9d55580966
Map the permission gating RTM_GETNEIGH/RTM_GETNEIGHTBL messages to a
new permission so that it can be distinguished from the other netlink
route permissions in selinux policy. The new permission is triggered by
a flag set in system images T and up.
This change is intended to be backported to all kernels that a T system
image can run on top of.
Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: On Cuttlefish, run combinations of:
- Policy bit set or omitted (see https://r.android.com/1701847)
- This patch applied or omitted
- App having nlmsg_readneigh permission or not
Verify that only the combination of this patch + the policy bit being
set + the app not having the nlmsg_readneigh permission prevents the
app from sending RTM_GETNEIGH messages.
Change-Id: I4bcfce4decb34ea9388eeedfc4be67403de8a980
Signed-off-by: Bram Bonné <brambonne@google.com>
(cherry picked from commit fac07550bdac9adea0dbe3edbdbec7a9a690a178)
|
||
|---|---|---|
| .. | ||
| audit.h | ||
| avc_ss.h | ||
| avc.h | ||
| classmap.h | ||
| conditional.h | ||
| ibpkey.h | ||
| initial_sid_to_string.h | ||
| netif.h | ||
| netlabel.h | ||
| netnode.h | ||
| netport.h | ||
| objsec.h | ||
| policycap_names.h | ||
| policycap.h | ||
| security.h | ||
| xfrm.h | ||