From d363b0f9eb2b9ff1b8e4da3781adea39e40ed718 Mon Sep 17 00:00:00 2001
From: Jaesoo Lee <jaesoo@google.com>
Date: Thu, 2 Mar 2017 17:02:29 +0900
Subject: [PATCH] enabled /sbin/modprobe for recovery mode
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.
Denials:
[ 16.986440] c0 437 audit: type=1400 audit(6138546.943:5): avc:
denied { read } for pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986521] c0 437 audit: type=1400 audit(6138546.943:6): avc:
denied { open } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986544] c0 437 audit: type=1400 audit(6138546.943:7): avc:
denied { getattr } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line
exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl
Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
---
private/file_contexts | 3 +++
private/genfs_contexts | 1 +
private/init.te | 1 +
public/file.te | 1 +
public/modprobe.te | 8 ++++++++
5 files changed, 14 insertions(+)
create mode 100644 public/modprobe.te
diff --git a/private/file_contexts b/private/file_contexts
index 2f009ac6b..1e7345ae4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -18,6 +18,9 @@
/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
# Empty directories
/lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 787336714..c2cfa2cce 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@ genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/private/init.te b/private/init.te
index 8a6dcea77..f491d00f3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,6 +13,7 @@ recovery_only(`
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
+domain_trans(init, rootfs, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/public/file.te b/public/file.te
index 5b99344e0..a13f39634 100644
--- a/public/file.te
+++ b/public/file.te
@@ -17,6 +17,7 @@ type proc_interrupts, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_misc, fs_type;
+type proc_modules, fs_type;
type proc_net, fs_type;
type proc_perf, fs_type;
type proc_stat, fs_type;
diff --git a/public/modprobe.te b/public/modprobe.te
new file mode 100644
index 000000000..0fc173df6
--- /dev/null
+++ b/public/modprobe.te
@@ -0,0 +1,8 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:capability sys_module;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
--
GitLab