Hi Jeffrey,
I tried to do the same, and added the allow rule in system_server as

    allow system_server system_file:system module_load;

But I am still seeing the issue. As for wlan.ko, it is a symlink, as below:
wlan.ko -> /system/lib/modules/vendor_wlan.ko
wlan.ko and vendor_wlan.ko are both labeled u:object_r:system_file:s0.
But I still see there is some issue where it shows this denial:
W WifiStateMachin: type=1400 audit(0.0:2074): avc: denied { module_load } for scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=system permissive=0
In the above denial I see the tcontext as system_server.
I have not debugged much into it yet, but will do; it looks like there is something
which we are missing.
Regards,
Ravi
On Thu, Jun 23, 2016 at 12:32 AM, Jeffrey Vander Stoep <[email protected]>
wrote:
> [email protected] to bcc
>
> Hi Ravi,
>
> The intent is not to restrict which processes may load modules, but to
> place restrictions on the origin of the module itself. Modules, like the
> kernel, should live on a verity protected partition.
>
> If you want system apps to load a kernel module from the system partition
> you just need to add an allow rule. e.g.
>
> # system_app loads /system/lib/module/wlan.ko
> allow system_app system_file:system module_load;
>
> Similar rules may be added for platform_app or system_server.
>
> On Wed, Jun 22, 2016 at 10:43 AM Ravi Kumar <[email protected]> wrote:
>
>> Hi team ,
>>
>> I see some new changes in both the kernel and sepolicy projects on
>> restricting the loading of kernel modules.
>>
>> https://android-review.googlesource.com/#/c/213758/ -- kernel change adding a
>> check for module_load requests, by Jeff
>> https://android-review.googlesource.com/#/c/214021/ -- sepolicy change
>> adding the neverallow on module_load requests, by Jeff.
>>
>> As most SoCs/OEMs have their own KOs which are loaded on run-time
>> detection, mostly running in system_app/system_server/platform_app, are
>> there any special guidelines here?
>>
>> As a good example, wlan.ko.
>>
>>
>> Regards,
>> Ravi
>> _______________________________________________
>> Selinux mailing list
>> [email protected]
>
>
_______________________________________________
Seandroid-list mailing list
[email protected]
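Added example, not code from the thread or from the Android project: an audit2allow-style helper that turns avc denial lines like the one Ravi posted into the allow rule they ask for, and checks whether an existing rule covers a given denial. The two sample log lines are constructed for this example; the first is the denial quoted in the thread, the second is a hypothetical variant whose tcontext is the module file (the case Jeffrey's `system_file` rule is written for). Standard SELinux policy syntax writes a target type equal to the source type as `self`, which is why a rule on `system_file:system` does not match a denial whose tcontext is the process's own domain.

```python
"""Turn Android avc denials into allow rules and test rule coverage.

Added example for the module_load thread; not part of AOSP or audit2allow.
"""
import re

# Constructed sample input: the denial from the thread, plus a hypothetical
# variant where the target of the module_load check is the module file.
SAMPLE_DENIALS = [
    "W WifiStateMachin: type=1400 audit(0.0:2074): avc: denied { module_load } "
    "for scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 "
    "tclass=system permissive=0",
    "I insmod: type=1400 audit(0.0:2075): avc: denied { module_load } "
    "for scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 "
    "tclass=system permissive=0",
]

# Matches the fields we need from a type=1400 avc denial record.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Matches "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };".
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+?));"
)


def context_type(ctx):
    """Extract the type field: u:r:system_server:s0 -> system_server."""
    return ctx.split(":")[2]


def parse_denial(line):
    """Return a dict of source/target type, class and perms, or None."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rule(denial):
    """Build the minimal allow rule that would silence this denial."""
    # Same type on both sides is spelled "self" in policy language.
    target = "self" if denial["target"] == denial["source"] else denial["target"]
    perms = " ".join(sorted(denial["perms"]))
    if len(denial["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (denial["source"], target, denial["tclass"], perms)


def rule_covers(rule, denial):
    """True if the allow rule grants every permission the denial reports."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % rule)
    src, tgt, tclass, multi, single = m.groups()
    perms = set((multi or single).split())
    if tgt == "self":
        tgt = src
    return (
        src == denial["source"]
        and tgt == denial["target"]
        and tclass == denial["tclass"]
        and denial["perms"] <= perms
    )


if __name__ == "__main__":
    # The rule Ravi added; see which of the sample denials it actually covers.
    ravi_rule = "allow system_server system_file:system module_load;"
    for line in SAMPLE_DENIALS:
        d = parse_denial(line)
        print(allow_rule(d), "| covered by ravi_rule:", rule_covers(ravi_rule, d))
```

Running it shows that the denial with tcontext=u:r:system_server:s0 needs `allow system_server self:system module_load;`, which the `system_file` rule does not provide, while the file-targeted variant is covered by it.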