Make module mirror read only

app/src/main/res/raw/manager.sh

@@ -117,8 +117,8 @@ EOF
 
 add_hosts_module() {
   # Do not touch existing hosts module
-  [ -d $MAGISKTMP/modules/hosts ] && return
-  cd $MAGISKTMP/modules
+  [ -d $NVBASE/modules/hosts ] && return
+  cd $NVBASE/modules
   mkdir -p hosts/system/etc
   cat << EOF > hosts/module.prop
 id=hosts

native/src/core/bootstages.cpp

@@ -54,7 +54,7 @@ static void mount_mirrors() {
         xmkdir(MODULEROOT, 0755);
         xmkdir(dest.data(), 0755);
         xmount(MODULEROOT, dest.data(), nullptr, MS_BIND, nullptr);
-        xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_NOATIME, nullptr);
+        xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr);
         xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr);
         chmod(SECURE_DIR, 0700);
         restorecon();

native/src/core/module.cpp

@@ -147,6 +147,10 @@ void mirror_node::mount() {
 
 void module_node::mount() {
     string src = module_mnt + module + parent()->root()->prefix + node_path();
+    if (node_path() == "/system/etc/hosts") {
+        // special case for /system/etc/hosts to ensure it is writable
+        src = std::string(MODULEROOT) + module + parent()->root()->prefix + "/system/etc/hosts";
+    }
     if (exist())
         clone_attr(mirror_path().data(), src.data());
     if (isa<tmpfs_node>(parent()))
@@ -303,6 +307,9 @@ void load_modules() {
         mount_zygisk(32)
         mount_zygisk(64)
     }
+
+    auto worker_dir = MAGISKTMP + "/" WORKERDIR;
+    xmount(nullptr, worker_dir.data(), nullptr, MS_REMOUNT | MS_RDONLY, nullptr);
 }
 
 /************************