Update SELinux rules to support emulator WiFi (ca5bfb1c) · Commits · e / os / android_build

target/board/generic/sepolicy/createns.te

0 → 100644

+14 −0

Original line number	Diff line number	Diff line
		# Network namespace creation
		type createns, domain;
		type createns_exec, exec_type, vendor_file_type, file_type;

		init_daemon_domain(createns)

		allow createns self:capability { sys_admin net_raw setuid setgid };
		allow createns varrun_file:dir { add_name search write };
		allow createns varrun_file:file { create mounton open read write };

		#Allow createns itself to be run by init in its own domain
		domain_auto_trans(goldfish_setup, createns_exec, createns);
		allow createns goldfish_setup:fd use;

+16 −4

Original line number	Diff line number	Diff line
		@@ -5,8 +5,9 @@ type execns_exec, exec_type, vendor_file_type, file_type;
		init_daemon_domain(execns)

		allow execns varrun_file:dir search;
		allow execns varrun_file:file r_file_perms;
		allow execns self:capability sys_admin;
		allow execns proc:file { open read };
		allow execns nsfs:file { open read };

		#Allow execns itself to be run by init in its own domain
		domain_auto_trans(init, execns_exec, execns);
		@@ -17,6 +18,17 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
		# Allow dhcpserver to be run by execns in its own domain
		domain_auto_trans(execns, dhcpserver_exec, dhcpserver);

		# Allow hostapd to be run by execns in its own domain
		domain_auto_trans(execns, hostapd_exec, hostapd);
		allow hostapd execns:fd use;
		# Rules to allow execution of hostapd and allow it to run
		allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
		allow execns self:capability { net_admin net_raw };
		allow execns self:netlink_generic_socket { bind create getattr read setopt write };
		allow execns self:netlink_route_socket { bind create read write nlmsg_write };
		allow execns execns:udp_socket { create ioctl };
		allow execns self:packet_socket { create setopt };
		allow execns sysfs_net:dir { search };
		allowxperm execns self:udp_socket ioctl priv_sock_ioctls;

		# Allow execns to read createns proc file to get the namespace file
		allow execns createns:file read;
		allow execns createns:dir search;
		allow execns createns:lnk_file read;

+1 −0

Original line number	Diff line number	Diff line
		type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
		type varrun_file, file_type, data_file_type, mlstrustedobject;
		type mediadrm_vendor_data_file, file_type, data_file_type;
		type nsfs, fs_type;

+2 −1

Original line number	Diff line number	Diff line
		@@ -19,6 +19,7 @@
		/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
		/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
		/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
		/vendor/bin/createns u:object_r:createns_exec:s0
		/vendor/bin/execns u:object_r:execns_exec:s0
		/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
		/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
		@@ -41,5 +42,5 @@

		# data
		/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
		/data/var/run(/.*)? u:object_r:varrun_file:s0
		/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0

+3 −0

Original line number	Diff line number	Diff line
		@@ -15,3 +15,6 @@ genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
		genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
		genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
		genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0

		# /proc/<pid>/ns
		genfscon nsfs / u:object_r:nsfs:s0