feat(removal): Treat system UIDs as unsafe #770

Open
3 tasks done
Rudxain opened this issue Dec 31, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@Rudxain
Member

Rudxain commented Dec 31, 2024

Describe the feature you want

If any package belongs to any of these special kernel user IDs:

  • 0 = root: 0 packs associated (always?)
  • 1000 = system: multiple packs share this ID
  • 2000 = shell: typically only com.android.shell

Then UADNG should refuse to disable them, as if they were marked as unsafe.

This seems necessary, because the actual pack-IDs that belong to these high-privilege groups can vary across devices, so we can't simply mark them all as expert or unsafe.

How to implement:

Acknowledgements

  • This issue is not a duplicate of an existing feature request.
  • I have chosen an appropriate title.
  • All requested information has been provided properly.
@Rudxain Rudxain added the enhancement New feature or request label Dec 31, 2024
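
One way the check requested above could look, as an added example that is not UADNG's code and was not posted in this thread. It assumes the UIDs are read from `pm list packages -U` output (the issue does not say how they would be obtained); the function names and the sample listing are constructed. It goes slightly beyond the issue by masking Android's per-user UID offset, so a system UID under a secondary user is also caught.

```rust
// Added example: kernel UIDs named in the issue, with their labels.
static PROTECTED: [(u32, &str); 3] = [(0, "root"), (1000, "system"), (2000, "shell")];
// Android multi-user layout: uid = user_id * 100_000 + app_id.
const PER_USER_RANGE: u32 = 100_000;

#[derive(Debug, PartialEq)]
pub enum Removal {
    Allowed,
    Unsafe(&'static str), // refused; carries the privileged UID's name
}

/// Parse one `pm list packages -U` line, e.g. `package:com.android.shell uid:2000`.
/// Returns None for lines without a package name or a numeric UID list.
pub fn parse_line(line: &str) -> Option<(String, Vec<u32>)> {
    let mut fields = line.split_whitespace();
    let pkg = fields.next()?.strip_prefix("package:")?;
    let raw = fields.find_map(|f| f.strip_prefix("uid:"))?;
    let uids: Option<Vec<u32>> = raw.split(',').map(|u| u.parse().ok()).collect();
    Some((pkg.to_string(), uids?))
}

/// Refuse removal if any UID of the package maps to a protected app ID.
pub fn classify(uids: &[u32]) -> Removal {
    for uid in uids {
        let app_id = uid % PER_USER_RANGE; // drop the per-user offset
        if let Some(entry) = PROTECTED.iter().find(|e| e.0 == app_id) {
            return Removal::Unsafe(entry.1);
        }
    }
    Removal::Allowed
}

/// Packages in a listing that must not be disabled, with the reason.
/// Lines that do not parse are skipped here.
pub fn protected_packages(listing: &str) -> Vec<(String, &'static str)> {
    listing.lines().filter_map(parse_line).filter_map(|(pkg, uids)| match classify(&uids) {
        Removal::Unsafe(why) => Some((pkg, why)),
        Removal::Allowed => None,
    }).collect()
}

// Constructed sample listing (not captured from a device).
pub const SAMPLE: &str = "package:com.android.settings uid:1000\n\
package:com.android.shell uid:2000\n\
package:com.example.notes uid:10234\n\
package:com.android.providers.settings uid:1001000\n\
package:com.example.broken\n";

fn main() {
    for (pkg, why) in protected_packages(SAMPLE) {
        println!("refuse to disable {pkg}: runs as {why}");
    }
}
```
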
@schbrns
Contributor

schbrns commented Jan 1, 2025

Further reading:
https://developer.android.com/reference/android/app/AppOpsManager

App-ops can either be controlled for each uid or for each package. Which one is used depends on the API provider maintaining this app-op. For any security or privacy related app-op the provider needs to control the app-op for per uid as all security and privacy is based on uid in Android.

Galaxy S23, Android 14, One UI 6.1.1
I've thoroughly tested with adb and Proton VPN split tunneling:
EVERY uid 1000 app needs to be enabled AND have full internet access to run system updates.

You'll notice this is why apps like RethinkDNS pre-merge the UIDs of apps, e.g. if you modify one UID 1000 app, you modify all of them the same way.

@Rudxain
Member Author

Rudxain commented Jan 1, 2025

> apps like RethinkDNS pre-merge the UIDs

True, NetGuard does it too.

The funny thing is that the built-in system settings app (on every device I tried) doesn't immediately update the perms for an app group; we have to "reload" the list to see the new perms for all apps in a group. Bad UX at its finest

@schbrns
Contributor

schbrns commented Jan 2, 2025

> we have to "reload" the list to see the new perms

Goes for more than just new perms, this happens in many cases in Settings > Apps.

> Bad UX at its finest

Truly.

@Rudxain Rudxain mentioned this issue Jan 4, 2025
4 tasks
@Rudxain
Member Author

Rudxain commented Jan 4, 2025

Found more info. I already added the official doc link to the initial comment
