Merge android11-5.4.86+ (fe9e863
) into msm-5.4
* refs/heads/tmp-fe9e863: FROMGIT: bpf: Do not change gso_size during bpf_skb_change_proto() ANDROID: selinux: modify RTM_GETNEIGH{TBL} Change-Id: I02fcc7795c4380aafb293dd8f575cccdc8e86825 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
This commit is contained in:
commit
1154cfab73
@ -1 +1 @@
|
||||
LTS_5.4.86_e399f16519fa
|
||||
LTS_5.4.86_fe9e8630bfaf
|
||||
|
@ -2861,8 +2861,6 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
|
||||
shinfo->gso_type |= SKB_GSO_TCPV6;
|
||||
}
|
||||
|
||||
/* Due to IPv6 header, MSS needs to be downgraded. */
|
||||
skb_decrease_gso_size(shinfo, len_diff);
|
||||
/* Header must be checked, and gso_segs recomputed. */
|
||||
shinfo->gso_type |= SKB_GSO_DODGY;
|
||||
shinfo->gso_segs = 0;
|
||||
@ -2902,8 +2900,6 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
|
||||
shinfo->gso_type |= SKB_GSO_TCPV4;
|
||||
}
|
||||
|
||||
/* Due to IPv4 header, MSS can be upgraded. */
|
||||
skb_increase_gso_size(shinfo, len_diff);
|
||||
/* Header must be checked, and gso_segs recomputed. */
|
||||
shinfo->gso_type |= SKB_GSO_DODGY;
|
||||
shinfo->gso_segs = 0;
|
||||
|
@ -116,7 +116,8 @@ struct security_class_mapping secclass_map[] = {
|
||||
{ COMMON_IPC_PERMS, NULL } },
|
||||
{ "netlink_route_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
|
||||
"nlmsg_read", "nlmsg_write", "nlmsg_readpriv", "nlmsg_getneigh",
|
||||
NULL } },
|
||||
{ "netlink_tcpdiag_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", NULL } },
|
||||
|
@ -106,6 +106,8 @@ struct selinux_state {
|
||||
bool initialized;
|
||||
bool policycap[__POLICYDB_CAPABILITY_MAX];
|
||||
bool android_netlink_route;
|
||||
bool android_netlink_getneigh;
|
||||
|
||||
struct selinux_avc *avc;
|
||||
struct selinux_ss *ss;
|
||||
};
|
||||
@ -185,6 +187,13 @@ static inline bool selinux_android_nlroute_getlink(void)
|
||||
return state->android_netlink_route;
|
||||
}
|
||||
|
||||
static inline bool selinux_android_nlroute_getneigh(void)
|
||||
{
|
||||
struct selinux_state *state = &selinux_state;
|
||||
|
||||
return state->android_netlink_getneigh;
|
||||
}
|
||||
|
||||
int security_mls_enabled(struct selinux_state *state);
|
||||
int security_load_policy(struct selinux_state *state,
|
||||
void *data, size_t len);
|
||||
|
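Review bot: The new `selinux_android_nlroute_getneigh()` accessor in the second hunk, and the `bool android_netlink_getneigh` field it reads in the first, are added without any comment saying what the flag means or who sets it. I would put above the function `/* True when the loaded policy carries POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH; RTM_GETNEIGH and RTM_GETNEIGHTBL then require nlmsg_getneigh rather than nlmsg_read. */` and a matching one-liner on the struct field. The value is copied from the policydb into `selinux_state` by this commit's services.c hunk, so it presumably changes on every policy (re)load; callers should read it through the accessor rather than cache it. The accessor mirrors `selinux_android_nlroute_getlink()`, whose body starts before this hunk.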
@ -207,12 +207,12 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
|
||||
return err;
|
||||
}
|
||||
|
||||
static void nlmsg_set_getlink_perm(u32 perm)
|
||||
static void nlmsg_set_perm_for_type(u32 perm, u16 type)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
|
||||
if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
|
||||
if (nlmsg_route_perms[i].nlmsg_type == type) {
|
||||
nlmsg_route_perms[i].perm = perm;
|
||||
break;
|
||||
}
|
||||
@ -222,11 +222,27 @@ static void nlmsg_set_getlink_perm(u32 perm)
|
||||
/**
|
||||
* Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
|
||||
* netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
|
||||
* Similarly, use nlmsg_getneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL if the
|
||||
* netlink_route_getneigh policy capability is set. Otherwise use nlmsg_read.
|
||||
*/
|
||||
void selinux_nlmsg_init(void)
|
||||
{
|
||||
if (selinux_android_nlroute_getlink())
|
||||
nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
|
||||
nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV,
|
||||
RTM_GETLINK);
|
||||
else
|
||||
nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
|
||||
nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
|
||||
RTM_GETLINK);
|
||||
|
||||
if (selinux_android_nlroute_getneigh()) {
|
||||
nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,
|
||||
RTM_GETNEIGH);
|
||||
nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,
|
||||
RTM_GETNEIGHTBL);
|
||||
} else {
|
||||
nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
|
||||
RTM_GETNEIGH);
|
||||
nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
|
||||
RTM_GETNEIGHTBL);
|
||||
}
|
||||
}
|
||||
|
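Review bot: The sentence added to the comment above `selinux_nlmsg_init()` calls the new flag the "netlink_route_getneigh policy capability", but in this commit the flag is a bit of the policydb config word (`POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH`, read from `buf[1]` in policydb.c), not an entry in the policy-capability bitmap that `ebitmap_read(&p->policycaps, ...)` loads separately, so the copied wording points readers to the wrong place. I would write `* Similarly, use nlmsg_getneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL if the loaded policy sets the POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH config flag. Otherwise use nlmsg_read.` and open the block with `/*` rather than `/**`, since it is not kernel-doc. The new if/else also repeats each call pair; `u32 neigh_perm = selinux_android_nlroute_getneigh() ? NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH : NETLINK_ROUTE_SOCKET__NLMSG_READ;` followed by `nlmsg_set_perm_for_type(neigh_perm, RTM_GETNEIGH);` and `nlmsg_set_perm_for_type(neigh_perm, RTM_GETNEIGHTBL);` says the same thing in three lines. Note that `nlmsg_set_perm_for_type()` in the first hunk remains a silent no-op when `type` has no entry in `nlmsg_route_perms`, and its body ends outside that hunk.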
@ -2353,6 +2353,10 @@ int policydb_read(struct policydb *p, void *fp)
|
||||
p->android_netlink_route = 1;
|
||||
}
|
||||
|
||||
if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH)) {
|
||||
p->android_netlink_getneigh = 1;
|
||||
}
|
||||
|
||||
if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
|
||||
rc = ebitmap_read(&p->policycaps, fp);
|
||||
if (rc)
|
||||
|
@ -235,6 +235,7 @@ struct genfs {
|
||||
struct policydb {
|
||||
int mls_enabled;
|
||||
int android_netlink_route;
|
||||
int android_netlink_getneigh;
|
||||
|
||||
/* symbol tables */
|
||||
struct symtab symtab[SYM_NUM];
|
||||
@ -322,6 +323,7 @@ extern int policydb_write(struct policydb *p, void *fp);
|
||||
|
||||
#define POLICYDB_CONFIG_MLS 1
|
||||
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1 << 31)
|
||||
#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1 << 30)
|
||||
|
||||
/* the config flags related to unknown classes/perms are bits 2 and 3 */
|
||||
#define REJECT_UNKNOWN 0x00000002
|
||||
|
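Review bot: `POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH` is defined as `(1 << 30)`, a shift on a signed `int`, although policydb.c tests it against the `u32` returned by `le32_to_cpu()`; `(1U << 30)` states the unsigned intent and avoids perpetuating the adjacent `(1 << 31)` form, which strictly overflows `int` under C11 even if the kernel's build flags make it work in practice. The defines also carry no comment that these Android flags are allocated from the top of the config word so they cannot collide with the low-bit flags (`POLICYDB_CONFIG_MLS`, `REJECT_UNKNOWN` and the bits the comment below describes); a short `/* ANDROID: private config bits, allocated downward from bit 31 */` above them would record that. Whether the userspace policy compiler emits the same bit value is not visible here and should be confirmed against the matching policy-toolchain change.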
@ -2127,6 +2127,7 @@ static void security_load_policycaps(struct selinux_state *state)
|
||||
}
|
||||
|
||||
state->android_netlink_route = p->android_netlink_route;
|
||||
state->android_netlink_getneigh = p->android_netlink_getneigh;
|
||||
selinux_nlmsg_init();
|
||||
}
|
||||
|
||||
|
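Review bot: `security_load_policycaps()` now copies a second flag into `selinux_state` and then calls `selinux_nlmsg_init()`, which after this commit rewrites four entries of the global `nlmsg_route_perms` table instead of one; nothing in this hunk shows those writes being ordered against readers in `selinux_nlmsg_lookup()`, so if a policy reload can overlap netlink traffic the lookups may observe a partially updated table (pre-existing for RTM_GETLINK, wider now). If the caller serializes the whole policy load this is fine, but a comment such as `/* nlmsg_route_perms is rewritten here; readers rely on policy loads being serialized */` would make that assumption checkable. The policydb field being copied is an `int` while the state field is a `bool`; the implicit conversion is fine, but keeping the two declarations the same type would avoid the question. The enclosing function starts before this hunk.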