git.stricted.de - GitHub/LineageOS/android_kernel_motorola

author	Bram Bonné <brambonne@google.com>
	Fri, 30 Apr 2021 09:50:19 +0000 (11:50 +0200)
committer	Bram Bonné <brambonne@google.com>
	Tue, 27 Jul 2021 15:16:25 +0000 (17:16 +0200)
commit	3a06037a326fcf7fc147d13da1af9eb4a2937306
tree	1125f6c66d966f76b1deda83c3c1d413e1b8ddb4	tree \| snapshot (tar.gz zip)
parent	b0428f4d5b612b8aa61f4c188fc38f3f87b705a6	commit \| diff

ANDROID: selinux: modify RTM_GETNEIGH{TBL}

Map the permission gating RTM_GETNEIGH/RTM_GETNEIGHTBL messages to a
new permission so that it can be distinguished from the other netlink
route permissions in selinux policy. The new permission is triggered by
a flag set in system images T and up.

This change is intended to be backported to all kernels that a T system
image can run on top of.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: On Cuttlefish, run combinations of:
    - Policy bit set or omitted (see https://r.android.com/1701847)
    - This patch applied or omitted
    - App having nlmsg_readneigh permission or not
  Verify that only the combination of this patch + the policy bit being
  set + the app not having the nlmsg_readneigh permission prevents the
  app from sending RTM_GETNEIGH messages.

Change-Id: I4bcfce4decb34ea9388eeedfc4be67403de8a980
Signed-off-by: Bram Bonné <brambonne@google.com>
(cherry picked from commit fac07550bdac9adea0dbe3edbdbec7a9a690a178)
(cherry picked from commit 32d7afd1472c3cce509a3455b40a575540eac780)

security/selinux/include/classmap.h		diff \| blob \| blame \| history
security/selinux/include/security.h		diff \| blob \| blame \| history
security/selinux/nlmsgtab.c		diff \| blob \| blame \| history
security/selinux/ss/policydb.c		diff \| blob \| blame \| history
security/selinux/ss/policydb.h		diff \| blob \| blame \| history
security/selinux/ss/services.c		diff \| blob \| blame \| history