phhusson / Superuser

Keeping koush's Superuser fresh
GNU General Public License v3.0

su_sensitive domain addition #10

Open lbdroid opened 8 years ago

lbdroid commented 8 years ago

This would be a domain that can only be accessed through inputting of a strong password every time it is requested.

The key difference between su and su_sensitive would be that su_sensitive will have permission to modify kernel security -- set permissive, reload selinux policy, etc.

It is important to keep this permission very highly protected, since it can be used to wreak all kinds of havoc, like modifying the boot image to disable dm-verity, replace the verity metadata and key, and modify the system partition without being immediately obvious.

I will discuss use case in another issue shortly.

phhusson commented 8 years ago

This needs extra thought about implementation; have you got any idea? The only thing I have in mind is allowing su => su_sensitive transition, but that means any app with su can escalate to su_sensitive. We could have (again) a dedicated su_daemon context whose only right is to transition to either su or su_sensitive.
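
The domain layout sketched in this comment, written out as an added SELinux policy example that is not part of the Superuser or super-bootimg sources. The type names `su_daemon`, `su` and `su_sensitive` follow the discussion; the attribute `domain` and the `kernel:security` permissions are standard Android/refpolicy vocabulary, and the idea of guarding the design with `neverallow` rules is an addition here:

```selinux
# Added example (not project code): three domains with one-way transitions.
# 'domain' is the standard attribute carried by every process type.
type su_daemon, domain;
type su, domain;
type su_sensitive, domain;

# The daemon's only privilege is to hand a client off to one of the two
# worker domains. Which one is chosen is the daemon's decision (e.g. after
# a password prompt), not the client's.
allow su_daemon su:process transition;
allow su_daemon su_sensitive:process transition;

# Kernel-security operations (setenforce, policy reload) live only in
# su_sensitive. Ordinary su gets nothing here.
allow su_sensitive kernel:security { setenforce load_policy };

# Build-time guards: checkpolicy refuses the policy if any rule, now or
# later, would let plain su escalate to su_sensitive, or let any domain
# other than su_sensitive touch kernel security state.
neverallow su su_sensitive:process { transition dyntransition };
neverallow { domain -su_sensitive } kernel:security { setenforce load_policy };
```

Because `neverallow` is checked when the policy is compiled, a later change that accidentally grants `su` a path into `su_sensitive` fails the build instead of shipping. On a device with the compiled policy, the same property can be confirmed after the fact with setools, e.g. `sesearch --allow -s su -t su_sensitive -c process -p transition` should return no rules.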

lbdroid commented 8 years ago

su_sensitive needs to be exclusively for manual use by the user, so should only be accessible via adb shell or some mechanism where we can verify that a real human is typing in the commands.

phhusson commented 8 years ago

I switched su daemon to a su_daemon context in https://github.com/phhusson/super-bootimg/commit/c8c86c157bc736a0ba27dce18d9ed4db3d744e44