[a-dub]

it still seems kinda weird to me that all it takes to elevate privileges for a user process to "can arbitrarily write system level memory or disk" is just the clearing of all the bits of a single integer in kernel space which can be done by pretty much any execution path in the kernel.

it just seems like there could be a more tamper resistant mechanism around privilege elevations.

[umanwizard]

Yeah, everything in the kernel is trusted and lives in one address space, just like any normal program. This is part of what would be solved by a microkernel architecture.

[worthless-trash]

Can you explain how..

Its my understanding that if "OS process" runs with its own address space with privileges (as it needs to talk to hardware), once an attacker has code execution functionality, what stops them from mapping the memory they need then writing to the address to set uid ?

[a-dub]

that's part of it. and is the basis of the classic tannenbaum v. torvalds debate, but only part of what i mean.

it would be interesting if there were some kind of write protection on the process-privilege data where some effort is made to verify the provenance of updates before they're allowed to go through or maybe even the whole privilege table is centralized and signed.