PlayIntegrityFix/module/service.sh

#!/system/bin/sh

check_reset_prop() {
  local NAME=$1
  local EXPECTED=$2
  local VALUE=$(resetprop $NAME)
  [ -z $VALUE ] || [ $VALUE = $EXPECTED ] || resetprop $NAME $EXPECTED
}

contains_reset_prop() {
  local NAME=$1
  local CONTAINS=$2
  local NEWVAL=$3
  [[ "$(resetprop $NAME)" = *"$CONTAINS"* ]] && resetprop $NAME $NEWVAL
}

# Conditional sensitive properties

# SELinux
check_reset_prop ro.boot.selinux enforcing
# use delete since it can be 0 or 1 for enforcing depending on OEM
if [ -n "$(resetprop ro.build.selinux)" ]; then
    resetprop --delete ro.build.selinux
fi
# use toybox to protect stat access time reading
if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then
    chmod 640 /sys/fs/selinux/enforce
    chmod 440 /sys/fs/selinux/policy
fi

# Conditional late sensitive properties

# must be set after boot_completed for various OEMs
until [[ "$(getprop sys.boot_completed)" == "1" ]]; do
    sleep 1
done

check_reset_prop "ro.boot.vbmeta.device_state" "locked"
check_reset_prop "ro.boot.verifiedbootstate" "green"
check_reset_prop "ro.boot.flash.locked" "1"
check_reset_prop "ro.boot.veritymode" "enforcing"
check_reset_prop "ro.boot.warranty_bit" "0"
check_reset_prop "ro.warranty_bit" "0"
check_reset_prop "ro.debuggable" "0"
check_reset_prop "ro.force.debuggable" "0"
check_reset_prop "ro.secure" "1"
check_reset_prop "ro.adb.secure" "1"
check_reset_prop "ro.build.type" "user"
check_reset_prop "ro.build.tags" "release-keys"
check_reset_prop "ro.vendor.boot.warranty_bit" "0"
check_reset_prop "ro.vendor.warranty_bit" "0"
check_reset_prop "vendor.boot.vbmeta.device_state" "locked"
check_reset_prop "vendor.boot.verifiedbootstate" "green"
check_reset_prop "sys.oem_unlock_allowed" "0"

# MIUI specific
check_reset_prop "ro.secureboot.lockstate" "locked"

# Realme specific
check_reset_prop "ro.boot.realmebootstate" "green"
check_reset_prop "ro.boot.realme.lockstate" "1"

# Hide that we booted from recovery when magisk is in recovery mode
contains_reset_prop "ro.bootmode" "recovery" "unknown"
contains_reset_prop "ro.boot.bootmode" "recovery" "unknown"
contains_reset_prop "vendor.boot.bootmode" "recovery" "unknown"
Use Shamiko service.sh 2024-07-22 12:48:49 +03:00			`#!/system/bin/sh`
Rebase PIF 2024-07-21 19:34:45 +03:00
Use Shamiko service.sh 2024-07-22 12:48:49 +03:00			`check_reset_prop() {`
			`local NAME=$1`
			`local EXPECTED=$2`
			`local VALUE=$(resetprop $NAME)`
			`[ -z $VALUE ] \|\| [ $VALUE = $EXPECTED ] \|\| resetprop $NAME $EXPECTED`
			`}`

			`contains_reset_prop() {`
			`local NAME=$1`
			`local CONTAINS=$2`
			`local NEWVAL=$3`
			`[[ "$(resetprop $NAME)" = "$CONTAINS" ]] && resetprop $NAME $NEWVAL`
			`}`
Rebase PIF 2024-07-21 19:34:45 +03:00
Use Shamiko service.sh 2024-07-22 12:48:49 +03:00			`# Conditional sensitive properties`
Rebase PIF 2024-07-21 19:34:45 +03:00
			`# SELinux`
Revert "Use quotation marks" This reverts commit cc3e72224e3657612538d650af8993a60e144e35. 2024-07-24 14:35:18 +03:00			`check_reset_prop ro.boot.selinux enforcing`
Rebase PIF 2024-07-21 19:34:45 +03:00			`# use delete since it can be 0 or 1 for enforcing depending on OEM`
			`if [ -n "$(resetprop ro.build.selinux)" ]; then`
			`resetprop --delete ro.build.selinux`
			`fi`
			`# use toybox to protect stat access time reading`
			`if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then`
			`chmod 640 /sys/fs/selinux/enforce`
			`chmod 440 /sys/fs/selinux/policy`
			`fi`

			`# Conditional late sensitive properties`

			`# must be set after boot_completed for various OEMs`
			`until [[ "$(getprop sys.boot_completed)" == "1" ]]; do`
			`sleep 1`
			`done`

Use Shamiko service.sh 2024-07-22 12:48:49 +03:00			`check_reset_prop "ro.boot.vbmeta.device_state" "locked"`
			`check_reset_prop "ro.boot.verifiedbootstate" "green"`
			`check_reset_prop "ro.boot.flash.locked" "1"`
			`check_reset_prop "ro.boot.veritymode" "enforcing"`
			`check_reset_prop "ro.boot.warranty_bit" "0"`
			`check_reset_prop "ro.warranty_bit" "0"`
			`check_reset_prop "ro.debuggable" "0"`
			`check_reset_prop "ro.force.debuggable" "0"`
			`check_reset_prop "ro.secure" "1"`
			`check_reset_prop "ro.adb.secure" "1"`
			`check_reset_prop "ro.build.type" "user"`
			`check_reset_prop "ro.build.tags" "release-keys"`
			`check_reset_prop "ro.vendor.boot.warranty_bit" "0"`
			`check_reset_prop "ro.vendor.warranty_bit" "0"`
			`check_reset_prop "vendor.boot.vbmeta.device_state" "locked"`
			`check_reset_prop "vendor.boot.verifiedbootstate" "green"`
			`check_reset_prop "sys.oem_unlock_allowed" "0"`

			`# MIUI specific`
			`check_reset_prop "ro.secureboot.lockstate" "locked"`

			`# Realme specific`
			`check_reset_prop "ro.boot.realmebootstate" "green"`
			`check_reset_prop "ro.boot.realme.lockstate" "1"`

			`# Hide that we booted from recovery when magisk is in recovery mode`
			`contains_reset_prop "ro.bootmode" "recovery" "unknown"`
			`contains_reset_prop "ro.boot.bootmode" "recovery" "unknown"`
			`contains_reset_prop "vendor.boot.bootmode" "recovery" "unknown"`