Allow binder services to r/w su:tcp_socket am: d030ad6b1candroid-s-beta-4 android-s-beta-3 android-s-beta-4

Original change: https://android-review.googlesource.com/c/device/mediatek/wembley-sepolicy/+/1730394 Change-Id: Ia9c524f09aa9212f98a1d25d0e3bdc744da4491b
author: Yifan Hong <elsk@google.com> 2021-06-08 22:30:46 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2021-06-08 22:30:46 +0000
commit: 263f4c655d578559180759e56e145a71437e1f52 (patch)
tree: eb960f4580beb078d8940cdcb054d5d3778b1de5
parent: 81656c39f47143c67b12534467f5d74787a510e9 (diff)
parent: d030ad6b1c30c888d73599a66874fefae5abb90c (diff)
download: wembley-sepolicy-android-s-beta-4.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te
index 48ef236..ea6e647 100644
--- a/non_plat/mtk_hal_audio.te
+++ b/non_plat/mtk_hal_audio.te
@@ -27,7 +27,8 @@ neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
 
 # mtk_hal_audio should never need network access.
 # Disallow network sockets.
-neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mtk_hal_audio domain:{ udp_socket rawip_socket } *;
+neverallow mtk_hal_audio { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Date : WK14.32
 # Operation : Migration
author	Yifan Hong <elsk@google.com>	2021-06-08 22:30:46 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2021-06-08 22:30:46 +0000
commit	263f4c655d578559180759e56e145a71437e1f52 (patch)
tree	eb960f4580beb078d8940cdcb054d5d3778b1de5
parent	81656c39f47143c67b12534467f5d74787a510e9 (diff)
parent	d030ad6b1c30c888d73599a66874fefae5abb90c (diff)
download	wembley-sepolicy-android-s-beta-4.tar.gz