author: Maciej Żenczykowski <maze@google.com> 2020-04-02 03:05:18 -0700
committer: Maciej Żenczykowski <maze@google.com> 2020-04-02 14:42:06 +0000
commit: 3e5b166512c7da1fcbb4b42fa908c3ad0b5eb850 (patch)
tree: 4c50901bfb582005b76aeed41df1920327443af4 /server/TetherController.cpp
parent: 15df207b1e6fc1735020daf6937d9027f5a71e03 (diff)
netdclient - attempt to eliminate spurious netd selinux denials on unix_stream_sockets
This should hopefully fix for example:
  avc: denied { read write } for comm="netd" path="socket:[1580915]" dev="sockfs" ino=1580915 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0

Make sure protectFromVpn() only passes AF_INET/AF_INET6 sockets to netd.

Let us make sure that we pass real AF_INET/AF_INET6 sockets to netd from sendmmsg/sendmsg/sendto - the type of the socket when erroneously used by an app might not necessarily match the address family of the passed in sockaddr.
  ie. sendto(AF_LOCAL_socket, AF_INET_sockaddr)

Note that this also means these system calls will now honour the 'ANDROID_NO_USE_FWMARK_CLIENT' env variable for euid=0 processes.

While we're at it also add some missing parentheses in a macro.

Test: build, atest netdclient_test
Bug: 77870037
Change-Id: I1040838950d363f08a02593e9b669fec31fa847b
Diffstat (limited to 'server/TetherController.cpp')
0 files changed, 0 insertions, 0 deletions