On 10/10/2016 07:16 PM, Jeffrey Vander Stoep wrote: > No problem. We went through a number of iterations on this patch > because of how confusing the target object for init_module is. > > On Android we neverallow use of init_module. Forcing userspace to use > finit_module allows us to enforce restrictions on kernel module > origin. We only allow module loading from verified-boot protected > partitions. > > https://android-review.googlesource.com/#/c/214021/ > That is a nice approach. After you reminded me, i started looking at my policy and i actually commented it (i rarely comment in my policy): ; for compatibility with Linux =< 4.6 (allow sys.load_kernel_module_subj_type_attribute self (system (module_load)))))) So i suppose if i want to support Linux 4.6 then i might not have the option to neverallow it. > On Mon, Oct 10, 2016 at 8:10 AM, Dominick Grift <dac.override@xxxxxxxxx> wrote: >> On 10/10/2016 05:02 PM, Jeffrey Vander Stoep wrote: >>> When loading a kernel module using init_module the module is copied >>> from memory of the calling process. In that case, the target really is >>> the calling process. When using finit_module a file is passed to the >>> kernel and that file is the target object. >>> >>> See the commit message that added module_load for a more complete >>> description: https://marc.info/?l=selinux&m=145988689809307&w=2 >>> >> >> Thanks, Sorry about that. >> >>> On Sun, Oct 9, 2016 at 1:10 AM, Dominick Grift <dac.override@xxxxxxxxx> wrote: >>>> >>>> I encountered a system module_load event for the first time today. >>>> Howver i am a bit surprised: >>>> >>>> >>>> avc: denied { module_load } for pid=473 comm="modprobe" >>>> scontext=wheel.id:sysadm.role:lmc.subj:s0-s0:c0.c1023 >>>> tcontext=wheel.id:sysadm.role:lmc.subj:s0-s0:c0.c1023 tclass=system >>>> permissive=1 >>>> >>>> Should that permission not have applied to a kernel module object >>>> instead of "self"? >>>> -- >>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 >>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 >>>> Dominick Grift >>>> >>>> >>>> _______________________________________________ >>>> Selinux mailing list >>>> Selinux@xxxxxxxxxxxxx >>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. >>>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. >> >> >> -- >> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 >> Dominick Grift >> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
