sepolicy: allow TUNSETLINK and TUNSETCARRIER This is required for testing new ethernet APIs in T. This change is not identical to the corresponding AOSP change because it also needs to update the T prebuilts. Test: TH Bug: 171872016 Merged-In: I1e6024d7d649be50aa2321543b289f81fcdfc483 (cherry picked from commit 02b55354bd662550c2f6a4655baac3f7984b261e) Change-Id: I1d620bcd9b3d02c6acb45636bb862f40282f636d

commit: 69fa8ca6f2609e2109a89992de9531c01816c5ae [log] [tgz]
author: Patrick Rohr <prohr@google.com> Tue May 31 20:29:55 2022 -0700
committer: Lorenzo Colitti <lorenzo@google.com> Wed Jun 01 17:26:10 2022 +0900
tree: a136818e4595e5cddd82ae55ecec19c9e0e93200
parent: ee87a35010a4b3d85618707cb87207037c1d85ab [diff]
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index 356bebf..24d2c66 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te

@@ -67,6 +67,10 @@
 # Use XFRM (IPsec) netlink sockets
 allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 # Unfortunately init/vendor_init have all sorts of extra privs
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;

diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index e6c129a..3c49dc3 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te

@@ -478,9 +478,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;

diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index 51cce4e..d46e485 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines

@@ -2438,6 +2438,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')

diff --git a/private/network_stack.te b/private/network_stack.te
index 356bebf..24d2c66 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te

@@ -67,6 +67,10 @@
 # Use XFRM (IPsec) netlink sockets
 allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 # Unfortunately init/vendor_init have all sorts of extra privs
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;

diff --git a/private/system_server.te b/private/system_server.te
index e6c129a..3c49dc3 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -478,9 +478,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;

diff --git a/public/ioctl_defines b/public/ioctl_defines
index 51cce4e..d46e485 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines

@@ -2438,6 +2438,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')
commit	69fa8ca6f2609e2109a89992de9531c01816c5ae	[log] [tgz]
author	Patrick Rohr <prohr@google.com>	Tue May 31 20:29:55 2022 -0700
committer	Lorenzo Colitti <lorenzo@google.com>	Wed Jun 01 17:26:10 2022 +0900
tree	a136818e4595e5cddd82ae55ecec19c9e0e93200
parent	ee87a35010a4b3d85618707cb87207037c1d85ab [diff]