jailbreakd granted my process pseudo-superuser privileges access

Hello. I found a problem where my binary runs in pseudo-root mode. All details below: Start with code to get superuser rights:

int main(int argc, char * argv[]) {
    @autoreleasepool {
        patch_setuidandplatformize();
        if (!(setuid(0) == 0 && setgid(0) == 0)) {
            printf("DID NOT SET UID 0");
            exit(0);
        }
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

Where patch_setuidandplatformize is taken from cydo from youknowwhere

void patch_setuidandplatformize() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;

    // Reset errors
    dlerror();

    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t setuidptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");

    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t entitleptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");

    setuidptr(getpid());
    setuid(0);
    const char *dlsym_error = dlerror();
    if (dlsym_error) {
        return;
    }

    entitleptr(getpid(), FLAG_PLATFORMIZE);
}

Then i entitle is with following file, using jtool or ldid2, does not matter:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

Then i find my binary which is being installed by CydiaImpactor, and do:

chown root:wheel executable
chmod 6755 executable.

So, this is how binary looks like in filesystem. suid bits are set, aren't they? -rwsr-sr-x 1 root admin 235872 Dec 3 02:38 ElectraTest

setuid(0) starts working. Or, does it? I do get getuid() == 0

But

I can't use posix_spawn - Operation not permitted status = posix_spawn(&pid, "/usr/bin/stat", NULL, NULL, argv, environ); or status = posix_spawn(&pid, "/bootstrap/usr/bin/stat", NULL, NULL, argv, environ);

I can't write anything to filesystem exact same way Electra does to test remount

int fd = open("/.fileAccess", O_RDWR|O_CREAT);
    if (fd == -1) {
        fd = creat("/.fileAccess", 0644);
    } else {
        printf("File already exists!\n");
    }
    close(fd);
    if (file_exists("/.fileAccess")) {

I can't get kernel task port with hsp4 host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &kern); error is: "(os/kern) invalid argument"

So i can do nothing extra. The only changes are:

dlopen stoped screaming about invalid mmap on libjailbreak.dylib (actually, this is not because of root, but due to injections).
nice zeroes in getpid and getgid.

At least, hsp4 is really working when called inside Electra code after remapping tfp0 in fun.c Also, jailbreakd on launch in main.m is getting hsp4 to start working. So, if i got uid==0 => jailbreakd patched me => it got kernel task port from hsp4?

What's wrong with theese steps? And if this question is to be classified as "This is not about actual Electra code, it's all your's broken arms", just tell me where to find the answers, please -_-.

iOS version: 11.0.3
iDevice model: MG472RU/A iPhone6
electra version: all <= Beta11-3 && 1.0.2

coolstar / electra

jailbreakd granted my process pseudo-superuser privileges access #266

But