
Priv-app

Open ghost opened this issue 9 years ago • 10 comments

The root usage icon in CyanogenMod still annoyed me, so I installed AFWall as a system app. But it's still using the standard root access instead of system privileges (like Play Store does, for example). Could you guys make a small patch so that it uses system privileges instead of standard su when it's installed as a system app? Or, you might want to use: su, apply rules, exit. So that the icon only appears briefly instead of persistently. As it is now, it does: su, apply rules. And so it's still in su/root mode, causing CyanogenMod to show a # icon ("root is being used", so to say).

Actually, both would be great! An option in settings to install itself as a system/privileged app like F-Droid would be great as well. (Again, make sure not to use the standard root access from that point on.)

Thanks!

ghost avatar Nov 14 '15 18:11 ghost

Continuous root usage is a bad idea too; malicious apps could use memory overflows to gain root access through AFWall. I think it should be really easy to solve. All that needs to be done is to quit root access as soon as it's done applying the rules. In a terminal it would be similar to: sudo su, [do stuff], exit. Not sure how that translates to programming, but it should be easy.

ghost avatar Nov 17 '15 15:11 ghost

AFWall+ works on iptables. The main reason to have a root shell is to make sure the rules are applied dynamically and quickly when there is a change in network (Roaming/VPN/LAN). Otherwise, getting root every time on network change would be a time-consuming operation.

ukanth avatar Nov 19 '15 22:11 ukanth
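
The "su, apply rules, exit" pattern discussed in the comments above, as an added example (not AFWall+'s code and not part of the original thread): the ruleset is built without root and handed to a single short-lived `su` process, so only one root invocation is paid per network change. The chain name `fw-demo` and the UIDs are constructed, and an `su` binary that accepts `-c` is assumed.

```shell
#!/bin/sh
# Added example: build the whole ruleset unprivileged, then pass it to ONE
# root process that exits as soon as the rules are loaded.
# Assumptions: chain name "fw-demo" and all UIDs below are constructed.

CHAIN="fw-demo"

# Emit an iptables-restore payload rejecting traffic owned by the given UIDs.
# Needs no root: it only produces text on stdout.
build_ruleset() {
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$CHAIN"
    for uid in "$@"; do
        # Only plain numeric UIDs may reach the privileged step.
        case "$uid" in
            ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;;
        esac
        printf '%s %s -m owner --uid-owner %s -j REJECT\n' '-A' "$CHAIN" "$uid"
    done
    printf 'COMMIT\n'
}

# Apply the ruleset with a single root invocation; nothing stays in root
# afterwards. --noflush: do not flush the whole filter table first.
# Hooking the chain into OUTPUT is a separate one-time step, not shown here.
apply_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | su -c 'iptables-restore --noflush'
}

# Dry run with constructed UIDs: prints the payload, touches nothing.
build_ruleset 10123 10145
```

On a device, `apply_ruleset 10123 10145` would be called from the network-change handler; the cost ukanth describes is the `su` start-up paid on each such call.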

It's possible to have root access with system-app privileges. So that would solve the problem. So basically, if one installs AFWall as a system app, AFWall should make use of that instead of regular root permissions.

ghost avatar Nov 20 '15 06:11 ghost

What it will solve is the fact that I have this permanent # symbol in my status bar. CyanogenMod shows this to indicate root is being used. But it's rather annoying to have it permanently there because of AFWall.

ghost avatar Nov 20 '15 12:11 ghost

That, or you make AFWall use system privileges when installed as a system app.....

ghost avatar Nov 20 '15 12:11 ghost

I will keep it open, but only if more users want it this way will I prioritize this.

ukanth avatar Nov 20 '15 13:11 ukanth

I would like to know if there's still interest in implementing a "non-root" version of AfWall and with "non-root" I mean as privileged application.

The holy grail would be the possibility of applying the ip-table rules from a privileged level but without having to use root. I think that this could be achieved by lowering the privilege needs for using iptables (which will be dangerous) or by making afwall privileged enough to write iptable rules without the need of being root.

Until now I've been looking for a way of blocking apps' internet access without root and without having to involve a local VPN server as NetGuard does. AfWall seems to be the correct way; however, I would rather use the app as a priv-app (flashing it or something similar) than root the whole phone.

I am not saying that having a rooted phone is more "insecure" than a non-rooted one; however, a rooted phone may be tampered with through tapjacking or vulnerabilities in the root manager.

If there's any misconception please correct me, thanks.

hdmi avatar Aug 21 '17 14:08 hdmi

Referring to the first point: As far as I know, iptables cannot be bypassed by non-privileged users as it relies on a kernel module and a daemon that controls the configuration. So a privileged enough app would be able to write rules for whichever user in the system.

Point 2, I am not familiarised with chroot but couldn’t the script be rerun again (with chroot) after installing a new application?

Point 3, apps with higher privileges than AfWall can still be affected by iptable rules, however they can also bypass themselves by removing the blocking rules or directly accessing the network through root. Nevertheless this should not be a problem as we should consider that our system is safe and no user app can escalate to a higher privileged state.

Point 4, agree.


I was also thinking that a correct implementation of a non-root privileged firewall app could be easily ported and embedded in custom ROMs like Lineage OS or Paranoid Android. This, seriously, would be awesome.

Thanks for the replies and, as always, feel free to point out my misconceptions :)

hdmi avatar Aug 21 '17 19:08 hdmi

Let me add my 2 cents on the priv app issue. My bank app will soon block rooted phones. My main, and perhaps only, reason to have a rooted phone is that I want to block out traffic from apps I don't fully trust. F-Droid already is installed as a priv app. So if a priv app firewall could be possible, I could un-root my phone, having a privacy friendly-ish configuration while still being able to do mobile banking.

zeekoe avatar Apr 08 '20 20:04 zeekoe

There is still interest in this. Thought I would be able to install as a system app to get around having to use root, but it uses root anyway, even in the system dir.

james28909 avatar Feb 22 '24 14:02 james28909