Allow system_server to bind ping sockets. This allows NetworkDiagnostics to send ping packets from specific source addresses in order to detect reachability problems on the reverse path. This addresses the following denial: [ 209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0 Bug: 23661687 Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

commit: c37121436be95ae2ed75cb83605940455446ef4e [log] [tgz]
author: Lorenzo Colitti <lorenzo@google.com> Wed Sep 09 17:39:25 2015 +0900
committer: Lorenzo Colitti <lorenzo@google.com> Wed Sep 09 23:08:27 2015 +0900
tree: d6049a4a671c289c76e289c27a204385bc890041
parent: b55f10e937360f42ce573c7eb9b7914ea75edd49 [diff]
diff --git a/system_server.te b/system_server.te
index 39a19e9..dde7596 100644
--- a/system_server.te
+++ b/system_server.te

@@ -97,9 +97,13 @@
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
-# WifiWatchdog uses a packet_socket
+# The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms;
 
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms;
commit	c37121436be95ae2ed75cb83605940455446ef4e	[log] [tgz]
author	Lorenzo Colitti <lorenzo@google.com>	Wed Sep 09 17:39:25 2015 +0900
committer	Lorenzo Colitti <lorenzo@google.com>	Wed Sep 09 23:08:27 2015 +0900
tree	d6049a4a671c289c76e289c27a204385bc890041
parent	b55f10e937360f42ce573c7eb9b7914ea75edd49 [diff]