Patch denylist processes

java/app/src/main/java/dev/kdrag0n/safetynetfix/proxy/ProxyKeyStoreSpi.kt

@@ -21,7 +21,10 @@ class ProxyKeyStoreSpi private constructor(
     // Avoid breaking other, legitimate uses of key attestation in Google Play Services, e.g.
     //   - com.google.android.gms.auth.cryptauth.register.ReEnrollmentChimeraService
     //   - tk_trace.129-RegisterForKeyPairOperation
-    private fun isCallerSafetyNet() = Thread.currentThread().stackTrace.any {
+    private fun isCallerDeniedOrSafetyNet(): Boolean {
+        var isGMS = false
+
+        // SafetyNet stack trace example:
         // a.a.engineGetCertificateChain(Unknown Source:15)
         // java.security.KeyStore.getCertificateChain(KeyStore.java:1087)
         // com.google.ccc.abuse.droidguard.DroidGuard.initNative(Native Method)
@@ -33,14 +36,25 @@ class ProxyKeyStoreSpi private constructor(
         // dzx.onTransact(:com.google.android.gms@[email protected] (190400-387928701):8)
         // android.os.Binder.execTransactInternal(Binder.java:1179)
         // android.os.Binder.execTransact(Binder.java:1143)
-        logDebug("Stack trace element: $it")
-        it.className.contains("DroidGuard", ignoreCase = true)
+        for (it in Thread.currentThread().stackTrace) {
+            logDebug("Stack trace element: $it")
+
+            if (it.className.contains("DroidGuard", ignoreCase = true)) {
+                return true
+            }
+
+            if (!isGMS && it.className.contains("com.google.android.gms", ignoreCase = true)) {
+                isGMS = true
+            }
+        }
+
+        return !isGMS
     }
 
     override fun engineGetCertificateChain(alias: String?): Array<Certificate>? {
         logDebug("Proxy key store: get certificate chain")
 
-        if (isCallerSafetyNet()) {
+        if (isCallerDeniedOrSafetyNet()) {
             logDebug("Blocking call")
             throw UnsupportedOperationException()
         } else {

zygisk/module/jni/module.cpp

@@ -84,20 +84,22 @@ class SafetyNetFixModule : public zygisk::ModuleBase {
     }
 
     void preSpecialize(const std::string& process) {
-        // Only touch GMS
-        if (process.rfind("com.google.android.gms", 0) != 0) {
-            api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
+        api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
+
+        // Only touch denied and GMS
+        auto deny = (api->getFlags() & zygisk::PROCESS_ON_DENYLIST) != 0;
+        if (!deny && process.rfind("com.google.android.gms", 0) != 0) {
             return;
         }
 
-        // Force DenyList unmounting for all GMS processes
+        // Force DenyList unmounting for all touching processes
         api->setOption(zygisk::FORCE_DENYLIST_UNMOUNT);
 
         // The unstable process is where SafetyNet attestation actually runs, so we only need to
         // spoof the model in that process. Leaving other processes alone fixes various issues
         // caused by model detection and flag provisioning, such as broken weather with the new
         // smartspace on Android 12.
-        if (process == "com.google.android.gms.unstable") {
+        if (deny || process == "com.google.android.gms.unstable") {
             // Load the payload, but don't inject it yet until after specialization
             // Otherwise, specialization fails if any code from the payload still happens to be
             // running