From 4921085d9c7a188596914de415b3d2346ac44fda Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 6 Feb 2017 14:14:58 -0500
Subject: [PATCH] Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.

The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change.

Test: policy builds
Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 private/access_vectors | 14 --------------
 private/app.te | 2 --
 private/app_neverallows.te | 4 ++--
 private/security_classes | 2 --
 private/webview_zygote.te | 4 ++--
 public/global_macros | 2 +-
 6 files changed, 5 insertions(+), 23 deletions(-)
diff --git a/private/access_vectors b/private/access_vectors
index 6f23538df..c4f13bb2c 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -403,13 +403,6 @@ inherits socket
 nlmsg_write
 }

-class netlink_firewall_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
 class netlink_tcpdiag_socket
 inherits socket
 {
@@ -440,13 +433,6 @@ inherits socket
 nlmsg_tty_audit
 }

-class netlink_ip6fw_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
 class netlink_dnrt_socket
 inherits socket
diff --git a/private/app.te b/private/app.te
index d27ce64af..e87f8df5b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -317,12 +317,10 @@ neverallow appdomain tee_device:chr_file { read write };
 # Privileged netlink socket interfaces.
 neverallow appdomain domain:{
- netlink_firewall_socket
 netlink_tcpdiag_socket
 netlink_nflog_socket
 netlink_xfrm_socket
 netlink_audit_socket
- netlink_ip6fw_socket
 netlink_dnrt_socket
 } *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6928cd616..33670aa6c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -50,8 +50,8 @@ neverallowxperm { untrusted_app ephemeral_app isolated_app } domain:{ rawip_sock
 neverallow { untrusted_app ephemeral_app isolated_app } *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow { untrusted_app ephemeral_app isolated_app } *:{ socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
 netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
diff --git a/private/security_classes b/private/security_classes
index 22d7feda0..a202c5db6 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -45,13 +45,11 @@ class ipc

 # extended netlink sockets
 class netlink_route_socket
-class netlink_firewall_socket
 class netlink_tcpdiag_socket
 class netlink_nflog_socket
 class netlink_xfrm_socket
 class netlink_selinux_socket
 class netlink_audit_socket
-class netlink_ip6fw_socket
 class netlink_dnrt_socket

 # IPSec association
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 769f66b76..aad66bf98 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
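Review bot: The `neverallow appdomain domain:{ ... } *;` rule that remains after these two removals still names only five netlink classes, while the `app_neverallows.te` and `webview_zygote.te` hunks in this same patch additionally block `netlink_kobject_uevent_socket`, `netlink_iscsi_socket`, `netlink_fib_lookup_socket`, `netlink_connector_socket`, `netlink_netfilter_socket`, `netlink_generic_socket` and `netlink_scsitransport_socket` (and, for webview_zygote, `netlink_rdma_socket netlink_crypto_socket`). The commit message defers closing that gap, so a marker at the rule would keep it from being forgotten: `# TODO: extend to the newer netlink classes blocked in app_neverallows.te once no appdomain member needs them.` Because appdomain presumably also covers the privileged app domains, any class added here must first be checked against existing allow rules, otherwise the widened neverallow fails the policy build. The rule itself is fully contained in this hunk.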
@@ -98,8 +98,8 @@ neverallow webview_zygote cache_file:file ~{ read getattr };
 # unix_stream_socket, and netlink_selinux_socket.
 neverallow webview_zygote domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
 netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
diff --git a/public/global_macros b/public/global_macros
index f0cc0cbcd..a61ffbc42 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -8,7 +8,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket
caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-- GitLab