Allow binder services to r/w su:tcp_socket Test: binderHostDeviceTest Bug: 182914638 Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9

commit: be04b091bbfcdddcac39b474631c77ed47a1a4aa [log] [tgz]
author: Yifan Hong <elsk@google.com> Mon Jun 07 12:37:31 2021 -0700
committer: Yifan Hong <elsk@google.com> Tue Jun 08 10:39:02 2021 -0700
tree: f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent: c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]
diff --git a/private/audioserver.te b/private/audioserver.te
index 2d0b46d..feda8d4 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te

@@ -95,7 +95,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Allow using wake locks
 wakelock_use(audioserver)
commit	be04b091bbfcdddcac39b474631c77ed47a1a4aa	[log] [tgz]
author	Yifan Hong <elsk@google.com>	Mon Jun 07 12:37:31 2021 -0700
committer	Yifan Hong <elsk@google.com>	Tue Jun 08 10:39:02 2021 -0700
tree	f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent	c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]