From 124a9c97e9815142a33480b81a5a3041a7cd66bd Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Sun, 27 Mar 2016 16:55:59 -0700
Subject: [PATCH] init/builtins.cpp: Switch to finit_module
Switch insmod from using init_module to finit_module. From "man finit_module": The finit_module() system call is like init_module(), but reads the module to be loaded from the file descriptor fd. It is useful when the authenticity of a kernel module can be determined from its location in the file system; in cases where that is possible, the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided. finit_module is preferred over init_module because it allows LSMs, such as SELinux, to perform a permission check on kernel module loads based on the file from which the module is loaded. This functionality is not yet implemented in the Linux kernel, but is on the SEAndroid TODO list. See https://bitbucket.org/seandroid/wiki/wiki/ToDo
Bug: 27824855
Change-Id: Id0ea88cd1930393c8c73ce38e63d5b2eeadf946a
---
 init/builtins.cpp | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/init/builtins.cpp b/init/builtins.cpp
index 35f1a9e04..6469ec488 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -61,19 +62,20 @@
 #define UNMOUNT_CHECK_MS 5000
 #define UNMOUNT_CHECK_TIMES 10
 
-// System call provided by bionic but not in any header file.
-extern "C" int init_module(void *, unsigned long, const char *);
-
 static const int kTerminateServiceDelayMicroSeconds = 50000;
 
 static int insmod(const char *filename, const char *options) {
- std::string module;
- if (!read_file(filename, &module)) {
+ int fd = open(filename, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+ if (fd == -1) {
+ ERROR("insmod: open(\"%s\") failed: %s", filename, strerror(errno));
 return -1;
 }
-
- // TODO: use finit_module for >= 3.8 kernels.
- return init_module(&module[0], module.size(), options);
+ int rc = syscall(__NR_finit_module, fd, options, 0);
+ if (rc == -1) {
+ ERROR("finit_module for \"%s\" failed: %s", filename, strerror(errno));
+ }
+ close(fd);
+ return rc;
 }
 
 static int __ifupdown(const char *interface, int up) {
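Review bot: The two new ERROR calls in insmod use different prefixes — `insmod: open("%s") failed` but `finit_module for "%s" failed` — so a log grep for `insmod:` misses the second; `ERROR("insmod: finit_module(\"%s\") failed: %s", filename, strerror(errno));` keeps both under one prefix. The ordering of ERROR before `close(fd)` is deliberate, since close() may overwrite errno, and deserves a one-line comment such as `// Log before close(), which can clobber errno.`. `syscall()` returns `long`, so `int rc = syscall(__NR_finit_module, fd, options, 0);` narrows; harmless for a 0/-1 result, but `long rc` makes that explicit. Whether `options` can arrive here as NULL depends on the caller outside the hunk; the kernel copies the parameter string unconditionally, so a NULL would fail with EFAULT rather than mean "no parameters" — if the caller can pass NULL, substitute `""`. Note also that `O_NOFOLLOW` only rejects a symlink as the final path component, which is adequate while the module path comes from init's own configuration but is worth stating in a comment on the open() line.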