Merge changes from topic 'modprobe_fix' into oc-dev
* changes:
allow to load kernel modules from vendor partition
SELinux changes for Treble Loadable Kernel Module
diff --git a/private/init.te b/private/init.te
index fb4335a..f84d87e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
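Review bot: The added `domain_trans(init, toolbox_exec, modprobe)` makes every file labelled `toolbox_exec` a valid entrypoint into the modprobe domain, not only the module-loading applet, and nothing on the line explains why that breadth is acceptable. Because this is `domain_trans` rather than `domain_auto_trans`, the transition should happen only when init requests the domain explicitly, which is worth stating so a later edit does not convert it to an automatic transition. I would add a comment above it such as `# modprobe is run from the toolbox binary; init must request the modprobe domain explicitly, no auto transition`. The wording assumes modprobe is provided by the toolbox binary, which this page does not show, so confirm that before merging.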
diff --git a/public/domain.te b/public/domain.te
index 2487419..66029f8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -998,7 +998,7 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.
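Review bot: The comment above the changed neverallow still says modules may come from the "system, vendor, and boot partitions", but the new rule exempts only the single type `vendor_file`, no longer everything carrying the `vendor_file_type` attribute. A module under the vendor partition with a device-specific label would now trip the neverallow, which the comment does not convey. I would reword it to something like `# Modules must be labelled system_file, vendor_file or rootfs; other vendor_file_type labels are not accepted.` Since this file is public policy, the tightening may also break vendor policies that previously relied on the attribute, which deserves a line in the commit description.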
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173d..24a6b3b 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,5 @@
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
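Review bot: The two added rules sit after the closing `')` of the preceding conditional block, so they apply on every build rather than only in the configuration that block guards, and they grant `module_load` plus `r_dir_file` over all of `system_file` and `vendor_file`. The commit title mentions only the vendor partition, so the `system_file` half is unexplained. These are the default labels for most files on those partitions, so the modprobe domain can read and load far more than a modules directory; the restriction on module origin then rests on those partitions being read-only and verified, which is not visible here. I would add a comment such as `# Treble: modules live on /system and /vendor under the default labels; integrity relies on the partitions being verified` and consider whether the read access can be narrowed. The block that ends at `')` starts outside this hunk.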