Move pf_key socket creation permission to netd Allow netd to trigger the kernel synchronize rcu with open and close pf_key socket. This action was previously done by system_server but now it need to be done by netd instead because there might be race issue when netd is operating on a map that is cleaned up by system server. Bug: 126620214 Test: android.app.usage.cts.NetworkUsageStatsTest android.net.cts.TrafficStatsTest Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf

commit: 8a5539b5f00b8993e1817ef61b4da16a03967d59 [log] [tgz]
author: Chenbo Feng <fengc@google.com> Wed Feb 27 17:44:26 2019 -0800
committer: Chenbo Feng <fengc@google.com> Fri Apr 12 02:24:46 2019 +0000
tree: 493b7543ab36b8f02f1585ddeabbadc404fa6add
parent: 0d86ec526de385d0a7bb6d32dd4bffb17409af9d [diff] [blame]
diff --git a/private/netd.te b/private/netd.te
index a00cb69..4c129b7 100644
--- a/private/netd.te
+++ b/private/netd.te

@@ -12,6 +12,10 @@
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
 
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
 get_prop(netd, bpf_progs_loaded_prop)
 
 # Allow netd to write to statsd.
commit	8a5539b5f00b8993e1817ef61b4da16a03967d59	[log] [tgz]
author	Chenbo Feng <fengc@google.com>	Wed Feb 27 17:44:26 2019 -0800
committer	Chenbo Feng <fengc@google.com>	Fri Apr 12 02:24:46 2019 +0000
tree	493b7543ab36b8f02f1585ddeabbadc404fa6add
parent	0d86ec526de385d0a7bb6d32dd4bffb17409af9d [diff] [blame]