Update netlink socket classes.

am: 01d95c23

* commit '01d95c23':
  Update netlink socket classes.

access_vectors

@@ -544,6 +544,30 @@ class binder
 	transfer
 }
 
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
 class property_service
 {
 	set

global_macros

@@ -8,7 +8,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

hostapd.te

@@ -6,6 +6,7 @@ net_domain(hostapd)
 
 allow hostapd self:capability { net_admin net_raw setuid setgid };
 allow hostapd self:netlink_socket create_socket_perms;
+allow hostapd self:netlink_generic_socket create_socket_perms;
 allow hostapd self:packet_socket create_socket_perms;
 allow hostapd self:netlink_route_socket nlmsg_write;
 

netd.te

@@ -19,6 +19,8 @@ allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms;
+allow netd self:netlink_netfilter_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;

rild.te

@@ -38,6 +38,7 @@ allow rild tty_device:chr_file rw_file_perms;
 
 # Allow rild to create and use netlink sockets.
 allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_generic_socket create_socket_perms;
 allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks

security_classes

@@ -84,6 +84,16 @@ class tun_socket
 
 class binder
 
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
 # Property service
 class property_service          # userspace
 

system_server.te

@@ -64,6 +64,7 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
+allow system_server self:netlink_generic_socket create_socket_perms;
 
 # Use generic "sockets" where the address family is not known
 # to the kernel.

tee.te

@@ -12,3 +12,4 @@ allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
 allow tee self:netlink_socket create_socket_perms;
+allow tee self:netlink_generic_socket create_socket_perms;

wpa.te

@@ -11,6 +11,7 @@ allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
 allow wpa self:netlink_route_socket nlmsg_write;
 allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:netlink_generic_socket create_socket_perms;
 allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;