Profile

Cover photo
Sundararajan Mohan
Attended Bhavan's Rajaji Vidyashram
178 followers|105,937 views
AboutPosts

Stream

Sundararajan Mohan

Shared publicly  - 
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
3
Kaushik Viswanathan's profile photoSundararajan Mohan's profile photo
2 comments
 
Thanks da!

--
Sundar
Add a comment...

Sundararajan Mohan

Shared publicly  - 
 
 
How weird must this feeling be...to be kind of suspended in the middle of a frozen lake with crystal clear water all around you.  I think I'd freak out a bit. #ice   #slovakia  
These two guys were hiking in the High Tatras Mountains, in Slovakia, when they bumped into this frozen lake with crystal clear ice. The water is so transparent that they seem to be floating a few feet above the ground.
9 comments on original post
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
Photographers like Stephen Orlando in Ontario always find a way to bring fresh ideas to the popular photographic sub-genre of light painting. His photos capture the hypnotically repetitive motions of kayakers and canoers as they paddle through the water, turning their movement into beautiful woven braids of light.
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
Those eyes! I just loved those cat eyes. Sinistrous plan running in its head?
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
 
 
I will have to subscribe to this channel.  Thank you +Matthieu Oostveen for sharing this! This guy is absolutely hilarious - and right. :)
6 comments on original post
1
Add a comment...
Have him in circles
178 people
MOHAMMED TAUSIF's profile photo
Ernesto Sengia's profile photo
jayachandran M's profile photo
Sathish lee's profile photo
pruthvey koushik's profile photo
Sandhya Kapoor's profile photo
Sundar Mohan's profile photo
Soundararajan Narayanan's profile photo
Rajesh Kannan's profile photo

Sundararajan Mohan

Shared publicly  - 
 
 
Best advertising for Tesla ever. NSFW (not suitable for wimps)
You should know by now that the Tesla Model S P85D is not messing around when it comes to performance. Thanks to dual motor all-wheel drive, 691 horsepower and a zero to 60 mph time of 3.2 seconds, it's one of the most crushingly fast cars you can get in 2015. It's also great for scaring the shit out of your friends and family!
5 comments on original post
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
 
This is some fantastic shot!
 
Michael Blanchette Photography
Moon over Nubble
Cape Neddick, Maine
1 comment on original post
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
 
 
A Scam Called as Vedic Mathematics. The math we learn today is Indian Mathematics. No need of this crap 'vedic maths' 
1 comment on original post
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
 
 
For this pie chart to be fixed nexus devices being first to updates shouldn't matter. You should care about the greater good of the platform. Its clear that most Nexus devices are running 4.4 but they are many people who were left behind and who are running 2.3- 4.3 who are legit android fans. They dont see what you see with 4.4 or L. They are android fans too. This is why we want OEMs to beat the Nexus when it comes to software updates. We all win. 

Dont be naive read this article posted by facebook below. You then wonder why developers ignore android. The OEMS are the key to Androids happiness.

Facebook says two thirds of Android users connect with devices that have specs from 2011 

https://code.facebook.com/posts/307478339448736/year-class-a-classification-system-for-android/
1
Add a comment...

Sundararajan Mohan

Shared publicly  - 
 
 
On LPX13D, SELinux, and root

As promised, here are some more details about the current situation.

Why it breaks

Google has really put some effort into better securing Android, and we've seen a lot of SELinux related commits to the AOSP tree over the past months. There is some disconnect between the AOSP tree and actual L preview builds, some things from AOSP are not in the L preview build, and vice versa. Ultimately, it's a pretty good bet these things will mostly align, though.

On most devices and firmwares, SuperSU's daemon is started by the install-recovery.sh service script that runs at system boot time, as user root with the init context. This is what the daemon needs to function.

Recently, they've started requiring all started services to run in their own SELinux context, instead of init. Developers and security guys following AOSP have known this was coming; AOSP builds have been logging complaints about this specific service not having its own context for a while now.

Now this script runs as root, but as the install_recovery context, which breaks SuperSU's operation, as it is a very restrictive context.

In the last AOSP build I have tried (a few weeks old), there were a fair number of other holes that we could use to launch the daemon. At first glance(!), it seems those have all been closed. An impressive feat by the guys working on this, if it proves true.

How to fix it

To fix root, all that really had to be done was ensure the daemon's startup script is run at boot as the root user with the init context.

There are multiple ways to do this, but unfortunately for now it seems that it does require a modified kernel package (changing the ramdisk).

In the modified kernel packages I've posted for the Nexus 5 and Nexus 7, the daemon's startup is fixed by commenting out the line in init.rc that forces the install-recovery.sh script to run as the install_recovery context, so now it runs as init again, and all is well.

Repercussions

As stated above, it seems for now that modifications to the kernel package are required to have root, we cannot attain it with only modifications to the system partition.

Combine that with a locked bootloader (and optionally dm-verity) and a device becomes nigh unrootable - exactly as intended by the security guys.

Exploit-based roots are already harder to do thanks to SELinux, and now because of the kernel requirements for persistent root, these exploits will need to be run at every boot. Exploits that make the system unstable (as many do) are thus out as well.

Of course, this is all dependent on OEMs implementing everything exactly right. If a certain OEM doesn't protect one of their services correctly, then we can leverage that to launch the daemon without kernel modifications. While I'm fairly certain this will be the case for a bunch of devices and firmwares, especially the earlier L firmwares, this is not something you should expect or base decisions on. It is now thus more important than ever to buy unlocked devices if you want root.

It might also mean that every firmware update will require re-rooting, and OTA survival mode will be broken. For many (but far from all) devices we can probably automate patching the kernel package right in the SuperSU installer ZIP. We can try to keep it relatively easy, but updating stock firmwares while maintaining root is probably not going to work as easy and fast as it did until now.

Apps need updates

Unsurprisingly, with a new major Android release, apps will need updates. None more so than apps that go beyond the Android API, as root apps do, but even some non-root apps will be affected by the security changes.

As one example, someone posted in the SuperSU thread of a kernel flashing app that didn't work. From the logcat you could see that it was looking for partitions in /dev/block from its normal non-root user and non-init context. That used to be possible, but now it is restricted: normal apps no longer have read access there. 

The solution for that app is actually quite simple: list the /dev/block contents using root instead. But simple solution or not, the app will still need to be updated.

By far most root apps should be updateable for L without too much issue. There are indeed exceptions that will need some special care, but those are rare.

Permissive vs enforcing

The kernel packages I posted for the Nexus 5 and 7 LPX13D  firmware keep SELinux mostly set to enforcing. I say mostly, because SuperSU actually switches a small part of the system to permissive, so apps calling su can do most things without much interference. The details on this are lengthy (yes, your apps will be able to modify policies as well if needed, which should be rare), and I will document these for other developers after L retail release, assuming it will all still work at that time.

Alternatively, you can set the whole system to permissive or otherwise disable SELinux. There are other kernel packages released that indeed do this. The advantage here is that it instantly fixes some apps' issues, as the SELinux based restrictions have all gone the way of the dodo. The disadvantage here is that you've just shut down a major part of the security system of the device.

Some would argue that a device with an unlocked bootloader, root, encrypted modem firmwares of which nobody really knows what they're doing, etc, is inherently insecure, and thus disabling SELinux doesn't make much difference.

I personally disagree with this. While I do agree that these things weaken security down from the ideal level, I would still not disable more security features than I absolutely need to. Just because you cannot eliminate all attack vectors, is no reason to just completely give up on defending against them.

It is of course your own choice if you want to run a permissive system or not. I will strive to keep everything working in enforcing mode though, and I hope other root app developers will do the same - as stated earlier in the post, I believe this is still possible.

(everything in this post is subject to change for retail L release, obviously)
133 comments on original post
1
Add a comment...
People
Have him in circles
178 people
MOHAMMED TAUSIF's profile photo
Ernesto Sengia's profile photo
jayachandran M's profile photo
Sathish lee's profile photo
pruthvey koushik's profile photo
Sandhya Kapoor's profile photo
Sundar Mohan's profile photo
Soundararajan Narayanan's profile photo
Rajesh Kannan's profile photo
Basic Information
Gender
Male
Education
  • Bhavan's Rajaji Vidyashram
    High School, 1998 - 2000
  • University of Madras
    Engineering, 2000 - 2004
Links
Contributor to