Merge changes from topic 'ipsec-svc-pick' into oc-dev
* changes:
Add IpSecService SEPolicy
Update Common NetD SEPolicy to allow Netlink XFRM
diff --git a/private/service_contexts b/private/service_contexts
index a65cb01..943cdee 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
diff --git a/public/netd.te b/public/netd.te
index 939d714..3a48cd3 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -83,6 +83,9 @@
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
###
### Neverallow rules
###
diff --git a/public/service.te b/public/service.te
index 9172353..96a692a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -81,6 +81,7 @@
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;