Merge "Enforce restrictions on kernel module origin" into nyc-dev

3fc55e55 · Jeffrey Vander Stoep · Android (Google) Code Review · 10908ff2 · 66344009 · 3fc55e55
Commit 3fc55e55 authored 8 years ago by Jeffrey Vander Stoep Committed by Android (Google) Code Review 8 years ago
--- a/domain.te
+++ b/domain.te
@@ -560,3 +560,8 @@ neverallow {
  -installd
  -profman
 } profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;