insmod in android lollipop with SE Linux enforced


I am trying to perform insmod abc.ko with a few module params. However, these module params need to be dynamically computed, so I am launching an app, /system/bin/my_app, to compute these params and then perform insmod within my_app.

Issue: When my_app is launched at boot using the init.hammerhead.rc script, it is unable to perform insmod and gives the following error:

type=1400 audit(0.0.4): avc: denied { sys_module } for path="system/bin/my_app" dev="mmcblk0p25" ino=170 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=file

How can I enable my_app to insmod?

Would appreciate any pointers to resolve this.

2

There are 2 answers

0
Anup Warnulkar On BEST ANSWER

Finally found a solution: my_app should be given new policies which allow it to perform insmod.

[1] Create my_app.te in ///sepolicy/my_app.te
[2] Add the following policies to my_app.te.

# Domain for the daemon and the type for its executable
type my_app, domain;
type my_app_exec, exec_type, file_type;

# init_module()/finit_module() require CAP_SYS_MODULE
allow my_app self:capability sys_module;
allow my_app self:capability { setuid setgid };
allow my_app self:capability sys_admin;
# Allow the daemon to run binaries labelled shell_exec (e.g. /system/bin/sh)
allow my_app shell_exec:file rx_file_perms;
# Transition from init into my_app when init execs a my_app_exec file
init_daemon_domain(my_app)

permissive_or_unconfined(my_app)

[3] Add my_app.te to BOARD_SEPOLICY_UNION in the BoardConfig.mk file.
[4] Add the following to sepolicy/file_contexts:

/system/bin/my_app u:object_r:my_app_exec:s0

For further info or issues, subscribe to [email protected]
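As an added example (my own code, not part of the answer above and not AOSP tooling): a small audit2allow-style script that turns the `avc: denied` lines this answer is written against into `allow` rules, and separately flags the symptom seen in the question, a denial whose scontext is `u:r:init:s0`. That context means the daemon started from `init.hammerhead.rc` never transitioned out of init's domain, which is what the `file_contexts` entry plus `init_daemon_domain(my_app)` above fixes. The log lines are constructed for illustration, not a device capture, and the function names are my own.

```python
import re
from collections import defaultdict

# Layout of a denial as printed by dmesg/logcat on Android:
#   ... avc: denied { perm perm } for pid=.. comm=".." ... scontext=u:r:X:s0 tcontext=u:r:Y:s0 tclass=Z ...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')

# Constructed sample log (not a real device capture). Lines 1-3: denials a fresh
# my_app domain hits when it calls init_module and drops privileges. Line 4:
# reading the .ko from /system. Line 5 mirrors the question: the daemon is still
# running as u:r:init:s0 because init exec'd an unlabelled binary.
SAMPLE_LOG = """\
type=1400 audit(0.0.4): avc: denied { sys_module } for pid=234 comm="my_app" capability=16 scontext=u:r:my_app:s0 tcontext=u:r:my_app:s0 tclass=capability permissive=0
type=1400 audit(0.0.4): avc: denied { setuid } for pid=234 comm="my_app" capability=7 scontext=u:r:my_app:s0 tcontext=u:r:my_app:s0 tclass=capability permissive=0
type=1400 audit(0.0.4): avc: denied { setgid } for pid=234 comm="my_app" capability=6 scontext=u:r:my_app:s0 tcontext=u:r:my_app:s0 tclass=capability permissive=0
type=1400 audit(0.0.4): avc: denied { read open } for pid=234 comm="my_app" path="/system/lib/modules/abc.ko" dev="mmcblk0p25" ino=170 scontext=u:r:my_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
type=1400 audit(0.0.4): avc: denied { sys_module } for pid=200 comm="my_app" capability=16 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0
"""


def type_of(context):
    """u:r:init:s0 -> init, u:object_r:system_file:s0 -> system_file."""
    fields = context.split(":")
    return fields[2] if len(fields) > 2 else context


def parse_avc(line):
    """Return the parts of one denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(m.group("rest"))
    return {
        "perms": set(m.group("perms").split()),
        "comm": comm.group(1) if comm else "",
        "sdomain": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def generate_allow_rules(log):
    """Collapse denials into one allow rule per (source domain, target, class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # A denial against the process's own context (capabilities, process
        # class) is written with the `self` keyword, as in the answer's .te.
        target = "self" if d["ttype"] == d["sdomain"] else d["ttype"]
        grouped[(d["sdomain"], target, d["tclass"])] |= d["perms"]
    rules = []
    for (dom, target, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {dom} {target}:{cls} {body};")
    return rules


def domains_still_in_init(log):
    """Names (comm) of programs denied while running as init's domain.

    A denial with scontext=u:r:init:s0 but comm != "init" is the situation in
    the question: the binary was started from an init.*.rc but has no exec
    type with a domain transition, so it inherited init's context. The cure is
    a file_contexts entry plus init_daemon_domain(), not an allow rule on init.
    """
    hits = set()
    for line in log.splitlines():
        d = parse_avc(line)
        if d and d["sdomain"] == "init" and d["comm"] and d["comm"] != "init":
            hits.add(d["comm"])
    return sorted(hits)


if __name__ == "__main__":
    for rule in generate_allow_rules(SAMPLE_LOG):
        print(rule)
    for prog in domains_still_in_init(SAMPLE_LOG):
        print(f"# {prog} ran as u:r:init:s0: label its executable and use init_daemon_domain()")
```

A non-empty result from `domains_still_in_init()` is the cue to do steps [1] and [4] of the answer first; the denials it reports would otherwise tempt you into widening init itself rather than giving the daemon its own domain, and the rule it generates for `init` should be dropped rather than added to policy.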

0
Aymen Zayet On

The ability to insmod a module is linked with the permissions of the code running do_insmod(). In your case, the issue is that there is no policy described that allows your software to access the module. I am not an expert in sepolicy, but there is a way to generate the appropriate policy file from the logs; here is a good article about that: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_generate.html

Hope that helps. Aymen.