On Jul 7, 2016 1:13 PM, "YongQin Liu" <[email protected]> wrote:
>
> Hi, ALL
>
> When I try AOSP master with the hikey board, I see following sys_module denial on netd domain.
>
>> avc: denied { sys_module } for pid=1775 comm="netd" capability=16 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
>
> After some check, I found it was caused by "capable(CAP_SYS_MODULE)" call in dev_load method of the kernel net/core/dev_ioctl.c file here:
>
> https://android.googlesource.com/kernel/hikey-linaro/+/refs/heads/android-hikey-linaro-4.4/net/core/dev_ioctl.c#371
>
> When I comment the capable(CAP_SYS_MODULE) check, there is no sys_module denial output.
>
> I did not dig into the implementation of capable, but should not it just return false without the sys_module denial?
>
> Could anyone please help point to the source where I should check, why the sys_module denial is output?

From what I know, the cap check is separate. This denial is on finit_module. See this patch: http://comments.gmane.org/gmane.comp.security.selinux/24164

> Thanks in advance!
>
> --
> Best Regards,
> Yongqin Liu
> ---------------------------------------------------------------
> #mailing list
> [email protected]
> http://lists.linaro.org/mailman/listinfo/linaro-android
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].
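For triage of the denial quoted in this thread, the following is an added example (not part of the original messages and not AOSP code) that parses an AVC line and checks that the numeric `capability=` field agrees with the permission name. The function names `parse_avc` and `triage` are hypothetical; the capability table follows the numbering in the kernel's `include/uapi/linux/capability.h`.

```python
import re

# Capability numbers 0-31 in the order of include/uapi/linux/capability.h,
# written the way SELinux names the permissions of class "capability".
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid "
             "setuid setpcap linux_immutable net_bind_service net_broadcast "
             "net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio "
             "sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
             "sys_resource sys_time sys_tty_config mknod lease audit_write "
             "audit_control setfcap").split()

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in FIELD_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec

def triage(rec):
    """Summarise a capability denial: which domain asked for which CAP_*."""
    if rec is None or rec.get("tclass") != "capability":
        return None
    num = int(rec["capability"])
    name = CAP_NAMES[num] if num < len(CAP_NAMES) else None
    return {
        "domain": rec["scontext"].split(":")[2],
        "cap": "CAP_" + name.upper() if name else "unknown",
        # Does the numeric field match the permission inside the braces?
        "consistent": name in rec["perms"],
        # Capability checks are made by a domain against itself.
        "self_check": rec["scontext"] == rec["tcontext"],
        # permissive=0 means the request was actually refused.
        "blocked": rec["result"] == "denied" and rec.get("permissive") == "0",
    }

# The denial line quoted in the thread above.
SAMPLE = ('avc: denied { sys_module } for pid=1775 comm="netd" capability=16 '
          'scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0')

if __name__ == "__main__":
    print(triage(parse_avc(SAMPLE)))
```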
