lingyicute

  • a day ago
  • Joined 4 days ago

  • A high school student passionate about open-source. My English may not be entirely fluent, so I sometimes rely on AI translations when posting – please bear with me! (◍•ᴗ•◍)

  • In Seeking Clarification on Potential Security Compromise of KernelSU

    Watermelon Have you tried the "Clear cache" button in the app list in the Settings app?

    The "Clear cache" button doesn't work at all because the companies designing those apps never considered user experience in the first place.

    Watermelon GrapheneOS wouldn't provide security features like sandboxing and verified boot just to supply another feature that bypasses them, even if only partially.

    This has always confused me. Security features like sandboxing and verified boot are clearly meant to defend against malware/attacks, not restrict users. Yet the current implementation feels confused - for instance, AOSP has never granted users access to app-private storage by default, which should morality belong to the device owner. However, This could easily be implemented safely using existing patterns. As I understand it, newer Android versions block apps with storage permissions from accessing the external "Android" folder, yet allow user access it through DocumentUI. The same logic could extend to app-private storage: grant DocumentUI access and let users manage app-private storage through that framework.

    While AOSP's stance is understandable (aligning with Google's philosophy of "aggressively defensive security" towards the end consumer - much like how ChromiumOS, built on Linux, strips users of the freedom to natively execute binaries — however this actually forcing them to rely on tools like chromebrew, which function similarly to Android rootkits in unavoidably expanding the attack surface.), I've always hoped custom ROMs might implement this (although I've never mentioned this idea of mine to anyone until today (◍•ᴗ•◍) ). However, on second thought, they may lack motivation since their users usually root the device anyway. But GrapheneOS users can't have both root and security. Why doesn't GrapheneOS officially implement such user freedom-enhancing features? An official implementation could actually preserve the OS's security achievements while empowering users.

    Watermelon more restrictive APIs could still bring you more functionality because they could give you more control, restricting apps from behaving badly/uncleanly

    Unfortunately, API changes will never include "restricting apps from dumping junk files in private storage."

    Watermelon VPN on hotspot users is something I've heard the project officials saying they won't implement because it breaks the isolation between your device's traffic and the hotspot users' traffic. Can't you just use a VPN on the client devices?

    Ahahaha, I get it. I use hotspot with VPN because I like to collect old Android devices, like Samsung Note 4, and do some research. And running a VPN program on them takes up too much performance.

    (On a side note) Maybe the only solution is to find and set a secondary device with LineageOS + KernelSU for running unscrupulous apps or VPN Hotspot?

            • In Seeking Clarification on Potential Security Compromise of KernelSU

              Watermelon I see. I understand these reduce security, but I’m conflicted about the extent to which it does so and whether the trade-off is worth the risk. By the way, when I try to bypass sandbox restrictions—for example, accessing an app’s private data directory—should this be categorized as "my file manager (e.g., Material Files) bypassing the sandbox"? If such a file manager has been thoroughly audited, could it be considered free of security risks? (Of course, KernelSU itself might pose security risks. However, the kernel technologies it employs, such as namespaces, have existed for years and stood the test of time. The likelihood of inherent security flaws seems low in my opinion.)

                • In Seeking Clarification on Potential Security Compromise of KernelSU

                  Watermelon you'd still not have verified boot as it's fundamentally incompatible with having root access.

                  KernelSU’s design ensures that it does not modify system files but instead injects its kernel module into the boot image. Theoretically, this approach should not interfere with Verified Boot mechanisms, as Verified Boot can still validate the integrity of the boot chain against the originally signed state. Common security concerns typically arise from modifications to the system partition or OS binaries, which would violate Verified Boot’s guarantees. KernelSU sidesteps such issues by dynamically loading its module at runtime, avoiding persistent changes to critical partitions. Thus, it should technically coexist with Verified Boot.

                  That said, strict security philosophies prioritizing "untouched" systems might argue that even adding a kernel module deviates from the "clean" state endorsed by OEMs, potentially introducing attack surface. However, from an engineering perspective, KernelSU’s implementation may minimizes risk compared to traditional root methods that alter system partitions.

                    • In Seeking Clarification on Potential Security Compromise of KernelSU

                      Watermelon Hi~
                      Traditional root implementations indeed grant apps unrestricted capabilities, which is why many security-focused systems, like GrapheneOS, strongly discourage root. However, KernelSU offers a different approach with its app profile functionality.

                      With app profiles, KernelSU allows for granular permission management. Each app granted root privileges can have its access tightly controlled through predefined profiles, effectively limiting its actions to those explicitly allowed. This means that, rather than giving an app complete, unrestricted control, KernelSU provides a way to confine root privileges to well-defined boundaries.

                      While I understand the concerns about root inherently undermining security, I believe that KernelSU’s design mitigates these risks by enforcing strict scoping policies. This approach does not entirely align with the traditional “root equals absolute control” notion, and I find that to be an important distinction. Of course, this remains a debated topic in security circles, but I feel it is a meaningful step toward balancing flexibility and security.

                        • In Seeking Clarification on Potential Security Compromise of KernelSU

                          Respected GrapheneOS maintainers,

                          Greetings! I have been a long-time LineageOS user, relying on KernelSU for root access. Recently, I have been deeply impressed by GrapheneOS's philosophy toward security and privacy. However, I find myself conflicted, as my workflow currently depends on root privileges. Allow me to briefly explain my use case:

                          1.Managing Low-Quality Apps: Many apps developed by local software companies here are notoriously poorly engineered. They generate excessive amounts of useless files (cache, logs, residual data) within their private directories, often with no user-accessible cleanup mechanisms. To mitigate this, I routinely use open-source tools like Material Files to manually inspect and delete these files — a process requiring root access to bypass app sandboxing.
                          2.Other Tools: Certain tools I rely on, such as VPN Hotspot, require root access to function properly.

                          I have carefully read your explanations (e.g., the December 9, 2022 posts) about how root access fundamentally undermines the OS security model. Your arguments are both clear and compelling. That said, I wish to seek clarification regarding KernelSU, a newer root implementation that claims to address some of Magisk’s shortcomings. To my understanding:

                          KernelSU operates at the kernel level without spawning privileged userland daemons (unlike Magisk).
                          It enforces strict scoping: Its "app profiles" feature allows granular restriction of granted privileges, and apps receive only the permissions explicitly granted via its "app profiles". This eliminates the risk of unsafe or vulnerable apps making broader changes to the system. Also, It avoids modifying userland/system app behavior unless explicitly specified.

                          While I fully acknowledge that such modifications would forfeit community support (and I have no intention of burdening the team with related issues), I wish to respectfully ask: From a purely technical security/privacy perspective, does KernelSU’s design meaningfully mitigate the risks described in your earlier critiques?

                          Additionally, if you are willing to address them, I have two technical questions:

                          AVB & Boot Flow: If I install KernelSU via its default method (injecting an LKM into the ramdisk) and sign the OS with my own keys using tools like avbroot, would GrapheneOS boot successfully? If so, could I enroll my custom key into the device and relock the bootloader?
                          Custom Builds: If the above is infeasible, would compiling a custom GrapheneOS build be necessary? Beyond merging KernelSU’s kernel patches, are there additional steps required to ensure compatibility?

                          I sincerely appreciate your time and expertise in considering this inquiry. The transparency and rigor of your project continue to inspire admiration. I look forward to your guidance on these matters.

                          Best regards,
                          lingyicute