feat: Introduce deep-level advanced sandbox toggles

Author: errorcodeQQ

CSGuard/src/main/kotlin/com/csguard/AllowlistStore.kt

@@ -14,6 +14,12 @@ object AllowlistStore {
     private const val KEY_BLOCKED_PROVIDERS = "blocked_providers"
     private const val KEY_GLOBAL_STRICT = "global_strict"
     private const val KEY_BLOCKED = "blocked_attempts_log"
+    
+    const val KEY_BLOCK_POPUPS = "setting_block_popups"
+    const val KEY_BLOCK_CLIPBOARD = "setting_block_clipboard"
+    const val KEY_BLOCK_BACKGROUND = "setting_block_bg"
+    const val KEY_SANDBOX_PREFS = "setting_sandbox_prefs"
+    const val KEY_WATCHDOG = "setting_watchdog"
     private const val MAX_BLOCKED_LOG = 200
 
     @Volatile private var prefs: SharedPreferences? = null
@@ -61,6 +67,14 @@ fun alwaysAllow(): Set<String> {
         prefs?.edit()?.putBoolean(KEY_GLOBAL_STRICT, strict)?.apply()
     }
 
+    fun isSettingEnabled(key: String, default: Boolean = true): Boolean {
+        return prefs?.getBoolean(key, default) ?: default
+    }
+
+    fun setSettingEnabled(key: String, enabled: Boolean) {
+        prefs?.edit()?.putBoolean(key, enabled)?.apply()
+    }
+
 fun blockedProviders(): Set<String> {
         val raw = prefs?.getString(KEY_BLOCKED_PROVIDERS, "[]") ?: "[]"
         return try {

CSGuard/src/main/kotlin/com/csguard/CSGuardPlugin.kt

@@ -80,7 +80,12 @@ try {
                 blockKnownAdHosts = true,
                 blockAdPaths = true,
                 blockAllUnknown = isStrict,
-                showToast = false
+                showToast = false,
+                blockPopups = AllowlistStore.isSettingEnabled(AllowlistStore.KEY_BLOCK_POPUPS),
+                blockClipboard = AllowlistStore.isSettingEnabled(AllowlistStore.KEY_BLOCK_CLIPBOARD),
+                blockBackgroundTasks = AllowlistStore.isSettingEnabled(AllowlistStore.KEY_BLOCK_BACKGROUND),
+                sandboxPreferences = AllowlistStore.isSettingEnabled(AllowlistStore.KEY_SANDBOX_PREFS),
+                watchdogEnabled = AllowlistStore.isSettingEnabled(AllowlistStore.KEY_WATCHDOG)
             )
             ProviderSanitizer.start(context)
             Log.i(TAG, "✓ Started ProviderSanitizer (policy.blockAllUnknown=$isStrict)")

CSGuard/src/main/kotlin/com/csguard/GuardSettingsDialog.kt

@@ -84,6 +84,26 @@ class GuardSettingsDialog(
             }
         }
 
+        container.addView(TextView(context).apply {
+            text = "Advanced Sandbox Controls"
+            textSize = 18f
+            typeface = Typeface.DEFAULT_BOLD
+            setTextColor(Color.parseColor("#E0E0E0"))
+            setPadding(0, 32, 0, 16)
+        })
+
+        var blockPopups = current.blockPopups
+        var blockClipboard = current.blockClipboard
+        var blockBg = current.blockBackgroundTasks
+        var sandboxPrefs = current.sandboxPreferences
+        var watchdog = current.watchdogEnabled
+
+        container.addView(createRow("Block UI Popups & Toasts", blockPopups) { blockPopups = it })
+        container.addView(createRow("Block Clipboard Access", blockClipboard) { blockClipboard = it })
+        container.addView(createRow("Block Background Services", blockBg) { blockBg = it })
+        container.addView(createRow("Sandbox Plugin Data (Anti-Theft)", sandboxPrefs) { sandboxPrefs = it })
+        container.addView(createRow("Anti-Tamper Watchdog (Reflection)", watchdog) { watchdog = it })
+
         val scroll = ScrollView(context).apply {
             addView(container)
         }
@@ -97,12 +117,22 @@ class GuardSettingsDialog(
                 blockedSet.forEach { AllowlistStore.addBlockedProvider(it) }
 
                 AllowlistStore.setGlobalStrict(isGlobalStrict)
+                AllowlistStore.setSettingEnabled(AllowlistStore.KEY_BLOCK_POPUPS, blockPopups)
+                AllowlistStore.setSettingEnabled(AllowlistStore.KEY_BLOCK_CLIPBOARD, blockClipboard)
+                AllowlistStore.setSettingEnabled(AllowlistStore.KEY_BLOCK_BACKGROUND, blockBg)
+                AllowlistStore.setSettingEnabled(AllowlistStore.KEY_SANDBOX_PREFS, sandboxPrefs)
+                AllowlistStore.setSettingEnabled(AllowlistStore.KEY_WATCHDOG, watchdog)
 
                 val newPolicy = GuardPolicy(
                     blockKnownAdHosts = true,
                     blockAdPaths = true,
                     blockAllUnknown = isGlobalStrict,
-                    showToast = current.showToast
+                    showToast = current.showToast,
+                    blockPopups = blockPopups,
+                    blockClipboard = blockClipboard,
+                    blockBackgroundTasks = blockBg,
+                    sandboxPreferences = sandboxPrefs,
+                    watchdogEnabled = watchdog
                 )
                 onApply(newPolicy)
             }

CSGuard/src/main/kotlin/com/csguard/GuardedContext.kt

@@ -111,8 +111,12 @@ class GuardedContext(
     override fun getSystemService(name: String): Any? {
         when (name) {
             Context.WINDOW_SERVICE,
-            Context.CLIPBOARD_SERVICE,
-            Context.NOTIFICATION_SERVICE,
+            Context.NOTIFICATION_SERVICE -> {
+                if (policy.blockPopups && isCallerBlocked()) return null
+            }
+            Context.CLIPBOARD_SERVICE -> {
+                if (policy.blockClipboard && isCallerBlocked()) return null
+            }
             Context.VIBRATOR_SERVICE,
             Context.LOCATION_SERVICE,
             Context.AUDIO_SERVICE -> {
@@ -123,26 +127,39 @@ class GuardedContext(
     }
 
     override fun sendBroadcast(intent: Intent?) {
-        if (isCallerBlocked()) return
+        if (policy.blockBackgroundTasks && isCallerBlocked()) return
         super.sendBroadcast(intent)
     }
 
     override fun startService(service: Intent?): android.content.ComponentName? {
-        if (isCallerBlocked()) return null
+        if (policy.blockBackgroundTasks && isCallerBlocked()) return null
         return super.startService(service)
     }
 
     override fun bindService(service: Intent, conn: android.content.ServiceConnection, flags: Int): Boolean {
-        if (isCallerBlocked()) return false
+        if (policy.blockBackgroundTasks && isCallerBlocked()) return false
         return super.bindService(service, conn, flags)
     }
+
+    override fun getSharedPreferences(name: String?, mode: Int): android.content.SharedPreferences {
+        if (policy.sandboxPreferences && isCallerBlocked()) {
+            return super.getSharedPreferences("sandbox_$name", mode)
+        }
+        return super.getSharedPreferences(name, mode)
+    }
 }
 
 data class GuardPolicy(
         val blockKnownAdHosts: Boolean = true,
         val blockAdPaths: Boolean = true,
         val blockAllUnknown: Boolean = true,
         val showToast: Boolean = false,
+        
+        val blockPopups: Boolean = true,
+        val blockClipboard: Boolean = true,
+        val blockBackgroundTasks: Boolean = true,
+        val sandboxPreferences: Boolean = true,
+        val watchdogEnabled: Boolean = true
 ) {
     companion object {
                 val DEFAULT get() = STRICT
@@ -152,20 +169,35 @@ data class GuardPolicy(
             blockAdPaths = true,
             blockAllUnknown = false,
             showToast = true,
+            blockPopups = false,
+            blockClipboard = false,
+            blockBackgroundTasks = false,
+            sandboxPreferences = false,
+            watchdogEnabled = false
         )
 
                 val STRICT = GuardPolicy(
             blockKnownAdHosts = true,
             blockAdPaths = true,
             blockAllUnknown = true,
-            showToast = false,    // silent void
+            showToast = false,
+            blockPopups = true,
+            blockClipboard = true,
+            blockBackgroundTasks = true,
+            sandboxPreferences = true,
+            watchdogEnabled = true
         )
 
                 val STRICT_VERBOSE = GuardPolicy(
             blockKnownAdHosts = true,
             blockAdPaths = true,
             blockAllUnknown = true,
             showToast = true,
+            blockPopups = true,
+            blockClipboard = true,
+            blockBackgroundTasks = true,
+            sandboxPreferences = true,
+            watchdogEnabled = true
         )
     }
 

CSGuard/src/main/kotlin/com/csguard/InstrumentationHook.kt

@@ -77,6 +77,17 @@ object InstrumentationHook {
         }
     }
 
+    fun isHookIntact(): Boolean {
+        if (!installed) return false
+        try {
+            val activityThread = currentActivityThread() ?: return false
+            val field = findField(activityThread.javaClass, "mInstrumentation") ?: return false
+            field.isAccessible = true
+            val current = field.get(activityThread)
+            return current is GuardInstrumentation
+        } catch (_: Throwable) { return false }
+    }
+
     private fun currentActivityThread(): Any? {
         return try {
             val cls = Class.forName("android.app.ActivityThread")

CSGuard/src/main/kotlin/com/csguard/ProviderSanitizer.kt

@@ -25,6 +25,11 @@ object ProviderSanitizer {
         override fun run() {
             try {
                 sanitizeAllProviders()
+                
+                if (policy.watchdogEnabled && !InstrumentationHook.isHookIntact()) {
+                    Log.w(TAG, "Watchdog detected unhooked Instrumentation! Re-installing...")
+                    InstrumentationHook.install { policy }
+                }
             } catch (t: Throwable) {
                 Log.e(TAG, "Sanitizer poll failed", t)
             }