Creating a new feature and/or permission set


Bryan Ashby

Dec 13, 2010, 1:07:33 PM
to Android Linux Kernel Development
I have a kernel module I would like to protect access to. I'd like to
do this cleanly via the Android model, e.g.: invent a new feature and/
or permission(s) that restrict access to its usage. How do I go about
doing this? Let's assume I am modifying the Android distribution if
needed.

To clarify, I'd like something like this:
- mymodule.ko: kernel module provides functionality X, Y, and Z
- New feature (e.g. <feature> in app XML manifest):
com.me.myself.and.i.FEAT_MY_MODULE
- New permissions (in XML manifest): com.me.myself.and.i.PERM_X,
PERM_Y, PERM_Z

Any pointers / tips / etc. on how to do this are greatly appreciated!

(Forgive me if a similar post from me shows up -- I attempted to post
a few days ago but it never showed up.)

Chris Stratton

Dec 14, 2010, 12:15:41 PM
to Android Linux Kernel Development
Assuming your device driver is interacted with via a device file, I
think the cleanest of currently in-use mechanisms is to create a unix
group for your capability and set the device file to be owned by root
but with that as the group and as appropriate read or read/write
permissions to the group. Then you need to find where the package
permissions are converted to unix group assignments.

An uglier way to do it, but perhaps necessary if there's no device
file, is to hard code the value of the group id and check that
programmatically in the kernel. This is how android implements
internet permission with a tiny kernel patch.

The grep feature on android.git.kernel.org is handy (or grep -R on
your local repos). Start grepping for a permission name, then
whatever identifiers you find from that such as a group name.

Chris Stratton

Dec 14, 2010, 12:19:44 PM
to Android Linux Kernel Development
Oh, I should add - this is for giving applications raw unix-type
access.

A lot of things on android reserve that for something running in the
system server process under the system group, and have it export
android services to applications, putting the permission checks on the
exported interfaces.

So it's really a question if you want android apps to interact at
device file level, or with a wrapping service.
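
Added example, not part of the original posts: a userspace C model of the two checks described in the first reply above, the group-owned device node and the hard-coded gid test inside the module. The gid 5001 (GID_MYMODULE), the app uid 10050 and all function names are hypothetical values constructed for illustration; real kernel code would use the kernel's own credential helpers rather than this struct.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define GID_MYMODULE 5001 /* hypothetical gid for the new group (constructed) */

struct creds {              /* the caller's identity as the kernel sees it */
    uid_t euid;
    gid_t egid;
    const gid_t *groups;    /* supplementary groups assigned at app launch */
    size_t ngroups;
};

/* Model of a kernel group-membership test: effective or supplementary gid. */
static bool in_egroup(const struct creds *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return c->egid == gid;
}

/* Mechanism 1: owner/group/other mode-bit check (capabilities ignored). */
static bool node_allows(const struct creds *c, uid_t owner, gid_t group,
                        mode_t mode, bool want_write)
{
    if (c->euid == owner)
        return mode & (want_write ? S_IWUSR : S_IRUSR);
    if (in_egroup(c, group))
        return mode & (want_write ? S_IWGRP : S_IRGRP);
    return mode & (want_write ? S_IWOTH : S_IROTH);
}

/* Mechanism 2: hard-coded gid test at the module's entry point. */
static int module_entry_check(const struct creds *c)
{
    return in_egroup(c, GID_MYMODULE) ? 0 : -EACCES;
}

int main(void)
{
    const gid_t granted[] = { GID_MYMODULE };
    struct creds app = { 10050, 10050, granted, 1 }; /* constructed app uid */
    printf("open rw: %d, entry check: %d\n",
           node_allows(&app, 0, GID_MYMODULE, 0660, true), module_entry_check(&app));
    return 0;
}
```

With the node set to root:GID_MYMODULE and mode 0660, an app whose package was not granted the group falls through to the "other" bits and is refused, which is why the mode must leave those bits clear.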