Update netlink_xfrm_socket for nlmsg xperm
Translate the netlink_xfrm_socket rules for the new extended permission.
This policy is updated to support kernels with or without the new nlmsg
permission.
Test: run bugreport and check that dumpstate is able to read the ipsec
policy
Bug: 353255679
Change-Id: Iede0b259057e5f9a51f051c8b78fba504d217efb
diff --git a/private/system_server.te b/private/system_server.te
index 6a498f8..1cced81 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -182,7 +182,11 @@
allow system_server self:netlink_route_socket nlmsg_write;
# Use XFRM (IPsec) netlink sockets
-allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow system_server self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+# For kernel < 6.13
+allow system_server self:netlink_xfrm_socket { nlmsg_read nlmsg_write };
+# For kernel >= 6.13
+allow system_server self:netlink_xfrm_socket nlmsg;
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
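Review bot: The third added rule, `allow system_server self:netlink_xfrm_socket nlmsg;`, grants every XFRM netlink message type on 6.13+ kernels, which is broader than the `nlmsg_read nlmsg_write` pair it stands in for; if parity with the old rule is the goal, consider narrowing it with an `allowxperm` statement restricted to the XFRM message types system_server actually issues, or state in the comment why the unrestricted grant is acceptable. The two comment lines also do not say why both rule sets coexist, so a maintainer may later treat the `nlmsg` rule as a duplicate; suggested wording: `# For kernel >= 6.13: nlmsg supersedes nlmsg_read/nlmsg_write; keep both until pre-6.13 kernels are dropped`. Whether a kernel without the new permission tolerates this rule presumably depends on how `nlmsg` is declared in the policy's access vector definitions, which are outside this hunk, so that is worth confirming in the description.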