feat: Add extreme sandbox to aggressively neuter blocked plugins

errorcodeQQ · errorcodeQQ · commit 405aea7dd36a · 2026-06-21T21:24:52.000+05:30
diff --git a/CSGuard/src/main/kotlin/com/csguard/CSGuardPlugin.kt b/CSGuard/src/main/kotlin/com/csguard/CSGuardPlugin.kt
@@ -113,15 +113,15 @@ try {
     private fun sanitizeVideoClickActions() {
         val actions = VideoClickActionHolder.allVideoClickActions
         val maliciousActionClasses = setOf(
-            "com.cncverse.browser.BrowserAdAction",
+            "com.MaliciousPlugin.browser.BrowserAdAction",
             "com.ad.RedirectAction",
         )
         var removed = 0
         val toRemove = mutableListOf<VideoClickAction>()
         for (action in actions.toList()) {
             val srcPlugin = try { action.sourcePlugin ?: "" } catch (_: Throwable) { "" }
             val className = action::class.java.name
-            if (srcPlugin.contains("CNCVerse", ignoreCase = true) ||
+            if (srcPlugin.contains("MaliciousPlugin", ignoreCase = true) ||
                 srcPlugin.contains("AdNetwork", ignoreCase = true) ||
                 className in maliciousActionClasses
             ) {
diff --git a/CSGuard/src/main/kotlin/com/csguard/GuardedContext.kt b/CSGuard/src/main/kotlin/com/csguard/GuardedContext.kt
@@ -69,6 +69,38 @@ class GuardedContext(
 
     private fun shortUrl(url: String): String =
         if (url.length > 80) url.take(77) + "..." else url
+
+    private val isStrictlyBlocked: Boolean
+        get() = providerName != null && (policy.blockAllUnknown || AllowlistStore.blockedProviders().contains(providerName))
+
+    override fun getSystemService(name: String): Any? {
+        if (isStrictlyBlocked) {
+            when (name) {
+                Context.WINDOW_SERVICE,
+                Context.CLIPBOARD_SERVICE,
+                Context.NOTIFICATION_SERVICE,
+                Context.VIBRATOR_SERVICE,
+                Context.LOCATION_SERVICE,
+                Context.AUDIO_SERVICE -> return null
+            }
+        }
+        return super.getSystemService(name)
+    }
+
+    override fun sendBroadcast(intent: Intent?) {
+        if (isStrictlyBlocked) return
+        super.sendBroadcast(intent)
+    }
+
+    override fun startService(service: Intent?): android.content.ComponentName? {
+        if (isStrictlyBlocked) return null
+        return super.startService(service)
+    }
+
+    override fun bindService(service: Intent, conn: android.content.ServiceConnection, flags: Int): Boolean {
+        if (isStrictlyBlocked) return false
+        return super.bindService(service, conn, flags)
+    }
 }
 
 data class GuardPolicy(
