Merge "Allow ephemeral apps network connections"

public/ephemeral_app.te

@@ -11,7 +11,7 @@
 ###
 ### PackageManager flags an app as ephemeral at install time.
 type ephemeral_app, domain;
-
+net_domain(ephemeral_app)
 # allow JITing
 allow ephemeral_app self:process execmem;
 allow ephemeral_app ashmem_device:chr_file execute;
@@ -38,6 +38,11 @@ allow ephemeral_app zygote:unix_dgram_socket write;
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
 
+# Keychain and user-trusted credentials
+r_dir_file(ephemeral_app, keychain_data_file)
+allow ephemeral_app misc_user_data_file:dir r_dir_perms;
+allow ephemeral_app misc_user_data_file:file r_file_perms;
+
 # Allow apps to read/execute installed binaries
 allow ephemeral_app ephemeral_apk_data_file:dir search;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };

public/net.te

@@ -9,9 +9,9 @@ allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };