Revert "Update netlink_tcpdiag_socket for nlmsg xperm"
Revert submission 3316655
Reason for revert: emulator does not boot
[ 6.468328] selinux: SELinux: Could not stat /data/dalvik-cache/arm: No such file or directory.
[ 6.468892] ------------[ cut here ]------------
[ 6.469241] selinux: SELinux: Could not stat /data/dalvik-cache/arm64: No such file or directory.
[ 6.469648] kernel BUG at security/selinux/ss/services.c:961!
[ 6.470549] selinux: SELinux: Could not stat /data/dalvik-cache/riscv64: No such file or directory.
[ 6.471166] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 6.471928] selinux: SELinux: Could not stat /data/dalvik-cache/x86: No such file or directory.
[ 6.472389] CPU: 1 PID: 403 Comm: dhcpclient Tainted: G OE 6.6.56-android15-8-gb713239b1f7f-ab12714926 #1 1400000003000000474e5500b8d4777a75d64646
[ 6.473207] selinux: SELinux: Could not stat /data/dalvik-cache/x86_64: No such file or directory.
[ 6.474476] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 6.474478] RIP: 0010:services_compute_xperms_decision+0x19f/0x1b0
[ 6.474483] Code: 8b 4e 08 8b 49 18 09 48 14 48 8b 07 48 8b 4e 08 8b 49 1c 09 48 18 48 8b 07 48 8b 4e 08 8b 49 20 09 48 1c 5d c3 cc cc cc cc cc <0f> 0b 0f 0b 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 b8 00 00 00 00
[ 6.474485] RSP: 0018:ffffaa1601553bf8 EFLAGS: 00010202
[ 6.474486] RAX: ffff8b5401052578 RBX: ffffaa1601553ca8 RCX: 0000000000000003
[ 6.475300] init: Service 'ranchu-net' (pid 392) exited with status 0 oneshot service took 0.050000 seconds in background
[ 6.476348] RDX: 00000000000008a4 RSI: ffff8b540104fba0 RDI: ffffaa1601553ca8
[ 6.476912] init: Sending signal 9 to service 'ranchu-net' (pid 392) process group...
[ 6.478581] RBP: ffffaa1601553bf8 R08: 00000000000008a4 R09: 000000000000001f
[ 6.478582] R10: 00000000c7f20000 R11: ffff8b540c82a000 R12: ffff8b5402eae680
[ 6.478583] R13: ffff8b5402eae680 R14: 00000000000008a3 R15: ffff8b540104fba0
[ 6.478585] FS: 00007acc4a076fd8(0000) GS:ffff8b547da80000(0000) knlGS:0000000000000000
[ 6.478587] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.478588] CR2: 000063c8ffb69960 CR3: 000000000c9ea000 CR4: 00000000000006a0
[ 6.478590] Call Trace:
[ 6.479124] libprocessgroup: Removed cgroup /sys/fs/cgroup/uid_0/pid_392
[ 6.479709] <TASK>
[ 6.480943] init: processing action (post-fs-data) from (/system/etc/init/perfetto.rc:76)
[ 6.481403] ? __die_body+0x67/0xb0
[ 6.482141] init: Command 'rm /data/misc/perfetto-traces/.guardraildata' action=post-fs-data (/system/etc/init/perfetto.rc:77) took 0ms and failed: unlink() failed: No such file or directory
[ 6.482764] ? die+0xa9/0xd0
[ 6.483423] init: processing action (post-fs-data) from (/system/etc/init/profcollectd.rc:9)
[ 6.484069] ? do_trap+0x88/0x160
[ 6.485330] init: processing action (post-fs-data) from (/system/etc/init/recovery-persist.rc:1)
[ 6.485397] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.486136] init: starting service 'exec 13 (/system/bin/recovery-persist)'...
[ 6.486273] ? handle_invalid_op+0x69/0x90
[ 6.487943] init: ... started service 'exec 13 (/system/bin/recovery-persist)' has pid 405
[ 6.488173] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.489818] init: processing action (post-fs-data) from (/system/etc/init/wifi.rc:18)
[ 6.490068] ? exc_invalid_op+0x36/0x60
[ 6.490071] ? asm_exc_invalid_op+0x1f/0x30
[ 6.490073] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.490075] security_compute_xperms_decision+0x2b7/0x460
[ 6.490077] avc_has_extended_perms+0x2f6/0x610
[ 6.490080] ioctl_has_perm+0x12a/0x180
[ 6.491055] selinux: SELinux: Skipping restorecon on directory(/data/misc/apexdata/com.android.wifi)
[ 6.491154] selinux_file_ioctl+0x1af/0x210
[ 6.491957] init: processing action (post-fs-data) from (/system_ext/etc/init/init.system_ext.radio.rc:1)
[ 6.492462] ? alloc_file_pseudo+0xa6/0x110
[ 6.500532] security_file_ioctl+0x4a/0x60
[ 6.500917] __se_sys_ioctl+0x39/0xe0
[ 6.501263] __x64_sys_ioctl+0x1c/0x40
[ 6.501612] x64_sys_call+0x15b1/0x2e10
[ 6.501995] do_syscall_64+0x4a/0xa0
[ 6.502335] ? exc_page_fault+0x65/0xc0
[ 6.502680] entry_SYSCALL_64_after_hwframe+0x78/0xe2
[ 6.503128] RIP: 0033:0x7acc47fad527
[ 6.503462] Code: 00 00 00 b8 1b 00 00 00 0f 05 48 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 e8 f7 ff ff c3 0f 1f 80 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 c8 f7 ff ff c3 0f 1f 80 00
[ 6.505170] RSP: 002b:00007fff9386e268 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 6.505869] RAX: ffffffffffffffda RBX: 00007fff9386e420 RCX: 00007acc47fad527
[ 6.506521] RDX: 00007fff9386e390 RSI: 0000000000008933 RDI: 0000000000000003
[ 6.507157] RBP: 00007fff9386e340 R08: 000000000000000a R09: 000000000000000b
[ 6.507798] R10: 00000000fffff800 R11: 0000000000000206 R12: 0000000000000003
[ 6.508460] R13: 00007fff9386e390 R14: 00007fff9386f898 R15: 00007fff9386f899
[ 6.509121] </TASK>
[ 6.509331] Modules linked in: virtio_snd(E) virtio_pmem(E) virtio_net(E) virtio_input(E) virtio_media(OE) virtio_gpu(E) virt_wifi(E) vhci_hcd(E) v4l2loopback(OE) usbip_core(E) test_meminit(E) system_heap(E) snd_aloop(E) rtc_test(E) pulse8_cec(E) net_failover(E) nd_virtio(E) mt76x2u(E) mt76x2_common(E) mt76x0u(E) mt76x02_usb(E) mt76x0_common(E) mt76x02_lib(E) mt76_usb(E) mt76(E) mac80211_hwsim(E) mac80211(E) libarc4 hci_vhci(E) gs_usb(E) can_dev goldfish_sync(OE) goldfish_pipe(OE) goldfish_battery(E) goldfish_address_space(OE) failover(E) dummy_hcd(E) dummy_cpufreq(E) cfg80211(E) btusb(E) btbcm btrtl(E) btintel(E) bluetooth zram rfkill zsmalloc vmw_vsock_virtio_transport(E) virtio_pci(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_blk(E) virtio_rng(E) virtio_pci_legacy_dev(E) virtio_dma_buf(E)
[ 6.515674] ---[ end trace 0000000000000000 ]---
[ 6.515799] init: Service 'exec 13 (/system/bin/recovery-persist)' (pid 405) exited with status 0 oneshot service took 0.028000 seconds in background
[ 6.517623] init: Sending signal 9 to service 'exec 13 (/system/bin/recovery-persist)' (pid 405) process group...
[ 6.518721] li
Reverted changes: /q/submissionid:3316655
Change-Id: I843d4cd8f9b34587c77f069636d79eb1021dace2
diff --git a/private/access_vectors b/private/access_vectors
index beacf21..6bfe5d9 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -405,7 +405,6 @@
{
nlmsg_read
nlmsg_write
- nlmsg
}
class netlink_nflog_socket
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b98cb97..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -416,12 +416,7 @@
allow dumpstate net_data_file:file r_file_perms;
# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow dumpstate self:netlink_tcpdiag_socket nlmsg_read;
-# For kernel >= 6.13
-allow dumpstate self:netlink_tcpdiag_socket nlmsg;
-allowxperm dumpstate self:netlink_tcpdiag_socket nlmsg SOCK_DIAG_BY_FAMILY;
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
diff --git a/private/netd.te b/private/netd.te
index 93d0141..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -66,11 +66,7 @@
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow netd self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow netd self:netlink_tcpdiag_socket nlmsg;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index ee7269e..4450e02 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -55,11 +55,7 @@
get_prop(network_stack, device_config_connectivity_prop)
# Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow network_stack self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow network_stack self:netlink_tcpdiag_socket nlmsg;
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
hal_client_domain(network_stack, hal_tetheroffload)
# Create and share netlink_netfilter_sockets for tetheroffload.
diff --git a/private/system_server.te b/private/system_server.te
index 6a498f8..aeeb566 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -154,11 +154,8 @@
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow system_server self:netlink_tcpdiag_socket { nlmsg_read nlmsg_write };
-# For kernel >= 6.13
-allow system_server self:netlink_tcpdiag_socket nlmsg;
+allow system_server self:netlink_tcpdiag_socket
+ { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;