feat: more aggressive android script

This commit is contained in:
Krzysztof Rudnicki 2025-12-21 19:12:16 +01:00
parent c030bab510
commit 964f3b5df6
4 changed files with 109 additions and 9 deletions

View File

@ -1,6 +1,6 @@
id=android_guardian
name=Android Guardian (Hosts + App Blocker)
version=1.0
versionCode=1
version=1.1
versionCode=2
author=linux-configuration
description=Persistent hosts blocking and app installation guard. Can only be controlled via ADB.
description=Persistent hosts blocking and app installation guard. Protected by watchdog - cannot be disabled from Magisk UI. Only controllable via ADB.

View File

@ -1,9 +1,63 @@
#!/system/bin/sh
# Runs early in boot - set up hosts file
# Runs early in boot - set up hosts file and start watchdog
# MODDIR is set by Magisk and points to this module's directory
GUARDIAN_DIR="/data/adb/android_guardian"
# shellcheck disable=SC2034 # Used for documentation; heredoc defines its own
MODULE_DIR="/data/adb/modules/android_guardian"
WATCHDOG_SCRIPT="$GUARDIAN_DIR/watchdog.sh"
mkdir -p "$GUARDIAN_DIR"
# Log that we're starting
echo "[$(date '+%Y-%m-%d %H:%M:%S')] post-fs-data: Guardian module loading" >>"$GUARDIAN_DIR/guardian.log"
# Create persistent watchdog script that runs independently of module state
cat >"$WATCHDOG_SCRIPT" <<'WATCHDOG'
#!/system/bin/sh
# Secondary watchdog - runs independently of module state
# Even if module is "disabled" in Magisk UI, this keeps running and undoes it
GUARDIAN_DIR="/data/adb/android_guardian"
MODULE_DIR="/data/adb/modules/android_guardian"
LOG_FILE="$GUARDIAN_DIR/watchdog.log"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" >>"$LOG_FILE"
}
log "=== Watchdog starting ==="
while true; do
# Protect module from Magisk UI disable/remove
if [ -f "$MODULE_DIR/disable" ]; then
log "ALERT: Module disable detected via Magisk UI - removing disable flag"
rm -f "$MODULE_DIR/disable"
fi
if [ -f "$MODULE_DIR/remove" ]; then
log "ALERT: Module removal detected via Magisk UI - removing remove flag"
rm -f "$MODULE_DIR/remove"
fi
# Also protect the hosts file directly
CONTROL_FILE="$GUARDIAN_DIR/control"
if [ "$(cat "$CONTROL_FILE" 2>/dev/null)" = "ENABLED" ]; then
if [ -f "$GUARDIAN_DIR/hosts.backup" ] && [ -f "$MODULE_DIR/system/etc/hosts" ]; then
current_hash=$(md5sum "$MODULE_DIR/system/etc/hosts" 2>/dev/null | cut -d' ' -f1)
backup_hash=$(md5sum "$GUARDIAN_DIR/hosts.backup" 2>/dev/null | cut -d' ' -f1)
if [ "$current_hash" != "$backup_hash" ]; then
log "ALERT: Hosts tampering detected - restoring"
cp "$GUARDIAN_DIR/hosts.backup" "$MODULE_DIR/system/etc/hosts"
fi
fi
fi
sleep 3
done
WATCHDOG
chmod 755 "$WATCHDOG_SCRIPT"
# Start watchdog as a separate background process
nohup sh "$WATCHDOG_SCRIPT" >/dev/null 2>&1 &
echo "[$(date '+%Y-%m-%d %H:%M:%S')] post-fs-data: Watchdog started" >>"$GUARDIAN_DIR/guardian.log"

View File

@ -3,7 +3,8 @@
# This service:
# 1. Monitors and protects the hosts file
# 2. Blocks installation of forbidden apps
# 3. Can only be stopped via ADB with the correct command
# 3. Prevents module from being disabled via Magisk UI
# 4. Can only be stopped via ADB with the correct command
MODDIR=${0%/*}
GUARDIAN_DIR="/data/adb/android_guardian"
@ -11,6 +12,9 @@ LOG_FILE="$GUARDIAN_DIR/guardian.log"
BLOCKED_APPS_FILE="$GUARDIAN_DIR/blocked_apps.txt"
CONTROL_FILE="$GUARDIAN_DIR/control"
HOSTS_BACKUP="$GUARDIAN_DIR/hosts.backup"
MODULE_DIR="/data/adb/modules/android_guardian"
DISABLE_FILE="$MODULE_DIR/disable"
REMOVE_FILE="$MODULE_DIR/remove"
# Ensure guardian directory exists
mkdir -p "$GUARDIAN_DIR"
@ -24,11 +28,28 @@ log() {
log "=== Android Guardian starting ==="
# Function to check if guardian is enabled
# Function to check if guardian is enabled (via ADB control, not Magisk UI)
is_enabled() {
[ "$(cat "$CONTROL_FILE" 2>/dev/null)" = "ENABLED" ]
}
# Function to protect module from being disabled via Magisk UI
protect_module() {
# Remove disable file if someone tried to disable via Magisk
if [ -f "$DISABLE_FILE" ]; then
log "Module disable attempt detected via Magisk UI! Re-enabling..."
rm -f "$DISABLE_FILE"
log "Module re-enabled"
fi
# Remove remove file if someone tried to uninstall via Magisk
if [ -f "$REMOVE_FILE" ]; then
log "Module removal attempt detected via Magisk UI! Blocking..."
rm -f "$REMOVE_FILE"
log "Module removal blocked"
fi
}
# Function to restore hosts file if tampered
protect_hosts() {
if [ -f "$HOSTS_BACKUP" ]; then
@ -63,15 +84,19 @@ check_blocked_apps() {
done <"$BLOCKED_APPS_FILE"
}
# Main monitoring loop
# Main monitoring loop - runs every 5 seconds for faster protection
while true; do
# ALWAYS protect module from UI disabling (even if guardian is "disabled" via ADB)
# This ensures only ADB can control the guardian
protect_module
if is_enabled; then
protect_hosts
check_blocked_apps
fi
# Check every 30 seconds
sleep 30
# Check every 5 seconds (faster response to disable attempts)
sleep 5
done &
log "Guardian service started (PID: $!)"

View File

@ -478,6 +478,24 @@ cmd_status() {
status=$(adb shell "su -c 'cat $GUARDIAN_DATA_DIR/control 2>/dev/null || echo UNKNOWN'" | tr -d '\r')
echo "Status: $status"
# Check if module is "disabled" in Magisk UI (should be auto-fixed by watchdog)
local magisk_disabled
if adb shell "su -c 'test -f $MODULE_DEST/disable'" 2>/dev/null; then
magisk_disabled="YES (watchdog should fix this)"
else
magisk_disabled="No"
fi
echo "Magisk UI disabled: $magisk_disabled"
# Check if watchdog is running
local watchdog_running
watchdog_running=$(adb shell "su -c 'pgrep -f watchdog.sh 2>/dev/null | wc -l'" | tr -d '\r')
if [ "$watchdog_running" -gt 0 ] 2>/dev/null; then
echo "Watchdog: RUNNING ($watchdog_running processes)"
else
echo "Watchdog: NOT RUNNING (reboot phone to start)"
fi
# Check hosts file
local hosts_entries
hosts_entries=$(adb shell "su -c 'grep -c \"^0.0.0.0\" /system/etc/hosts 2>/dev/null || echo 0'" | tr -d '\r')
@ -489,6 +507,9 @@ cmd_status() {
echo "Blocked app rules: $blocked_count packages"
echo ""
echo "Protection: Module cannot be disabled from Magisk UI"
echo " Only controllable via: $0 disable/enable"
echo ""
}
# Disable guardian