Merge "emulator: update aosp sepolicies"

# Network namespace creation

type createns, domain;

type createns_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(createns)

allow createns self:capability { sys_admin net_raw setuid setgid };

allow createns varrun_file:dir { add_name search write };

allow createns varrun_file:file { create mounton open read write };

#Allow createns itself to be run by init in its own domain

domain_auto_trans(goldfish_setup, createns_exec, createns);

allow createns goldfish_setup:fd use;

# DHCP client

type dhcpclient, domain;

type dhcpclient_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(dhcpclient)

net_domain(dhcpclient)

allow dhcpclient execns:fd use;

set_prop(dhcpclient, net_eth0_prop);

allow dhcpclient self:capability { net_admin net_raw };

allow dhcpclient self:udp_socket create;

allow dhcpclient self:netlink_route_socket { write nlmsg_write };

allow dhcpclient varrun_file:dir search;

allow dhcpclient self:packet_socket { create bind write read };

allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS

                                              SIOCSIFADDR

                                              SIOCSIFNETMASK

                                              SIOCSIFMTU

                                              SIOCGIFHWADDR };

# DHCP server

type dhcpserver, domain;

type dhcpserver_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(dhcpserver)

net_domain(dhcpserver)

allow dhcpserver execns:fd use;

get_prop(dhcpserver, net_eth0_prop);

allow dhcpserver self:udp_socket { ioctl create setopt bind };

allow dhcpserver self:capability { net_raw net_bind_service };

# Network namespace transitions

type execns, domain;

type execns_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(execns)

allow execns varrun_file:dir search;

allow execns varrun_file:file r_file_perms;

allow execns self:capability sys_admin;

allow execns nsfs:file { open read };

#Allow execns itself to be run by init in its own domain

domain_auto_trans(init, execns_exec, execns);

# Allow dhcpclient to be run by execns in its own domain

domain_auto_trans(execns, dhcpclient_exec, dhcpclient);

# Allow dhcpserver to be run by execns in its own domain

domain_auto_trans(execns, dhcpserver_exec, dhcpserver);

# Rules to allow execution of hostapd and allow it to run

allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };

allow execns self:capability { net_admin net_raw };

allow execns self:netlink_generic_socket { bind create getattr read setopt write };

allow execns self:netlink_route_socket { bind create read write nlmsg_write };

allow execns execns:udp_socket { create ioctl };

allow execns self:packet_socket { create setopt };

allow execns sysfs_net:dir { search };

allowxperm execns self:udp_socket ioctl priv_sock_ioctls;

# Allow execns to read createns proc file to get the namespace file

allow execns createns:file read;

allow execns createns:dir search;

allow execns createns:lnk_file read;

type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;

type varrun_file, file_type, data_file_type, mlstrustedobject;

type mediadrm_vendor_data_file, file_type, data_file_type;

type nsfs, fs_type;