Bump to 0.6.5

Signed-off-by: 5ec1cff <ewtqyqyewtqyqy@gmail.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,72 @@
+name: Bug report/反馈 Bug
+description: Report errors or unexpected behavior./反馈错误或异常行为。
+labels: [bug]
+title: "[Bug] Short description/简单描述"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting issues of Zygisk on KernelSU!
+
+        To make it easier for us to help you please enter detailed information below.
+
+        感谢给 Zygisk on KernelSU 汇报问题！
+        为了使我们更好地帮助你，请提供以下信息。
+        为了防止重复汇报，标题请务必使用英文。
+  - type: textarea
+    attributes:
+      label: Steps to reproduce/复现步骤
+      placeholder: |
+        1.
+        2.
+        3.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected behaviour/预期行为
+      placeholder: Tell us what should happen/正常情况下应该发生什么
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Actual behaviour/实际行为
+      placeholder: Tell us what happens instead/实际上发生了什么
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: KernelSU Module List/KernelSU 模块列表
+      render: Shell
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Zygisk on KernelSU version/Zygisk on KernelSU 版本
+      description: Don't use 'latest'. Specify actual version, otherwise your issue will be closed./不要填用“最新版”。给出具体版本号，不然 issue 会被关闭。
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Android version/Android 版本
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: KernelSU version/KernelSU 版本
+    validations:
+      required: true
+  - type: checkboxes
+    id: latest
+    attributes:
+      label: Version requirement/版本要求
+      options:
+        - label: I am using latest debug CI version of Zygisk on KernelSU and enable verbose log/我正在使用最新 CI 调试版本 Zygisk on KernelSU 且启用详细日志
+          required: true
+  - type: textarea
+    attributes:
+      label: Logs/日志
+      description: For usage issues, please provide the log zip saved from KernelSU manager; for activation issues, please provide [bugreport](https://developer.android.com/studio/debug/bug-report). Without logs zip, the issue will be closed. /使用问题请提供从 KernelSU 管理器保存的日志压缩包；激活问题请提供 [bugreport](https://developer.android.google.cn/studio/debug/bug-report?hl=zh-cn) 日志。没有日志附件的问题会被关闭。
+      placeholder: Upload logs zip by clicking the bar on the bottom. Upload logs to other websites or using external links is prohibited. /点击文本框底栏上传日志压缩包，禁止上传到其它网站或使用外链提供日志。
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,23 @@
+name: Feature request/新特性请求
+description: Suggest an idea./提出建议
+labels: [enhancement]
+title: "[Feature Request] Short description/简单描述"
+body:
+  - type: textarea
+    attributes:
+      label: Is your feature request related to a problem?/你的请求是否与某个问题相关？
+      placeholder: A clear and concise description of what the problem is./请清晰准确表述该问题。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe the solution you'd like/描述你想要的解决方案
+      placeholder: A clear and concise description of what you want to happen./请清晰准确描述新特性的预期行为
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional context/其他信息
+      placeholder: Add any other context or screenshots about the feature request here./其他关于新特性的信息或者截图
+    validations:
+      required: false

.github/workflows/issue_moderator.yml

@@ -0,0 +1,23 @@
+name: Issue moderator
+
+on:
+  issues:
+    types: [opened, edited, reopened]
+
+jobs:
+  autoclose:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check issue
+        uses: tachiyomiorg/issue-moderator-action@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          auto-close-rules: |
+            [
+              {
+                "type": "title",
+                "regex": ".*(Short description|简单描述).*",
+                "message": "You did not fill out the description in the title/你没有填写标题"
+              }
+            ]
+          auto-close-ignore-label: do-not-autoclose

build.gradle.kts

@@ -31,10 +31,10 @@ val gitCommitHash = "git rev-parse --verify --short HEAD".execute()
 
 val moduleId by extra("zygisksu")
 val moduleName by extra("Zygisk on KernelSU")
-val verName by extra("v4-0.6.3")
+val verName by extra("v4-0.6.5")
 val verCode by extra(gitCommitCount)
-val minKsuVersion by extra(10654)
-val minKsudVersion by extra(10670)
+val minKsuVersion by extra(10818)
+val minKsudVersion by extra(10818)
 val maxKsuVersion by extra(20000)
 val minMagiskVersion by extra(25208)
 

loader/src/include/api.hpp

@@ -26,14 +26,40 @@
 #define ZYGISK_API_VERSION 4
 
 /*
+
+***************
+* Introduction
+***************
+
+On Android, all app processes are forked from a special daemon called "Zygote".
+For each new app process, zygote will fork a new process and perform "specialization".
+This specialization operation enforces the Android security sandbox on the newly forked
+process to make sure that 3rd party application code is only loaded after it is being
+restricted within a sandbox.
+
+On Android, there is also this special process called "system_server". This single
+process hosts a significant portion of system services, which controls how the
+Android operating system and apps interact with each other.
+
+The Zygisk framework provides a way to allow developers to build modules and run custom
+code before and after system_server and any app processes' specialization.
+This enable developers to inject code and alter the behavior of system_server and app processes.
+
+Please note that modules will only be loaded after zygote has forked the child process.
+THIS MEANS ALL OF YOUR CODE RUNS IN THE APP/SYSTEM_SERVER PROCESS, NOT THE ZYGOTE DAEMON!
+
+*********************
+* Development Guide
+*********************
+
 Define a class and inherit zygisk::ModuleBase to implement the functionality of your module.
 Use the macro REGISTER_ZYGISK_MODULE(className) to register that class to Zygisk.
-Please note that modules will only be loaded after zygote has forked the child process.
-THIS MEANS ALL OF YOUR CODE RUNS IN THE APP/SYSTEM SERVER PROCESS, NOT THE ZYGOTE DAEMON!
+
 Example code:
+
 static jint (*orig_logger_entry_max)(JNIEnv *env);
 static jint my_logger_entry_max(JNIEnv *env) { return orig_logger_entry_max(env); }
-static void example_handler(int socket) { ... }
+
 class ExampleModule : public zygisk::ModuleBase {
 public:
     void onLoad(zygisk::Api *api, JNIEnv *env) override {
@@ -51,8 +77,26 @@ private:
     zygisk::Api *api;
     JNIEnv *env;
 };
+
 REGISTER_ZYGISK_MODULE(ExampleModule)
+
+-----------------------------------------------------------------------------------------
+
+Since your module class's code runs with either Zygote's privilege in pre[XXX]Specialize,
+or runs in the sandbox of the target process in post[XXX]Specialize, the code in your class
+never runs in a true superuser environment.
+
+If your module require access to superuser permissions, you can create and register
+a root companion handler function. This function runs in a separate root companion
+daemon process, and an Unix domain socket is provided to allow you to perform IPC between
+your target process and the root companion process.
+
+Example code:
+
+static void example_handler(int socket) { ... }
+
 REGISTER_ZYGISK_COMPANION(example_handler)
+
 */
 
 namespace zygisk {
@@ -84,7 +128,7 @@ namespace zygisk {
 
         // This method is called after the app process is specialized.
         // At this point, the process has all sandbox restrictions enabled for this application.
-        // This means that this method runs as the same privilege of the app's own code.
+        // This means that this method runs with the same privilege of the app's own code.
         virtual void postAppSpecialize([[maybe_unused]] const AppSpecializeArgs *args) {}
 
         // This method is called before the system server process is specialized.
@@ -219,7 +263,16 @@ namespace zygisk {
         // will be set to nullptr.
         void hookJniNativeMethods(JNIEnv *env, const char *className, JNINativeMethod *methods, int numMethods);
 
-        // For ELFs loaded in memory matching `inode`, replace function `symbol` with `newFunc`.
+        // Hook functions in the PLT (Procedure Linkage Table) of ELFs loaded in memory.
+        //
+        // Parsing /proc/[PID]/maps will give you the memory map of a process. As an example:
+        //
+        //       <address>       <perms>  <offset>   <dev>  <inode>           <pathname>
+        // 56b4346000-56b4347000  r-xp    00002000   fe:00    235       /system/bin/app_process64
+        // (More details: https://man7.org/linux/man-pages/man5/proc.5.html)
+        //
+        // The `dev` and `inode` pair uniquely identifies a file being mapped into memory.
+        // For matching ELFs loaded in memory, replace function `symbol` with `newFunc`.
         // If `oldFunc` is not nullptr, the original function pointer will be saved to `oldFunc`.
         void pltHookRegister(dev_t dev, ino_t inode, const char *symbol, void *newFunc, void **oldFunc);
 
@@ -243,11 +296,11 @@ void zygisk_module_entry(zygisk::internal::api_table *table, JNIEnv *env) { \
 //
 // The function runs in a superuser daemon process and handles a root companion request from
 // your module running in a target process. The function has to accept an integer value,
-// which is a socket that is connected to the target process.
+// which is a Unix domain socket that is connected to the target process.
 // See Api::connectCompanion() for more info.
 //
 // NOTE: the function can run concurrently on multiple threads.
-// Be aware of race conditions if you have a globally shared resource.
+// Be aware of race conditions if you have globally shared resources.
 
 #define REGISTER_ZYGISK_COMPANION(func) \
 void zygisk_companion_entry(int client) { func(client); }

loader/src/injector/hook.cpp

@@ -331,6 +331,7 @@ bool ZygiskModule::RegisterModuleImpl(ApiTable *api, long *module) {
         api->v2.getFlags = [](auto) { return ZygiskModule::getFlags(); };
     }
     if (api_version >= 4) {
+        api->v4.pltHookCommit = lsplt::CommitHook;
         api->v4.pltHookRegister = [](dev_t dev, ino_t inode, const char *symbol, void *fn, void **backup) {
             if (dev == 0 || inode == 0 || symbol == nullptr || fn == nullptr)
                 return;

loader/src/injector/unmount.cpp

@@ -10,12 +10,8 @@ using namespace std::string_view_literals;
 
 namespace {
     constexpr auto MODULE_DIR = "/data/adb/modules";
-
-    struct overlay_backup {
-        std::string target;
-        std::string vfs_option;
-        std::string fs_option;
-    };
+    constexpr auto KSU_OVERLAY_SOURCE = "KSU";
+    const std::vector<std::string> KSU_PARTITIONS{"/system", "/vendor", "/product", "/system_ext", "/odm", "/oem"};
 
     void lazy_unmount(const char* mountpoint) {
         if (umount2(mountpoint, MNT_DETACH) != -1) {
@@ -26,16 +22,9 @@ namespace {
     }
 }
 
-#define PARSE_OPT(name, flag)   \
-    if (opt == (name)) {        \
-        flags |= (flag);        \
-        return true;            \
-    }
-
 void revert_unmount_ksu() {
     std::string ksu_loop;
     std::vector<std::string> targets;
-    std::list<overlay_backup> backups;
 
     // Unmount ksu module dir last
     targets.emplace_back(MODULE_DIR);
@@ -50,17 +39,10 @@ void revert_unmount_ksu() {
             targets.emplace_back(info.target);
         }
         // Unmount ksu overlays
-        if (info.type == "overlay") {
-            if (str_contains(info.fs_option, MODULE_DIR)) {
-                targets.emplace_back(info.target);
-            } else {
-                auto backup = overlay_backup{
-                        .target = info.target,
-                        .vfs_option = info.vfs_option,
-                        .fs_option = info.fs_option,
-                };
-                backups.emplace_back(backup);
-            }
+        if (info.type == "overlay"
+            && info.source == KSU_OVERLAY_SOURCE
+            && std::find(KSU_PARTITIONS.begin(), KSU_PARTITIONS.end(), info.target) != KSU_PARTITIONS.end()) {
+            targets.emplace_back(info.target);
         }
     }
     for (auto& info: parse_mount_info("self")) {
@@ -74,34 +56,6 @@ void revert_unmount_ksu() {
     for (auto& s: reversed(targets)) {
         lazy_unmount(s.data());
     }
-
-    // Affirm unmounted system overlays
-    for (auto& info: parse_mount_info("self")) {
-        if (info.type == "overlay") {
-            backups.remove_if([&](overlay_backup& mnt) {
-                return mnt.target == info.target && mnt.fs_option == info.fs_option;
-            });
-        }
-    }
-
-    // Restore system overlays
-    for (auto& mnt: backups) {
-        auto opts = split_str(mnt.vfs_option, ",");
-        opts.splice(opts.end(), split_str(mnt.fs_option, ","));
-        unsigned long flags = 0;
-        opts.remove_if([&](auto& opt) {
-            PARSE_OPT(MNTOPT_RO, MS_RDONLY)
-            PARSE_OPT(MNTOPT_NOSUID, MS_NOSUID)
-            PARSE_OPT("relatime", MS_RELATIME)
-            return false;
-        });
-        auto mnt_data = join_str(opts, ",");
-        if (mount("overlay", mnt.target.data(), "overlay", flags, mnt_data.data()) != -1) {
-            LOGD("Remounted (%s)", mnt.target.data());
-        } else {
-            PLOGE("Remount (%s, %s)", mnt.target.data(), mnt.fs_option.data());
-        }
-    }
 }
 
 void revert_unmount_magisk() {

module/src/customize.sh

@@ -82,10 +82,6 @@ extract "$ZIPFILE" 'sepolicy.rule' "$TMPDIR"
 
 if [ "$KSU" ]; then
   ui_print "- Checking SELinux patches"
-  if [ "$(getprop ro.product.first_api_level)" -lt 31 ]; then
-    echo "allow zygote appdomain_tmpfs file *" >> "$TMPDIR/sepolicy.rule"
-    echo "allow zygote appdomain_tmpfs dir *"  >> "$TMPDIR/sepolicy.rule"
-  fi
   if ! check_sepolicy "$TMPDIR/sepolicy.rule"; then
     ui_print "*********************************************************"
     ui_print "! Unable to apply SELinux patches!"

module/src/sepolicy.rule

@@ -1,4 +1,6 @@
 allow * tmpfs * *
+allow zygote appdomain_tmpfs dir *
+allow zygote appdomain_tmpfs file *
 
 type magisk_file file_type
 typeattribute magisk_file mlstrustedobject

zygiskd/src/root_impl/kernelsu.rs

@@ -5,7 +5,6 @@ const KERNEL_SU_OPTION: i32 = 0xdeadbeefu32 as i32;
 
 const CMD_GET_VERSION: usize = 2;
 const CMD_GET_ALLOW_LIST: usize = 5;
-const CMD_GET_DENY_LIST: usize = 6;
 
 pub enum Version {
     Supported,
@@ -35,9 +34,5 @@ pub fn uid_on_allowlist(uid: i32) -> bool {
 
 #[inline(never)]
 pub fn uid_on_denylist(uid: i32) -> bool {
-    let mut size = 1024u32;
-    let mut uids = vec![0; size as usize];
-    unsafe { prctl(KERNEL_SU_OPTION, CMD_GET_DENY_LIST, uids.as_mut_ptr(), &mut size as *mut u32) };
-    uids.resize(size as usize, 0);
-    uids.contains(&uid)
+    false
 }