Merge changes from topic 'modprobe_fix' into oc-dev

* changes: allow to load kernel modules from vendor partition SELinux changes for Treble Loadable Kernel Module

Merge changes from topic 'modprobe_fix' into oc-dev
8b87947e · Jaesoo Lee · Android (Google) Code Review · 4966f2b5 · a6ac1147 · 8b87947e
Commit 8b87947e authored 7 years ago by Jaesoo Lee Committed by Android (Google) Code Review 7 years ago
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@ domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
 domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
  domain_auto_trans(init, logcat_exec, logpersist)

--- a/public/domain.te
+++ b/public/domain.te
@@ -998,7 +998,7 @@ neverallow {
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;

 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.

--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,5 @@ recovery_only(`
  allow modprobe rootfs:system module_load;
  allow modprobe rootfs:file r_file_perms;
 ')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })