Introduce fwmarkd: a service to set the fwmark of sockets.

(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9

file.te

@@ -118,6 +118,7 @@ type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
 type dumpstate_socket, file_type;
+type fwmarkd_socket, file_type, mlstrustedobject;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type lmkd_socket, file_type;

file_contexts

@@ -79,6 +79,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0

net.te

@@ -18,5 +18,8 @@ allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
 
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
 # Connect to mdnsd via mdnsd socket.
 unix_socket_connect(netdomain, mdnsd, mdnsd)

netd.te

@@ -58,6 +58,10 @@ allow netd clatd:process signal;
 
 allow netd ctl_mdnsd_prop:property_service set;
 
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow netd netdomain:fd use;
+
 ###
 ### Neverallow rules
 ###