Merge "Allow UDP Sockets to be returned from IpSecService"
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41..93a73f1 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,6 +24,14 @@
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
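Review bot: The neverallow at the end of the hunk lists the forbidden permissions one by one, so any `udp_socket` permission missing from both lists is neither granted nor guarded. `node_bind` appears to be one such permission, if the class defines it in this tree. Writing the guard as the complement of the grant keeps the two in step and fails closed when permissions are added later: `neverallow untrusted_app system_server:udp_socket ~{ connect getattr read recvfrom sendto write };`. This assumes no other rule outside the hunk grants a wider set. The block also has no comment and sits below the unrelated `create_pty` line; moving it next to the allow rule with a line such as `# Apps may only use, never reconfigure, sockets handed out by system_server` would make the intent clear.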