Revert "Update netlink_route_socket for nlmsg xperm"
Revert submission 3316655
Reason for revert: emulator does not boot
[ 6.468328] selinux: SELinux: Could not stat /data/dalvik-cache/arm: No such file or directory.
[ 6.468892] ------------[ cut here ]------------
[ 6.469241] selinux: SELinux: Could not stat /data/dalvik-cache/arm64: No such file or directory.
[ 6.469648] kernel BUG at security/selinux/ss/services.c:961!
[ 6.470549] selinux: SELinux: Could not stat /data/dalvik-cache/riscv64: No such file or directory.
[ 6.471166] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 6.471928] selinux: SELinux: Could not stat /data/dalvik-cache/x86: No such file or directory.
[ 6.472389] CPU: 1 PID: 403 Comm: dhcpclient Tainted: G OE 6.6.56-android15-8-gb713239b1f7f-ab12714926 #1 1400000003000000474e5500b8d4777a75d64646
[ 6.473207] selinux: SELinux: Could not stat /data/dalvik-cache/x86_64: No such file or directory.
[ 6.474476] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 6.474478] RIP: 0010:services_compute_xperms_decision+0x19f/0x1b0
[ 6.474483] Code: 8b 4e 08 8b 49 18 09 48 14 48 8b 07 48 8b 4e 08 8b 49 1c 09 48 18 48 8b 07 48 8b 4e 08 8b 49 20 09 48 1c 5d c3 cc cc cc cc cc <0f> 0b 0f 0b 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 b8 00 00 00 00
[ 6.474485] RSP: 0018:ffffaa1601553bf8 EFLAGS: 00010202
[ 6.474486] RAX: ffff8b5401052578 RBX: ffffaa1601553ca8 RCX: 0000000000000003
[ 6.475300] init: Service 'ranchu-net' (pid 392) exited with status 0 oneshot service took 0.050000 seconds in background
[ 6.476348] RDX: 00000000000008a4 RSI: ffff8b540104fba0 RDI: ffffaa1601553ca8
[ 6.476912] init: Sending signal 9 to service 'ranchu-net' (pid 392) process group...
[ 6.478581] RBP: ffffaa1601553bf8 R08: 00000000000008a4 R09: 000000000000001f
[ 6.478582] R10: 00000000c7f20000 R11: ffff8b540c82a000 R12: ffff8b5402eae680
[ 6.478583] R13: ffff8b5402eae680 R14: 00000000000008a3 R15: ffff8b540104fba0
[ 6.478585] FS: 00007acc4a076fd8(0000) GS:ffff8b547da80000(0000) knlGS:0000000000000000
[ 6.478587] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.478588] CR2: 000063c8ffb69960 CR3: 000000000c9ea000 CR4: 00000000000006a0
[ 6.478590] Call Trace:
[ 6.479124] libprocessgroup: Removed cgroup /sys/fs/cgroup/uid_0/pid_392
[ 6.479709] <TASK>
[ 6.480943] init: processing action (post-fs-data) from (/system/etc/init/perfetto.rc:76)
[ 6.481403] ? __die_body+0x67/0xb0
[ 6.482141] init: Command 'rm /data/misc/perfetto-traces/.guardraildata' action=post-fs-data (/system/etc/init/perfetto.rc:77) took 0ms and failed: unlink() failed: No such file or directory
[ 6.482764] ? die+0xa9/0xd0
[ 6.483423] init: processing action (post-fs-data) from (/system/etc/init/profcollectd.rc:9)
[ 6.484069] ? do_trap+0x88/0x160
[ 6.485330] init: processing action (post-fs-data) from (/system/etc/init/recovery-persist.rc:1)
[ 6.485397] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.486136] init: starting service 'exec 13 (/system/bin/recovery-persist)'...
[ 6.486273] ? handle_invalid_op+0x69/0x90
[ 6.487943] init: ... started service 'exec 13 (/system/bin/recovery-persist)' has pid 405
[ 6.488173] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.489818] init: processing action (post-fs-data) from (/system/etc/init/wifi.rc:18)
[ 6.490068] ? exc_invalid_op+0x36/0x60
[ 6.490071] ? asm_exc_invalid_op+0x1f/0x30
[ 6.490073] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.490075] security_compute_xperms_decision+0x2b7/0x460
[ 6.490077] avc_has_extended_perms+0x2f6/0x610
[ 6.490080] ioctl_has_perm+0x12a/0x180
[ 6.491055] selinux: SELinux: Skipping restorecon on directory(/data/misc/apexdata/com.android.wifi)
[ 6.491154] selinux_file_ioctl+0x1af/0x210
[ 6.491957] init: processing action (post-fs-data) from (/system_ext/etc/init/init.system_ext.radio.rc:1)
[ 6.492462] ? alloc_file_pseudo+0xa6/0x110
[ 6.500532] security_file_ioctl+0x4a/0x60
[ 6.500917] __se_sys_ioctl+0x39/0xe0
[ 6.501263] __x64_sys_ioctl+0x1c/0x40
[ 6.501612] x64_sys_call+0x15b1/0x2e10
[ 6.501995] do_syscall_64+0x4a/0xa0
[ 6.502335] ? exc_page_fault+0x65/0xc0
[ 6.502680] entry_SYSCALL_64_after_hwframe+0x78/0xe2
[ 6.503128] RIP: 0033:0x7acc47fad527
[ 6.503462] Code: 00 00 00 b8 1b 00 00 00 0f 05 48 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 e8 f7 ff ff c3 0f 1f 80 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 c8 f7 ff ff c3 0f 1f 80 00
[ 6.505170] RSP: 002b:00007fff9386e268 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 6.505869] RAX: ffffffffffffffda RBX: 00007fff9386e420 RCX: 00007acc47fad527
[ 6.506521] RDX: 00007fff9386e390 RSI: 0000000000008933 RDI: 0000000000000003
[ 6.507157] RBP: 00007fff9386e340 R08: 000000000000000a R09: 000000000000000b
[ 6.507798] R10: 00000000fffff800 R11: 0000000000000206 R12: 0000000000000003
[ 6.508460] R13: 00007fff9386e390 R14: 00007fff9386f898 R15: 00007fff9386f899
[ 6.509121] </TASK>
[ 6.509331] Modules linked in: virtio_snd(E) virtio_pmem(E) virtio_net(E) virtio_input(E) virtio_media(OE) virtio_gpu(E) virt_wifi(E) vhci_hcd(E) v4l2loopback(OE) usbip_core(E) test_meminit(E) system_heap(E) snd_aloop(E) rtc_test(E) pulse8_cec(E) net_failover(E) nd_virtio(E) mt76x2u(E) mt76x2_common(E) mt76x0u(E) mt76x02_usb(E) mt76x0_common(E) mt76x02_lib(E) mt76_usb(E) mt76(E) mac80211_hwsim(E) mac80211(E) libarc4 hci_vhci(E) gs_usb(E) can_dev goldfish_sync(OE) goldfish_pipe(OE) goldfish_battery(E) goldfish_address_space(OE) failover(E) dummy_hcd(E) dummy_cpufreq(E) cfg80211(E) btusb(E) btbcm btrtl(E) btintel(E) bluetooth zram rfkill zsmalloc vmw_vsock_virtio_transport(E) virtio_pci(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_blk(E) virtio_rng(E) virtio_pci_legacy_dev(E) virtio_dma_buf(E)
[ 6.515674] ---[ end trace 0000000000000000 ]---
[ 6.515799] init: Service 'exec 13 (/system/bin/recovery-persist)' (pid 405) exited with status 0 oneshot service took 0.028000 seconds in background
[ 6.517623] init: Sending signal 9 to service 'exec 13 (/system/bin/recovery-persist)' (pid 405) process group...
[ 6.518721] li
Reverted changes: /q/submissionid:3316655
Change-Id: I9275693f478454b437359643d2f7240e411abbe0
diff --git a/private/access_vectors b/private/access_vectors
index 1ad1885..2779926 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -398,7 +398,6 @@
nlmsg_write
nlmsg_readpriv
nlmsg_getneigh
- nlmsg
}
class netlink_tcpdiag_socket
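Review bot: Removing `nlmsg` from the netlink_route_socket access vector here is what turns every `allowxperm … nlmsg` elsewhere into a compile error rather than a lost grant, so any out-of-tree policy (vendor, product or odm sepolicy) that started referencing the permission after submission 3316655 will break at build time; a full-tree build before merging the revert would confirm nothing outside this directory still names it. The trace in the description lands in services_compute_xperms_decision on a 6.6.56 kernel, which apparently does not expect an extended-permission decision for a permission other than ioctl, while the reverted comments describe the feature as kernel >= 6.13; a reland should presumably be gated on the target kernel's support for netlink xperms instead of being unconditional. A short comment next to the netlink_route_socket permissions recording that, e.g. `# nlmsg is an extended-permission target that older kernels reject at policy-decision time; re-add only with kernel-version gating`, would keep the next author from hitting the same boot failure.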
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1f6a06e..0e2b01c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -148,7 +148,7 @@
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
-neverallowxperm all_untrusted_apps domain:netlink_route_socket nlmsg RTM_GETLINK;
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
@@ -158,13 +158,6 @@
-untrusted_app_29
-untrusted_app_30
} domain:netlink_route_socket nlmsg_getneigh;
-neverallowxperm {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -untrusted_app_29
- -untrusted_app_30
-} domain:netlink_route_socket nlmsg RTM_GETNEIGH;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
diff --git a/private/dhcp.te b/private/dhcp.te
index 437fa0c..ce4fef1 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -13,7 +13,6 @@
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
-allowxperm dhcp self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
diff --git a/private/hal_nlinterceptor.te b/private/hal_nlinterceptor.te
index 9004613..1a738a5 100644
--- a/private/hal_nlinterceptor.te
+++ b/private/hal_nlinterceptor.te
@@ -5,8 +5,4 @@
allow hal_nlinterceptor self:global_capability_class_set net_admin;
allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_nlinterceptor self:netlink_route_socket create_socket_perms_no_ioctl;
-# For kernel < 6.13
-allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
-# For kernel >= 6.13
-allow hal_nlinterceptor self:netlink_route_socket nlmsg;
+allow hal_nlinterceptor self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_readpriv nlmsg_write };
diff --git a/private/hal_telephony.te b/private/hal_telephony.te
index c44f748..306d459 100644
--- a/private/hal_telephony.te
+++ b/private/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allowxperm hal_telephony_server self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/private/hal_wifi_hostapd.te b/private/hal_wifi_hostapd.te
index f5dbfb9..eeb72ba 100644
--- a/private/hal_wifi_hostapd.te
+++ b/private/hal_wifi_hostapd.te
@@ -22,7 +22,6 @@
allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
-allowxperm hal_wifi_hostapd_server self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
###
### neverallow rules
diff --git a/private/hal_wifi_supplicant.te b/private/hal_wifi_supplicant.te
index d2e59e6..498469d 100644
--- a/private/hal_wifi_supplicant.te
+++ b/private/hal_wifi_supplicant.te
@@ -15,7 +15,6 @@
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allowxperm hal_wifi_supplicant self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
diff --git a/private/net.te b/private/net.te
index 3e44b2d..2c2f091 100644
--- a/private/net.te
+++ b/private/net.te
@@ -3,14 +3,11 @@
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
-# RTM_GETLINK, RTM_GETNEIGH and RTM_GETNEIGHTBL are not accessible to
-# untrusted_app (as these can be abused to recover the MAC address). See
-# b/141455849 and b/171572148. Some untrusted apps (e.g. untrusted_app_25-30)
-# are granted access elsewhere to avoid app-compat breakage. On kernel before
-# 6.13, Android-specific permissions were defined to implement this restriction
-# (nlmsg_readpriv and nlmsg_getneigh). From kernal 6.13 onwards, the permission
-# has been revoked for netdomain. If your domain requires it, access should be
-# granted using the extended permission "nlmsg".
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
allow {
netdomain
-ephemeral_app
@@ -31,8 +28,7 @@
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read nlmsg };
-allowxperm netdomain self:netlink_route_socket nlmsg unpriv_route_socket_nlmsgs;
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/private/netd.te b/private/netd.te
index 1c8fed4..d966bcc 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -64,7 +64,6 @@
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
-allowxperm netd self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
diff --git a/private/network_stack.te b/private/network_stack.te
index 70b3ed3..e58d4fd 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -23,7 +23,6 @@
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
-allowxperm network_stack self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
# Use netlink uevent sockets.
allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/private/priv_app.te b/private/priv_app.te
index a3ba019..1ef5be1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -297,7 +297,3 @@
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
-
-# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
-neverallowxperm priv_app domain:netlink_route_socket nlmsg RTM_GETLINK;
diff --git a/private/recovery.te b/private/recovery.te
index dbc1ab3..24dfd43 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -26,13 +26,7 @@
set_prop(recovery, gsid_prop)
# These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket create_socket_perms_no_ioctl;
- # For kernel < 6.13
- allow recovery self:netlink_route_socket { nlmsg_readpriv nlmsg_read };
- # For kernel >= 6.13
- allow recovery self:netlink_route_socket nlmsg;
- allowxperm recovery self:netlink_route_socket nlmsg unpriv_route_socket_nlmsgs;
- allowxperm recovery self:netlink_route_socket nlmsg RTM_GETLINK;
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
allow recovery self:global_capability_class_set net_admin;
allow recovery self:tcp_socket { create ioctl };
allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
diff --git a/private/system_server.te b/private/system_server.te
index 2887667..1cced81 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -180,7 +180,6 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
-allowxperm system_server self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
# Use XFRM (IPsec) netlink sockets
allow system_server self:netlink_xfrm_socket create_socket_perms_no_ioctl;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index f4d17ef..d59245c 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,8 +52,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_25 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_25 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index cb3a860..8c970d8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,8 +40,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_27 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_27 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index ddd3412..ed0bbfc 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,8 +18,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_29 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_29 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index b645b05..c87548e 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,8 +20,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
-allowxperm untrusted_app_30 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
-auditallowxperm untrusted_app_30 self:netlink_route_socket nlmsg { RTM_GETNEIGH RTM_GETNEIGHTBL };
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
index 7980678..d6c7998 100644
--- a/private/wifi_mainline_supplicant.te
+++ b/private/wifi_mainline_supplicant.te
@@ -27,6 +27,5 @@
# Netlink sockets
allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
-allowxperm wifi_mainline_supplicant self:netlink_route_socket nlmsg priv_route_socket_nlmsgs;
allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;