From ea4eaaf128dd74da37134de4fbc9323a7f936afa Mon Sep 17 00:00:00 2001
From: Nathan Harold <nharold@google.com>
Date: Tue, 27 Mar 2018 06:34:54 -0700
Subject: [PATCH] Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well.
Bug: 68689438
Test: compilation
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
---
 private/app.te | 4 ++--
 private/ephemeral_app.te | 3 ++-
 private/platform_app.te | 3 ++-
 private/priv_app.te | 3 ++-
 private/system_app.te | 3 ++-
 private/untrusted_app_all.te | 3 ++-
 6 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/private/app.te b/private/app.te
index 7dceaaa37..f3e1e2a09 100644
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@ allow appdomain zygote_tmpfs:file read;
 neverallow appdomain system_server:udp_socket {
- accept append bind create getopt ioctl listen lock name_bind
- relabelfrom relabelto setattr setopt shutdown };
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6e5..75a631765 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@ unix_socket_connect(ephemeral_app, traced_producer, traced)
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### neverallow rules
diff --git a/private/platform_app.te b/private/platform_app.te
index 67a9c3317..80b20e145 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
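Review bot: The relaxed neverallow in app.te now permits every app domain to call getsockopt()/setsockopt() on any system_server-owned udp_socket, and the `setopt` permission cannot be narrowed in policy to one option such as the receive timeout, so the rule should record why that breadth is accepted. A comment above `neverallow appdomain system_server:udp_socket {` such as `# getopt/setopt are deliberately omitted so apps can set the receive timeout on UDP encapsulation sockets (Bug: 68689438); every other operation on these sockets stays forbidden` would keep a later reader from re-adding or further removing permissions without that context. Whether options that require a capability remain blocked by the kernel's capability checks is outside this policy and worth confirming on the bug rather than asserting here.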
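Review bot: The context comment `# modify them other than to connect` is no longer accurate above the new ephemeral_app rule, which adds `setopt` and so lets the app change socket options on system_server's UDP sockets; change it to `# modify them other than to connect or to get/set socket options`. The same stale comment sits above the rewritten allow rules in the platform_app, priv_app, system_app and untrusted_app_all hunks and should be fixed in each. Since `setopt` in policy cannot be limited to a single option, the receive-timeout motivation from the commit message is worth carrying into the comment so the intended scope stays visible next to the rule.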
@@ -71,7 +71,8 @@ read_runtime_log_tags(platform_app)
 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index 565aa4aa5..b13e3f6b7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,7 +147,8 @@ dontaudit priv_app net_dns_prop:file read;
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### neverallow rules
diff --git a/private/system_app.te b/private/system_app.te
index d6be5a301..b2f83764f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@ get_prop(system_app, device_logging_prop)
 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### Neverallow rules
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 949c87acf..6cf166827 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-- 
GitLab