| type dlkm_loader, domain; |
| type dlkm_loader_exec, exec_type, vendor_file_type, file_type; |
| |
| init_daemon_domain(dlkm_loader) |
| |
| # Allow insmod on vendor, system and system_dlkm partitions |
| allow dlkm_loader self:capability sys_module; |
| allow dlkm_loader system_dlkm_file:dir r_dir_perms; |
| allow dlkm_loader system_dlkm_file:file r_file_perms; |
| allow dlkm_loader system_dlkm_file:system module_load; |
| allow dlkm_loader system_file:system module_load; |
| allow dlkm_loader vendor_file:system module_load; |
| |
| # needed for libmodprobe to read kernel commandline |
| allow dlkm_loader proc_cmdline:file r_file_perms; |
| |
| # Needed because CONFIG_USB_DUMMY_HCD adds some additional logic to |
| # finit_module() syscall, causing that syscall to create/update keyrings. |
| # Once we remove CONFIG_USB_DUMMY_HCD config, self:key write permission can be |
| # removed. |
| allow dlkm_loader self:key write; |
| |
| # Allow writing to kernel log |
| allow dlkm_loader kmsg_device:chr_file rw_file_perms; |
| |
| # dlkm_loader searches tracefs while looking for modules |
| dontaudit dlkm_loader debugfs_bootreceiver_tracing:dir search; |
| dontaudit dlkm_loader debugfs_mm_events_tracing:dir search; |
| |
| set_prop(dlkm_loader, vendor_device_prop) |
