Add nlmsg constants and macros
The nlmsg extended permission has been introduced in kernel 6.13.
As with ioctl, define the constants usable in the policy
(nlmsg_defines) and the corresponding macros (nlmsg_macros).
Bug: 353255679
Test: presubmit
Change-Id: I7ef499bf6fd3258c7ebb4f9a0cf4b898422d6b08
diff --git a/Android.bp b/Android.bp
index 558810c..3d81c49 100644
--- a/Android.bp
+++ b/Android.bp
@@ -72,6 +72,8 @@
"attributes",
"ioctl_defines",
"ioctl_macros",
+ "nlmsg_defines",
+ "nlmsg_macros",
"*.te",
"roles_decl",
"roles",
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8bdf01b..9595255 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -46,6 +46,8 @@
"te_macros",
"ioctl_defines",
"ioctl_macros",
+ "nlmsg_defines",
+ "nlmsg_macros",
"attributes|*.te",
"roles_decl",
"roles",
diff --git a/public/nlmsg_defines b/public/nlmsg_defines
new file mode 100644
index 0000000..9ddfb92
--- /dev/null
+++ b/public/nlmsg_defines
@@ -0,0 +1,121 @@
+# Netlink messages may be filtered using extended permissions, based on the
+# nlmsg_type field. This files defines the most common constants for each
+# netlink socket class.
+
+# NETLINK_ROUTE_SOCKET
+# Based on uapi/linux/rnetlink.h
+define(`RTM_NEWLINK', `16')
+define(`RTM_DELLINK', `17')
+define(`RTM_GETLINK', `18')
+define(`RTM_SETLINK', `19')
+define(`RTM_NEWADDR', `20')
+define(`RTM_DELADDR', `21')
+define(`RTM_GETADDR', `22')
+define(`RTM_NEWROUTE', `24')
+define(`RTM_DELROUTE', `25')
+define(`RTM_GETROUTE', `26')
+define(`RTM_NEWNEIGH', `28')
+define(`RTM_DELNEIGH', `29')
+define(`RTM_GETNEIGH', `30')
+define(`RTM_NEWRULE', `32')
+define(`RTM_DELRULE', `33')
+define(`RTM_GETRULE', `34')
+define(`RTM_NEWQDISC', `36')
+define(`RTM_DELQDISC', `37')
+define(`RTM_GETQDISC', `38')
+define(`RTM_NEWTCLASS', `40')
+define(`RTM_DELTCLASS', `41')
+define(`RTM_GETTCLASS', `42')
+define(`RTM_NEWTFILTER', `44')
+define(`RTM_DELTFILTER', `45')
+define(`RTM_GETTFILTER', `46')
+define(`RTM_NEWACTION', `48')
+define(`RTM_DELACTION', `49')
+define(`RTM_GETACTION', `50')
+define(`RTM_NEWPREFIX', `52')
+define(`RTM_GETMULTICAST', `58')
+define(`RTM_GETANYCAST', `62')
+define(`RTM_NEWNEIGHTBL', `64')
+define(`RTM_GETNEIGHTBL', `66')
+define(`RTM_SETNEIGHTBL', `67')
+define(`RTM_NEWNDUSEROPT', `68')
+define(`RTM_NEWADDRLABEL', `72')
+define(`RTM_DELADDRLABEL', `73')
+define(`RTM_GETADDRLABEL', `74')
+define(`RTM_GETDCB', `78')
+define(`RTM_SETDCB', `79')
+define(`RTM_NEWNETCONF', `80')
+define(`RTM_DELNETCONF', `81')
+define(`RTM_GETNETCONF', `82')
+define(`RTM_NEWMDB', `84')
+define(`RTM_DELMDB', `85')
+define(`RTM_GETMDB', `86')
+define(`RTM_NEWNSID', `88')
+define(`RTM_DELNSID', `89')
+define(`RTM_GETNSID', `90')
+define(`RTM_NEWSTATS', `92')
+define(`RTM_GETSTATS', `94')
+define(`RTM_SETSTATS', `95')
+define(`RTM_NEWCACHEREPORT', `96')
+define(`RTM_NEWCHAIN', `100')
+define(`RTM_DELCHAIN', `101')
+define(`RTM_GETCHAIN', `102')
+define(`RTM_NEWNEXTHOP', `104')
+define(`RTM_DELNEXTHOP', `105')
+define(`RTM_GETNEXTHOP', `106')
+define(`RTM_NEWLINKPROP', `108')
+define(`RTM_DELLINKPROP', `109')
+define(`RTM_GETLINKPROP', `110')
+define(`RTM_NEWVLAN', `112')
+define(`RTM_DELVLAN', `113')
+define(`RTM_GETVLAN', `114')
+define(`RTM_NEWNEXTHOPBUCKET', `116')
+define(`RTM_DELNEXTHOPBUCKET', `117')
+define(`RTM_GETNEXTHOPBUCKET', `118')
+define(`RTM_NEWTUNNEL', `120')
+define(`RTM_DELTUNNEL', `121')
+define(`RTM_GETTUNNEL', `122')
+
+# NETLINK_TCPDIAG_SOCKET
+# Based on uapi/linux/inet_diag.h and uapi/linux/sock_diag.h
+define(`TCPDIAG_GETSOCK', `18')
+define(`DCCPDIAG_GETSOCK', `19')
+define(`SOCK_DIAG_BY_FAMILY', `20')
+define(`SOCK_DESTROY', `21')
+
+# NETLINK_XFRM_SOCKET
+# Based on uapi/linux/xfrm.h
+define(`XFRM_MSG_NEWSA', `0x10')
+define(`XFRM_MSG_DELSA', `0x11')
+define(`XFRM_MSG_GETSA', `0x12')
+define(`XFRM_MSG_NEWPOLICY', `0x13')
+define(`XFRM_MSG_DELPOLICY', `0x14')
+define(`XFRM_MSG_GETPOLICY', `0x15')
+define(`XFRM_MSG_ALLOCSPI', `0x16')
+define(`XFRM_MSG_ACQUIRE', `0x17')
+define(`XFRM_MSG_EXPIRE', `0x18')
+define(`XFRM_MSG_UPDPOLICY', `0x19')
+define(`XFRM_MSG_UPDSA', `0x1a')
+define(`XFRM_MSG_POLEXPIRE', `0x1b')
+define(`XFRM_MSG_FLUSHSA', `0x1c')
+define(`XFRM_MSG_FLUSHPOLICY', `0x1d')
+define(`XFRM_MSG_NEWAE', `0x1e')
+define(`XFRM_MSG_GETAE', `0x1f')
+define(`XFRM_MSG_REPORT', `0x20')
+define(`XFRM_MSG_MIGRATE', `0x21')
+define(`XFRM_MSG_NEWSADINFO', `0x22')
+define(`XFRM_MSG_GETSADINFO', `0x23')
+define(`XFRM_MSG_NEWSPDINFO', `0x24')
+define(`XFRM_MSG_GETSPDINFO', `0x25')
+define(`XFRM_MSG_MAPPING', `0x26')
+define(`XFRM_MSG_SETDEFAULT', `0x27')
+define(`XFRM_MSG_GETDEFAULT', `0x28')
+
+# NETLINK_AUDIT_SOCKET
+# Based on uapi/linux/audit.h
+define(`AUDIT_SET', `1001')
+define(`AUDIT_USER', `1005')
+define(`AUDIT_USER_AVC', `1107')
+define(`AUDIT_AVC', `1400')
+define(`AUDIT_SELINUX_ERR', `1401')
+
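Review bot: The header comment of nlmsg_defines has two typos that will mislead anyone cross-checking these values against the kernel: `# This files defines the most common constants for each` should read `# This file defines the most common constants for each`, and `# Based on uapi/linux/rnetlink.h` should name the actual header, `# Based on uapi/linux/rtnetlink.h`. The numeric values themselves agree with the uapi headers as far as I can verify them. Because these are m4 `define`s, the names expand wherever they appear in policy and the numbers are kernel ABI, so a one-line note at the top such as `# Values are kernel uapi ABI: append new types, never renumber existing ones.` would help future maintainers keep the file in sync with the kernel rather than with local convention.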
diff --git a/public/nlmsg_macros b/public/nlmsg_macros
new file mode 100644
index 0000000..c40ef9b
--- /dev/null
+++ b/public/nlmsg_macros
@@ -0,0 +1,20 @@
+# Macros for Netlink messages. See nlmsg_defines.
+
+# This is the whole range for netlink_route_socket. This is equivalent to the
+# older: { nlmsg_read nlmsg_write nlmsg_readpriv nlmsg_getneigh }.
+# If possible, prefer to define the exact nlmsg required by your domain.
+define(`priv_route_socket_nlmsgs', `{ RTM_NEWLINK-RTM_GETTUNNEL }')
+
+# This is a subset of nlmsg_read without RTM_GETLINK, RTM_GETNEIGH nor
+# RTM_GETNEIGHTBL.
+define(`unpriv_route_socket_nlmsgs', `
+{
+ RTM_GETADDR RTM_GETROUTE RTM_GETRULE
+ RTM_GETQDISC RTM_GETTCLASS RTM_GETTFILTER
+ RTM_GETACTION RTM_GETMULTICAST RTM_GETANYCAST
+ RTM_GETADDRLABEL RTM_GETDCB RTM_GETNETCONF
+ RTM_GETMDB RTM_GETNSID RTM_NEWSTATS RTM_GETSTATS
+ RTM_NEWCACHEREPORT RTM_GETCHAIN RTM_GETNEXTHOP
+ RTM_GETVLAN RTM_GETNEXTHOPBUCKET RTM_GETTUNNEL
+}
+')
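Review bot: The `priv_route_socket_nlmsgs` range `{ RTM_NEWLINK-RTM_GETTUNNEL }` is a plain numeric span (16-122), so it also grants nlmsg_type values that have no RTM_* definition (gaps such as 23, 27 and 31) and any RTM_* the kernel introduces inside that window later; the comment's "This is equivalent to the older: ..." therefore overstates the precision. I would qualify it: `# This is a superset of the older: { nlmsg_read nlmsg_write nlmsg_readpriv nlmsg_getneigh }, since the range also covers undefined and future nlmsg_type values between 16 and 122.` For `unpriv_route_socket_nlmsgs`, the inclusion of RTM_NEWSTATS and RTM_NEWCACHEREPORT in a "read" subset is surprising at first glance; if they were carried over because the legacy table classes them as nlmsg_read (which I believe it does, but worth confirming against the kernel's nlmsgtab), a comment stating that would stop a later reviewer from removing them as apparent writes.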