From 3b4b99af604bc1021d54c12f03fb997fa51f86c1 Mon Sep 17 00:00:00 2001 From: Subash Abhinov Kasiviswanathan Date: Wed, 17 Aug 2016 19:55:39 -0600 Subject: netmgrd: Enable support for destroying TCP sockets through diag This enables the SOCK_DESTROY feature for TCP sockets. When changing networks, this is needed to close all blocking calls on existing sockets and return ECONNABORTED and close the socket gracefully. The other end of the connection is sent a RST to notify this event. This feature was earlier implemented using IOCTL SIOCKILLADDR and called a custom function tcp_nuke_addr internally. This functionality will be deprecated going forward in favor of SOCK_DESTROY. Add support for netmgrd to use this method of destroying sockets. Fix the following denial - [ 26.041163] type=1400 audit(1471467994.893:67): avc: denied { create } for pid=1548 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_tcpdiag_socket permissive=0 CRs-Fixed: 1056052 Change-Id: Ic2ff9b497d7a0b0dca91b72c328b3eb5cda17cce --- common/netmgrd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/common/netmgrd.te b/common/netmgrd.te index 052b464e..48e78568 100644 --- a/common/netmgrd.te +++ b/common/netmgrd.te @@ -33,6 +33,7 @@ allow netmgrd netmgrd:socket { create ioctl }; allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write }; unix_socket_connect(netmgrd, property, init) allow netmgrd self:netlink_generic_socket create_socket_perms; +allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write }; unix_socket_connect(netmgrd, cnd, cnd); -- cgit v1.2.3
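Review bot: The added rule in netmgrd.te grants more than the denial it cites and more than the commit message justifies. The audit line shows only `{ create }` on `netlink_tcpdiag_socket` (with permissive=0, so later denials would not have been logged yet), while the new line `allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };` also grants `nlmsg_read` and `nlmsg_write`. `nlmsg_write` is what SOCK_DESTROY requires, which matches the description; `nlmsg_read`, however, lets netmgrd issue SOCK_DIAG_BY_FAMILY dump requests and enumerate every TCP socket on the device (addresses, ports, owning UID) regardless of which app owns it. If the destroy path first dumps sockets to find the ones bound to the old network address, say so in the commit message and put a short comment above the allow line explaining why the read permission is needed; if the lookup is not done through diag, drop `nlmsg_read` so the domain keeps the minimum needed to destroy its own connections. Also note the line uses `self:` where the neighbouring `netlink_route_socket` rule spells out `netmgrd netmgrd:`; either form works, but the file mixes both, and this would be a good place to settle on one.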