On 07/07/2016 01:11 PM, YongQin Liu wrote:
> Hi, ALL
>
> When I try AOSP master with the hikey board, I see the following sys_module
> denial in the netd domain.
>
> avc: denied { sys_module } for pid=1775 comm="netd" capability=16
> scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
>
>
> After some checking, I found it was caused by the "capable(CAP_SYS_MODULE)"
> call in the dev_load method of the kernel's net/core/dev_ioctl.c file here:
>
> https://android.googlesource.com/kernel/hikey-linaro/+/refs/heads/android-hikey-linaro-4.4/net/core/dev_ioctl.c#371
>
>
> When I comment out the capable(CAP_SYS_MODULE) check, there is no
> sys_module denial output.
>
> I did not dig into the implementation of capable, but shouldn't it just
> return false without the sys_module denial?
Why would you expect it to do that? netd has CAP_SYS_MODULE in its
effective capability set, so you'll pass the capability module check but
will then fail the SELinux check if it is not allowed by policy.
> Could anyone please help point me to the source I should check for why
> the sys_module denial is output?
>
> Thanks in advance!
_______________________________________________
Seandroid-list mailing list
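A way to check the point made in the reply on a running device, as an added example that is not part of this thread or of AOSP: capable() runs the commoncap hook (the effective-set check) before the SELinux hook, and the LSM framework stops at the first refusal, so an "avc: denied ... tclass=capability" line can only appear when the bit is already present in the process's CapEff. The script below pulls the capability number and pid out of a denial line, tests that bit in a CapEff mask of the form found in /proc/<pid>/status, and classifies the denial as a policy denial (bit present) or a capability-set failure (bit absent). The denial line is the one quoted above; the CapEff mask used for the demonstration is constructed for illustration and is not netd's real capability set. Run it with a pid argument (e.g. `sh check_cap_denial.sh $(pidof netd)`) to read the live mask instead.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a "capability" avc denial by
# checking the denied capability against the process's effective set.

CAP_SYS_MODULE=16   # capability number from <linux/capability.h>

# The denial line quoted in the thread.
DENIAL='avc: denied { sys_module } for pid=1775 comm="netd" capability=16 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0'

# Constructed sample CapEff mask: bits 12, 13 and 16 set. Not netd's real mask.
SAMPLE_CAPEFF=0000000000013000

# Extract "capability=N" from an avc denial line.
avc_cap_number() {
    printf '%s\n' "$1" | sed -n 's/.*capability=\([0-9][0-9]*\).*/\1/p'
}

# Extract "pid=N" from an avc denial line.
avc_pid() {
    printf '%s\n' "$1" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p'
}

# Print 1 if capability number $2 is set in hex mask $1 (CapEff format from
# /proc/<pid>/status), else 0. Works on the single hex digit that holds the
# bit, so masks of any width are handled without 64-bit arithmetic overflow.
cap_in_mask() {
    mask="$1"; cap="$2"
    nibble=$(( cap / 4 ))        # hex digit index, counted from the right
    bit=$(( cap % 4 ))           # bit within that digit
    idx=$(( ${#mask} - nibble )) # 1-based position from the left for cut
    if [ "$idx" -lt 1 ]; then
        echo 0
        return
    fi
    digit=$(printf '%s' "$mask" | cut -c "$idx")
    echo $(( (0x$digit >> bit) & 1 ))
}

# Read the CapEff mask of a live process from /proc (Linux only).
proc_cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# "policy": the bit is in CapEff, so commoncap passed and SELinux refused.
# "capset": the bit is absent, so commoncap would fail first and the SELinux
#           hook (which prints the avc line) would never run.
classify_denial() {
    line="$1"; mask="$2"
    cap=$(avc_cap_number "$line")
    if [ "$(cap_in_mask "$mask" "$cap")" = 1 ]; then
        echo policy
    else
        echo capset
    fi
}

if [ "$#" -ge 1 ]; then
    # Live mode: read the mask of the given pid (e.g. from pidof netd).
    mask=$(proc_cap_eff "$1")
else
    mask=$SAMPLE_CAPEFF
fi

printf 'pid=%s capability=%s in CapEff=%s -> %s denial\n' \
    "$(avc_pid "$DENIAL")" "$(avc_cap_number "$DENIAL")" "$mask" \
    "$(classify_denial "$DENIAL" "$mask")"
```

On a device, a "policy" result means the fix belongs in sepolicy (an allow or dontaudit rule for netd's capability sys_module, whichever the intended behaviour is), not in the capability set handed to netd; a "capset" result with an avc line present would contradict the ordering described above and would be worth a closer look at the kernel in use.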