sepolicy: allow TUNSETLINK and TUNSETCARRIER
This is required for testing new ethernet APIs in T.
Test: TH
Bug: 171872016
Change-Id: I1e6024d7d649be50aa2321543b289f81fcdfc483
diff --git a/private/network_stack.te b/private/network_stack.te
index 356bebf..24d2c66 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -67,6 +67,10 @@
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
# Unfortunately init/vendor_init have all sorts of extra privs
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
diff --git a/private/system_server.te b/private/system_server.te
index 1f19b05..81cde09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -478,9 +478,9 @@
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;