Merge "Enforce RTM_GETLINK restrictions on all apps"

private/app_neverallows.te

@@ -117,12 +117,7 @@ neverallow all_untrusted_apps *:{
 } *;
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow {
-  all_untrusted_apps
-  -untrusted_app_25
-  -untrusted_app_27
-  -untrusted_app_29
-} domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
 
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };

private/untrusted_app_25.te

@@ -48,7 +48,3 @@ auditallow untrusted_app_25 ashmem_device:chr_file open;
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };

private/untrusted_app_27.te

@@ -36,7 +36,3 @@ auditallow untrusted_app_27 ashmem_device:chr_file open;
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };

private/untrusted_app_29.te

@@ -14,7 +14,3 @@ app_domain(untrusted_app_29)
 untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };