From 16c36f68ae575a87e438329e6d159532d61cf113 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 9 Sep 2015 17:39:25 +0900
Subject: Allow system_server to bind ping sockets.

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687

(cherry picked from commit c37121436be95ae2ed75cb83605940455446ef4e)

Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2
---
 system_server.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/system_server.te b/system_server.te
index 0b18eb4..c9d8f3b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -101,9 +101,13 @@ allow system_server proc_sysrq:file rw_file_perms;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
-# WifiWatchdog uses a packet_socket
+# The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms;
 
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms;
 
-- 
cgit v1.2.3