Allow getsockopt and setsockopt for Encap Sockets

Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Allow getsockopt and setsockopt for Encap Sockets
252b0153 · Nathan Harold · nharold · 3aa7ca56 · 252b0153 · 252b0153
Commit 252b0153 authored 6 years ago by Nathan Harold Committed by nharold 6 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;

 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@ unix_socket_connect(ephemeral_app, traced_producer, traced)

 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### neverallow rules

--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@ read_runtime_log_tags(platform_app)

 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### Neverallow rules

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,8 @@ dontaudit priv_app net_dns_prop:file read;

 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### neverallow rules

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@ get_prop(system_app, device_logging_prop)

 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### Neverallow rules

--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)

 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;