One question about AppOps and superuser permissions.
I have browsed the CyanogenMod Lollipop code and seen that the superuser permission is enforced through the AppOpsManager (see system/extras/su/...).
This is very nice and integrates well with the other permissions management.
IMO, one thing is missing, i.e. properly hiding the superuser executable from inspection by apps.
I noticed in the code that the permission to handle some special files is also handled through AppOpsManager.
It would be very useful if all requests to see if the superuser executable (/system/xbin/su or /system/bin/su) is present were filtered in the same way by asking the AppOpsManager if the SUPERUSER permission is allowed for the requesting app.
This (I think) would completely hide from non-allowed apps the presence of rooting.
Unfortunately I am not (yet) good enough with the system code to change it, so it would be nice if some better developer could help make this change.
Or perhaps this change is already available as a gerrit cherry-pick? Then it would be very nice if you could point me to it.