sepolicy - move public clatd to private Clatd is effectively an internal implementation detail of netd. It exists as a separate daemon only because this gives us a better security boundary. Netd is it's only launcher (via fork/exec) and killer. Generated via: { echo; cat public/clatd.te; echo; } >> private/clatd.te rm -f public/clatd.te plus a minor edit to put coredomain after clatd type declaration and required changes to move netd's clatd use out of public into private. Test: build and install on non-aosp test device, atest, check for selinux clat denials Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c

commit: 44328c061d67636d4d8047ac69c4e778467eb4e8 [log] [tgz]
author: Maciej Żenczykowski <maze@google.com> Wed May 08 18:50:27 2019 -0700
committer: Maciej Żenczykowski <maze@google.com> Sat May 11 17:47:25 2019 -0700
tree: e87932ea7b045cdacdc657c623d04a903c45b06b
parent: 8f5436a19a3411d0aed1679561ed54ad9e33e9e7 [diff] [blame]
diff --git a/private/netd.te b/private/netd.te
index 4c129b7..41473b7 100644
--- a/private/netd.te
+++ b/private/netd.te

@@ -5,8 +5,9 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
-# Allow netd to start clatd in its own domain
+# Allow netd to start clatd in its own domain and kill it
 domain_auto_trans(netd, clatd_exec, clatd)
+allow netd clatd:process signal;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
commit	44328c061d67636d4d8047ac69c4e778467eb4e8	[log] [tgz]
author	Maciej Żenczykowski <maze@google.com>	Wed May 08 18:50:27 2019 -0700
committer	Maciej Żenczykowski <maze@google.com>	Sat May 11 17:47:25 2019 -0700
tree	e87932ea7b045cdacdc657c623d04a903c45b06b
parent	8f5436a19a3411d0aed1679561ed54ad9e33e9e7 [diff] [blame]