author Eric Biggers <ebiggers@google.com> 2020-03-11 09:56:15 -0700
committer Bruno Martins <bgcngm@gmail.com> 2020-06-06 18:18:28 +0200
commit 9f8e60656e3240a3ade46ab5f63f76ab842a4ec7
tree ee13329722eb124cdad80204e81584ed91735a99 /rootdir
parent 8715e68d169854a16f4ef16649b834739494bf89
init.rc: disable kernel module autoloading
There is a longstanding bug where file-based encryption causes spurious SELinux denials of module_request because it uses the kernel's crypto API, and the crypto API tries to autoload kernel modules.

While this sometimes indicates missing kconfig options, it can still happen even if all needed kconfig options are enabled. This is because a crypto algorithm can be a composition like "hmac(sha512)", and the crypto API will first look for the full composition before it instantiates it using the components like "hmac" and "sha512". But often an implementation of the full composition doesn't exist.

However, as far as I can tell, Android doesn't actually use kernel module autoloading at all. First, Android never changes /proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this isn't where modprobe is located on Android. Android's SELinux policy contains a neverallow rule that ensures that only init (not even vendor_init) can write to this setting, so vendors can't be changing it.

Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH, which overrides the path of all usermode helpers including modprobe. But this is a relatively new kconfig option, available only in android-4.14 and later. Also, for a vendor to actually do this they'd also need to extend the SELinux policy with a domain_auto_trans rule to allow their usermode helper to be executed by the kernel.

Android does increasingly use kernel modules, and GKI (Generic Kernel Image) will require them. However, the modules are actually inserted by userspace by 'init', not autoloaded.

It's possible to disable kernel module autoloading completely by setting /proc/sys/kernel/modprobe to an empty string. So, let's do that.

This prevents lots of spurious SELinux denials, and allows removing unnecessary rules to allow or dontaudit the module_request permission.

Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this change exposes a kernel bug that causes a WARNING in get_fs_type(). To avoid this WARNING, a kernel fix should be applied too -- currently under discussion upstream (https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).

Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
  - Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe before this change, and the empty string after.
  - Checked that if all SELinux rules for module_request are removed, there are SELinux denials for module_request before this change but none after.
  - Ran lsmod both before and after and verified that the list is the same, i.e. checked that this change doesn't break how Android actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
(cherry picked from commit 843f46e674e3f9d424144aa91c51777d66c9692c)
Diffstat (limited to 'rootdir')
-rw-r--r-- rootdir/init.rc 5
1 files changed, 5 insertions, 0 deletions
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 4e101a90e..2925725df 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -16,6 +16,11 @@ on early-init
# Disable sysrq from keyboard
write /proc/sys/kernel/sysrq 0
+ # Android doesn't need kernel module autoloading, and it causes SELinux
+ # denials. So disable it by setting modprobe to the empty string. Note: to
+ # explicitly set a sysctl to an empty string, a trailing newline is needed.
+ write /proc/sys/kernel/modprobe \n
+
# Set the security context of /adb_keys if present.
restorecon /adb_keys
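Review bot: The new comment above `write /proc/sys/kernel/modprobe \n` explains the trailing newline but omits the kernel-side caveat from the commit message: on kernels without CONFIG_ANDROID_BINDERFS, this write exposes a WARNING in get_fs_type() until the upstream fix is applied. Since this is a cherry-pick that may land on trees with older kernels, consider adding a one-line pointer to that dependency in the comment, or confirm in the change description that the kernel fix is already present in the target tree. It would also help to state in the comment that modules are still inserted explicitly by init, so a reader does not mistake this line for disabling module loading as a whole.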