e41af20397
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.
Bug: 37008075
Test: Build and boot sailfish
Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
11 lines
343 B
Text
11 lines
343 B
Text
type modprobe, domain;
|
|
|
|
allow modprobe proc_modules:file r_file_perms;
|
|
allow modprobe self:capability sys_module;
|
|
allow modprobe kernel:key search;
|
|
recovery_only(`
|
|
allow modprobe rootfs:system module_load;
|
|
allow modprobe rootfs:file r_file_perms;
|
|
')
|
|
allow modprobe { system_file }:system module_load;
|
|
r_dir_file(modprobe, { system_file })
|