selinux@xxxxxxxxxxxxx to bcc
Hi Ravi,
The intent is not to restrict which processes may load modules, but to place restrictions on the origin of the module itself. Modules, like the kernel, should live on a verity protected partition.
If you want system apps to load a kernel module from the system partition you just need to add an allow rule. e.g.
# system_app loads /system/lib/module/wlan.ko
allow system_app system_file:system module_load;
Similar rules may be added for platform_app or system_server.
Similar rules may be added for platform_app or system_server.
On Wed, Jun 22, 2016 at 10:43 AM Ravi Kumar <nxp.ravi@xxxxxxxxx> wrote:
_______________________________________________Hi team ,I see some new changes both in kernel and sepolicy project on restricting the load of kernel module .https://android-review.googlesource.com/#/c/213758/ -- kernel change on check for moudle_load request by Jeffhttps://android-review.googlesource.com/#/c/214021/-- sepolicy change adding the neverallow on module_load request by Jeff .As most of the SoC /OEM has there own KO which are loaded on run-time detection an mostly running in system_app/system_server/platfrom_app are there any special guideline here .As an good example wlan.ko .Regard,Ravi
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
