Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

commit: 75806ef3c529c019ab002072cca7951b91f245aa [log] [tgz]
author: Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer: Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree: cbd0c46779774cd09f127c0e20144c39dff08dca
parent: e98c6d2b38114e0819a558ef5e0d2793a30eebff [diff] [blame]
diff --git a/private/modprobe.te b/private/modprobe.te
index 9858675..d7b2fc3 100644
--- a/private/modprobe.te
+++ b/private/modprobe.te

@@ -1 +1,13 @@
 typeattribute modprobe coredomain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
+recovery_only(`
+  allow modprobe rootfs:system module_load;
+  allow modprobe rootfs:file r_file_perms;
+')
commit	75806ef3c529c019ab002072cca7951b91f245aa	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Wed Mar 27 17:18:41 2024 +0900
committer	Inseob Kim <inseob@google.com>	Thu Mar 28 00:33:46 2024 +0000
tree	cbd0c46779774cd09f127c0e20144c39dff08dca
parent	e98c6d2b38114e0819a558ef5e0d2793a30eebff [diff] [blame]