platform_system_sepolicy/clatd.te
Lorenzo Colitti 81c0301387 Remove clatd's ability to write to proc files.
This is no longer required now that clatd has switched from IPv6
forwarding to sockets.

Bug: 15340961
Change-Id: Id7d503b842882d30e6cb860ed0af69ad4ea3e62c
2014-06-13 12:00:21 +09:00

25 lines
951 B
Text

# 464xlat daemon
type clatd, domain;
type clatd_exec, exec_type, file_type;
net_domain(clatd)
# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
# TODO: Check whether some or all of these sockets should be close-on-exec.
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
allow clatd self:capability { net_admin net_raw setuid setgid };
# TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
allow clatd self:capability dac_override;
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
allow clatd tun_device:chr_file rw_file_perms;