
Commit 45c8d4f2 authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server

Merge "ANDROID: selinux: modify RTM_GETLINK permission"

parents 5ceba988 4490f042
+1 −1
@@ -115,7 +115,7 @@ struct security_class_mapping secclass_map[] = {
	  { COMMON_IPC_PERMS, NULL } },
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	    "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
+2 −0
@@ -81,6 +81,7 @@ enum {

extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];

extern int selinux_android_netlink_route;
extern int selinux_policycap_netpeer;
extern int selinux_policycap_openperm;
extern int selinux_policycap_extsockclass;
@@ -276,6 +277,7 @@ extern struct vfsmount *selinuxfs_mount;
extern void selnl_notify_setenforce(int val);
extern void selnl_notify_policyload(u32 seqno);
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
extern void selinux_nlmsg_init(void);

#endif /* _SELINUX_SECURITY_H_ */
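Review bot: `selinux_android_netlink_route` is declared at the added `extern` line with no comment, and none of the hunks in this merge show where it is defined or where it is assigned from `p->android_netlink_route`, so a reader of this header cannot tell its lifetime or who resets it on a policy reload (that code may live in a file not shown). Suggest a one-line comment above the declaration, `/* mirrors the policydb android_netlink_route config bit; 1 selects nlmsg_readpriv for RTM_GETLINK */`, and `/* pick the RTM_GETLINK permission from selinux_android_netlink_route */` above the new `selinux_nlmsg_init` prototype.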
+25 −1
@@ -28,7 +28,7 @@ struct nlmsg_perm {
	u32	perm;
};

static const struct nlmsg_perm nlmsg_route_perms[] =
static struct nlmsg_perm nlmsg_route_perms[] =
{
	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
@@ -195,3 +195,27 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)

	return err;
}

static void nlmsg_set_getlink_perm(u32 perm)
{
	int i;

	for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
		if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
			nlmsg_route_perms[i].perm = perm;
			break;
		}
	}
}

/**
 * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
 * netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
 */
void selinux_nlmsg_init(void)
{
	if (selinux_android_netlink_route)
		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
	else
		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
}
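Review bot: Dropping `const` from `nlmsg_route_perms` (the change at the top of this file) moves the whole route permission table out of read-only data so that `nlmsg_set_getlink_perm` can patch one entry; a writable permission table is a hardening regression, and the store in `selinux_nlmsg_init` is unsynchronised against readers in `selinux_nlmsg_lookup` if the two can run concurrently, e.g. across policy reloads. The table can stay `static const` if the decision is made at lookup time instead: in `selinux_nlmsg_lookup`, after the table lookup for the route socket class, override the result with `if (nlmsg_type == RTM_GETLINK && selinux_android_netlink_route) *perm = NETLINK_ROUTE_SOCKET__NLMSG_READPRIV;`, which also lets the flag take effect without a separate init step. The kernel-doc comment above `selinux_nlmsg_init` is inaccurate as written: the code keys off `selinux_android_netlink_route`, not a policy capability, and the block lacks the `* selinux_nlmsg_init - ...` header line kernel-doc expects; suggest `* selinux_nlmsg_init - select the RTM_GETLINK permission` followed by one sentence saying it uses nlmsg_readpriv when selinux_android_netlink_route is set and nlmsg_read otherwise. `selinux_nlmsg_lookup`'s body begins outside the hunk.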
+4 −0
@@ -2386,6 +2386,10 @@ int policydb_read(struct policydb *p, void *fp)
	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);

	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE)) {
		p->android_netlink_route = 1;
	}

	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
		rc = ebitmap_read(&p->policycaps, fp);
		if (rc)
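Review bot: The added `if` block sets `p->android_netlink_route` only when the bit is present and never writes 0, so the field being clear for policies without the bit depends on the policydb having been zeroed before `policydb_read` runs (presumably in policydb_init, which is not shown). The two lines immediately above decode the same word with the `!!(… & FLAG)` form; following it, `p->android_netlink_route = !!(le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE);` replaces the braced single-statement `if` (which kernel style avoids) and assigns the field on both paths. `policydb_read` begins and ends outside the hunk.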
+2 −0
@@ -238,6 +238,7 @@ struct genfs {
/* The policy database */
struct policydb {
	int mls_enabled;
	int android_netlink_route;

	/* symbol tables */
	struct symtab symtab[SYM_NUM];
@@ -324,6 +325,7 @@ extern int policydb_write(struct policydb *p, void *fp);
#define PERM_SYMTAB_SIZE 32

#define POLICYDB_CONFIG_MLS    1
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE    (1 << 31)

/* the config flags related to unknown classes/perms are bits 2 and 3 */
#define REJECT_UNKNOWN	0x00000002
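Review bot: `POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE` is defined as `(1 << 31)`, which shifts a signed `int` into its sign bit; that is undefined in ISO C and, even where the compiler defines it, yields a negative `int` that is then masked against the `u32` returned by `le32_to_cpu` in policydb.c. Use an unsigned constant, `#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1U << 31)`, so the mask has the same type as the word it tests. The adjacent comment documents which bits the unknown-class flags occupy, so the new bit should be documented the same way, e.g. `/* bit 31: Android-private, selects nlmsg_readpriv for RTM_GETLINK */` above the define.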