From 6cd57a43d2eafed5454bd7d4e55c57d8a1c91898 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 5 Jun 2014 23:30:08 +0900
Subject: [PATCH] Allow clatd to read from packet sockets and write to raw
 sockets

This addresses the following denials that occur when switching
clatd from an IPv6 tun interface to packet and raw sockets:

avc: denied { net_raw } for pid=3540 comm="clatd" capability=13 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
avc: denied { create } for pid=3540 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket
avc: denied { bind } for pid=3540 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket
avc: denied { setopt } for pid=3540 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket
avc: denied { read } for pid=3540 comm="clatd" path="socket:[19117]" dev="sockfs" ino=19117 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket

Bug: 15340961
Change-Id: I3c06e8e3e0cfc0869a7b73c803bbffe28369ee5e
---
 clatd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/clatd.te b/clatd.te
index b1bda1e76..372cc2d50 100644
--- a/clatd.te
+++ b/clatd.te
@@ -15,12 +15,12 @@ allow clatd netd:udp_socket { read write };
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
 
-allow clatd self:capability { net_admin setuid setgid };
+allow clatd self:capability { net_admin net_raw setuid setgid };
 
 # TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
 allow clatd self:capability dac_override;
 
 allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:tun_socket create_socket_perms;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
 allow clatd tun_device:chr_file rw_file_perms;
 allow clatd proc_net:file rw_file_perms;;
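Review bot: The new `self:{ packet_socket rawip_socket tun_socket } create_socket_perms` line grants the full create_socket_perms set on both socket classes, which is wider than what the commit message and the listed denials call for (packet_socket only needed `{ create bind setopt read }`; no rawip_socket denial is shown, so its required set is not visible here). If the intent is really read-only on packet sockets and write-only on raw sockets, consider splitting the grant, e.g. `allow clatd self:packet_socket { create bind setopt read };` with a separate rawip_socket rule scoped once its denials are known, and add a comment such as `# clatd reads IPv4 from a packet socket and writes via a raw socket (Bug: 15340961).` so the net_raw capability added above is explained in the policy itself. Since the description says clatd is moving off the tun interface, the retained tun_socket permission, the tun_device rule and the dac_override TODO may now be removable in a follow-up; I cannot tell from this hunk whether the tun path is still used. The pre-existing `;;` on the proc_net line looks like a stray token but is outside this change.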
-- 
GitLab