From 92b10ddb47caa4c80a626e6c70330439feb4aa30 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 5 Mar 2015 14:11:27 -0800
Subject: [PATCH] Eliminate CAP_SYS_MODULE from system_server

Right now, the system_server has the CAP_SYS_MODULE capability.  This allows the
system server to install kernel modules.  Effectively, system_server is one
kernel module load away from full root access.

Most devices don't need this capability. Remove this capability from
the core SELinux policy. For devices which require this capability,
they can add it to their device-specific SELinux policy without making
any framework code changes.

In particular, most Nexus devices ship with monolithic kernels, so this
capability isn't needed on those devices.

Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
---
 system_server.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/system_server.te b/system_server.te
index 191c446e6..41036b62c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -49,7 +49,6 @@ allow system_server self:capability {
     net_broadcast
     net_raw
     sys_boot
-    sys_module
     sys_nice
     sys_resource
     sys_time
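Review bot: Dropping `sys_module` from the `allow system_server self:capability { ... }` block is the right fix, but nothing in this hunk records why it is absent, so a later editor of this list may re-add it without realising the decision was deliberate. Since the commit message says devices that genuinely need module loading should grant it in their device-specific policy, a `neverallow` in core policy would contradict that intent; a one-line comment next to the capability block stating that CAP_SYS_MODULE is intentionally omitted here and must be added per-device would document it where the next reader will see it. Also worth stating in the change description how a device maintainer can confirm they are not affected: after this change, any remaining module load attempt by system_server will surface as an SELinux capability denial for `sys_module` in the audit log, which is the signal to look for on non-monolithic kernels.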
-- 
GitLab