Allow binder services to r/w su:tcp_socket

Test: binderHostDeviceTest Bug: 182914638 Change-Id: I6cc52b4702c3b03f3d8033bec0ee4227391affc5
author: Yifan Hong <elsk@google.com> 2021-06-08 10:38:19 -0700
committer: Steven Moreland <smoreland@google.com> 2021-06-08 20:20:59 +0000
commit: d030ad6b1c30c888d73599a66874fefae5abb90c (patch)
tree: eb960f4580beb078d8940cdcb054d5d3778b1de5
parent: ce9e9e32725e467693758e3a2224e43bc7d270bf (diff)
download: device_mediatek_wembley-sepolicy-d030ad6b1c30c888d73599a66874fefae5abb90c.tar.gz
device_mediatek_wembley-sepolicy-d030ad6b1c30c888d73599a66874fefae5abb90c.tar.bz2
device_mediatek_wembley-sepolicy-d030ad6b1c30c888d73599a66874fefae5abb90c.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te
index 48ef236..ea6e647 100644
--- a/non_plat/mtk_hal_audio.te
+++ b/non_plat/mtk_hal_audio.te
@@ -27,7 +27,8 @@ neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
 
 # mtk_hal_audio should never need network access.
 # Disallow network sockets.
-neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mtk_hal_audio domain:{ udp_socket rawip_socket } *;
+neverallow mtk_hal_audio { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Date : WK14.32
 # Operation : Migration
author	Yifan Hong <elsk@google.com>	2021-06-08 10:38:19 -0700
committer	Steven Moreland <smoreland@google.com>	2021-06-08 20:20:59 +0000
commit	d030ad6b1c30c888d73599a66874fefae5abb90c (patch)
tree	eb960f4580beb078d8940cdcb054d5d3778b1de5
parent	ce9e9e32725e467693758e3a2224e43bc7d270bf (diff)
download	device_mediatek_wembley-sepolicy-d030ad6b1c30c888d73599a66874fefae5abb90c.tar.gz device_mediatek_wembley-sepolicy-d030ad6b1c30c888d73599a66874fefae5abb90c.tar.bz2 device_mediatek_wembley-sepolicy-d030ad6b1c30c888d73599a66874fefae5abb90c.zip