Update netlink_tcpdiag_socket for nlmsg xperm

Translate the netlink_tcpdiag_socket rules for the new extended permission.
The policy is updated so that it works on kernels both with and without the
new nlmsg permission.

For netd and network_stack, complete access is granted (as no allowxperm
rule is defined). It was not possible to determine the exact access
required by system_server so the full access is also granted.

Test: Boot and validate that no denials are reported.
Bug: 353255679
Change-Id: Ifc5b2ab7706a2873448bc32a83d1cad70fc207b6
diff --git a/private/access_vectors b/private/access_vectors
index 6bfe5d9..beacf21 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -405,6 +405,7 @@
 {
 	nlmsg_read
 	nlmsg_write
+	nlmsg
 }
 
 class netlink_nflog_socket
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13b7b9f..b98cb97 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -416,7 +416,12 @@
 allow dumpstate net_data_file:file r_file_perms;
 
 # List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow dumpstate self:netlink_tcpdiag_socket nlmsg_read;
+# For kernel >= 6.13
+allow dumpstate self:netlink_tcpdiag_socket nlmsg;
+allowxperm dumpstate self:netlink_tcpdiag_socket nlmsg SOCK_DIAG_BY_FAMILY;
 
 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;
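Review bot: The allowxperm list on the last added line is the only thing that keeps dumpstate read-only on newer kernels, and that intent is not written down; the old single `nlmsg_read` grant carried it implicitly. I would add a comment above it such as `# Read-only socket listing: SOCK_DESTROY is deliberately not granted.` so a later edit does not widen the list without noticing. The bare `nlmsg` grant on the line before it would be unrestricted without that allowxperm rule, so the two lines should stay together. The `# For kernel >= 6.13` wording presumably also assumes the policy declares the matching policy capability, which is not visible in this hunk.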
diff --git a/private/netd.te b/private/netd.te
index 8b6ea4c..93d0141 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -66,7 +66,11 @@
 allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow netd self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow netd self:netlink_tcpdiag_socket nlmsg;
 allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow netd shell_exec:file rx_file_perms;
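Review bot: The new `nlmsg` grant for netd has no accompanying `allowxperm`, so on newer kernels it permits every tcpdiag message type, including SOCK_DESTROY and anything added later; the commit message acknowledges this but the policy itself does not. If netd's diag client only issues SOCK_DIAG_BY_FAMILY and SOCK_DESTROY (my understanding, not confirmable from this hunk), it could be narrowed with `allowxperm netd self:netlink_tcpdiag_socket nlmsg { SOCK_DIAG_BY_FAMILY SOCK_DESTROY };`, assuming a SOCK_DESTROY definition exists alongside the SOCK_DIAG_BY_FAMILY one used in dumpstate.te. Failing that, a comment stating that the unrestricted range is intentional would help, e.g. `# No allowxperm: netd needs both diag queries and SOCK_DESTROY.`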
diff --git a/private/network_stack.te b/private/network_stack.te
index 4450e02..ee7269e 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -55,7 +55,11 @@
 get_prop(network_stack, device_config_connectivity_prop)
 
 # Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow network_stack self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow network_stack self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow network_stack self:netlink_tcpdiag_socket nlmsg;
 ############### Tethering Service app - Tethering.apk ##############
 hal_client_domain(network_stack, hal_tetheroffload)
 # Create and share netlink_netfilter_sockets for tetheroffload.
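Review bot: The comment `# Create/use netlink_tcpdiag_socket to get tcp info` describes a read-only use, but the rules under it grant `nlmsg_write` on older kernels and, through unrestricted `nlmsg`, every message type including SOCK_DESTROY on newer ones. Either the comment understates what network_stack does, or the new-kernel grant can be narrowed to `allowxperm network_stack self:netlink_tcpdiag_socket nlmsg SOCK_DIAG_BY_FAMILY;` as was done for dumpstate; I cannot tell from this hunk which applies, but the comment should say so. A blank line before the `############### Tethering Service app` header would also separate the two sections, as the blank line after the `get_prop` rule above appears to do elsewhere in the file.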
diff --git a/private/system_server.te b/private/system_server.te
index aeeb566..6a498f8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -154,8 +154,11 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket
-    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow system_server self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow system_server self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow system_server self:netlink_tcpdiag_socket nlmsg;
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
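Review bot: The rule comment says the socket is used `for looking up connection UIDs for VPN apps`, i.e. queries, yet the new `nlmsg` grant carries no `allowxperm`, so on newer kernels system_server can also send SOCK_DESTROY and any other tcpdiag message type. The commit message states that the exact requirement could not be determined; that should be recorded in the policy rather than only in the commit log, e.g. `# TODO(b/353255679): narrow with allowxperm once the required nlmsg types are known.` above the `nlmsg` rule. If only lookups turn out to be needed, the dumpstate rule in this same change (`allowxperm ... nlmsg SOCK_DIAG_BY_FAMILY`) is the pattern to follow.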