fix: shell injection guard, use named constants, bypass own hooks for /proc/self/maps

- WebUI: validate package names against [a-zA-Z0-9_.\-]+ before
  interpolating into shell commands (both kmod and zygisk copies)
- zygisk hooks.rs: use RTM_NEWLINK/RTM_NEWADDR from filter.rs instead
  of magic constants 16/20
- zygisk lib.rs: read /proc/self/maps via raw libc::open in
  scrub_shadowhook_maps to bypass our own hooked_openat
- kmod: add comment explaining why seq->buf access without seq->lock
  is safe in fib_route_ret (seq_read holds the mutex around ->show())
- kmod: add comment clarifying MODULE_LICENSE("GPL") vs MIT SPDX

zygisk/module/webroot/index.html

@@ -272,6 +272,10 @@
     countEl.textContent = `${n} selected`;
   }
 
+  // Android package names are [a-zA-Z0-9_.], but validate to prevent
+  // shell injection if a non-standard name somehow slips through.
+  const SAFE_PKG_RE = /^[a-zA-Z0-9_.\-]+$/;
+
   async function save() {
     saveBtn.disabled = true;
     try {
@@ -279,6 +283,8 @@
         .filter(p => p.selected)
         .map(p => p.pkg)
         .sort();
+      const unsafe = selected.find(p => !SAFE_PKG_RE.test(p));
+      if (unsafe) throw new Error(`invalid package name: ${unsafe}`);
       const body =
         '# Managed by the vpnhide_zygisk WebUI.\n' +
         '# One package name per line. Lines starting with # are comments.\n' +