Merge "Allow clatd to read from packet sockets and write to raw sockets"
diff --git a/clatd.te b/clatd.te
index b1bda1e..372cc2d 100644
--- a/clatd.te
+++ b/clatd.te
@@ -15,12 +15,12 @@
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
 
-allow clatd self:capability { net_admin setuid setgid };
+allow clatd self:capability { net_admin net_raw setuid setgid };
 
 # TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
 allow clatd self:capability dac_override;
 
 allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:tun_socket create_socket_perms;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
 allow clatd tun_device:chr_file rw_file_perms;
 allow clatd proc_net:file rw_file_perms;;
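Review bot: The new rule `allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;` grants the whole create_socket_perms set on all three socket classes, which is wider than the need the commit title states (read from packet sockets, write to raw sockets). One rule per class with an explicit permission list would keep the domain closer to least privilege, for example `allow clatd self:packet_socket { create bind setopt read };` and `allow clatd self:rawip_socket { create setopt write };`, keeping the existing tun_socket rule as it was. The exact permissions in those lists are an assumption and should be confirmed against clatd's socket calls or the audit denials. The added `net_raw` capability is sensitive and has no comment explaining it, so a line such as `# net_raw: required to open the packet and raw IP sockets used for translation` above that rule would record why it is granted.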