From 9273c1bb5ca9b2ea71f2e35adbc170950fcdb9d1 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Sun, 16 Jul 2017 17:48:39 +0900
Subject: [PATCH] Explicitly allow netd to take the iptables lock.

This was previously relying on domain_deprecated rules deleted in
change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431.

Bug: 28760354
Test: unbreaks networking on AOSP bullhead
Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085
---
 public/netd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/public/netd.te b/public/netd.te
index d01d2f856..1442be7cf 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -51,6 +51,9 @@ allow netd net_data_file:file create_file_perms;
 allow netd net_data_file:dir rw_dir_perms;
 allow netd self:capability fowner;
 
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
 # Allow netd to spawn dnsmasq in it's own domain
 allow netd dnsmasq:process signal;
 
-- 
GitLab