From a6ac1147c3ebd236389d98cd34bb3b77b5a558e8 Mon Sep 17 00:00:00 2001
From: Jaesoo Lee <jaesoo@google.com>
Date: Tue, 11 Apr 2017 12:21:42 +0900
Subject: [PATCH] allow to load kernel modules from vendor partition

The kernel modules under the /vendor partition have been relabeled to vendor_file.
This CL allows modprobe to load modules labeled vendor_file.

Kernel modules are loaded in init.rc with following commands:
    exec u:r:modprobe:s0 -- /system/bin/modprobe -d /vendor/lib/modules MODULE

Bug: 35653245
Test: tested on sailfish
Change-Id: I2132ca4de01c5c60476dad8496e98266de5a1bb7
---
 public/domain.te   | 2 +-
 public/modprobe.te | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 1fb648bbe..8cfb87d24 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -994,7 +994,7 @@ neverallow {
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
diff --git a/public/modprobe.te b/public/modprobe.te
index ca0657f88..24a6b3b63 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,4 +6,5 @@ recovery_only(`
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
-allow modprobe system_file:system module_load;
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
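Review bot: `r_dir_file(modprobe, { system_file vendor_file })` lets modprobe read everything labeled system_file or vendor_file, and the `module_load` allow accepts any vendor_file file as a module, although the commit message only needs /vendor/lib/modules. Both rules sit after the closing `')` of the `recovery_only` block (which opens before the hunk), so they apply in normal boot as well. If the modules directory can be given its own file type, granting read and `module_load` on that type alone would keep the domain closer to least privilege. Whether such a type is available at this point in the tree is not visible here. At minimum, a comment such as `# Modules are loaded from /vendor/lib/modules, which is labeled vendor_file.` above the allow would record why the broad type is used.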
-- 
GitLab