On 06/03/2014 01:48 AM, Jaejyn Shin wrote:
> Dear seandroid developer
>
> In the aosp policy file, I found the following allow rule.
>
> allow system_server kernel:system module_request;
>
> If I don't want to allow system_server to request all modules but I want
> to allow system_server to request only "my_module", how can I write
> the policy rule?
> (for example: allow system_server kernel:system module_request
> "my_module"; -> is this way possible?)
>
> +
> I want to allow the below rule when the domain_1 has uid=1000.
> allow domain_1 file_1:file execute;
> (for example: allow domain_1 file_1:file execute uid=1000; -> is this
> way possible?)

No, neither is possible; SELinux permission checks are only based on a pair of security contexts and the object security class, and it operates orthogonally to the uid/gid-based DAC checks (both must authorize each operation).

Note however that kernel:system module_request is not the same as self:capability sys_module; the former only allows the caller to trigger auto-module loading by the kernel, while the latter allows inserting an arbitrary module from userspace. And of course neither is relevant if the kernel is built non-modular.

If you want to restrict what modules can be loaded, you are likely better off enabling the kernel signed modules support and using that.
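
Added example, not part of the original message: a shell check that classifies a kernel build config by how it constrains module loading, covering the non-modular case and the signed-modules support the reply points to. The function name `module_load_posture`, its output labels and the sample config are constructed for illustration; the `CONFIG_*` symbols are the kernel's own.

```shell
#!/bin/sh
# Classify a kernel .config by how it constrains module loading.
# Usage: module_load_posture /path/to/.config
# Prints one of: non-modular, unsigned-allowed, signed-permissive,
# signed-enforced. Returns 2 if the file cannot be read.
module_load_posture() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # Match only "CONFIG_X=y"; "# CONFIG_X is not set" must not count.
    if ! grep -q '^CONFIG_MODULES=y$' "$cfg"; then
        # No loadable module support: module_request and sys_module
        # have nothing to act on.
        echo "non-modular"
    elif ! grep -q '^CONFIG_MODULE_SIG=y$' "$cfg"; then
        # Any module is accepted; only policy (sys_module) limits who loads.
        echo "unsigned-allowed"
    elif grep -q '^CONFIG_MODULE_SIG_FORCE=y$' "$cfg"; then
        # Modules without a valid signature are rejected.
        echo "signed-enforced"
    else
        # Signatures are checked, but unsigned modules still load and
        # taint the kernel unless enforcement is enabled at boot
        # (module.sig_enforce).
        echo "signed-permissive"
    fi
}

# Constructed sample config (not taken from any real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
EOF
module_load_posture "$sample"
rm -f "$sample"
```

Only the `signed-enforced` result restricts which modules can be loaded; the SELinux rules discussed above restrict which domain may ask for or insert one.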
