Enforce restrictions on kernel module origin

Do not allow module loading except from the system, vendor, and boot partitions. Bug: 27824855 Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1

Enforce restrictions on kernel module origin
Do not allow module loading except from the system, vendor, and boot partitions. Bug: 27824855 Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1
70159fd3 · Jeff Vander Stoep · a16b0589 · 70159fd3
Commit 70159fd3 authored 9 years ago by Jeff Vander Stoep
--- a/domain.te
+++ b/domain.te
@@ -545,3 +545,8 @@ neverallow {
  -ueventd
  -vold
 } fuse_device:chr_file *;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;