Merge changes from topic "revert-3316655-MWSNJIMVUE" into main
* changes:
Revert "Add nlmsg constants and macros"
Revert "Update netlink_audit_socket for nlmsg xperm"
Revert "Update netlink_tcpdiag_socket for nlmsg xperm"
Revert "Update netlink_xfrm_socket for nlmsg xperm"
Revert "Update netlink_route_socket for nlmsg xperm"
Revert "Enable netlink_xperm capability"
diff --git a/Android.bp b/Android.bp
index 3d81c49..558810c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -72,8 +72,6 @@
"attributes",
"ioctl_defines",
"ioctl_macros",
- "nlmsg_defines",
- "nlmsg_macros",
"*.te",
"roles_decl",
"roles",
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 9595255..8bdf01b 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -46,8 +46,6 @@
"te_macros",
"ioctl_defines",
"ioctl_macros",
- "nlmsg_defines",
- "nlmsg_macros",
"attributes|*.te",
"roles_decl",
"roles",
diff --git a/private/access_vectors b/private/access_vectors
index 1ad1885..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -398,7 +398,6 @@
nlmsg_write
nlmsg_readpriv
nlmsg_getneigh
- nlmsg
}
class netlink_tcpdiag_socket
@@ -406,7 +405,6 @@
{
nlmsg_read
nlmsg_write
- nlmsg
}
class netlink_nflog_socket
@@ -417,7 +415,6 @@
{
nlmsg_read
nlmsg_write
- nlmsg
}
class netlink_selinux_socket
@@ -431,7 +428,6 @@
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
- nlmsg
}
class netlink_dnrt_socket
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1f6a06e..0e2b01c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -148,7 +148,7 @@
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
-neverallowxperm all_untrusted_apps domain:netlink_route_socket nlmsg RTM_GETLINK;
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
@@ -158,13 +158,6 @@
-untrusted_app_29
-untrusted_app_30
} domain:netlink_route_socket nlmsg_getneigh;
-neverallowxperm {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -untrusted_app_29
- -untrusted_app_30
-} domain:netlink_route_socket nlmsg RTM_GETNEIGH;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
diff --git a/private/auditctl.te b/private/auditctl.te
index b6d191a..f634d3d 100644
--- a/private/auditctl.te
+++ b/private/auditctl.te
@@ -15,10 +15,4 @@
init_daemon_domain(auditctl)
allow auditctl self:global_capability_class_set audit_control;
-allow auditctl self:netlink_audit_socket create_socket_perms_no_ioctl;
-
-# For kernel < 6.13
-allow auditctl self:netlink_audit_socket nlmsg_write;
-# For kernel >= 6.13
-allow auditctl self:netlink_audit_socket nlmsg;
-allowxperm auditctl self:netlink_audit_socket nlmsg AUDIT_SET;
+allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/private/dhcp.te b/private/dhcp.te
index 437fa0c..ce4fef1 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -13,7 +13,6 @@
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
-allowxperm dhcp self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 17aca37..5e3bce5 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -415,12 +415,7 @@
allow dumpstate net_data_file:file r_file_perms;
# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow dumpstate self:netlink_tcpdiag_socket nlmsg_read;
-# For kernel >= 6.13
-allow dumpstate self:netlink_tcpdiag_socket nlmsg;
-allowxperm dumpstate self:netlink_tcpdiag_socket nlmsg SOCK_DIAG_BY_FAMILY;
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
@@ -516,12 +511,7 @@
binder_call(dumpstate, installd);
# Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow dumpstate self:netlink_xfrm_socket nlmsg_read;
-# For kernel >= 6.13
-allow dumpstate self:netlink_xfrm_socket nlmsg;
-allowxperm dumpstate self:netlink_xfrm_socket nlmsg XFRM_MSG_GETPOLICY;
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
diff --git a/private/hal_nlinterceptor.te b/private/hal_nlinterceptor.te
index 9004613..1a738a5 100644
--- a/private/hal_nlinterceptor.te
+++ b/private/hal_nlinterceptor.te
@@ -5,8 +5,4 @@
allow hal_nlinterceptor self:global_capability_class_set net_admin;
allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_nlinterceptor self:netlink_route_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
-# For kernel >= 6.13
-allow hal_nlinterceptor self:netlink_route_socket nlmsg;
+allow hal_nlinterceptor self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_readpriv nlmsg_write };
diff --git a/private/hal_telephony.te b/private/hal_telephony.te
index c44f748..306d459 100644
--- a/private/hal_telephony.te
+++ b/private/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allowxperm hal_telephony_server self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/private/hal_wifi_hostapd.te b/private/hal_wifi_hostapd.te
index f5dbfb9..eeb72ba 100644
--- a/private/hal_wifi_hostapd.te
+++ b/private/hal_wifi_hostapd.te
@@ -22,7 +22,6 @@
allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
-allowxperm hal_wifi_hostapd_server self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
###
### neverallow rules
diff --git a/private/hal_wifi_supplicant.te b/private/hal_wifi_supplicant.te
index d2e59e6..498469d 100644
--- a/private/hal_wifi_supplicant.te
+++ b/private/hal_wifi_supplicant.te
@@ -15,7 +15,6 @@
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allowxperm hal_wifi_supplicant self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
diff --git a/private/init.te b/private/init.te
index c2a129b..b16e918 100644
--- a/private/init.te
+++ b/private/init.te
@@ -705,14 +705,7 @@
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket create_socket_perms_no_ioctl;
-
-# For kernel < 6.13
-allow init self:netlink_audit_socket nlmsg_relay;
-# For kernel >= 6.13
-allow init self:netlink_audit_socket nlmsg;
-allowxperm init self:netlink_audit_socket nlmsg AUDIT_USER_AVC;
-
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface
diff --git a/private/logd.te b/private/logd.te
index 8f97e10..b6e8b27 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -58,14 +58,7 @@
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket create_socket_perms_no_ioctl;
-
-# For kernel < 6.13
-allow logd self:netlink_audit_socket nlmsg_write;
-# For kernel >= 6.13
-allow logd self:netlink_audit_socket nlmsg;
-allowxperm logd self:netlink_audit_socket nlmsg { AUDIT_SET AUDIT_USER_AVC };
-
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file { getattr w_file_perms };
allow logd system_data_file:{ file lnk_file } r_file_perms;
diff --git a/private/net.te b/private/net.te
index 3e44b2d..2c2f091 100644
--- a/private/net.te
+++ b/private/net.te
@@ -3,14 +3,11 @@
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
-# RTM_GETLINK, RTM_GETNEIGH and RTM_GETNEIGHTBL are not accessible to
-# untrusted_app (as these can be abused to recover the MAC address). See
-# b/141455849 and b/171572148. Some untrusted apps (e.g. untrusted_app_25-30)
-# are granted access elsewhere to avoid app-compat breakage. On kernel before
-# 6.13, Android-specific permissions were defined to implement this restriction
-# (nlmsg_readpriv and nlmsg_getneigh). From kernal 6.13 onwards, the permission
-# has been revoked for netdomain. If your domain requires it, access should be
-# granted using the extended permission "nlmsg".
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
allow {
netdomain
-ephemeral_app
@@ -31,8 +28,7 @@
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read nlmsg };
-allowxperm netdomain self:netlink_route_socket nlmsg unpriv_route_socket_nlmsgs;
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
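Review bot: The restored `allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };` spells the socket permissions out instead of using `create_socket_perms_no_ioctl`, and the one member that appears to be missing from that list is `bind`, with nothing on the line saying the omission is deliberate. The app_neverallows.te hunk in this same change forbids `bind` on netlink_route_socket for all_untrusted_apps, so a later cleanup that collapses the list back to the macro would trip that neverallow. A one-line comment above the rule would pin the intent: `# Explicit permission list, not create_socket_perms_no_ioctl: bind is deliberately excluded (neverallowed for untrusted apps in app_neverallows.te).`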
diff --git a/private/netd.te b/private/netd.te
index 1c8fed4..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -64,14 +64,9 @@
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
-allowxperm netd self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow netd self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow netd self:netlink_tcpdiag_socket nlmsg;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
@@ -141,11 +136,7 @@
allow netd netdomain:fd use;
# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow netd self:netlink_xfrm_socket { nlmsg_write nlmsg_read };
-# For kernel >= 6.13
-allow netd self:netlink_xfrm_socket nlmsg;
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
diff --git a/private/network_stack.te b/private/network_stack.te
index 70b3ed3..4450e02 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -23,7 +23,6 @@
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
-allowxperm network_stack self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
# Use netlink uevent sockets.
allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
@@ -56,11 +55,7 @@
get_prop(network_stack, device_config_connectivity_prop)
# Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow network_stack self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow network_stack self:netlink_tcpdiag_socket nlmsg;
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
hal_client_domain(network_stack, hal_tetheroffload)
# Create and share netlink_netfilter_sockets for tetheroffload.
@@ -77,11 +72,7 @@
get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
# Use XFRM (IPsec) netlink sockets
-allow network_stack self:netlink_xfrm_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow network_stack self:netlink_xfrm_socket { nlmsg_write nlmsg_read };
-# For kernel >= 6.13
-allow network_stack self:netlink_xfrm_socket nlmsg;
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# tun device used for 3rd party vpn apps and test network manager
allow network_stack tun_device:chr_file rw_file_perms;
diff --git a/private/policy_capabilities b/private/policy_capabilities
index e0f27c2..9290e3a 100644
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -18,7 +18,3 @@
# process2: nnp_transition, nosuid_transition
#
policycap nnp_nosuid_transition;
-
-# Support extended permissions for netlink sockets.
-# Available in kernel >= 6.13.
-policycap netlink_xperm;
diff --git a/private/priv_app.te b/private/priv_app.te
index a3ba019..1ef5be1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -297,7 +297,3 @@
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
-
-# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
-neverallowxperm priv_app domain:netlink_route_socket nlmsg RTM_GETLINK;
diff --git a/private/recovery.te b/private/recovery.te
index dbc1ab3..24dfd43 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -26,13 +26,7 @@
set_prop(recovery, gsid_prop)
# These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket create_socket_perms_no_ioctl;
- # For kernel < 6.13
- allow recovery self:netlink_route_socket { nlmsg_readpriv nlmsg_read };
- # For kernel >= 6.13
- allow recovery self:netlink_route_socket nlmsg;
- allowxperm recovery self:netlink_route_socket nlmsg unpriv_route_socket_nlmsgs;
- allowxperm recovery self:netlink_route_socket nlmsg RTM_GETLINK;
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
allow recovery self:global_capability_class_set net_admin;
allow recovery self:tcp_socket { create ioctl };
allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
diff --git a/private/system_server.te b/private/system_server.te
index 69ecd61..99ef142 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -154,11 +154,8 @@
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow system_server self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow system_server self:netlink_tcpdiag_socket nlmsg;
+allow system_server self:netlink_tcpdiag_socket
+ { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
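Review bot: The restored tcpdiag rule is split over two lines (`allow system_server self:netlink_tcpdiag_socket` / ` { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };`), while every other rule this change restores — the xfrm rule later in this same file, and the netd, network_stack and dumpstate rules — keeps the permission set on the same line as the statement. Folding it back onto one line keeps the file consistent and lets a search for the class-plus-brace pattern find it: `allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };`.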
@@ -180,14 +177,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
-allowxperm system_server self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
# Use XFRM (IPsec) netlink sockets
-allow system_server self:netlink_xfrm_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow system_server self:netlink_xfrm_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow system_server self:netlink_xfrm_socket nlmsg;
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index f4d17ef..d59245c 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,8 +52,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_25 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_25 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index cb3a860..8c970d8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,8 +40,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_27 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_27 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index ddd3412..ed0bbfc 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,8 +18,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_29 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_29 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index b645b05..c87548e 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,8 +20,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_30 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_30 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
index 7980678..d6c7998 100644
--- a/private/wifi_mainline_supplicant.te
+++ b/private/wifi_mainline_supplicant.te
@@ -27,6 +27,5 @@
# Netlink sockets
allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
-allowxperm wifi_mainline_supplicant self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/nlmsg_defines b/public/nlmsg_defines
deleted file mode 100644
index 9ddfb92..0000000
--- a/public/nlmsg_defines
+++ /dev/null
@@ -1,121 +0,0 @@
-# Netlink messages may be filtered using extended permissions, based on the
-# nlmsg_type field. This files defines the most common constants for each
-# netlink socket class.
-
-# NETLINK_ROUTE_SOCKET
-# Based on uapi/linux/rnetlink.h
-define(`RTM_NEWLINK', `16')
-define(`RTM_DELLINK', `17')
-define(`RTM_GETLINK', `18')
-define(`RTM_SETLINK', `19')
-define(`RTM_NEWADDR', `20')
-define(`RTM_DELADDR', `21')
-define(`RTM_GETADDR', `22')
-define(`RTM_NEWROUTE', `24')
-define(`RTM_DELROUTE', `25')
-define(`RTM_GETROUTE', `26')
-define(`RTM_NEWNEIGH', `28')
-define(`RTM_DELNEIGH', `29')
-define(`RTM_GETNEIGH', `30')
-define(`RTM_NEWRULE', `32')
-define(`RTM_DELRULE', `33')
-define(`RTM_GETRULE', `34')
-define(`RTM_NEWQDISC', `36')
-define(`RTM_DELQDISC', `37')
-define(`RTM_GETQDISC', `38')
-define(`RTM_NEWTCLASS', `40')
-define(`RTM_DELTCLASS', `41')
-define(`RTM_GETTCLASS', `42')
-define(`RTM_NEWTFILTER', `44')
-define(`RTM_DELTFILTER', `45')
-define(`RTM_GETTFILTER', `46')
-define(`RTM_NEWACTION', `48')
-define(`RTM_DELACTION', `49')
-define(`RTM_GETACTION', `50')
-define(`RTM_NEWPREFIX', `52')
-define(`RTM_GETMULTICAST', `58')
-define(`RTM_GETANYCAST', `62')
-define(`RTM_NEWNEIGHTBL', `64')
-define(`RTM_GETNEIGHTBL', `66')
-define(`RTM_SETNEIGHTBL', `67')
-define(`RTM_NEWNDUSEROPT', `68')
-define(`RTM_NEWADDRLABEL', `72')
-define(`RTM_DELADDRLABEL', `73')
-define(`RTM_GETADDRLABEL', `74')
-define(`RTM_GETDCB', `78')
-define(`RTM_SETDCB', `79')
-define(`RTM_NEWNETCONF', `80')
-define(`RTM_DELNETCONF', `81')
-define(`RTM_GETNETCONF', `82')
-define(`RTM_NEWMDB', `84')
-define(`RTM_DELMDB', `85')
-define(`RTM_GETMDB', `86')
-define(`RTM_NEWNSID', `88')
-define(`RTM_DELNSID', `89')
-define(`RTM_GETNSID', `90')
-define(`RTM_NEWSTATS', `92')
-define(`RTM_GETSTATS', `94')
-define(`RTM_SETSTATS', `95')
-define(`RTM_NEWCACHEREPORT', `96')
-define(`RTM_NEWCHAIN', `100')
-define(`RTM_DELCHAIN', `101')
-define(`RTM_GETCHAIN', `102')
-define(`RTM_NEWNEXTHOP', `104')
-define(`RTM_DELNEXTHOP', `105')
-define(`RTM_GETNEXTHOP', `106')
-define(`RTM_NEWLINKPROP', `108')
-define(`RTM_DELLINKPROP', `109')
-define(`RTM_GETLINKPROP', `110')
-define(`RTM_NEWVLAN', `112')
-define(`RTM_DELVLAN', `113')
-define(`RTM_GETVLAN', `114')
-define(`RTM_NEWNEXTHOPBUCKET', `116')
-define(`RTM_DELNEXTHOPBUCKET', `117')
-define(`RTM_GETNEXTHOPBUCKET', `118')
-define(`RTM_NEWTUNNEL', `120')
-define(`RTM_DELTUNNEL', `121')
-define(`RTM_GETTUNNEL', `122')
-
-# NETLINK_TCPDIAG_SOCKET
-# Based on uapi/linux/inet_diag.h and uapi/linux/sock_diag.h
-define(`TCPDIAG_GETSOCK', `18')
-define(`DCCPDIAG_GETSOCK', `19')
-define(`SOCK_DIAG_BY_FAMILY', `20')
-define(`SOCK_DESTROY', `21')
-
-# NETLINK_XFRM_SOCKET
-# Based on uapi/linux/xfrm.h
-define(`XFRM_MSG_NEWSA', `0x10')
-define(`XFRM_MSG_DELSA', `0x11')
-define(`XFRM_MSG_GETSA', `0x12')
-define(`XFRM_MSG_NEWPOLICY', `0x13')
-define(`XFRM_MSG_DELPOLICY', `0x14')
-define(`XFRM_MSG_GETPOLICY', `0x15')
-define(`XFRM_MSG_ALLOCSPI', `0x16')
-define(`XFRM_MSG_ACQUIRE', `0x17')
-define(`XFRM_MSG_EXPIRE', `0x18')
-define(`XFRM_MSG_UPDPOLICY', `0x19')
-define(`XFRM_MSG_UPDSA', `0x1a')
-define(`XFRM_MSG_POLEXPIRE', `0x1b')
-define(`XFRM_MSG_FLUSHSA', `0x1c')
-define(`XFRM_MSG_FLUSHPOLICY', `0x1d')
-define(`XFRM_MSG_NEWAE', `0x1e')
-define(`XFRM_MSG_GETAE', `0x1f')
-define(`XFRM_MSG_REPORT', `0x20')
-define(`XFRM_MSG_MIGRATE', `0x21')
-define(`XFRM_MSG_NEWSADINFO', `0x22')
-define(`XFRM_MSG_GETSADINFO', `0x23')
-define(`XFRM_MSG_NEWSPDINFO', `0x24')
-define(`XFRM_MSG_GETSPDINFO', `0x25')
-define(`XFRM_MSG_MAPPING', `0x26')
-define(`XFRM_MSG_SETDEFAULT', `0x27')
-define(`XFRM_MSG_GETDEFAULT', `0x28')
-
-# NETLINK_AUDIT_SOCKET
-# Based on uapi/linux/audit.h
-define(`AUDIT_SET', `1001')
-define(`AUDIT_USER', `1005')
-define(`AUDIT_USER_AVC', `1107')
-define(`AUDIT_AVC', `1400')
-define(`AUDIT_SELINUX_ERR', `1401')
-
diff --git a/public/nlmsg_macros b/public/nlmsg_macros
deleted file mode 100644
index c40ef9b..0000000
--- a/public/nlmsg_macros
+++ /dev/null
@@ -1,20 +0,0 @@
-# Macros for Netlink messages. See nlmsg_defines.
-
-# This is the whole range for netlink_route_socket. This is equivalent to the
-# older: { nlmsg_read nlmsg_write nlmsg_readpriv nlmsg_getneigh }.
-# If possible, prefer to define the exact nlmsg required by your domain.
-define(`priv_route_socket_nlmsgs', `{ RTM_NEWLINK-RTM_GETTUNNEL }')
-
-# This is a subset of nlmsg_read without RTM_GETLINK, RTM_GETNEIGH nor
-# RTM_GETNEIGHTBL.
-define(`unpriv_route_socket_nlmsgs', `
-{
- RTM_GETADDR RTM_GETROUTE RTM_GETRULE
- RTM_GETQDISC RTM_GETTCLASS RTM_GETTFILTER
- RTM_GETACTION RTM_GETMULTICAST RTM_GETANYCAST
- RTM_GETADDRLABEL RTM_GETDCB RTM_GETNETCONF
- RTM_GETMDB RTM_GETNSID RTM_NEWSTATS RTM_GETSTATS
- RTM_NEWCACHEREPORT RTM_GETCHAIN RTM_GETNEXTHOP
- RTM_GETVLAN RTM_GETNEXTHOPBUCKET RTM_GETTUNNEL
-}
-')
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
index fd9cae2..3d56bf4 100644
--- a/vendor/ot_rcp.te
+++ b/vendor/ot_rcp.te
@@ -14,10 +14,4 @@
allow ot_rcp self:udp_socket { bind create ioctl read setopt write };
allow ot_rcp node:udp_socket node_bind;
allow ot_rcp port:udp_socket name_bind;
-allow ot_rcp self:netlink_route_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow ot_rcp self:netlink_route_socket { nlmsg_read nlmsg_readpriv };
-# For kernel >= 6.13
-allow ot_rcp self:netlink_route_socket nlmsg;
-allowxperm ot_rcp self:netlink_route_socket nlmsg unpriv_route_socket_nlmsgs;
-allowxperm ot_rcp self:netlink_route_socket nlmsg RTM_GETLINK;
+allow ot_rcp self:netlink_route_socket { nlmsg_read nlmsg_readpriv create read write };
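Review bot: The restored `allow ot_rcp self:netlink_route_socket { nlmsg_read nlmsg_readpriv create read write };` grants a narrower socket set than the `create_socket_perms_no_ioctl` the removed lines used, so this is not a one-for-one revert of the permission surface; presumably it is the pre-change state, but if the daemon came to rely on any of the macro's other members (getattr, setattr, bind, connect, getopt, setopt, as far as I recall global_macros) in the interim, expect new denials on its netlink_route_socket. If the narrower set is the intended least-privilege shape, a short comment saying so would stop a future reader from "fixing" it back to the macro, e.g. `# Deliberately narrower than create_socket_perms_no_ioctl: only the socket ops ot_rcp needs.` The recovery.te hunk (`{ create write read nlmsg_readpriv nlmsg_read }`) has the same pattern and should get the same note; since both lists hold the same permissions, ordering them the same way would also make the parallel obvious.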