by umanwizard 909 days ago
Yeah, everything in the kernel is trusted and lives in one address space, just like any normal program. This is part of what would be solved by a microkernel architecture.
2 comments

Can you explain how...

It's my understanding that if an "OS process" runs with its own address space with privileges (as it needs to talk to hardware), once an attacker has code execution functionality, what stops them from mapping the memory they need and then writing to the address to set uid?

That's part of it, and is the basis of the classic Tanenbaum v. Torvalds debate, but only part of what I mean.

It would be interesting if there were some kind of write protection on the process-privilege data, where some effort is made to verify the provenance of updates before they're allowed to go through, or maybe even the whole privilege table is centralized and signed.
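
An added illustration of the idea in the last comment, not part of the thread and not any kernel's actual mechanism: a user-space Python model of a centralized credential table whose rows carry an integrity tag (an HMAC stands in for "signed"), with updates allowed only through a path that checks the caller's own verified credentials. The class and method names, the sample pids and uids, and the assumption that the key sits where a memory-write primitive cannot reach are all hypothetical.

```python
import hmac
import os
import struct

class TamperedEntry(Exception):
    """Raised when a row's tag does not match its contents."""

class PrivilegeTable:
    def __init__(self):
        # Assumption: the key is held by a monitor that a raw write cannot reach.
        self._key = os.urandom(32)
        self.rows = {}  # pid -> (uid, gid, tag); stands in for writable kernel memory

    def _tag(self, pid, uid, gid):
        msg = struct.pack("<III", pid, uid, gid)
        return hmac.digest(self._key, msg, "sha256")

    def store(self, pid, uid, gid):
        self.rows[pid] = (uid, gid, self._tag(pid, uid, gid))

    def get_creds(self, pid):
        uid, gid, tag = self.rows[pid]
        if not hmac.compare_digest(tag, self._tag(pid, uid, gid)):
            raise TamperedEntry(f"pid {pid}: credential tag mismatch")
        return uid, gid

    def set_uid(self, caller_pid, target_pid, new_uid):
        # Provenance check: the caller's own verified credentials must be root.
        caller_uid, _ = self.get_creds(caller_pid)
        if caller_uid != 0:
            raise PermissionError("only uid 0 may change credentials")
        _, gid = self.get_creds(target_pid)
        self.store(target_pid, new_uid, gid)

def demo():
    table = PrivilegeTable()
    table.store(1, 0, 0)            # constructed sample: init running as root
    table.store(4242, 1000, 1000)   # constructed sample: unprivileged process
    table.set_uid(1, 4242, 1001)    # legitimate update through the checked path
    ok = table.get_creds(4242)
    # Model of a raw memory write: the uid field changes, the tag does not.
    _, gid, tag = table.rows[4242]
    table.rows[4242] = (0, gid, tag)
    try:
        table.get_creds(4242)
        detected = False
    except TamperedEntry:
        detected = True
    return ok, detected
```

Because the tag binds the pid, copying another process's row into place is also rejected; replaying an older valid row for the same pid is not, unless a version counter is added to the tagged fields.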