Allow clatd CAP_IPC_LOCK for mmap()

clatd's environment may not have a sufficiently large memlock
ulimit; it needs >=1MB but values much lower can be encountered.

The mmap() is performed while clatd is still root, before dropping
privileges; allow this to succeed.

Bug: 21736319
Change-Id: I8171e077046566924c769e855144ae5fac634d4c

clatd.te

@@ -19,11 +19,12 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;