From a8bed7e04408024b9882e0c287442f0f2db0271d Mon Sep 17 00:00:00 2001
From: okhsunrog <me@okhsunrog.dev>
Date: Sun, 12 Apr 2026 02:06:39 +0300
Subject: [PATCH] security: restrict target list visibility from apps

- /proc/vpnhide_targets: change from 0644 to 0600 (root only).
  Apps could read the UID list and discover which apps are targeted.
- Remove /data/local/tmp/vpnhide_targets.txt copies from service.sh
  and WebUI (no longer needed after get_module_dir() fix).
---
 kmod/vpnhide_kmod.c              | 6 +++---
 zygisk/module/service.sh         | 6 +-----
 zygisk/module/webroot/index.html | 2 +-
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/kmod/vpnhide_kmod.c b/kmod/vpnhide_kmod.c
index 98e2c31..894f88d 100644
--- a/kmod/vpnhide_kmod.c
+++ b/kmod/vpnhide_kmod.c
@@ -631,9 +631,9 @@ static int __init vpnhide_init(void)
 		}
 	}
 
-	/* 0644: root writes, everyone reads (system_server needs read
-	 * access to load target UIDs for Java-level VPN filtering). */
-	targets_entry = proc_create("vpnhide_targets", 0644, NULL,
+	/* 0600: root-only read/write. UIDs are written here by service.sh
+	 * and WebUI (both root). Apps must not see the target list. */
+	targets_entry = proc_create("vpnhide_targets", 0600, NULL,
 				    &targets_proc_ops);
 
 	pr_info(MODNAME ": loaded — write UIDs to /proc/vpnhide_targets\n");
diff --git a/zygisk/module/service.sh b/zygisk/module/service.sh
index 5e4f659..8809db5 100644
--- a/zygisk/module/service.sh
+++ b/zygisk/module/service.sh
@@ -7,13 +7,9 @@ TARGETS_FILE="$PERSIST_DIR/targets.txt"
 MODULE_DIR="${0%/*}"
 SS_UIDS_FILE="/data/system/vpnhide_uids.txt"
 
-# Copy targets to module dir and world-readable location.
-# On Magisk, SELinux blocks both zygote and untrusted_app from
-# /data/adb/*. /data/local/tmp/ is readable by all apps.
+# Copy targets to module dir so Zygisk can read via get_module_dir() fd.
 if [ -f "$TARGETS_FILE" ]; then
     cp "$TARGETS_FILE" "$MODULE_DIR/targets.txt" 2>/dev/null
-    cp "$TARGETS_FILE" /data/local/tmp/vpnhide_targets.txt 2>/dev/null
-    chmod 644 /data/local/tmp/vpnhide_targets.txt 2>/dev/null
 fi
 
 # Wait for PackageManager to be ready
diff --git a/zygisk/module/webroot/index.html b/zygisk/module/webroot/index.html
index d025730..c048ad6 100644
--- a/zygisk/module/webroot/index.html
+++ b/zygisk/module/webroot/index.html
@@ -289,7 +289,7 @@
       const b64 = btoa(body);
 
       // Step 1: save package names to targets.txt (persistent + module dir for Magisk SELinux compat)
-      const step1 = `mkdir -p ${PERSIST_DIR} && echo '${b64}' | base64 -d > ${TARGETS_PATH} && chmod 644 ${TARGETS_PATH} && cp ${TARGETS_PATH} ${MODULE_TARGETS_PATH} 2>/dev/null && cp ${TARGETS_PATH} /data/local/tmp/vpnhide_targets.txt 2>/dev/null && chmod 644 /data/local/tmp/vpnhide_targets.txt 2>/dev/null`;
+      const step1 = `mkdir -p ${PERSIST_DIR} && echo '${b64}' | base64 -d > ${TARGETS_PATH} && chmod 644 ${TARGETS_PATH} && cp ${TARGETS_PATH} ${MODULE_TARGETS_PATH} 2>/dev/null`;
       const r1 = await ksuExec(step1);
       if (r1.errno !== 0) throw new Error(r1.stderr || `step1 errno=${r1.errno}`);