netdomain: allow node_bind for ping sockets

Grant for icmp_socket for devices with 4.14 or greater kernel, and rawip_socket for devices with earlier kernels. Bug: 122572608 Test: build Change-Id: I1c9d2ce6761dbd2c4db3635600c5f5c335461083

netdomain: allow node_bind for ping sockets
Grant for icmp_socket for devices with 4.14 or greater kernel, and rawip_socket for devices with earlier kernels. Bug: 122572608 Test: build Change-Id: I1c9d2ce6761dbd2c4db3635600c5f5c335461083
036090d2 · Jeff Vander Stoep · Jeffrey Vander Stoep · 75448f83 · 036090d2 · 036090d2
Commit 036090d2 authored 6 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 6 years ago
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -150,10 +150,6 @@ allow system_server stats_data_file:file unlink;
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;

-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms_no_ioctl;


--- a/public/net.te
+++ b/public/net.te
@@ -14,7 +14,7 @@ allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
 allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
 allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.