Allow dumpstate to access netlink_generic_socket

avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 Bug: 68040531 Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c

Allow dumpstate to access netlink_generic_socket
avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 Bug: 68040531 Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c
98e99fb4 · Jin Qian · Nick Kralevich · 61dc5fb2 · 98e99fb4
Commit 98e99fb4 authored 7 years ago by Jin Qian Committed by Nick Kralevich 7 years ago
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -263,6 +263,8 @@ allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_re

 # Allow dumpstate to run iotop
 allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

 ###
 ### neverallow rules