From 2b935cd78dae5db5035808f79b00c71be0e32b43 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 8 Jan 2016 15:01:40 -0800
Subject: [PATCH] grant appdomain rw perms to tun_device

Previously granted to only untrusted_app, allow all apps except isolated_app read write permissions to tun_device.

avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file

Bug: 26462997
Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7
---
 app.te | 4 ++++
 untrusted_app.te | 4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index 7de624b7a..45225b54d 100644
--- a/app.te
+++ b/app.te
@@ -222,6 +222,10 @@ selinux_check_context(appdomain)
 auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
 auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
+
 ###
 ### Neverallow rules
 ###
diff --git a/untrusted_app.te b/untrusted_app.te
index 055844341..463745ef1 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -29,10 +29,6 @@ bluetooth_domain(untrusted_app)
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };
 
-# Third party vpn apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow untrusted_app tun_device:chr_file { read write getattr ioctl append };
-
 # ASEC
 allow untrusted_app asec_apk_file:file r_file_perms;
 # Execute libs in asec containers.
-- 
GitLab
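Review bot: The comment carried over onto the new allow rule in app.te still says `Do not allow untrusted app to directly open tun_device`, but the subject is now `{ appdomain -isolated_app }`, so the wording no longer matches the rule; `# Apps receive an open tun fd from the framework for` / `# device traffic. Do not allow apps to directly open tun_device` keeps it accurate, and a short note on why isolated_app is excluded would help the next reader. The "no direct open" intent rests only on `open` being absent from the permission set; since the rule sits directly above the "Neverallow rules" section, a `neverallow appdomain tun_device:chr_file open;` there would have the build check that intent, unless an equivalent neverallow already exists further down in app.te. The set also grants `ioctl` to every non-isolated app domain on the tun fd; if this policy already narrows device ioctls with `allowxperm` elsewhere, the same treatment here would limit the ioctl surface rather than allowing all commands.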