Merge "ANDROID: selinux: modify RTM_GETLINK permission" (fe4dfdc7) · Commits · e / devices / android_kernel_oneplus_sm7250

security/selinux/include/classmap.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -115,7 +115,7 @@ struct security_class_mapping secclass_map[] = {
		{ COMMON_IPC_PERMS, NULL } },
		{ "netlink_route_socket",
		{ COMMON_SOCK_PERMS,
		"nlmsg_read", "nlmsg_write", NULL } },
		"nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
		{ "netlink_tcpdiag_socket",
		{ COMMON_SOCK_PERMS,
		"nlmsg_read", "nlmsg_write", NULL } },

+9 −0

Original line number	Diff line number	Diff line
		@@ -103,6 +103,7 @@ struct selinux_state {
		bool checkreqprot;
		bool initialized;
		bool policycap[__POLICYDB_CAPABILITY_MAX];
		bool android_netlink_route;
		struct selinux_avc *avc;
		struct selinux_ss *ss;
		};
		@@ -175,6 +176,13 @@ static inline bool selinux_policycap_nnp_nosuid_transition(void)
		return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
		}

		static inline bool selinux_android_nlroute_getlink(void)
		{
		struct selinux_state *state = &selinux_state;

		return state->android_netlink_route;
		}

		int security_mls_enabled(struct selinux_state *state);
		int security_load_policy(struct selinux_state *state,
		void *data, size_t len);
		@@ -390,5 +398,6 @@ extern void avtab_cache_init(void);
		extern void ebitmap_cache_init(void);
		extern void hashtab_cache_init(void);
		extern int security_sidtab_hash_stats(struct selinux_state state, char page);
		extern void selinux_nlmsg_init(void);

		#endif /* _SELINUX_SECURITY_H_ */

+25 −1

Original line number	Diff line number	Diff line
		@@ -28,7 +28,7 @@ struct nlmsg_perm {
		u32 perm;
		};

		static const struct nlmsg_perm nlmsg_route_perms[] =
		static struct nlmsg_perm nlmsg_route_perms[] =
		{
		{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
		{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
		@@ -206,3 +206,27 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)

		return err;
		}

		static void nlmsg_set_getlink_perm(u32 perm)
		{
		int i;

		for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
		if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
		nlmsg_route_perms[i].perm = perm;
		break;
		}
		}
		}

		/**
		* Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
		* netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
		*/
		void selinux_nlmsg_init(void)
		{
		if (selinux_android_nlroute_getlink())
		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
		else
		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
		}

+4 −0

Original line number	Diff line number	Diff line
		@@ -2400,6 +2400,10 @@ int policydb_read(struct policydb p, void fp)
		p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
		p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);

		if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE)) {
		p->android_netlink_route = 1;
		}

		if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
		rc = ebitmap_read(&p->policycaps, fp);
		if (rc)

+2 −0

Original line number	Diff line number	Diff line
		@@ -238,6 +238,7 @@ struct genfs {
		/* The policy database */
		struct policydb {
		int mls_enabled;
		int android_netlink_route;

		/* symbol tables */
		struct symtab symtab[SYM_NUM];
		@@ -324,6 +325,7 @@ extern int policydb_write(struct policydb p, void fp);
		#define PERM_SYMTAB_SIZE 32

		#define POLICYDB_CONFIG_MLS 1
		#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1 << 31)

		/* the config flags related to unknown classes/perms are bits 2 and 3 */
		#define REJECT_UNKNOWN 0x00000002