From 277175ee37efbadfd751a9060970014225436939 Mon Sep 17 00:00:00 2001
From: Krzysztof Rudnicki
Date: Sun, 21 Dec 2025 19:12:16 +0100
Subject: [PATCH] feat: more aggressive android script
---
 scripts/utils/android_guardian/module.prop | 6 +-
 .../utils/android_guardian/post-fs-data.sh | 56 ++++++++++++++++++-
 scripts/utils/android_guardian/service.sh | 35 ++++++++++--
 scripts/utils/update_android_hosts.sh | 21 +++++++
 4 files changed, 109 insertions(+), 9 deletions(-)
diff --git a/scripts/utils/android_guardian/module.prop b/scripts/utils/android_guardian/module.prop
index bceabd4..f0b3803 100644
--- a/scripts/utils/android_guardian/module.prop
+++ b/scripts/utils/android_guardian/module.prop
@@ -1,6 +1,6 @@
 id=android_guardian
 name=Android Guardian (Hosts + App Blocker)
-version=1.0
-versionCode=1
+version=1.1
+versionCode=2
 author=linux-configuration
-description=Persistent hosts blocking and app installation guard. Can only be controlled via ADB.
+description=Persistent hosts blocking and app installation guard. Protected by watchdog - cannot be disabled from Magisk UI. Only controllable via ADB.
diff --git a/scripts/utils/android_guardian/post-fs-data.sh b/scripts/utils/android_guardian/post-fs-data.sh
index c602a7e..1e47410 100755
--- a/scripts/utils/android_guardian/post-fs-data.sh
+++ b/scripts/utils/android_guardian/post-fs-data.sh
@@ -1,9 +1,63 @@
 #!/system/bin/sh
-# Runs early in boot - set up hosts file
+# Runs early in boot - set up hosts file and start watchdog
 # MODDIR is set by Magisk and points to this module's directory
 GUARDIAN_DIR="/data/adb/android_guardian"
+# shellcheck disable=SC2034 # Used for documentation; heredoc defines its own
+MODULE_DIR="/data/adb/modules/android_guardian"
+WATCHDOG_SCRIPT="$GUARDIAN_DIR/watchdog.sh"
 mkdir -p "$GUARDIAN_DIR"
 # Log that we're starting
 echo "[$(date '+%Y-%m-%d %H:%M:%S')] post-fs-data: Guardian module loading" >>"$GUARDIAN_DIR/guardian.log"
+
+# Create persistent watchdog script that runs independently of module state
+cat >"$WATCHDOG_SCRIPT" <<'WATCHDOG'
+#!/system/bin/sh
+# Secondary watchdog - runs independently of module state
+# Even if module is "disabled" in Magisk UI, this keeps running and undoes it
+GUARDIAN_DIR="/data/adb/android_guardian"
+MODULE_DIR="/data/adb/modules/android_guardian"
+LOG_FILE="$GUARDIAN_DIR/watchdog.log"
+
+log() {
+ echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" >>"$LOG_FILE"
+}
+
+log "=== Watchdog starting ==="
+
+while true; do
+ # Protect module from Magisk UI disable/remove
+ if [ -f "$MODULE_DIR/disable" ]; then
+ log "ALERT: Module disable detected via Magisk UI - removing disable flag"
+ rm -f "$MODULE_DIR/disable"
+ fi
+
+ if [ -f "$MODULE_DIR/remove" ]; then
+ log "ALERT: Module removal detected via Magisk UI - removing remove flag"
+ rm -f "$MODULE_DIR/remove"
+ fi
+
+ # Also protect the hosts file directly
+ CONTROL_FILE="$GUARDIAN_DIR/control"
+ if [ "$(cat "$CONTROL_FILE" 2>/dev/null)" = "ENABLED" ]; then
+ if [ -f "$GUARDIAN_DIR/hosts.backup" ] && [ -f "$MODULE_DIR/system/etc/hosts" ]; then
+ current_hash=$(md5sum "$MODULE_DIR/system/etc/hosts" 2>/dev/null | cut -d' ' -f1)
+ backup_hash=$(md5sum "$GUARDIAN_DIR/hosts.backup" 2>/dev/null | cut -d' ' -f1)
+
+ if [ "$current_hash" != "$backup_hash" ]; then
+ log "ALERT: Hosts tampering detected - restoring"
+ cp "$GUARDIAN_DIR/hosts.backup" "$MODULE_DIR/system/etc/hosts"
+ fi
+ fi
+ fi
+
+ sleep 3
+done
+WATCHDOG
+
+chmod 755 "$WATCHDOG_SCRIPT"
+
+# Start watchdog as a separate background process
+nohup sh "$WATCHDOG_SCRIPT" >/dev/null 2>&1 &
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] post-fs-data: Watchdog started" >>"$GUARDIAN_DIR/guardian.log"
diff --git a/scripts/utils/android_guardian/service.sh b/scripts/utils/android_guardian/service.sh
index d559152..eab2044 100755
--- a/scripts/utils/android_guardian/service.sh
+++ b/scripts/utils/android_guardian/service.sh
@@ -3,7 +3,8 @@
 # This service:
 # 1. Monitors and protects the hosts file
 # 2. Blocks installation of forbidden apps
-# 3. Can only be stopped via ADB with the correct command
+# 3. Prevents module from being disabled via Magisk UI
+# 4. Can only be stopped via ADB with the correct command
 MODDIR=${0%/*}
 GUARDIAN_DIR="/data/adb/android_guardian"
@@ -11,6 +12,9 @@ LOG_FILE="$GUARDIAN_DIR/guardian.log"
 BLOCKED_APPS_FILE="$GUARDIAN_DIR/blocked_apps.txt"
 CONTROL_FILE="$GUARDIAN_DIR/control"
 HOSTS_BACKUP="$GUARDIAN_DIR/hosts.backup"
+MODULE_DIR="/data/adb/modules/android_guardian"
+DISABLE_FILE="$MODULE_DIR/disable"
+REMOVE_FILE="$MODULE_DIR/remove"
 # Ensure guardian directory exists
 mkdir -p "$GUARDIAN_DIR"
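Review bot: In the watchdog that post-fs-data.sh generates, the hosts check fails open: both `md5sum` calls discard their errors, so if the tool is unavailable or fails for both files the two variables are empty, compare equal, and nothing is restored. The `cp` that follows is unchecked as well, so a restore that keeps failing writes the same ALERT to watchdog.log every 3 seconds with no size limit. A byte comparison drops the digest and treats an error as a mismatch: `if ! cmp -s "$MODULE_DIR/system/etc/hosts" "$GUARDIAN_DIR/hosts.backup"; then`, with the copy written as `cp "$GUARDIAN_DIR/hosts.backup" "$MODULE_DIR/system/etc/hosts" || log "ERROR: hosts restore failed"`. The script is also launched with `nohup sh ... &` and no pidfile or lock, so nothing prevents a second instance.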
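Review bot: In the second service.sh hunk, `MODULE_DIR` is hard-coded to `/data/adb/modules/android_guardian` although `MODDIR=${0%/*}` is already computed a few lines earlier (visible as context in the previous hunk), so the script now has two sources for its own location that can disagree if the module id changes. Deriving the flag paths from the existing variable keeps them consistent: `DISABLE_FILE="$MODDIR/disable"` and `REMOVE_FILE="$MODDIR/remove"`.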
@@ -24,11 +28,28 @@ log() {
 log "=== Android Guardian starting ==="
-# Function to check if guardian is enabled
+# Function to check if guardian is enabled (via ADB control, not Magisk UI)
 is_enabled() {
 [ "$(cat "$CONTROL_FILE" 2>/dev/null)" = "ENABLED" ]
 }
+# Function to protect module from being disabled via Magisk UI
+protect_module() {
+ # Remove disable file if someone tried to disable via Magisk
+ if [ -f "$DISABLE_FILE" ]; then
+ log "Module disable attempt detected via Magisk UI! Re-enabling..."
+ rm -f "$DISABLE_FILE"
+ log "Module re-enabled"
+ fi
+
+ # Remove remove file if someone tried to uninstall via Magisk
+ if [ -f "$REMOVE_FILE" ]; then
+ log "Module removal attempt detected via Magisk UI! Blocking..."
+ rm -f "$REMOVE_FILE"
+ log "Module removal blocked"
+ fi
+}
+
 # Function to restore hosts file if tampered
 protect_hosts() {
 if [ -f "$HOSTS_BACKUP" ]; then
@@ -63,15 +84,19 @@ check_blocked_apps() {
 done <"$BLOCKED_APPS_FILE"
 }
-# Main monitoring loop
+# Main monitoring loop - runs every 5 seconds for faster protection
 while true; do
+ # ALWAYS protect module from UI disabling (even if guardian is "disabled" via ADB)
+ # This ensures only ADB can control the guardian
+ protect_module
+
 if is_enabled; then
 protect_hosts
 check_blocked_apps
 fi
- # Check every 30 seconds
- sleep 30
+ # Check every 5 seconds (faster response to disable attempts)
+ sleep 5
 done &
 log "Guardian service started (PID: $!)"
diff --git a/scripts/utils/update_android_hosts.sh b/scripts/utils/update_android_hosts.sh
index 04da36e..a56037a 100755
--- a/scripts/utils/update_android_hosts.sh
+++ b/scripts/utils/update_android_hosts.sh
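Review bot: `protect_module` duplicates the flag-removal block of the watchdog that post-fs-data.sh generates, with different message text and a different log file (guardian.log here, watchdog.log there), so a single event is recorded only by whichever loop polls first and the two copies can drift apart. Both success messages are also written without checking `rm -f`, so the log can state "Module re-enabled" when the flag is still present; `if rm -f "$DISABLE_FILE"; then log "Module re-enabled"; else log "ERROR: could not remove $DISABLE_FILE"; fi` keeps the record truthful, and the same applies to the remove branch. If both loops are meant to stay, a comment above the function such as `# Keep in sync with watchdog.sh generated by post-fs-data.sh` would help the next maintainer.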
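Review bot: With `protect_module` called outside `if is_enabled` in the main loop, no value of the control file stops the flag removal, and nothing in this diff shows how the module is meant to be uninstalled or recovered if it misbehaves at boot. Please state the supported procedure in the comment above the call, for example `# Removal: <ADB procedure, to be filled in by the author>`. The shorter `sleep 5` also applies to `protect_hosts` and `check_blocked_apps`, which now run six times as often as before; if only the flag check needs the short interval, the heavier checks could stay on the old cadence behind a loop counter.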
@@ -478,6 +478,24 @@ cmd_status() {
 status=$(adb shell "su -c 'cat $GUARDIAN_DATA_DIR/control 2>/dev/null || echo UNKNOWN'" | tr -d '\r')
 echo "Status: $status"
+ # Check if module is "disabled" in Magisk UI (should be auto-fixed by watchdog)
+ local magisk_disabled
+ if adb shell "su -c 'test -f $MODULE_DEST/disable'" 2>/dev/null; then
+ magisk_disabled="YES (watchdog should fix this)"
+ else
+ magisk_disabled="No"
+ fi
+ echo "Magisk UI disabled: $magisk_disabled"
+
+ # Check if watchdog is running
+ local watchdog_running
+ watchdog_running=$(adb shell "su -c 'pgrep -f watchdog.sh 2>/dev/null | wc -l'" | tr -d '\r')
+ if [ "$watchdog_running" -gt 0 ] 2>/dev/null; then
+ echo "Watchdog: RUNNING ($watchdog_running processes)"
+ else
+ echo "Watchdog: NOT RUNNING (reboot phone to start)"
+ fi
+
 # Check hosts file
 local hosts_entries
 hosts_entries=$(adb shell "su -c 'grep -c \"^0.0.0.0\" /system/etc/hosts 2>/dev/null || echo 0'" | tr -d '\r')
@@ -489,6 +507,9 @@ cmd_status() {
 echo "Blocked app rules: $blocked_count packages"
 echo ""
+ echo "Protection: Module cannot be disabled from Magisk UI"
+ echo " Only controllable via: $0 disable/enable"
+ echo ""
 }
 # Disable guardian
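Review bot: The watchdog probe added to `cmd_status` can report RUNNING when no watchdog exists, because `pgrep -f watchdog.sh` matches full command lines and the shell started by `su -c` to run the pipeline carries that same string in its own arguments, so the count is likely at least 1. A pattern that cannot match itself avoids the false positive, written in the quoting style the function already uses for grep: `su -c 'pgrep -f \"[w]atchdog[.]sh\" 2>/dev/null | wc -l'`; a pidfile written by the watchdog and verified here would be stricter still. The `test -f $MODULE_DEST/disable` probe above it depends on `adb shell` and `su -c` both passing the remote exit status through, unlike the other probes in this function, which echo a value; `test -f $MODULE_DEST/disable && echo YES || echo NO` compared as a string would match them. `cmd_status` starts outside this hunk.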