# goldfish-setup service: runs init.goldfish.sh script
type goldfish_setup, domain;
type goldfish_setup_exec, vendor_file_type, exec_type, file_type;

init_daemon_domain(goldfish_setup)

# ---- Executables the setup script runs -----------------------------------
# Everything below stays in the goldfish_setup domain (execute_no_trans /
# rx_file_perms); only createns gets a domain transition.
# Allow goldfish_setup to run init.wifi.sh (same exec type as the service itself).
allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
allow goldfish_setup vendor_shell_exec:file rx_file_perms;
allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
# Note: vendor_file is the generic vendor label, so this permits executing any
# vendor_file-labelled file in this domain, not one specific binary.
allow goldfish_setup vendor_file:file execute_no_trans;
allow goldfish_setup goldfish_ip_exec:file execute_no_trans;
allow goldfish_setup goldfish_iw_exec:file execute_no_trans;
allow goldfish_setup mac80211_create_radios_exec:file execute_no_trans;
allow goldfish_setup execns_exec:file rx_file_perms;
# createns runs in its own domain rather than inheriting goldfish_setup.
domain_auto_trans(goldfish_setup, createns_exec, createns);
# goldfish_setup reads createns' proc entries to locate the namespace file.
allow goldfish_setup createns:dir search;
allow goldfish_setup createns:file read;
allow goldfish_setup createns:lnk_file read;
#allow goldfish_setup system_file:file { execute getattr open read };

# ---- Capabilities ---------------------------------------------------------
# fowner/chown: file ownership changes; net_admin/net_raw: network config;
# sys_module: module loading (paired with kernel:system module_request below);
# sys_admin: broad — presumably needed for the mounton rules on varrun_file,
# confirm against the script before widening further.
allow goldfish_setup self:capability { fowner chown net_admin net_raw sys_module sys_admin };
allow goldfish_setup kernel:system module_request;
# dac_override is NOT granted here; its denials are merely kept out of the
# audit log.
dontaudit goldfish_setup self:capability dac_override;

# ---- Sockets --------------------------------------------------------------
allow goldfish_setup self:udp_socket { create ioctl };
# ioctls on the udp socket are restricted to the privileged-socket set.
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
# Set up WiFi (netlink route/generic sockets)
allow goldfish_setup self:netlink_route_socket { create bind getattr setopt read write nlmsg_read nlmsg_write };
allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
# iptables
allow goldfish_setup self:rawip_socket { create getopt setopt };

# ---- Files and filesystems ------------------------------------------------
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
# proc_net gets read AND write here; proc and nsfs are read-only.
allow goldfish_setup proc_net:file rw_file_perms;
allow goldfish_setup proc:file r_file_perms;
allow goldfish_setup nsfs:file r_file_perms;
# iw
allow goldfish_setup sysfs:file { read open };
allow goldfish_setup system_data_file:dir getattr;
# Allow goldfish_setup to copy the hostapd conf template to the vendor data dir
allow goldfish_setup hostapd_data_file:dir rw_dir_perms;
allow goldfish_setup hostapd_data_file:file create_file_perms;

# ---- Properties and wakelocks ---------------------------------------------
# Set system properties to start services
set_prop(goldfish_setup, ctl_default_prop);
set_prop(goldfish_setup, qemu_prop);
get_prop(goldfish_setup, net_share_prop);
# TODO(b/79502552): Invalid property access from emulator vendor
#set_prop(goldfish_setup, debug_prop);
wakelock_use(goldfish_setup);