Module scripts fixes/improvements

- add back check_resetprop but rename functions to make their use more clear (thanks HuskyDG)
- combine system.prop (runs at post-fs-data) entries into service.sh so that they're only set if needed (note that they therefore wouldn't need to be late props)
- use a uniform style in all scripts (only necessary quoting and brackets, add trailing newlines, spaces not tabs :P)
- remove GMS data pif.prop/pif.json files left over from previous releases to ensure they don't trigger detection at some point (these lines can be removed again in a later release once we're satisfied everyone affected has this resolved)

module/customize.sh

@@ -1,10 +1,14 @@
 # Error on < Android 8
 if [ "$API" -lt 26 ]; then
-    abort "!!! You can't use this module on Android < 8.0."
+    abort "!!! You can't use this module on Android < 8.0"
 fi
 
-# safetynet-fix module is incompatible
+# Remove safetynet-fix module if installed
-if [ -d "/data/adb/modules/safetynet-fix" ]; then
+if [ -d /data/adb/modules/safetynet-fix ]; then
-    touch "/data/adb/modules/safetynet-fix/remove"
+    touch /data/adb/modules/safetynet-fix/remove
-	ui_print "- 'safetynet-fix' module will be removed in next reboot."
+    ui_print "- 'safetynet-fix' module will be removed on next reboot"
 fi
+
+# Clean up any leftover files from previous deprecated methods
+rm -f /data/data/com.google.android.gms/cache/pif.prop /data/data/com.google.android.gms/pif.prop
+rm -f /data/data/com.google.android.gms/cache/pif.json /data/data/com.google.android.gms/pif.json

module/post-fs-data.sh

@@ -1,9 +1,9 @@
-# Remove Play Services from the Magisk Denylist when set to enforcing
+# Remove Play Services from Magisk Denylist when set to enforcing
 if magisk --denylist status; then
     magisk --denylist rm com.google.android.gms
 fi
 
-# Check if safetynet-fix is installed
+# Remove safetynet-fix module if installed
-if [ -d "/data/adb/modules/safetynet-fix" ]; then
+if [ -d /data/adb/modules/safetynet-fix ]; then
-    touch "/data/adb/modules/safetynet-fix/remove"
+    touch /data/adb/modules/safetynet-fix/remove
 fi

module/service.sh

@@ -1,46 +1,68 @@
-# Sensitive properties
+# Conditional sensitive properties
 
-maybe_set_prop() {
+resetprop_if_diff() {
-    local prop="$1"
+    local NAME=$1
-    local contains="$2"
+    local EXPECTED=$2
-    local value="$3"
+    local CURRENT=$(resetprop $NAME)
 
-    if [[ "$(getprop "$prop")" == *"$contains"* ]]; then
+    [ -z "$CURRENT" ] || [ "$CURRENT" == "$EXPECTED" ] || resetprop $NAME $EXPECTED
-        resetprop "$prop" "$value"
+}
-    fi
+resetprop_if_match() {
+    local NAME=$1
+    local CONTAINS=$2
+    local VALUE=$3
+
+    [[ "$(resetprop $NAME)" == *"$CONTAINS"* ]] && resetprop $NAME $VALUE
 }
 
+# RootBeer, Microsoft
+resetprop_if_diff ro.build.tags release-keys
+
+# Samsung
+resetprop_if_diff ro.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.warranty_bit 0
+resetprop_if_diff ro.warranty_bit 0
+
+# OnePlus
+resetprop_if_diff ro.is_ever_orange 0
+
+# Other
+resetprop_if_diff ro.build.type user
+resetprop_if_diff ro.debuggable 0
+resetprop_if_diff ro.secure 1
+
 # Magisk recovery mode
-maybe_set_prop ro.bootmode recovery unknown
+resetprop_if_match ro.bootmode recovery unknown
-maybe_set_prop ro.boot.mode recovery unknown
+resetprop_if_match ro.boot.mode recovery unknown
-maybe_set_prop vendor.boot.mode recovery unknown
+resetprop_if_match vendor.boot.mode recovery unknown
 
-# Hiding SELinux | Permissive status
+# SELinux
 resetprop --delete ro.build.selinux
-
+# use toybox to protect *stat* access time reading
-# Hiding SELinux | Use toybox to protect *stat* access time reading
+if [ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]; then
-if [[ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]]; then
     chmod 640 /sys/fs/selinux/enforce
     chmod 440 /sys/fs/selinux/policy
 fi
 
-# Late props which must be set after boot_completed
+# SafetyNet/Play Integrity
 {
-    until [[ "$(getprop sys.boot_completed)" == "1" ]]; do
+    # late props which must be set after boot_completed for various OEMs
+    until [ "$(getprop sys.boot_completed)" == "1" ]; do
         sleep 1
     done
 
-    # SafetyNet/Play Integrity | Avoid breaking Realme fingerprint scanners
+    # Avoid breaking Realme fingerprint scanners
-    resetprop ro.boot.flash.locked 1
+    resetprop_if_diff ro.boot.flash.locked 1
 
-    # SafetyNet/Play Integrity | Avoid breaking Oppo fingerprint scanners
+    # Avoid breaking Oppo fingerprint scanners
-    resetprop ro.boot.vbmeta.device_state locked
+    resetprop_if_diff ro.boot.vbmeta.device_state locked
 
-    # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners
+    # Avoid breaking OnePlus display modes/fingerprint scanners
-    resetprop vendor.boot.verifiedbootstate green
+    resetprop_if_diff vendor.boot.verifiedbootstate green
 
-    # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners on OOS 12
+    # Avoid breaking OnePlus/Oppo display fingerprint scanners on OOS/ColorOS 12+
-    resetprop ro.boot.verifiedbootstate green
+    resetprop_if_diff ro.boot.verifiedbootstate green
-    resetprop ro.boot.veritymode enforcing
+    resetprop_if_diff ro.boot.veritymode enforcing
-    resetprop vendor.boot.vbmeta.device_state locked
+    resetprop_if_diff vendor.boot.vbmeta.device_state locked
 }&

module/system.prop

@@ -1,16 +0,0 @@
-# RootBeer, Microsoft
-ro.build.tags=release-keys
-
-# Samsung
-ro.boot.warranty_bit=0
-ro.vendor.boot.warranty_bit=0
-ro.vendor.warranty_bit=0
-ro.warranty_bit=0
-
-# OnePlus
-ro.is_ever_orange=0
-
-# Other
-ro.build.type=user
-ro.debuggable=0
-ro.secure=1