From eae6bfb8359d62910d0b8f15ad4981e53ebb0b95 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 10 Mar 2023 15:32:00 +0800
Subject: [PATCH 1/2] Allow insmod-sh lockdown in userdebug

Bug: 272166723
Change-Id: I1085decf2a00597992a95996b1a2875be08ba1f1
---
 tracking_denials/bug_map | 1 -
 tracking_denials/insmod-sh.te | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 694ca9e6..6a1f594c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -19,7 +19,6 @@ hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
 hal_thermal_default sysfs file b/272166722
 hal_thermal_default sysfs file b/272166987
 hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827
-insmod-sh insmod-sh lockdown b/272166723
 kernel vendor_fw_file dir b/272166737
 kernel vendor_fw_file dir b/272166787
 mtectrl unlabeled dir b/264483752
diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te
index d9e52eff..04c00fe8 100644
--- a/tracking_denials/insmod-sh.te
+++ b/tracking_denials/insmod-sh.te
@@ -4,3 +4,7 @@ dontaudit insmod-sh vendor_regmap_debugfs:dir { search };
 userdebug_or_eng(`
 permissive insmod-sh;
 ')
+# b/272166723
+userdebug_or_eng(`
+ allow insmod-sh self:lockdown integrity;
+')
From 0d8ede8308ae0a7be842c8e4efde1b2dd9d2a92d Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 10 Mar 2023 16:24:38 +0800
Subject: [PATCH 2/2] Enforce insmod-sh

Fix: 264490091
Test: Boot-to-home without insmod-sh avc error
Change-Id: I9868bdfd8fad7ac37c8d1104fb1fab10a7e8f79a
---
 tracking_denials/insmod-sh.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te
index 04c00fe8..adf41ef2 100644
--- a/tracking_denials/insmod-sh.te
+++ b/tracking_denials/insmod-sh.te
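Review bot: The `allow insmod-sh self:lockdown integrity;` rule added at the end of the insmod-sh.te hunk in patch 1/2 is documented only by a bug number, so nothing on the page says which operation needs the lockdown permission or why the grant is limited to userdebug_or_eng. While the `permissive insmod-sh;` block in the context lines is still present, the rule only silences a logged denial on those builds; it becomes load-bearing once patch 2/2 removes that block. User builds get no equivalent rule, and the bug_map hunk of the same commit drops the entry that tracked this denial, so if the same access happens there it would presumably be denied and no longer mapped to the bug. I would expand the comment to `# b/272166723: <operation that hits the lockdown integrity check>; userdebug/eng only because <reason>` and, if the rule is meant to stay, move it out of tracking_denials/ into the domain's regular policy file.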
@@ -1,9 +1,5 @@
 # b/260522378
 dontaudit insmod-sh vendor_regmap_debugfs:dir { search };
-# b/264490091
-userdebug_or_eng(`
- permissive insmod-sh;
-')
 # b/272166723
 userdebug_or_eng(`
 allow insmod-sh self:lockdown integrity;