StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes from topic "emu_wifi_fixes" into pi-dev am: c6bd5fc81a

Browse Source 
am: 5d145d5e58

Change-Id: I58b57847568fadb6fe4a611e55d41ecc097b1de8
This commit is contained in:
Bjoern Johansson
2018-03-23 16:11:36 +00:00
committed by android-build-merger
parent f83b43e66c 5d145d5e58
commit 7ee78863b3
7 changed files with 45 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
target/board/generic/sepolicy/createns.te Normal file
View File

@@ -0,0 +1,14 @@
# Network namespace creation
type createns, domain;
type createns_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(createns)
allow createns self:capability { sys_admin net_raw setuid setgid };
allow createns varrun_file:dir { add_name search write };
allow createns varrun_file:file { create mounton open read write };
#Allow createns itself to be run by init in its own domain
domain_auto_trans(goldfish_setup, createns_exec, createns);
allow createns goldfish_setup:fd use;

20
target/board/generic/sepolicy/execns.te
View File

@@ -5,8 +5,9 @@ type execns_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(execns) init_daemon_domain(execns)
allow execns varrun_file:dir search; allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
allow execns self:capability sys_admin; allow execns self:capability sys_admin;
allow execns proc:file { open read }; allow execns nsfs:file { open read };
#Allow execns itself to be run by init in its own domain #Allow execns itself to be run by init in its own domain
domain_auto_trans(init, execns_exec, execns); domain_auto_trans(init, execns_exec, execns);
@@ -17,6 +18,17 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
# Allow dhcpserver to be run by execns in its own domain # Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver); domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
# Allow hostapd to be run by execns in its own domain # Rules to allow execution of hostapd and allow it to run
domain_auto_trans(execns, hostapd_exec, hostapd); allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
allow hostapd execns:fd use; allow execns self:capability { net_admin net_raw };
allow execns self:netlink_generic_socket { bind create getattr read setopt write };
allow execns self:netlink_route_socket { bind create read write nlmsg_write };
allow execns execns:udp_socket { create ioctl };
allow execns self:packet_socket { create setopt };
allow execns sysfs_net:dir { search };
allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
# Allow execns to read createns proc file to get the namespace file
allow execns createns:file read;
allow execns createns:dir search;
allow execns createns:lnk_file read;

1
target/board/generic/sepolicy/file.te
View File

@@ -1,3 +1,4 @@
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type varrun_file, file_type, data_file_type, mlstrustedobject; type varrun_file, file_type, data_file_type, mlstrustedobject;
type mediadrm_vendor_data_file, file_type, data_file_type; type mediadrm_vendor_data_file, file_type, data_file_type;
type nsfs, fs_type;

3
target/board/generic/sepolicy/file_contexts
View File

@@ -19,6 +19,7 @@
/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
/vendor/bin/createns u:object_r:createns_exec:s0
/vendor/bin/execns u:object_r:execns_exec:s0 /vendor/bin/execns u:object_r:execns_exec:s0
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
@@ -41,5 +42,5 @@
# data # data
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
/data/var/run(/.*)? u:object_r:varrun_file:s0 /data/vendor/var/run(/.*)? u:object_r:varrun_file:s0

3
target/board/generic/sepolicy/genfs_contexts
View File

@@ -15,3 +15,6 @@ genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0 genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
# /proc/<pid>/ns
genfscon nsfs / u:object_r:nsfs:s0

9
target/board/generic/sepolicy/goldfish_setup.te
View File

@@ -17,7 +17,7 @@ set_prop(goldfish_setup, ctl_default_prop);
# Set up WiFi # Set up WiFi
allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read }; allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl; allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup self:capability { sys_module sys_admin };
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name }; allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
@@ -25,14 +25,21 @@ allow goldfish_setup execns_exec:file rx_file_perms;
allow goldfish_setup proc_net:file rw_file_perms; allow goldfish_setup proc_net:file rw_file_perms;
allow goldfish_setup proc:file r_file_perms; allow goldfish_setup proc:file r_file_perms;
set_prop(goldfish_setup, ctl_default_prop); set_prop(goldfish_setup, ctl_default_prop);
allow goldfish_setup nsfs:file r_file_perms;
allow goldfish_setup system_data_file:dir getattr; allow goldfish_setup system_data_file:dir getattr;
allow goldfish_setup kernel:system module_request; allow goldfish_setup kernel:system module_request;
# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw # Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
allow goldfish_setup system_file:file execute_no_trans; allow goldfish_setup system_file:file execute_no_trans;
# Allow goldfish_setup to run init.wifi.sh # Allow goldfish_setup to run init.wifi.sh
allow goldfish_setup goldfish_setup_exec:file execute_no_trans; allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
#Allow goldfish_setup to run createns in its own domain
domain_auto_trans(goldfish_setup, createns_exec, createns);
# iw # iw
allow goldfish_setup sysfs:file { read open }; allow goldfish_setup sysfs:file { read open };
# iptables # iptables
allow goldfish_setup system_file:file lock; allow goldfish_setup system_file:file lock;
allow goldfish_setup self:rawip_socket { create getopt setopt }; allow goldfish_setup self:rawip_socket { create getopt setopt };
# Allow goldfish_setup to read createns proc file to get the namespace file
allow goldfish_setup createns:file { read };
allow goldfish_setup createns:dir { search };
allow goldfish_setup createns:lnk_file { read };

1
target/product/emulator.mk
View File

@@ -119,6 +119,7 @@ PRODUCT_PACKAGES += \
# WiFi # WiFi
PRODUCT_PACKAGES += \ PRODUCT_PACKAGES += \
createns \
dhcpclient \ dhcpclient \
dhcpserver \ dhcpserver \
execns \ execns \