I am trying to perform insmod abc.ko with a few module params. However, these module params need to be dynamically computed, so I am launching an app, /system/bin/my_app, to compute these params and then perform insmod within my_app.
Issue: When my_app is launched at bootup using the init.hammerhead.rc script, it is unable to perform insmod and gives the following error:
type=1400 audit(0.0.4): avc: denided {sys_module} for path="system/bin/my_app" dev="mmcblk0p25" ino=170 scontext=u:r:init:s0 tcontext=u:r:init.s0 tclass=file
How can I enable my_app to be able to insmod?
Would appreciate any pointers to resolve this.
Finally found a solution. my_app should be given new policies which allow it to perform insmod.
[1] Create my_app.te in ///sepolicy/my_app.te
[2] Add the following policies to my_app.te.
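# Process domain for my_app and the file type of its executable
type my_app, domain;
type my_app_exec, exec_type, file_type;
# Capabilities my_app needs; sys_module covers loading kernel modules (insmod)
allow my_app self:capability sys_module;
allow my_app self:capability { setuid setgid };
allow my_app self:capability sys_admin;
# Allow my_app to read and execute the shell
allow my_app shell_exec:file rx_file_perms;
# Transition from init into the my_app domain when init executes my_app_exec
init_daemon_domain(my_app)
permissive_or_unconfined(my_app)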
[3] Add my_app.te to BOARD_SEPOLICY_UNION in BoardConfig.mk file.
[4] Add following to sepolicy/file_contexts
/system/bin/my_app u:object_r:my_app_exec:s0
For further info or issues: subscribe to seandroid-list-join@tycho.nsa.gov
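
As an added example (not part of the original post or of AOSP), this Python script turns avc denial lines in the standard kernel format into the allow rules they correspond to, similar in spirit to audit2allow, so a policy for a domain like my_app can be limited to what was actually denied. The sample log lines are constructed and the function names are this example's own.

```python
import re
from collections import defaultdict

# Matches the kernel's AVC denial format; other records are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]

def rules_from_denials(lines):
    """Merge denials per (source, target, class) and return sorted allow rules."""
    wanted = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        src = selinux_type(m.group("scon"))
        tgt = selinux_type(m.group("tcon"))
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on itself
        wanted[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    rules = []
    for (src, tgt, tclass), perms in sorted(wanted.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, body))
    return rules

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    'type=1400 audit(0.0:4): avc: denied { sys_module } for pid=123 comm="my_app" capability=16 scontext=u:r:my_app:s0 tcontext=u:r:my_app:s0 tclass=capability',
    'type=1400 audit(0.0:5): avc: denied { setuid } for pid=123 comm="my_app" capability=7 scontext=u:r:my_app:s0 tcontext=u:r:my_app:s0 tclass=capability',
    'type=1400 audit(0.0:6): avc: denied { execute } for pid=123 comm="my_app" name="sh" scontext=u:r:my_app:s0 tcontext=u:object_r:shell_exec:s0 tclass=file',
    'type=1400 audit(0.0:7): avc: denied { read open } for pid=123 comm="my_app" name="sh" scontext=u:r:my_app:s0 tcontext=u:object_r:shell_exec:s0 tclass=file',
    'init: starting my_app',
]

if __name__ == "__main__":
    for rule in rules_from_denials(SAMPLE_LOG):
        print(rule)
```

Comparing the generated rules with a hand-written .te file shows which grants are backed by an observed denial and which are not.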