From 423fd19d91259b19f3460eb4dd5ff9d63731429b Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 21 May 2015 16:17:26 -0400
Subject: [PATCH] Update netlink socket classes.

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 01d95c23ab8c14d72e4ce98b3dda64ce81ab6306)

Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
---
 access_vectors   | 24 ++++++++++++++++++++++++
 global_macros    |  2 +-
 hostapd.te       |  1 +
 netd.te          |  2 ++
 rild.te          |  1 +
 security_classes | 10 ++++++++++
 system_server.te |  1 +
 tee.te           |  1 +
 wpa.te           |  1 +
 9 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/access_vectors b/access_vectors
index ccf70189b..c38aa7b5f 100644
--- a/access_vectors
+++ b/access_vectors
@@ -544,6 +544,30 @@ class binder
 	transfer
 }
 
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
 class property_service
 {
 	set
diff --git a/global_macros b/global_macros
index 8d7286863..e840d5627 100644
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
diff --git a/hostapd.te b/hostapd.te
index 858c28645..204a0d9eb 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -6,6 +6,7 @@ net_domain(hostapd)
 
 allow hostapd self:capability { net_admin net_raw setuid setgid };
 allow hostapd self:netlink_socket create_socket_perms;
+allow hostapd self:netlink_generic_socket create_socket_perms;
 allow hostapd self:packet_socket create_socket_perms;
 allow hostapd self:netlink_route_socket nlmsg_write;
 
diff --git a/netd.te b/netd.te
index 9c37c8569..51445fca9 100644
--- a/netd.te
+++ b/netd.te
@@ -19,6 +19,8 @@ allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms;
+allow netd self:netlink_netfilter_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
diff --git a/rild.te b/rild.te
index 1183d4cdb..e2856a31e 100644
--- a/rild.te
+++ b/rild.te
@@ -38,6 +38,7 @@ allow rild tty_device:chr_file rw_file_perms;
 
 # Allow rild to create and use netlink sockets.
 allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_generic_socket create_socket_perms;
 allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks
diff --git a/security_classes b/security_classes
index 7ea3a380c..680d3ddbc 100644
--- a/security_classes
+++ b/security_classes
@@ -84,6 +84,16 @@ class tun_socket
 
 class binder
 
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
 # Property service
 class property_service          # userspace
 
diff --git a/system_server.te b/system_server.te
index fb5e94797..7602ec675 100644
--- a/system_server.te
+++ b/system_server.te
@@ -71,6 +71,7 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
+allow system_server self:netlink_generic_socket create_socket_perms;
 
 # Use generic "sockets" where the address family is not known
 # to the kernel.
diff --git a/tee.te b/tee.te
index ab625dea9..8ea6b95bc 100644
--- a/tee.te
+++ b/tee.te
@@ -12,3 +12,4 @@ allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
 allow tee self:netlink_socket create_socket_perms;
+allow tee self:netlink_generic_socket create_socket_perms;
diff --git a/wpa.te b/wpa.te
index a562fb75b..46d975b8a 100644
--- a/wpa.te
+++ b/wpa.te
@@ -11,6 +11,7 @@ allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
 allow wpa self:netlink_route_socket nlmsg_write;
 allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:netlink_generic_socket create_socket_perms;
 allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
-- 
GitLab