Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.
This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d
Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
diff --git a/private/system_app.te b/private/system_app.te
index 7b8f3bf..c849aea 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -114,6 +114,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
###
### Neverallow rules
###
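Review bot: The commit message grants this to system, platform, ephemeral and privileged apps, but the only file in this hunk is private/system_app.te; either the corresponding rules for the other app domains belong in this change too, or the message and title should be narrowed to system_app so the policy and its description match. The permission set `{ connect getattr read recvfrom sendto write }` is consistent with the comment that apps may use but not modify the socket beyond connecting (no bind, setattr or setopt are granted); it would help future readers to state that intent in the commit body as well, since the comment is the only place it is recorded, and to confirm that no existing neverallow in the section immediately below this rule covers app domains receiving system_server udp_socket fds.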