tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

mediaprovider_app can access BPF resources am: fd3e9d838e am: 27b2b6d8f5

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1907857

Change-Id: I58915b13356f9d94503dd9c02fda3def2b3362b5
This commit is contained in:
Alessio Balsini 2021-12-07 00:54:00 +00:00 committed by Automerger Merge Worker
commit 42216b5975
2 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
private/bpfloader.te
View file

@ -29,13 +29,14 @@ neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mou
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };

5
private/mediaprovider_app.te
View file

@ -62,3 +62,8 @@ get_prop(mediaprovider_app, drm_service_config_prop)
allow mediaprovider_app gpu_device:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:dir search;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };