platform_system_sepolicy/clatd.te
Lorenzo Colitti 1d75c90be7 Remove clatd's dac_override abilities.
These are no longer necessary after the clatd change to acquire
membership in AID_VPN when dropping root privileges.

Change-Id: I9955296fe79e6dcbaa12acad1f1438e11d3b06cf
2014-06-13 21:44:43 +09:00

22 lines
841 B
Text

# 464xlat daemon
type clatd, domain;
type clatd_exec, exec_type, file_type;
net_domain(clatd)
# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
# TODO: Check whether some or all of these sockets should be close-on-exec.
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
allow clatd self:capability { net_admin net_raw setuid setgid };
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
allow clatd tun_device:chr_file rw_file_perms;