commit ca5bfb1ca7568a4e4b62c571cc1906a0ffc6c5ef
author Bjoern Johansson <bjoernj@google.com> Mon Mar 19 11:14:30 2018 -0700
committer Bjoern Johansson <bjoernj@google.com> Thu Mar 22 12:59:49 2018 -0700
tree dc960a3ceb10525b78670ad98fd239506a2cc718
parent 275bdb08cdc112f2b3b46725b14ae200651daa9e

Update SELinux rules to support emulator WiFi

SELinux policies have become stricter, this updates the emulator SELinux
rules to accomodate these changes. It also adds rules for the new
createns command with the accompanying execns changes that are needed
to work with an updated filesystem layout.

BUG: 74514143
Test: Compile emulator images and verify that WiFi works
Change-Id: I4b58cea681a1e41b0cb7368e1c696f74ce28f871

target/board/generic/sepolicy/createns.te

diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
new file mode 100644
index 0000000..1eaf9ef
--- /dev/null
+++ b/target/board/generic/sepolicy/createns.te
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+