Update netlink_tcpdiag_socket for nlmsg xperm

Translate the netlink_tcpdiag_socket rules for the new extended permission.
This policy is updated to support kernels with or without the new nlmsg
permission.

For netd and network_stack, complete access is granted (as no allowxperm
rule is defined). It was not possible to determine the exact access
required by system_server, so the full access is also granted.

Test: Boot and validate that no denials are reported.
Bug: 353255679
Change-Id: Ifc5b2ab7706a2873448bc32a83d1cad70fc207b6
diff --git a/private/network_stack.te b/private/network_stack.te
index 4450e02..ee7269e 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -55,7 +55,11 @@
get_prop(network_stack, device_config_connectivity_prop)
# Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow network_stack self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow network_stack self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow network_stack self:netlink_tcpdiag_socket nlmsg;
############### Tethering Service app - Tethering.apk ##############
hal_client_domain(network_stack, hal_tetheroffload)
# Create and share netlink_netfilter_sockets for tetheroffload.
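Review bot: the `+allow network_stack self:netlink_tcpdiag_socket nlmsg;` line under `# For kernel >= 6.13` has no matching `allowxperm` rule, so on those kernels network_stack is allowed every netlink message type on the socket, which is broader than the `{ nlmsg_read nlmsg_write }` split it replaces. If the message types network_stack actually sends are known, scope the grant with an `allowxperm network_stack self:netlink_tcpdiag_socket nlmsg { ... };` line; otherwise the comment should say that the unrestricted grant is intentional, so a later reader does not mistake the missing `allowxperm` for an oversight.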