It would be great if we had a fine-grained access control mechanism where the user could specify that AccA may write to anything in /sys/class/power\_supply and AdAway may write to /etc/hosts, but neither can access any *other* system files. Apps that use root almost always need a fairly narrow set of elevated privileges.
Android already has everything it needs to support that under the hood with SELinux. A UI for it would allow users full control of their devices with a reduced attack surface area.
KernelSU has something like this called app profiles, where you can set the capabilities that each app gets when it uses su. And if you are an SELinux wizard, you can also set a custom domain for each app, which would give you the fine-grained control you’re looking for. I doubt the average KernelSU user wants to delve into SELinux details, so some tool to automate this would be cool.
Sadly doesn’t look like Magisk supports this.