76aab82cb3
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
34 lines
1.4 KiB
Plaintext
34 lines
1.4 KiB
Plaintext
# 464xlat daemon
|
|
type clatd, domain;
|
|
type clatd_exec, exec_type, file_type;
|
|
|
|
net_domain(clatd)
|
|
|
|
r_dir_file(clatd, proc_net)
|
|
|
|
# Access objects inherited from netd.
|
|
allow clatd netd:fd use;
|
|
allow clatd netd:fifo_file { read write };
|
|
# TODO: Check whether some or all of these sockets should be close-on-exec.
|
|
allow clatd netd:netlink_kobject_uevent_socket { read write };
|
|
allow clatd netd:netlink_nflog_socket { read write };
|
|
allow clatd netd:netlink_route_socket { read write };
|
|
allow clatd netd:udp_socket { read write };
|
|
allow clatd netd:unix_stream_socket { read write };
|
|
allow clatd netd:unix_dgram_socket { read write };
|
|
|
|
allow clatd self:capability { net_admin net_raw setuid setgid };
|
|
|
|
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
|
|
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
|
|
# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
|
|
# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
|
|
# so we permit any requests we see from clatd asking for this capability.
|
|
# See https://android-review.googlesource.com/127940 and
|
|
# https://b.corp.google.com/issues/21736319
|
|
allow clatd self:capability ipc_lock;
|
|
|
|
allow clatd self:netlink_route_socket nlmsg_write;
|
|
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
|
|
allow clatd tun_device:chr_file rw_file_perms;
|