From 8a8d4ef5329f700f150db9bbfa2940e16af796c2 Mon Sep 17 00:00:00 2001
From: Yongqin Liu <yongqin.liu@linaro.org>
Date: Mon, 2 Jul 2018 18:34:18 +0800
Subject: [PATCH] public/netd.te: allow netd to operate icmp_socket that passed
 to it

This should be supplement for the change here:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/708638

When test the cts libcore.libcore.io.OsTest#test_socketPing test case, it will fail
with avc denial message like following:

[ 1906.617027] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617189] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617206] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617313] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617330] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1907.832425] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1

Test: run cts -m CtsLibcoreTestCases -t libcore.libcore.io.OsTest#test_socketPing

Change-Id: If41cb804292834b8994333f170d1f7f837bcd7df
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
---
 public/netd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/netd.te b/public/netd.te
index faf7cacdd..7657eaf9d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -94,6 +94,7 @@ allow netd netd_listener_service:service_manager find;
 
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{
+  icmp_socket
   tcp_socket
   udp_socket
   rawip_socket
-- 
GitLab