Update netlink_audit_socket for nlmsg xperm

Translate the netlink_audit_socket rules for the new extended permission.
The policy is updated to support kernels both with and without the new
nlmsg permission.

Test: Boot and validate that:
  - auditd (via logd) is set as the audit daemon.
  - auditctl is able to set the log rate.
  - init is able to forward log related to libselinux.
Bug: 353255679
Change-Id: Ib7bb1c9e729f4248e333cb32b4d11f8b54ffcc07
diff --git a/private/access_vectors b/private/access_vectors
index f91c1a4..6bfe5d9 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -428,6 +428,7 @@
 	nlmsg_relay
 	nlmsg_readpriv
 	nlmsg_tty_audit
+	nlmsg
 }
 
 class netlink_dnrt_socket
diff --git a/private/auditctl.te b/private/auditctl.te
index f634d3d..b6d191a 100644
--- a/private/auditctl.te
+++ b/private/auditctl.te
@@ -15,4 +15,10 @@
 init_daemon_domain(auditctl)
 
 allow auditctl self:global_capability_class_set audit_control;
-allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow auditctl self:netlink_audit_socket create_socket_perms_no_ioctl;
+
+# For kernel < 6.13
+allow auditctl self:netlink_audit_socket nlmsg_write;
+# For kernel >= 6.13
+allow auditctl self:netlink_audit_socket nlmsg;
+allowxperm auditctl self:netlink_audit_socket nlmsg AUDIT_SET;
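Review bot: The `# For kernel >= 6.13` comments here, and the matching ones in the init.te and logd.te hunks, tie the switch to the kernel version alone. As far as I know the kernel only checks `nlmsg` with per-message-type xperms when the loaded policy also enables the `netlink_xperm` policy capability, and otherwise keeps using `nlmsg_write`/`nlmsg_relay`. No file in this diff enables that capability or defines `AUDIT_SET`/`AUDIT_USER_AVC`, so please confirm both are provided elsewhere in the tree. I would reword the comment to `# For kernels >= 6.13 with the netlink_xperm policy capability enabled`, so a later cleanup does not remove the legacy rule while it is still the one being enforced.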
diff --git a/private/init.te b/private/init.te
index 15f79e3..cdcf0b9 100644
--- a/private/init.te
+++ b/private/init.te
@@ -706,7 +706,14 @@
 # Send an SELinux userspace denial to the kernel audit subsystem,
 # so it can be picked up and processed by logd. These denials are
 # generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:netlink_audit_socket create_socket_perms_no_ioctl;
+
+# For kernel < 6.13
+allow init self:netlink_audit_socket nlmsg_relay;
+# For kernel >= 6.13
+allow init self:netlink_audit_socket nlmsg;
+allowxperm init self:netlink_audit_socket nlmsg AUDIT_USER_AVC;
+
 allow init self:global_capability_class_set audit_write;
 
 # Run "ifup lo" to bring up the localhost interface
diff --git a/private/logd.te b/private/logd.te
index b6e8b27..8f97e10 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -58,7 +58,14 @@
 
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd self:netlink_audit_socket create_socket_perms_no_ioctl;
+
+# For kernel < 6.13
+allow logd self:netlink_audit_socket nlmsg_write;
+# For kernel >= 6.13
+allow logd self:netlink_audit_socket nlmsg;
+allowxperm logd self:netlink_audit_socket nlmsg { AUDIT_SET AUDIT_USER_AVC };
+
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file { getattr w_file_perms };
 allow logd system_data_file:{ file lnk_file } r_file_perms;
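Review bot: The new-kernel rule for logd allows `AUDIT_USER_AVC`, but its legacy branch grants only `nlmsg_write`, while the init.te hunk in this same change pairs `AUDIT_USER_AVC` with `nlmsg_relay`. If that mapping holds, logd gains a message type on xperm-enabled kernels that the old rule never permitted, so this widens the rule rather than translating it. Either narrow it to `allowxperm logd self:netlink_audit_socket nlmsg AUDIT_SET;`, or, if logd really does send user AVC messages, add `nlmsg_relay` to the legacy rule with a comment saying why. The Test: lines in the description do not exercise logd sending AUDIT_USER_AVC, so the extra grant is currently unvalidated.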