platform_system_core/rootdir
Eric Biggers 843f46e674 init.rc: disable kernel module autoloading
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.

While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled.  This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512".  But
often an implementation of the full composition doesn't exist.

However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all.  First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android.  Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.

Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later.  Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.

Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them.  However, the modules are actually inserted by
userspace by 'init', not autoloaded.

It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string.  So, let's do that.

This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.

Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type().  To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).

Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343

Test: Tested on cuttlefish and coral:

    - Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
      before this change, and the empty string after.

    - Checked that if all SELinux rules for module_request are removed,
      there are SELinux denials for module_request before this change
      but none after.

    - Ran lsmod both before and after and verified that the list is the
      same, i.e. checked that this change doesn't break how Android
      actually loads kernel modules.

Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
2020-03-11 10:01:32 -07:00
..
avb Adding new GSI public keys 2020-02-19 08:50:26 +00:00
etc Use generated linker config only 2019-12-24 14:18:53 +09:00
adb_debug.prop Adding adb_debug.prop into debug ramdisk 2019-04-23 11:13:46 +08:00
Android.bp Move init and ueventd scripts from / to /system/etc 2019-11-08 10:15:49 -08:00
Android.mk Merge "Set Clang coverage environment variables." 2020-01-22 22:34:35 +00:00
asan.options Include asan options from data partition. 2017-08-09 15:32:23 -07:00
asan_extract.rc
asan_extract.sh
init-debug.rc
init.environ.rc.in Set Clang coverage environment variables. 2020-01-13 14:38:15 -08:00
init.rc init.rc: disable kernel module autoloading 2020-03-11 10:01:32 -07:00
init.usb.configfs.rc Remove sys.usb.ffs.mtp.ready property 2018-03-22 11:35:20 -07:00
init.usb.rc Don't reset sys.usb.configfs during userspace reboot 2020-01-31 15:59:19 +00:00
init.zygote32.rc Remove references to /sys/android_power/* 2019-10-01 13:30:41 -07:00
init.zygote32_64.rc Remove references to /sys/android_power/* 2019-10-01 13:30:41 -07:00
init.zygote64.rc Remove references to /sys/android_power/* 2019-10-01 13:30:41 -07:00
init.zygote64_32.rc Remove references to /sys/android_power/* 2019-10-01 13:30:41 -07:00
OWNERS rootdir: add ccross to OWNERS. 2018-10-15 14:18:04 -07:00
ueventd.rc ueventd: duplicate /dev/ashmem 2019-09-25 12:49:38 -07:00