Old 11-09-2012, 05:01 PM   #54
twobob
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
Installer "Access SafetyNet"

Question: The installer is a script?

EDIT: No initramfs. Forget that idea.

Spoiler:
What's to prevent creating Ixtab's bundle as a built-in addon?

The first time it runs it installs the recovery stuff (provide known configuration) and also:

Insert a few extra lines at the end of the updater (so it runs every time - whatever).

At the END of the OTA script (before it reboots) it does a few sanity tests:
checks for relevant iptables entries, do we have the bins and upstart still in place?

If not - trigger a post-install refix. Thinking about it, just do a quick (sanity) clean-up and ram the "recovery" .bin back through the installer.

Assumption: the installer script "hacking enhancement mechanism" could be clever enough to check the lines are still in the installer script and add them if not. (conditional patch?)
(also check they are not prepended by a # perhaps)

Generally: be ready to restore it to the last known good configuration if mangled with.

Worst that can happen is that it will fail to provide access if it failed, which is no worse than the situation now. (and maybe some redundant unlinked bins, a borked OTA script and no entry in upstart. I don't see how the very simple upstart addition could go wrong but I am open to correction)

The overhead would be tiny. The result would be bulletproof? No?

I suppose the point is that it would future-proof all future updates against access tampering.

That's my thought anyway. HTH

Last edited by twobob; 11-09-2012 at 09:49 PM. Reason: clearer I hope
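The conditional patch the post describes (check that the extra lines are still in the installer script, that they are not prefixed by a #, and add them back if missing), as an added example that is not part of the original post or of any project's code. The hook line, the layout of the stand-in script and the `reboot` marker are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ensure_hook FILE LINE keeps LINE active in FILE and prints
# what it did: "present", "restored" (was commented out) or "added".
# Assumption: the script's final step is a line that starts with "reboot".
ensure_hook() {
    file=$1
    HOOK=$2; export HOOK    # passed via the environment so awk compares it literally
    # Pass 1: classify the file without modifying it.
    state=$(awk '
        $0 == ENVIRON["HOOK"] { active = 1 }
        { s = $0; sub(/^[ \t]*#+[ \t]*/, "", s)
          if (s == ENVIRON["HOOK"] && s != $0) commented = 1 }
        END { print (active ? "present" : (commented ? "restored" : "added")) }
    ' "$file") || return 1
    if [ "$state" = present ]; then echo present; return 0; fi
    # Pass 2: rewrite into a temp file, then copy back (keeps mode and owner).
    tmp=$(mktemp) || return 1
    awk -v state="$state" '
        { s = $0; sub(/^[ \t]*#+[ \t]*/, "", s) }
        # Commented-out copy: strip the leading "#" once.
        state == "restored" && !done && s == ENVIRON["HOOK"] { print s; done = 1; next }
        # Missing: insert just before the reboot so the hook still runs.
        state == "added" && !done && /^[ \t]*reboot/ { print ENVIRON["HOOK"]; done = 1 }
        { print }
        END { if (!done) print ENVIRON["HOOK"] }   # no reboot line: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$state"
}

# Demo on a constructed stand-in for the updater script.
demo=$(mktemp)
printf '%s\n' '#!/bin/sh' 'install_payload' 'reboot' > "$demo"
hook='sh /path/to/safetynet-check.sh'   # hypothetical sanity-check hook
ensure_hook "$demo" "$hook"             # first run: hook is missing
ensure_hook "$demo" "$hook"             # second run: nothing to change
rm -f "$demo"
```

A line that was altered in any way other than being commented out is treated as missing, so a fresh copy is inserted and the altered line is left in place.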