From 8a22477541a76f404a1a95e56d0334c543764822 Mon Sep 17 00:00:00 2001
From: Erik Kline <ek@google.com>
Date: Tue, 16 Jun 2015 17:30:03 +0900
Subject: [PATCH] Allow clatd CAP_IPC_LOCK for mmap()

clatd's environment may not have a sufficiently large memlock
ulimit; it needs >=1MB but values much lower can be encountered.

The mmap() is performed while clatd is still root, before dropping
privileges; allow this to succeed.

Bug: 21736319
Change-Id: I8171e077046566924c769e855144ae5fac634d4c
---
 clatd.te | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/clatd.te b/clatd.te
index 5c52bdbdf..21c9ca9ed 100644
--- a/clatd.te
+++ b/clatd.te
@@ -19,11 +19,12 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
-- 
GitLab