Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 02b55354bd662550c2f6a4655baac3f7984b261e^! / .
commit02b55354bd662550c2f6a4655baac3f7984b261e[log] [tgz]
authorPatrick Rohr <prohr@google.com>Tue May 31 20:29:55 2022 -0700
committerPatrick Rohr <prohr@google.com>Tue May 31 20:36:33 2022 -0700
tree7d45f9cd8837a3b82b71c6cab48f36bf42df4716
parent76bfb7ecbfd5274555b7b281e25702a03b4d2035 [diff]
sepolicy: allow TUNSETLINK and TUNSETCARRIER

This is required for testing new ethernet APIs in T.

Test: TH
Bug: 171872016
Change-Id: I1e6024d7d649be50aa2321543b289f81fcdfc483

diff --git a/private/network_stack.te b/private/network_stack.te
index 356bebf..24d2c66 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te

@@ -67,6 +67,10 @@
 # Use XFRM (IPsec) netlink sockets
 allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 # Unfortunately init/vendor_init have all sorts of extra privs
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;

diff --git a/private/system_server.te b/private/system_server.te
index 1f19b05..81cde09 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -478,9 +478,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;

diff --git a/public/ioctl_defines b/public/ioctl_defines
index 1e79682..e900173 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines

@@ -2441,6 +2441,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')