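# Brillo setup services; used for the different init.brillo-setup-*.sh scripts.
#
# brillo_setup is the SELinux domain (attribute `domain`) those shell scripts
# run in. Every allow line below widens what a script running as
# init.brillo-setup-*.sh may touch, so keep each one tied to a concrete need.
type brillo_setup, domain;
type brillo_setup_exec, exec_type, file_type;
type brillo_setup_prop, property_type;

# Inherit open file to shell (interpreter) for script.
allow brillo_setup shell_exec:file { read getattr };

# Configure interfaces, routes and firewall rules.
# net_admin and net_raw are powerful capabilities (network configuration and
# raw sockets); they are granted to the domain itself (self), so anything that
# keeps running in this domain can use them.
allow brillo_setup self:capability { net_admin net_raw };
allow brillo_setup self:rawip_socket { create getopt setopt };
allow brillo_setup self:netlink_route_socket nlmsg_write;

# execute_no_trans lets the scripts run any system_file binary WITHOUT a
# domain transition, i.e. the binary keeps brillo_setup's permissions above
# (including net_admin/net_raw). This is the broadest rule in the file.
allow brillo_setup system_file:file execute_no_trans;
allow brillo_setup toolbox_exec:file { rx_file_perms };

# Set properties for init.
set_prop(brillo_setup, brillo_setup_prop)

# Allow /proc access.
allow brillo_setup proc:dir search;
allow brillo_setup proc:filesystem getattr;
allow brillo_setup proc_net:file getattr;
allow brillo_setup selinuxfs:filesystem getattr;

# Quiet logging.
# dontaudit only silences the denial message; module_request is still denied.
# Remember this when a script that needs a kernel module fails without a log.
dontaudit brillo_setup kernel:system module_request;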