sepolicy: allow TUNSETLINK and TUNSETCARRIER

This is required for testing new ethernet APIs in T.

Test: TH
Bug: 171872016
Change-Id: I1e6024d7d649be50aa2321543b289f81fcdfc483

private/network_stack.te

@@ -67,6 +67,10 @@ allow network_stack bpfloader:bpf { map_read map_write prog_run };
 # Use XFRM (IPsec) netlink sockets
 allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 # Unfortunately init/vendor_init have all sorts of extra privs
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;

private/system_server.te

@@ -478,9 +478,9 @@ allow system_server uhid_device:chr_file rw_file_perms;
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;

public/ioctl_defines

@@ -2441,6 +2441,7 @@ define(`TUNGETIFF', `0x800454d2')
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')