Commit 38d430ff authored by John Stultz, committed by Mark Salyzyn

ANDROID: exec_domains: Disable request_module() call for personalities

(cherry pick from commit a9ac1262ce80c287562e604f3bb24f232fcb686e)

With Android M, Android environments use a separate execution
domain for 32bit processes.
See:
https://android-review.googlesource.com/#/c/122131/



This results in systems that use kernel modules to see selinux
audit noise like:
  type=1400 audit(28.989:15): avc: denied { module_request } for
  pid=1622 comm="app_process32" kmod="personality-8"
  scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system

While using kernel modules is unadvised, some systems do require
them.

Thus to avoid developers adding sepolicy exceptions to allow for
request_module calls, this patch disables the logic which tries
to call request_module for the 32bit personality (ie:
personality-8), which doesn't actually exist.

Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I32774083340e0f928d0e3bb4295517218e23c66c
parent 19dc2c8b
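
An added example (not part of the commit or the kernel tree): a small Python triage of audit lines that separates the `personality-N` module_request denials described in the commit message from other module requests, so the remaining ones can be reviewed one by one rather than covered by a blanket sepolicy exception. The function names and sample log lines are constructed for illustration; only the first sample reproduces the record quoted in the message, joined onto one line.

```python
import re
from collections import Counter

# Shape of an SELinux AVC denial: 'avc: denied { perms } for key=value ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERSONALITY_RE = re.compile(r"^personality-\d+$")


def parse_avc(line):
    """Return the fields of an AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def triage_module_requests(lines):
    """Count module_request denials keyed by (comm, kmod, scontext), split into
    exec-domain lookups (kmod="personality-N") and all other module requests."""
    personality, other = Counter(), Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or "module_request" not in rec["perms"]:
            continue
        if rec.get("tclass") != "system":
            continue
        key = (rec.get("comm"), rec.get("kmod"), rec.get("scontext"))
        is_personality = PERSONALITY_RE.match(rec.get("kmod", ""))
        (personality if is_personality else other)[key] += 1
    return personality, other


# Constructed sample input. Line 1 is the record from the commit message;
# lines 2-4 are invented (repeat denial, unrelated module, unrelated denial).
SAMPLE = [
    'type=1400 audit(28.989:15): avc: denied { module_request } for pid=1622 comm="app_process32" kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system',
    'type=1400 audit(29.412:16): avc: denied { module_request } for pid=1688 comm="app_process32" kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system',
    'type=1400 audit(30.105:17): avc: denied { module_request } for pid=1501 comm="netd" kmod="net-pf-10" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system',
    'type=1400 audit(31.002:19): avc: denied { read } for pid=1700 comm="logd" name="kmsg" scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file',
]

if __name__ == "__main__":
    noise, review = triage_module_requests(SAMPLE)
    print("personality lookups:", dict(noise))
    print("other module requests to review:", dict(review))
```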