From e9cafb91d2c2fcfbb233a402f09754b7ea04fcf9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 6 May 2019 12:52:17 -0700
Subject: [PATCH] ppp: support using pppox_socket family
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families") modified the kernel to support fine grain differentiation of socket families, if userspace enables it (which Android does).
Modify the ppp SELinux policy to allow the use of pppox_socket (needed for kernels 4.14 or greater) and the generic "socket" family (for kernels below 4.14).
Addresses the following denials:
04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
Bug: 130852066
Test: compiles
Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc
---
 public/ppp.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/public/ppp.te b/public/ppp.te
index 0fc3bee81..b736deff5 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -7,11 +7,11 @@ net_domain(ppp)
 r_dir_file(ppp, proc_net_type)
-allow ppp mtp:socket rw_socket_perms;
+allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
 # ioctls needed for VPN.
 allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:socket ioctl ppp_ioctls;
+allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
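Review bot: The new `allow ppp mtp:{ socket pppox_socket } rw_socket_perms;` line carries no comment explaining why both classes are listed, so a future cleanup is likely to drop one of them and silently regress either pre-4.14 kernels (generic `socket`) or 4.14+ kernels with extended socket classes (`pppox_socket`); the rationale lives only in the commit message. I would add, directly above that line, `# Both classes are needed: pppox_socket on kernels >= 4.14 (extended socket classes), generic socket on older kernels.` The same applies to the `allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;` line, which is correctly kept as an xperm-restricted grant rather than an unrestricted ioctl. The quoted denial shows `ioctlcmd=0x7437`; since `ppp_ioctls` is defined outside this hunk, it is worth confirming that value is a member of that set, otherwise the pppox_socket ioctl denial will persist in enforcing mode despite this change.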