data: allow necessary socket operations for telux test app

- Allow necessary TCP socket operations for telux_power_refd and data_keep_alive_app CRs-Fixed: 4002695 Change-Id: Ib8228f96c9d3da859cc7c2166ee1685f489b6e2e

data: allow necessary socket operations for telux test app
- Allow necessary TCP socket operations for telux_power_refd and data_keep_alive_app CRs-Fixed: 4002695 Change-Id: Ib8228f96c9d3da859cc7c2166ee1685f489b6e2e
e40f3f3b · Abhijeet Jagdale · 2c625992 · e40f3f3b · e40f3f3b
Commit e40f3f3b authored 2 months ago by Abhijeet Jagdale
--- a/recipes-security/auto-sepolicy/common/device/data_keep_alive_app.te
+++ b/recipes-security/auto-sepolicy/common/device/data_keep_alive_app.te
@@ -19,3 +19,23 @@ telux_allow_console_apps(data_keep_alive_app_t)

 #Allow setting TCU activity state
 telux_allow_data_ka_offload_ops(data_keep_alive_app_t)
+
+#Allow data clients
+telux_allow_data(data_keep_alive_app_t)
+
+# Allow to perform necessary actions on tcp_socket
+allow data_keep_alive_app_t self:tcp_socket { create setopt bind connect read write shutdown listen accept };
+
+gen_require(`
+    type unreserved_port_t;
+    type node_t;
+')
+
+# Allow to name bind and name connect for unreserved port
+allow data_keep_alive_app_t unreserved_port_t:tcp_socket { name_bind name_connect };
+
+# Allow to bind to node_t
+allow data_keep_alive_app_t node_t:tcp_socket node_bind;
+
+# Allow to bind to network service ports
+allow data_keep_alive_app_t self:capability net_bind_service;
--- a/recipes-security/auto-sepolicy/common/device/telux_power_refd.te
+++ b/recipes-security/auto-sepolicy/common/device/telux_power_refd.te
@@ -44,10 +44,13 @@ dontaudit telux_power_refd_t default_t:dir search;
 dontaudit telux_power_refd_t self:capability sys_module;
 dontaudit telux_power_refd_t sysctl_t:dir search;

+# Allow data_keep_alive to bind to network service ports
+allow telux_power_refd_t self:capability net_bind_service;
+
 #TCP/UDP socket for NAOIP trigger
-allow telux_power_refd_t self:tcp_socket { create setopt bind listen accept node_bind name_bind read shutdown };
+allow telux_power_refd_t self:tcp_socket { create setopt bind listen accept node_bind name_bind read shutdown connect write shutdown };
 allow telux_power_refd_t http_cache_port_t:tcp_socket { name_bind };
-allow telux_power_refd_t unreserved_port_t:tcp_socket { name_bind };
+allow telux_power_refd_t unreserved_port_t:tcp_socket { name_bind name_connect };
 allow telux_power_refd_t node_t:tcp_socket { node_bind };
 allow telux_power_refd_t unreserved_port_t:udp_socket { name_bind };
 allow telux_power_refd_t node_t:udp_socket { node_bind };