Hi Jeffrey,
I tried to do the same,
added the allow rule in system_server as
allow system_server system_file:system module_load;
But I am still seeing the issue. wlan.ko is a symlink, as below:
wlan.ko -> /system/lib/modules/vendor_wlan.ko
wlan.ko and vendor_wlan.ko are both labeled u:object_r:system_file:s0.
But I still see there is some issue, where it shows up this denial:
W WifiStateMachin: type=1400 audit(0.0:2074): avc: denied { module_load } for scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=system permissive=0
In the above denial I see the tcontext as system_server.
I have not debugged much into it yet; I will, but it looks like there is something which we are missing.
Regards,
Ravi
On Thu, Jun 23, 2016 at 12:32 AM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
selinux@xxxxxxxxxxxxx to bcc

Hi Ravi,

The intent is not to restrict which processes may load modules, but to place restrictions on the origin of the module itself. Modules, like the kernel, should live on a verity protected partition.

If you want system apps to load a kernel module from the system partition you just need to add an allow rule. e.g.

# system_app loads /system/lib/module/wlan.ko
allow system_app system_file:system module_load;

Similar rules may be added for platform_app or system_server.

On Wed, Jun 22, 2016 at 10:43 AM Ravi Kumar <nxp.ravi@xxxxxxxxx> wrote:

Hi team,

I see some new changes in both the kernel and sepolicy projects on restricting the loading of kernel modules.

https://android-review.googlesource.com/#/c/213758/ -- kernel change on check for module_load request by Jeff
https://android-review.googlesource.com/#/c/214021/ -- sepolicy change adding the neverallow on module_load request by Jeff.

As most SoCs/OEMs have their own KOs which are loaded on run-time detection, mostly running in system_app/system_server/platform_app, are there any special guidelines here? A good example is wlan.ko.

Regards,
Ravi
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
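Added example (not code from this thread or from AOSP): a small audit2allow-style script that parses avc denial lines such as the one Ravi quoted into candidate allow rules and, for system:module_load denials, reports what the check was made against. In the kernel change linked in the thread, finit_module() is checked against the security context of the module file, while init_module(), which takes the module image from memory, is checked against the caller's own context. A denial whose tcontext equals its scontext therefore comes from the in-memory path, and allowing that pair lets the domain load any module image it can read, rather than pinning module origin to a file type as Jeffrey describes. The first sample line is the denial from the thread; the second and third are constructed.

```python
"""Turn Android avc denials into candidate allow rules (audit2allow-style)
and flag system:module_load denials whose target is the loading domain itself.

Added example for this thread; not code from the mailing list or from AOSP.
"""
import re
from collections import OrderedDict

# Sample input. The first line is quoted from the thread; the other two are
# constructed to show the finit_module() (file target) path and an ordinary
# file denial.
SAMPLE_DENIALS = [
    "W WifiStateMachin: type=1400 audit(0.0:2074): avc: denied { module_load } "
    "for scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 "
    "tclass=system permissive=0",
    'type=1400 audit(0.0:2075): avc: denied { module_load } for '
    'path="/system/lib/modules/vendor_wlan.ko" dev="dm-0" ino=1234 '
    "scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 "
    "tclass=system permissive=0",
    'type=1400 audit(0.0:2076): avc: denied { read open } for '
    'path="/data/local/tmp/wlan.ko" scontext=u:r:system_app:s0 '
    "tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one avc denial. Returns a dict with perms (sorted list), scontext,
    tcontext, tclass, permissive (bool) and any other key=value fields (path,
    dev, ino, ...), or None if the line is not a complete avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    fields["perms"] = sorted(m.group("perms").split())
    fields["permissive"] = fields.get("permissive") == "1"
    return fields


def context_type(ctx):
    """u:r:system_server:s0 -> system_server (the type is the third field)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def allow_rule(d):
    """Render the allow rule that would silence this denial."""
    perms = d["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"], perm_str)


def module_load_target(d):
    """For system:module_load denials, say what the permission was checked on.
    'file': tcontext is the module file's type (finit_module path), so the
            allow rule pins the module's origin to that file type.
    'self': tcontext equals scontext (init_module path, image already in
            memory), so the allow rule lets the domain load any module it
            can read, which defeats the origin restriction.
    None for every other denial."""
    if d["tclass"] != "system" or "module_load" not in d["perms"]:
        return None
    return "self" if d["tcontext"] == d["scontext"] else "file"


def generate_rules(lines):
    """Merge denials sharing (source type, target type, class) into one rule
    each, in first-seen order. Returns a list of (rule, module_load_target)."""
    merged = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        entry = merged.setdefault(key, {"scontext": d["scontext"],
                                        "tcontext": d["tcontext"],
                                        "tclass": d["tclass"], "perms": set()})
        entry["perms"].update(d["perms"])
    out = []
    for entry in merged.values():
        entry["perms"] = sorted(entry["perms"])
        out.append((allow_rule(entry), module_load_target(entry)))
    return out


if __name__ == "__main__":
    for rule, target in generate_rules(SAMPLE_DENIALS):
        note = ""
        if target == "self":
            note = "  # target is the loading domain itself: allows loading from memory"
        print(rule + note)
```

Feed it the avc lines from `adb logcat` or `dmesg`; for the denial in the thread it emits `allow system_server system_server:system module_load;` with the self-target warning, which is the clue that the module was not loaded through finit_module() and that the system_file rule Ravi added was never consulted.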