From 51357e032284d84b389bfb025d370497fc1a1491 Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang
Date: Thu, 9 Jan 2025 18:26:49 +0800
Subject: [PATCH] insmod-sh: Allow writing to kmsg
modprobe would log errors to /dev/kmsg, need to explicit allow this.
```
avc: denied { write } for comm="modprobe" name="kmsg" dev="tmpfs" ino=5 scontext=u:r:insmod-sh:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
```
Bug: 388717752
Test: DeviceBootTest#SELinuxUncheckedDenialBootTest
Change-Id: I49a3e6a9f76f20151034cb00f772247b0e9c668e
---
 insmod/init.module.rc | 1 +
 insmod/sepolicy/insmod-sh.te | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/insmod/init.module.rc b/insmod/init.module.rc
index de23b5b..a106d11 100644
--- a/insmod/init.module.rc
+++ b/insmod/init.module.rc
@@ -8,3 +8,4 @@ service insmod_sh /vendor/bin/insmod.sh /vendor/etc/init.common.cfg
 group root system
 disabled
 oneshot
+ file /dev/kmsg w
diff --git a/insmod/sepolicy/insmod-sh.te b/insmod/sepolicy/insmod-sh.te
index ba82b0a..3a1d91a 100644
--- a/insmod/sepolicy/insmod-sh.te
+++ b/insmod/sepolicy/insmod-sh.te
@@ -12,3 +12,6 @@ allow insmod-sh vendor_toolbox_exec:file execute_no_trans;
 set_prop(insmod-sh, vendor_device_prop)
 dontaudit insmod-sh proc_cmdline:file r_file_perms;
+
+# Allow modprobe to log to kmsg.
+allow insmod-sh kmsg_device:chr_file w_file_perms;
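Review bot: The added `file /dev/kmsg w` option has no comment explaining why this service needs a kernel-log descriptor; the reason is recorded only in the commit message. With this option init opens the path and passes the descriptor to the launched process, so a line such as `# modprobe logs errors to /dev/kmsg; init opens it and passes the fd` above it would keep the intent next to the setting. Whether modprobe actually uses the passed descriptor or opens the node itself is not visible in this hunk and is worth confirming, because it decides which SELinux permissions the domain needs. The insmod_sh service block starts outside the hunk.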
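Review bot: `w_file_perms` grants more than the single `write` permission shown in the quoted denial; in the AOSP global macros it also covers `open`, `append`, `lock` and `map`. If modprobe only writes to the descriptor that init passes through the `file /dev/kmsg w` line added in init.module.rc, a narrower rule such as `allow insmod-sh kmsg_device:chr_file write;` (plus `getattr` if a further denial appears) may be sufficient, and the domain could then not open the node on its own. If modprobe does open /dev/kmsg itself, the rule is needed as written, and the comment could say so, for example `# modprobe opens /dev/kmsg itself to log errors.`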