From 036090d203730b520660ce0b926284b361092e8b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 11 Jan 2019 15:50:21 -0800
Subject: [PATCH] netdomain: allow node_bind for ping sockets

Grant it for icmp_socket on devices with a 4.14 or later kernel, and for
rawip_socket on devices with earlier kernels.

Bug: 122572608
Test: build
Change-Id: I1c9d2ce6761dbd2c4db3635600c5f5c335461083
---
 private/system_server.te | 4 ----
 public/net.te            | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index e183606d7..46fb59182 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -150,10 +150,6 @@ allow system_server stats_data_file:file unlink;
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms_no_ioctl;
 
diff --git a/public/net.te b/public/net.te
index 5867d67f5..afa2a9c8c 100644
--- a/public/net.te
+++ b/public/net.te
@@ -14,7 +14,7 @@ allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
 allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
 allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
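Review bot: The rewritten rule on the `+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket ... } node_bind;` line grants rawip_socket node_bind to every netdomain unconditionally, while the description says rawip_socket is only needed on pre-4.14 kernels that do not distinguish ping sockets from raw sockets; on newer kernels that part of the grant is wider than the stated need and nothing in the policy gates it on kernel version. The justification that previously lived next to the system_server rule (removed in the first hunk of this patch) is not carried over, so a reader of net.te cannot tell why raw-IP sockets may bind here or that the grant is meant for ping. Suggest restoring it directly above the rule: `# Ping sockets need node_bind: icmp_socket on 4.14+ kernels, rawip_socket on older kernels that do not distinguish ping from raw sockets.` If the rawip_socket half can be limited to the domains that actually bind ping sockets on older kernels, that would preserve the narrower scope the deleted system_server rule had.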
-- 
GitLab