Merge pull request #41 from NVISOsecurity/v1.3

TheDauntless · web-flow · commit ef3ba0e75471 · 2025-05-21T09:49:52.000+02:00
V1.3
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## v1.3
+
+* Fixed bug on A14
+* Fixed bug on A15/A16
+
 ## v1.2
 
 * Added automatic update support
diff --git a/README.md b/README.md
@@ -8,9 +8,9 @@ Features:
 * Support for Magisk/KernelSU/KernelSU Next
 * Support for devices with and without mainline/conscrypt updates
 
-## Conscrypt certs or not
+Depending on your Android version and Google Play Security Update version, your certificates will be either stored in `/system/etc/security/cacerts` or in `/apex/com.android.conscrypt/cacerts/`. This module handles all scenarios and works on any device from Android 7 until Android 16.
 
-Depending on your Android version and Google Play Security Update version, your certificates will be either stored in `/system/etc/security/cacerts` or in `/apex/com.android.conscrypt/cacerts/`. This module handles all scenarios and should work on any device from Android 7 until Android 16.
+## Usage
 
 ### Installing certificates
 
@@ -22,6 +22,10 @@ Remove the certificate from the user store through the settings and restart the
 
 ## Changelog
 
+### v1.3
+
+* Fixed bug on A14+
+
 ### v1.2
 
 * Added automatic update support
diff --git a/module.prop b/module.prop
@@ -1,7 +1,7 @@
 id=trustusercerts
 name=Always Trust User Certificates
-version=v1.2
-versionCode=44
+version=v1.3
+versionCode=45
 author=Jeroen Beckers (NVISO.eu)
 description=Copy user certs to the system trust store
 updateJson=https://raw.githubusercontent.com/NVISOsecurity/AlwaysTrustUserCerts/master/update.json
diff --git a/service.sh b/service.sh
@@ -7,41 +7,59 @@ log() {
     echo "$(date '+%m-%d %H:%M:%S ')" "$@" >> $MODDIR/log.txt
 }
 
-inject_into_zygote(){
+has_mount() {
+  local pid="$1"
+  grep -q " $APEX_CERT_DIR " "/proc/$pid/mountinfo"
+}
+
+monitor_zygote(){
 
-    log "Injecting into Zygote"
+    (
+    while true; do
 
-    # Collect all zygote PIDs (both 32‑ and 64‑bit)
-    zygote_pids=""
-    for name in zygote zygote64; do
-        for p in $(pidof $name 2>/dev/null); do
-            zygote_pids="$zygote_pids $p"
+        # Collect all zygote PIDs (both 32‑ and 64‑bit)
+        zygote_pids=""
+        for name in zygote zygote64; do
+            for p in $(pidof $name 2>/dev/null); do
+                zygote_pids="$zygote_pids $p"
+            done
         done
-    done
 
-    log "Zygote PIDs: $zygote_pids"
+        for zp in $zygote_pids; do
+
+            # if our bind isn’t present, re-apply it
+            if ! has_mount "$pid"; then
 
-    for zp in $zygote_pids; do
-        log "zygote PID: $zp"
+                # Get active children
+                children=$(echo "$zp" | xargs -n1 ps -o pid -P  | grep -v PID)
 
-        log "  Injecting into $zp"
-        /system/bin/nsenter --mount=/proc/$zp/ns/mnt -- /bin/mount --bind $APEX_CERT_DIR $APEX_CERT_DIR
+                # Fallback for old Android ps (columns: USER PID PPID ...):
+                if [ -z "$children" ]; then
+                    children=$(ps \
+                    | awk -v PPID=$zp '$3==PPID { print $2 }')
+                fi
 
-        # Get active children
-        children=$(echo "$zp" | xargs -n1 ps -o pid -P  | grep -v PID)
+                # After a crash, zygote is a bit unstable, so waiting to settle.
+                if [ "$(echo "$children" | wc -l)" -lt 5 ]; then
+                    /system/bin/sleep 1s
+                    continue
+                fi
 
-        # Fallback for old Android ps (columns: USER PID PPID ...):
-        if [ -z "$children" ]; then
-            children=$(ps \
-            | awk -v PPID=$zp '$3==PPID { print $2 }')
-        fi
+                log "Injecting into zygote ($zp)"
+                /system/bin/nsenter --mount=/proc/$zp/ns/mnt -- /bin/mount --rbind $SYS_CERT_DIR $APEX_CERT_DIR
 
-        for pid in $children; do
-            log "  Injecting into child: $pid"
-            /system/bin/nsenter --mount=/proc/$pid/ns/mnt -- /bin/mount --bind $APEX_CERT_DIR $APEX_CERT_DIR
 
+                for pid in $children; do
+                    if ! has_mount "$pid"; then
+                        log "  Injecting into child $pid"
+                        /system/bin/nsenter --mount=/proc/$pid/ns/mnt -- /bin/mount --rbind $SYS_CERT_DIR $APEX_CERT_DIR
+                    fi
+                done
+            fi
         done
+        sleep 5
     done
+    )&
 }
 
 main(){
@@ -65,7 +83,7 @@ main(){
         chmod 644 $SYS_CERT_DIR/*
         chcon u:object_r:system_security_cacerts_file:s0 $SYS_CERT_DIR/*
 
-        inject_into_zygote
+        monitor_zygote
     else
         # /system certs are automatically mounted by Magisk due to collection in post-fs-data
 	    log "No conscrypt"
