jailbreakd granted my process pseudo-superuser privileges access #266

Donny1995 opened this issue Dec 3, 2018 · 1 comment

Hello. I found a problem where my binary runs in pseudo-root mode. All details below:
Start with code to get superuser rights:

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void patch_setuidandplatformize(void);

int main(int argc, char * argv[]) {
    @autoreleasepool {
        patch_setuidandplatformize();
        // Both calls must succeed, otherwise bail out before the UI starts
        if (!(setuid(0) == 0 && setgid(0) == 0)) {
            printf("DID NOT SET UID 0\n");
            exit(0);
        }
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

Where patch_setuidandplatformize is taken from cydo from youknowwhere

#include <dlfcn.h>
#include <stdint.h>
#include <sys/types.h>
#include <unistd.h>

// FLAG_PLATFORMIZE is defined in libjailbreak's own header

void patch_setuidandplatformize() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;

    // Reset errors
    dlerror();

    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t setuidptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");

    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t entitleptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");

    // Check the lookups before calling through the pointers: dlsym returns NULL
    // (and dlerror() a message) when a symbol is missing
    const char *dlsym_error = dlerror();
    if (dlsym_error || !setuidptr || !entitleptr) {
        return;
    }

    setuidptr(getpid());
    setuid(0);

    entitleptr(getpid(), FLAG_PLATFORMIZE);
}

Then I entitle it with the following file, using jtool or ldid2, it does not matter:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>platform-application</key>
	<true/>
	<key>com.apple.private.security.no-container</key>
	<true/>
	<key>com.apple.private.skip-library-validation</key>
	<true/>
	<key>get-task-allow</key>
	<true/>
	<key>task_for_pid-allow</key>
	<true/>
</dict>
</plist>

Then I find my binary, which is installed by CydiaImpactor, and do:

  • chown root:wheel executable
  • chmod 6755 executable.

So, this is how the binary looks in the filesystem. The suid bits are set, aren't they?
-rwsr-sr-x 1 root admin 235872 Dec 3 02:38 ElectraTest

setuid(0) starts working.
Or, does it? I do get getuid() == 0

But

I can't use posix_spawn - Operation not permitted
status = posix_spawn(&pid, "/usr/bin/stat", NULL, NULL, argv, environ);
or
status = posix_spawn(&pid, "/bootstrap/usr/bin/stat", NULL, NULL, argv, environ);

I can't write anything to filesystem exact same way Electra does to test remount

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
static int file_exists(const char *path) { return access(path, F_OK) == 0; }
int fd = open("/.fileAccess", O_RDWR|O_CREAT, 0644); // O_CREAT requires a mode argument
if (fd == -1) {
    fd = creat("/.fileAccess", 0644);
} else {
    printf("File already exists!\n");
}
close(fd);
if (file_exists("/.fileAccess")) {
    printf("/.fileAccess is present\n");
}

I can't get kernel task port with hsp4
host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &kern);
error is: "(os/kern) invalid argument"

So I can do nothing extra. The only changes are:

  • dlopen stopped screaming about invalid mmap on libjailbreak.dylib (actually, this is not because of root, but due to injections).
  • nice zeroes in getpid and getgid.

At least, hsp4 is really working when called inside Electra code after remapping tfp0 in fun.c
Also, jailbreakd on launch in main.m is getting hsp4 to start working.
So, if I got uid==0 => jailbreakd patched me => it got the kernel task port from hsp4?

What's wrong with these steps?
And if this question is to be classified as "This is not about actual Electra code, it's all your broken arms", just tell me where to find the answers, please -_-.

  • iOS version: 11.0.3
  • iDevice model: MG472RU/A iPhone6
  • electra version: all <= Beta11-3 && 1.0.2
Donny1995 commented Dec 3, 2018

Updated main.m to set euid and ruid in main, but still the same effect

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#include <stdio.h>
#include <unistd.h>

void patch_setuidandplatformize(void);

int main(int argc, char * argv[]) {
    @autoreleasepool {
        patch_setuidandplatformize();
        if (!(setuid(0) == 0 && setgid(0) == 0)) { // uids
            printf("DID NOT SET UIDS\n");
        }
        if (!(seteuid(0) == 0 && setegid(0) == 0)) { // effective uids
            printf("DID NOT SET Effective UIDS\n");
        }
        // real uids; there are no getruid/getrgid functions to check them, but set them too
        if (!(setruid(0) == 0 && setrgid(0) == 0)) {
            printf("DID NOT SET Real UIDS\n");
        }

        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

And also tried:

  • move ElectraTest.app to /Applications
  • chmod + chown
  • delete ElectraTest original folder
  • kill backboardd to make Springboard show new app available for launch

But still, same situation (
