[android-porting] Re: AndroidM: Kernel module_request personality-8

Tue, 13 Oct 2015 11:59:11 -0700 

This was covered on the seandroid mailing list. Please 
see https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02418.html

A few things you can do:

1) Patch the kernel to not attempt module loading for alternate execution 
environments. This code never worked in the kernel anyway, so no harm in 
pulling it. Something like:

diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c
index 0dbeae3..a66ea19 100644
--- a/kernel/exec_domain.c
+++ b/kernel/exec_domain.c
@@ -68,7 +68,8 @@
                                goto out;
        }
 
-#ifdef CONFIG_MODULES
+
+#if 0
        read_unlock(&exec_domains_lock);
        request_module("personality-%d", pers);
        read_lock(&exec_domains_lock);

2) Add a dontaudit SELinux rule to suppress these:

Add the following to your device specific policy:

  dontaudit domain kernel:system module_request;

However, please 
read https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02433.html 
before doing so.

3) Backport the patches 
from https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02418.html

-- Nick

On Monday, October 12, 2015 at 8:55:28 PM UTC-7, Vishal Mahaveer wrote:
>
> Hi,
>
>
> In Android-M, below change in bionic was introduced
>
> https://android-review.googlesource.com/122131
>
>  
>
> Which caused lot of SELinux denials to be logged regarding module_request 
> (similar to below one) for 32bit systems, There is quite a lot of 
> module_request denials when any 32bit executable is executed.
>
>  
>
> type=1400 audit(946685139.719:12): avc: denied { module_request } for 
> pid=1970 comm="tzdatacheck" kmod="personality-8" 
> scontext=u:r:tzdatacheck:s0 tcontext=u:r:kernel:s0 tclass=system 
> permissive=1
>
>  
>
>
> The issue is discussed here
>
> http://marc.info/?t=144190478400004&r=1&w=2
>
>
>
> For kernel version < 4.0, is there any resolution available for resolving 
> these denials with out having to backport the removal of execution domain 
> patches from kernel 4.0?
>
> Is adding a dontaudit for kernel module_request good option?
>
>
> In our system disabling modules (CONFIG_MODULES=n) is currently not an 
> option.
>
>
>  
>
> Regards,
>
> Vishal
>

-- 
-- 
unsubscribe: android-porting+unsubscr...@googlegroups.com
website: http://groups.google.com/group/android-porting

--- 
You received this message because you are subscribed to the Google Groups 
"android-porting" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-porting+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to