      1 # goldfish-setup service: runs init.goldfish.sh script
      2 type goldfish_setup, domain;
      3 type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
      4 
      5 init_daemon_domain(goldfish_setup)
      6 
      7 # TODO(b/79502552): Invalid property access from emulator vendor
      8 #set_prop(goldfish_setup, debug_prop);
      9 allow goldfish_setup self:capability { net_admin net_raw };
     10 allow goldfish_setup self:udp_socket { create ioctl };
     11 allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
     12 allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
     13 wakelock_use(goldfish_setup);
     14 allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
     15 
     16 # Set system properties to start services
     17 set_prop(goldfish_setup, ctl_default_prop);
     18 
     19 # Set up WiFi
     20 allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
     21 allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
     22 allow goldfish_setup self:capability { sys_module sys_admin };
     23 allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
     24 allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
     25 allow goldfish_setup execns_exec:file rx_file_perms;
     26 allow goldfish_setup proc_net:file rw_file_perms;
     27 allow goldfish_setup proc:file r_file_perms;
     28 allow goldfish_setup nsfs:file r_file_perms;
     29 allow goldfish_setup system_data_file:dir getattr;
     30 allow goldfish_setup kernel:system module_request;
     31 set_prop(goldfish_setup, qemu_prop);
     32 get_prop(goldfish_setup, net_share_prop);
     33 # Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
     34 allow goldfish_setup system_file:file execute_no_trans;
     35 # Allow goldfish_setup to run init.wifi.sh
     36 allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
     37 #Allow goldfish_setup to run createns in its own domain
     38 domain_auto_trans(goldfish_setup, createns_exec, createns);
     39 # iw
     40 allow goldfish_setup sysfs:file { read open };
     41 # iptables
     42 allow goldfish_setup system_file:file lock;
     43 allow goldfish_setup self:rawip_socket { create getopt setopt };
     44 # Allow goldfish_setup to read createns proc file to get the namespace file
     45 allow goldfish_setup createns:file { read };
     46 allow goldfish_setup createns:dir { search };
     47 allow goldfish_setup createns:lnk_file { read };
     48