From f6b59fe6442d4d3ac308020f9a6912da49a58592 Mon Sep 17 00:00:00 2001
From: markchien
Date: Wed, 16 Jan 2019 19:23:58 +0800
Subject: [PATCH] [KA08] Allow system_server call tcp socket ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to offload application tcp socket’s keepalive message, system server must know if application's socket is idle with no data in send/receive queues. Allow system_server to use ioctl on all tcp sockets.

Bug: 114151147
Test: -build, flash, boot
Change-Id: I3f5a0e06bc22f8a64ae6180db48df2a31106c511
---
 private/system_server.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index 98ae7f8e1..2cf5ea7f6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -53,6 +53,12 @@ net_domain(system_server)
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
 # These are the capabilities assigned by the zygote to the + # system server.
 allow system_server self:global_capability_class_set {
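Review bot: The added `allow system_server appdomain:tcp_socket ioctl;` grants the ioctl permission on every app domain's TCP socket, and the set of ioctl commands it actually permits is bounded only if an `allowxperm` rule already covers the system_server→appdomain tcp_socket pair; the comment defers to a whitelist in public/domain.te that is not visible in this hunk. Because the description needs only the send/receive queue-length ioctls (SIOCINQ/SIOCOUTQ, i.e. FIONREAD/TIOCOUTQ), pairing the allow with an explicit extended-permission rule in the style of the existing `allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;` context line — `allowxperm system_server appdomain:tcp_socket ioctl { FIONREAD TIOCOUTQ };`, using whichever names ioctl_macros defines for them — would make the intended scope auditable here rather than dependent on the generic whitelist. The comment would also read better naming those two ioctls instead of "a small set of safe values", and the description's "on all tcp sockets" overstates a rule that targets appdomain only. Since `Test:` lists only build/flash/boot, it is also unclear whether the offload path was observed to run without an avc denial on the ioctl it issues.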