Allow clatd CAP_IPC_LOCK for mmap()

clatd's environment may not have a sufficiently large memlock ulimit; it needs >=1MB but values much lower can be encountered. The mmap() is performed while clatd is still root, before dropping privileges; allow this to succeed. Bug: 21736319 Change-Id: I8171e077046566924c769e855144ae5fac634d4c

Allow clatd CAP_IPC_LOCK for mmap()
e7084511 · Erik Kline · df545265 · e7084511
Commit e7084511 authored 9 years ago by Erik Kline
--- a/clatd.te
+++ b/clatd.te
@@ -19,11 +19,12 @@ allow clatd self:capability { net_admin net_raw setuid setgid };

 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;

 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;