commit ab02397814159c66bed18eaf303981bb97cb6681
author Patrick Rohr <prohr@google.com> Thu May 19 21:34:31 2022 -0700
committer Patrick Rohr <prohr@google.com> Thu May 19 22:07:49 2022 -0700
tree 4d751b5894afc3e46da70f69179ef04c44059da7
parent 6b2fefbf46df51537f94db4bdfaf41f6fb223041

Fix system server and network stack netlink permissions

Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.

Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99

private/network_stack.te

diff --git a/private/network_stack.te b/private/network_stack.te
index b105938..e1c056d 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,14 @@
 # Monitor neighbors via netlink.
 allow network_stack self:netlink_route_socket nlmsg_write;
 
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack mdns_service:service_manager find;

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index e77ba5d..af798ef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -156,11 +156,14 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;

public/app.te

diff --git a/public/app.te b/public/app.te
index da24012..de3d0ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -53,7 +53,8 @@
 # These messages are broadcast messages from the kernel to userspace.
 # Do not allow the writing of netlink messages, which has been a source
 # of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+    domain:netlink_kobject_uevent_socket { write append };
 
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;