1# 464xlat daemon
2type clatd, domain;
3type clatd_exec, exec_type, file_type;
4
5net_domain(clatd)
6
7# Access objects inherited from netd.
8allow clatd netd:fd use;
9allow clatd netd:fifo_file { read write };
10# TODO: Check whether some or all of these sockets should be close-on-exec.
11allow clatd netd:netlink_kobject_uevent_socket { read write };
12allow clatd netd:netlink_nflog_socket { read write };
13allow clatd netd:netlink_route_socket { read write };
14allow clatd netd:udp_socket { read write };
15allow clatd netd:unix_stream_socket { read write };
16allow clatd netd:unix_dgram_socket { read write };
17
18allow clatd self:capability { net_admin net_raw setuid setgid };
19
20# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
21# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
22# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
23# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
24# so we permit any requests we see from clatd asking for this capability.
25# See https://android-review.googlesource.com/127940 and
26# https://b.corp.google.com/issues/21736319
27allow clatd self:capability ipc_lock;
28
29allow clatd self:netlink_route_socket nlmsg_write;
30allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
31allow clatd tun_device:chr_file rw_file_perms;
32