Merge "Move pf_key socket creation permission to netd"

commit: 3cba24a81a3e77251f942c1e480309218a0ff5e1 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Fri Apr 12 22:35:52 2019 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Apr 12 22:35:52 2019 +0000
tree: a97cbc13555243ebf30cd9a5a870e3ad58152790
parent: 9c4ebe2bc996db99d19fca1ee8cb30f83b2d7074 [diff]
parent: 8a5539b5f00b8993e1817ef61b4da16a03967d59 [diff]
diff --git a/private/netd.te b/private/netd.te
index a00cb69..4c129b7 100644
--- a/private/netd.te
+++ b/private/netd.te

@@ -12,6 +12,10 @@
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
 
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
 get_prop(netd, bpf_progs_loaded_prop)
 
 # Allow netd to write to statsd.

diff --git a/private/system_server.te b/private/system_server.te
index 9b986b1..68a8f55 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -879,10 +879,6 @@
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
 allow system_server bpfloader:bpf { map_read map_write };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow system_server self:key_socket create;
-
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
commit	3cba24a81a3e77251f942c1e480309218a0ff5e1	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Fri Apr 12 22:35:52 2019 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Apr 12 22:35:52 2019 +0000
tree	a97cbc13555243ebf30cd9a5a870e3ad58152790
parent	9c4ebe2bc996db99d19fca1ee8cb30f83b2d7074 [diff]
parent	8a5539b5f00b8993e1817ef61b4da16a03967d59 [diff]