move init.insmod.sh to common place
Bug: 143338171
Test: boot to home with no avc error
Change-Id: I8dfeddffa3a7469223b68a80d6ae2fba847b5c15
diff --git a/common/file.te b/common/file.te
index 7dc080d..3f4f23a 100644
--- a/common/file.te
+++ b/common/file.te
@@ -1,4 +1,7 @@
type persist_file, file_type, vendor_persist_type;
type firmware_file, file_type, contextmount_type, vendor_file_type;
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
allow firmware_file self:filesystem associate;
diff --git a/common/file_contexts b/common/file_contexts
index b8aed0e..2d2bbb8 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -1,3 +1,10 @@
/mnt/vendor/persist(/.*)? u:object_r:persist_file:s0
/vendor/firmware_mnt(/.*)? u:object_r:firmware_file:s0
/persist(/.*)? u:object_r:persist_file:s0
+
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/grep u:object_r:vendor_toolbox_exec:s0
+/vendor/bin/awk u:object_r:vendor_toolbox_exec:s0
+/vendor/bin/cp u:object_r:vendor_toolbox_exec:s0
+/vendor/bin/toolbox_vendor u:object_r:vendor_toolbox_exec:s0
+/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
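Review bot: Labelling `/vendor/bin/grep`, `/vendor/bin/awk` and `/vendor/bin/cp` as `vendor_toolbox_exec` makes them executable by every domain that already has execute permission on that type, not only by init-insmod-sh. Which domains those are is not visible in this diff, so the existing `vendor_toolbox_exec` rules are worth checking before merging. If only the insmod script needs these tools, a comment such as `# helpers invoked by init.insmod.sh` above the entries would record the intent. The pattern `/vendor/lib/modules/.*\.ko` also matches modules in any subdirectory; that looks intended, but confirm it, since this label is what the `module_load` rule is scoped to.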
diff --git a/common/init-insmod-sh.te b/common/init-insmod-sh.te
new file mode 100644
index 0000000..de1d408
--- /dev/null
+++ b/common/init-insmod-sh.te
@@ -0,0 +1,15 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh vendor_toolbox_exec:file rx_file_perms;
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh kernel:key search;
+
+# modprobe need proc_modules
+allow init-insmod-sh proc_modules:file r_file_perms;
+
+# Set the vendor.all.modules.ready property
+set_prop(init-insmod-sh, vendor_device_prop)
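Review bot: The `set_prop(init-insmod-sh, vendor_device_prop)` grant at the end of this new file is wider than its comment says. property_contexts in the same commit labels both `vendor.all.modules.ready` and `vendor.all.devices.ready` as `vendor_device_prop`, so this domain may set either one. Because the domain also holds `sys_module` and `module_load`, each rule should be traceable to a stated need: either give the modules-ready property its own type, or change the comment to `# Set vendor.all.modules.ready (vendor_device_prop also covers vendor.all.devices.ready)`. The rule `allow init-insmod-sh kernel:key search;` carries no explanation; a one-line comment naming what triggers the keyring lookup (presumably module signature verification during load, to be confirmed) would help later audits.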
diff --git a/common/property.te b/common/property.te
new file mode 100644
index 0000000..f014ad5
--- /dev/null
+++ b/common/property.te
@@ -0,0 +1 @@
+type vendor_device_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
new file mode 100644
index 0000000..8343ea5
--- /dev/null
+++ b/common/property_contexts
@@ -0,0 +1,2 @@
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
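Review bot: Neither entry carries a match qualifier, so they are treated as prefixes: any property whose name merely starts with `vendor.all.modules.ready` or `vendor.all.devices.ready` also receives `vendor_device_prop`. If the target platform's property_contexts format supports it, pin both entries to exact names, for example `vendor.all.modules.ready u:object_r:vendor_device_prop:s0 exact string`, substituting the real value type. A short header comment saying which component sets each property would also help, since the diff only shows init-insmod-sh being granted write access to this type.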