Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.
This is analogous to the earlier change that
permitted these sockets for untrusted_apps:
0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d
Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
diff --git a/private/app.te b/private/app.te
index 9c4461c..7dceaaa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,7 @@
# TODO: deal with tmpfs_domain pub/priv split properly
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+ accept append bind create getopt ioctl listen lock name_bind
+ relabelfrom relabelto setattr setopt shutdown };
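Review bot: The new appdomain neverallow leaves `node_bind` (and `map`, if this tree's udp_socket class defines it) in neither the forbidden set here nor the allowed set granted in the per-domain files, so a later `allow` of those permissions would pass the build unnoticed; adding `node_bind` next to `name_bind` makes the two sets partition the class. The rule also lands without a comment stating why it exists, unlike the allow rules it bounds; a one-liner such as `# Apps may only use UDP sockets handed to them by system_server, never bind, reconfigure or relabel them.` would tie it to the allow rules in the other files. The hunk shows only the top of app.te, so whether the file has a dedicated neverallow section further down cannot be seen from here.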
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index dbfbcf9..e0547b6 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -41,6 +41,10 @@
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
###
### neverallow rules
###
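Review bot: The allow rule and its two-line comment are duplicated verbatim in platform_app.te, priv_app.te, system_app.te and untrusted_app_all.te, so five copies now have to be kept in step by hand; a shared macro, or a single rule on a common attribute if one fits the intended set of domains, would avoid drift. The comment's "but not modify them other than to connect" is only true because of the appdomain neverallow added in app.te, which a reader of this file cannot see; consider `# The matching neverallow on appdomain in app.te bounds this set.` Whether isolated_app is meant to be excluded is not stated anywhere in the change and would be worth a sentence in the description.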
diff --git a/private/platform_app.te b/private/platform_app.te
index ee0590c..2596a8e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,10 @@
read_runtime_log_tags(platform_app)
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
###
### Neverallow rules
###
diff --git a/private/priv_app.te b/private/priv_app.te
index 92bfc57..9909e06 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -128,6 +128,10 @@
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
###
### neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index 7b8f3bf..c849aea 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -114,6 +114,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
###
### Neverallow rules
###
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 93a73f1..68c1a41 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,14 +24,6 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
-
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)
-
-neverallow untrusted_app system_server:udp_socket {
- accept append bind create getopt ioctl listen lock name_bind
- relabelfrom relabelto setattr setopt shutdown };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index e76407b..a43f04c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -111,3 +111,7 @@
allow untrusted_app_all traced:fd use;
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
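Review bot: Moving the rule from untrusted_app.te into untrusted_app_all.te extends it to every domain carrying the untrusted_app_all attribute (for example untrusted_app_25, if present in this tree), not just untrusted_app, and the commit description lists only system, platform, ephemeral and privileged apps. That widening looks intentional given the appdomain neverallow, but it should be stated in the description or here, e.g. `# Applies to all untrusted_app_* domains; the bounding neverallow lives in app.te.` The neverallow that used to sit beside the rule in untrusted_app.te is gone from this file, so the comment's "but not modify them other than to connect" now relies on app.te.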