Update netlink_tcpdiag_socket for nlmsg xperm
Translate the netlink_tcpdiag_socket rules for the new extended permission.
This policy is updated to support kernels with or without the new nlmsg
permission.
For netd and network_stack, complete access is granted (as no allowxperm
rule is defined). It was not possible to determine the exact access
required by system_server so the full access is also granted.
Test: Boot and validate that no denials are reported.
Bug: 353255679
Change-Id: Ifc5b2ab7706a2873448bc32a83d1cad70fc207b6
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13b7b9f..b98cb97 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -416,7 +416,12 @@
allow dumpstate net_data_file:file r_file_perms;
# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow dumpstate self:netlink_tcpdiag_socket nlmsg_read;
+# For kernel >= 6.13
+allow dumpstate self:netlink_tcpdiag_socket nlmsg;
+allowxperm dumpstate self:netlink_tcpdiag_socket nlmsg SOCK_DIAG_BY_FAMILY;
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
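Review bot: The split into a `nlmsg_read` rule (kernel < 6.13) and a `nlmsg` rule plus `allowxperm ... SOCK_DIAG_BY_FAMILY` (kernel >= 6.13) is correct for the "List sockets via ss" use case, but the `nlmsg_read` rule becomes dead policy once the minimum supported kernel reaches 6.13; consider adding a `TODO` comment referencing Bug 353255679 next to `# For kernel < 6.13` so the legacy rule is removed rather than left behind. It would also help to note in the commit message that, unlike netd, network_stack and system_server, dumpstate is the one domain here that gets a restrictive allowxperm.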