Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5523c1b2 authored by Bram Bonné's avatar Bram Bonné Committed by Srinivasarao Pathipati
Browse files

ANDROID: selinux: modify RTM_GETNEIGH{TBL} 

Map the permission gating RTM_GETNEIGH/RTM_GETNEIGHTBL messages to a
new permission so that it can be distinguished from the other netlink
route permissions in selinux policy. The new permission is triggered by
a flag set in system images T and up.

This change is intended to be backported to all kernels that a T system
image can run on top of.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: On Cuttlefish, run combinations of:
    - Policy bit set or omitted (see https://r.android.com/1701847

)
    - This patch applied or omitted
    - App having nlmsg_readneigh permission or not
  Verify that only the combination of this patch + the policy bit being
  set + the app not having the nlmsg_readneigh permission prevents the
  app from sending RTM_GETNEIGH messages.

Change-Id: I4bcfce4decb34ea9388eeedfc4be67403de8a980
Signed-off-by: default avatarBram Bonné <brambonne@google.com>
(cherry picked from commit fac07550bdac9adea0dbe3edbdbec7a9a690a178)
Git-commit: 19c8fef9
Git-repo: https://android.googlesource.com/kernel/common/


Signed-off-by: default avatarSrinivasarao Pathipati <quic_c_spathi@quicinc.com>
parent 3e7bb833

security/selinux/include/classmap.h

+2 −1
Original line number Diff line number Diff line
@@ -115,7 +115,8 @@ struct security_class_mapping secclass_map[] = { 
	  { COMMON_IPC_PERMS, NULL } },

	{ "netlink_route_socket",

	  { COMMON_SOCK_PERMS,

	    "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },

	    "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", "nlmsg_getneigh",

	    NULL } },

	{ "netlink_tcpdiag_socket",

	  { COMMON_SOCK_PERMS,

	    "nlmsg_read", "nlmsg_write", NULL } },

security/selinux/include/security.h

+9 −0
Original line number Diff line number Diff line
@@ -105,6 +105,8 @@ struct selinux_state { 
	bool initialized;

	bool policycap[__POLICYDB_CAPABILITY_MAX];

	bool android_netlink_route;

	bool android_netlink_getneigh;



	struct selinux_avc *avc;

	struct selinux_ss *ss;

};
@@ -184,6 +186,13 @@ static inline bool selinux_android_nlroute_getlink(void) 
	return state->android_netlink_route;

}



static inline bool selinux_android_nlroute_getneigh(void)

{

	struct selinux_state *state = &selinux_state;



	return state->android_netlink_getneigh;

}



int security_mls_enabled(struct selinux_state *state);

int security_load_policy(struct selinux_state *state,

			 void *data, size_t len);

security/selinux/nlmsgtab.c

+20 −4
Original line number Diff line number Diff line
@@ -207,12 +207,12 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) 
	return err;

}



static void nlmsg_set_getlink_perm(u32 perm)

static void nlmsg_set_perm_for_type(u32 perm, u16 type)

{

	int i;



	for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {

		if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {

		if (nlmsg_route_perms[i].nlmsg_type == type) {

			nlmsg_route_perms[i].perm = perm;

			break;

		}
@@ -222,11 +222,27 @@ static void nlmsg_set_getlink_perm(u32 perm) 
/**

 * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the

 * netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.

 * Similarly, use nlmsg_getneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL if the

 * netlink_route_getneigh policy capability is set. Otherwise use nlmsg_read.

 */

void selinux_nlmsg_init(void)

{

	if (selinux_android_nlroute_getlink())

		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);

		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV,

					RTM_GETLINK);

	else

		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);

		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,

					RTM_GETLINK);



	if (selinux_android_nlroute_getneigh()) {

		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,

					RTM_GETNEIGH);

		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,

					RTM_GETNEIGHTBL);

	} else {

		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,

					RTM_GETNEIGH);

		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,

					RTM_GETNEIGHTBL);

	}

}

security/selinux/ss/policydb.c

+4 −0
Original line number Diff line number Diff line
@@ -2404,6 +2404,10 @@ int policydb_read(struct policydb *p, void *fp) 
		p->android_netlink_route = 1;

	}



	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH)) {

		p->android_netlink_getneigh = 1;

	}



	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {

		rc = ebitmap_read(&p->policycaps, fp);

		if (rc)

security/selinux/ss/policydb.h

+2 −0
Original line number Diff line number Diff line
@@ -239,6 +239,7 @@ struct genfs { 
struct policydb {

	int mls_enabled;

	int android_netlink_route;

	int android_netlink_getneigh;



	/* symbol tables */

	struct symtab symtab[SYM_NUM];
@@ -326,6 +327,7 @@ extern int policydb_write(struct policydb *p, void *fp); 


#define POLICYDB_CONFIG_MLS    1

#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE    (1 << 31)

#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1 << 30)



/* the config flags related to unknown classes/perms are bits 2 and 3 */

#define REJECT_UNKNOWN	0x00000002