Add xfrm netlink permissions for system server

This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and the network stack to monitor counters and replay
bitmaps of IPsec tunnels.

This patch updates the prebuilts, in addition to the changes to the
master source.

Bug: 233392908
Test: Compiled
(cherry picked from commit b25b4bf53f0de8ba43951a2b775836e88273585a)
(cherry picked from commit 8b7c1cbd5ec8229ff4901ee71196a4d29574694b)
Change-Id: I55e03a3ca7793b09688f603c973c38bd2f6e7c7f
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index e1c056d..356bebf 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -64,6 +64,9 @@
 allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 # Unfortunately init/vendor_init have all sorts of extra privs
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
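Review bot: The nlmsg_write permission granted to network_stack on the new netlink_xfrm_socket rule (the `allow network_stack self:netlink_xfrm_socket ...` line) looks broader than the stated purpose. The commit description says network_stack only monitors counters and replay bitmaps, and as far as I recall the XFRM GET requests used for that (GETSA, GETAE, GETSADINFO) are checked against nlmsg_read, while nlmsg_write covers the NEW/UPD/DEL/FLUSH messages that change SA and policy state. Unless the monitor genuinely has to write, the rule would be tighter as `allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };`. If the write is needed, the comment should say what for, e.g. `# Monitor IPsec SA counters/replay state; nlmsg_write needed for <reason>`.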
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 7bc0c66..e6c129a 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -183,6 +183,9 @@
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };
 # signull allowed for kill(pid, 0) existence test.
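Review bot: The new comment `# Use XFRM (IPsec) netlink sockets` says what the rule is, not why, unlike the neighbouring `# Set and get routes directly via netlink.` comment above it. Since this grants system_server write access to the kernel's IPsec SA and policy state, the comment should name the consumer given in the commit message, e.g. `# IpSecService configures IPsec SAs and policies via XFRM netlink.`. The commit message also says the master policy sources are updated alongside these prebuilts; those hunks are not in this view, so make sure the source copy of this rule matches the 33.0 prebuilt exactly, as the two are expected to stay in sync.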