undefined | Better HN

0 pointspwnna9y ago0 comments

> You literally didn't need to do any of this.

For me personally, this is not the reason for me to build CyanogenMod. I will occasionally modify certain things inside android to suit my needs and there are enough of these things that are not merged upstream that it's more convenient for me to just build my own version every month/week/whenever.

> Also, I'd like to remind you that SEAndroid (i.e., SELinux) doesn't give a fig about "root" so your statements about that are quite wrong.

This is an area i'm not quite informed, so maybe you can elaborate further.

The core issue that I wanted to express is that barely any community ROMs are CTS compliant, which is ultimately what SafetyNet checks.

> You can simply rename your su binaries through the recovery environment to disable them, which neatly disables "root access" and makes the SafetyNet check Niantic is invoking pass with flying colors. Should you need them again, they're only a reboot and couple of mv invocations away.

Doing a bunch of mv's is a hassle (esp over multiple devices) as I rarely ever need root on my phone. The only times when I need it nowadays is host based ad blocking, which I just integrated into my ROM. So this way I can just get rid of root all together, which is one more step towards CTS compliance.

0 comments

3 comments · 2 top-level

xorcist9y ago· 1 in thread

How do you non-root using people backup your phones, without running the backup software as root?

colejohnson669y ago

If you never change any files outside of the ones you own (i.e. the ones owned by "root"), you don't need to back them up, right? For example, if I never touch any of the files under C:\Windows, I have no need to back up that folder (especially the files owned by SYSTEM that you can't access).

evilDagmar9y ago

It's two mv invocations. That falls quite a bit short of "a bunch of mv's". It doesn't exactly qualify as going out of one's way when most of us are already going through recovery (like TWRP) to install the updates.

SEAndroid/SELinux is a mandatory labeling system, which simply doesn't believe in special UIDs at all. It gives us pretty incredible granularity of control over things as well. Deny/grant access any number of users to each and every object and facility of the system, in any combination you like. Just understand that there's a steep and somewhat unforgiving learning curve and the documentation on what labels have been put into play on any given deployment has a strong and nearly universal tendency to suck until you're looking directly at the source code that sets up those rules.

j / k navigate · click thread line to collapse