undefined | Better HN

0 pointshugo17892mo ago0 comments

That is a critical observation. Last time I had to root an Android device it hat pretty robust defenses like dm-verity and strict SELinux policies (correctly configured) and then everything collapsed because the system loaded a exfat kernel module from an unverified filesystem.

Permitting user-loaded kernel modules effectively invalidates all other security measures.

0 comments

iberator2mo ago

Naive question: does Linux check checksum of loaded modules? If not I could just replace them and voila?

fc417fc8022mo ago

What would it be checking against? There's no central signing authority the way there is with Windows. (I mean I guess a distro could implement that but then how would I load my own custom modules?)

The kernel provides the option to embed a signing key for kernel modules at compile time. But (AFAIK) you'll need to compile your own kernel to go that route.

stackghost2mo ago

I'm quite surprised to learn that Android allows this

surajrmal2mo ago

It doesn't.

j / k navigate · click thread line to collapse