https://googleprojectzero.blogspot.com/2020/02/mitigations-are-attack-surface-too.html
Unfortunately, it is more difficult to generically lock down the attack surface that is created when vendors modify core kernel functionality.
For example, Samsung's kernel adds extra "protection" to credential structures: struct cred is made read-only with the assistance of hypervisor code (CONFIG_RKP_KDP, "Protection for cred structure"), and transitions to UID 0 are subject to special checks based on the path of the current executable (CONFIG_SEC_RESTRICT_SETUID, "Restrict changing root privilege except allowed process"). But none of these modifications actually prevent an attacker who has sufficient control over the kernel to modify credential structures from reading or modifying user data directly. For example, an attacker could:
In order to directly gain access to resources that are supposed to be inaccessible to the attacker:
- modify file-system-internal data structures to give themselves access to inodes that wouldn't be accessible normally (as demonstrated further down in this blogpost)
- directly read secrets from kernel memory
In order to gain control over processes that have interesting privileges or access to interesting data, such as an email application, a messenger app, the zygote or system_server - since virtually all user data is accessible to at least one userspace context:
- modify userspace code that is present in the page cache through the direct mapping (also known as "physmap" among security folks)
- modify the saved register state of other userspace processes that are stored in the kernel
- modify userspace pointers that are saved in the kernel and will later be used to write to userspace
- modify memory management state such that victim-process-owned pages will become accessible to an attacker process
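To make the first bullet concrete, here is a small constructed model of the kernel's DAC permission check, written for this page and not taken from the blog post, the Linux kernel, or Samsung's code. It mirrors the logic of generic_permission()/acl_permission_check() in fs/namei.c with uids and gids as plain integers and only the primary group consulted; the hypervisor-enforced read-only cred is modelled as a refused write into one address range. The attacker uid (10123), the victim file's owner (uid 1000) and its mode (0600) are made-up sample values. The point it shows is that the check is a function of two inputs, the caller's cred and the inode's metadata, and freezing one input leaves the other as an equally good target for an attacker with a kernel write primitive (the blog post later shows the real-world version of this against a live kernel).

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the Linux DAC check (the logic of acl_permission_check()
 * in fs/namei.c), simplified: integer uids/gids, primary group only.
 * Not the kernel's or Samsung's code. */
#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

struct cred  { uint32_t uid, gid; };                        /* what RKP KDP makes read-only */
struct inode { uint32_t i_uid, i_gid; uint16_t i_mode; };   /* ordinary writable kernel memory */

static int in_group_p(const struct cred *cred, uint32_t gid)
{
    return cred->gid == gid;   /* the real kernel also walks supplementary groups */
}

/* Mirrors generic_permission(): select the owner/group/other mode triplet
 * according to the caller's cred, then require every requested bit. */
static int generic_permission(const struct cred *cred, const struct inode *inode, int mask)
{
    unsigned int mode = inode->i_mode;

    if (cred->uid == inode->i_uid)
        mode >>= 6;
    else if (in_group_p(cred, inode->i_gid))
        mode >>= 3;

    if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
        return 0;
    return -EACCES;
}

/* Model of the hypervisor-protected region: a 32-bit write landing inside
 * [protected_start, protected_end) is refused; everything else succeeds. */
static uintptr_t protected_start, protected_end;

static int kernel_write32(void *dst, uint32_t val)
{
    uintptr_t p = (uintptr_t)dst;
    if (p >= protected_start && p < protected_end)
        return -EPERM;           /* the hypervisor would fault this write */
    memcpy(dst, &val, sizeof val);
    return 0;
}

struct demo_result {
    int cred_write_blocked;  /* 1 if the attempt to zero cred->uid was refused */
    int before;              /* permission result before touching the inode */
    int after;               /* permission result after rewriting inode->i_uid */
};

/* Scenario: an attacker with a kernel write primitive, running as an untrusted
 * app uid, wants read/write on a file owned by uid 1000 with mode 0600.
 * The cred is protected; the inode's owner field is not. */
struct demo_result run_demo(void)
{
    struct cred attacker = { .uid = 10123, .gid = 10123 };                  /* constructed */
    struct inode victim  = { .i_uid = 1000, .i_gid = 1000, .i_mode = 0600 }; /* constructed */
    struct demo_result r;

    protected_start = (uintptr_t)&attacker;
    protected_end   = protected_start + sizeof attacker;

    /* Step 1: the straightforward rooting approach, overwriting cred->uid, is refused. */
    r.cred_write_blocked = kernel_write32(&attacker.uid, 0) != 0;
    r.before = generic_permission(&attacker, &victim, MAY_READ | MAY_WRITE);

    /* Step 2: leave cred alone and make the inode claim the attacker as its owner. */
    kernel_write32(&victim.i_uid, attacker.uid);
    r.after = generic_permission(&attacker, &victim, MAY_READ | MAY_WRITE);

    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("cred write blocked:         %d\n", r.cred_write_blocked);
    printf("access before inode tamper: %d (-EACCES is %d)\n", r.before, -EACCES);
    printf("access after inode tamper:  %d\n", r.after);
    return 0;
}
```

In this model, rewriting i_mode to 0666 or i_gid to the attacker's gid works just as well as rewriting i_uid, and none of them touch the protected structure. The same reasoning carries over to the other bullets above: every check the kernel performs on behalf of a privileged process consumes state that lives in ordinary kernel memory, and a write primitive that cannot reach struct cred can still reach that state.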
Of course, this is a non-exhaustive list. In other words, Samsung's protection mechanisms won't provide meaningful protection against malicious attackers trying to hack your phone; they only block straightforward rooting tools that haven't been customized for Samsung phones. My opinion is that such modifications are not worth the cost because:
- They make it more difficult to rebase onto a new upstream kernel, which should be happening more often than it currently does
- They add additional attack surface