Allow UDP Sockets to be returned from IpSecService

These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0

private/untrusted_app.te

@@ -24,6 +24,14 @@ untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };