mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
ANDROID: exec_domains: Disable request_module() call for personalities
(cherry pick from commit a9ac1262ce)
With Android M, Android environments use a separate execution
domain for 32bit processes.
See:
https://android-review.googlesource.com/#/c/122131/
This results in systems that use kernel modules to see selinux
audit noise like:
type=1400 audit(28.989:15): avc: denied { module_request } for
pid=1622 comm="app_process32" kmod="personality-8"
scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system
While using kernel modules is unadvised, some systems do require
them.
Thus to avoid developers adding sepolicy exceptions to allow for
request_module calls, this patch disables the logic which tries
to call request_module for the 32bit personality (ie:
personality-8), which doesn't actually exist.
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I9cb90bd1291f0a858befa7d347c85464346702db
This commit is contained in:
parent
f57b91255d
commit
ff9ff2f4b9
1 changed files with 8 additions and 1 deletions
|
@ -68,7 +68,14 @@ lookup_exec_domain(unsigned int personality)
|
|||
goto out;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_MODULES
|
||||
/*
|
||||
* Disable the request_module here to avoid trying to
|
||||
* load the personality-8 module, which doesn't exist,
|
||||
* and results in selinux audit noise.
|
||||
* Disabling this here avoids folks adding module_request
|
||||
* to their sepolicy, which is maybe too generous
|
||||
*/
|
||||
#if 0
|
||||
read_unlock(&exec_domains_lock);
|
||||
request_module("personality-%d", pers);
|
||||
read_lock(&exec_domains_lock);
|
||||
|
|
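Review bot: The `#if 0` placed in front of `request_module("personality-%d", pers);` turns off on-demand loading for every personality value that misses the first lookup, not only personality-8, but the new comment describes just the personality-8 case. The comment should say that module autoloading of execution domains is disabled entirely on this tree, so that someone who ships an exec-domain module knows it will never be requested from here. The rest of the hunk is not shown on this page, so it is worth confirming that the closing `#endif` also covers the retry lookup that follows `read_lock(&exec_domains_lock);`. Otherwise the list is searched a second time for no reason. Deleting the block, or guarding it with a named config symbol, would also state the intent more clearly than `#if 0`.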