netdclient - attempt to eliminate spurious netd selinux denials on unix_stream_sockets
This should hopefully fix for example:
avc: denied { read write } for comm="netd" path="socket:[1580915]" dev="sockfs" ino=1580915 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0
Make sure protectFromVpn() only passes AF_INET/AF_INET6 sockets to netd.
Let us make sure that we pass real AF_INET/AF_INET6 sockets to netd
from sendmmsg/sendmsg/sendto - the type of the socket when erroneously
used by an app might not necessarily match the address family of the
passed in sockaddr. ie. sendto(AF_LOCAL_socket, AF_INET_sockaddr)
Note that this also means these system calls will now honour the
'ANDROID_NO_USE_FWMARK_CLIENT' env variable for euid=0 processes.
While we're at it also add some missing parentheses in a macro.
Test: build, atest netdclient_test
Bug: 77870037
Change-Id: I1040838950d363f08a02593e9b669fec31fa847b
Merged-In: I1040838950d363f08a02593e9b669fec31fa847b
2 files changed
