[KA08] Allow system_server to call tcp socket ioctl

In order to offload application tcp socket’s keepalive
message, system server must know if application's socket
is idle with no data in send/receive queues. Allow
system_server to use ioctl on all tcp sockets.

Bug: 114151147
Test: -build, flash, boot
Change-Id: I3f5a0e06bc22f8a64ae6180db48df2a31106c511
diff --git a/private/system_server.te b/private/system_server.te
index 98ae7f8..2cf5ea7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -53,6 +53,12 @@
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:global_capability_class_set {
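Review bot: The new rule `allow system_server appdomain:tcp_socket ioctl;` covers every app domain's TCP sockets, but neither the rule nor its comment names the ioctl commands that the keepalive offload needs. The commit message says the goal is only to check whether the send/receive queues are empty, and the comment relies on the default set in public/domain.te without saying whether that set already contains the queue-state commands. Either state in the comment that the default set is sufficient, or add an explicit `allowxperm system_server appdomain:tcp_socket ioctl ...` line listing exactly those commands, in the same style as the `allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;` line just above. That way the granted surface is visible in this file and a later change to the shared default set does not silently widen or break it. The Test line lists only build, flash and boot; a check that the idle-socket query on an app's socket succeeds without an avc denial would show that the rule is both needed and sufficient.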