Revert "ANDROID: selinux: modify RTM_GETNEIGH{TBL}"

Some of the changes in this commit are no longer suitable as we have selinux backports from upstream kernel. Revert it first so relevant fixes can be ported later. This reverts commit 90da9cd.
Sorayukii · Oct 15, 2024 · aba7015 · aba7015
1 parent 4eb5bf2
commit aba7015
Show file tree

Hide file tree

Showing 6 changed files with 5 additions and 31 deletions.
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
@@ -105,8 +105,7 @@ struct security_class_mapping secclass_map[] = {
 	  { COMMON_IPC_PERMS, NULL } },
 	{ "netlink_route_socket",
 	  { COMMON_SOCK_PERMS,
-	    "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", "nlmsg_getneigh",
-	    NULL } },
+	    "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
 	{ "netlink_tcpdiag_socket",
 	  { COMMON_SOCK_PERMS,
 	    "nlmsg_read", "nlmsg_write", NULL } },

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
@@ -75,7 +75,6 @@ enum {
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
 
 extern int selinux_android_netlink_route;
-extern int selinux_android_netlink_getneigh;
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;

diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
@@ -194,12 +194,12 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
 	return err;
 }
 
-static void nlmsg_set_perm_for_type(u32 perm, u16 type)
+static void nlmsg_set_getlink_perm(u32 perm)
 {
 	int i;
 
 	for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
-		if (nlmsg_route_perms[i].nlmsg_type == type) {
+		if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
 			nlmsg_route_perms[i].perm = perm;
 			break;
 		}
@@ -209,27 +209,11 @@ static void nlmsg_set_perm_for_type(u32 perm, u16 type)
 /**
  * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
  * netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
- * Similarly, use nlmsg_getneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL if the
- * netlink_route_getneigh policy capability is set. Otherwise use nlmsg_read.
  */
 void selinux_nlmsg_init(void)
 {
 	if (selinux_android_netlink_route)
-		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV,
-					RTM_GETLINK);
+		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
 	else
-		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
-					RTM_GETLINK);
-
-	if (selinux_android_netlink_getneigh) {
-		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,
-					RTM_GETNEIGH);
-		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,
-					RTM_GETNEIGHTBL);
-	} else {
-		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
-					RTM_GETNEIGH);
-		nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
-					RTM_GETNEIGHTBL);
-	}
+		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
 }
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
@@ -2336,10 +2336,6 @@ int policydb_read(struct policydb *p, void *fp)
 		p->android_netlink_route = 1;
 	}
 
-	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH)) {
-		p->android_netlink_getneigh = 1;
-	}
-
 	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
 		rc = ebitmap_read(&p->policycaps, fp);
 		if (rc)

diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
@@ -228,7 +228,6 @@ struct genfs {
 struct policydb {
 	int mls_enabled;
 	int android_netlink_route;
-	int android_netlink_getneigh;
 
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
@@ -316,7 +315,6 @@ extern int policydb_write(struct policydb *p, void *fp);
 
 #define POLICYDB_CONFIG_MLS    1
 #define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE    (1 << 31)
-#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1 << 30)
 
 /* the config flags related to unknown classes/perms are bits 2 and 3 */
 #define REJECT_UNKNOWN	0x00000002

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
@@ -71,7 +71,6 @@
 #include "audit.h"
 
 int selinux_android_netlink_route;
-int selinux_android_netlink_getneigh;
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
@@ -1995,7 +1994,6 @@ static void security_load_policycaps(void)
 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
 
 	selinux_android_netlink_route = policydb.android_netlink_route;
-	selinux_android_netlink_getneigh = policydb.android_netlink_getneigh;
 	selinux_nlmsg_init();
 }