KernelSU

KernelSU is going to develop a feature called the "App Profile", which consists of three parts:

1. Root Authorization: granting specified applications access to root permissions
2. Blacklist and Whitelist: providing a list of modules to mount or hide
3. Root Profile

The Root Profile can be used to restrict applications that already have root privileges.

Root permissions can actually be divided into several aspects:

- UID and GID
- Groups
- Capabilities
- SELINUX

In all previous root implementations, permissions in these aspects have been unlimited. This means that a firewall app could format your phone and delete all data, even though it only needed network management privileges; a file manager app could implant viruses, load kernel modules, and hide itself, even though it only needed full file access permissions. There are many similar examples. Imagine hiring a cleaner to tidy up your house, only for them to open your safe and transfer all your possessions away. In fact, most root apps only need a very small subset of root permissions. Why should we grant them unrestricted root privileges?

The Root Profile aims to solve this problem by granting applications restricted root permissions based on appropriate identification, groups, capabilities, and a series of SELinux rules. You can customize the rules yourself or use rules created by others. Of course, if you want to use unrestricted root permissions, there is no problem.

This feature is still in development, and we welcome any feedback and suggestions!

Credits to @nu11ptr @Ylarod for the ideas!

www.group-telegram.com/in/KernelSU.com/44

95.6K viewsMay 16, 2023 at 08:22

KernelSU is going to develop a feature called the "App Profile", which consists of three parts:

1. Root Authorization: granting specified applications access to root permissions
2. Blacklist and Whitelist: providing a list of modules to mount or hide
3. Root Profile

The Root Profile can be used to restrict applications that already have root privileges.

Root permissions can actually be divided into several aspects:

- UID and GID
- Groups
- Capabilities
- SELINUX

In all previous root implementations, permissions in these aspects have been unlimited. This means that a firewall app could format your phone and delete all data, even though it only needed network management privileges; a file manager app could implant viruses, load kernel modules, and hide itself, even though it only needed full file access permissions. There are many similar examples. Imagine hiring a cleaner to tidy up your house, only for them to open your safe and transfer all your possessions away. In fact, most root apps only need a very small subset of root permissions. Why should we grant them unrestricted root privileges?

The Root Profile aims to solve this problem by granting applications restricted root permissions based on appropriate identification, groups, capabilities, and a series of SELinux rules. You can customize the rules yourself or use rules created by others. Of course, if you want to use unrestricted root permissions, there is no problem.

This feature is still in development, and we welcome any feedback and suggestions!

Credits to @nu11ptr @Ylarod for the ideas!

BY KernelSU