Upgrade securize for metadata + new no exec xbin

Use /metadata/phh/secure to store securize status
And if securized, remove apk and system/xbin

phh-securize.sh

@@ -33,4 +33,6 @@ rm -Rf $SYSTEM/{app,priv-app}/me.phh.superuser/
 rm -Rf /data/su || true
 mount -o remount,ro $MOUNTPOINT
 sync
+mkdir /metadata/phh
+touch /metadata/phh/secure
 reboot

rw-system.sh

@@ -666,7 +666,7 @@ fi
 
 setprop ctl.stop console
 dmesg -n 1
-if [ -f /system/phh/secure ];then
+if [ -f /system/phh/secure ] || [ -f /metadata/phh/secure ];then
     copyprop() {
         p="$(getprop "$2")"
         if [ "$p" ]; then
@@ -717,6 +717,21 @@ if [ -f /system/phh/secure ];then
 
     resetprop_phh ro.adb.secure 1
     setprop ctl.restart adbd
+
+    # Hide system/xbin/su
+    mount /mnt/phh/empty_dir /system/xbin
+    mount /mnt/phh/empty_dir /system/app/me.phh.superuser
+    mount /system/phh/empty /system/xbin/phh-su
+else
+    mkdir /mnt/phh/xbin
+    chmod 0755 /mnt/phh/xbin
+    chcon u:object_r:system_file:s0 /mnt/phh/xbin
+
+    #phh-su will bind over this empty file to make a real su
+    touch /mnt/phh/xbin/su
+    chcon u:object_r:system_file:s0 /mnt/phh/xbin/su
+
+    mount -o bind /mnt/phh/xbin /system/xbin
 fi
 
 for abi in "" 64;do