sepolicy: allow TUNSETLINK and TUNSETCARRIER
This is required for testing new ethernet APIs in T.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 171872016
(cherry picked from commit 02b55354bd662550c2f6a4655baac3f7984b261e)
(cherry picked from commit 69fa8ca6f2609e2109a89992de9531c01816c5ae)
Change-Id: I036e48530e37f7213a21b250b858a37fba3e663b
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index 356bebf..24d2c66 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -67,6 +67,10 @@
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
# Unfortunately init/vendor_init have all sorts of extra privs
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
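Review bot: The comment on the new network_stack rules is copied from system_server.te and talks about 3rd party VPN apps, so it does not explain why network_stack is being given `rw_file_perms` on `tun_device`, which, as far as this hunk shows, it did not have before. The commit message says the access is for testing new ethernet APIs, so the comment should say that and name the two new ioctls, e.g. `# tun device: TUNSETLINK/TUNSETCARRIER let the test network manager set link type and carrier state on test interfaces`. The same wording would help at the system_server.te hunk, where the allowlist gains the same two ioctls. Nothing visible in either hunk limits the rules to userdebug/eng builds, so they presumably apply on production builds too. It is worth confirming that network_stack needs the full open/read/write set and not only the ioctls on a descriptor handed to it.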
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index e6c129a..3c49dc3 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -478,9 +478,9 @@
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index fa96726..0e22670 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -2437,6 +2437,7 @@
define(`TUNGETSNDBUF', `0x800454d3')
define(`TUNGETVNETHDRSZ', `0x800454d7')
define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
define(`TUNSETDEBUG', `0x400454c9')
define(`TUNSETGROUP', `0x400454ce')
define(`TUNSETIFF', `0x400454ca')