Merge pull request #1 from kam821/v4

v4 - new version, new features, many updates

.gitattributes

@@ -3,6 +3,4 @@ META-INF/** text eol=lf
 *.prop text eol=lf
 *.sh text eol=lf
 *.md text eol=lf
-
-# Denote all files that are truly binary and should not be modified.
-system/** binary
+*. text eol=lf

META-INF/com/google/android/update-binary

@@ -1,10 +1,173 @@
 #!/sbin/sh
-# This is a dummy file that should be replaced with a proper installer script
 
-# If you are creating a module locally for personal usage or testing,
-# download the script in the following URL:
-# https://github.com/topjohnwu/Magisk/blob/master/scripts/module_installer.sh
-# And replace this script with the downloaded script
+#################
+# Initialization
+#################
 
-# Error, this script should always be replaced
-exit 1
+umask 022
+
+# Global vars
+TMPDIR=/dev/tmp
+PERSISTDIR=/sbin/.magisk/mirror/persist
+
+rm -rf $TMPDIR 2>/dev/null
+mkdir -p $TMPDIR
+
+# echo before loading util_functions
+ui_print() { echo "$1"; }
+
+require_new_magisk() {
+  ui_print "*******************************"
+  ui_print " Please install Magisk v19.0+! "
+  ui_print "*******************************"
+  exit 1
+}
+
+is_legacy_script() {
+  unzip -l "$ZIPFILE" install.sh | grep -q install.sh
+  return $?
+}
+
+print_modname() {
+  local len
+  len=`echo -n $MODNAME | wc -c`
+  len=$((len + 2))
+  local pounds=`printf "%${len}s" | tr ' ' '*'`
+  ui_print "$pounds"
+  ui_print " $MODNAME "
+  ui_print "$pounds"
+  ui_print "*******************"
+  ui_print " Powered by Magisk "
+  ui_print "*******************"
+}
+
+##############
+# Environment
+##############
+
+OUTFD=$2
+ZIPFILE=$3
+
+mount /data 2>/dev/null
+
+# Load utility functions
+[ -f /data/adb/magisk/util_functions.sh ] || require_new_magisk
+. /data/adb/magisk/util_functions.sh
+[ $MAGISK_VER_CODE -gt 18100 ] || require_new_magisk
+
+# Preperation for flashable zips
+setup_flashable
+
+# Mount partitions
+mount_partitions
+
+# Detect version and architecture
+api_level_arch_detect
+
+# Setup busybox and binaries
+$BOOTMODE && boot_actions || recovery_actions
+
+##############
+# Preparation
+##############
+
+# Extract prop file
+unzip -o "$ZIPFILE" module.prop -d $TMPDIR >&2
+[ ! -f $TMPDIR/module.prop ] && abort "! Unable to extract zip file!"
+
+$BOOTMODE && MODDIRNAME=modules_update || MODDIRNAME=modules
+MODULEROOT=$NVBASE/$MODDIRNAME
+MODID=`grep_prop id $TMPDIR/module.prop`
+MODPATH=$MODULEROOT/$MODID
+MODNAME=`grep_prop name $TMPDIR/module.prop`
+
+# Create mod paths
+rm -rf $MODPATH 2>/dev/null
+mkdir -p $MODPATH
+
+##########
+# Install
+##########
+
+if is_legacy_script; then
+  unzip -oj "$ZIPFILE" module.prop install.sh uninstall.sh 'common/*' -d $TMPDIR >&2
+
+  # Load install script
+  . $TMPDIR/install.sh
+
+  # Callbacks
+  print_modname
+  on_install
+
+  # Custom uninstaller
+  [ -f $TMPDIR/uninstall.sh ] && cp -af $TMPDIR/uninstall.sh $MODPATH/uninstall.sh
+
+  # Skip mount
+  $SKIPMOUNT && touch $MODPATH/skip_mount
+
+  # prop file
+  $PROPFILE && cp -af $TMPDIR/system.prop $MODPATH/system.prop
+
+  # Module info
+  cp -af $TMPDIR/module.prop $MODPATH/module.prop
+
+  # post-fs-data scripts
+  $POSTFSDATA && cp -af $TMPDIR/post-fs-data.sh $MODPATH/post-fs-data.sh
+
+  # service scripts
+  $LATESTARTSERVICE && cp -af $TMPDIR/service.sh $MODPATH/service.sh
+
+  ui_print "- Setting permissions"
+  set_permissions
+else
+  print_modname
+
+  unzip -o "$ZIPFILE" customize.sh -d $MODPATH >&2
+
+  if ! grep -q '^SKIPUNZIP=1$' $MODPATH/customize.sh 2>/dev/null; then
+    ui_print "- Extracting module files"
+    unzip -o "$ZIPFILE" -x 'META-INF/*' -d $MODPATH >&2
+
+    # Default permissions
+    set_perm_recursive $MODPATH 0 0 0755 0644
+  fi
+
+  # Load customization script
+  [ -f $MODPATH/customize.sh ] && . $MODPATH/customize.sh
+fi
+
+# Handle replace folders
+for TARGET in $REPLACE; do
+  ui_print "- Replace target: $TARGET"
+  mktouch $MODPATH$TARGET/.replace
+done
+
+if $BOOTMODE; then
+  # Update info for Magisk Manager
+  mktouch $NVBASE/modules/$MODID/update
+  cp -af $MODPATH/module.prop $NVBASE/modules/$MODID/module.prop
+fi
+
+# Copy over custom sepolicy rules
+if [ -f $MODPATH/sepolicy.rule -a -e $PERSISTDIR ]; then
+  ui_print "- Installing custom sepolicy patch"
+  PERSISTMOD=$PERSISTDIR/magisk/$MODID
+  mkdir -p $PERSISTMOD
+  cp -af $MODPATH/sepolicy.rule $PERSISTMOD/sepolicy.rule
+fi
+
+# Remove stuffs that don't belong to modules
+rm -rf \
+$MODPATH/system/placeholder $MODPATH/customize.sh \
+$MODPATH/README.md $MODPATH/.git* 2>/dev/null
+
+##############
+# Finalizing
+##############
+
+cd /
+$BOOTMODE || recovery_cleanup
+rm -rf $TMPDIR
+
+ui_print "- Done"
+exit 0

README.md

@@ -1,25 +1,27 @@
-# **SafetyPatcher**
+# **SafetyPatch**
+
 ## Description
-Fixes safetynet basicIntegrity & CTS on most devices, after you've applied magiskhide
+This module increases changes to hide Magisk as much as possible
+
 ## Changelog
-- A1 - Initial alpha
-- v1 - Includes fixes for OP3 and other devices with messed up cases in the bootloader
+- V4 - Completely rewrite the code [kam821]
+  - New features:
+    - Added configuration file: /common/safetypatch_conf
+    - Security patch date is now possible to change
+    - Possibility to change chmod permissions for selected files
+  - Rewritten regular expressions (added hiding selinux policy value)
+  - Removed /system/bin/safetypatcher script
+  - Upgrade to the latest module installer format
+  - Added uninstall.sh to remove junk files after module uninstall
+- V3 - Latest hachintosh5 version.
 - V2 - Adds a load of stuff so that it now also has a GUI (run safetypatcher in shell as root) and also passes CTS.
+- V1 - Includes fixes for OP3 and other devices with messed up cases in the bootloader
+- A1 - Initial alpha
+
 ## Requirements
 - Magisk
 - Magisk Hide (https://www.didgeridoohan.com/magisk/MagiskHide)
+
 ## Instructions
 1. Flash in Magisk Manager
-2. Reboot
-3. Comment on XDA to share your experience
-
-Or to use without Magisk (TODO: update for V2)...
-
-1. Enable ADB.
-3. Run `adb shell sed 's/ORANGE/GREEN/i' /proc/cmdline | sed 's/YELLOW/GREEN/i' > /data/local/tmp/cmdline` from computer with connected and authorized ADB/USB
-4. `adb shell mount -o bind /data/local/tmp/cmdline /proc/cmdline` from computer with connected and authorized ADB/USB
-5. Comment on XDA to share your experience
-## Links
-[Module XDA Forum Thread](https://forum.xda-developers.com/apps/magisk/module-safetypatcher-t3809879 "Module official XDA thread")
-
-[Latest stable Magisk](http://www.tiny.cc/latestmagisk) or Beta if you want
+2. Reboot

common/post-fs-data.sh

@@ -7,13 +7,28 @@
 MODDIR=${0%/*}
 
 # This script will be executed in post-fs-data mode
-sed 's/ORANGE/GREEN/i' /proc/cmdline | sed 's/YELLOW/GREEN/i' > /data/local/tmp/cmdline
-mount -o bind /data/local/tmp/cmdline /proc/cmdline
+[ -f "$MODDIR/safetypatch_conf" ] && . $MODDIR/safetypatch_conf || exit 0
 
-sed 's;^ro.*\.build\.fingerprint=.*;ro.build.fingerprint=HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys;' /system/build.prop > /data/local/tmp/build.prop
-mount -o bind /data/local/tmp/build.prop /system/build.prop
-# The build.prop thing seems to be useless, but at some point Google are sure to catch on and check in the raw build.prop to see if we're abusing getprop/resetprop.
-resetprop ro.build.fingerprint 'HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys'
-resetprop ro.bootimage.build.fingerprint 'HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys'
-#resetprop ro.vendor.build.fingerprint 'HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys'
-#The above caused issues (critical services not starting) on my Honor
+rm -f "${CMDLINE_TEMP_PATH}"
+rm -f "${PROP_TEMP_PATH}"
+
+if [ "$CMDLINE_REPLACE_ENABLED" = true ]; then
+  sed "${CMDLINE_REPLACE_VALUE}" ${CMDLINE_SYSTEM_PATH} > ${CMDLINE_TEMP_PATH}
+  mount -o bind ${CMDLINE_TEMP_PATH} ${CMDLINE_SYSTEM_PATH}
+fi
+
+if [ "$PROP_FINGERPRINT_ENABLED" = true ]; then
+  sed "${PROP_FINGERPRINT_SED}" ${PROP_SYSTEM_PATH} > ${PROP_TEMP_PATH}
+  mount -o bind ${PROP_TEMP_PATH} ${PROP_SYSTEM_PATH}
+
+  # The build.prop thing seems to be useless, but at some point Google are sure to catch on and check in the raw build.prop to see if we're abusing getprop/resetprop.
+  for PROP_FINGERPRINT_VAR in "${PROP_FINGERPRINT_VARS[@]}"; do
+    resetprop ${PROP_FINGERPRINT_VAR} "${PROP_FINGERPRINT_VALUE}" >&2
+  done
+fi
+
+if [ "$PROP_SECURITYPATCH_ENABLED" = true ]; then
+  for PROP_SECURITYPATCH_VAR in "${PROP_SECURITYPATCH_VARS[@]}"; do
+    resetprop ${PROP_SECURITYPATCH_VAR} "${PROP_SECURITYPATCH_VALUE}" >&2
+  done
+fi

common/safetypatch_conf

@@ -0,0 +1,45 @@
+#!/system/bin/sh
+
+CMDLINE_SYSTEM_PATH="/proc/cmdline"
+CMDLINE_TEMP_PATH="/data/local/tmp/cmdline"
+
+PROP_SYSTEM_PATH="/system/build.prop"
+PROP_TEMP_PATH="/data/local/tmp/build.prop"
+
+CMDLINE_REPLACE_ENABLED=true
+CMDLINE_REPLACE_VALUE="
+  s/orange/green/g
+  s/yellow/green/g
+  s/ORANGE/GREEN/g
+  s/YELLOW/GREEN/g
+  s/androidboot\.selinux=permissive/androidboot.selinux=enforcing/"
+
+PROP_FINGERPRINT_ENABLED=false
+PROP_FINGERPRINT_VALUE="Xiaomi/dipper/dipper:8.1.0/OPM1.171019.011/V9.5.9.0.OEAMIFA:user/release-keys"
+PROP_FINGERPRINT_VARS=(
+  ro.build.fingerprint
+  ro.bootimage.build.fingerprint
+  ro.odm.build.fingerprint
+  ro.system.build.fingerprint
+  ro.vendor.build.fingerprint
+)
+PROP_FINGERPRINT_SED="
+  s;^ro\.build\.fingerprint=.*;ro.build.fingerprint=${PROP_FINGERPRINT_VALUE};
+  s;^ro\.bootimage\.build\.fingerprint=.*;ro.bootimage.build.fingerprint=${PROP_FINGERPRINT_VALUE};
+  s;^ro\.odm\.build\.fingerprint=.*;ro.odm.build.fingerprint=${PROP_FINGERPRINT_VALUE};
+  s;^ro\.system\.build\.fingerprint=.*;ro.system.build.fingerprint=${PROP_FINGERPRINT_VALUE};
+  s;^ro\.vendor\.build\.fingerprint=.*;ro.vendor.build.fingerprint=${PROP_FINGERPRINT_VALUE};"
+
+PROP_SECURITYPATCH_ENABLED=false
+PROP_SECURITYPATCH_VALUE="2019-11-01"
+PROP_SECURITYPATCH_VARS=(
+  ro.build.version.security_patch
+  ro.vendor.build.security_patch
+)
+
+CHMOD_CHANGE_ENABLED=false
+CHMOD_CHANGE_VALUE="0440"
+CHMOD_CHANGE_PATHS=(
+  /proc/net/unix
+  /proc/filesystems
+)

common/service.sh

@@ -7,3 +7,10 @@
 MODDIR=${0%/*}
 
 # This script will be executed in late_start service mode
+[ -f "$MODDIR/safetypatch_conf" ] && . $MODDIR/safetypatch_conf || exit 0
+
+if [ "$CHMOD_CHANGE_ENABLED" = true ]; then
+  for CHMOD_CHANGE_PATH in "${CHMOD_CHANGE_PATHS[@]}"; do
+    chmod ${CHMOD_CHANGE_VALUE} "${CHMOD_CHANGE_PATH}" >&2
+  done
+fi

customize.sh

@@ -0,0 +1,14 @@
+on_install() {
+  ui_print "- Extracting module files"
+  unzip -oj "$ZIPFILE" module.prop uninstall.sh 'common/*' -d $MODPATH >&2
+}
+
+set_permissions() {
+  ui_print "- Setting permissions"
+  # The following is the default rule, DO NOT remove
+  set_perm_recursive $MODPATH 0 0 0755 0644
+}
+
+SKIPUNZIP=1
+on_install
+set_permissions