From 6634400922bf12390fbe8741426f984d7fedc3d1 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 7 Apr 2016 11:26:34 -0700
Subject: [PATCH] Enforce restrictions on kernel module origin

(cherry picked from AOSP 163c8a006b87cae0217fd9dafdaec5271f1d795b)

Do not allow module loading except from the system, vendor,
and boot partitions.

Bug: 27824855
Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1
---
 domain.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/domain.te b/domain.te
index d7333c57f..5171fb321 100644
--- a/domain.te
+++ b/domain.te
@@ -560,3 +560,8 @@ neverallow {
   -installd
   -profman
 } profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;
-- 
GitLab