enabled /sbin/modprobe for recovery mode

am: d363b0f9eb

Change-Id: I51f72ccf06551aa609e4013ccb50ee628a7af7b7

private/file_contexts

@@ -18,6 +18,9 @@
 /init               u:object_r:init_exec:s0
 /sbin(/.*)?         u:object_r:rootfs:s0
 
+# For kernel modules
+/lib(/.*)?          u:object_r:rootfs:s0
+
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0

private/genfs_contexts

@@ -7,6 +7,7 @@ genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0

private/init.te

@@ -13,6 +13,7 @@ recovery_only(`
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+domain_trans(init, rootfs, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)

public/file.te

@@ -17,6 +17,7 @@ type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
+type proc_modules, fs_type;
 type proc_net, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;

public/modprobe.te

@@ -0,0 +1,8 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:capability sys_module;
+recovery_only(`
+  allow modprobe rootfs:system module_load;
+  allow modprobe rootfs:file r_file_perms;
+')