aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Stultz <john.stultz@linaro.org>2015-11-17 08:35:54 -0800
committerMark Salyzyn <salyzyn@google.com>2015-11-17 16:06:51 -0800
commitc037c42d164e186809b43838b8772aa1fe7cc8d5 (patch)
tree6a676f01f3827e65c96dd1477b25e8e5cac0a61e
parent64d52c07bef88839ccc0d93e0f2ff56fdbc3e6fc (diff)
downloadlinux-linaro-stable-c037c42d164e186809b43838b8772aa1fe7cc8d5.tar.gz
ANDROID: exec_domains: Disable request_module() call for personalities
(cherry pick from commit a9ac1262ce80c287562e604f3bb24f232fcb686e) With Android M, Android environments use a separate execution domain for 32bit processes. See: https://android-review.googlesource.com/#/c/122131/ This results in systems that use kernel modules to see selinux audit noise like: type=1400 audit(28.989:15): avc: denied { module_request } for pid=1622 comm="app_process32" kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system While using kernel modules is unadvised, some systems do require them. Thus to avoid developers adding sepolicy exceptions to allow for request_module calls, this patch disables the logic which tries to call request_module for the 32bit personality (ie: personality-8), which doesn't actually exist. Signed-off-by: John Stultz <john.stultz@linaro.org> Change-Id: I7bf8aabed0a39d9bb0c0b959e0e54f3e64b3db74
-rw-r--r--kernel/exec_domain.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c
index 0dbeae3..36cc21d 100644
--- a/kernel/exec_domain.c
+++ b/kernel/exec_domain.c
@@ -68,7 +68,14 @@ lookup_exec_domain(unsigned int personality)
goto out;
}
-#ifdef CONFIG_MODULES
+/*
+ * Disable the request_module here to avoid trying to
+ * load the personality-8 module, which doesn't exist,
+ * and results in selinux audit noise.
+ * Disabling this here avoids folks adding module_request
+ * to their sepolicy, which is maybe too generous
+ */
+#if 0
read_unlock(&exec_domains_lock);
request_module("personality-%d", pers);
read_lock(&exec_domains_lock);