From a287c3bb29068dc1264ddeb4f61e0f3a5559d204 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 15 Jun 2017 15:38:56 -0700
Subject: [PATCH] suppress spurious module loading denials

We only load modules during boot, on only by a single script: init.insmod.sh Other denials are caused by code we don't rely on that automatically looks for modules.

Bug: 34784662
Test: build policy
Change-Id: Iccdbe52582e9960f49ecb4ba9b472cf792e48fe6
---
 sepolicy/vendor/init.te | 2 ++
 sepolicy/vendor/kernel.te | 2 ++
 sepolicy/vendor/location.te | 2 ++
 sepolicy/vendor/netd.te | 3 +++
 sepolicy/vendor/netmgrd.te | 3 +++
 sepolicy/vendor/surfaceflinger.te | 1 +
 6 files changed, 13 insertions(+)

diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 73216a04..54ec0d27 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -9,3 +9,5 @@ allow init debugfs_clk:file w_file_perms;
 allow init tty_device:chr_file rw_file_perms;
 allow init persist_file:dir mounton;
+
+dontaudit init kernel:system module_request;
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index a1d78b39..e3c7f54a 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -6,3 +6,5 @@ userdebug_or_eng(`
 allow kernel vendor_firmware_file:dir search;
 allow kernel vendor_firmware_file:file r_file_perms;
+
+dontaudit kernel kernel:system module_request;
diff --git a/sepolicy/vendor/location.te b/sepolicy/vendor/location.te
index 3a40ab54..609ef6f3 100644
--- a/sepolicy/vendor/location.te
+++ b/sepolicy/vendor/location.te
@@ -36,3 +36,5 @@ r_dir_file(location, sysfs_type)
 # socket communications between system components and vendor components are not permted.
 # Once we switch full Treble devices to binderized only mode, this issue will disappear.
 typeattribute location socket_between_core_and_vendor_violators;
+
+dontaudit location kernel:system module_request;
diff --git a/sepolicy/vendor/netd.te b/sepolicy/vendor/netd.te
index 02ddc3e9..cc679185 100644
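Review bot: The new `dontaudit init kernel:system module_request;` silences kernel autoload requests for the one domain that, per the commit message, performs the explicit module loading through init.insmod.sh (assuming that script runs in the init domain, which the hunk does not show), so an init-triggered request could also be a real dependency hit before the script ran rather than a spurious probe; it is worth confirming from the captured denial which kmod name the kernel asked for before suppressing it. The policy file itself carries no rationale, so the next reader only sees an unexplained dontaudit; a comment alongside the rule such as `# Spurious kernel autoload request (request_module); all modules are loaded at boot by init.insmod.sh, nothing is needed here.` keeps the reasoning with the rule. Note that dontaudit only drops the audit record, the request is still denied, which is the intended effect.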
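Review bot: `dontaudit kernel kernel:system module_request;` keeps the denial in force and merely hides it, so any module the kernel itself genuinely tries to autoload will still fail, now without a trace; that is only safe if every module the device depends on is already listed in init.insmod.sh, which is the premise of the commit message but cannot be checked from the policy. A one-line comment would make that assumption explicit: `# Kernel-internal request_module() calls; every required module is loaded explicitly at boot, so the autoload path is intentionally unused and its denials are not interesting.` Since the target and source are the same domain here, `dontaudit kernel self:system module_request;` would also read consistently with the `self` form used in the netd and netmgrd files of this change.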
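Review bot: The surrounding file documents its unusual rules (the `typeattribute location socket_between_core_and_vendor_violators;` line above is preceded by two lines of rationale), but the new `dontaudit location kernel:system module_request;` lands with no explanation, so a later reviewer cannot tell whether the location stack needs a module that is missing or is merely probing. Keeping the file's convention with `# Spurious kernel autoload request; modules are only loaded at boot by init.insmod.sh.` directly above the rule would settle that. If the denials were captured during bring-up, naming the requested module in the comment makes the claim verifiable later.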
--- a/sepolicy/vendor/netd.te
+++ b/sepolicy/vendor/netd.te
@@ -1 +1,4 @@
 allow netd sysfs_net:file w_file_perms;
+
+dontaudit netd kernel:system module_request;
+dontaudit netd self:system module_request;
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index f24ca34d..4bb81af6 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -43,3 +43,6 @@ allow netmgrd system_file:file execute_no_trans;
 allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
 allow netmgrd toolbox_exec:file rx_file_perms;
+
+dontaudit netmgrd kernel:system module_request;
+dontaudit netmgrd self:system module_request;
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
index 88805acb..fee5e123 100644
--- a/sepolicy/vendor/surfaceflinger.te
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -1,2 +1,3 @@
 dontaudit surfaceflinger firmware_file:dir search;
+dontaudit surfaceflinger kernel:system module_request;
 allow surfaceflinger debugfs_ion:dir search;
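Review bot: `dontaudit netd self:system module_request;` looks unreachable on upstream kernels: the LSM hook for module_request checks the calling domain against the kernel initial SID, so the audit record carries `tcontext=u:r:kernel:s0` rather than netd, which the preceding `dontaudit netd kernel:system module_request;` already covers. Unless the denials captured on this device really show netd as the target context (which would point to a vendor kernel change), the `self` line is dead policy and can be dropped. Silencing the kernel-targeted request is otherwise sound: a socket() or setsockopt() for a family or option that is not built in makes the kernel try to autoload the matching module, refusing that autoload is the desired hardening, and dontaudit only removes the log line while the denial stays in force.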
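Review bot: The same question applies to `dontaudit netmgrd self:system module_request;`: with the upstream hook targeting the kernel SID, only `dontaudit netmgrd kernel:system module_request;` does the work, and the `self` line should be kept only if this device's denials show netmgrd as tcontext. netmgrd already holds `net_admin` and `net_raw` (visible in the context above), the capabilities under which netlink and netfilter operations that trigger kernel autoload typically run, so a comment recording what was observed, e.g. `# Kernel autoload requests from networking operations; the modules involved are either loaded by init.insmod.sh or not needed, so deny silently.`, would help whoever next finds a networking feature silently absent.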
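Review bot: The new line sits next to the existing `dontaudit surfaceflinger firmware_file:dir search;` and neither carries a comment, yet they silence different things (a firmware directory lookup versus a kernel module autoload request), so one explanatory line covering both would stop a future reader from merging or "fixing" them: `# The graphics path probes for firmware and kernel modules it does not use on this device; modules are only loaded at boot by init.insmod.sh.` The autoload presumably comes from the display or GPU driver surfaceflinger exercises, but the hunk does not show which module was requested; recording it, if known, would make the suppression auditable later.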