Blame - target/board/generic/sepolicy/goldfish_setup.te - platform/build

blob: 1492cbd425547b70ce6e741cc78025e5d41fe349 [file] [log] [blame]

Stephen Smalley	704744a	2014-09-03 11:07:03 -0400	[diff] [blame]	1	# goldfish-setup service: runs init.goldfish.sh script
Jeff Vander Stoep	ec488e1	2017-05-15 13:25:06 -0700	[diff] [blame]	2	type goldfish_setup, domain;
bohu	cb0bebb	2017-05-26 10:26:15 -0700	[diff] [blame]	3	type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
Stephen Smalley	704744a	2014-09-03 11:07:03 -0400	[diff] [blame]	4
				5	init_daemon_domain(goldfish_setup)
				6
bohu	7b46d57	2017-12-04 12:57:10 -0800	[diff] [blame]	7	set_prop(goldfish_setup, debug_prop);
Stephen Smalley	704744a	2014-09-03 11:07:03 -0400	[diff] [blame]	8	allow goldfish_setup self:capability { net_admin net_raw };
bohu	cb0bebb	2017-05-26 10:26:15 -0700	[diff] [blame]	9	allow goldfish_setup self:udp_socket { create ioctl };
				10	allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
Richard Haines	8a09cc2	2016-10-20 15:47:44 +0100	[diff] [blame]	11	allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
bohu	cb0bebb	2017-05-26 10:26:15 -0700	[diff] [blame]	12	wakelock_use(goldfish_setup);
				13	allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
Bjoern Johansson	127395f	2017-02-09 22:28:47 -0800	[diff] [blame]	14
				15	# Set system properties to start services
				16	set_prop(goldfish_setup, ctl_default_prop);
				17
				18	# Set up WiFi
Bjoern Johansson	760871c	2017-08-31 12:57:18 -0700	[diff] [blame]	19	allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
Bjoern Johansson	ca5bfb1	2018-03-19 11:14:30 -0700	[diff] [blame]	20	allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
Bjoern Johansson	127395f	2017-02-09 22:28:47 -0800	[diff] [blame]	21	allow goldfish_setup self:capability { sys_module sys_admin };
Bjoern Johansson	12fd2d8	2017-05-04 10:51:02 -0700	[diff] [blame]	22	allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
Bjoern Johansson	127395f	2017-02-09 22:28:47 -0800	[diff] [blame]	23	allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
				24	allow goldfish_setup execns_exec:file rx_file_perms;
Bjoern Johansson	760871c	2017-08-31 12:57:18 -0700	[diff] [blame]	25	allow goldfish_setup proc_net:file rw_file_perms;
				26	allow goldfish_setup proc:file r_file_perms;
				27	set_prop(goldfish_setup, ctl_default_prop);
Bjoern Johansson	ca5bfb1	2018-03-19 11:14:30 -0700	[diff] [blame]	28	allow goldfish_setup nsfs:file r_file_perms;
Bjoern Johansson	760871c	2017-08-31 12:57:18 -0700	[diff] [blame]	29	allow goldfish_setup system_data_file:dir getattr;
				30	allow goldfish_setup kernel:system module_request;
				31	# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
				32	allow goldfish_setup system_file:file execute_no_trans;
				33	# Allow goldfish_setup to run init.wifi.sh
				34	allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
Bjoern Johansson	ca5bfb1	2018-03-19 11:14:30 -0700	[diff] [blame]	35	#Allow goldfish_setup to run createns in its own domain
				36	domain_auto_trans(goldfish_setup, createns_exec, createns);
Bjoern Johansson	760871c	2017-08-31 12:57:18 -0700	[diff] [blame]	37	# iw
				38	allow goldfish_setup sysfs:file { read open };
				39	# iptables
				40	allow goldfish_setup system_file:file lock;
				41	allow goldfish_setup self:rawip_socket { create getopt setopt };
Bjoern Johansson	ca5bfb1	2018-03-19 11:14:30 -0700	[diff] [blame]	42	# Allow goldfish_setup to read createns proc file to get the namespace file
				43	allow goldfish_setup createns:file { read };
				44	allow goldfish_setup createns:dir { search };
				45	allow goldfish_setup createns:lnk_file { read };