| # 464xlat daemon |
| type clatd, domain; |
| type clatd_exec, exec_type, file_type; |
| |
| net_domain(clatd) |
| |
| # Access objects inherited from netd. |
| allow clatd netd:fd use; |
| allow clatd netd:fifo_file { read write }; |
| # TODO: Check whether some or all of these sockets should be close-on-exec. |
| allow clatd netd:netlink_kobject_uevent_socket { read write }; |
| allow clatd netd:netlink_nflog_socket { read write }; |
| allow clatd netd:netlink_route_socket { read write }; |
| allow clatd netd:udp_socket { read write }; |
| allow clatd netd:unix_stream_socket { read write }; |
| allow clatd netd:unix_dgram_socket { read write }; |
| |
| allow clatd self:capability { net_admin net_raw setuid setgid }; |
| |
| # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks |
| # capable(CAP_IPC_LOCK), and then checks to see the requested amount is |
| # under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd |
| # does not need CAP_IPC_LOCK, so we suppress any denials we see |
| # from clatd asking for this capability. |
| # See https://android-review.googlesource.com/127940 |
| dontaudit clatd self:capability ipc_lock; |
| |
| allow clatd self:netlink_route_socket nlmsg_write; |
| allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms; |
| allow clatd tun_device:chr_file rw_file_perms; |
