Merge "Allow isolated_app to use TCP and UDP sockets brokered over IPC."

Robert Sesek 2020-01-21 21:38:40 +00:00 committed by Gerrit Code Review
commit 3689c1481a


@ -13,6 +13,10 @@ app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
@ -130,7 +134,7 @@ neverallow isolated_app {
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app self:{
neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
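Review bot: The new allow rule in the first hunk grants `rw_socket_perms_no_ioctl`, which is defined outside this page and, as far as I recall from the AOSP global macros, includes `bind`, `connect`, `setopt` and `setattr` in addition to read/write. That is broader than the comment "New socket creation is not permitted" implies, because an isolated process handed an unconnected socket could pick the endpoint itself instead of relying on the broker. If the broker always connects the socket before passing it, consider narrowing the rule to `allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { read write getattr getopt shutdown };`, or extend the comment to say why the wider set is needed. The widened `neverallow` in the second hunk continues past the visible lines, so its permission set cannot be checked here; it is worth confirming that it still forbids `create` on these classes for the brokered domains.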