From 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Mon Sep 17 00:00:00 2001
From: Nathan Harold <nharold@google.com>
Date: Wed, 5 Apr 2017 19:37:58 -0700
Subject: [PATCH] Allow UDP Sockets to be returned from IpSecService

These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
untrusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0
---
 private/untrusted_app.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41bd..93a73f143 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,6 +24,14 @@ untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
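Review bot: The `neverallow` added at lines 42-44 enumerates permissions instead of taking the complement of the allowed set, so it does not enforce the "NEVERALLOW: anything else" the commit message promises: the `udp_socket` class carries `node_bind` on top of the common socket permissions, and that one is absent from the list, as would be any permission added to the class in a later kernel/policy (for example `map`). Writing it as `neverallow untrusted_app system_server:udp_socket ~{ connect getattr read recvfrom sendto write };` makes the restriction exactly the inverse of the `allow` on line 36 and stays correct when the class grows. While here, `getattr` is granted on line 36 but not listed under ALLOW in the commit message; either drop it or mention it so message, comment and rules agree. I would also place the `neverallow` directly under the `allow` it constrains rather than after the unrelated `create_pty` macro, so the pair is read together.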
-- 
GitLab