# 464xlat daemon
#
# Policy for clatd, the 464xlat translator. It runs as a core domain on the
# system image; every rule below is an explicit grant, so anything not listed
# here is denied. Blame/gutter chrome from the rendered page is not policy.
type clatd, domain, coredomain;
type clatd_exec, system_file_type, exec_type, file_type;

# Standard network-client permission bundle shared by networking domains.
net_domain(clatd)

# Read-only access to proc net entries. The auditallow that follows only
# expands on userdebug/eng builds and logs each such access that is allowed,
# so the breadth of the r_dir_file grant can be checked against what clatd
# actually reads; it grants nothing by itself.
r_dir_file(clatd, proc_net_type)
userdebug_or_eng(`
auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
')

# Access objects inherited from netd.
# These cover descriptors clatd presumably receives already open from netd
# (verify against how netd launches clatd); they permit use of those objects
# only, not creating new ones of these classes.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
# TODO: Check whether some or all of these sockets should be close-on-exec.
# Until that is settled, each inherited socket class is listed on its own line
# so a denial in the audit log identifies exactly which one is still needed.
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };

# net_admin and net_raw are the privileged pieces of this grant; setuid/setgid
# presumably let clatd change identity after setup -- confirm against the
# daemon source before widening or narrowing this set.
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };

# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
# so we permit any requests we see from clatd asking for this capability.
# See https://android-review.googlesource.com/127940 and
# https://b.corp.google.com/issues/21736319
allow clatd self:global_capability_class_set ipc_lock;

# nlmsg_write permits sending modifying (write-type) messages on clatd's own
# routing netlink socket; read-type queries are not covered by this rule.
allow clatd self:netlink_route_socket nlmsg_write;
# Raw IP and packet sockets are granted with the no-ioctl permission set,
# deliberately keeping socket ioctls out of this domain's reach.
allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
# Read/write on the tun character device, presumably the interface clatd
# translates packets over -- confirm against the daemon source.
allow clatd tun_device:chr_file rw_file_perms;