From aba7015f875f43aa46174ed9ac092a253710bcb4 Mon Sep 17 00:00:00 2001
From: Chenyang Zhong
Date: Wed, 28 Jul 2021 08:38:29 -0400
Subject: [PATCH] Revert "ANDROID: selinux: modify RTM_GETNEIGH{TBL}"
Some of the changes in this commit are no longer suitable as we have selinux backports from upstream kernel. Revert it first so relevant fixes can be ported later.
This reverts commit 90da9cd13d9b666842f2beb40c1ec60d2ef7ec9d.
---
 security/selinux/include/classmap.h | 3 +--
 security/selinux/include/security.h | 1 -
 security/selinux/nlmsgtab.c | 24 ++++--------------------
 security/selinux/ss/policydb.c | 4 ----
 security/selinux/ss/policydb.h | 2 --
 security/selinux/ss/services.c | 2 --
 6 files changed, 5 insertions(+), 31 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index e117d108134e..0debbdc155a4 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -105,8 +105,7 @@ struct security_class_mapping secclass_map[] = { { COMMON_IPC_PERMS, NULL } }, { "netlink_route_socket", { COMMON_SOCK_PERMS,
- "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", "nlmsg_getneigh",
- NULL } },
+ "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
 { "netlink_tcpdiag_socket", { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index e5bd50cf517f..576d5a8c9238 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -75,7 +75,6 @@ enum { #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) extern int selinux_android_netlink_route;
-extern int selinux_android_netlink_getneigh;
 extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; extern int selinux_policycap_alwaysnetwork;
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index cce66276250c..697785cec7f6 100644
--- a/security/selinux/nlmsgtab.c 
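Review bot: Removing `nlmsg_getneigh` from the netlink_route_socket permission list (and, in the nlmsgtab.c hunk, the overrides for RTM_GETNEIGH/RTM_GETNEIGHTBL) means those two message types fall back to whatever nlmsg_route_perms assigns them by default, presumably nlmsg_read, so a loaded policy that granted a domain only nlmsg_getneigh for neighbour-table reads would start being denied on nlmsg_read; the commit message should state the interim enforcement and the policy-compatibility expectation. The policydb.h hunk likewise drops POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH, and nothing in the visible policydb_read hunk rejects an unrecognised bit in buf[1], so a policy still compiled with that bit set appears to load with the gating silently gone; worth confirming that is intended until the upstream handling is ported.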
+++ b/security/selinux/nlmsgtab.c
@@ -194,12 +194,12 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) return err; }
-static void nlmsg_set_perm_for_type(u32 perm, u16 type)
+static void nlmsg_set_getlink_perm(u32 perm)
 { int i; for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
- if (nlmsg_route_perms[i].nlmsg_type == type) {
+ if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
 nlmsg_route_perms[i].perm = perm; break; }
@@ -209,27 +209,11 @@ static void nlmsg_set_perm_for_type(u32 perm, u16 type) /** * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the * netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
- * Similarly, use nlmsg_getneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL if the
- * netlink_route_getneigh policy capability is set. Otherwise use nlmsg_read.
 */ void selinux_nlmsg_init(void) { if (selinux_android_netlink_route)
- nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV,
- RTM_GETLINK);
+ nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
 else
- nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
- RTM_GETLINK);
-
- if (selinux_android_netlink_getneigh) {
- nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,
- RTM_GETNEIGH);
- nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH,
- RTM_GETNEIGHTBL);
- } else {
- nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
- RTM_GETNEIGH);
- nlmsg_set_perm_for_type(NETLINK_ROUTE_SOCKET__NLMSG_READ,
- RTM_GETNEIGHTBL);
- }
+ nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
 }
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index bddc8d363cb8..62518b031e5e 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c 
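Review bot: `nlmsg_set_getlink_perm` is reinstated without a comment, and its loop returns silently when no nlmsg_route_perms entry has nlmsg_type == RTM_GETLINK, which the caller in selinux_nlmsg_init cannot detect; a short header would make that contract explicit, e.g. `/* Override the permission recorded for RTM_GETLINK in nlmsg_route_perms; a silent no-op if the table has no such entry. */`. The function body continues past the end of this hunk.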
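Review bot: The kernel-doc kept on selinux_nlmsg_init says the choice hinges on the `netlink_route_getlink policy capability`, but the condition right below it tests `selinux_android_netlink_route`, which the services.c hunk shows is copied from policydb.android_netlink_route, evidently a flag taken from the policydb config word (compare the sibling POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE define in the policydb.h hunk) rather than the policycaps bitmap; the comment should name what is really consulted, e.g. ` * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the` / ` * policy's android_netlink_route config flag is set, otherwise nlmsg_read.`. Since RTM_GETNEIGH and RTM_GETNEIGHTBL are no longer set here, one more line noting that they keep their nlmsg_route_perms default until the upstream handling is ported would save the next reader a search.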
@@ -2336,10 +2336,6 @@ int policydb_read(struct policydb *p, void *fp) p->android_netlink_route = 1; }
- if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH)) {
- p->android_netlink_getneigh = 1;
- }
-
 if (p->policyvers >= POLICYDB_VERSION_POLCAP) { rc = ebitmap_read(&p->policycaps, fp); if (rc)
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 45698f754766..0d511cf3c1e9 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -228,7 +228,6 @@ struct genfs { struct policydb { int mls_enabled; int android_netlink_route;
- int android_netlink_getneigh;
 /* symbol tables */ struct symtab symtab[SYM_NUM];
@@ -316,7 +315,6 @@ extern int policydb_write(struct policydb *p, void *fp); #define POLICYDB_CONFIG_MLS 1 #define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1 << 31)
-#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1 << 30)
 /* the config flags related to unknown classes/perms are bits 2 and 3 */ #define REJECT_UNKNOWN 0x00000002
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4635b8661168..a5de9c49d48a 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -71,7 +71,6 @@ #include "audit.h" int selinux_android_netlink_route;
-int selinux_android_netlink_getneigh;
 int selinux_policycap_netpeer; int selinux_policycap_openperm; int selinux_policycap_alwaysnetwork;
@@ -1995,7 +1994,6 @@ static void security_load_policycaps(void) POLICYDB_CAPABILITY_ALWAYSNETWORK); selinux_android_netlink_route = policydb.android_netlink_route;
- selinux_android_netlink_getneigh = policydb.android_netlink_getneigh;
 selinux_nlmsg_init(); }