Merge "Enforce restrictions on kernel module origin" into nyc-dev

commit: 3fc55e554849cb6d67f9a0c94190902095a8d0ea [log] [tgz]
author: Jeffrey Vander Stoep <jeffv@google.com> Thu Apr 07 20:18:06 2016 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Thu Apr 07 20:18:07 2016 +0000
tree: 2f45a2008828894a3a9947851b8770720a2163de
parent: 10908ff29dfb654787f99f1e4ea7e4bf2c93aec9 [diff]
parent: 6634400922bf12390fbe8741426f984d7fedc3d1 [diff]
diff --git a/domain.te b/domain.te
index d7333c5..5171fb3 100644
--- a/domain.te
+++ b/domain.te

@@ -560,3 +560,8 @@
   -installd
   -profman
 } profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;
commit	3fc55e554849cb6d67f9a0c94190902095a8d0ea	[log] [tgz]
author	Jeffrey Vander Stoep <jeffv@google.com>	Thu Apr 07 20:18:06 2016 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Thu Apr 07 20:18:07 2016 +0000
tree	2f45a2008828894a3a9947851b8770720a2163de
parent	10908ff29dfb654787f99f1e4ea7e4bf2c93aec9 [diff]
parent	6634400922bf12390fbe8741426f984d7fedc3d1 [diff]