commit 67c1b352ca84b8f9d93d3b75226c69194a853f2d
author Thiébaud Weksteen <tweek@google.com> Fri Oct 18 14:27:13 2024 +1100
committer Thiébaud Weksteen <tweek@google.com> Wed Nov 27 10:26:34 2024 +1100
tree d377e7d4fa304f12b7dfb53ad5d17270452e8639
parent 5bc9bb8c84f8b13a245f8ef70cdd2706e74b5ef6

Update netlink_tcpdiag_socket for nlmsg xperm

Translate the netlink_tcpdiag_socket rules for the new extended permission.
This policy is updated to support kernel with or without the new nlmsg
permission.

For netd and network_stack, complete access is granted (as no allowxperm
rule is defined). It was not possible to determine the exact access
required by system_server so the full access is also granted.

Test: Boot and validate that no denials are reported.
Bug: 353255679
Change-Id: Ifc5b2ab7706a2873448bc32a83d1cad70fc207b6

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index aeeb566..6a498f8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -154,8 +154,11 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket
-    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow system_server self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow system_server self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow system_server self:netlink_tcpdiag_socket nlmsg;
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;