diff --git a/private/access_vectors b/private/access_vectors
index 6f23538df539371038d33ce5ddbac41a31d1d1e1..c4f13bb2c7673f6897a7041e6ae99af01c1b4ae4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -403,13 +403,6 @@ inherits socket
 	nlmsg_write
 }
 
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
 class netlink_tcpdiag_socket
 inherits socket
 {
@@ -440,13 +433,6 @@ inherits socket
 	nlmsg_tty_audit
 }
 
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
 class netlink_dnrt_socket
 inherits socket
 
diff --git a/private/app.te b/private/app.te
index d27ce64af3012eb6980310110c8062ee2227a289..e87f8df5b69b460f9aaba6c05dd8fc7200df644a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -317,12 +317,10 @@ neverallow appdomain tee_device:chr_file { read write };
 
 # Privileged netlink socket interfaces.
 neverallow appdomain domain:{
-	netlink_firewall_socket
 	netlink_tcpdiag_socket
 	netlink_nflog_socket
 	netlink_xfrm_socket
 	netlink_audit_socket
-	netlink_ip6fw_socket
 	netlink_dnrt_socket
 } *;
 
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6928cd616bc23d5c25aebb9c1130731e78739fe6..33670aa6c6a722624c373de7904e57327c406308 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -50,8 +50,8 @@ neverallowxperm { untrusted_app ephemeral_app isolated_app } domain:{ rawip_sock
 neverallow { untrusted_app ephemeral_app isolated_app } *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow { untrusted_app ephemeral_app isolated_app } *:{
   socket netlink_socket packet_socket key_socket appletalk_socket
-  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
-  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
   netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
   netlink_generic_socket netlink_scsitransport_socket
diff --git a/private/security_classes b/private/security_classes
index 22d7feda09336aa523c98315bd0c9d706ee017a7..a202c5db69174d514bb4bb1ded95bcca494fb012 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -45,13 +45,11 @@ class ipc
 
 # extended netlink sockets
 class netlink_route_socket
-class netlink_firewall_socket
 class netlink_tcpdiag_socket
 class netlink_nflog_socket
 class netlink_xfrm_socket
 class netlink_selinux_socket
 class netlink_audit_socket
-class netlink_ip6fw_socket
 class netlink_dnrt_socket
 
 # IPSec association
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 769f66b76fb90539dbea3abd6c1d00c7bce4cac0..aad66bf983947998ebbbdb83f2c5f1c0a3c4bfbb 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
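Review bot: The untrusted-app neverallow keeps the generic `netlink_socket` class in its list, and that is the only reason coverage is not lost here: as far as I recall the kernel's netlink protocol-to-class mapping, a netlink protocol with no dedicated class is labelled `netlink_socket`, so a socket of the NETLINK_FIREWALL / NETLINK_IP6_FW protocols on a kernel that still offers them stays denied after the dedicated classes go away. That reasoning is not written anywhere near the rule, and a future edit that trims `netlink_socket` from the first line would silently reopen the hole; I would add `# netlink_socket must stay listed: protocols without a dedicated class (e.g. the removed firewall/ip6fw ones) map to it.` above the rule. Note the statement's closing `} *;` and the `netlink_rdma_socket netlink_crypto_socket` line lie outside this hunk.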
@@ -98,8 +98,8 @@ neverallow webview_zygote cache_file:file ~{ read getattr };
 # unix_stream_socket, and netlink_selinux_socket.
 neverallow webview_zygote domain:{
   socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
-  appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
-  netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+  netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
   netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
   netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
diff --git a/public/global_macros b/public/global_macros
index f0cc0cbcde934f6110f06d8f4a23eeb71d05da2e..a61ffbc42a6e0e98b652bc3c6155d9b58466eb05 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -8,7 +8,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
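Review bot: Dropping `netlink_firewall_socket` and `netlink_ip6fw_socket` from `socket_class_set` in public/global_macros changes an interface that vendor and device policy build against, and the diff removes the classes themselves in private/security_classes, so any .te file outside this change that still names either class (device trees, vendor policy, or a frozen prebuilt copy of public/ if this tree keeps one) will now fail the policy build with an undefined class; none of that is visible here and should be grepped before landing. The commit description should also state why the classes are safe to drop (both netlink protocols are, as far as I know, long gone from the kernel) and what happens on an older kernel that still defines them: with checkpolicy's default unknown-class handling such sockets are denied, which is the conservative outcome, but worth confirming for the kernels this policy ships to. A one-line comment above the macro, `# netlink_firewall_socket / netlink_ip6fw_socket intentionally absent: their kernel protocols no longer exist.`, would keep the next maintainer from "fixing" the list.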