Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31

commit: ee268643c17eaf6932c0f2ad8f1552ca7269e3a3 [log] [tgz]
author: Nathan Harold <nharold@google.com> Thu Dec 14 18:20:30 2017 -0800
committer: nharold <nharold@google.com> Mon Jan 15 23:10:42 2018 +0000
tree: b360b71b45294369be55765def7027ff864c2865
parent: 1d2c3f4406cf755432ca3f9cba1e836b438d7672 [diff] [blame]
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index e76407b..a43f04c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -111,3 +111,7 @@
 allow untrusted_app_all traced:fd use;
 allow untrusted_app_all traced_tmpfs:file { read write getattr map };
 unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
commit	ee268643c17eaf6932c0f2ad8f1552ca7269e3a3	[log] [tgz]
author	Nathan Harold <nharold@google.com>	Thu Dec 14 18:20:30 2017 -0800
committer	nharold <nharold@google.com>	Mon Jan 15 23:10:42 2018 +0000
tree	b360b71b45294369be55765def7027ff864c2865
parent	1d2c3f4406cf755432ca3f9cba1e836b438d7672 [diff] [blame]