Merge "sepolicy: Fix 'avc denied' issues for the emulators"brillo-m8-releasebrillo-m8-dev

3 files changed, 5 insertions, 0 deletions

diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
index c28ca74f15..201fa8640c 100644
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@@ -1,3 +1,5 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
 allow domain qemu_device:chr_file rw_file_perms;
+
+get_prop(domain, qemu_prop)
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index b472d2aae7..bce196a7d2 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -13,6 +13,8 @@ allow goldfish_setup toolbox_exec:file rx_file_perms;
 allow goldfish_setup self:capability { net_admin net_raw };
 allow goldfish_setup self:udp_socket create_socket_perms;
 
+net_domain(goldfish_setup)
+
 # Set net.eth0.dns*, debug.sf.nobootanimation
 set_prop(goldfish_setup, system_prop)
 set_prop(goldfish_setup, debug_prop)
diff --git a/target/board/generic/sepolicy/netd.te b/target/board/generic/sepolicy/netd.te
new file mode 100644
index 0000000000..2b002ec9c6
--- /dev/null
+++ b/target/board/generic/sepolicy/netd.te
@@ -0,0 +1 @@
+dontaudit netd self:capability sys_module;