Grants clatd privs since forked by system server
System server forks clatd now. Need to add rules to
fork clatd. netd doesn't fork clatd anymore.
Bug: 212345928
Test: ping 8.8.8.8 under an IPv6-only network;
check that the BPF maps are added.
$ adb shell dumpsys netd --short | grep Clat -A10
ClatdController
Trackers: iif[iface] nat64Prefix v6Addr -> v4Addr v4iif[v4iface] [fwmark]
BPF ingress map: iif(iface) nat64Prefix v6Addr -> v4Addr oif(iface)
47(wlan0) 64:ff9b::/96 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c -> 192.0.0.4 52(v4-wlan0)
BPF egress map: iif(iface) v4Addr -> v6Addr nat64Prefix oif(iface)
52(v4-wlan0) 192.0.0.4 -> 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c 64:ff9b::/96 47(wlan0) ether
Change-Id: I70be6132ab7bfdd96b5f537a96722312cd93bbb8
diff --git a/private/clatd.te b/private/clatd.te
index 57eee78..1f21d69 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,10 +4,10 @@
net_domain(clatd)
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:packet_socket { read write };
-allow clatd netd:rawip_socket { read write };
+# Access objects inherited from system_server.
+allow clatd system_server:fd use;
+allow clatd system_server:packet_socket { read write };
+allow clatd system_server:rawip_socket { read write };
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
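Review bot: the three rewritten allow rules make clatd depend on system_server, not netd, handing it an fd, a packet socket and a raw IP socket before the exec; the comment "Access objects inherited from system_server." is accurate, but the creating side of those objects is only partly covered by this patch (the netd hunk below drops the `self:packet_socket { bind create setopt }` rule, and no equivalent is added for system_server), so please cross-check that system_server can actually create and bind the packet socket it passes here, otherwise clatd will inherit nothing usable.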
diff --git a/private/netd.te b/private/netd.te
index d87b9a6..04f8e3c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -5,13 +5,6 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-# Allow netd to start clatd in its own domain and kill it
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-# Allow netd to setup packet socket and pass to clatd
-allow netd self:packet_socket { bind create setopt };
-
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/private/system_server.te b/private/system_server.te
index d2b4091..779acb6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1114,6 +1114,10 @@
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# Allow system_server to start clatd in its own domain and kill it.
+domain_auto_trans(system_server, clatd_exec, clatd)
+allow system_server clatd:process signal;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
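Review bot: this hunk adds the domain transition and `clatd:process signal` for system_server but not the socket-setup rule that the netd hunk removes, i.e. `allow netd self:packet_socket { bind create setopt };` has no counterpart `allow system_server self:packet_socket { bind create setopt };` here; since clatd.te now expects `system_server:packet_socket { read write }`, system_server must be able to create and bind that socket. If system_server.te already grants this elsewhere, mention it in the commit message; if not, add the rule in this hunk. Also consider keeping the comment in the same form as the removed netd one ("and pass to clatd") so the reason for the packet socket is documented next to the transition.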
@@ -1201,8 +1205,8 @@
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
+# transitioning to the crash_dump domain when a crash occurs or fork clatd.
+neverallow system_server { domain -clatd -crash_dump }:process transition;
neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.
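Review bot: the updated comment "when a crash occurs or fork clatd." reads awkwardly and is slightly inaccurate, since what is being exempted is the domain transition on exec of clatd_exec, not the fork; suggest "transitioning to the crash_dump domain when a crash occurs, or to the clatd domain when starting clatd." The neverallow change itself is correct and minimal: `{ domain -clatd -crash_dump }` exempts exactly the one new transition granted by `domain_auto_trans(system_server, clatd_exec, clatd)` above, and the `dyntransition` neverallow on the next line is left intact.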