Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 704744ad authored by Stephen Smalley's avatar Stephen Smalley
Browse files

Add domains for goldfish services. 



goldfish-setup, goldfish-logcat, and qemu-props are goldfish-specific
oneshot services that lacked domain definitions and thus were left in init's
domain.

This depends on a change to external/sepolicy with the same Change-Id
to define non-goldfish-specific types for properties and logcat.

Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent c5a99042

target/board/generic/BoardConfig.mk

+5 −0
Original line number Diff line number Diff line
@@ -82,6 +82,11 @@ BOARD_SEPOLICY_UNION += \ 
        domain.te \

        file.te \

        file_contexts \

        goldfish_setup.te \

        goldfish_logcat.te \

        property.te \

        property_contexts \

        qemu_props.te \

        qemud.te \

        rild.te \

        shell.te \

target/board/generic/sepolicy/file_contexts

+2 −0
Original line number Diff line number Diff line
@@ -2,3 +2,5 @@ 
/dev/socket/qemud	u:object_r:qemud_socket:s0

/system/bin/qemud	u:object_r:qemud_exec:s0

/sys/qemu_trace(/.*)?	--	u:object_r:sysfs_writable:s0

/system/etc/init.goldfish.sh u:object_r:goldfish_setup_exec:s0

/system/bin/qemu-props	     u:object_r:qemu_props_exec:s0

target/board/generic/sepolicy/goldfish_logcat.te

0 → 100644
+11 −0
Original line number Diff line number Diff line 
# goldfish-logcat service:  runs logcat -Q

type goldfish_logcat, domain;

permissive_or_unconfined(goldfish_logcat)



domain_auto_trans(init, logcat_exec, goldfish_logcat)



# Read from logd.

read_logd(goldfish_logcat)



# Write to /dev/ttyS2

allow goldfish_logcat serial_device:chr_file { write open };

target/board/generic/sepolicy/goldfish_setup.te

0 → 100644
+19 −0
Original line number Diff line number Diff line 
# goldfish-setup service: runs init.goldfish.sh script

type goldfish_setup, domain;

type goldfish_setup_exec, exec_type, file_type;

permissive_or_unconfined(goldfish_setup)



init_daemon_domain(goldfish_setup)



# Inherit open file to shell (interpreter) for script.

allow goldfish_setup shell_exec:file read;



# Run ifconfig, route commands to configure interfaces and routes.

allow goldfish_setup system_file:file execute_no_trans;

allow goldfish_setup self:capability { net_admin net_raw };

allow goldfish_setup self:udp_socket create_socket_perms;



# Set net.eth0.dns*, debug.sf.nobootanimation

unix_socket_connect(goldfish_setup, property, init)

allow goldfish_setup system_prop:property_service set;

allow goldfish_setup debug_prop:property_service set;

target/board/generic/sepolicy/property.te

0 → 100644
+1 −0
Original line number Diff line number Diff line 
type qemu_prop, property_type;