insmod-sh: Allow writing to kmsg

modprobe would log errors to /dev/kmsg, need to explicit allow this. ``` avc: denied { write } for comm="modprobe" name="kmsg" dev="tmpfs" ino=5 scontext=u:r:insmod-sh:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 ``` Bug: 388717752 Test: DeviceBootTest#SELinuxUncheckedDenialBootTest Change-Id: I49a3e6a9f76f20151034cb00f772247b0e9c668e
2025-01-09 18:26:49 +08:00
parent b61a4f4345
commit 51357e0322
2 changed files with 4 additions and 0 deletions
--- a/insmod/init.module.rc
+++ b/insmod/init.module.rc
@@ -8,3 +8,4 @@ service insmod_sh /vendor/bin/insmod.sh /vendor/etc/init.common.cfg
    group root system
    disabled
    oneshot
+    file /dev/kmsg w
--- a/insmod/sepolicy/insmod-sh.te
+++ b/insmod/sepolicy/insmod-sh.te
@@ -12,3 +12,6 @@ allow insmod-sh vendor_toolbox_exec:file execute_no_trans;
 set_prop(insmod-sh, vendor_device_prop)

 dontaudit insmod-sh proc_cmdline:file r_file_perms;
+
+# Allow modprobe to log to kmsg.
+allow insmod-sh kmsg_device:chr_file w_file_perms;