Enforce MAC address restrictions for priv apps.

Bug: 230733237 Test: atest NetlinkSocketTest NetworkInterfaceTest bionic-unit-tests-static CtsSelinuxTargetSdkCurrentTestCases CtsSelinuxTargetSdk29TestCases CtsSelinuxTargetSdk27TestCases Change-Id: I1d66ae7849e950612f3b6693216ec8c84e942640
2022-05-17 14:22:02 +02:00 · 2022-05-17 14:22:02 +02:00 · af609b2f3c
commit af609b2f3c
parent e14ad82c98
2 changed files with 2 additions and 0 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -127,6 +127,7 @@ neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };

 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };

 # Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
 neverallow {
--- a/private/net.te
+++ b/private/net.te
@ -12,6 +12,7 @@ allow {
  netdomain
  -ephemeral_app
  -mediaprovider
+  -priv_app
  -sdk_sandbox
  -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };