diff --git a/private/bpfloader.te b/private/bpfloader.te
index 6bdc25963..eecda30d6 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -33,14 +33,14 @@ neverallow { domain } bpffs_type:dir ~{ add_name create getattr mount
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
 neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
-neverallow { domain -bpfloader } fs_bpf_loader:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
+neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
diff --git a/private/netd.te b/private/netd.te
index ae43e47ff..8be8212a8 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,7 +7,7 @@ init_daemon_domain(netd)
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
 allow netd { fs_bpf fs_bpf_netd_shared }:file write;
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 900b35c63..01f191561 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -26,7 +26,7 @@ binder_call(netutils_wrapper, netd);
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
 allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
 allow netutils_wrapper { fs_bpf }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/network_stack.te b/private/network_stack.te
index dfee01983..d9135a1ea 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
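Review bot: Dropping getattr from the generic `neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };` line leaves `fs_bpf_vendor:file getattr` without any neverallow in this hunk, because the per-type `{ getattr read }` lines that take its place cover fs_bpf, fs_bpf_loader, fs_bpf_net_private, fs_bpf_net_shared, fs_bpf_netd_readonly, fs_bpf_netd_shared and fs_bpf_tethering only, whereas before this change only bpfloader could getattr any bpffs_type file. That widening is consistent with how read on fs_bpf_vendor is already handled here (only the generic `~{ ... }` line touches it), so it is presumably intended, but nothing in the hunk says so and no fs_bpf_vendor rule is visible. If it is deliberate, record it above the per-type lines, e.g. `# getattr is restricted per type exactly like read; fs_bpf_vendor getattr/read are governed only by the generic rule above` (adjust if a fs_bpf_vendor rule exists outside this hunk). Note also that the fs_bpf line exempts gpuservice, lmkd and mediaprovider_app from the new getattr restriction although no allow for those domains is part of this change; an exemption grants nothing by itself, so this is fine, but their allow rules should be updated deliberately rather than by accident later.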
@@ -61,7 +61,7 @@ allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 # Use XFRM (IPsec) netlink sockets
diff --git a/private/system_server.te b/private/system_server.te
index 27e55943c..8d7057c2a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1175,7 +1175,7 @@ with_asan(`
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
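Review bot: The comment directly above the changed network_stack rule still describes the access as "run/update/read the eBPF maps", but the rule now also grants getattr, i.e. stat-style metadata access on the pinned objects, which the comment does not mention. Amend it so the documented intent matches the permission set, e.g. `# allow Tethering(network_stack process) to stat/run/update/read the eBPF maps to offload tethering traffic by eBPF.`. The same applies to the system_server hunk, whose comment ("to read, update and run the maps and programs used for time in state accounting") begins before the hunk and likewise omits getattr.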