diff --git a/module/common_func.sh b/module/common_func.sh
deleted file mode 100644
index 7623096..0000000
--- a/module/common_func.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-# resetprop_if_diff
-resetprop_if_diff() {
- local NAME="$1"
- local EXPECTED="$2"
- local CURRENT="$(resetprop "$NAME")"
-
- [ -z "$CURRENT" ] || [ "$CURRENT" = "$EXPECTED" ] || resetprop -n "$NAME" "$EXPECTED"
-}
-
-# resetprop_if_match
-resetprop_if_match() {
- local NAME="$1"
- local CONTAINS="$2"
- local VALUE="$3"
-
- [[ "$(resetprop "$NAME")" = *"$CONTAINS"* ]] && resetprop -n "$NAME" "$VALUE"
-}
diff --git a/module/post-fs-data.sh b/module/post-fs-data.sh
index 25d3ae3..b921a27 100644
--- a/module/post-fs-data.sh
+++ b/module/post-fs-data.sh
@@ -1,12 +1,18 @@
-MODPATH="${0%/*}"
-. $MODPATH/common_func.sh
-
-# Remove Play Services from Magisk DenyList when set to Enforce in normal mode
+# Remove Play Services from the Magisk Denylist when set to enforcing.
 if magisk --denylist status; then
 magisk --denylist rm com.google.android.gms
 fi
-# Conditional early sensitive properties
+resetprop_if_diff() {
+ local NAME="$1"
+ local EXPECTED="$2"
+ local CURRENT="$(resetprop "$NAME")"
+
+ [ -z "$CURRENT" ] || [ "$CURRENT" = "$EXPECTED" ] || resetprop -n "$NAME" "$EXPECTED"
+}
+
+# RootBeer, Microsoft
+resetprop_if_diff ro.build.tags release-keys
 # Samsung
 resetprop_if_diff ro.boot.warranty_bit 0
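Review bot: The inlined `resetprop_if_diff` in post-fs-data.sh has no comment, and its guard is easy to misread: an empty current value short-circuits the `||` chain, so a property that reads back empty is left untouched rather than created. I would document that above the function, e.g. `# Set NAME to EXPECTED only if it currently holds a different, non-empty value`. `local CURRENT="$(resetprop "$NAME")"` also hides the exit status of `resetprop` behind `local`; declaring with `local CURRENT` and assigning on the next line keeps it visible. The same function body is pasted again into service.sh in this commit, so the two copies can drift now that common_func.sh is deleted.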
@@ -14,24 +20,10 @@ resetprop_if_diff ro.vendor.boot.warranty_bit 0
 resetprop_if_diff ro.vendor.warranty_bit 0
 resetprop_if_diff ro.warranty_bit 0
-# Xiaomi
-resetprop_if_diff ro.secureboot.lockstate locked
-
-# Realme
-resetprop_if_diff ro.boot.realmebootstate green
-
 # OnePlus
 resetprop_if_diff ro.is_ever_orange 0
-# Microsoft
-for PROP in $(resetprop | grep -oE 'ro.*.build.tags'); do
- resetprop_if_diff $PROP release-keys
-done
-
 # Other
-for PROP in $(resetprop | grep -oE 'ro.*.build.type'); do
- resetprop_if_diff $PROP user
-done
+resetprop_if_diff ro.build.type user
 resetprop_if_diff ro.debuggable 0
-resetprop_if_diff ro.force.debuggable 0
 resetprop_if_diff ro.secure 1
diff --git a/module/service.sh b/module/service.sh
index 0b9b4c1..a0fc182 100644
--- a/module/service.sh
+++ b/module/service.sh
@@ -1,44 +1,55 @@
-MODPATH="${0%/*}"
-. $MODPATH/common_func.sh
+# Sensitive properties
-# Conditional sensitive properties
+resetprop_if_diff() {
+ local NAME="$1"
+ local EXPECTED="$2"
+ local CURRENT="$(resetprop "$NAME")"
+
+ [ -z "$CURRENT" ] || [ "$CURRENT" = "$EXPECTED" ] || resetprop -n "$NAME" "$EXPECTED"
+}
-# Magisk Recovery Mode
-resetprop_if_match ro.boot.mode recovery unknown
+resetprop_if_match() {
+ local NAME="$1"
+ local CONTAINS="$2"
+ local VALUE="$3"
+
+ [[ "$(resetprop "$NAME")" = *"$CONTAINS"* ]] && resetprop -n "$NAME" "$VALUE"
+}
+
+# Magisk recovery mode
 resetprop_if_match ro.bootmode recovery unknown
+resetprop_if_match ro.boot.mode recovery unknown
 resetprop_if_match vendor.boot.mode recovery unknown
-# SELinux
+# Hiding SELinux | Permissive status
 resetprop_if_diff ro.boot.selinux enforcing
-# use delete since it can be 0 or 1 for enforcing depending on OEM
 if [ -n "$(resetprop ro.build.selinux)" ]; then
 resetprop --delete ro.build.selinux
 fi
-# use toybox to protect stat access time reading
-if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then
+
+# Hiding SELinux | Use toybox to protect *stat* access time reading
+if [[ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]]; then
 chmod 640 /sys/fs/selinux/enforce
 chmod 440 /sys/fs/selinux/policy
 fi
-# Conditional late sensitive properties
-
-# must be set after boot_completed for various OEMs
-until [[ "$(getprop sys.boot_completed)" == "1" ]]; do
- sleep 1
-done
-
-# SafetyNet/Play Integrity + OEM
-# avoid breaking Realme fingerprint scanners
-resetprop_if_diff ro.boot.flash.locked 1
-resetprop_if_diff ro.boot.realme.lockstate 1
-# avoid breaking Oppo fingerprint scanners
-resetprop_if_diff ro.boot.vbmeta.device_state locked
-# avoid breaking OnePlus display modes/fingerprint scanners
-resetprop_if_diff vendor.boot.verifiedbootstate green
-# avoid breaking OnePlus/Oppo fingerprint scanners on OOS/ColorOS 12+
-resetprop_if_diff ro.boot.verifiedbootstate green
-resetprop_if_diff ro.boot.veritymode enforcing
-resetprop_if_diff vendor.boot.vbmeta.device_state locked
-
-# Other
-resetprop_if_diff sys.oem_unlock_allowed 0
+# Late props which must be set after boot_completed
+{
+ until [[ "$(getprop sys.boot_completed)" == "1" ]]; do
+ sleep 1
+ done
+
+ # SafetyNet/Play Integrity | Avoid breaking Realme fingerprint scanners
+ resetprop_if_diff ro.boot.flash.locked 1
+
+ # SafetyNet/Play Integrity | Avoid breaking Oppo fingerprint scanners
+ resetprop_if_diff ro.boot.vbmeta.device_state locked
+
+ # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners
+ resetprop_if_diff vendor.boot.verifiedbootstate green
+
+ # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners on OOS 12
+ resetprop_if_diff ro.boot.verifiedbootstate green
+ resetprop_if_diff ro.boot.veritymode enforcing
+ resetprop_if_diff vendor.boot.vbmeta.device_state locked
+}&
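Review bot: The `until` loop inside the new `{ … }&` group has no upper bound, so a boot that never sets `sys.boot_completed` to `1` leaves a background shell polling once a second indefinitely; an iteration cap that breaks out of the loop would bound it. The rewrite also drops the rationale `# use delete since it can be 0 or 1 for enforcing depending on OEM` above the `resetprop --delete ro.build.selinux` branch, which was the only explanation of why that property is removed instead of set, so I would keep that line. Separately, `resetprop_if_match` ends in `[[ … ]] && resetprop …` and therefore returns non-zero whenever the pattern does not match; an explicit `if` would keep the function's status meaningful if the script is ever run with `set -e`.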