libsepol: trigger new RTM_GETNEIGH{TBL} behavior

Use one of the policy config bits to tell the kernel to start using
the nlmsg_readneigh on RTM_GETNEIGH and RTM_GETNEIGHTBL messages instead
of the previous behavior of using nlmsg_read.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: On Cuttlefish, run combinations of:
    - Policy bit set or omitted
    - App having nlmsg_readneigh permission or not
  Verify that only the combination of the policy bit being set + the app
  not having the nlmsg_readneigh permission prevents the app from
  sending RTM_GETNEIGH messages.
Change-Id: I8598662b795feaeaeb8b0a7e676b684022861c37
Bram Bonné 2021-05-11 12:33:24 +02:00
parent 130aa3e3a5
commit d3f2ab97e2
2 changed files with 3 additions and 1 deletion


@ -791,7 +791,8 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE 1 << 31;
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1 << 31)
#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1 << 30)
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1
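Review bot: `(1 << 31)` in the rewritten POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE line is still a shift of a signed `int` into its sign bit, which is undefined behaviour in C; since this hunk already touches that line (dropping the stray `;` and adding the parentheses), make both Android bits unsigned, e.g. `#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1U << 31)` and `#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1U << 30)`. The new macro also lands without any comment: a one-line note that bit 30 tells the kernel to check nlmsg_readneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL (the behaviour the commit message describes) would save the next reader a trip to the kernel source, and since these are Android-only bits placed next to the generic POLICYDB_CONFIG_UNKNOWN_MASK, a comment reserving the top bits for Android would make a future clash with an upstream config bit easier to spot.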


@ -2138,6 +2138,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
config |= POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE;
config |= POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH;
/* Write the magic number and string identifiers. */
items = 0;
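Review bot: the new bit is ORed into `config` unconditionally, so every policy produced by policydb_write now carries POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH, yet the commit message's test matrix contrasts "Policy bit set or omitted" and nothing in this hunk lets a caller omit it (the adjacent ROUTE bit has the same shape). If always emitting it is the intent, the commit message should say so and explain how the "omitted" case was produced; if it should depend on the target platform or a build-time option, gate it here (policydb_set_target_platform is visible in the first hunk's context, so the policy already knows its target). Worth checking in the same pass that `config` is wide enough for bit 31 once it is written out below, and that kernels predating this bit ignore an unknown config bit rather than rejecting the policy load.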