843f46e674
There is a longstanding bug where file-based encryption causes spurious SELinux denials of module_request because it uses the kernel's crypto API, and the crypto API tries to autoload kernel modules. While this sometimes indicate missing kconfig options, it can still happen even if all needed kconfig options are enabled. This is because a crypto algorithm can be a composition like "hmac(sha512)", and the crypto API will first look for the full composition before it instantiates it using the components like "hmac" and "sha512". But often an implementation of the full composition doesn't exist. However, as far as I can tell, Android doesn't actually use kernel module autoloading at all. First, Android never changes /proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this isn't where modprobe is located on Android. Android's SELinux policy contains a neverallow rule that ensures that only init (not even vendor_init) can write to this setting, so vendors can't be changing it. Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH, which overrides the path of all usermode helpers including modprobe. But this is a relatively new kconfig option, available only in android-4.14 and later. Also, for a vendor to actually do this they'd also need to extend the SELinux policy with a domain_auto_trans rule to allow their usermode helper to be executed by the kernel. Android does increasingly use kernel modules, and GKI (Generic Kernel Image) will require them. However, the modules are actually inserted by userspace by 'init', not autoloaded. It's possible to disable kernel module autoloading completely by setting /proc/sys/kernel/modprobe to an empty string. So, let's do that. This prevents lots of spurious SELinux denials, and allows removing unnecessary rules to allow or dontaudit the module_request permission. Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this change exposes a kernel bug that causes a WARNING in get_fs_type(). To avoid this WARNING, a kernel fix should be applied too -- currently under discussion upstream (https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org). Bug: 130424539 Bug: 132409186 Bug: 144399145 Bug: 146477240 Bug: 148005188 Bug: 149542343 Test: Tested on cuttlefish and coral: - Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe before this change, and the empty string after. - Checked that if all SELinux rules for module_request are removed, there are SELinux denials for module_request before this change but none after. - Ran lsmod both before and after and verified that the list is the same, i.e. checked that this change doesn't break how Android actually loads kernel modules. Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5 |
||
---|---|---|
.. | ||
avb | ||
etc | ||
adb_debug.prop | ||
Android.bp | ||
Android.mk | ||
asan.options | ||
asan_extract.rc | ||
asan_extract.sh | ||
init-debug.rc | ||
init.environ.rc.in | ||
init.rc | ||
init.usb.configfs.rc | ||
init.usb.rc | ||
init.zygote32.rc | ||
init.zygote32_64.rc | ||
init.zygote64.rc | ||
init.zygote64_32.rc | ||
OWNERS | ||
ueventd.rc |