allow systemserver to sigkill clat
This appears to be an oversight in T sepolicy???
Based on observed logs (on a slightly hacked up setup):
04-04 20:38:38.205 1548 1935 I Nat464Xlat: Stopping clatd on wlan0
04-04 20:38:38.205 1548 1935 I ClatCoordinator: Stopping clatd pid=7300 on wlan0
04-04 20:38:43.408 1548 1548 W ConnectivitySer: type=1400 audit(0.0:8): avc: denied { sigkill } for scontext=u:r:system_server:s0 tcontext=u:r:clatd:s0 tclass=process permissive=0
04-04 20:38:43.412 1548 1935 E jniClatCoordinator: Failed to SIGTERM clatd pid=7300, try SIGKILL
04-04 20:39:27.817 7300 7300 I clatd : Shutting down clat on wlan0
04-04 20:39:27.819 7300 7300 I clatd : Clatd on wlan0 already received SIGTERM
04-04 20:39:27.830 2218 2894 D IpClient/wlan0: clatInterfaceRemoved: v4-wlan0
04-04 20:39:27.857 1548 1935 D jniClatCoordinator: clatd process 7300 terminated status=0
I think this means SIGTERM failed to work in time, and we tried SIGKILL and that was denied, and then the SIGTERM succeeded?
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia55ebd812cb9e7062e3cb10d6cb6851638926868
diff --git a/private/system_server.te b/private/system_server.te
index 20e6427..ff863cd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1185,7 +1185,7 @@
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
-allow system_server clatd:process signal;
+allow system_server clatd:process { sigkill signal };
# ART Profiles.
# Allow system_server to open profile snapshots for read.