PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

allow to load kernel modules from vendor partition

Browse Source 
The kernel  modules under /vendor partition has been relabeled to vendor_file.
This CL allows for the modprobe to load modules labeled vendor_file.

Kernel modules are loaded in init.rc with following commands:
    exec u:r:modprobe:s0 -- /system/bin/modprobe -d /vendor/lib/modules MODULE

Bug: 35653245
Test: tested on sailfish
Change-Id: I2132ca4de01c5c60476dad8496e98266de5a1bb7
This commit is contained in:
Jaesoo Lee 2017-04-11 12:21:42 +09:00
parent f69311300f
commit a6ac1147c3
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
public/domain.te
View File

@ -994,7 +994,7 @@ neverallow {
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
neverallow * ~{ system_file vendor_file rootfs }:system module_load;
# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.

3
public/modprobe.te
View File

@ -6,4 +6,5 @@ recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
')
allow modprobe system_file:system module_load;
allow modprobe { system_file vendor_file }:system module_load;
r_dir_file(modprobe, { system_file vendor_file })