Merge changes from topic "cherrypicker-L90100000954806085:N90400001269057103" into tm-dev
* changes:
Add xfrm netlink permissions for system server
Fix system server and network stack netlink permissions
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index b105938..356bebf 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -22,6 +22,14 @@
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack mdns_service:service_manager find;
@@ -56,6 +64,9 @@
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
# Unfortunately init/vendor_init have all sorts of extra privs
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index ba097f2..e6c129a 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -159,11 +159,14 @@
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+ { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
@@ -180,6 +183,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
index da24012..de3d0ca 100644
--- a/prebuilts/api/33.0/public/app.te
+++ b/prebuilts/api/33.0/public/app.te
@@ -53,7 +53,8 @@
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+ domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
diff --git a/private/network_stack.te b/private/network_stack.te
index b105938..356bebf 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,14 @@
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack mdns_service:service_manager find;
@@ -56,6 +64,9 @@
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
# Unfortunately init/vendor_init have all sorts of extra privs
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
diff --git a/private/system_server.te b/private/system_server.te
index ba097f2..e6c129a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -159,11 +159,14 @@
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+ { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
@@ -180,6 +183,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
diff --git a/public/app.te b/public/app.te
index da24012..de3d0ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -53,7 +53,8 @@
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+ domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;