Add permission for NetworkStack updatability

NetworkStack will need to use netlink_tcpdiag_socket to get tcp
info. In order to support updatability for NetworkStack as it's
a mainline module, get the information from kernel directly to
reduce the dependency with framework.

Test: Build and test if NetworkStack can get the tcp_info without
SEPolicy exception
Bug: 136162280

Change-Id: I8f584f27d5ece5e97090fb5fafe8c70c5cbbe123
Chiachang Wang 2019-10-12 20:49:23 +09:00
parent 0c8a90693a
commit e063585bbf
2 changed files with 4 additions and 1 deletions


@ -67,3 +67,6 @@ allow network_stack debugfs_wifi_tracing:file rw_file_perms;
# dumpstate support
allow network_stack dumpstate:fd use;
allow network_stack dumpstate:fifo_file write;
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
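Review bot: the new allow rule grants `nlmsg_write` on `netlink_tcpdiag_socket`, but the commit message and the comment above the rule only justify reading tcp info, which needs `nlmsg_read` (the sock_diag/GETSOCK query messages). `nlmsg_write` covers the write-class tcpdiag message types (socket destruction), so either drop it from `{ create_socket_perms_no_ioctl nlmsg_read nlmsg_write }` or extend the comment to say why network_stack needs to write to the diag socket, so the extra privilege is documented where it is granted.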


@ -390,7 +390,7 @@ neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
neverallow appdomain
neverallow { appdomain -network_stack }
domain:{
netlink_tcpdiag_socket
netlink_nflog_socket
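Review bot: changing the subject to `{ appdomain -network_stack }` exempts network_stack from the whole privileged-netlink neverallow, including `netlink_nflog_socket` and every other class in the brace list that follows, even though the change only needs `netlink_tcpdiag_socket`. Consider splitting the tcpdiag class out into its own `neverallow { appdomain -network_stack } domain:netlink_tcpdiag_socket *;` and leaving the original `neverallow appdomain` in place for the remaining classes, so the existing guarantee is weakened for exactly one socket class. The comment `# Privileged netlink socket interfaces.` should also mention the network_stack exemption and its reason.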