authorLorenzo Colitti <lorenzo@google.com>2015-09-09 17:39:25 +0900
committerLorenzo Colitti <lorenzo@google.com>2015-09-14 11:33:20 +0900
commit16c36f68ae575a87e438329e6d159532d61cf113 (patch)
tree5acc0a57cabb9b62e1d61103dc23c9d823d40ae9
parent1c38b8a225db3fa3f12e4892985c48e369550235 (diff)
Allow system_server to bind ping sockets.
This allows NetworkDiagnostics to send ping packets from specific source addresses in order to detect reachability problems on the reverse path. This addresses the following denial: [ 209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0 Bug: 23661687 (cherry picked from commit c37121436be95ae2ed75cb83605940455446ef4e) Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2
-rw-r--r--system_server.te6
1 files changed, 5 insertions, 1 deletions
diff --git a/system_server.te b/system_server.te
index 0b18eb4..c9d8f3b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -101,9 +101,13 @@ allow system_server proc_sysrq:file rw_file_perms;
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
-# WifiWatchdog uses a packet_socket
+# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms;
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;
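Review bot: The added rule `allow system_server node:rawip_socket node_bind;` grants more than the ping-socket use its comment describes. Because ping sockets are checked under the rawip_socket class, the same rule lets any genuine raw IP socket owned by system_server bind to every address labelled `node`. Whether system_server is allowed to create raw sockets at all is not visible in this hunk, so the practical widening depends on rules elsewhere in the file. I would record the side effect next to the rule so it is revisited later, for example `# NOTE: this also covers real raw sockets in system_server; narrow it once the kernel gives ping sockets their own class.`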