From 8df86b24fae1922fa1eb6657a57cab2a823d1767 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 28 Sep 2012 18:15:49 -0700
Subject: [PATCH] build_image: disable module restrictions in factory image

The factory test image uses third party kernel modules from /usr/local.
Since it builds with verity enabled, the module restrictions must be
disabled in the command line instead of via run-time sysctl values
(which are not available if verity is enabled).

BUG=chromium-os:34134
TEST=parrot build, manual testing

Change-Id: Ibfc3332eac88e3748f2c81d6dce1a595dd16c055
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/34321
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Liam McLoughlin <lmcloughlin@chromium.org>
Reviewed-by: Joseph Shyh-In Hwang <josephsih@chromium.org>
---
 build_image | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/build_image b/build_image
index 047c9ba82f..a1fd4c2ee4 100755
--- a/build_image
+++ b/build_image
@@ -122,6 +122,12 @@ if should_build_image ${CHROMEOS_FACTORY_INSTALL_SHIM_NAME}; then
   fi
 fi
 
+if should_build_image ${CHROMEOS_FACTORY_TEST_IMAGE_NAME}; then
+  # Disable module restrictions on factory test image to allow for
+  # external third party drivers in /usr/local.
+  FLAGS_boot_args="${FLAGS_boot_args} lsm.module_locking=0"
+fi
+
 # TODO: </prebuild hook>
 
 # If we are creating a developer image, also create a pristine image with a