Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.

The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Showing
- private/access_vectors 0 additions, 14 deletions
- private/app.te 0 additions, 2 deletions
- private/app_neverallows.te 2 additions, 2 deletions
- private/security_classes 0 additions, 2 deletions
- private/webview_zygote.te 2 additions, 2 deletions
- public/global_macros 1 addition, 1 deletion