emulator: update aosp sepolicies
There have been quite a few changes that should go to AOSP.
This CL squashes all of them into a single one.
Change-Id: I1e8d172b99cc98c93f2925fef32da8b461c277ed
Merged-In: I93b8489f710d194917d4b482ebca960c39658fd9
Merged-In: Ifac85db4e13d0b946f91b7eeffb4288d40d0ebb8
diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
new file mode 100644
index 0000000..1eaf9ef
--- /dev/null
+++ b/target/board/generic/sepolicy/createns.te
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+
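Review bot: The comment above the `domain_auto_trans` says createns is run by init, but the rule names `goldfish_setup` as the source domain, and the same transition rule is added a second time in goldfish_setup.te in this change. The comment should read `# Allow goldfish_setup to run createns in its own domain`, and the transition should live in only one of the two files so the two copies cannot drift apart. The capability grant `{ sys_admin net_raw setuid setgid }` also carries no explanation; a one-line why-comment for setuid/setgid would help, since nothing else in the file hints at what createns does with them (presumably dropping privileges after the namespace is set up, but that is not visible here).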
diff --git a/target/board/generic/sepolicy/dhcpclient.te b/target/board/generic/sepolicy/dhcpclient.te
new file mode 100644
index 0000000..df71fca
--- /dev/null
+++ b/target/board/generic/sepolicy/dhcpclient.te
@@ -0,0 +1,20 @@
+# DHCP client
+type dhcpclient, domain;
+type dhcpclient_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpclient)
+net_domain(dhcpclient)
+
+allow dhcpclient execns:fd use;
+
+set_prop(dhcpclient, net_eth0_prop);
+allow dhcpclient self:capability { net_admin net_raw };
+allow dhcpclient self:udp_socket create;
+allow dhcpclient self:netlink_route_socket { write nlmsg_write };
+allow dhcpclient varrun_file:dir search;
+allow dhcpclient self:packet_socket { create bind write read };
+allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
+ SIOCSIFADDR
+ SIOCSIFNETMASK
+ SIOCSIFMTU
+ SIOCGIFHWADDR };
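Review bot: The privileged ioctl list in the `allowxperm` has no comment saying why a DHCP client needs it, and the five-line list is laid out with continuation lines that start at column 0, unlike the single-line `{ ... }` sets used elsewhere in this change. Suggest a one-line comment such as `# Interface configuration ioctls used to apply the lease (address, netmask, MTU, flags, HW address)` and collapsing the set onto one line. `allow dhcpclient self:udp_socket create;` also looks redundant with `net_domain(dhcpclient)`, which in AOSP grants socket creation on udp_socket; if it is kept for clarity, a comment should say so.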
diff --git a/target/board/generic/sepolicy/dhcpserver.te b/target/board/generic/sepolicy/dhcpserver.te
new file mode 100644
index 0000000..7e8ba26
--- /dev/null
+++ b/target/board/generic/sepolicy/dhcpserver.te
@@ -0,0 +1,12 @@
+# DHCP server
+type dhcpserver, domain;
+type dhcpserver_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpserver)
+net_domain(dhcpserver)
+
+allow dhcpserver execns:fd use;
+
+get_prop(dhcpserver, net_eth0_prop);
+allow dhcpserver self:udp_socket { ioctl create setopt bind };
+allow dhcpserver self:capability { net_raw net_bind_service };
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
new file mode 100644
index 0000000..9675a99
--- /dev/null
+++ b/target/board/generic/sepolicy/execns.te
@@ -0,0 +1,34 @@
+# Network namespace transitions
+type execns, domain;
+type execns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(execns)
+
+allow execns varrun_file:dir search;
+allow execns varrun_file:file r_file_perms;
+allow execns self:capability sys_admin;
+allow execns nsfs:file { open read };
+
+#Allow execns itself to be run by init in its own domain
+domain_auto_trans(init, execns_exec, execns);
+
+# Allow dhcpclient to be run by execns in its own domain
+domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
+
+# Allow dhcpserver to be run by execns in its own domain
+domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
+
+# Rules to allow execution of hostapd and allow it to run
+allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
+allow execns self:capability { net_admin net_raw };
+allow execns self:netlink_generic_socket { bind create getattr read setopt write };
+allow execns self:netlink_route_socket { bind create read write nlmsg_write };
+allow execns execns:udp_socket { create ioctl };
+allow execns self:packet_socket { create setopt };
+allow execns sysfs_net:dir { search };
+allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+
+# Allow execns to read createns proc file to get the namespace file
+allow execns createns:file read;
+allow execns createns:dir search;
+allow execns createns:lnk_file read;
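Review bot: hostapd is executed with `execute_no_trans`, so it keeps running in the execns domain with `sys_admin`/`net_admin`/`net_raw`, the varrun_file access and the createns proc-file access granted above, whereas dhcpclient, dhcpserver and ipv6proxy in the same file each get a `domain_auto_trans` into their own domain. Unless the hostapd domain is known to be insufficient here, `domain_auto_trans(execns, hal_wifi_hostapd_default_exec, hal_wifi_hostapd_default);` plus `allow hal_wifi_hostapd_default execns:fd use;` would keep the same least-privilege shape as the other daemons; if that was tried and did not work, the reason belongs in the comment above the rule. As a style point, `allow execns execns:udp_socket { create ioctl };` should use `self` like every other rule in the file.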
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
new file mode 100644
index 0000000..b0aa217
--- /dev/null
+++ b/target/board/generic/sepolicy/file.te
@@ -0,0 +1,4 @@
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type varrun_file, file_type, data_file_type, mlstrustedobject;
+type mediadrm_vendor_data_file, file_type, data_file_type;
+type nsfs, fs_type;
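Review bot: The four new types have no comments, although every other new file in this change starts with one, and two of them carry `mlstrustedobject`, which is not self-explanatory. Suggest one line per type tying it to its label site in this change, e.g. `# /data/vendor/var/run, runtime files shared by createns/execns/goldfish_setup` above varrun_file and `# /proc/<pid>/ns entries, labeled via genfs_contexts` above nsfs, and a short why for `mlstrustedobject` on sysfs_writable and varrun_file (presumably cross-level access by the namespace helpers, but that is not visible here).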
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 521c65e..73fe752 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -17,7 +17,13 @@
/dev/ttyS2 u:object_r:console_device:s0
/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+/vendor/bin/createns u:object_r:createns_exec:s0
+/vendor/bin/execns u:object_r:execns_exec:s0
+/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
+/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
+/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
@@ -33,3 +39,8 @@
/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
+
+# data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
+
diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
index 91cedf1..1b81626 100644
--- a/target/board/generic/sepolicy/genfs_contexts
+++ b/target/board/generic/sepolicy/genfs_contexts
@@ -15,3 +15,6 @@
genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
+
+# /proc/<pid>/ns
+genfscon nsfs / u:object_r:nsfs:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index eb913e9..3041436 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -4,10 +4,44 @@
init_daemon_domain(goldfish_setup)
-set_prop(goldfish_setup, debug_prop);
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(goldfish_setup, debug_prop);
allow goldfish_setup self:capability { net_admin net_raw };
allow goldfish_setup self:udp_socket { create ioctl };
allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
wakelock_use(goldfish_setup);
allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
+
+# Set system properties to start services
+set_prop(goldfish_setup, ctl_default_prop);
+
+# Set up WiFi
+allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
+allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow goldfish_setup self:capability { sys_module sys_admin };
+allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
+allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
+allow goldfish_setup execns_exec:file rx_file_perms;
+allow goldfish_setup proc_net:file rw_file_perms;
+allow goldfish_setup proc:file r_file_perms;
+allow goldfish_setup nsfs:file r_file_perms;
+allow goldfish_setup system_data_file:dir getattr;
+allow goldfish_setup kernel:system module_request;
+set_prop(goldfish_setup, qemu_prop);
+get_prop(goldfish_setup, net_share_prop);
+# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
+allow goldfish_setup system_file:file execute_no_trans;
+# Allow goldfish_setup to run init.wifi.sh
+allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+#Allow goldfish_setup to run createns in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+# iw
+allow goldfish_setup sysfs:file { read open };
+# iptables
+allow goldfish_setup system_file:file lock;
+allow goldfish_setup self:rawip_socket { create getopt setopt };
+# Allow goldfish_setup to read createns proc file to get the namespace file
+allow goldfish_setup createns:file { read };
+allow goldfish_setup createns:dir { search };
+allow goldfish_setup createns:lnk_file { read };
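Review bot: `allow goldfish_setup system_file:file execute_no_trans;` grants execution of every system_file binary inside the goldfish_setup domain, not just /system/bin/ip and /system/bin/iw as the comment says, and the same domain now also holds `sys_admin`, `sys_module` and `kernel:system module_request`. If the two tools cannot be given a dedicated file type, the comment should at least state that the grant is domain-wide, e.g. `# Allow goldfish_setup to run system binaries (used for /system/bin/ip and /system/bin/iw); this is not limited to those two`. The same applies to `allow goldfish_setup system_file:file lock;` for iptables. Note that vendor domains executing system binaries may also be restricted by the vendor/system separation neverallows in AOSP, which is worth checking before this is upstreamed.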
diff --git a/target/board/generic/sepolicy/hal_drm_widevine.te b/target/board/generic/sepolicy/hal_drm_widevine.te
index 42d462a..d49000d 100644
--- a/target/board/generic/sepolicy/hal_drm_widevine.te
+++ b/target/board/generic/sepolicy/hal_drm_widevine.te
@@ -10,3 +10,5 @@
vndbinder_use(hal_drm_widevine);
hal_client_domain(hal_drm_widevine, hal_graphics_composer);
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
diff --git a/target/board/generic/sepolicy/hal_gnss_default.te b/target/board/generic/sepolicy/hal_gnss_default.te
index ddc68cc..0dd3d03 100644
--- a/target/board/generic/sepolicy/hal_gnss_default.te
+++ b/target/board/generic/sepolicy/hal_gnss_default.te
@@ -1 +1,3 @@
-vndbinder_use(hal_gnss_default);
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
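Review bot: Replacing `vndbinder_use(hal_gnss_default);` with a raw `vndbinder_device:chr_file` allow drops whatever else the macro grants; in AOSP it also covers the vndservicemanager binder call/transfer and the lookups vndservicemanager does on the client, so the HAL may still be denied at registration time. The `#============= hal_gnss_default ==============` banner is audit2allow output rather than an explanation; if the macro was removed deliberately (for example because one of its rules does not build for this target), say so in a comment, otherwise prefer the macro. The same applies to hal_graphics_composer_default.te in this change.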
diff --git a/target/board/generic/sepolicy/hal_graphics_composer_default.te b/target/board/generic/sepolicy/hal_graphics_composer_default.te
index 40ecda6..034bdef 100644
--- a/target/board/generic/sepolicy/hal_graphics_composer_default.te
+++ b/target/board/generic/sepolicy/hal_graphics_composer_default.te
@@ -1 +1,3 @@
-vndbinder_use(hal_graphics_composer_default);
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/target/board/generic/sepolicy/hal_wifi_default.te b/target/board/generic/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..de4b996
--- /dev/null
+++ b/target/board/generic/sepolicy/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
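Review bot: The rule names the domain twice instead of using `self`, unlike the rest of this change: `allow hal_wifi_default self:netlink_route_socket { create bind write read nlmsg_read };`. A one-line comment saying what the HAL uses the route socket for in the emulator would also help, since the file has no other context.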
diff --git a/target/board/generic/sepolicy/ipv6proxy.te b/target/board/generic/sepolicy/ipv6proxy.te
new file mode 100644
index 0000000..22976fe
--- /dev/null
+++ b/target/board/generic/sepolicy/ipv6proxy.te
@@ -0,0 +1,16 @@
+# IPv6 proxying
+type ipv6proxy, domain;
+type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ipv6proxy)
+net_domain(ipv6proxy)
+
+# Allow ipv6proxy to be run by execns in its own domain
+domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
+allow ipv6proxy execns:fd use;
+
+allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
+allow ipv6proxy self:packet_socket { bind create read };
+allow ipv6proxy self:netlink_route_socket nlmsg_write;
+allow ipv6proxy varrun_file:dir search;
+allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
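Review bot: `allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };` grants `sys_admin` and `sys_module` to the proxy without any comment, while dhcpclient and dhcpserver in the same change get only the network capabilities. If both are needed (module loading or a namespace operation, which is not visible here), a why-comment above the rule should say which operation requires each; otherwise drop the ones not backed by an actual denial. The `allowxperm` on udp_socket relies on `net_domain(ipv6proxy)` for the base `ioctl` permission, which is fine in AOSP but worth a short comment since no udp_socket rule appears in this file.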
diff --git a/target/board/generic/sepolicy/property.te b/target/board/generic/sepolicy/property.te
index 56e02ef..3593a39 100644
--- a/target/board/generic/sepolicy/property.te
+++ b/target/board/generic/sepolicy/property.te
@@ -1,3 +1,5 @@
type qemu_prop, property_type;
type qemu_cmdline, property_type;
type radio_noril_prop, property_type;
+type net_eth0_prop, property_type;
+type net_share_prop, property_type;
diff --git a/target/board/generic/sepolicy/property_contexts b/target/board/generic/sepolicy/property_contexts
index 3a61b6b..f7a241c 100644
--- a/target/board/generic/sepolicy/property_contexts
+++ b/target/board/generic/sepolicy/property_contexts
@@ -1,5 +1,8 @@
qemu. u:object_r:qemu_prop:s0
qemu.cmdline u:object_r:qemu_cmdline:s0
+vendor.qemu u:object_r:qemu_prop:s0
ro.emu. u:object_r:qemu_prop:s0
ro.emulator. u:object_r:qemu_prop:s0
ro.radio.noril u:object_r:radio_noril_prop:s0
+net.eth0. u:object_r:net_eth0_prop:s0
+net.shared_net_ip u:object_r:net_share_prop:s0
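Review bot: `vendor.qemu u:object_r:qemu_prop:s0` has no trailing dot, so as a prefix match it also labels any property whose name merely starts with `vendor.qemu`, unlike the neighbouring `qemu.`, `ro.emu.` and `ro.emulator.` entries. If the intent is the `vendor.qemu.*` namespace, change it to `vendor.qemu. u:object_r:qemu_prop:s0`; if a single property named exactly `vendor.qemu` is meant, a comment should say so.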
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
index 0f5ec8c..b3e2d95 100644
--- a/target/board/generic/sepolicy/qemu_props.te
+++ b/target/board/generic/sepolicy/qemu_props.te
@@ -5,5 +5,6 @@
init_daemon_domain(qemu_props)
set_prop(qemu_props, qemu_prop)
-set_prop(qemu_props, dalvik_prop)
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(qemu_props, qemu_cmdline)
set_prop(qemu_props, qemu_cmdline)
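Review bot: The commented-out line under the TODO names the wrong property: the rule actually removed is `set_prop(qemu_props, dalvik_prop)`, while `set_prop(qemu_props, qemu_cmdline)` is still granted on the line below it. The comment should read `#set_prop(qemu_props, dalvik_prop)` so that whoever resolves b/79502552 restores the right grant, matching the pattern used in goldfish_setup.te where the disabled `debug_prop` line is quoted verbatim.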
diff --git a/target/board/generic/sepolicy/radio.te b/target/board/generic/sepolicy/radio.te
new file mode 100644
index 0000000..742d3b2
--- /dev/null
+++ b/target/board/generic/sepolicy/radio.te
@@ -0,0 +1,3 @@
+# Allow the radio to read these properties, they only have an SELinux label in
+# the emulator.
+get_prop(radio, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
new file mode 100644
index 0000000..ea18373
--- /dev/null
+++ b/target/board/generic/sepolicy/rild.te
@@ -0,0 +1,3 @@
+# Allow rild to read these properties, they only have an SELinux label in the
+# emulator.
+get_prop(rild, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/vendor_init.te b/target/board/generic/sepolicy/vendor_init.te
new file mode 100644
index 0000000..b18d391
--- /dev/null
+++ b/target/board/generic/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, qemu_prop)