Merge "neverallow write access to /data/dalvik-cache directories."

commit: e010f08e405f67d6bd5ecc8826ead753ab880a68 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Tue Jun 16 15:15:23 2015 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Jun 16 15:15:23 2015 +0000
tree: b4e25f19241e008fe47e406fc9ced121dbb915f7
parent: 8a22477541a76f404a1a95e56d0334c543764822 [diff]
parent: d9bf7b3fc008533a6552887a3451a311c3a2607a [diff]
diff --git a/clatd.te b/clatd.te
index 5c52bdb..21c9ca9 100644
--- a/clatd.te
+++ b/clatd.te

@@ -19,11 +19,12 @@
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
commit	e010f08e405f67d6bd5ecc8826ead753ab880a68	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue Jun 16 15:15:23 2015 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Jun 16 15:15:23 2015 +0000
tree	b4e25f19241e008fe47e406fc9ced121dbb915f7
parent	8a22477541a76f404a1a95e56d0334c543764822 [diff]
parent	d9bf7b3fc008533a6552887a3451a311c3a2607a [diff]