Thanks Stephen and Jeffrey that really helped.
Regards,
Ravi
Ravi
On Thu, Jun 23, 2016 at 10:59 PM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
Here's an example migrating code from init_module to finit_module: https://android-review.googlesource.com/#/c/210691/On Thu, Jun 23, 2016 at 10:22 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:On 06/22/2016 03:02 PM, Jeffrey Vander Stoep wrote:
> selinux@xxxxxxxxxxxxx <mailto:selinux@xxxxxxxxxxxxx> to bcc
>
> Hi Ravi,
>
> The intent is not to restrict which processes may load modules, but to
> place restrictions on the origin of the module itself. Modules, like the
> kernel, should live on a verity protected partition.
>
> If you want system apps to load a kernel module from the system
> partition you just need to add an allow rule. e.g.
>
> # system_app loads /system/lib/module/wlan.ko
> allow system_app system_file:system module_load;
>
> Similar rules may be added for platform_app or system_server.
Actually, that probably won't work for any app domains, as they can't
pass the sys_module capability check. So hopefully you only truly need
it for system_server.
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
