netd.te: allow netd to bind to ports <1024 (including dns: 53 & 853)
This is already granted in dnsmasq.te, but we'd like to deprecate that in favour of the in-netd-process dnsresolver.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1bdb5d6d0eab1d93cc1c2cc4532d8db54fd7b604
diff --git a/private/netd.te b/private/netd.te
index 8b6ea4c..3b3c697 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -48,7 +48,7 @@
allow netd system_server:fd use;
-allow netd self:global_capability_class_set { net_admin net_raw kill };
+allow netd self:global_capability_class_set { net_admin net_raw net_bind_service kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
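Review bot: The added net_bind_service in the capability set on the `+` line has no comment saying why netd needs it, while the comment block right below documents why fsetid is left out. Please add a line next to the rule noting that it is for the in-process DNS resolver binding to ports 53 and 853, so the rationale stays in netd.te and not only in the commit message. The capability is also not limited to those two ports: as the subject line says, it covers every port below 1024, so it would help to state in the comment that this breadth is intended. Since the message says the same grant already exists in dnsmasq.te and is meant to be deprecated, a TODO or bug reference for removing it there would keep the two domains from both holding the capability longer than needed.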