# Domain for the dlkm_loader daemon, plus the label carried by its executable.
type dlkm_loader, domain;
type dlkm_loader_exec, exec_type, vendor_file_type, file_type;

# dlkm_loader is started by init as a daemon in its own domain.
init_daemon_domain(dlkm_loader)

# Kernel module loading (insmod) from the vendor, system and system_dlkm
# partitions. sys_module is the capability that gates module loading.
# NOTE(review): net_admin is not explained by the module-loading rationale
# given here; confirm which code path needs it and document it.
allow dlkm_loader self:capability { net_admin sys_module };
allow dlkm_loader system_dlkm_file:dir r_dir_perms;
allow dlkm_loader system_dlkm_file:file r_file_perms;
# module_load is granted on the generic system_file and vendor_file labels as
# well as on system_dlkm_file, so this rule does not narrow loading to a
# module-specific file type.
allow dlkm_loader { system_dlkm_file system_file vendor_file }:system module_load;

# libmodprobe reads the kernel command line and bootconfig.
allow dlkm_loader { proc_bootconfig proc_cmdline }:file r_file_perms;

# CONFIG_USB_DUMMY_HCD adds logic to the finit_module() syscall that makes it
# create/update keyrings. Temporary grant: drop self:key write once
# CONFIG_USB_DUMMY_HCD is removed from the config.
allow dlkm_loader self:key write;

# CONFIG_DMABUF_HEAPS_DEFERRED_FREE calls sched_set_normal() from its
# module_init() function, and that call is attributed to dlkm_loader.
allow dlkm_loader kernel:process setsched;
allow dlkm_loader self:capability sys_nice;

# Logging to the kernel log.
# NOTE(review): rw_file_perms also grants read on kmsg_device; if the loader
# only writes log lines, w_file_perms would be the tighter grant - confirm.
allow dlkm_loader kmsg_device:chr_file rw_file_perms;

# dlkm_loader searches tracefs while looking for modules; the denials are
# silenced rather than allowed, so the access itself stays blocked.
dontaudit dlkm_loader { debugfs_bootreceiver_tracing debugfs_mm_events_tracing }:dir search;

# Lets dlkm_loader set properties labelled vendor_device_prop.
set_prop(dlkm_loader, vendor_device_prop)