author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-09-03 11:07:03 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-09-22 14:41:56 -0400 |
commit | 704744ad812e76b2f9f43c04d9cc07a60b530168 (patch) | |
tree | 5d642eca71cbc88f246df27406b2150d852a80a9 | |
parent | c5a99042e944787b2cd5f2e93ba4775ffd9e36fc (diff) | |
download | build-704744ad812e76b2f9f43c04d9cc07a60b530168.tar.gz |
Add domains for goldfish services.
goldfish-setup, goldfish-logcat, and qemu-props are goldfish-specific
oneshot services that lacked domain definitions and thus were left in init's
domain.
This depends on a change to external/sepolicy with the same Change-Id
to define non-goldfish-specific types for properties and logcat.
Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | target/board/generic/BoardConfig.mk | 5 | ||||
-rw-r--r-- | target/board/generic/sepolicy/file_contexts | 2 | ||||
-rw-r--r-- | target/board/generic/sepolicy/goldfish_logcat.te | 11 | ||||
-rw-r--r-- | target/board/generic/sepolicy/goldfish_setup.te | 19 | ||||
-rw-r--r-- | target/board/generic/sepolicy/property.te | 1 | ||||
-rw-r--r-- | target/board/generic/sepolicy/property_contexts | 1 | ||||
-rw-r--r-- | target/board/generic/sepolicy/qemu_props.te | 10 | ||||
-rw-r--r-- | target/board/generic_mips/BoardConfig.mk | 5 | ||||
-rw-r--r-- | target/board/generic_x86/BoardConfig.mk | 5 |
9 files changed, 59 insertions, 0 deletions
diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk
index 62303d6c5b..d42b652062 100644
--- a/target/board/generic/BoardConfig.mk
+++ b/target/board/generic/BoardConfig.mk
@@ -82,6 +82,11 @@ BOARD_SEPOLICY_UNION += \
 domain.te \
 file.te \
 file_contexts \
+ goldfish_setup.te \
+ goldfish_logcat.te \
+ property.te \
+ property_contexts \
+ qemu_props.te \
 qemud.te \
 rild.te \
 shell.te \
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index f204cde96f..bbc34afb51 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -2,3 +2,5 @@
 /dev/socket/qemud u:object_r:qemud_socket:s0
 /system/bin/qemud u:object_r:qemud_exec:s0
 /sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0
+/system/etc/init.goldfish.sh u:object_r:goldfish_setup_exec:s0
+/system/bin/qemu-props u:object_r:qemu_props_exec:s0
diff --git a/target/board/generic/sepolicy/goldfish_logcat.te b/target/board/generic/sepolicy/goldfish_logcat.te
new file mode 100644
index 0000000000..34ef280ab6
--- /dev/null
+++ b/target/board/generic/sepolicy/goldfish_logcat.te
@@ -0,0 +1,11 @@
+# goldfish-logcat service: runs logcat -Q
+type goldfish_logcat, domain;
+permissive_or_unconfined(goldfish_logcat)
+
+domain_auto_trans(init, logcat_exec, goldfish_logcat)
+
+# Read from logd.
+read_logd(goldfish_logcat)
+
+# Write to /dev/ttyS2
+allow goldfish_logcat serial_device:chr_file { write open };
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
new file mode 100644
index 0000000000..786c1c2984
--- /dev/null
+++ b/target/board/generic/sepolicy/goldfish_setup.te
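Review bot: The new `/system/etc/init.goldfish.sh` entry in file_contexts is a regular expression, as the context line `/sys/qemu_trace(/.*)?` in the same hunk shows, so its unescaped dots match any character and the pattern is looser than the literal path. The conventional form is `/system/etc/init\.goldfish\.sh u:object_r:goldfish_setup_exec:s0`; the `/system/bin/qemu-props` line contains no regex metacharacters and is fine as written. With /system read-only the practical exposure is low, but an over-broad pattern would hand the goldfish_setup_exec label, and with it init's automatic transition into that domain, to any file whose path happens to match.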
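Review bot: Every rule in the new goldfish_logcat.te sits under `permissive_or_unconfined(goldfish_logcat)`, so the explicit allows below it (`read_logd(goldfish_logcat)`, `allow goldfish_logcat serial_device:chr_file { write open };`) are never exercised as a complete policy while that line stays, and a missing permission will not surface as a denial. The file should say so; I would extend the header to `# goldfish-logcat service: runs logcat -Q. Domain is currently permissive/unconfined; the rules below are the intended confined policy and are unverified until permissive_or_unconfined is removed.` It is also worth a comment that `domain_auto_trans(init, logcat_exec, goldfish_logcat)` keys on the shared logcat binary label rather than a goldfish-specific exec type, so on this board any logcat that init executes presumably lands in this domain, not only the goldfish-logcat service.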
@@ -0,0 +1,19 @@
+# goldfish-setup service: runs init.goldfish.sh script
+type goldfish_setup, domain;
+type goldfish_setup_exec, exec_type, file_type;
+permissive_or_unconfined(goldfish_setup)
+
+init_daemon_domain(goldfish_setup)
+
+# Inherit open file to shell (interpreter) for script.
+allow goldfish_setup shell_exec:file read;
+
+# Run ifconfig, route commands to configure interfaces and routes.
+allow goldfish_setup system_file:file execute_no_trans;
+allow goldfish_setup self:capability { net_admin net_raw };
+allow goldfish_setup self:udp_socket create_socket_perms;
+
+# Set net.eth0.dns*, debug.sf.nobootanimation
+unix_socket_connect(goldfish_setup, property, init)
+allow goldfish_setup system_prop:property_service set;
+allow goldfish_setup debug_prop:property_service set;
diff --git a/target/board/generic/sepolicy/property.te b/target/board/generic/sepolicy/property.te
new file mode 100644
index 0000000000..b3d15f8e31
--- /dev/null
+++ b/target/board/generic/sepolicy/property.te
@@ -0,0 +1 @@
+type qemu_prop, property_type;
diff --git a/target/board/generic/sepolicy/property_contexts b/target/board/generic/sepolicy/property_contexts
new file mode 100644
index 0000000000..5f741f8931
--- /dev/null
+++ b/target/board/generic/sepolicy/property_contexts
@@ -0,0 +1 @@
+qemu. u:object_r:qemu_prop:s0
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
new file mode 100644
index 0000000000..ade111d2a2
--- /dev/null
+++ b/target/board/generic/sepolicy/qemu_props.te
@@ -0,0 +1,10 @@
+# qemu-props service: Sets system properties on boot.
+type qemu_props, domain;
+type qemu_props_exec, exec_type, file_type;
+permissive_or_unconfined(qemu_props)
+
+init_daemon_domain(qemu_props)
+
+# Set properties.
+unix_socket_connect(qemu_props, property, init)
+allow qemu_props { qemu_prop dalvik_prop config_prop }:property_service set;
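Review bot: The property rules in goldfish_setup.te are wider than the comment above them states: `allow goldfish_setup system_prop:property_service set;` grants set on every property labelled system_prop, not only `net.eth0.dns*`, and `debug_prop` likewise covers far more than `debug.sf.nobootanimation`. Combined with `allow goldfish_setup system_file:file execute_no_trans;` and `self:capability { net_admin net_raw }`, anything the script runs from /system executes in this domain with network-admin capability. Because the domain is `permissive_or_unconfined`, none of this is enforced yet, so the file should record the intent, e.g. `# NOTE: system_prop/debug_prop are broad property types; narrow to dedicated types before confining this domain.` The `shell_exec:file read` rule only covers reading the interpreter; whether executing /system/bin/sh from this domain is allowed by a base rule elsewhere is not visible here and should be confirmed before permissive_or_unconfined is dropped.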
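Review bot: `allow qemu_props { qemu_prop dalvik_prop config_prop }:property_service set;` lets qemu-props set dalvik_prop and config_prop properties, which are not emulator-specific types, while the new `qemu_prop` type and the `qemu.` prefix in property_contexts are; the grant on the other two types deserves a comment naming the concrete properties that need it so a later reviewer can check the list, e.g. `# Also sets dalvik_prop/config_prop: <list properties here>.` Separately, the file has no rule for how qemu-props obtains the values it sets; if it reads them from a qemud channel or a device node, that access is absent here. With `permissive_or_unconfined(qemu_props)` the gap is silent, but it would block the service once the domain is confined, so the header comment should state that the rule set is incomplete and unverified in enforcing mode.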
diff --git a/target/board/generic_mips/BoardConfig.mk b/target/board/generic_mips/BoardConfig.mk
index a319ad71a0..dbc715a8d6 100644
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@@ -64,6 +64,11 @@ BOARD_SEPOLICY_UNION += \
 domain.te \
 file.te \
 file_contexts \
+ goldfish_setup.te \
+ goldfish_logcat.te \
+ property.te \
+ property_contexts \
+ qemu_props.te \
 qemud.te \
 rild.te \
 shell.te \
diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk
index 5d091f515c..78b7590747 100644
--- a/target/board/generic_x86/BoardConfig.mk
+++ b/target/board/generic_x86/BoardConfig.mk
@@ -53,6 +53,11 @@ BOARD_SEPOLICY_UNION += \
 file_contexts \
 healthd.te \
 installd.te \
+ goldfish_setup.te \
+ goldfish_logcat.te \
+ property.te \
+ property_contexts \
+ qemu_props.te \
 qemud.te \
 rild.te \
 shell.te \
|