Merge "allow non bpfloader creation of bpf maps" into main am: 6e95ee78e3

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2751710

Change-Id: I7166f37d3638241147982db316e44c271506ab6f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Maciej Żenczykowski 2024-05-15 07:54:23 +00:00 committed by Automerger Merge Worker
commit 0c4f5d4745
4 changed files with 16 additions and 8 deletions


@ -47,8 +47,8 @@ neverallow { domain -bpfloader -gpuservice -lmkd -netd -netut
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfdomain } *:bpf { map_create map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
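Review bot: The new neverallow on L20 widens map_create from bpfloader alone to every member of bpfdomain, but nothing in the hunk records that this is intentional or what now bounds map creation, while the only comment nearby (L21) is about fs_bpf_loader. A comment above L20 along the lines of `# map_create is no longer bpfloader-only: any bpfdomain member may create maps; per-domain allow rules limit each to self:bpf map_create` would make the invariant reviewable without reading the netd/network_stack/system_server files. The hunk header declares 8 old and 8 new lines but only 6 of each are visible here, so one or two context lines of this hunk may be missing from the rendering.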


@ -10,12 +10,14 @@ allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
allow netd bpfloader:bpf prog_run;
allow netd self:bpf map_create;
allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
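Review bot: The target set `{ bpfloader netd network_stack system_server }` on L36 is repeated verbatim in the network_stack (L59) and system_server (L72) sections, so the three lists can silently drift the next time a map-owning domain is added. Since the set also has to stay consistent with the neverallow on L20, it would be clearer to name it once, either as an attribute assigned to the map-creating domains (name to be chosen) or as a macro, and reference that name in the three allow rules. The comment on L32-L33 correctly describes the new behaviour and is a good model for the other two sections.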


@ -45,6 +45,7 @@ allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
@ -63,7 +64,10 @@ allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
allow network_stack bpfloader:bpf prog_run;
allow network_stack self:bpf map_create;
allow network_stack { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
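Review bot: The comment on L53 still says Tethering only needs to "run/update/read" the eBPF maps, but L58 now lets network_stack create maps of its own and L59 lets it read and write maps owned by netd and system_server, which the comment does not mention. Mirroring the wording used for netd, `# allow Tethering(network_stack process) to create maps, and run/update/read the eBPF maps of bpfloader, itself, netd and system_server to offload tethering traffic by eBPF.` would keep the rationale in step with the rules. Whether network_stack is a member of bpfdomain, which the neverallow on L20 requires for map_create, is not visible in this section and is presumably established elsewhere.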


@ -1224,7 +1224,9 @@ with_asan(`
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
allow system_server bpfloader:bpf prog_run;
allow system_server self:bpf map_create;
allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
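Review bot: The only comment attached to these rules is "time in state accounting" on L66, yet L71 and L72 grant system_server map creation and read/write access to maps owned by netd and network_stack, which the comment does not account for; unlike the netd section (L32-L33) there is no note explaining the mainline-networking rationale here. A comment above L71 such as `# system_server creates its own networking maps and shares them with netd/network_stack (NS/SS mainline networking)` would let a later reviewer tell the networking grants apart from the time-in-state ones. The surrounding block continues outside the hunk on both sides, so there may be a broader comment I cannot see.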