Update netlink_route_socket for nlmsg xperm

Translate the netlink_route_socket rules for the new extended permission.
The policy is updated to support kernels with or without the new nlmsg
permission.

Bug: 353255679
Test: CtsSelinuxTargetSdk25TestCases
Test: CtsSelinuxTargetSdk27TestCases
Test: CtsSelinuxTargetSdk28TestCases
Test: CtsSelinuxTargetSdk29TestCases
Test: CtsSelinuxTargetSdk30TestCases
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: CtsLibcoreTestCases
Change-Id: Idf9eeded4f6dbb2711af34f01643a6d025d89c79
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0e2b01c..1f6a06e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -148,7 +148,7 @@
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
-neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallowxperm all_untrusted_apps domain:netlink_route_socket nlmsg RTM_GETLINK;
 
 # Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
 neverallow {
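Review bot: The priv_app restriction on `bind` and `nlmsg_readpriv` is deleted here and nothing replaces it, because the added `neverallowxperm` line names only `all_untrusted_apps`. After this change no rule in this hunk stops a later allow from granting priv_app bind or RTM_GETLINK on netlink_route_socket. The commit description speaks of translating rules, not relaxing one, so if the removal is intended it should be stated there; it may also be handled in a file outside this diff. Otherwise keep the removed line and add its counterpart, `neverallowxperm priv_app domain:netlink_route_socket nlmsg RTM_GETLINK;`. The comment above the rules could also note that the classic `nlmsg_readpriv` rule covers kernels without the nlmsg xperm and the xperm rule covers kernels with it.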
@@ -158,6 +158,13 @@
   -untrusted_app_29
   -untrusted_app_30
 } domain:netlink_route_socket nlmsg_getneigh;
+neverallowxperm {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} domain:netlink_route_socket nlmsg RTM_GETNEIGH;
 
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
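Review bot: The added `neverallowxperm` block names only `RTM_GETNEIGH`, while the comment that introduces these rules (it sits just before this hunk) says RTM_GETNEIGH{TBL}. The older `nlmsg_getneigh` permission presumably covers both message types, so on kernels that enforce the nlmsg xperm RTM_GETNEIGHTBL would be left without a compile-time guard. If the policy defines that constant, the closing line could read `} domain:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };`. Otherwise the comment should be narrowed to match what the xperm rule actually enforces.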