build_image: disable module restrictions in factory image

The factory test image uses third party kernel modules from /usr/local. Since it builds with verity enabled, the module restrictions must be disabled in the command line instead of via run-time sysctl values (which are not available if verity is enabled). BUG=chromium-os:34134 TEST=parrot build, manual testing Change-Id: Ibfc3332eac88e3748f2c81d6dce1a595dd16c055 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/34321 Reviewed-by: Hung-Te Lin <hungte@chromium.org> Reviewed-by: Liam McLoughlin <lmcloughlin@chromium.org> Reviewed-by: Joseph Shyh-In Hwang <josephsih@chromium.org>
2025-08-08 05:26:58 +02:00 · 2012-09-28 18:15:49 -07:00 · 2012-09-28 18:15:49 -07:00 · 8df86b24fa
commit 8df86b24fa
parent 8b82f358ed
1 changed files with 6 additions and 0 deletions
--- a/6
+++ b/6
@ -122,6 +122,12 @@ if should_build_image ${CHROMEOS_FACTORY_INSTALL_SHIM_NAME}; then
  fi
 fi

+if should_build_image ${CHROMEOS_FACTORY_TEST_IMAGE_NAME}; then
+  # Disable module restrictions on factory test image to allow for
+  # external third party drivers in /usr/local.
+  FLAGS_boot_args="${FLAGS_boot_args} lsm.module_locking=0"
+fi
+
 # TODO: </prebuild hook>

 # If we are creating a developer image, also create a pristine image with a