netd: limit DAC capabilities
Limit netd to have only exactly those capabilities that selinux
already allows for it and its children (clatd, dnsmasq).
There is no change in what netd is allowed to do; this is enforcing
the same restrictions using two mechanisms to improve
defense-in-depth, and avoid spurious selinux denials when
something goes wrong. For example the following denial caused a
postsubmit failure:
avc: denied { sys_resource } for comm="Binder:826_3" capability=24
scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
Test: capabilities in netd.rc match those granted in selinux policy:
adb pull /sys/fs/selinux/policy
sesearch --allow -s netd,clatd,dnsmasq -c capability,capability2
Test: atest netd_integration_test:netd_integration_test32.BinderTest#ClatdStartStop
Bug: 143627693
Change-Id: I6c93cec262cfbc5f53404eb4a0bdf113b11ecce4
1 file changed
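The "capabilities in netd.rc match those granted in selinux policy" check above is done by eye in the commit message. The script below is an added example, not part of this change or of the Android tree: it parses the `capabilities` line of an init .rc service block and the `{ ... }` sets from sesearch output, and reports capabilities init would raise that the policy does not allow (exactly the sys_resource case that produced the denial quoted above). Both inputs here are constructed samples; in real use you would feed the actual netd.rc and the output of `sesearch --allow -s netd,clatd,dnsmasq -c capability,capability2 policy` run on the file pulled with `adb pull /sys/fs/selinux/policy`.

```shell
#!/bin/sh
# Added example (not from the netd commit): cross-check an init .rc
# `capabilities` line against SELinux capability allow rules.
# Inputs below are constructed samples, not the real netd.rc or policy.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample of a netd.rc service block (hypothetical contents).
RC_SAMPLE='service netd /system/bin/netd
    class main
    socket dnsproxyd stream 0660 root inet
    user root
    group root
    capabilities CHOWN DAC_OVERRIDE FOWNER FSETID NET_ADMIN NET_RAW SETUID SETGID SYS_MODULE SYS_NICE SYS_RESOURCE
    onrestart restart zygote'

# Constructed sample of sesearch output for netd and its children
# (hypothetical; the real rule set depends on the device policy).
SESEARCH_SAMPLE='allow netd netd:capability { chown dac_override fowner fsetid net_admin net_raw setuid setgid sys_module sys_nice };
allow clatd clatd:capability { net_admin net_raw setuid setgid };
allow dnsmasq dnsmasq:capability { net_admin net_bind_service net_raw setgid setuid };
allow netd netd:capability2 { wake_alarm };'

# rc_caps RC_TEXT: capabilities the .rc asks init to keep, lower-cased,
# one per line, sorted (the `capabilities` keyword lists them in upper case).
rc_caps() {
    printf '%s\n' "$1" \
        | awk '$1 == "capabilities" { for (i = 2; i <= NF; i++) print tolower($i) }' \
        | sort -u
}

# policy_caps SESEARCH_TEXT: union of every capability/capability2 name
# inside the `{ ... }` set of each allow rule, sorted.
policy_caps() {
    printf '%s\n' "$1" \
        | sed -n 's/.*{ *\(.*\) *}.*/\1/p' \
        | tr ' ' '\n' \
        | grep -v '^$' \
        | sort -u
}

# missing_in_policy RC_TEXT SESEARCH_TEXT: capabilities init would grant
# that no allow rule permits. Each one is a future avc denial, because
# the DAC side hands out a capability the MAC side will refuse.
missing_in_policy() {
    rc_caps "$1" > "$TMP/rc"
    policy_caps "$2" > "$TMP/pol"
    comm -23 "$TMP/rc" "$TMP/pol"
}

# extra_in_policy RC_TEXT SESEARCH_TEXT: capabilities the policy allows
# (to netd or a child) that the .rc no longer grants; harmless, but worth
# knowing when deciding whether the policy can be tightened further.
extra_in_policy() {
    rc_caps "$1" > "$TMP/rc"
    policy_caps "$2" > "$TMP/pol"
    comm -13 "$TMP/rc" "$TMP/pol"
}

echo "granted by .rc but denied by policy:"
missing_in_policy "$RC_SAMPLE" "$SESEARCH_SAMPLE"
echo "allowed by policy but not granted by .rc:"
extra_in_policy "$RC_SAMPLE" "$SESEARCH_SAMPLE"
```

With the constructed inputs the first list contains only sys_resource, which is the capability in the quoted denial (capability=24 is CAP_SYS_RESOURCE); the second list is what clatd and dnsmasq are allowed beyond netd's own line. Run against real inputs, a non-empty first list is the condition this commit is removing.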