commit 80b8e3cba384ed72e96c0ca0a428cdd2ec6ae5c6
author Bram Bonné <brambonne@google.com> Tue Dec 01 10:00:55 2020 +0000
committer Bram Bonné <brambonne@google.com> Tue Dec 01 10:04:23 2020 +0000
tree 013f10767aa8830b0227e2365adf4320021df0df
parent 18ccf9725e4ffa15581576e1fa965c31b95f6666

Revert^3 "Enforce RTM_GETLINK restrictions on all 3p apps"

18ccf9725e4ffa15581576e1fa965c31b95f6666

Revert submission 1498525-revert-1499099-revert-1450615-mac-address-restrictions-MNRMVNXRJM-OSETMCLBXY

Reason for revert: b/173384499#comment21
Reverted Changes:
I320d3bcf8:Revert^2 "Enforce RTM_GETLINK restrictions on all ...
I51c83733c:Revert^2 "Return anonymized MAC for apps targeting...
I0e8280c74:Revert "Revert "Updates tests for untrusted app MA...
Ia9f61819f:Revert^2 "Soft-enables new MAC address restriction...

Change-Id: I35a00e187f1b39f6aaa777709fb948f840565a82

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 87869dd..12357c7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -114,7 +114,12 @@
 } *;
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
 
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };

private/untrusted_app_25.te

diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 82c07ff..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,3 +48,6 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };

private/untrusted_app_27.te

diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7a326a5..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,6 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };

private/untrusted_app_29.te

diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index d03f399..344ae89 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,3 +14,6 @@
 untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };