common/init-insmod-sh.te - platform/hardware/google/pixel-sepolicy - Git at Google

 type init-insmod-sh, domain;
 type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(init-insmod-sh)

 allow init-insmod-sh vendor_toolbox_exec:file rx_file_perms;
 allow init-insmod-sh self:capability sys_module;
 allow init-insmod-sh vendor_kernel_modules:system module_load;
 allow init-insmod-sh kernel:key search;

 # modprobe needs sys_nice and setsched for driver threads
 allow init-insmod-sh self:capability sys_nice;
 allow init-insmod-sh kernel:process setsched;

 # modprobe need proc_modules
 allow init-insmod-sh proc_modules:file r_file_perms;

 # Set the vendor.all.modules.ready property
 set_prop(init-insmod-sh, vendor_device_prop)
	type init-insmod-sh, domain;
	type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(init-insmod-sh)

	allow init-insmod-sh vendor_toolbox_exec:file rx_file_perms;
	allow init-insmod-sh self:capability sys_module;
	allow init-insmod-sh vendor_kernel_modules:system module_load;
	allow init-insmod-sh kernel:key search;

	# modprobe needs sys_nice and setsched for driver threads
	allow init-insmod-sh self:capability sys_nice;
	allow init-insmod-sh kernel:process setsched;

	# modprobe need proc_modules
	allow init-insmod-sh proc_modules:file r_file_perms;

	# Set the vendor.all.modules.ready property
	set_prop(init-insmod-sh, vendor_device_prop)