From e2861bf297336fb18a596087d723c615b5918c5c Mon Sep 17 00:00:00 2001 From: John Stultz Date: Tue, 17 Nov 2015 08:35:54 -0800 Subject: [PATCH] ANDROID: exec_domains: Disable request_module() call for personalities (cherry pick from commit a9ac1262ce80c287562e604f3bb24f232fcb686e) With Android M, Android environments use a separate execution domain for 32bit processes. See: https://android-review.googlesource.com/#/c/122131/ This results in systems that use kernel modules to see selinux audit noise like: type=1400 audit(28.989:15): avc: denied { module_request } for pid=1622 comm="app_process32" kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system While using kernel modules is unadvised, some systems do require them. Thus to avoid developers adding sepolicy exceptions to allow for request_module calls, this patch disables the logic which tries to call request_module for the 32bit personality (ie: personality-8), which doesn't actually exist. Signed-off-by: John Stultz Change-Id: I32774083340e0f928d0e3bb4295517218e23c66c --- kernel/exec_domain.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c index 0dbeae374225..36cc21da4dd0 100644 --- a/kernel/exec_domain.c +++ b/kernel/exec_domain.c @@ -68,7 +68,14 @@ lookup_exec_domain(unsigned int personality) goto out; } -#ifdef CONFIG_MODULES +/* + * Disable the request_module here to avoid trying to + * load the personality-8 module, which doesn't exist, + * and results in selinux audit noise. + * Disabling this here avoids folks adding module_request + * to their sepolicy, which is maybe too generous + */ +#if 0 read_unlock(&exec_domains_lock); request_module("personality-%d", pers); read_lock(&exec_domains_lock);