From 70159fd3bd014bdc97b087146490b7176a8d3cd1 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 7 Apr 2016 11:26:34 -0700
Subject: [PATCH] Enforce restrictions on kernel module origin

Do not allow module loading except from the system, vendor,
and boot partitions.

Bug: 27824855
Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1
---
 domain.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/domain.te b/domain.te
index f0201059e..0e46d318e 100644
--- a/domain.te
+++ b/domain.te
@@ -545,3 +545,8 @@ neverallow {
   -ueventd
   -vold
 } fuse_device:chr_file *;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;
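Review bot: The rule on the last hunk line admits only `system_file` and `rootfs` as module sources, while the comment directly above promises system, vendor and boot; vendor is covered only because /vendor files carry the `system_file` label in this policy, and that dependency should be written down so the rule is revisited if vendor ever gets its own type, e.g. `# system_file also covers /vendor at this policy version; rootfs covers the boot ramdisk.` As I read the kernel's module_load hook, a module loaded from a memory buffer via init_module() is checked against the caller's own domain rather than a file label, so this neverallow appears to reject in-memory loads from every domain as well; if that is intended it is worth a line of comment, since it is stricter than "origin partition" suggests. This is a compile-time neverallow, so it constrains the policy rather than the runtime; the corresponding allow rules for the permitted domains are not in this hunk.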
-- 