Revert "Update netlink_audit_socket for nlmsg xperm"
Revert submission 3316655
Reason for revert: emulator does not boot
[ 6.468328] selinux: SELinux: Could not stat /data/dalvik-cache/arm: No such file or directory.
[ 6.468892] ------------[ cut here ]------------
[ 6.469241] selinux: SELinux: Could not stat /data/dalvik-cache/arm64: No such file or directory.
[ 6.469648] kernel BUG at security/selinux/ss/services.c:961!
[ 6.470549] selinux: SELinux: Could not stat /data/dalvik-cache/riscv64: No such file or directory.
[ 6.471166] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 6.471928] selinux: SELinux: Could not stat /data/dalvik-cache/x86: No such file or directory.
[ 6.472389] CPU: 1 PID: 403 Comm: dhcpclient Tainted: G OE 6.6.56-android15-8-gb713239b1f7f-ab12714926 #1 1400000003000000474e5500b8d4777a75d64646
[ 6.473207] selinux: SELinux: Could not stat /data/dalvik-cache/x86_64: No such file or directory.
[ 6.474476] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 6.474478] RIP: 0010:services_compute_xperms_decision+0x19f/0x1b0
[ 6.474483] Code: 8b 4e 08 8b 49 18 09 48 14 48 8b 07 48 8b 4e 08 8b 49 1c 09 48 18 48 8b 07 48 8b 4e 08 8b 49 20 09 48 1c 5d c3 cc cc cc cc cc <0f> 0b 0f 0b 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 b8 00 00 00 00
[ 6.474485] RSP: 0018:ffffaa1601553bf8 EFLAGS: 00010202
[ 6.474486] RAX: ffff8b5401052578 RBX: ffffaa1601553ca8 RCX: 0000000000000003
[ 6.475300] init: Service 'ranchu-net' (pid 392) exited with status 0 oneshot service took 0.050000 seconds in background
[ 6.476348] RDX: 00000000000008a4 RSI: ffff8b540104fba0 RDI: ffffaa1601553ca8
[ 6.476912] init: Sending signal 9 to service 'ranchu-net' (pid 392) process group...
[ 6.478581] RBP: ffffaa1601553bf8 R08: 00000000000008a4 R09: 000000000000001f
[ 6.478582] R10: 00000000c7f20000 R11: ffff8b540c82a000 R12: ffff8b5402eae680
[ 6.478583] R13: ffff8b5402eae680 R14: 00000000000008a3 R15: ffff8b540104fba0
[ 6.478585] FS: 00007acc4a076fd8(0000) GS:ffff8b547da80000(0000) knlGS:0000000000000000
[ 6.478587] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.478588] CR2: 000063c8ffb69960 CR3: 000000000c9ea000 CR4: 00000000000006a0
[ 6.478590] Call Trace:
[ 6.479124] libprocessgroup: Removed cgroup /sys/fs/cgroup/uid_0/pid_392
[ 6.479709] <TASK>
[ 6.480943] init: processing action (post-fs-data) from (/system/etc/init/perfetto.rc:76)
[ 6.481403] ? __die_body+0x67/0xb0
[ 6.482141] init: Command 'rm /data/misc/perfetto-traces/.guardraildata' action=post-fs-data (/system/etc/init/perfetto.rc:77) took 0ms and failed: unlink() failed: No such file or directory
[ 6.482764] ? die+0xa9/0xd0
[ 6.483423] init: processing action (post-fs-data) from (/system/etc/init/profcollectd.rc:9)
[ 6.484069] ? do_trap+0x88/0x160
[ 6.485330] init: processing action (post-fs-data) from (/system/etc/init/recovery-persist.rc:1)
[ 6.485397] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.486136] init: starting service 'exec 13 (/system/bin/recovery-persist)'...
[ 6.486273] ? handle_invalid_op+0x69/0x90
[ 6.487943] init: ... started service 'exec 13 (/system/bin/recovery-persist)' has pid 405
[ 6.488173] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.489818] init: processing action (post-fs-data) from (/system/etc/init/wifi.rc:18)
[ 6.490068] ? exc_invalid_op+0x36/0x60
[ 6.490071] ? asm_exc_invalid_op+0x1f/0x30
[ 6.490073] ? services_compute_xperms_decision+0x19f/0x1b0
[ 6.490075] security_compute_xperms_decision+0x2b7/0x460
[ 6.490077] avc_has_extended_perms+0x2f6/0x610
[ 6.490080] ioctl_has_perm+0x12a/0x180
[ 6.491055] selinux: SELinux: Skipping restorecon on directory(/data/misc/apexdata/com.android.wifi)
[ 6.491154] selinux_file_ioctl+0x1af/0x210
[ 6.491957] init: processing action (post-fs-data) from (/system_ext/etc/init/init.system_ext.radio.rc:1)
[ 6.492462] ? alloc_file_pseudo+0xa6/0x110
[ 6.500532] security_file_ioctl+0x4a/0x60
[ 6.500917] __se_sys_ioctl+0x39/0xe0
[ 6.501263] __x64_sys_ioctl+0x1c/0x40
[ 6.501612] x64_sys_call+0x15b1/0x2e10
[ 6.501995] do_syscall_64+0x4a/0xa0
[ 6.502335] ? exc_page_fault+0x65/0xc0
[ 6.502680] entry_SYSCALL_64_after_hwframe+0x78/0xe2
[ 6.503128] RIP: 0033:0x7acc47fad527
[ 6.503462] Code: 00 00 00 b8 1b 00 00 00 0f 05 48 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 e8 f7 ff ff c3 0f 1f 80 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 c8 f7 ff ff c3 0f 1f 80 00
[ 6.505170] RSP: 002b:00007fff9386e268 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 6.505869] RAX: ffffffffffffffda RBX: 00007fff9386e420 RCX: 00007acc47fad527
[ 6.506521] RDX: 00007fff9386e390 RSI: 0000000000008933 RDI: 0000000000000003
[ 6.507157] RBP: 00007fff9386e340 R08: 000000000000000a R09: 000000000000000b
[ 6.507798] R10: 00000000fffff800 R11: 0000000000000206 R12: 0000000000000003
[ 6.508460] R13: 00007fff9386e390 R14: 00007fff9386f898 R15: 00007fff9386f899
[ 6.509121] </TASK>
[ 6.509331] Modules linked in: virtio_snd(E) virtio_pmem(E) virtio_net(E) virtio_input(E) virtio_media(OE) virtio_gpu(E) virt_wifi(E) vhci_hcd(E) v4l2loopback(OE) usbip_core(E) test_meminit(E) system_heap(E) snd_aloop(E) rtc_test(E) pulse8_cec(E) net_failover(E) nd_virtio(E) mt76x2u(E) mt76x2_common(E) mt76x0u(E) mt76x02_usb(E) mt76x0_common(E) mt76x02_lib(E) mt76_usb(E) mt76(E) mac80211_hwsim(E) mac80211(E) libarc4 hci_vhci(E) gs_usb(E) can_dev goldfish_sync(OE) goldfish_pipe(OE) goldfish_battery(E) goldfish_address_space(OE) failover(E) dummy_hcd(E) dummy_cpufreq(E) cfg80211(E) btusb(E) btbcm btrtl(E) btintel(E) bluetooth zram rfkill zsmalloc vmw_vsock_virtio_transport(E) virtio_pci(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_blk(E) virtio_rng(E) virtio_pci_legacy_dev(E) virtio_dma_buf(E)
[ 6.515674] ---[ end trace 0000000000000000 ]---
[ 6.515799] init: Service 'exec 13 (/system/bin/recovery-persist)' (pid 405) exited with status 0 oneshot service took 0.028000 seconds in background
[ 6.517623] init: Sending signal 9 to service 'exec 13 (/system/bin/recovery-persist)' (pid 405) process group...
[ 6.518721] li
Reverted changes: /q/submissionid:3316655
Change-Id: I9b3ad2ae4eb587fd903a3d285c09ec4cd4036246
diff --git a/private/access_vectors b/private/access_vectors
index 6bfe5d9..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -428,7 +428,6 @@
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
- nlmsg
}
class netlink_dnrt_socket
diff --git a/private/auditctl.te b/private/auditctl.te
index b6d191a..f634d3d 100644
--- a/private/auditctl.te
+++ b/private/auditctl.te
@@ -15,10 +15,4 @@
init_daemon_domain(auditctl)
allow auditctl self:global_capability_class_set audit_control;
-allow auditctl self:netlink_audit_socket create_socket_perms_no_ioctl;
-
-# For kernel < 6.13
-allow auditctl self:netlink_audit_socket nlmsg_write;
-# For kernel >= 6.13
-allow auditctl self:netlink_audit_socket nlmsg;
-allowxperm auditctl self:netlink_audit_socket nlmsg AUDIT_SET;
+allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/private/init.te b/private/init.te
index cdcf0b9..15f79e3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -706,14 +706,7 @@
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket create_socket_perms_no_ioctl;
-
-# For kernel < 6.13
-allow init self:netlink_audit_socket nlmsg_relay;
-# For kernel >= 6.13
-allow init self:netlink_audit_socket nlmsg;
-allowxperm init self:netlink_audit_socket nlmsg AUDIT_USER_AVC;
-
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface
diff --git a/private/logd.te b/private/logd.te
index 8f97e10..b6e8b27 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -58,14 +58,7 @@
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket create_socket_perms_no_ioctl;
-
-# For kernel < 6.13
-allow logd self:netlink_audit_socket nlmsg_write;
-# For kernel >= 6.13
-allow logd self:netlink_audit_socket nlmsg;
-allowxperm logd self:netlink_audit_socket nlmsg { AUDIT_SET AUDIT_USER_AVC };
-
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file { getattr w_file_perms };
allow logd system_data_file:{ file lnk_file } r_file_perms;
