commit 02b55354bd662550c2f6a4655baac3f7984b261e
author Patrick Rohr <prohr@google.com> Tue May 31 20:29:55 2022 -0700
committer Patrick Rohr <prohr@google.com> Tue May 31 20:36:33 2022 -0700
tree 7d45f9cd8837a3b82b71c6cab48f36bf42df4716
parent 76bfb7ecbfd5274555b7b281e25702a03b4d2035

sepolicy: allow TUNSETLINK and TUNSETCARRIER

This is required for testing new ethernet APIs in T.

Test: TH
Bug: 171872016
Change-Id: I1e6024d7d649be50aa2321543b289f81fcdfc483

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 1f19b05..81cde09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -478,9 +478,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;