Fix/align keystore2 interception model

.gitattributes

@@ -0,0 +1,4 @@
+# Ensure shell scripts always have LF line endings, even on Windows.
+# These get packaged into flashable zips and run on Android devices.
+*.sh text eol=lf
+module/daemon text eol=lf

app/build.gradle.kts

@@ -122,7 +122,7 @@ androidComponents {
                 // Now, copy and process the files from 'module' directory.
                 val sourceModuleDir = rootProject.projectDir.resolve("module")
                 from(sourceModuleDir) {
-                    exclude("module.prop") // Exclude the template file.
+                    exclude("module.prop", "service.sh") // Exclude templated files.
                 }
 
                 // Copy and filter the module.prop template separately.
@@ -136,6 +136,18 @@ androidComponents {
                     )
                 }
 
+                // Wire DEBUG flag in service.sh to the build variant.
+                // Cannot use expand() here because shell syntax ${0%/*} conflicts.
+                // FixCrLfFilter applied last to ensure LF output on Windows.
+                from(sourceModuleDir) {
+                    include("service.sh")
+                    filter { it.replace("DEBUG=false", "DEBUG=$isDebug") }
+                    filter(
+                        mapOf("eol" to org.apache.tools.ant.filters.FixCrLfFilter.CrLf.newInstance("lf")),
+                        org.apache.tools.ant.filters.FixCrLfFilter::class.java,
+                    )
+                }
+
                 // The destination for all the above 'from' operations.
                 into(tempModuleDir)
             }

app/src/main/cpp/binder_interceptor.cpp

@@ -235,6 +235,8 @@ class BinderInterceptor : public BBinder {
     struct RegistrationEntry {
         wp<IBinder> target;
         sp<IBinder> callback_interface;
+        // Transaction codes to intercept. Empty = intercept all (legacy behavior).
+        std::vector<uint32_t> filtered_codes;
     };
 
     // Reader-Writer lock for the registry to allow concurrent reads (lookups)
@@ -244,10 +246,15 @@ class BinderInterceptor : public BBinder {
 public:
     BinderInterceptor() = default;
 
-    // Checks if a specific Binder instance is currently registered for interception
-    bool isBinderIntercepted(const wp<BBinder> &target) const {
+    // Checks if a specific Binder+code combination should be intercepted.
+    // Returns true if the binder is registered AND the code is in its filter
+    // (or the filter is empty, meaning intercept everything).
+    bool shouldIntercept(const wp<BBinder> &target, uint32_t code) const {
         std::shared_lock lock(registry_mutex_);
-        return registry_.find(target) != registry_.end();
+        auto it = registry_.find(target);
+        if (it == registry_.end()) return false;
+        const auto &codes = it->second.filtered_codes;
+        return codes.empty() || std::find(codes.begin(), codes.end(), code) != codes.end();
     }
 
     // Main entry point for processing the "Man-in-the-Middle" logic
@@ -307,7 +314,11 @@ class BinderStub : public BBinder {
         }
 
         if (!found_context) {
-            LOGW("BinderStub received transaction but no context found for thread");
+            LOGW("BinderStub received transaction but no context found for thread (code=%u)", code);
+#ifndef NDEBUG
+            std::lock_guard<std::mutex> dbg_lock(g_thread_context_mutex);
+            LOGW("  Thread context map has %zu entries", g_thread_context_map.size());
+#endif
             return UNKNOWN_TRANSACTION;
         }
 
@@ -386,13 +397,16 @@ void inspectAndRewriteTransaction(binder_transaction_data *txn_data) {
             // This is safe because we are holding a strong reference.
             wp<BBinder> wp_target = target_binder_ptr;
 
-            if (g_interceptor_instance->isBinderIntercepted(wp_target)) {
+            if (g_interceptor_instance->shouldIntercept(wp_target, txn_data->code)) {
                 info.transaction_code = txn_data->code;
                 info.target_binder = wp_target; // Assign the valid weak pointer
                 hijack = true;
             }
             // Manually release the temporary strong reference we acquired at the start.
             target_binder_ptr->decStrong(nullptr);
+        } else {
+            LOGD("[Hook] attemptIncStrong failed for target %p (code=%u, uid=%d) — binder may be dying",
+                 reinterpret_cast<void*>(txn_data->target.ptr), txn_data->code, txn_data->sender_euid);
         }
     }
 
@@ -409,7 +423,13 @@ void inspectAndRewriteTransaction(binder_transaction_data *txn_data) {
 
         // Store context for the stub to retrieve later in its onTransact
         std::lock_guard<std::mutex> lock(g_thread_context_mutex);
-        g_thread_context_map[std::this_thread::get_id()].push(std::move(info));
+        auto &queue = g_thread_context_map[std::this_thread::get_id()];
+        queue.push(std::move(info));
+#ifndef NDEBUG
+        if (queue.size() > 8) {
+            LOGW("[Hook] Thread context queue depth=%zu for thread — possible leak", queue.size());
+        }
+#endif
     }
 }
 
@@ -537,12 +557,26 @@ status_t BinderInterceptor::handleRegister(const Parcel &data) {
         return BAD_TYPE;
     }
 
+    // Read optional transaction code filter. If present: int32 count + count * uint32 codes.
+    // If absent or count <= 0: intercept all transaction codes (legacy behavior).
+    std::vector<uint32_t> codes;
+    int32_t code_count = 0;
+    if (data.dataAvail() >= sizeof(int32_t) && data.readInt32(&code_count) == OK && code_count > 0) {
+        codes.reserve(code_count);
+        for (int32_t i = 0; i < code_count; i++) {
+            uint32_t c = 0;
+            if (data.readUint32(&c) == OK) codes.push_back(c);
+        }
+        LOGI("Interceptor registered for binder %p with %zu filtered codes", target.get(), codes.size());
+    } else {
+        LOGI("Interceptor registered for binder %p (all codes)", target.get());
+    }
+
     wp<IBinder> weak_target = target;
 
     std::unique_lock lock(registry_mutex_);
-    registry_[weak_target] = {weak_target, callback};
+    registry_[weak_target] = {weak_target, callback, std::move(codes)};
 
-    LOGI("Interceptor registered for binder %p", target.get());
     return OK;
 }
 
@@ -592,8 +626,24 @@ bool BinderInterceptor::processInterceptedTransaction(uint64_t tx_id, sp<BBinder
     Parcel pre_req, pre_resp;
     writeTransactionData(pre_req, tx_id, target, code, flags, request);
 
-    if (callback->transact(intercept::kPreTransact, pre_req, &pre_resp) != OK) {
-        LOGW("[TX_ID: %" PRIu64 "] Pre-transaction callback failed. Forwarding original call.", tx_id);
+#ifndef NDEBUG
+    struct timespec ts_start{};
+    clock_gettime(CLOCK_MONOTONIC, &ts_start);
+#endif
+
+    status_t pre_cb_status = callback->transact(intercept::kPreTransact, pre_req, &pre_resp);
+
+#ifndef NDEBUG
+    struct timespec ts_end{};
+    clock_gettime(CLOCK_MONOTONIC, &ts_end);
+    double pre_ms = (ts_end.tv_sec - ts_start.tv_sec) * 1000.0 + (ts_end.tv_nsec - ts_start.tv_nsec) / 1e6;
+    if (pre_ms > 5000.0) {
+        LOGW("[TX_ID: %" PRIu64 "] Pre-callback took %.0fms (code=%u) — possible hang", tx_id, pre_ms, code);
+    }
+#endif
+
+    if (pre_cb_status != OK) {
+        LOGW("[TX_ID: %" PRIu64 "] Pre-transaction callback failed (status=%d). Forwarding original call.", tx_id, pre_cb_status);
         return false; // Callback failed, proceed as if not intercepted
     }
 
@@ -627,8 +677,10 @@ bool BinderInterceptor::processInterceptedTransaction(uint64_t tx_id, sp<BBinder
     if (action == intercept::kActionOverrideData) {
         size_t size = pre_resp.readUint64();
         final_request.appendFrom(&pre_resp, pre_resp.dataPosition(), size);
+    } else if (action == intercept::kActionContinue) {
+        final_request.appendFrom(&request, 0, request.dataSize());
     } else {
-        // Default (kActionContinue): Use original data
+        LOGW("[TX_ID: %" PRIu64 "] Unknown pre-callback action %d (code=%u). Forwarding original data.", tx_id, action, code);
         final_request.appendFrom(&request, 0, request.dataSize());
     }
 
@@ -647,14 +699,18 @@ bool BinderInterceptor::processInterceptedTransaction(uint64_t tx_id, sp<BBinder
         VALIDATE_STATUS(tx_id, post_req.appendFrom(reply, 0, reply_size));
     }
 
-    if (callback->transact(intercept::kPostTransact, post_req, &post_resp) == OK) {
+    status_t post_cb_status = callback->transact(intercept::kPostTransact, post_req, &post_resp);
+    if (post_cb_status == OK) {
         int32_t post_action = post_resp.readInt32();
         if (post_action == intercept::kActionOverrideReply && reply) {
             result = post_resp.readInt32(); // Read new status
             size_t new_size = post_resp.readUint64();
             reply->setDataSize(0); // Clear original reply
             VALIDATE_STATUS(tx_id, reply->appendFrom(&post_resp, post_resp.dataPosition(), new_size));
         }
+    } else {
+        LOGW("[TX_ID: %" PRIu64 "] Post-transaction callback failed (status=%d, code=%u). Using original reply.",
+             tx_id, post_cb_status, code);
     }
 
     return true; // We handled the flow, even if we just forwarded it

app/src/main/java/org/matrix/TEESimulator/App.kt

@@ -40,9 +40,7 @@ object App {
             // Initialize and start the appropriate keystore interceptors.
             initializeInterceptors()
 
-            // Load the package configuration.
             ConfigurationManager.initialize()
-            // Set up the device's boot key and hash, which are crucial for attestation.
             AndroidDeviceUtils.setupBootKeyAndHash()
 
             // Android ships with a stripped-down Bouncy Castle provider under the name "BC".