-
-
Notifications
You must be signed in to change notification settings - Fork 361
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
2c149cb
commit 527de92
Showing
2 changed files
with
44 additions
and
66 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,41 +1,28 @@ | ||
| # Remove Play Services from Magisk DenyList when set to Enforce in normal mode | ||
| # Remove Play Services from the Magisk Denylist when set to enforcing. | ||
| if magisk --denylist status; then | ||
| magisk --denylist rm com.google.android.gms | ||
| fi | ||
|
|
||
| check_reset_prop() { | ||
| local NAME=$1 | ||
| local EXPECTED=$2 | ||
| local VALUE=$(resetprop $NAME) | ||
| [ -z $VALUE ] || [ $VALUE = $EXPECTED ] || resetprop $NAME $EXPECTED | ||
| local NAME=$1 | ||
| local EXPECTED=$2 | ||
| local VALUE=$(resetprop $NAME) | ||
| [ -z $VALUE ] || [ $VALUE = $EXPECTED ] || resetprop $NAME $EXPECTED | ||
| } | ||
|
|
||
| # Conditional early sensitive properties | ||
| # RootBeer, Microsoft | ||
| check_reset_prop "ro.build.tags" "release-keys" | ||
|
|
||
| # Samsung | ||
| check_reset_prop "ro.boot.warranty_bit" "0" | ||
| check_reset_prop "ro.vendor.boot.warranty_bit" "0" | ||
| check_reset_prop "ro.vendor.warranty_bit" "0" | ||
| check_reset_prop "ro.warranty_bit" "0" | ||
|
|
||
| # Xiaomi | ||
| check_reset_prop "ro.secureboot.lockstate" "locked" | ||
|
|
||
| # Realme | ||
| check_reset_prop "ro.boot.realmebootstate" "green" | ||
|
|
||
| # OnePlus | ||
| check_reset_prop "ro.is_ever_orange" "0" | ||
|
|
||
| # Microsoft | ||
| for PROP in $(resetprop | grep -oE 'ro.*.build.tags'); do | ||
| check_reset_prop "$PROP" "release-keys" | ||
| done | ||
|
|
||
| # Other | ||
| for PROP in $(resetprop | grep -oE 'ro.*.build.type'); do | ||
| check_reset_prop "$PROP" "user" | ||
| done | ||
| check_reset_prop "ro.build.type" "user" | ||
| check_reset_prop "ro.debuggable" "0" | ||
| check_reset_prop "ro.force.debuggable" "0" | ||
| check_reset_prop "ro.secure" "1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,66 +1,57 @@ | ||
| #!/system/bin/sh | ||
| # Sensitive properties | ||
|
|
||
| check_reset_prop() { | ||
| local NAME=$1 | ||
| local EXPECTED=$2 | ||
| local VALUE=$(resetprop $NAME) | ||
| [ -z $VALUE ] || [ $VALUE = $EXPECTED ] || resetprop $NAME $EXPECTED | ||
| local NAME=$1 | ||
| local EXPECTED=$2 | ||
| local VALUE=$(resetprop $NAME) | ||
| [ -z $VALUE ] || [ $VALUE = $EXPECTED ] || resetprop $NAME $EXPECTED | ||
| } | ||
|
|
||
| contains_reset_prop() { | ||
| local NAME=$1 | ||
| local CONTAINS=$2 | ||
| local NEWVAL=$3 | ||
| [[ "$(resetprop $NAME)" = *"$CONTAINS"* ]] && resetprop $NAME $NEWVAL | ||
| local NAME=$1 | ||
| local CONTAINS=$2 | ||
| local NEWVAL=$3 | ||
| [[ "$(resetprop $NAME)" = *"$CONTAINS"* ]] && resetprop $NAME $NEWVAL | ||
| } | ||
|
|
||
| # Conditional sensitive properties | ||
| # Magisk recovery mode | ||
| contains_reset_prop "ro.bootmode" "recovery" "unknown" | ||
| contains_reset_prop "ro.boot.mode" "recovery" "unknown" | ||
| contains_reset_prop "vendor.boot.mode" "recovery" "unknown" | ||
| contains_reset_prop "ro.boot.bootmode" "recovery" "unknown" | ||
| contains_reset_prop "vendor.boot.bootmode" "recovery" "unknown" | ||
|
|
||
| # SELinux | ||
| check_reset_prop "ro.boot.selinux" "enforcing" | ||
|
|
||
| # use delete since it can be 0 or 1 for enforcing depending on OEM | ||
| if [ -n "$(resetprop ro.build.selinux)" ]; then | ||
| resetprop --delete ro.build.selinux | ||
| resetprop --delete "ro.build.selinux" | ||
| fi | ||
| # use toybox to protect stat access time reading | ||
| if [ "$(toybox cat /sys/fs/selinux/enforce)" = "0" ]; then | ||
|
|
||
| # Hiding SELinux | Use toybox to protect *stat* access time reading | ||
| if [[ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]]; then | ||
| chmod 640 /sys/fs/selinux/enforce | ||
| chmod 440 /sys/fs/selinux/policy | ||
| fi | ||
|
|
||
| # Conditional late sensitive properties | ||
| # Late props which must be set after boot_completed | ||
| { | ||
| until [[ "$(resetprop sys.boot_completed)" == "1" ]]; do | ||
| sleep 1 | ||
| done | ||
|
|
||
| # must be set after boot_completed for various OEMs | ||
| until [[ "$(getprop sys.boot_completed)" == "1" ]]; do | ||
| sleep 1 | ||
| done | ||
| # SafetyNet/Play Integrity | Avoid breaking Realme fingerprint scanners | ||
| check_reset_prop "ro.boot.flash.locked" "1" | ||
|
|
||
| check_reset_prop "ro.boot.vbmeta.device_state" "locked" | ||
| check_reset_prop "ro.boot.verifiedbootstate" "green" | ||
| check_reset_prop "ro.boot.flash.locked" "1" | ||
| check_reset_prop "ro.boot.veritymode" "enforcing" | ||
| check_reset_prop "ro.boot.warranty_bit" "0" | ||
| check_reset_prop "ro.warranty_bit" "0" | ||
| check_reset_prop "ro.debuggable" "0" | ||
| check_reset_prop "ro.force.debuggable" "0" | ||
| check_reset_prop "ro.secure" "1" | ||
| check_reset_prop "ro.adb.secure" "1" | ||
| check_reset_prop "ro.build.type" "user" | ||
| check_reset_prop "ro.build.tags" "release-keys" | ||
| check_reset_prop "ro.vendor.boot.warranty_bit" "0" | ||
| check_reset_prop "ro.vendor.warranty_bit" "0" | ||
| check_reset_prop "vendor.boot.vbmeta.device_state" "locked" | ||
| check_reset_prop "vendor.boot.verifiedbootstate" "green" | ||
| check_reset_prop "sys.oem_unlock_allowed" "0" | ||
| # SafetyNet/Play Integrity | Avoid breaking Oppo fingerprint scanners | ||
| check_reset_prop "ro.boot.vbmeta.device_state" "locked" | ||
|
|
||
| # MIUI specific | ||
| check_reset_prop "ro.secureboot.lockstate" "locked" | ||
| # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners | ||
| check_reset_prop "vendor.boot.verifiedbootstate" "green" | ||
|
|
||
| # Realme specific | ||
| check_reset_prop "ro.boot.realmebootstate" "green" | ||
| check_reset_prop "ro.boot.realme.lockstate" "1" | ||
|
|
||
| # Hide that we booted from recovery when magisk is in recovery mode | ||
| contains_reset_prop "ro.bootmode" "recovery" "unknown" | ||
| contains_reset_prop "ro.boot.bootmode" "recovery" "unknown" | ||
| contains_reset_prop "vendor.boot.bootmode" "recovery" "unknown" | ||
| # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners on OOS 12 | ||
| check_reset_prop "ro.boot.verifiedbootstate" "green" | ||
| check_reset_prop "ro.boot.veritymode" "enforcing" | ||
| check_reset_prop "vendor.boot.vbmeta.device_state" "locked" | ||
| }& |