Allow getsockopt and setsockopt for Encap Sockets

Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
ea4eaaf1 · Nathan Harold · 49e7b04a · ea4eaaf1 · ea4eaaf1 · ea4eaaf1
Commit ea4eaaf1 authored 7 years ago by Nathan Harold
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;
 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
+        accept append bind create ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        relabelfrom relabelto setattr shutdown };
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@ unix_socket_connect(ephemeral_app, traced_producer, traced)
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### neverallow rules

--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@ read_runtime_log_tags(platform_app)
 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### Neverallow rules

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,7 +147,8 @@ dontaudit priv_app net_dns_prop:file read;
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### neverallow rules

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@ get_prop(system_app, device_logging_prop)
 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 ###
 ### Neverallow rules

--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm