From fd21dc0e1fd3f8605533a840611856eaaa0a0dc8 Mon Sep 17 00:00:00 2001
From: Jorge Lucangeli Obes <jorgelo@google.com>
Date: Fri, 17 Mar 2017 13:48:39 -0400
Subject: [PATCH] ppp: Allow specific ioctls on mtp:socket.

The fix for b/35100237 surfaced this error. This SELinux policy
fragment was included only on Marlin, but needs to be included in core
policy.

Bug: 35100237
Test: With https://android-review.googlesource.com/#/c/354292/
Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin.
Test: Connect:
03-17 15:41:22.602  3809  3809 I mtpd    : Starting pppd (pppox = 9)
03-17 15:41:22.628  3811  3811 I pppd    : Using PPPoX (socket = 9)
03-17 15:41:22.637  3811  3811 I pppd    : pppd 2.4.7 started by vpn, uid 1016
03-17 15:41:22.639  3811  3811 I pppd    : Using interface ppp0
03-17 15:41:22.639  3811  3811 I pppd    : Connect: ppp0 <-->
03-17 15:41:22.770  3811  3811 I pppd    : CHAP authentication succeeded
03-17 15:41:22.909  3811  3811 I pppd    : MPPE 128-bit stateless compression enabled
03-17 15:41:23.065  3811  3811 I pppd    : local  IP address 172.16.36.113
03-17 15:41:23.065  3811  3811 I pppd    : remote IP address 172.16.36.1
03-17 15:41:23.065  3811  3811 I pppd    : primary   DNS address 8.8.8.8
03-17 15:41:23.065  3811  3811 I pppd    : secondary DNS address 91.239.100.100

Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927
---
 public/ppp.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/public/ppp.te b/public/ppp.te
index 9c1b7078b..7a5eada59 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -7,7 +7,12 @@ net_domain(ppp)
 
 r_dir_file(ppp, proc_net)
 
-allow ppp mtp:socket rw_socket_perms_no_ioctl;
+allow ppp mtp:socket rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:socket ioctl ppp_ioctls;
+
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
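Review bot: The added `allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;` grants the whole privileged socket-ioctl macro, and the comment above it (`# ioctls needed for VPN.`) does not record which commands pppd actually issues, so a later reader cannot tell whether the grant is minimal. The macro's definition is outside this hunk, but if it covers more than the interface-configuration calls seen in the denials, listing only those commands in braces would keep the domain closer to least privilege. At minimum I would expand the comment, e.g. `# pppd configures the ppp interface via ioctls on its own udp_socket; PPP ioctls go to the PPPoX socket passed in by mtpd (b/35100237).` It is also worth confirming that widening `mtp:socket` from `rw_socket_perms_no_ioctl` to `rw_socket_perms` stays bounded by the `ppp_ioctls` allowxperm rule on every target, since without that rule the plain `ioctl` permission would allow any command on the socket.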
-- 
GitLab