untrusted_app: disallow bind RTM_ROUTE socket

Bug: 141455849
Change-Id: I27a8735626a5c3c8aad49e8a68de166f3a10cfde
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Jeff Vander Stoep 2020-01-28 10:42:41 +01:00
parent 5f11b2e0ed
commit b38a1d8804
2 changed files with 3 additions and 3 deletions


@ -118,7 +118,7 @@ neverallow {
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
} domain:netlink_route_socket { nlmsg_readpriv };
} domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
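Review bot: The exemption of untrusted_app_25, untrusted_app_27 and untrusted_app_29 in this neverallow only permits an allow rule for `bind` to exist; it grants nothing by itself. The second file removes `bind` from the general netdomain rule, and neither visible hunk adds it back for those three domains, so they keep it only if their own policy files already grant it. That is worth confirming, because those exemptions exist for app compatibility. The neverallow block opens outside the hunk, so any comment above it is not visible here; if it describes only the RTM_GETLINK gate, it should mention bind as well, for example `# Also block bind() on netlink route sockets for untrusted apps.`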


@ -18,7 +18,7 @@ allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
# to avoid app-compat breakage.
@ -27,7 +27,7 @@ allow {
-ephemeral_app
-mediaprovider
-untrusted_app_all
} self:netlink_route_socket { nlmsg_readpriv };
} self:netlink_route_socket { bind nlmsg_readpriv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
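Review bot: The comment above the second allow block still describes only the `nlmsg_readpriv` gate on RTM_GETLINK, while the rule under it now also carries `bind`, which the same change removes from the general netdomain rule. A reader auditing why untrusted apps cannot bind a netlink route socket would not find the reason here. I would extend the comment, for example `# b/141455849 gate RTM_GETLINK (nlmsg_readpriv) and bind() on netlink route sockets and block both from untrusted_apps.` The allow block opens in the hunk header and the file may continue past the last visible line.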