Update Common NetD SEPolicy to allow Netlink XFRM
In order to perform XFRM operations NetD needs the
ability to both read and write Netlink XFRM messages.
Bug: 34811756
Test: 34812052
Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee
(cherry picked from commit 7eb3dd3b02693852d6dee1e8e1135d3d9b201b86)
diff --git a/public/netd.te b/public/netd.te
index 81f4af4..35d9b7c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,6 +80,9 @@
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
###
### Neverallow rules
###
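Review bot: The comment on the added allow rule only restates the permissions and does not say why netd needs them, which matters here because nlmsg_write lets netd modify kernel XFRM state rather than just query it. Suggest naming the purpose from the commit message in the policy itself, for example "# netd performs XFRM operations, so it must read and write netlink xfrm messages", so that a later audit of public/netd.te can tell the write access is intentional. The rule is scoped to netd's own sockets (self) and uses create_socket_perms_no_ioctl, so no ioctl access is granted; that scoping looks right and is worth keeping if the rule is later extended.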