Merge "Enforce restrictions on kernel module origin"

3541843a · Jeffrey Vander Stoep · Gerrit Code Review · acb07f8a · 70159fd3 · 3541843a
Commit 3541843a authored 9 years ago by Jeffrey Vander Stoep Committed by Gerrit Code Review 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -545,3 +545,8 @@ neverallow {
  -ueventd
  -vold
 } fuse_device:chr_file *;
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;