From 8e524374dd09303a4999e32a258e402ae5bc3b6d Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 6 Sep 2022 10:36:43 +0800
Subject: [PATCH] move insert module script sepolicy to gs-common
Bug: 243763292
Test: boot to home with no relevant SELinux error
Change-Id: I6646fa4433fc1ccb94ac05f9cc8d7076a6a2d8cf
---
insmod/insmod.mk | 1 +
insmod/sepolicy/file_contexts | 5 +++++
insmod/sepolicy/insmod-sh.te | 11 +++++++++++
insmod/sepolicy/property.te | 1 +
insmod/sepolicy/property_contexts | 5 +++++
5 files changed, 23 insertions(+)
create mode 100644 insmod/sepolicy/file_contexts
create mode 100644 insmod/sepolicy/insmod-sh.te
create mode 100644 insmod/sepolicy/property.te
create mode 100644 insmod/sepolicy/property_contexts
diff --git a/insmod/insmod.mk b/insmod/insmod.mk
index ac8d555..aa2261a 100644
--- a/insmod/insmod.mk
+++ b/insmod/insmod.mk
@@ -1,3 +1,4 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy
 PRODUCT_PACKAGES += \
 insmod.sh \
 init.common.cfg
diff --git a/insmod/sepolicy/file_contexts b/insmod/sepolicy/file_contexts
new file mode 100644
index 0000000..e048641
--- /dev/null
+++ b/insmod/sepolicy/file_contexts
@@ -0,0 +1,5 @@
+# Vendor_kernel_modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+/vendor/bin/insmod\.sh u:object_r:insmod-sh_exec:s0
+
diff --git a/insmod/sepolicy/insmod-sh.te b/insmod/sepolicy/insmod-sh.te
new file mode 100644
index 0000000..d7b4f72
--- /dev/null
+++ b/insmod/sepolicy/insmod-sh.te
@@ -0,0 +1,11 @@
+type insmod-sh, domain;
+type insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(insmod-sh)
+
+allow insmod-sh self:capability sys_module;
+allow insmod-sh vendor_kernel_modules:system module_load;
+allow insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+set_prop(insmod-sh, vendor_device_prop)
+
+dontaudit insmod-sh proc_cmdline:file r_file_perms;
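Review bot: The file_contexts comment `# Vendor_kernel_modules` only repeats the type name and does not say what the scoping of the regex is meant to achieve: `/vendor_dlkm/lib/modules/.*\.ko` labels only the module binaries (at any depth, since `.*` also matches `/`), so the directory and any index files next to them keep the partition's default label and cannot be module_load'ed. That is the least-privilege outcome one wants, but it should be written down so a later "fix" does not widen it to the whole directory; suggest `# Only the .ko files on vendor_dlkm are loadable modules; the directory and index files keep the default vendor label`. Modules shipped under /vendor/lib/modules, if any gs-common device still has them, are not covered by this entry and would depend on the platform file_contexts label — confirm that is intended.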
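Review bot: insmod-sh is granted `self:capability sys_module` and `vendor_kernel_modules:system module_load`, which makes it one of the few vendor domains able to introduce kernel code, yet the new .te file has no comment saying what the domain is for or why each rule is needed. A header such as `# Domain for /vendor/bin/insmod.sh (spawned by init): loads the .ko files labeled vendor_kernel_modules and reports progress through properties of type vendor_device_prop` would make the privilege reviewable at a glance. The `dontaudit insmod-sh proc_cmdline:file r_file_perms;` line also deserves a one-line reason, for example `# the script probes /proc/cmdline but does not need it; silence the denial rather than grant it` — I cannot see insmod.sh, so confirm what it actually reads before committing the wording. Note as well that `set_prop(insmod-sh, vendor_device_prop)` grants writes to every property carrying that type, so any other domain later given the same set_prop could falsely signal modules-ready to whatever waits on vendor.all.modules.ready; keeping the type private to this domain is worth a comment or a neverallow.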
diff --git a/insmod/sepolicy/property.te b/insmod/sepolicy/property.te
new file mode 100644
index 0000000..50f7b34
--- /dev/null
+++ b/insmod/sepolicy/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_device_prop)
diff --git a/insmod/sepolicy/property_contexts b/insmod/sepolicy/property_contexts
new file mode 100644
index 0000000..1e871b6
--- /dev/null
+++ b/insmod/sepolicy/property_contexts
@@ -0,0 +1,5 @@
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
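Review bot: The comment `# Kernel modules related` does not describe the fourth entry, `vendor.all.devices.ready`, and all four flags share the single type vendor_device_prop, so the `set_prop(insmod-sh, vendor_device_prop)` rule in insmod-sh.te lets the module loader raise the devices-ready flag as well as the modules-ready ones. If the consumers of devices.ready (init triggers, presumably) treat it as a separate boot milestone, a distinct property type would keep that signal out of insmod-sh's reach; at minimum make the comment accurate, e.g. `# Boot-milestone flags set by insmod.sh; vendor_internal_prop keeps them out of reach of coredomain`. These are exact property names, so if the values are booleans the `exact bool` qualifier would let init reject malformed writes — confirm what insmod.sh actually stores before adding it.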