platform_system_sepolicy/private/bpfloader.te

79 lines
4 KiB
Text
Raw Normal View History

type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
much more finegrained bpf selinux privs for networking mainline Goal is to gain a better handle on who has access to which maps and to allow (with bpfloader changes to create in one directory and move into the target directory) per-map selection of selinux context, while still having reasonable defaults for stuff pinned directly into the target location. BPFFS (ie. /sys/fs/bpf) labelling is as follows: subdirectory selinux context mainline usecase / usable by / fs_bpf no (*) core operating system (ie. platform) /net_private fs_bpf_net_private yes, T+ network_stack /net_shared fs_bpf_net_shared yes, T+ network_stack & system_server /netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd /netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**] /tethering fs_bpf_tethering yes, S+ network_stack /vendor fs_bpf_vendor no, T+ vendor * initial support for bpf was added back in P, but things worked differently back then with no bpfloader, and instead netd doing stuff by hand, bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q (and was definitely there in R) ** additionally bpf programs are accesible to netutils_wrapper for use by iptables xt_bpf extensions 'mainline yes' currently means shipped by the com.android.tethering apex, but this is really another case of bad naming, as it's really the 'networking/connectivity/tethering' apex / mainline module. Long term the plan is to merge a few other networking mainline modules into it (and maybe give it a saner name...). The reason for splitting net_private vs tethering is that: S+ must support 4.9+ kernels and S era bpfloader v0.2+ T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+ The kernel affects the intelligence of the in-kernel bpf verifier and the available bpf helper functions. Older kernels have a tendency to reject programs that newer kernels allow. / && /vendor are not shipped via mainline, so only need to work with the bpfloader that's part of the core os. Bug: 218408035 Test: TreeHugger, manually on cuttlefish Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4 (cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
much more finegrained bpf selinux privs for networking mainline Goal is to gain a better handle on who has access to which maps and to allow (with bpfloader changes to create in one directory and move into the target directory) per-map selection of selinux context, while still having reasonable defaults for stuff pinned directly into the target location. BPFFS (ie. /sys/fs/bpf) labelling is as follows: subdirectory selinux context mainline usecase / usable by / fs_bpf no (*) core operating system (ie. platform) /net_private fs_bpf_net_private yes, T+ network_stack /net_shared fs_bpf_net_shared yes, T+ network_stack & system_server /netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd /netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**] /tethering fs_bpf_tethering yes, S+ network_stack /vendor fs_bpf_vendor no, T+ vendor * initial support for bpf was added back in P, but things worked differently back then with no bpfloader, and instead netd doing stuff by hand, bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q (and was definitely there in R) ** additionally bpf programs are accesible to netutils_wrapper for use by iptables xt_bpf extensions 'mainline yes' currently means shipped by the com.android.tethering apex, but this is really another case of bad naming, as it's really the 'networking/connectivity/tethering' apex / mainline module. Long term the plan is to merge a few other networking mainline modules into it (and maybe give it a saner name...). The reason for splitting net_private vs tethering is that: S+ must support 4.9+ kernels and S era bpfloader v0.2+ T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+ The kernel affects the intelligence of the in-kernel bpf verifier and the available bpf helper functions. Older kernels have a tendency to reject programs that newer kernels allow. / && /vendor are not shipped via mainline, so only need to work with the bpfloader that's part of the core os. Bug: 218408035 Test: TreeHugger, manually on cuttlefish Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4 (cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin net_admin };
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
allow bpfloader proc_bpf:file w_file_perms;
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
###
### Neverallow rules
###
# Note: we don't care about getattr/mounton/search
neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
much more finegrained bpf selinux privs for networking mainline Goal is to gain a better handle on who has access to which maps and to allow (with bpfloader changes to create in one directory and move into the target directory) per-map selection of selinux context, while still having reasonable defaults for stuff pinned directly into the target location. BPFFS (ie. /sys/fs/bpf) labelling is as follows: subdirectory selinux context mainline usecase / usable by / fs_bpf no (*) core operating system (ie. platform) /net_private fs_bpf_net_private yes, T+ network_stack /net_shared fs_bpf_net_shared yes, T+ network_stack & system_server /netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd /netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**] /tethering fs_bpf_tethering yes, S+ network_stack /vendor fs_bpf_vendor no, T+ vendor * initial support for bpf was added back in P, but things worked differently back then with no bpfloader, and instead netd doing stuff by hand, bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q (and was definitely there in R) ** additionally bpf programs are accesible to netutils_wrapper for use by iptables xt_bpf extensions 'mainline yes' currently means shipped by the com.android.tethering apex, but this is really another case of bad naming, as it's really the 'networking/connectivity/tethering' apex / mainline module. Long term the plan is to merge a few other networking mainline modules into it (and maybe give it a saner name...). The reason for splitting net_private vs tethering is that: S+ must support 4.9+ kernels and S era bpfloader v0.2+ T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+ The kernel affects the intelligence of the in-kernel bpf verifier and the available bpf helper functions. Older kernels have a tendency to reject programs that newer kernels allow. / && /vendor are not shipped via mainline, so only need to work with the bpfloader that's part of the core os. Bug: 218408035 Test: TreeHugger, manually on cuttlefish Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4 (cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
neverallow {
domain
-bpfloader
-gpuservice
-hal_health_server
-mediaprovider_app
-netd
-netutils_wrapper
-network_stack
-system_server
-uprobestats
} *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
introduce new 'proc_bpf' for bpf related sysctls What to tag chosen based on output of: find /proc 2>/dev/null | egrep bpf on a 5.10 kernel. Tagged with prefixes to be more likely not require changes in the future $ adb root $ adb shell 'ls -lZ /proc/sys/net/core/bpf_* /proc/sys/kernel/*bpf*' Before: -rw-r--r-- 1 root root u:object_r:proc:s0 0 2021-11-11 02:11 /proc/sys/kernel/bpf_stats_enabled -rw-r--r-- 1 root root u:object_r:proc:s0 0 2021-11-11 02:11 /proc/sys/kernel/unprivileged_bpf_disabled -rw-r--r-- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_enable -rw------- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_harden -rw------- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_kallsyms -rw------- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_limit After: -rw-r--r-- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/kernel/bpf_stats_enabled -rw-r--r-- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/kernel/unprivileged_bpf_disabled -rw-r--r-- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_enable -rw------- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_harden -rw------- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_kallsyms -rw------- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_limit Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I46ea81ff42d3b915cf7a96735dc2636d9808ead6
2021-11-11 10:51:15 +01:00
neverallow { domain -bpfloader } proc_bpf:file write;