On 10/10/2016 07:50 PM, Jeffrey Vander Stoep wrote:
> On Mon, Oct 10, 2016 at 10:21 AM Dominick Grift <dac.override@xxxxxxxxx>
> wrote:
>
>> On 10/10/2016 07:16 PM, Jeffrey Vander Stoep wrote:
>>> No problem. We went through a number of iterations on this patch
>>> because of how confusing the target object for init_module is.
>>>
>>> On Android we neverallow use of init_module. Forcing userspace to use
>>> finit_module allows us to enforce restrictions on kernel module
>>> origin. We only allow module loading from verified-boot protected
>>> partitions.
>>>
>>> https://android-review.googlesource.com/#/c/214021/
>>>
>>
>> That is a nice approach. After you reminded me, i started looking at my
>> policy and i actually commented it (i rarely comment in my policy):
>>
>> ; for compatibility with Linux =< 4.6
>> (allow sys.load_kernel_module_subj_type_attribute self
>> (system (module_load))))))
>>
>> So i suppose if i want to support Linux 4.6 then i might not have the
>> option to neverallow it.
>>
>>
> You shouldn't need this for compatibility. For kernel version <= 4.6, the
> kernel hook for selinux_kernel_read_file is unused so no policy is needed,
> it will already be allowed (or rather, not checked).
>
> The issue is that modprobe uses init_module() to load a kernel module. That
> would need to be updated to use finit_module() in order to disallow
> init_module().
>
> modprobe could be updated to behave more like insmod which defaults to
> using finit_module and falls back to init_module for old kernels.
> https://android.googlesource.com/platform/external/toybox/+/android-7.0.0_r14/toys/other/insmod.c#37
>
> I don't know what kind of control you have over kernels, but if you want a
> stable backport of the module_load patch, we backported to 4.4, 4,1, 3.18,
> 3.14, and 3.10:
> https://android-review.googlesource.com/#/q/61d612ea731e57dc510472fb746b55cdc017f371+owner:jeffv
>

Thank you. All is clear now.

I will rephrase my comment and next time look before asking because, even though the comment is inaccurate, it, together with the av allow rule, still clearly indicated that this event was to be expected (simply because in GNU/Linux some components use init_module() and don't fall back to finit_module()).

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
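The loader behaviour discussed in this thread (try finit_module first, use init_module only on old kernels), as an added C example that is not code from the thread, from toybox or from modprobe. The names `load_module`, `should_fall_back` and the `allow_legacy` flag are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { LOAD_FAILED = -1, LOADED_FINIT = 0, LOADED_INIT = 1 };

/* Fall back only when the kernel has no finit_module (ENOSYS). A policy
 * denial (EACCES) or EPERM must never be retried through init_module. */
int should_fall_back(int err, int allow_legacy)
{
    return allow_legacy && err == ENOSYS;
}

/* Hypothetical helper. allow_legacy=0 models a system whose policy
 * neverallows init_module, as described for Android in the thread. */
int load_module(const char *path, const char *params, int allow_legacy)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return LOAD_FAILED;
    /* The kernel receives the file itself, so SELinux can check
     * system module_load against the label of that file. */
    if (syscall(SYS_finit_module, fd, params, 0) == 0) {
        close(fd);
        return LOADED_FINIT;
    }
    int err = errno, rc = LOAD_FAILED;
    struct stat st;
    if (should_fall_back(err, allow_legacy) && fstat(fd, &st) == 0 && st.st_size > 0) {
        /* init_module passes only a memory buffer: there is no file
         * label to check, hence the "self" target in the quoted rule.
         * A short read is treated as failure. */
        char *image = malloc((size_t)st.st_size);
        if (image && read(fd, image, (size_t)st.st_size) == st.st_size &&
            syscall(SYS_init_module, image, (unsigned long)st.st_size, params) == 0)
            rc = LOADED_INIT;
        else
            err = errno;
        free(image);
    }
    close(fd);
    errno = err;
    return rc;
}
```

The return value tells the caller which syscall actually loaded the module, which is worth logging when auditing which userspace components still depend on init_module.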