Allow getsockopt and setsockopt for Encap Sockets

am: 252b0153 Change-Id: I1800da081c5f164c35a470978053514f67c016da

Allow getsockopt and setsockopt for Encap Sockets
9f33cad7 · Nathan Harold · android-build-merger · 950388f0 · 252b0153 · 9f33cad7
Commit 9f33cad7 authored 7 years ago by Nathan Harold Committed by android-build-merger 7 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;

 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@ unix_socket_connect(ephemeral_app, traced_producer, traced)

 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### neverallow rules

--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@ read_runtime_log_tags(platform_app)

 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### Neverallow rules

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,8 @@ dontaudit priv_app net_dns_prop:file read;

 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### neverallow rules

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@ get_prop(system_app, device_logging_prop)

 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 ###
 ### Neverallow rules

--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)

 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };

 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;