Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31

commit: ee268643c17eaf6932c0f2ad8f1552ca7269e3a3 [log] [tgz]
author: Nathan Harold <nharold@google.com> Thu Dec 14 18:20:30 2017 -0800
committer: nharold <nharold@google.com> Mon Jan 15 23:10:42 2018 +0000
tree: b360b71b45294369be55765def7027ff864c2865
parent: 1d2c3f4406cf755432ca3f9cba1e836b438d7672 [diff] [blame]
diff --git a/private/app.te b/private/app.te
index 9c4461c..7dceaaa 100644
--- a/private/app.te
+++ b/private/app.te

@@ -1,3 +1,7 @@
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
commit	ee268643c17eaf6932c0f2ad8f1552ca7269e3a3	[log] [tgz]
author	Nathan Harold <nharold@google.com>	Thu Dec 14 18:20:30 2017 -0800
committer	nharold <nharold@google.com>	Mon Jan 15 23:10:42 2018 +0000
tree	b360b71b45294369be55765def7027ff864c2865
parent	1d2c3f4406cf755432ca3f9cba1e836b438d7672 [diff] [blame]