system_server, bluetooth: grant access to priv socket ioctls

Needed for setting up VPN and PAN networks.

avc: denied { ioctl } for pid=1926 comm="Binder:1088_6" path="socket:[21847]" dev="sockfs" ino=21847 ioctlcmd=8922 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=udp_socket permissive=0

avc: denied { ioctl } for comm=425420536572766963652043616C6C path="socket:[152297]" dev="sockfs" ino=152297 ioctlcmd=8927 scontext=u:r:bluetooth:s0 tcontext=u:r:bluetooth:s0 tclass=udp_socket permissive=0

Change-Id: Id29c2f91ff16a02fe75a04d2828896f501ba127f

bluetooth.te

@@ -2,6 +2,8 @@
 type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
 
 wakelock_use(bluetooth);
 

system_server.te

@@ -42,8 +42,8 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 # in addition to ioctls whitelisted for all domains, also allow system_server
-# to use:
-allowxperm system_server self:udp_socket ioctl SIOCSIFFLAGS;
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
 # These are the capabilities assigned by the zygote to the