su_sensitive domain addition #10
Comments
This needs extra thought about the implementation; have you got any idea?
su_sensitive needs to be exclusively for manual use by the user, so it should only be accessible via adb shell or some mechanism where we can verify that a real human is typing in the commands.
I switched the su daemon to a su_daemon context in phhusson/super-bootimg@c8c86c1
This would be a domain that can only be accessed through inputting of a strong password every time it is requested.
The key difference between su and su_sensitive would be that su_sensitive will have permission to modify kernel security -- set permissive, reload selinux policy, etc.
It is important to keep this permission very highly protected, since it can be used to wreak all kinds of havoc, like modifying the boot image to disable dm-verity, replace the verity metadata and key, and modify the system partition without being immediately obvious.
I will discuss the use case in another issue shortly.
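As an added illustration of the split described above (this is not code from the super-bootimg project or from the issue author), the following SELinux policy fragment in Android `.te` syntax shows how the two operations the issue reserves for su_sensitive, toggling enforcement and reloading policy, map onto the `kernel:security` object class, and how a `neverallow` rule makes the build fail if any other domain is ever granted them. The type names `su_sensitive` and `su_daemon` come from the issue; the entrypoint label `su_sensitive_exec`, the use of the `domain_auto_trans` macro, and the choice to exempt `init` are assumptions that would have to be matched to the actual base policy.

```selinux
# Added example, not part of super-bootimg. Type names su_sensitive and
# su_daemon follow the issue; su_sensitive_exec is an assumed label for
# the dedicated binary that enters the domain.
type su_sensitive, domain;
type su_sensitive_exec, exec_type, file_type;

# Assumption: the su daemon (the su_daemon context from the linked commit)
# is the only domain allowed to enter su_sensitive, and only through its
# dedicated executable, so a plain su shell cannot reach it by execing
# some other binary.
domain_auto_trans(su_daemon, su_sensitive_exec, su_sensitive)

# The capability the issue reserves for su_sensitive:
#   setenforce  - switch the kernel between enforcing and permissive
#   load_policy - replace the loaded SELinux policy
allow su_sensitive kernel:security { setenforce load_policy };

# Every other domain, including plain su, is denied these two operations.
# neverallow is checked when the policy is compiled, so a later allow rule
# that hands them to another domain breaks the build instead of silently
# widening the attack surface. Keeping init exempt is an assumption about
# the base policy and should be adjusted to match it.
neverallow { domain -init -su_sensitive } kernel:security { setenforce load_policy };
```

The policy only decides which process label may perform the operations; the password prompt and the "real human is typing" check the issue asks for live in the code that decides whether to perform the `su_daemon` to `su_sensitive` transition at all, and the `neverallow` is what keeps that gate from being bypassed by a future policy change.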