item 46503360

kpcyrd | 1 month ago

The rootkit runs in ring0, at that point all kernel-enforced security controls are potentially compromised. Instead, you need to prevent the kernel module from being loaded in the first place. There are multiple ways to ensure no further kernel modules can be loaded without rebooting the computer, e.g. by having pid=1 drop CAP_SYS_MODULE out of its bounding set before starting any child processes. After it has been loaded it's too late to do anything about the integrity of your system.

hugo1789 | 1 month ago

That is a critical observation. Last time I had to root an Android device it had pretty robust defenses like dm-verity and strict SELinux policies (correctly configured) and then everything collapsed because the system loaded an exfat kernel module from an unverified filesystem.

Permitting user-loaded kernel modules effectively invalidates all other security measures.

iberator | 1 month ago

Naive question: does Linux check the checksum of loaded modules? If not, I could just replace them and voilà?

stackghost | 1 month ago

I'm quite surprised to learn that Android allows this