untrusted_app: disallow bind RTM_ROUTE socket
Bug: 141455849
Change-Id: I27a8735626a5c3c8aad49e8a68de166f3a10cfde
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5c8ad88..677b9e2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -118,7 +118,7 @@
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-} domain:netlink_route_socket { nlmsg_readpriv };
+} domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
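Review bot: The `+` line adds `bind` to the denied permissions, but nothing visible in the hunk documents why, or that `untrusted_app_25`, `untrusted_app_27` and `untrusted_app_29` stay outside the assertion; those three lines read as unchanged set subtractions in the rule, not deletions. The rule's opening `neverallow {` line and any comment above it are outside the hunk, so check whether that comment still describes only `nlmsg_readpriv`. I would extend it with something like `# Untrusted apps may not bind netlink route sockets; the legacy untrusted_app_25/27/29 domains are excluded from this assertion.` Because a neverallow is only a build-time assertion, also confirm that the same change drops the matching `allow` for `bind` from the non-exempt untrusted app domain. Only `private/app_neverallows.te` is visible here, so that cannot be verified from this hunk.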