From aa9003784430ca4e6cfd3e73acb501500d535816 Mon Sep 17 00:00:00 2001
From: Wilson Sung <wilsonsung@google.com>
Date: Fri, 10 Mar 2023 01:57:36 +0800
Subject: [PATCH] Add insmod-sh policy

Fix: 260366066
Change-Id: I0874c1f476b47a9ad3cee344986404958c96fd25
---
 tracking_denials/insmod-sh.te | 5 +----
 vendor/insmod-sh.te           | 2 ++
 2 files changed, 3 insertions(+), 4 deletions(-)
 create mode 100644 vendor/insmod-sh.te

diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te
index b3f7e576..d9e52eff 100644
--- a/tracking_denials/insmod-sh.te
+++ b/tracking_denials/insmod-sh.te
@@ -1,9 +1,6 @@
-# b/260366066
-dontaudit insmod-sh insmod-sh:capability { sys_nice };
-dontaudit insmod-sh kernel:process { setsched };
 # b/260522378
 dontaudit insmod-sh vendor_regmap_debugfs:dir { search };
 # b/264490091
 userdebug_or_eng(`
   permissive insmod-sh;
-')
\ No newline at end of file
+')
diff --git a/vendor/insmod-sh.te b/vendor/insmod-sh.te
new file mode 100644
index 00000000..e09c2480
--- /dev/null
+++ b/vendor/insmod-sh.te
@@ -0,0 +1,2 @@
+allow insmod-sh self:capability sys_nice;
+allow insmod-sh kernel:process setsched;