Tighten up handling of new classes 1b1d133be5350989cbd6c09e4f000e146f9ab7ae added the process2 class but forgot to suppress SELinux denials associated with these permissions for the su domain. Suppress them. Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule in su.te is relevant. Inspired by https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02 Add xdp_socket to various other neverallow rules. Test: policy compiles. Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7

commit: a194d3757aae59ac59ee62a3b2a6d60be48b4cbb [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Nov 16 02:48:03 2018 -0800
committer: Nick Kralevich <nnk@google.com> Fri Nov 16 03:10:14 2018 -0800
tree: ae2fc546cba36029173cb604acf253c96835cc45
parent: e00ca14cbbf3256f36d145bf219879833ddccf9b [diff] [blame]
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 79437bd..30acf87 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -93,7 +93,7 @@
   ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
   atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
-  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
 # Do not allow untrusted apps access to /cache
commit	a194d3757aae59ac59ee62a3b2a6d60be48b4cbb	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Nov 16 02:48:03 2018 -0800
committer	Nick Kralevich <nnk@google.com>	Fri Nov 16 03:10:14 2018 -0800
tree	ae2fc546cba36029173cb604acf253c96835cc45
parent	e00ca14cbbf3256f36d145bf219879833ddccf9b [diff] [blame]