From 56ecf4bdf8cb33362143f37cf683efd909415d5b Mon Sep 17 00:00:00 2001
From: Sreeram Ramachandran <sreeram@google.com>
Date: Thu, 1 May 2014 11:12:10 -0700
Subject: [PATCH] Introduce fwmarkd: a service to set the fwmark of sockets.

(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
---
 file.te       | 1 +
 file_contexts | 1 +
 net.te        | 3 +++
 netd.te       | 4 ++++
 4 files changed, 9 insertions(+)

diff --git a/file.te b/file.te
index ac4220fd4..00f158936 100644
--- a/file.te
+++ b/file.te
@@ -118,6 +118,7 @@ type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
 type dumpstate_socket, file_type;
+type fwmarkd_socket, file_type, mlstrustedobject;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type lmkd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 0926d745f..74c6db3e0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -79,6 +79,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0
diff --git a/net.te b/net.te
index 9942efe4a..6aa12f23a 100644
--- a/net.te
+++ b/net.te
@@ -18,5 +18,8 @@ allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
 
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
 # Connect to mdnsd via mdnsd socket.
 unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/netd.te b/netd.te
index 46cc43631..6fe1ad313 100644
--- a/netd.te
+++ b/netd.te
@@ -58,6 +58,10 @@ allow netd clatd:process signal;
 
 allow netd ctl_mdnsd_prop:property_service set;
 
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow netd netdomain:fd use;
+
 ###
 ### Neverallow rules
 ###
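Review bot: The new rule `allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};` grants netd read/write on sockets owned by every netdomain process, which is wider than setting a firewall mark appears to require; if fwmarkd only calls setsockopt() on the fd it is handed, `{getopt setopt}` together with the `fd use` rule should be enough, and dropping `read write getattr setattr` keeps a confused or compromised netd from reading or injecting application traffic through fds passed to it. If the broader permission set is genuinely needed, a comment naming the operation that needs it (e.g. `# read/write required for ...`) would make the grant reviewable, since "operate on sockets that are passed to it" does not say which operations. The fd arrives from an untrusted app, so the service side should presumably also verify the received descriptor is actually a socket before acting on it; that check lives in the fwmarkd code rather than in this policy and is not visible here.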
-- 
GitLab