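# goldfish-setup service: runs init.goldfish.sh script
#
# Emulator (goldfish) boot-time setup domain. It sets properties, configures
# WiFi with ip/iw/iptables, mounts under varrun_file, and hands off to
# createns (reading the namespace file it exposes). Because most helpers
# below run with execute_no_trans, they inherit every permission granted
# here, so keep this rule set as narrow as the setup script allows.
type goldfish_setup, domain;
type goldfish_setup_exec, vendor_file_type, exec_type, file_type;

init_daemon_domain(goldfish_setup)

set_prop(goldfish_setup, debug_prop);
# Set system properties to start services
set_prop(goldfish_setup, ctl_default_prop);

# Networking privileges. The udp_socket ioctl permission is narrowed to the
# priv_sock_ioctls set by the allowxperm rule, not left open-ended.
allow goldfish_setup self:capability { net_admin net_raw };
allow goldfish_setup self:udp_socket { create ioctl };
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
wakelock_use(goldfish_setup);

# Helper binaries executed without a domain transition (execute_no_trans):
# they keep running as goldfish_setup with this domain's full permissions.
allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
allow goldfish_setup vendor_shell_exec:file rx_file_perms;
# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
allow goldfish_setup system_file:file execute_no_trans;
# Allow goldfish_setup to run init.wifi.sh
allow goldfish_setup goldfish_setup_exec:file execute_no_trans;

# Set up WiFi
allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
# sys_module goes with the kernel:system module_request below (driver
# loading). sys_admin is a broad capability; the mounton rules on
# varrun_file below are presumably what needs it -- re-check this pair
# whenever the setup script changes.
allow goldfish_setup self:capability { sys_module sys_admin };
allow goldfish_setup kernel:system module_request;
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
allow goldfish_setup execns_exec:file rx_file_perms;
allow goldfish_setup proc_net:file rw_file_perms;
allow goldfish_setup proc:file r_file_perms;
allow goldfish_setup nsfs:file r_file_perms;
allow goldfish_setup system_data_file:dir getattr;
# iw
allow goldfish_setup sysfs:file { read open };
# iptables
allow goldfish_setup system_file:file lock;
allow goldfish_setup self:rawip_socket { create getopt setopt };

# Allow goldfish_setup to run createns in its own domain
domain_auto_trans(goldfish_setup, createns_exec, createns);
# Allow goldfish_setup to read createns proc file to get the namespace file
allow goldfish_setup createns:file read;
allow goldfish_setup createns:dir search;
allow goldfish_setup createns:lnk_file read;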