From f69311300f0179d259e9eeca4a282d5bbe78e569 Mon Sep 17 00:00:00 2001
From: Howard Chen <howardsoc@google.com>
Date: Mon, 27 Mar 2017 14:47:10 +0800
Subject: [PATCH] SELinux changes for Treble Loadable Kernel Module

This change extends the recovery mode modprobe sepolicy
to support loadable kernel modules in normal mode by using
the statement below in init.rc:

exec u:r:modprobe:s0 -- /system/bin/modprobe \
    -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish  with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d9493f9fe8fca8fe61d40f9bbe762684a15c)
---
 private/init.te    | 1 +
 public/modprobe.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/private/init.te b/private/init.te
index fb4335a09..f84d87ebb 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@ domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
 domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
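Review bot: The added `domain_trans(init, toolbox_exec, modprobe)` carries no comment explaining why toolbox_exec is an entrypoint for the modprobe domain. That type presumably labels the whole multi-call toolbox binary rather than modprobe alone (file_contexts is not visible here), so any applet of that binary could be run in the modprobe domain. Because this is `domain_trans` and not `domain_auto_trans`, the transition should only occur when init.rc names the context explicitly, as in the commit message. A comment would keep a later edit from widening it, for example `# Normal-mode LKM loading: init.rc runs "exec u:r:modprobe:s0 -- /system/bin/modprobe ..."; explicit transition only, do not make this auto.`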
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173df6..ca0657f88 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,4 @@ recovery_only(`
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
+allow modprobe system_file:system module_load;
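Review bot: The new `allow modprobe system_file:system module_load;` sits outside `recovery_only`, so in normal boot the modprobe domain may load any file labelled system_file as a kernel module, although the commit message only loads from /vendor/lib/modules. system_file is presumably a broad label (file_contexts is not visible here), so a dedicated type for the module directory would be closer to least privilege, e.g. `allow modprobe <module_dir_type>:system module_load;`, where `<module_dir_type>` is a placeholder. The recovery block also pairs module_load with `allow modprobe rootfs:file r_file_perms;`, while the new rule has no file-read counterpart. If read access to system_file is not already granted elsewhere in the policy, it needs one. At minimum, add a comment above the rule such as `# Normal mode: modules are loaded from /vendor/lib/modules via init.rc exec into the modprobe domain.`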
-- 
GitLab