Allow getsockopt and setsockopt for Encap Sockets

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
diff --git a/private/app.te b/private/app.te
index 7dceaaa..f3e1e2a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;
 
 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
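Review bot: Dropping `getopt` and `setopt` from this neverallow lifts the compile-time guard for every type in `appdomain`, not only the five domains that receive the new allow rules in this commit. An app domain not touched here (isolated_app, for example, if it carries the appdomain attribute) could later be granted these permissions on system_server UDP sockets without a build error. Consider keeping a narrower assertion next to the relaxed one, such as `neverallow { appdomain -ephemeral_app -platform_app -priv_app -system_app -untrusted_app_all } system_server:udp_socket { getopt setopt };`. A short comment above the rule saying why the two permissions are exempt (receive timeout on UDP encapsulation sockets) would also help the next reader.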
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6..75a6317 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@
 
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
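Review bot: The comment above this rule still says apps may not modify the socket "other than to connect", which is no longer accurate once `setopt` is granted. The same stale comment sits above the matching rules in platform_app.te, priv_app.te, system_app.te and untrusted_app_all.te. The SELinux `setopt` permission is not scoped per option, so the grant covers every socket option the kernel lets the caller set on a system_server-created UDP socket, not only the receive timeout named in the commit message. That matters most for the ephemeral and untrusted domains and is worth stating in the comment. Suggested wording: `# allow ephemeral apps to use UDP sockets provided by the system server and to get/set` followed by `# socket options on them (e.g. receive timeout), but not otherwise modify them`.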
diff --git a/private/platform_app.te b/private/platform_app.te
index 67a9c33..80b20e1 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@
 
 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index 565aa4a..b13e3f6 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,7 +147,8 @@
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
diff --git a/private/system_app.te b/private/system_app.te
index d6be5a3..b2f8376 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@
 
 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 949c87a..6cf1668 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@
 
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm