Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

commit: 252b015365e3ecd5e4353c1555c2eeb9331eb715 [log] [tgz]
author: Nathan Harold <nharold@google.com> Tue Mar 27 06:34:54 2018 -0700
committer: nharold <nharold@google.com> Tue Apr 03 21:52:14 2018 +0000
tree: 0c160ecab219bb4ee33151fb22241baa8778eaf0
parent: 3aa7ca56fdbcc710cb18ddcb53f4eda618ba83a9 [diff] [blame]
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6..75a6317 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -43,7 +43,8 @@
 
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
commit	252b015365e3ecd5e4353c1555c2eeb9331eb715	[log] [tgz]
author	Nathan Harold <nharold@google.com>	Tue Mar 27 06:34:54 2018 -0700
committer	nharold <nharold@google.com>	Tue Apr 03 21:52:14 2018 +0000
tree	0c160ecab219bb4ee33151fb22241baa8778eaf0
parent	3aa7ca56fdbcc710cb18ddcb53f4eda618ba83a9 [diff] [blame]