From d46b5d3519fcea3c61266bb44371c495a9aaefa8 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Mon, 22 May 2017 12:09:14 -0700
Subject: [PATCH] Allow init to run vendor toybox for modprobe

vendor implementations need to be able to run modprobe as part of
init.rc scripts.  They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.

Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.

Bug: b/38212864
Test: Boot sailfish

Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/init.te          | 3 +--
 public/vendor_toolbox.te | 8 ++++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/private/init.te b/private/init.te
index f84d87ebb..b6c49b952 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,8 +13,7 @@ recovery_only(`
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
-domain_trans(init, rootfs, modprobe)
-domain_trans(init, toolbox_exec, modprobe)
+domain_trans(init, { rootfs toolbox_exec vendor_toolbox_exec }, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index 39462f8e7..eb292cafb 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -7,6 +7,10 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
 # or read, execute the vendor_toolbox file.
 full_treble_only(`
     # Do not allow non-vendor domains to transition
-    # to vendor toolbox
-    neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+    # to vendor toolbox except for the whitelisted domains.
+    neverallow {
+        coredomain
+        -init
+        -modprobe
+    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
 ')
-- 
GitLab