[REVERT 1/2] "ANDROID: selinux: modify RTM_GETLINK permission"

This commit causing a page handling failure if the kernel
compiled with LLD, and as the commit message says, this is
just a temporary Android-only patch that will deprecated in
newer kernel, new fix will be backported after it arrives
on upstream (or if Google backported that before I do)

This reverts commit 2c434f6.

Bug: SELinux Breaks in LLD

Signed-off-by: Rapherion Rollerscaperers <rapherion@raphielgang.org>

security/selinux/include/classmap.h

@@ -105,7 +105,7 @@ struct security_class_mapping secclass_map[] = {
 	  { COMMON_IPC_PERMS, NULL } },
 	{ "netlink_route_socket",
 	  { COMMON_SOCK_PERMS,
-	    "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
+	    "nlmsg_read", "nlmsg_write", NULL } },
 	{ "netlink_tcpdiag_socket",
 	  { COMMON_SOCK_PERMS,
 	    "nlmsg_read", "nlmsg_write", NULL } },

security/selinux/include/security.h

@@ -74,7 +74,6 @@ enum {
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
 
-extern int selinux_android_netlink_route;
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;
@@ -263,7 +262,6 @@ extern struct vfsmount *selinuxfs_mount;
 extern void selnl_notify_setenforce(int val);
 extern void selnl_notify_policyload(u32 seqno);
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
-extern void selinux_nlmsg_init(void);
 
 #endif /* _SELINUX_SECURITY_H_ */
 

security/selinux/nlmsgtab.c

@@ -193,27 +193,3 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
 
 	return err;
 }
-
-static void nlmsg_set_getlink_perm(u32 perm)
-{
-	int i;
-
-	for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
-		if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
-			nlmsg_route_perms[i].perm = perm;
-			break;
-		}
-	}
-}
-
-/**
- * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
- * netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
- */
-void selinux_nlmsg_init(void)
-{
-	if (selinux_android_netlink_route)
-		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
-	else
-		nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
-}

security/selinux/ss/policydb.c

@@ -2332,10 +2332,6 @@ int policydb_read(struct policydb *p, void *fp)
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
 
-	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE)) {
-		p->android_netlink_route = 1;
-	}
-
 	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
 		rc = ebitmap_read(&p->policycaps, fp);
 		if (rc)

security/selinux/ss/policydb.h

@@ -227,7 +227,6 @@ struct genfs {
 /* The policy database */
 struct policydb {
 	int mls_enabled;
-	int android_netlink_route;
 
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
@@ -314,7 +313,6 @@ extern int policydb_write(struct policydb *p, void *fp);
 #define PERM_SYMTAB_SIZE 32
 
 #define POLICYDB_CONFIG_MLS    1
-#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE    (1 << 31)
 
 /* the config flags related to unknown classes/perms are bits 2 and 3 */
 #define REJECT_UNKNOWN	0x00000002

security/selinux/ss/services.c

@@ -70,7 +70,6 @@
 #include "ebitmap.h"
 #include "audit.h"
 
-int selinux_android_netlink_route;
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
@@ -1991,9 +1990,6 @@ static void security_load_policycaps(void)
 						  POLICYDB_CAPABILITY_OPENPERM);
 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
-
-	selinux_android_netlink_route = policydb.android_netlink_route;
-	selinux_nlmsg_init();
 }
 
 static int security_preserve_bools(struct policydb *p);