquire lock: {e}. Maybe another instance is running?")
     }
     Ok(())
 }
 
-pub fn spawn_daemon() -> Result<()> {
-    let daemon32 = Command::new(constants::PATH_ZYGISKD32).spawn()?;
-    let daemon64 = Command::new(constants::PATH_ZYGISKD64).spawn()?;
-    let (sender, receiver) = mpsc::channel();
-    let spawn = |mut daemon: Child| {
-        let sender = sender.clone();
-        thread::spawn(move || {
-            let result = daemon.wait().unwrap();
-            log::error!("Daemon process {} died: {}", daemon.id(), result);
-            drop(daemon);
-            sender.send(()).unwrap();
-        });
-    };
-    spawn(daemon32);
-    spawn(daemon64);
-    let _ = receiver.recv();
-    bail!("Daemon process died");
+fn spawn_daemon() -> Result<()> {
+    let mut lives = 5;
+    loop {
+        let daemon32 = Command::new(constants::PATH_ZYGISKD32).arg("daemon").spawn();
+        let daemon64 = Command::new(constants::PATH_ZYGISKD64).arg("daemon").spawn();
+        let mut child_ids = vec![];
+        let (sender, receiver) = mpsc::channel();
+        let mut spawn = |mut daemon: Child| {
+            child_ids.push(daemon.id());
+            let sender = sender.clone();
+            thread::spawn(move || {
+                let result = daemon.wait().unwrap();
+                log::error!("Daemon process {} died: {}", daemon.id(), result);
+                drop(daemon);
+                let _ = sender.send(());
+            });
+        };
+        if let Ok(it) = daemon32 { spawn(it) }
+        if let Ok(it) = daemon64 { spawn(it) }
+
+        let mut binder = loop {
+            if receiver.try_recv().is_ok() {
+                bail!("Daemon died before system server ready");
+            }
+            match binder::get_service("activity") {
+                Some(binder) => break binder,
+                None => {
+                    log::trace!("System server not ready, wait for 1s...");
+                    thread::sleep(Duration::from_secs(1));
+                }
+            };
+        };
+        log::info!("System server ready, restore native bridge");
+        utils::set_property(constants::PROP_NATIVE_BRIDGE, &utils::get_native_bridge())?;
+
+        loop {
+            if receiver.try_recv().is_ok() || binder.ping_binder().is_err() { break; }
+            thread::sleep(Duration::from_secs(1))
+        }
+        for child in child_ids {
+            let _ = kill(Pid::from_raw(child as i32), Signal::SIGKILL);
+        }
+
+        lives -= 1;
+        if lives == 0 {
+            bail!("Too many crashes, abort");
+        }
+
+        log::error!("Restarting zygote...");
+        utils::set_property(constants::PROP_NATIVE_BRIDGE, constants::ZYGISK_LOADER)?;
+        utils::set_property(constants::PROP_SVC_ZYGOTE, "restart")?;
+        thread::sleep(Duration::from_secs(2));
+    }
 }

zygiskd/src/zygiskd.rs

@@ -1,31 +1,29 @@
 use crate::constants::DaemonSocketAction;
-use crate::utils::{restore_native_bridge, UnixStreamExt};
-use crate::{constants, utils};
+use crate::utils::UnixStreamExt;
+use crate::{constants, lp_select, root_impl, utils};
 use anyhow::{bail, Result};
 use memfd::Memfd;
 use nix::{
-    libc::{self, dlsym},
-    unistd::getppid,
+    fcntl::{fcntl, FcntlArg, FdFlag},
+    libc::self,
 };
 use passfd::FdPassingExt;
-use std::io::Write;
-use std::sync::Arc;
+use std::sync::{Arc, Mutex};
 use std::thread;
-use std::ffi::c_void;
+use std::ffi::c_char;
 use std::fs;
 use std::os::unix::{
     net::{UnixListener, UnixStream},
     prelude::AsRawFd,
 };
+use std::os::unix::process::CommandExt;
 use std::path::PathBuf;
 use std::process::Command;
 
-type ZygiskCompanionEntryFn = unsafe extern "C" fn(i32);
-
 struct Module {
     name: String,
     memfd: Memfd,
-    companion_entry: Option<ZygiskCompanionEntryFn>,
+    companion: Mutex<Option<UnixStream>>,
 }
 
 struct Context {
@@ -33,9 +31,10 @@ struct Context {
     modules: Vec<Module>,
 }
 
-pub fn start(is64: bool) -> Result<()> {
-    check_parent()?;
-    let arch = get_arch(is64)?;
+pub fn entry() -> Result<()> {
+    unsafe { libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGKILL) };
+
+    let arch = get_arch()?;
     log::debug!("Daemon architecture: {arch}");
 
     log::info!("Load modules");
@@ -48,7 +47,7 @@ pub fn start(is64: bool) -> Result<()> {
     let context = Arc::new(context);
 
     log::info!("Create socket");
-    let listener = create_daemon_socket(is64)?;
+    let listener = create_daemon_socket()?;
 
     log::info!("Handle zygote connections");
     for stream in listener.incoming() {
@@ -64,32 +63,21 @@ pub fn start(is64: bool) -> Result<()> {
     Ok(())
 }
 
-fn check_parent() -> Result<()> {
-    let parent = fs::read_to_string(format!("/proc/{}/cmdline", getppid().as_raw()))?;
-    let parent = parent.split('/').last().unwrap().trim_end_matches('\0');
-    if parent != "zygiskwd" {
-        bail!("Daemon is not started by watchdog: {parent}");
-    }
-    Ok(())
-}
-
-fn get_arch(is64: bool) -> Result<&'static str> {
+fn get_arch() -> Result<&'static str> {
     let output = Command::new("getprop").arg("ro.product.cpu.abi").output()?;
     let system_arch = String::from_utf8(output.stdout)?;
-    let is_arm = system_arch.contains("arm");
-    let is_x86 = system_arch.contains("x86");
-    match (is_arm, is_x86, is64) {
-        (true, _, false) => Ok("armeabi-v7a"),
-        (true, _, true) => Ok("arm64-v8a"),
-        (_, true, false) => Ok("x86"),
-        (_, true, true) => Ok("x86_64"),
-        _ => bail!("Unsupported system architecture: {}", system_arch),
+    if system_arch.contains("arm") {
+        return Ok(lp_select!("armeabi-v7a", "arm64-v8a"));
     }
+    if system_arch.contains("x86") {
+        return Ok(lp_select!("x86", "x86_64"));
+    }
+    bail!("Unsupported system architecture: {}", system_arch);
 }
 
 fn load_modules(arch: &str) -> Result<Vec<Module>> {
     let mut modules = Vec::new();
-    let dir = match fs::read_dir(constants::PATH_KSU_MODULE_DIR) {
+    let dir = match fs::read_dir(constants::PATH_MODULE_DIR) {
         Ok(dir) => dir,
         Err(e) => {
             log::warn!("Failed reading modules directory: {}", e);
@@ -105,35 +93,32 @@ fn load_modules(arch: &str) -> Result<Vec<Module>> {
             continue;
         }
         log::info!("  Loading module `{name}`...");
-        let memfd = match create_memfd(&name, &so_path) {
+        let memfd = match create_memfd(&so_path) {
             Ok(memfd) => memfd,
             Err(e) => {
                 log::warn!("  Failed to create memfd for `{name}`: {e}");
                 continue;
             }
         };
-        let companion_entry = match preload_module(&memfd) {
-            Ok(entry) => entry,
+        let companion = match spawn_companion(&name, &memfd) {
+            Ok(companion) => companion,
             Err(e) => {
-                log::warn!("  Failed to preload `{name}`: {e}");
+                log::warn!("  Failed to spawn companion for `{name}`: {e}");
                 continue;
             }
         };
-        let module = Module {
-            name,
-            memfd,
-            companion_entry,
-        };
+
+        let companion = Mutex::new(companion);
+        let module = Module { name, memfd, companion };
         modules.push(module);
     }
 
     Ok(modules)
 }
 
-fn create_memfd(name: &str, so_path: &PathBuf) -> Result<Memfd> {
+fn create_memfd(so_path: &PathBuf) -> Result<Memfd> {
     let opts = memfd::MemfdOptions::default().allow_sealing(true);
-    let memfd = opts.create(name)?;
-
+    let memfd = opts.create("jit-cache")?;
     let file = fs::File::open(so_path)?;
     let mut reader = std::io::BufReader::new(file);
     let mut writer = memfd.as_file();
@@ -149,66 +134,95 @@ fn create_memfd(name: &str, so_path: &PathBuf) -> Result<Memfd> {
     Ok(memfd)
 }
 
-fn preload_module(memfd: &Memfd) -> Result<Option<ZygiskCompanionEntryFn>> {
-    unsafe {
-        let path = format!("/proc/self/fd/{}", memfd.as_raw_fd());
-        let filename = std::ffi::CString::new(path)?;
-        let handle = libc::dlopen(filename.as_ptr(), libc::RTLD_LAZY);
-        if handle.is_null() {
-            let e = std::ffi::CStr::from_ptr(libc::dlerror())
-                .to_string_lossy()
-                .into_owned();
-            bail!("dlopen failed: {}", e);
-        }
-        let symbol = std::ffi::CString::new("zygisk_companion_entry")?;
-        let entry = dlsym(handle, symbol.as_ptr());
-        if entry.is_null() {
-            return Ok(None);
-        }
-        let fnptr = std::mem::transmute::<*mut c_void, ZygiskCompanionEntryFn>(entry);
-        Ok(Some(fnptr))
-    }
-}
-
-fn create_daemon_socket(is64: bool) -> Result<UnixListener> {
+fn create_daemon_socket() -> Result<UnixListener> {
     utils::set_socket_create_context("u:r:zygote:s0")?;
-    let suffix = if is64 { "zygiskd64" } else { "zygiskd32" };
-    let name = String::from(suffix) + constants::SOCKET_PLACEHOLDER;
+    let prefix = lp_select!("zygiskd32", "zygiskd64");
+    let name = String::from(prefix) + constants::SOCKET_PLACEHOLDER;
     let listener = utils::abstract_namespace_socket(&name)?;
     log::debug!("Daemon socket: {name}");
     Ok(listener)
 }
 
+fn spawn_companion(name: &str, memfd: &Memfd) -> Result<Option<UnixStream>> {
+    let (mut daemon, companion) = UnixStream::pair()?;
+    // Remove FD_CLOEXEC flag
+    fcntl(companion.as_raw_fd(), FcntlArg::F_SETFD(FdFlag::empty()))?;
+
+    let process = std::env::args().next().unwrap();
+    let nice_name = process.split('/').last().unwrap();
+    Command::new(&process)
+        .arg0(format!("{}-{}", nice_name, name))
+        .arg("companion")
+        .arg(format!("{}", companion.as_raw_fd()))
+        .spawn()?;
+    drop(companion);
+
+    daemon.write_string(name)?;
+    daemon.send_fd(memfd.as_raw_fd())?;
+    match daemon.read_u8()? {
+        0 => Ok(None),
+        1 => Ok(Some(daemon)),
+        _ => bail!("Invalid companion response"),
+    }
+}
+
 fn handle_daemon_action(mut stream: UnixStream, context: &Context) -> Result<()> {
     let action = stream.read_u8()?;
     let action = DaemonSocketAction::try_from(action)?;
     log::trace!("New daemon action {:?}", action);
     match action {
         DaemonSocketAction::PingHeartbeat => {
-            restore_native_bridge()?;
+            // Do nothing
+        }
+        DaemonSocketAction::RequestLogcatFd => {
+            loop {
+                let level = match stream.read_u8() {
+                    Ok(level) => level,
+                    Err(_) => break,
+                };
+                let tag = stream.read_string()?;
+                let tag = std::ffi::CString::new(tag)?;
+                let message = stream.read_string()?;
+                let message = std::ffi::CString::new(message)?;
+                unsafe {
+                    __android_log_print(level as i32, tag.as_ptr(), message.as_ptr());
+                }
+            }
         }
         DaemonSocketAction::ReadNativeBridge => {
-            stream.write_usize(context.native_bridge.len())?;
-            stream.write_all(context.native_bridge.as_bytes())?;
+            stream.write_string(&context.native_bridge)?;
+        }
+        DaemonSocketAction::GetProcessFlags => {
+            let uid = stream.read_u32()? as i32;
+            let mut flags = 0u32;
+            if root_impl::uid_on_allowlist(uid) {
+                flags |= constants::PROCESS_GRANTED_ROOT;
+            }
+            if root_impl::uid_on_denylist(uid) {
+                flags |= constants::PROCESS_ON_DENYLIST;
+            }
+            // TODO: PROCESS_IS_SYSUI?
+            stream.write_u32(flags)?;
         }
         DaemonSocketAction::ReadModules => {
             stream.write_usize(context.modules.len())?;
             for module in context.modules.iter() {
-                stream.write_usize(module.name.len())?;
-                stream.write_all(module.name.as_bytes())?;
+                stream.write_string(&module.name)?;
                 stream.send_fd(module.memfd.as_raw_fd())?;
             }
         }
         DaemonSocketAction::RequestCompanionSocket => {
             let index = stream.read_usize()?;
             let module = &context.modules[index];
-            log::debug!("New companion request from module {}", module.name);
-
-            // FIXME: Spawn a new process
-            match module.companion_entry {
-                Some(entry) => {
-                    stream.write_u8(1)?;
-                    unsafe { entry(stream.as_raw_fd()); }
+            let mut companion = module.companion.lock().unwrap();
+            match companion.as_ref() {
+                Some(sock) => {
+                    if let Err(_) = sock.send_fd(stream.as_raw_fd()) {
+                        log::error!("Companion of module `{}` crashed", module.name);
+                        companion.take();
+                        stream.write_u8(0)?;
+                    }
+                    // Ok: Send by companion
                 }
                 None => {
                     stream.write_u8(0)?;
@@ -218,10 +232,14 @@ fn handle_daemon_action(mut stream: UnixStream, context: &Context) -> Result<()>
         DaemonSocketAction::GetModuleDir => {
             let index = stream.read_usize()?;
             let module = &context.modules[index];
-            let dir = format!("{}/{}", constants::PATH_KSU_MODULE_DIR, module.name);
+            let dir = format!("{}/{}", constants::PATH_MODULE_DIR, module.name);
             let dir = fs::File::open(dir)?;
             stream.send_fd(dir.as_raw_fd())?;
         }
     }
     Ok(())
 }
+
+extern "C" {
+    fn __android_log_print(prio: i32, tag: *const c_char, fmt: *const c_char, ...) -> i32;
+}