commit d363b0f9eb2b9ff1b8e4da3781adea39e40ed718
author Jaesoo Lee <jaesoo@google.com> Thu Mar 02 17:02:29 2017 +0900
committer Jaesoo Lee <jaesoo@google.com> Thu Mar 16 01:19:58 2017 +0000
tree 92511ec747620ab3af58393df24184aa239049ec
parent bb26f90457f0d229deab084074d36570c3966c40

enabled /sbin/modprobe for recovery mode

This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.

Denials:
[   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc:
denied  { read } for  pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc:
denied  { open } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc:
denied  { getattr } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1

Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line

    exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl

Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 2f009ac..1e7345a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -18,6 +18,9 @@
 /init               u:object_r:init_exec:s0
 /sbin(/.*)?         u:object_r:rootfs:s0
 
+# For kernel modules
+/lib(/.*)?          u:object_r:rootfs:s0
+
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 7873367..c2cfa2c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0

private/init.te

diff --git a/private/init.te b/private/init.te
index 8a6dcea..f491d00 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,6 +13,7 @@
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+domain_trans(init, rootfs, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)