Merge "Allow BPF programs from vendor."

private/bpfloader.te

@@ -1,15 +1,12 @@
-# bpf program loader
-type bpfloader, domain;
 type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
 
 # allow bpfloader to write to the kernel log (starts early)
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -27,24 +24,26 @@ allow bpfloader bpfloader_exec:file execute_no_trans;
 ###
 
 # TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
 neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
 neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
 neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+
 neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
-
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
 neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
 
 # No domain should be allowed to ptrace bpfloader

private/compat/32.0/32.0.ignore.cil

@@ -21,6 +21,7 @@
     fwk_automotive_display_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    fs_bpf_vendor
     gesture_prop
     hal_contexthub_service
     hal_camera_service

private/genfs_contexts

@@ -393,3 +393,4 @@ genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 genfscon bpf / u:object_r:fs_bpf:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
+genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0

private/property_contexts

@@ -269,7 +269,7 @@ persist.apexd.          u:object_r:apexd_prop:s0
 persist.vendor.apex.    u:object_r:apexd_select_prop:s0
 ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
 
-bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
+bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0 exact bool
 
 gsid.                   u:object_r:gsid_prop:s0
 ro.gsid.                u:object_r:gsid_prop:s0

public/bpfloader.te

@@ -0,0 +1 @@
+type bpfloader, domain, coredomain;

public/file.te

@@ -128,6 +128,7 @@ userdebug_or_eng(`
 ')
 type fs_bpf, fs_type;
 type fs_bpf_tethering, fs_type;
+type fs_bpf_vendor, fs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;

public/property.te

@@ -16,7 +16,6 @@ system_internal_prop(firstboot_prop)
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
     system_internal_prop(boottime_prop)
-    system_internal_prop(bpf_progs_loaded_prop)
     system_internal_prop(charger_prop)
     system_internal_prop(cold_boot_done_prop)
     system_internal_prop(ctl_adbd_prop)
@@ -182,6 +181,7 @@ system_public_prop(audio_prop)
 system_public_prop(bluetooth_a2dp_offload_prop)
 system_public_prop(bluetooth_audio_hal_prop)
 system_public_prop(bluetooth_prop)
+system_public_prop(bpf_progs_loaded_prop)
 system_public_prop(charger_status_prop)
 system_public_prop(ctl_default_prop)
 system_public_prop(ctl_interface_start_prop)
@@ -236,7 +236,6 @@ vendor_public_prop(persist_vendor_debug_wifi_prop)
 not_compatible_property(`
     # DO NOT ADD ANY PROPERTIES HERE
     system_public_prop(boottime_prop)
-    system_public_prop(bpf_progs_loaded_prop)
     system_public_prop(charger_prop)
     system_public_prop(cold_boot_done_prop)
     system_public_prop(ctl_adbd_prop)