Grants clatd privs since forked by system server
System server forks clatd now. Need to add rules to
fork clatd. netd doesn't fork clatd anymore.
Bug: 212345928
Test: ping 8.8.8.8 under ipv6-only network
check bpf maps are added.
$ adb shell dumpsys netd --short | grep Clat -A10
ClatdController
Trackers: iif[iface] nat64Prefix v6Addr -> v4Addr v4iif[v4iface] [fwmark]
BPF ingress map: iif(iface) nat64Prefix v6Addr -> v4Addr oif(iface)
47(wlan0) 64:ff9b::/96 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c -> 192.0.0.4 52(v4-wlan0)
BPF egress map: iif(iface) v4Addr -> v6Addr nat64Prefix oif(iface)
52(v4-wlan0) 192.0.0.4 -> 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c 64:ff9b::/96 47(wlan0) ether
Change-Id: I70be6132ab7bfdd96b5f537a96722312cd93bbb8
diff --git a/private/system_server.te b/private/system_server.te
index d2b4091..779acb6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1114,6 +1114,10 @@
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# Allow system_server to start clatd in its own domain and kill it.
+domain_auto_trans(system_server, clatd_exec, clatd)
+allow system_server clatd:process signal;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
@@ -1201,8 +1205,8 @@
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
+# transitioning to the crash_dump domain when a crash occurs or fork clatd.
+neverallow system_server { domain -clatd -crash_dump }:process transition;
neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.