Merge "bpfdomain: attribute for domain which can use BPF" am: 337e6b1e1c
am: 960f03e7e6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978573 Change-Id: I16c24227e09796344bbe634829503e78464fca20
commit
03fdb25b24
10 changed files with 29 additions and 2 deletions
13
private/bpfdomain.te
Normal file
|
@ -0,0 +1,13 @@
|
|||
# platform should have ownership of network attachpoints for BPF
|
||||
neverallow {
|
||||
bpfdomain
|
||||
-bpfloader
|
||||
-netd
|
||||
-netutils_wrapper
|
||||
-network_stack
|
||||
-system_server
|
||||
} self:global_capability_class_set { net_admin net_raw };
|
||||
|
||||
# any domain which uses bpf is a bpfdomain
|
||||
neverallow { domain -bpfdomain } *:bpf *;
|
||||
|
|
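Review bot: The comment above the first `neverallow` does not say why `net_admin` and `net_raw` are the capabilities being denied, nor that every `bpfdomain` member outside the five-domain exemption list is barred from ever holding them. Presumably these capabilities are what let a process attach BPF programs to network hooks, so the rule keeps BPF access and network attachment together only in the platform networking domains. Stating that would let a maintainer judge whether a future exemption is safe. I would expand the comment to something like `# net_admin/net_raw let a BPF user attach programs to network hooks; only the platform domains listed here may combine them with BPF access.` The second rule, `neverallow { domain -bpfdomain } *:bpf *;`, could likewise note that it covers every permission in the `bpf` class.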
@ -1,5 +1,7 @@
|
|||
type bpfloader_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
typeattribute bpfloader bpfdomain;
|
||||
|
||||
# allow bpfloader to write to the kernel log (starts early)
|
||||
allow bpfloader kmsg_device:chr_file w_file_perms;
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# gpuservice - server for gpu stats and other gpu related services
|
||||
typeattribute gpuservice coredomain;
|
||||
typeattribute gpuservice bpfdomain;
|
||||
|
||||
type gpuservice_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(gpuservice)
|
||||
|
|
|
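Review bot: `typeattribute gpuservice bpfdomain;` is added with no comment saying which BPF maps or programs gpuservice uses, and the same is true of the `lmkd` and `mediaprovider_app` sections further down. Because membership in `bpfdomain` is what exempts a domain from the blanket `neverallow` on the `bpf` class, each membership is a security decision worth justifying where it is made. A one-line comment such as `# bpfdomain: <which maps/programs this domain reads or loads>` above the attribute line would do. The allow rules that actually grant `bpf` permissions are outside this hunk.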
@ -1,4 +1,5 @@
|
|||
typeattribute lmkd coredomain;
|
||||
typeattribute lmkd bpfdomain;
|
||||
|
||||
init_daemon_domain(lmkd)
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
###
|
||||
### A domain for further sandboxing the MediaProvider mainline module.
|
||||
###
|
||||
type mediaprovider_app, domain, coredomain;
|
||||
type mediaprovider_app, domain, coredomain, bpfdomain;
|
||||
|
||||
app_domain(mediaprovider_app)
|
||||
|
||||
|
|
|
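Review bot: Here `bpfdomain` is appended to the `type mediaprovider_app, domain, coredomain, bpfdomain;` declaration, whereas every other section of this commit assigns it with a separate `typeattribute <domain> bpfdomain;` line. A separate line lets one pattern find every member when auditing who has BPF access, and it leaves the type declaration untouched: `typeattribute mediaprovider_app bpfdomain;`. The rest of the file lies outside the hunk.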
@ -1,4 +1,5 @@
|
|||
typeattribute netd coredomain;
|
||||
typeattribute netd bpfdomain;
|
||||
|
||||
init_daemon_domain(netd)
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
typeattribute netutils_wrapper coredomain;
|
||||
typeattribute netutils_wrapper bpfdomain;
|
||||
|
||||
r_dir_file(netutils_wrapper, system_file);
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# Networking service app
|
||||
typeattribute network_stack coredomain, mlstrustedsubject;
|
||||
typeattribute network_stack coredomain;
|
||||
typeattribute network_stack mlstrustedsubject;
|
||||
typeattribute network_stack bpfdomain;
|
||||
|
||||
app_domain(network_stack);
|
||||
net_domain(network_stack);
|
||||
|
|
|
@ -8,6 +8,7 @@ typeattribute system_server mlstrustedsubject;
|
|||
typeattribute system_server scheduler_service_server;
|
||||
typeattribute system_server sensor_service_server;
|
||||
typeattribute system_server stats_service_server;
|
||||
typeattribute system_server bpfdomain;
|
||||
|
||||
# Define a type for tmpfs-backed ashmem regions.
|
||||
tmpfs_domain(system_server)
|
||||
|
|
|
@ -219,6 +219,10 @@ attribute bluetoothdomain;
|
|||
# All domains used for binder service domains.
|
||||
attribute binderservicedomain;
|
||||
|
||||
# All domains which have BPF access.
|
||||
attribute bpfdomain;
|
||||
expandattribute bpfdomain false;
|
||||
|
||||
# update_engine related domains that need to apply an update and run
|
||||
# postinstall. This includes the background daemon and the sideload tool from
|
||||
# recovery for A/B devices.
|
||||
|
|
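Review bot: The comment `# All domains which have BPF access.` describes the attribute but not who is allowed to carry it, and nothing in the visible hunks restricts membership. The neighbouring declarations suggest this is the shared attribute list. If non-platform policy can reference attributes declared here (not visible from this hunk), a domain outside the platform could be tagged `bpfdomain` and fall outside the `{ domain -bpfdomain }` neverallow. It would help to state the intended membership policy in the comment. The comment could also say why `expandattribute bpfdomain false;` is needed, for example `# Kept unexpanded so the compiled policy retains the attribute for membership checks.` if that is the reason.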