feat(core): harden VFS injection, crash resilience, and mount fallback

VFS executor now pre-injects directory rules for missing ancestor paths
before leaf file rules, ensuring modules that target non-existent
intermediate directories (e.g., /vendor/lib64/soundfx/) resolve
correctly through both getname_flags and permission hooks.

Module scanner rejects IDs with path traversal characters at the system
boundary. Conflict detection between modules promoted to warn-level
logging for operational visibility.

module.prop writes use atomic tmp+rename to prevent corruption on
OOM kill or watchdog timeout. Panic hook and mount-error handler
surface crash context in the KSU/APatch manager description field.

Overlay executor falls back to magic mount per-module when overlay
fails on all partitions for a given module, preventing one bad module
from taking down all mounts. Reflink (FICLONE) copy added for f2fs
CoW acceleration during overlay staging.

Author: Enginex0

src/main.rs

@@ -41,6 +41,24 @@ fn main() -> Result<()> {
     // the process before any visible work (R08: fixes BUG-L3).
     let cli = Cli::parse();
 
+    std::panic::set_hook(Box::new(|info| {
+        let msg = info
+            .payload()
+            .downcast_ref::<&str>()
+            .copied()
+            .or_else(|| info.payload().downcast_ref::<String>().map(|s| s.as_str()))
+            .unwrap_or("unknown panic");
+
+        let loc = info
+            .location()
+            .map(|l| format!(" ({}:{})", l.file(), l.line()))
+            .unwrap_or_default();
+
+        let desc = format!("❌ Crashed: {msg}{loc}");
+        eprintln!("zeromount panic: {msg}{loc}");
+        let _ = utils::platform::write_description_to_module_prop(&desc);
+    }));
+
     if let Err(e) = utils::process::camouflage() {
         eprintln!("camouflage failed (non-fatal): {e}");
     }
@@ -49,7 +67,9 @@ fn main() -> Result<()> {
     logging::init(cli.verbose, &config.logging)?;
     utils::signal::register_shutdown_handler();
 
-    match cli.command {
+    let is_mount = matches!(cli.command, Commands::Mount);
+
+    let result = match cli.command {
         Commands::Mount => cli::handlers::handle_mount(),
         Commands::Detect => cli::handlers::handle_detect(),
         Commands::Status { json } => cli::handlers::handle_status(json),
@@ -75,5 +95,14 @@ fn main() -> Result<()> {
             println!("zeromount v{}", read_version_from_prop());
             Ok(())
         }
+    };
+
+    if let Err(ref e) = result {
+        if is_mount {
+            let desc = format!("❌ Mount failed: {e:#}");
+            let _ = utils::platform::write_description_to_module_prop(&desc);
+        }
     }
+
+    result
 }

src/modules/rules.rs

@@ -1,7 +1,7 @@
 use std::collections::HashMap;
 use std::path::Path;
 
-use tracing::debug;
+use tracing::warn;
 
 use crate::core::types::{ModuleFileType, ScannedModule};
 
@@ -27,7 +27,7 @@ pub fn detect_conflicts(modules: &[ScannedModule]) -> u32 {
     let mut conflict_count = 0u32;
     for (path, providers) in &file_map {
         if providers.len() > 1 {
-            debug!(
+            warn!(
                 path = %path.display(),
                 modules = %providers.join(", "),
                 "file conflict: multiple modules provide same path"
@@ -37,7 +37,7 @@ pub fn detect_conflicts(modules: &[ScannedModule]) -> u32 {
     }
 
     if conflict_count > 0 {
-        debug!(count = conflict_count, "file conflicts detected");
+        warn!(count = conflict_count, "file conflicts detected");
     }
 
     conflict_count

src/modules/scanner.rs

@@ -50,7 +50,14 @@ pub fn scan_modules(modules_dir: &Path) -> Result<Vec<ScannedModule>> {
                 Some(n) => n,
                 None => return false,
             };
-            !BLACKLISTED_NAMES.contains(&name)
+            if BLACKLISTED_NAMES.contains(&name) {
+                return false;
+            }
+            if name.contains("..") || !name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'.' || b == b'_' || b == b'-') {
+                warn!(id = name, "rejected module with invalid ID");
+                return false;
+            }
+            true
         })
         .filter(|p| is_module_enabled(p) && !has_skip_mount(p) && !has_manual_mounts(p))
         .collect();

src/mount/executor.rs

@@ -87,11 +87,13 @@ fn execute_overlay(
         staged.push((pm, lower_dirs));
     }
 
-    // Phase 2: All staging succeeded — mount overlays.
+    // Phase 2: All staging succeeded -- mount overlays.
     // Lower dirs are partition-level (e.g., .../viperfxmod/system/) but mount points
     // may be subdirectories (e.g., /system/etc). Append the relative suffix so overlay
     // only exposes files belonging to that mount point.
     let mut results = Vec::new();
+    let mut failed_module_ids: std::collections::HashSet<String> = std::collections::HashSet::new();
+    let mut succeeded_module_ids: std::collections::HashSet<String> = std::collections::HashSet::new();
 
     for (pm, lower_dirs) in &staged {
         let adjusted: Vec<PathBuf> = lower_dirs
@@ -119,9 +121,22 @@ fn execute_overlay(
         let decoy_ref = decoy_subdir.as_deref();
 
         let result = match mount_overlay(&lower_refs, target, &mount_id, &storage.overlay_source, decoy_ref) {
-            Ok(r) => r,
+            Ok(r) => {
+                for mid in &pm.contributing_modules {
+                    succeeded_module_ids.insert(mid.clone());
+                }
+                r
+            }
             Err(e) => {
-                warn!(target = %target.display(), error = %e, "overlay mount failed");
+                warn!(
+                    target = %target.display(),
+                    modules = ?pm.contributing_modules,
+                    error = %e,
+                    "overlay mount failed, modules queued for magic mount fallback"
+                );
+                for mid in &pm.contributing_modules {
+                    failed_module_ids.insert(mid.clone());
+                }
                 MountResult {
                     module_id: mount_id.clone(),
                     strategy_used: MountStrategy::Overlay,
@@ -143,10 +158,52 @@ fn execute_overlay(
         decoy::teardown_decoy(d);
     }
 
+    // Phase 3: Fallback to magic mount for modules that failed overlay on every
+    // partition they contributed to. Modules with at least one successful overlay
+    // are excluded to prevent double-mounting.
+    let fallback_ids: Vec<&str> = failed_module_ids
+        .iter()
+        .filter(|id| !succeeded_module_ids.contains(id.as_str()))
+        .map(|id| id.as_str())
+        .collect();
+
+    if !fallback_ids.is_empty() {
+        let fallback_modules: Vec<&ScannedModule> = fallback_ids
+            .iter()
+            .filter_map(|id| module_map.get(id).copied())
+            .collect();
+
+        warn!(
+            count = fallback_modules.len(),
+            modules = ?fallback_ids,
+            "falling back to magic mount for overlay-failed modules"
+        );
+
+        match execute_magic_mount_for(
+            &fallback_modules,
+            capabilities,
+            mount_config,
+        ) {
+            Ok(mut fallback_results) => results.append(&mut fallback_results),
+            Err(e) => {
+                warn!(error = %e, "magic mount fallback failed");
+            }
+        }
+    }
+
     info!(mounts = results.len(), "overlay execution complete");
     Ok(results)
 }
 
+fn execute_magic_mount_for(
+    modules: &[&ScannedModule],
+    capabilities: &CapabilityFlags,
+    mount_config: &MountConfig,
+) -> Result<Vec<MountResult>> {
+    let owned: Vec<ScannedModule> = modules.iter().map(|m| (*m).clone()).collect();
+    execute_magic_mount(&owned, capabilities, mount_config)
+}
+
 fn execute_magic_mount(
     modules: &[ScannedModule],
     capabilities: &CapabilityFlags,
@@ -216,7 +273,7 @@ fn prepare_lower_dir(
                 ensure_parent_dirs_with_context(lower_dir, parent, partition)?;
             }
             if src.exists() {
-                fs::copy(&src, &dst).with_context(|| {
+                crate::utils::fs::copy_file(&src, &dst).with_context(|| {
                     format!("copy {} -> {}", src.display(), dst.display())
                 })?;
                 crate::utils::selinux::copy_selinux_context(&src, &dst);

src/utils/fs.rs

@@ -0,0 +1,27 @@
+use std::fs;
+use std::io;
+use std::os::unix::io::AsRawFd;
+use std::path::Path;
+
+const FICLONE: libc::c_ulong = 0x40049409;
+
+pub fn copy_file(src: &Path, dst: &Path) -> io::Result<u64> {
+    let src_file = fs::File::open(src)?;
+    let dst_file = fs::File::create(dst)?;
+
+    // SAFETY: Both fds are valid open files. FICLONE is a well-defined ioctl
+    // that performs CoW reflink on supporting filesystems (f2fs, btrfs, xfs).
+    // On unsupported filesystems it returns EOPNOTSUPP/EXDEV/EINVAL.
+    let ret = unsafe { libc::ioctl(dst_file.as_raw_fd(), FICLONE, src_file.as_raw_fd()) };
+
+    if ret == 0 {
+        let meta = src_file.metadata()?;
+        let perms = meta.permissions();
+        dst_file.set_permissions(perms)?;
+        return Ok(meta.len());
+    }
+
+    drop(src_file);
+    drop(dst_file);
+    fs::copy(src, dst)
+}

src/utils/mod.rs

@@ -1,4 +1,5 @@
 pub mod command;
+pub mod fs;
 pub mod hash;
 pub mod lock;
 pub mod platform;

src/utils/platform.rs

@@ -167,8 +167,15 @@ pub(crate) fn write_description_to_module_prop(text: &str) -> Result<()> {
         updated.push('\n');
     }
 
-    std::fs::write(&prop_path, &updated)
-        .context("failed to write module.prop for description update")?;
+    let tmp_path = prop_path.with_extension("prop.tmp");
+    std::fs::write(&tmp_path, &updated)
+        .context("failed to write module.prop.tmp for description update")?;
+
+    if let Err(e) = std::fs::rename(&tmp_path, &prop_path) {
+        tracing::warn!("atomic rename failed, trying direct write: {e}");
+        std::fs::write(&prop_path, &updated)
+            .context("failed to write module.prop for description update")?;
+    }
     Ok(())
 }
 

src/vfs/executor.rs

@@ -1,3 +1,4 @@
+use std::collections::HashSet;
 use std::path::{Path, PathBuf};
 
 use anyhow::{Context, Result};
@@ -56,6 +57,56 @@ impl VfsExecutor {
         Ok(results)
     }
 
+    fn ensure_ancestor_dirs(
+        &self,
+        relative: &Path,
+        module: &ScannedModule,
+        injected_dirs: &mut HashSet<PathBuf>,
+        mount_paths: &mut Vec<String>,
+    ) -> (u32, u32) {
+        let mut applied = 0u32;
+        let mut failed = 0u32;
+        let mut missing = Vec::new();
+
+        let mut ancestor = relative.parent();
+        while let Some(rel) = ancestor {
+            if rel.as_os_str().is_empty() {
+                break;
+            }
+            let target = match resolve_target_path(rel) {
+                Some(t) => t,
+                None => break,
+            };
+            if injected_dirs.contains(&target) || target.exists() {
+                break;
+            }
+            missing.push((rel.to_path_buf(), target));
+            ancestor = rel.parent();
+        }
+
+        for (rel, target) in missing.into_iter().rev() {
+            let source = module.path.join(&rel);
+            if !source.exists() {
+                continue;
+            }
+            if let Err(e) = self.driver.add_rule(&target, &source, true) {
+                debug!(
+                    module = %module.id,
+                    target = %target.display(),
+                    error = %e,
+                    "ancestor dir rule failed"
+                );
+                failed += 1;
+                continue;
+            }
+            injected_dirs.insert(target.clone());
+            mount_paths.push(target.display().to_string());
+            applied += 1;
+        }
+
+        (applied, failed)
+    }
+
     fn inject_module_rules(
         &self,
         module: &ScannedModule,
@@ -65,6 +116,7 @@ impl VfsExecutor {
         let mut failed = 0u32;
         let mut mount_paths = Vec::new();
         let mut error = None;
+        let mut injected_dirs = HashSet::new();
 
         for file in &module.files {
             // Whiteouts → hide the original path via SUSFS
@@ -128,10 +180,17 @@ impl VfsExecutor {
                         None => continue,
                     };
                     if target.exists() {
+                        injected_dirs.insert(target);
                         continue;
                     }
+                    let (a, f) = self.ensure_ancestor_dirs(
+                        &file.relative_path, module, &mut injected_dirs, &mut mount_paths,
+                    );
+                    applied += a;
+                    failed += f;
                     match self.driver.add_rule(&target, &source, true) {
                         Ok(()) => {
+                            injected_dirs.insert(target.clone());
                             applied += 1;
                             mount_paths.push(target.display().to_string());
                         }
@@ -153,6 +212,11 @@ impl VfsExecutor {
                 ModuleFileType::OpaqueDir => {
                     let source = module.path.join(&file.relative_path);
                     if let Some(target) = resolve_target_path(&file.relative_path) {
+                        let (a, f) = self.ensure_ancestor_dirs(
+                            &file.relative_path, module, &mut injected_dirs, &mut mount_paths,
+                        );
+                        applied += a;
+                        failed += f;
                         match self.driver.add_rule(&target, &source, true) {
                             Ok(()) => {
                                 applied += 1;
@@ -188,6 +252,12 @@ impl VfsExecutor {
                 }
             };
 
+            let (a, f) = self.ensure_ancestor_dirs(
+                &file.relative_path, module, &mut injected_dirs, &mut mount_paths,
+            );
+            applied += a;
+            failed += f;
+
             match self.driver.add_rule(&target, &source, false) {
                 Ok(()) => {
                     applied += 1;