Update netlink_xfrm_socket for nlmsg xperm

Translate the netlink_xfrm_socket rules for the new extended permission.
This policy is updated to support kernels with or without the new nlmsg
permission.

Test: run bugreport and check that dumpstate is able to read the ipsec
      policy
Bug: 353255679
Change-Id: Iede0b259057e5f9a51f051c8b78fba504d217efb
diff --git a/private/access_vectors b/private/access_vectors
index beacf21..2779926 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -416,6 +416,7 @@
 {
 	nlmsg_read
 	nlmsg_write
+	nlmsg
 }
 
 class netlink_selinux_socket
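Review bot: Adding `nlmsg` to the access vector on its own does not make the kernel consult it: on kernels that implement the netlink extended permission, the `nlmsg` check is only used when the policy also declares the `netlink_xperm` policy capability, and this change does not show that capability being added. If it is not already declared elsewhere in this policy, the new `nlmsg` rules in dumpstate.te, netd.te, network_stack.te and system_server.te would be inert and the kernel would keep checking `nlmsg_read`/`nlmsg_write` as before. Worth a one-line comment next to the new permission so the dependency is visible, e.g. `# nlmsg: extended permission keyed on the netlink message type (kernel >= 6.13, requires the netlink_xperm policycap)`. The enclosing class declaration starts before this hunk.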
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b98cb97..8cdf3cc 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -517,7 +517,12 @@
 binder_call(dumpstate, installd);
 
 # Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow dumpstate self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow dumpstate self:netlink_xfrm_socket nlmsg_read;
+# For kernel >= 6.13
+allow dumpstate self:netlink_xfrm_socket nlmsg;
+allowxperm dumpstate self:netlink_xfrm_socket nlmsg XFRM_MSG_GETPOLICY;
 
 # Allow dumpstate to run iotop
 allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
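Review bot: The two kernel branches grant different scopes: the `nlmsg_read` fallback on the "kernel < 6.13" line permits every read-type XFRM message, while the `allowxperm` line narrows the new-kernel path to `XFRM_MSG_GETPOLICY` only, so if `ip xfrm policy` also issues another GET message (for instance an SPD-info query) the new-kernel path would be denied where the old one works; the Test line's bugreport check should therefore be run on both kernel generations. The `allowxperm` is also silently ignored on kernels without the extended permission, and `XFRM_MSG_GETPOLICY` must resolve to a value defined in the policy's macro/definition files, which are not visible here. Suggest making the asymmetry explicit in the comment: `# For kernel >= 6.13: nlmsg is restricted by the allowxperm below to the policy-dump message type only`.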
diff --git a/private/netd.te b/private/netd.te
index 93d0141..d966bcc 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -140,7 +140,11 @@
 allow netd netdomain:fd use;
 
 # give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow netd self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow netd self:netlink_xfrm_socket { nlmsg_write nlmsg_read };
+# For kernel >= 6.13
+allow netd self:netlink_xfrm_socket nlmsg;
 
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
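Review bot: Unlike dumpstate.te in this same change, the new `nlmsg` grant here has no `allowxperm` companion, so on a kernel >= 6.13 it allows every XFRM message type — the same scope as the old `nlmsg_write nlmsg_read` pair rather than a narrowing. That is acceptable as a compatibility step, but the comment should say so, because a reader comparing it with dumpstate.te may assume a restriction was forgotten, e.g. `# For kernel >= 6.13 (no allowxperm: all XFRM message types, same scope as nlmsg_read/nlmsg_write above)`. The same applies to the network_stack.te and system_server.te hunks; system_server.te additionally writes the fallback as `{ nlmsg_read nlmsg_write }` where the other two files use `{ nlmsg_write nlmsg_read }`, which is harmless but worth aligning.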
diff --git a/private/network_stack.te b/private/network_stack.te
index ee7269e..e58d4fd 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -76,7 +76,11 @@
 get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
 
 # Use XFRM (IPsec) netlink sockets
-allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow network_stack self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow network_stack self:netlink_xfrm_socket { nlmsg_write nlmsg_read };
+# For kernel >= 6.13
+allow network_stack self:netlink_xfrm_socket nlmsg;
 
 # tun device used for 3rd party vpn apps and test network manager
 allow network_stack tun_device:chr_file rw_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 6a498f8..1cced81 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -182,7 +182,11 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Use XFRM (IPsec) netlink sockets
-allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow system_server self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow system_server self:netlink_xfrm_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow system_server self:netlink_xfrm_socket nlmsg;
 
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };