introduce new 'proc_bpf' for bpf related sysctls am: 3702f3385e
am: 127f77ff8c
am: aed3c394e8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1888379 Change-Id: I01caa9c3917e716caee32ce9ccb17e6175e96590
commit
0b4cec93d8
5 changed files with 14 additions and 1 deletions
|
@ -41,3 +41,7 @@ neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
|
|||
|
||||
# No domain should be allowed to ptrace bpfloader
|
||||
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
|
||||
|
||||
# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
|
||||
# this should perhaps be moved to the bpfloader binary itself. Allow both.
|
||||
neverallow { domain -bpfloader -init } proc_bpf:file write;
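Review bot: The new neverallow on proc_bpf covers only `write`, so a later rule that grants `append` on proc_bpf to some other domain would still pass this build-time check. SELinux checks `append` rather than `write` when the file was opened with O_APPEND. If the intent is that only bpfloader and init may modify these sysctls, `neverallow { domain -bpfloader -init } proc_bpf:file { append write };` states it more completely. The comment above the rule could also say that the `-init` exemption is meant to go away once the setup moves into the bpfloader binary, so the exemption gets revisited.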
|
||||
|
|
|
@ -1964,6 +1964,7 @@
|
|||
(typeattributeset privapp_data_file_31_0 (privapp_data_file))
|
||||
(typeattributeset proc_31_0
|
||||
( proc
|
||||
proc_bpf
|
||||
proc_cpu_alignment
|
||||
))
|
||||
(typeattributeset proc_abi_31_0 (proc_abi))
|
||||
|
@ -1996,7 +1997,10 @@
|
|||
(typeattributeset proc_misc_31_0 (proc_misc))
|
||||
(typeattributeset proc_modules_31_0 (proc_modules))
|
||||
(typeattributeset proc_mounts_31_0 (proc_mounts))
|
||||
(typeattributeset proc_net_31_0 (proc_net))
|
||||
(typeattributeset proc_net_31_0
|
||||
( proc_bpf
|
||||
proc_net
|
||||
))
|
||||
(typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
|
||||
(typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
|
||||
(typeattributeset proc_page_cluster_31_0 (proc_page_cluster))
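Review bot: Adding proc_bpf to both `proc_31_0` and `proc_net_31_0` widens what 31.0 vendor policy can reach, because a vendor rule written against `proc_net_31_0` now applies to every proc_bpf file. Judging by the two mappings, that includes /proc/sys/kernel entries that were previously labelled `proc`, and the same holds in the other direction for `proc_31_0`. This follows from using one new type for sysctls that came from two old labels, and only the write side is backstopped by the proc_bpf neverallow elsewhere in this commit. A short comment next to one of the two sets would record that the overlap is deliberate, e.g. `; proc_bpf covers sysctls formerly labelled proc and proc_net, hence both sets`.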
|
||||
|
|
|
@ -44,6 +44,7 @@ genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
|
|||
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
|
||||
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
|
||||
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
|
||||
|
@ -74,8 +75,10 @@ genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
|
|||
genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
||||
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
|
||||
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
||||
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
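Review bot: The three new entries `/sys/kernel/bpf_`, `/sys/kernel/unprivileged_bpf_` and `/sys/net/core/bpf_` are path prefixes rather than file names, and nothing in the file says so. Every current and future sysctl whose name starts with one of those strings will be labelled proc_bpf. The `/sys/net/core/bpf_` entry also takes those files out from under the `/sys/net` proc_net entry just above it, so any platform domain that reads them through proc_net would now need proc_bpf access; the hunks do not show whether such a domain exists. A comment above the entries would make the intent explicit, for example `# Prefix match: all bpf_* and unprivileged_bpf_* sysctls (net/core/bpf_* were proc_net before)`.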
|
||||
|
|
|
@ -23,6 +23,7 @@ type proc_bluetooth_writable, fs_type, proc_type;
|
|||
type proc_abi, fs_type, proc_type;
|
||||
type proc_asound, fs_type, proc_type;
|
||||
type proc_bootconfig, fs_type, proc_type;
|
||||
type proc_bpf, fs_type, proc_type;
|
||||
type proc_buddyinfo, fs_type, proc_type;
|
||||
type proc_cmdline, fs_type, proc_type;
|
||||
type proc_cpu_alignment, fs_type, proc_type;
|
||||
|
|
|
@ -371,6 +371,7 @@ allow init {
|
|||
|
||||
allow init {
|
||||
proc_abi
|
||||
proc_bpf
|
||||
proc_cpu_alignment
|
||||
proc_dirty
|
||||
proc_hostname
|
||||
|
|