From 185941aaff0e0c0050c32fba38af7617fcdf56cf Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Tue, 24 Oct 2017 14:40:53 -0700
Subject: [PATCH] sepolicy: allow netd to write to qtaguid file

Since all qtaguid related userspace implementation are moved into netd
and will use netd to choose which module to run at run time. Netd module
should be the only process can directly read/write to the ctrl file of
qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant
netd the privilege to access qtaguid proc files. It also grant netd the
permission to control trigger to turn on and off qtaguid module by write
parameters to files under sys_fs. The file and directory related is
properly labled.

Bug: 68774956
Bug: 30950746
Test: qtaguid function still working after the native function is
redirected.

Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
---
 public/netd.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/netd.te b/public/netd.te
index 17f60b559..a8a32bef9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -33,6 +33,11 @@ allow netd devpts:chr_file rw_file_perms;
 # Acquire advisory lock on /system/etc/xtables.lock
 allow netd system_file:file lock;
 
+# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
+#       complete
+allow netd qtaguid_proc:file rw_file_perms;
+
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
-- 
GitLab