Add xfrm netlink permissions for system server
This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.
Bug: 233392908
Test: Compiled
Change-Id: I25539dc579f21d6288fa962d1fad9b51573f017d
diff --git a/private/system_server.te b/private/system_server.te
index 287503c..b48c9e7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -177,6 +177,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
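Review bot: The new rule on the `allow system_server self:netlink_xfrm_socket` line grants nlmsg_read in addition to nlmsg_write, while the description attributes SA configuration (a write operation) to IpSecService in system_server and the counter/replay-bitmap monitoring (reads) to network_stack; if system_server only installs and removes SAs, dropping nlmsg_read keeps the grant minimal, since read access on this socket class covers dumping installed SA state. If system_server does need reads, the comment should say why, e.g. `# Use XFRM (IPsec) netlink sockets: IpSecService configures SAs and reads their state`. The network_stack rule mentioned in the description is not in this hunk, so its permission set cannot be checked here; presumably it lives in a separate file.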