Update netlink socket classes.

Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree). Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-21 16:17:26 -04:00 · 2015-05-21 16:17:26 -04:00 · 01d95c23ab
commit 01d95c23ab
parent 6ef10bd48b
9 changed files with 42 additions and 1 deletions
--- a/24
+++ b/24
@ -544,6 +544,30 @@ class binder
 	transfer
 }

+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
 class property_service
 {
 	set
--- a/2
+++ b/2
@ -8,7 +8,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')

-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
--- a/hostapd.te
+++ b/hostapd.te
@ -6,6 +6,7 @@ net_domain(hostapd)

 allow hostapd self:capability { net_admin net_raw setuid setgid };
 allow hostapd self:netlink_socket create_socket_perms;
+allow hostapd self:netlink_generic_socket create_socket_perms;
 allow hostapd self:packet_socket create_socket_perms;
 allow hostapd self:netlink_route_socket nlmsg_write;

--- a/netd.te
+++ b/netd.te
@ -19,6 +19,8 @@ allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms;
+allow netd self:netlink_netfilter_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
--- a/rild.te
+++ b/rild.te
@ -38,6 +38,7 @@ allow rild tty_device:chr_file rw_file_perms;

 # Allow rild to create and use netlink sockets.
 allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_generic_socket create_socket_perms;
 allow rild self:netlink_kobject_uevent_socket create_socket_perms;

 # Access to wake locks
--- a/10
+++ b/10
@ -84,6 +84,16 @@ class tun_socket

 class binder

+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
 # Property service
 class property_service          # userspace

--- a/system_server.te
+++ b/system_server.te
@ -64,6 +64,7 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
+allow system_server self:netlink_generic_socket create_socket_perms;

 # Use generic "sockets" where the address family is not known
 # to the kernel.
--- a/tee.te
+++ b/tee.te
@ -12,3 +12,4 @@ allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
 allow tee self:netlink_socket create_socket_perms;
+allow tee self:netlink_generic_socket create_socket_perms;
--- a/wpa.te
+++ b/wpa.te
@ -11,6 +11,7 @@ allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
 allow wpa self:netlink_route_socket nlmsg_write;
 allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:netlink_generic_socket create_socket_perms;
 allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;