44328c061d
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary. Netd is it's only launcher (via fork/exec) and
killer.
Generated via:
{ echo; cat public/clatd.te; echo; } >> private/clatd.te
rm -f public/clatd.te
plus a minor edit to put coredomain after clatd type declaration
and required changes to move netd's clatd use out of public into private.
Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
30 lines
983 B
Text
30 lines
983 B
Text
typeattribute netd coredomain;
|
|
|
|
init_daemon_domain(netd)
|
|
|
|
# Allow netd to spawn dnsmasq in it's own domain
|
|
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
|
|
|
|
# Allow netd to start clatd in its own domain and kill it
|
|
domain_auto_trans(netd, clatd_exec, clatd)
|
|
allow netd clatd:process signal;
|
|
|
|
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
|
|
# the map created by bpfloader
|
|
allow netd bpfloader:bpf { prog_run map_read map_write };
|
|
|
|
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
|
# TODO: Remove this permission when 4.9 kernel is deprecated.
|
|
allow netd self:key_socket create;
|
|
|
|
get_prop(netd, bpf_progs_loaded_prop)
|
|
|
|
# Allow netd to write to statsd.
|
|
unix_socket_send(netd, statsdw, statsd)
|
|
|
|
# Allow netd to send callbacks to network_stack
|
|
binder_call(netd, network_stack)
|
|
|
|
# Allow netd to send dump info to dumpstate
|
|
allow netd dumpstate:fd use;
|
|
allow netd dumpstate:fifo_file { getattr write };
|