sepolicy: grant network_stack CAP_WAKE_ALARM
It is effectively an oversight that bluetooth has this but network stack does not.

This prevents the network stack process from (for example) using timerfd_create with CLOCK_{REAL,BOOT}TIME_ALARM, without trampolining through parts of the mainline module which are shipped as part of the system server.

See: https://man7.org/linux/man-pages/man2/timerfd_create.2.html

Bug: 316171727
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iba95c80f830784a587fa4df6867a99bcb96ace79
parent 34820408dd
commit fd0efeb043
1 changed files with 2 additions and 0 deletions
|
@ -13,6 +13,8 @@ allow network_stack self:global_capability_class_set {
|
|||
net_raw
|
||||
};
|
||||
|
||||
allow network_stack self:global_capability2_class_set wake_alarm;
|
||||
|
||||
# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
|
||||
allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
|
|
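Review bot: the added `allow network_stack self:global_capability2_class_set wake_alarm;` rule carries no comment, while the ioctl rule directly below it documents its reason (`# Allow access to net_admin ioctl, DHCP server uses SIOCSARP`). Consider a one-line comment above the new rule, for example `# timerfd_create() with CLOCK_{REAL,BOOT}TIME_ALARM requires CAP_WAKE_ALARM`, so the justification lives in the policy file and not only in the commit message. The grant itself is narrow as written: it targets `self` and names only the `wake_alarm` permission.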