This will have to do it for now... (arm64 CS_VALID issues)

BaseBin/launchdhook/src/jbserver/jbdomain_systemwide.c

@@ -232,6 +232,19 @@ static int systemwide_fork_fix(audit_token_t *parentToken, uint64_t childPid)
 	return 0;
 }
 
+static int systemwide_cs_revalidate(audit_token_t *callerToken)
+{
+	uint64_t callerPid = audit_token_to_pid(*callerToken);
+	if (callerPid > 0) {
+		uint64_t callerProc = proc_find(callerPid);
+		if (callerProc) {
+			proc_csflags_set(callerProc, CS_VALID);
+			return 0;
+		}
+	}
+	return -1;
+}
+
 struct jbserver_domain gSystemwideDomain = {
 	.permissionHandler = systemwide_domain_allowed,
 	.actions = {
@@ -289,6 +302,14 @@ struct jbserver_domain gSystemwideDomain = {
 				{ 0 },
 			},
 		},
+		// JBS_SYSTEMWIDE_CS_REVALIDATE
+		{
+			.handler = systemwide_cs_revalidate,
+			.args = (jbserver_arg[]) {
+				{ .name = "caller-token", .type = JBS_TYPE_CALLER_TOKEN, .out = false },
+				{ 0 },
+			},
+		},
 		{ 0 },
 	},
 };

BaseBin/libjailbreak/src/jbclient_xpc.c

@@ -262,6 +262,17 @@ int jbclient_fork_fix(uint64_t childPid)
 	return -1;
 }
 
+int jbclient_cs_revalidate(void)
+{
+	xpc_object_t xreply = jbserver_xpc_send(JBS_DOMAIN_SYSTEMWIDE, JBS_SYSTEMWIDE_CS_REVALIDATE, NULL);
+	if (xreply) {
+		int result = xpc_dictionary_get_int64(xreply, "result");
+		xpc_release(xreply);
+		return result;
+	}
+	return -1;
+}
+
 int jbclient_platform_set_process_debugged(uint64_t pid)
 {
 	xpc_object_t xargs = xpc_dictionary_create_empty();

BaseBin/libjailbreak/src/jbclient_xpc.h

@@ -15,6 +15,7 @@ int jbclient_trust_binary(const char *binaryPath);
 int jbclient_trust_library(const char *libraryPath, void *addressInCaller);
 int jbclient_process_checkin(char **rootPathOut, char **bootUUIDOut, char **sandboxExtensionsOut);
 int jbclient_fork_fix(uint64_t childPid);
+int jbclient_cs_revalidate(void);
 int jbclient_platform_set_process_debugged(uint64_t pid);
 int jbclient_platform_stage_jailbreak_update(const char *updateTar);
 int jbclient_watchdog_intercept_userspace_panic(const char *panicMessage);

BaseBin/libjailbreak/src/jbserver.h

@@ -51,6 +51,7 @@ enum {
     JBS_SYSTEMWIDE_TRUST_LIBRARY,
     JBS_SYSTEMWIDE_PROCESS_CHECKIN,
     JBS_SYSTEMWIDE_FORK_FIX,
+    JBS_SYSTEMWIDE_CS_REVALIDATE,
     // JBS_SYSTEMWIDE_LOCK_PAGE,
 };
 

BaseBin/systemhook/src/common.c

@@ -229,10 +229,6 @@ kBinaryConfig configForBinary(const char* path, char *const argv[restrict])
 		"/System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd",
 		"/System/Library/PrivateFrameworks/IDSBlastDoorSupport.framework/XPCServices/IDSBlastDoorService.xpc/IDSBlastDoorService",
 		"/System/Library/PrivateFrameworks/MessagesBlastDoorSupport.framework/XPCServices/MessagesBlastDoorService.xpc/MessagesBlastDoorService",
-#ifndef __arm64e__
-		// Hooking anything in nesessionmanager on arm64 removes CS_VALID and breaks VPN functionality because the kernel checks for that
-		"/usr/libexec/nesessionmanager",
-#endif
 	};
 	size_t blacklistCount = sizeof(processBlacklist) / sizeof(processBlacklist[0]);
 	for (size_t i = 0; i < blacklistCount; i++)

BaseBin/systemhook/src/main.c

@@ -421,6 +421,14 @@ __attribute__((constructor)) static void initializer(void)
 				if (tweakLoaderHandle != NULL) {
 					dlclose(tweakLoaderHandle);
 					dopamine_fix_NSTask();
+
+#ifndef __arm64e__
+					// Feeable attempt at adding back CS_VALID
+					// If any hooks are applied after this, it is lost again
+					// Temporary workaround until a better solution for this problem is found
+					// This + the csops hook should resolve all cases unless a tweak does something really stupid
+					jbclient_cs_revalidate();
+#endif
 				}
 			}
 		}