These two permission is absolutely required:
- CAP_NET_ADMIN is needed for modifying routes.
- CAP_NET_RAW is for modifying iptables.
When the app starts to set up a tunnel, it seems to execute "cat
/sys/module/wireguard/version" to check if wireguard kernel module is
loaded or not. Despite the permission seems okay, without
CAP_DAC_READ_SEARCH it could not read the version number and threw an
error in the application log.
CAP_DAC_OVERRIDE is needed optionally for installing Wireguard command
line tools. It could be turned back off once the binaries have been
copied.
* Following capabilities are removed as not commonly used on Kernel
Managers:
- CAP_SYS_NICE
- CAP_PERFMON
- CAP_SYS_MODULE
- CAP_SYS_RESOURCE
* Added CAP_DAC_OVERRIDE to prevent read/write permission issues
Signed-off-by: Rem01Gaming <Rem01_Gaming@proton.me>
This app requires DAC_OVERRIDE, DAC_READ_SEARCH, SYS_PTRACE, SYS_ADMIN
(for /data/local r/w) and SYS_CHROOT, SETGID (to run chroot and run it's
processes)
Devices with NetHunter installed is already considered compromised due
to lack of security features(like SELinux), therefore users are advised
not to store private data
It's not really worth restricting more capabilities of the app.
Adaway only needs the following permissions to work properly:
DAC_OVERRIDE, SYS_PTRACE.
Note: [systemless hosts kernelsu
module](https://github.com/symbuzzer/systemless-hosts-KernelSU-module)
needs to be installed, to add support.
This PR only addresses the minimal permission requirements of Adaway to
let it modify hosts file.
- The use of CAP_SYS_ADMIN can be avoided in Kernel Manager, but cannot
be avoided in Root Explorer because it's needed for mounting RW/RO.
- Capabilities adjustment
- Fix template typo
---------
Signed-off-by: Rem01Gaming <Rem01_Gaming@proton.me>
