[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81670":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":16,"stars30d":12,"stars90d":15,"forks30d":15,"starsTrendScore":17,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":19,"archived":20,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},81670,"Isolation-Policy","MhmRdd\u002FIsolation-Policy","MhmRdd","LSPosed module that denies useAppZygote for selected packages by hooking HostingRecord.usesAppZygote in system_server.",null,"Java",45,7,38,1,0,5,15,2.71,"Apache License 2.0",true,false,"main",[],"2026-06-12 02:04:18","# IsolPolicy\n\nLSPosed module that denies the `useAppZygote` service-spawn path on a user-selected list of packages.\n\n## Background\n\nOn Android 10+ a service can declare `android:useAppZygote=\"true\"` together with `android:isolatedProcess=\"true\"`. The platform forks the service from a per-app **App Zygote** rather than the global zygote. Whatever code an app puts in its `ZygotePreload` runs inside the `app_zygote` SELinux domain before the dyntransition to `isolated_app`. That domain is granted `selinux_check_context` and `selinux_check_access` by AOSP's `system\u002Fsepolicy\u002Fprivate\u002Fapp_zygote.te`, so the preload can ask the kernel to validate arbitrary SELinux labels and answer arbitrary access-vector queries via `\u002Fsys\u002Ffs\u002Fselinux\u002F{context,access}`. An untrusted app domain has neither permission.\n\n## What this module does\n\nThe hook is on `com.android.server.am.ProcessList#startProcessLocked` inside `system_server`. 
When the target process is being hosted by App Zygote and its package is in the deny list, the hook reports the process-start request as accepted but skips the actual fork. The caller's `Context.bindIsolatedService(...)` can resolve to `true`, but no service connection arrives. The `ZygotePreload` callback never runs in `app_zygote`.\n\nSystem packages cannot be added to the deny list. The module's own package is always denied and cannot be unchecked, so the built-in tester can verify that the hook is blocking `useAppZygote` binds for the host.\n\n## References\n\n- LSPosed\u002FDirtySepolicy: https:\u002F\u002Fgithub.com\u002FLSPosed\u002FDirtySepolicy\n- AOSP `app_zygote.te`: https:\u002F\u002Fandroid.googlesource.com\u002Fplatform\u002Fsystem\u002Fsepolicy\u002F+\u002Fmaster\u002Fprivate\u002Fapp_zygote.te\n\n## License\n\nApache 2.0. See [`LICENSE`](LICENSE).\n","IsolPolicy is an LSPosed module that prevents selected application packages from using App Zygote by hooking the HostingRecord.usesAppZygote method in system_server. Its core function is to let users define their own blacklist; apps on the list are barred from starting service processes from a specific App Zygote, which prevents those apps from performing potentially security-sensitive operations such as SELinux label validation. The module is suited to advanced Android users or developers who want to strengthen device security, especially where certain applications need stricter isolation control. It is written in Java and released under the Apache License 2.0 open-source license.",2,"2026-06-11 04:05:54","CREATED_QUERY"]