commit e397503f8064f089e976f938995188d8e1a7c838
author Maciej Żenczykowski <maze@google.com> Tue Jun 02 18:35:57 2020 -0700
committer Maciej Żenczykowski <maze@google.com> Tue Nov 09 19:26:13 2021 +0000
tree 672dab022147dd80915b7bc325bca0bd8dc5f61d
parent 9e6dcd74fc379f0e51840395d8b9f73990734971

remove spurious clat selinux privs

Test: ran on flame with ipv6 only wifi network
Bug: 144642337
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5610b5e446ed1f2288edb12c665a5bddd69d6dae

private/clatd.te

diff --git a/private/clatd.te b/private/clatd.te
index 0fa774a..dfcaf57 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -12,25 +12,9 @@
 # Access objects inherited from netd.
 allow clatd netd:fd use;
 allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
 
 allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
 
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
 allow clatd tun_device:chr_file rw_file_perms;