After researching the adbd part for two days, it seems that adbd already tries to call "echo u > /proc/sysrq-trigger" when adb reboot is issued, but at this point we have already dropped privs to the phablet user ...
/proc/sysrq-trigger is owned by root:system and writable for both. The only solution I see (beyond making /proc/sysrq-trigger owned by phablet or its group, which would rip a giant security hole) is to make adbd start with "setgid system" and have it drop this group membership right before any adb shell call (so that the logged-in phablet user is not a member of system by default).
I'm trying to implement this but am constantly running into smaller issues.
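As an added illustration of the group-dropping step described above (example code written here, not from adbd or this bug report): a helper that strips one supplementary group, such as "system", from the calling process right before it would spawn a shell. It assumes a POSIX system with setgroups(2); the group name and the gid values are placeholders, and the call must happen while the process still holds CAP_SETGID.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_GROUPS 128   /* assumption: enough for a daemon's group list */

/* Pure helper: copy in[] to out[], skipping every entry equal to 'drop'.
 * Returns the number of groups written to out[]. Kept separate so the
 * filtering logic can be tested without privileges. */
int filter_group(const gid_t *in, int n, gid_t drop, gid_t *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (in[i] != drop)
            out[kept++] = in[i];
    }
    return kept;
}

/* Remove 'drop' from the process's supplementary groups.
 * Returns 0 on success (including when the group was not held) and -1
 * with errno set otherwise, e.g. EPERM when called after the uid was
 * already dropped, which is exactly the ordering problem described. */
int drop_supplementary_group(gid_t drop)
{
    gid_t cur[MAX_GROUPS], next[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, cur);
    if (n < 0)
        return -1;                      /* EINVAL if more than MAX_GROUPS */
    int kept = filter_group(cur, n, drop, next);
    if (kept == n)
        return 0;                       /* group not present, nothing to do */
    return setgroups((size_t)kept, next);
}

/* Stand-alone demo: look up the "system" group by name (placeholder name),
 * drop it, then report. A real daemon would exec the shell right after. */
int main(void)
{
    struct group *g = getgrnam("system");
    if (g == NULL) {
        fprintf(stderr, "no such group, nothing to drop\n");
        return 0;
    }
    if (drop_supplementary_group(g->gr_gid) != 0) {
        perror("setgroups");
        return 1;
    }
    printf("dropped supplementary gid %u\n", (unsigned)g->gr_gid);
    return 0;
}
```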