su_sensitive domain addition #10
Comments
This was referenced Oct 26, 2015
phhusson
added a commit
that referenced
this issue
Nov 1, 2015
|
This needs to take extra thoughts about implementation, have you got any idea? |
|
su_sensitive needs to be exclusively for manual use by the user, so should only be accessible via adb shell or some mechanism where we can verify that a real human is typing in the commands. |
|
I switched su daemon to a su_daemon context in phhusson/super-bootimg@c8c86c1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This would be a domain that can only be accessed through inputting of a strong password every time it is requested.
The key difference between su and su_sensive would be that su_sensitive will have permission to modify kernel security -- set permissive, reload selinux policy, etc.
It is important to keep this permission very highly protected, since it can be used to wreak all kinds of havoc, like modifying the boot image to disable dm-verity, replace the verity metadata and key, and modify the system partition without being immediately obvious.
I will discuss use case in another issue shortly.
The text was updated successfully, but these errors were encountered: