Update netlink_xfrm_socket for nlmsg xperm Translate the netlink_xfrm_socket rules for the new extended permission. This policy is updated to support kernel with or without the new nlmsg permission. Test: run bugreport and check that dumpstate is able to read the ipsec policy Bug: 353255679 Change-Id: Iede0b259057e5f9a51f051c8b78fba504d217efb

commit: eb4cc3eed4ac683629c4a39e4f8185a2db5c44b4 [log] [tgz]
author: Thiébaud Weksteen <tweek@google.com> Fri Oct 18 15:26:40 2024 +1100
committer: Thiébaud Weksteen <tweek@google.com> Wed Nov 27 10:26:34 2024 +1100
tree: 42df8a56b375559cdf4e1c44babb927d5fa930c3
parent: 67c1b352ca84b8f9d93d3b75226c69194a853f2d [diff] [blame]
diff --git a/private/netd.te b/private/netd.te
index 93d0141..d966bcc 100644
--- a/private/netd.te
+++ b/private/netd.te

@@ -140,7 +140,11 @@
 allow netd netdomain:fd use;
 
 # give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow netd self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow netd self:netlink_xfrm_socket { nlmsg_write nlmsg_read };
+# For kernel >= 6.13
+allow netd self:netlink_xfrm_socket nlmsg;
 
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
commit	eb4cc3eed4ac683629c4a39e4f8185a2db5c44b4	[log] [tgz]
author	Thiébaud Weksteen <tweek@google.com>	Fri Oct 18 15:26:40 2024 +1100
committer	Thiébaud Weksteen <tweek@google.com>	Wed Nov 27 10:26:34 2024 +1100
tree	42df8a56b375559cdf4e1c44babb927d5fa930c3
parent	67c1b352ca84b8f9d93d3b75226c69194a853f2d [diff] [blame]