From 8a09cc22979490275a34c28f6d2da9407bbcddde Mon Sep 17 00:00:00 2001 From: Richard Haines Date: Thu, 20 Oct 2016 15:47:44 +0100 Subject: [PATCH] goldfish_setup: grant ifconfig priv_sock_ioctls The goldfish_setup shell script needs the ability to set the interface address via ifconfig. This requires SIOCSIFADDR plus other ioctl permissions, therefore allow the set of priv_sock_ioctls permissions. Addresses the following denial that stops internet access via browser: avc: denied { ioctl } for pid=712 comm="ifconfig" path="socket:[1825]" dev="sockfs" ino=1825 ioctlcmd=8916 scontext=u:r:goldfish_setup:s0 tcontext=u:r:goldfish_setup:s0 tclass=udp_socket permissive=0 Test: With update can access internet via browser. Change-Id: I77a52c0b72bb0ebe9451f45c346a399c1f61672d Signed-off-by: Richard Haines --- target/board/generic/sepolicy/goldfish_setup.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index b8f121cda..bc25967e4 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -12,6 +12,7 @@ allow goldfish_setup system_file:file execute_no_trans;
 allow goldfish_setup toolbox_exec:file rx_file_perms;
 allow goldfish_setup self:capability { net_admin net_raw };
 allow goldfish_setup self:udp_socket create_socket_perms;
+allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
 net_domain(goldfish_setup)
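Review bot: The added `allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;` grants the whole privileged socket-ioctl set, while the only denial quoted in the commit message is `ioctlcmd=8916`, which the description identifies as SIOCSIFADDR. Combined with the existing `self:capability { net_admin net_raw }` line, the domain can then issue any privileged interface ioctl on its own UDP sockets, which is more than the stated need of setting an address with ifconfig. The message mentions "other ioctl permissions" without naming them, so I would collect the remaining denials and enumerate them instead, in the form `allowxperm goldfish_setup self:udp_socket ioctl { SIOCSIFADDR <other ioctls seen in denials> };`. If the full macro is kept, a comment above the rule such as `# ifconfig in the goldfish setup script sets the interface address (SIOCSIFADDR and related)` would record why the broad grant exists.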