platform_system_sepolicy/vendor/vendor_modprobe.te
Sandeep Patil e41af20397 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
2017-06-05 08:09:18 -07:00

11 lines
406 B
Text

type vendor_modprobe, domain;
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
allow vendor_modprobe self:capability sys_module;
allow vendor_modprobe kernel:key search;
allow vendor_modprobe { vendor_file }:system module_load;
r_dir_file(vendor_modprobe, { vendor_file })