From 8a5539b5f00b8993e1817ef61b4da16a03967d59 Mon Sep 17 00:00:00 2001 From: Chenbo Feng Date: Wed, 27 Feb 2019 17:44:26 -0800 Subject: [PATCH] Move pf_key socket creation permission to netd Allow netd to trigger the kernel synchronize rcu with open and close pf_key socket. This action was previously done by system_server but now it need to be done by netd instead because there might be race issue when netd is operating on a map that is cleaned up by system server. Bug: 126620214 Test: android.app.usage.cts.NetworkUsageStatsTest android.net.cts.TrafficStatsTest Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf --- private/netd.te | 4 ++++ private/system_server.te | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/private/netd.te b/private/netd.te index a00cb6976..4c129b7e2 100644 --- a/private/netd.te +++ b/private/netd.te @@ -12,6 +12,10 @@ domain_auto_trans(netd, clatd_exec, clatd) # the map created by bpfloader allow netd bpfloader:bpf { prog_run map_read map_write }; +# in order to invoke side effect of close() on such a socket calling synchronize_rcu() +# TODO: Remove this permission when 4.9 kernel is deprecated. +allow netd self:key_socket create; + get_prop(netd, bpf_progs_loaded_prop) # Allow netd to write to statsd. diff --git a/private/system_server.te b/private/system_server.te index 9b986b124..68a8f55ec 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -879,10 +879,6 @@ with_asan(` allow system_server fs_bpf:dir search; allow system_server fs_bpf:file { read write }; allow system_server bpfloader:bpf { map_read map_write }; -# in order to invoke side effect of close() on such a socket calling synchronize_rcu() -# TODO: Remove this permission when 4.9 kernel is deprecated. -allow system_server self:key_socket create; - # ART Profiles. # Allow system_server to open profile snapshots for read.