From f19bcfd50fac59724f7b5731557cf086a808d112 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 11 Jul 2016 15:51:16 -0700
Subject: [PATCH] system_server, bluetooth: grant access to priv socket ioctls

Needed for setting up VPN and PAN networks.

avc: denied { ioctl } for pid=1926 comm="Binder:1088_6" path="socket:[21847]" dev="sockfs" ino=21847 ioctlcmd=8922 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=udp_socket permissive=0
avc: denied { ioctl } for comm=425420536572766963652043616C6C path="socket:[152297]" dev="sockfs" ino=152297 ioctlcmd=8927 scontext=u:r:bluetooth:s0 tcontext=u:r:bluetooth:s0 tclass=udp_socket permissive=0

Change-Id: Id29c2f91ff16a02fe75a04d2828896f501ba127f
---
 bluetooth.te | 2 ++
 system_server.te | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 146c0e511..2b99c3e92 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,6 +2,8 @@ type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
 wakelock_use(bluetooth);
diff --git a/system_server.te b/system_server.te
index 71a45cde9..ee6bd2d0b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -42,8 +42,8 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 # in addition to ioctls whitelisted for all domains, also allow system_server
-# to use:
-allowxperm system_server self:udp_socket ioctl SIOCSIFFLAGS;
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 # These are the capabilities assigned by the zygote to the
-- 
GitLab
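Review bot: The new `allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;` line grants the whole privileged-ioctl macro to bluetooth, while the denial quoted in the commit message names a single command (`ioctlcmd=8927`); the same widening happens in the system_server.te hunk, where one explicitly listed command is replaced by the macro. `priv_sock_ioctls` is defined outside this patch, so a reader cannot tell from the hunk how much beyond the observed command is being opened up; if PAN setup only needs one or two commands, listing them explicitly keeps the grant auditable, and if the macro is intended, the comment should at least record what was observed so a later reviewer can narrow it, e.g. `# Allow access to net_admin ioctls (PAN setup; ioctlcmd 0x8927 seen denied)`. Note also that `allowxperm` only refines an `ioctl` permission that must already be granted on `self:udp_socket` — presumably by `net_domain(bluetooth)` on the line above, but that macro's body is not in view, so worth confirming.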
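Review bot: Replacing `SIOCSIFFLAGS` with `priv_sock_ioctls` is only non-regressing if the macro contains `SIOCSIFFLAGS`; the macro definition is not part of this patch, so that should be checked against ioctl_macros before merging, otherwise the previously working interface-flag ioctl would start being denied. Separately, the rewritten comment has a grammar slip and could name the command the commit message cites instead of the vague "privileged ioctls commands": `# to use privileged ioctl commands. Needed to set up VPNs (ioctlcmd 0x8922 seen denied).` The surrounding file context continues outside the hunk.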