From 53add31a257b9cba3b664f16814f1f2d1e1df46c Mon Sep 17 00:00:00 2001
From: Steve Muckle <smuckle@google.com>
Date: Thu, 1 Jun 2017 10:06:21 -0700
Subject: [PATCH] allow modprobe to load signed kernel modules

Modprobe requires this permission or the following denial will
prevent loading of signed kernel modules:

audit: type=1400 audit(27331649.656:4): avc:  denied  { search } for
pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0
tclass=key permissive=0

Bug: 62256697
Test: Verified signed module loading on sailfish.
Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb
---
 public/modprobe.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/modprobe.te b/public/modprobe.te
index 24a6b3b63..a286c1719 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -2,6 +2,7 @@ type modprobe, domain;
 
 allow modprobe proc_modules:file r_file_perms;
 allow modprobe self:capability sys_module;
+allow modprobe kernel:key search;
 recovery_only(`
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
-- 
GitLab