Commit 8a09cc22 authored by Richard Haines

goldfish_setup: grant ifconfig priv_sock_ioctls



The goldfish_setup shell script needs the ability to set the interface
address via ifconfig. This requires SIOCSIFADDR plus other ioctl
permissions, therefore allow the set of priv_sock_ioctls permissions.

Addresses the following denial that stops internet access via browser:
avc: denied { ioctl } for pid=712 comm="ifconfig" path="socket:[1825]"
dev="sockfs" ino=1825 ioctlcmd=8916 scontext=u:r:goldfish_setup:s0
tcontext=u:r:goldfish_setup:s0 tclass=udp_socket permissive=0

Test: With update can access internet via browser.

Change-Id: I77a52c0b72bb0ebe9451f45c346a399c1f61672d
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
parent 92396e17
+1 −0
@@ -12,6 +12,7 @@ allow goldfish_setup system_file:file execute_no_trans;
allow goldfish_setup toolbox_exec:file rx_file_perms;
allow goldfish_setup self:capability { net_admin net_raw };
allow goldfish_setup self:udp_socket create_socket_perms;
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;

net_domain(goldfish_setup)
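
Review bot: The allowxperm rule on goldfish_setup self:udp_socket grants the whole priv_sock_ioctls set, while the denial quoted in the commit message shows a single command, ioctlcmd=8916 (SIOCSIFADDR). The message says other ioctls are required as well but does not name them. Please either list the specific commands ifconfig issues in the rule, or add a comment above it recording which ones were observed, so the breadth of the grant can be checked against what the script actually does. This domain already holds net_admin and net_raw, so the ioctl allowlist is the part of the policy that limits which privileged socket operations it can reach, and it is worth keeping as narrow as the script allows.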