ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init/builtins.cpp: Switch to finit_module

Browse source 
Switch insmod from using init_module to finit_module. From
"man finit_module":

  The finit_module() system call is like init_module(), but reads the
  module to be loaded from the file descriptor fd. It is useful when the
  authenticity of a kernel module can be determined from its location in
  the file system; in cases where that is possible, the overhead of
  using cryptographically signed modules to determine the authenticity
  of a module can be avoided.

finit_module is preferred over init_module because it allows LSMs, such
as SELinux, to perform a permission check on kernel module loads based on
the file from which the module is loaded. This functionality is not yet
implemented in the Linux kernel, but is on the SEAndroid TODO list.
See https://bitbucket.org/seandroid/wiki/wiki/ToDo

Bug: 27824855
Change-Id: Id0ea88cd1930393c8c73ce38e63d5b2eeadf946a
This commit is contained in:
Nick Kralevich 2016-03-27 16:55:59 -07:00
parent fbdbf100cb
commit 124a9c97e9
1 changed files with 10 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
init/builtins.cpp
View file

@ -27,6 +27,7 @@
#include <sys/socket.h>
#include <sys/mount.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/stat.h>
@ -61,19 +62,20 @@
#define UNMOUNT_CHECK_MS 5000
#define UNMOUNT_CHECK_TIMES 10
// System call provided by bionic but not in any header file.
extern "C" int init_module(void *, unsigned long, const char *);
static const int kTerminateServiceDelayMicroSeconds = 50000;
static int insmod(const char *filename, const char *options) {
std::string module;
if (!read_file(filename, &module)) {
int fd = open(filename, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
if (fd == -1) {
ERROR("insmod: open(\"%s\") failed: %s", filename, strerror(errno));
return -1;
}
// TODO: use finit_module for >= 3.8 kernels.
return init_module(&module[0], module.size(), options);
int rc = syscall(__NR_finit_module, fd, options, 0);
if (rc == -1) {
ERROR("finit_module for \"%s\" failed: %s", filename, strerror(errno));
}
close(fd);
return rc;
}
static int __ifupdown(const char *interface, int up) {