On 11 July 2016 at 23:08, Stephen Smalley <[email protected]> wrote:

> On 07/07/2016 01:11 PM, YongQin Liu wrote:
> > Hi, ALL
> >
> > When I try AOSP master with the hikey board, I see following sys_module
> > denial on netd domain.
> >
> >     avc: denied { sys_module } for pid=1775 comm="netd" capability=16
> >     scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
> >
> >
> > After some check, I found it was caused by "capable(CAP_SYS_MODULE)"
> > call in dev_load method of the kernel net/core/dev_ioctl.c file here:
> >
> > https://android.googlesource.com/kernel/hikey-linaro/+/refs/heads/android-hikey-linaro-4.4/net/core/dev_ioctl.c#371
> >
> > When I comment out the capable(CAP_SYS_MODULE) check, there is no
> > sys_module denial output.
> >
> > I did not dig into the implementation of capable, but should it not just
> > return false without the sys_module denial?
>
> Why would you expect it to do that?  netd has CAP_SYS_MODULE in its
> effective capability set, so you'll pass the capability module check but
> will then fail the SELinux check if it is not allowed by policy.
>
> When it fails the SELinux check, it outputs an avc denial like this:
>     avc: denied { sys_module } for pid=1775 comm="netd" capability=16
>     scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0

This makes people wonder what caused this avc denial, and they will go and
check whether something is wrong in the source.

So I think it's better not to show this avc denial during the check when
CAP_SYS_MODULE is not allowed.


>
> > Could anyone please help point to the source where I should check why
> > the sys_module denial is output?
> >
> > Thanks in advance!

-- 
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
[email protected]
http://lists.linaro.org/mailman/listinfo/linaro-android
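The avc line quoted in this thread, parsed into its fields and turned into the candidate policy statement an audit2allow-style tool would propose. This is an added example, not code from the thread or from SEAndroid; the sample line is constructed from the quoted denial, and the capability table is a subset of the numbers in the kernel's capability.h. It defaults to `dontaudit` (keep denying, stop logging), since `allow` is a real privilege change that needs its own review.

```python
import re
from typing import Dict, List, Optional

# Subset of Linux capability numbers (include/uapi/linux/capability.h).
# capability=16 in the quoted denial is CAP_SYS_MODULE.
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 5: "CAP_KILL",
    6: "CAP_SETGID", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE_DENIAL = ('avc: denied { sys_module } for pid=1775 comm="netd" capability=16 '
                 'scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0')

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Split one avc message into its fields; returns None for non-avc lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    # A capability-class denial carries the numeric capability; name it.
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capability_name"] = CAPABILITY_NAMES.get(int(str(rec["capability"])), "UNKNOWN")
    return rec


def suggest_rule(rec: Dict[str, object], audit: bool = True) -> str:
    """Render the policy statement that would silence this denial.

    audit=True  -> 'dontaudit': access stays denied, the log line goes away.
    audit=False -> 'allow': grants the access (a privilege change, review it).
    Android contexts look like u:r:netd:s0, so the type is the third field.
    """
    src = str(rec["scontext"]).split(":")[2]
    tgt = str(rec["tcontext"]).split(":")[2]
    target = "self" if src == tgt else tgt
    keyword = "dontaudit" if audit else "allow"
    return f"{keyword} {src} {target}:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"


def rules_for(lines: List[str], audit: bool = True) -> List[str]:
    """One candidate statement per denied avc line in a log excerpt."""
    return [suggest_rule(r, audit) for r in map(parse_avc, lines) if r and r["result"] == "denied"]
```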