Merge "Suppress spurious denial" into pi-dev

commit: cb336d8965f57a84a7b0f0a5280e465782902e69 [log] [tgz]
author: TreeHugger Robot <treehugger-gerrit@google.com> Thu Apr 12 19:04:58 2018 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Thu Apr 12 19:04:58 2018 +0000
tree: 5fb77302dbf58b60620155901afe9d3b5c1ba0e6
parent: 96805f15b6395ea9ba5fe671e54473541489f2f6 [diff]
parent: 443a43c98121363929f268b1f77bd229a3247d3a [diff]
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d8..ea58814 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te

@@ -33,3 +33,9 @@
     -coredomain
     -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
commit	cb336d8965f57a84a7b0f0a5280e465782902e69	[log] [tgz]
author	TreeHugger Robot <treehugger-gerrit@google.com>	Thu Apr 12 19:04:58 2018 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Thu Apr 12 19:04:58 2018 +0000
tree	5fb77302dbf58b60620155901afe9d3b5c1ba0e6
parent	96805f15b6395ea9ba5fe671e54473541489f2f6 [diff]
parent	443a43c98121363929f268b1f77bd229a3247d3a [diff]