Update netlink_xfrm_socket for nlmsg xperm
Translate the netlink_xfrm_socket rules for the new extended permission.
This policy is updated to support kernel with or without the new nlmsg
permission.
Test: run bugreport and check that dumpstate is able to read the ipsec
policy
Bug: 353255679
Change-Id: Iede0b259057e5f9a51f051c8b78fba504d217efb
diff --git a/private/network_stack.te b/private/network_stack.te
index ee7269e..e58d4fd 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -76,7 +76,11 @@
get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
# Use XFRM (IPsec) netlink sockets
-allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow network_stack self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow network_stack self:netlink_xfrm_socket { nlmsg_write nlmsg_read };
+# For kernel >= 6.13
+allow network_stack self:netlink_xfrm_socket nlmsg;
# tun device used for 3rd party vpn apps and test network manager
allow network_stack tun_device:chr_file rw_file_perms;