authorGilad Arnold <garnold@google.com>2015-08-20 14:54:16 -0700
committerGilad Arnold <garnold@google.com>2015-08-20 17:02:32 -0700
commitf3ecb5dfac621af83bc5e5809cc34910dae8c4c1 (patch)
tree596a99f7130f2c79f9545daf27433702872c6365
parentdf78e333d29a83d97aefe07f84bd5c02f667d11b (diff)
downloadfirewalld-f3ecb5dfac621af83bc5e5809cc34910dae8c4c1.tar.gz
Add a custom init.firewall.rc file.
We now want firewalld to launch only after the base firewall setup has been configured, so we need to use a special trigger for that.

Bug: 23064386
Change-Id: Ic07cea72b91ccd9913bf7cfa744a2fc911b8e4c2
-rw-r--r--Android.mk13
-rw-r--r--init.firewalld.rc10
2 files changed, 14 insertions, 9 deletions
diff --git a/Android.mk b/Android.mk
index 46d1898..b15db9b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -67,19 +67,14 @@ LOCAL_C_INCLUDES += external/gtest/include
$(eval $(firewalld_common))
include $(BUILD_EXECUTABLE)
-# === init.firewalld.rc ===
-ifdef INITRC_TEMPLATE
+# === init.firewalld.rc (brillo only) ===
+ifdef TARGET_COPY_OUT_INITRCD
include $(CLEAR_VARS)
LOCAL_MODULE := init.firewalld.rc
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_INITRCD)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-.PHONY: $(LOCAL_BUILT_MODULE)
-$(LOCAL_BUILT_MODULE): my_groups := net_admin net_raw
-$(LOCAL_BUILT_MODULE): $(INITRC_TEMPLATE)
- $(call generate-initrc-file,firewalld,,$(my_groups))
+include $(BUILD_PREBUILT)
endif
# === unittest ===
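Review bot: With the generator call removed, nothing in Android.mk records which privileges the installed service gets; the deleted `my_groups := net_admin net_raw` line was the only place they were visible when reviewing the build file. A one-line comment above `LOCAL_SRC_FILES`, such as `# Service user, groups and seclabel are defined in init.firewalld.rc; review that file when changing privileges.`, would keep the pointer. Separately, when `TARGET_COPY_OUT_INITRCD` is undefined the block is skipped silently, so the daemon is presumably built without an init service definition; the `(brillo only)` header comment could say that explicitly.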
diff --git a/init.firewalld.rc b/init.firewalld.rc
new file mode 100644
index 0000000..e273a2e
--- /dev/null
+++ b/init.firewalld.rc
@@ -0,0 +1,10 @@
+# TODO(garnold) While we want firewalld to only start after basic firewall
+# rules are setup, its lifespan should be tied to class main, like other
+# services. This needs to be fixed.
+on property:brillo.setup_firewall=1
+ start firewalld
+
+service firewalld /system/bin/firewalld
+ user system
+ group system dbus net_admin net_raw
+ seclabel u:r:brillo:s0
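Review bot: The `group system dbus net_admin net_raw` line is wider than the `net_admin net_raw` list that the removed generator call in Android.mk passed, and the file does not say why `system` and `dbus` are needed (the old template may have added them itself; that is not visible here). Because net_admin and net_raw are what allow this daemon to change packet filtering and open raw sockets, a short justification comment above the `group` line for each entry would let later edits drop what is unused. `seclabel u:r:brillo:s0` looks like a domain shared with other brillo services; if so, a dedicated firewalld domain would confine these network privileges better, and that could be added to the existing TODO. The service is started only from the `brillo.setup_firewall` trigger, so it is worth confirming that only the base firewall setup step is permitted to set that property.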