allow non bpfloader creation of bpf maps
In practice only bpf programs are critical to device security... Normally there is basically no use for creating bpf maps outside of the bpfloader, since they have to be tied directly into the bpf programs (which is only ever done by the bpfloader during the boot process) to be of any use. This means that bpf maps created after the bpfloader is done, can't actually be used by any bpf code... Hence we had this restriction. However, map-in-map support changes this: It becomes possible to define a boot-time (bpfloader loaded) bpf program which accesses an (initially empty) outer map (created by the bpfloader). This outer map can be populated with inner maps at run time by various bpf using userspace code. While it can be populated with bpfloader created 'static' maps, it also makes sense to be able to create/destroy these inner maps on demand 'dynamically'. This allows bpf map memory utilization to be driven by actual runtime device needs. For example scaling with the number of users, apps, or connected networks. Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I93223c660463596c9e50065be819e2fd865da923
This commit is contained in:
Maciej Żenczykowski
parent
18eb855a0f
commit
28960d319a
4 changed files with 16 additions and 8 deletions
|
|
@ -47,8 +47,8 @@ neverallow { domain -bpfloader -gpuservice -lmkd -netd -netut
|
|||
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
|
||||
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
|
||||
|
||||
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
|
||||
neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
|
||||
neverallow { domain -bpfloader } *:bpf prog_load;
|
||||
neverallow { domain -bpfdomain } *:bpf { map_create map_read map_write prog_run };
|
||||
|
||||
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
|
||||
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
|
||||
|
|
|
|||
|
|
@ -10,12 +10,14 @@ allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir
|
|||
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
|
||||
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
|
||||
|
||||
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
|
||||
# the map created by bpfloader
|
||||
allow netd bpfloader:bpf { prog_run map_read map_write };
|
||||
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
|
||||
# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
|
||||
allow netd bpfloader:bpf prog_run;
|
||||
allow netd self:bpf map_create;
|
||||
allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
|
||||
|
||||
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
||||
# TODO: Remove this permission when 4.9 kernel is deprecated.
|
||||
# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
|
||||
# TODO: Remove this after we remove all bpf interactions from netd.
|
||||
allow netd self:key_socket create;
|
||||
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ allow network_stack radio_data_file:file create_file_perms;
|
|||
binder_call(network_stack, netd);
|
||||
|
||||
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
||||
# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
|
||||
allow network_stack self:key_socket create;
|
||||
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
|
||||
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
|
||||
|
|
@ -63,7 +64,10 @@ allow network_stack network_stack_service:service_manager find;
|
|||
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
|
||||
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
|
||||
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
|
||||
allow network_stack bpfloader:bpf { map_read map_write prog_run };
|
||||
allow network_stack bpfloader:bpf prog_run;
|
||||
allow network_stack self:bpf map_create;
|
||||
allow network_stack { bpfloader netd network_stack system_server }:bpf { map_read map_write };
|
||||
|
||||
# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
|
||||
get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
|
||||
|
||||
|
|
|
|||
|
|
@ -1224,7 +1224,9 @@ with_asan(`
|
|||
# time in state accounting
|
||||
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
|
||||
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
|
||||
allow system_server bpfloader:bpf { map_read map_write prog_run };
|
||||
allow system_server bpfloader:bpf prog_run;
|
||||
allow system_server self:bpf map_create;
|
||||
allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
|
||||
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
||||
allow system_server self:key_socket create;
|
||||
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
|
||||
|
|
|
|||
Loading…
Reference in a new issue