sepolicy: allow TUNSETLINK and TUNSETCARRIER This is required for testing new ethernet APIs in T. Test: TH Bug: 171872016 Change-Id: I1e6024d7d649be50aa2321543b289f81fcdfc483

commit: 02b55354bd662550c2f6a4655baac3f7984b261e [log] [tgz]
author: Patrick Rohr <prohr@google.com> Tue May 31 20:29:55 2022 -0700
committer: Patrick Rohr <prohr@google.com> Tue May 31 20:36:33 2022 -0700
tree: 7d45f9cd8837a3b82b71c6cab48f36bf42df4716
parent: 76bfb7ecbfd5274555b7b281e25702a03b4d2035 [diff] [blame]
diff --git a/private/network_stack.te b/private/network_stack.te
index 356bebf..24d2c66 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te

@@ -67,6 +67,10 @@
 # Use XFRM (IPsec) netlink sockets
 allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 # Unfortunately init/vendor_init have all sorts of extra privs
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
commit	02b55354bd662550c2f6a4655baac3f7984b261e	[log] [tgz]
author	Patrick Rohr <prohr@google.com>	Tue May 31 20:29:55 2022 -0700
committer	Patrick Rohr <prohr@google.com>	Tue May 31 20:36:33 2022 -0700
tree	7d45f9cd8837a3b82b71c6cab48f36bf42df4716
parent	76bfb7ecbfd5274555b7b281e25702a03b4d2035 [diff] [blame]