From 4abf491a9ee49bad77097cd35bdaa1339134c3ac Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Mon, 14 Nov 2016 11:07:21 -0800
Subject: [PATCH] Allow ephemeral apps network connections

Test: Verify that HTTP and HTTPS connections from ephemeral apps do not cause denials.
Change-Id: I0ce25602906e63ec55d5b5869445f2aec10900cb
---
 public/ephemeral_app.te | 7 ++++++-
 public/net.te | 6 +++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index a96bff7c0..481cfa5ce 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -11,7 +11,7 @@
 ###
 ### PackageManager flags an app as ephemeral at install time.
 type ephemeral_app, domain;
-
+net_domain(ephemeral_app)
 # allow JITing
 allow ephemeral_app self:process execmem;
 allow ephemeral_app ashmem_device:chr_file execute;
@@ -38,6 +38,11 @@ allow ephemeral_app zygote:unix_dgram_socket write;
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+# Keychain and user-trusted credentials
+r_dir_file(ephemeral_app, keychain_data_file)
+allow ephemeral_app misc_user_data_file:dir r_dir_perms;
+allow ephemeral_app misc_user_data_file:file r_file_perms;
+
 # Allow apps to read/execute installed binaries
 allow ephemeral_app ephemeral_apk_data_file:dir search;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
diff --git a/public/net.te b/public/net.te
index 4616eb170..9345454ca 100644
--- a/public/net.te
+++ b/public/net.te
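Review bot: `net_domain(ephemeral_app)` replaces the blank line that separated the type declaration from the `# allow JITing` group, and unlike every other rule group in this file it carries no comment; suggest keeping the blank line and adding `# Network access: ephemeral apps may connect out but are excluded from the port bind rules in net.te.` The Test line only covers HTTP and HTTPS, while the netdomain attribute grants whatever the rest of net.te gives it — the net.te hunk below shows udp/rawip socket creation and netlink_route_socket access that still apply to ephemeral_app. If parity with ordinary apps is the intent that is reasonable, but stating it in the comment stops a later reader from assuming the grant is limited to TCP clients; the body of the net_domain macro is not visible here, so what else it adds cannot be confirmed from this diff.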
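Review bot: The two `misc_user_data_file` rules spell out `dir r_dir_perms` and `file r_file_perms` by hand while the line above uses the `r_dir_file` macro for keychain_data_file; if the hand-written form is deliberate (te_macros' r_dir_file also covers lnk_file, if I recall correctly), a comment such as `# explicit dir/file only: no lnk_file, do not collapse into r_dir_file` would keep a later cleanup from widening it. The group comment `# Keychain and user-trusted credentials` names credentials, but the grant covers everything labeled misc_user_data_file; I cannot see from the diff what else carries that type, so confirm it holds nothing beyond the user-trusted credential store before landing, or note the scope in the comment. The surrounding block of ephemeral_app rules continues outside this hunk.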
@@ -9,9 +9,9 @@ allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-- 
GitLab
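Review bot: The new set expressions are written `{netdomain -ephemeral_app}` without inner spaces, while this file writes sets as `{ udp_socket rawip_socket }` and `{ tcp_socket udp_socket }` on the surrounding lines; suggest `allow { netdomain -ephemeral_app } node_type:{ tcp_socket udp_socket } node_bind;` and the same spacing on the two name_bind lines. The `# Bind to ports.` comment above them no longer explains why one domain is carved out; a line such as `# Ephemeral apps may not bind or listen on ports (see ephemeral_app.te).` would record the intent next to the rules. The exclusion affects only these three rules: the udp/rawip socket creation on the hunk's first line and the netlink_route_socket rule at its end still apply to ephemeral_app through the attribute, which matches the commit's stated goal but is worth knowing when reading denials for that domain.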