move insert module script sepolicy to gs-common

Bug: 243763292
Test: boot to home with no relevant SELinux error
Change-Id: I6646fa4433fc1ccb94ac05f9cc8d7076a6a2d8cf
diff --git a/insmod/insmod.mk b/insmod/insmod.mk
index ac8d555..aa2261a 100644
--- a/insmod/insmod.mk
+++ b/insmod/insmod.mk
@@ -1,3 +1,4 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy
 PRODUCT_PACKAGES += \
         insmod.sh \
         init.common.cfg
diff --git a/insmod/sepolicy/file_contexts b/insmod/sepolicy/file_contexts
new file mode 100644
index 0000000..e048641
--- /dev/null
+++ b/insmod/sepolicy/file_contexts
@@ -0,0 +1,5 @@
+# Vendor_kernel_modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+/vendor/bin/insmod\.sh          u:object_r:insmod-sh_exec:s0
+
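Review bot: The `# Vendor_kernel_modules` comment in file_contexts only repeats the label name, and the `insmod.sh` entry has no comment at all, although these two lines decide which files the module-loading domain can act on. I would replace the first comment with `# Kernel modules on vendor_dlkm; insmod-sh is only allowed module_load on files with this label` and add `# Entry point of the insmod-sh domain (started by init)` above the `/vendor/bin/insmod\.sh` line. It is also worth stating that `.*\.ko` deliberately covers subdirectories of `/vendor_dlkm/lib/modules/`, if that is the intent.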
diff --git a/insmod/sepolicy/insmod-sh.te b/insmod/sepolicy/insmod-sh.te
new file mode 100644
index 0000000..d7b4f72
--- /dev/null
+++ b/insmod/sepolicy/insmod-sh.te
@@ -0,0 +1,11 @@
+type insmod-sh, domain;
+type insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(insmod-sh)
+
+allow insmod-sh self:capability sys_module;
+allow insmod-sh vendor_kernel_modules:system module_load;
+allow insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+set_prop(insmod-sh, vendor_device_prop)
+
+dontaudit insmod-sh proc_cmdline:file r_file_perms;
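Review bot: The `dontaudit insmod-sh proc_cmdline:file r_file_perms;` rule at the end of insmod-sh.te silences a denial without saying which access it hides or why it is safe to ignore, and the file has no description of the domain at all. Because this domain holds `sys_module`, each rule deserves a short rationale. I would add a header such as `# insmod-sh: init-started script that loads vendor_dlkm kernel modules and sets the module-ready properties`, and above the dontaudit something like `# /proc/cmdline read is not required for module loading; suppress the denial instead of granting it` (the author should confirm the wording, since the source of that read is not visible in this commit). A comment next to the `module_load` rule noting that loading is limited to files labelled `vendor_kernel_modules` would make the trust boundary explicit for later reviewers.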
diff --git a/insmod/sepolicy/property.te b/insmod/sepolicy/property.te
new file mode 100644
index 0000000..50f7b34
--- /dev/null
+++ b/insmod/sepolicy/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_device_prop)
diff --git a/insmod/sepolicy/property_contexts b/insmod/sepolicy/property_contexts
new file mode 100644
index 0000000..1e871b6
--- /dev/null
+++ b/insmod/sepolicy/property_contexts
@@ -0,0 +1,5 @@
+# Kernel modules related
+vendor.common.modules.ready     u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready     u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready        u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready        u:object_r:vendor_device_prop:s0
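Review bot: None of the four entries in property_contexts carries an `exact` qualifier, so each one is a prefix match and any property whose name merely begins with, for example, `vendor.all.modules.ready` also receives `vendor_device_prop`. These look like single readiness flags, so they should be pinned to the exact name and a value type, e.g. `vendor.all.modules.ready u:object_r:vendor_device_prop:s0 exact bool`. The value type is not visible in this commit, so use whichever type matches what insmod.sh actually writes. The same applies to the other three lines.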