bpfdomain: attribute for domain which can use BPF

Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.

Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325

private/bpfdomain.te

@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+  bpfdomain
+  -bpfloader
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+

private/bpfloader.te

@@ -1,5 +1,7 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 
+typeattribute bpfloader bpfdomain;
+
 # allow bpfloader to write to the kernel log (starts early)
 allow bpfloader kmsg_device:chr_file w_file_perms;
 

private/gpuservice.te

@@ -1,5 +1,7 @@
 # gpuservice - server for gpu stats and other gpu related services
 typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
 type gpuservice_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(gpuservice)

private/lmkd.te

@@ -1,4 +1,5 @@
 typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
 
 init_daemon_domain(lmkd)
 

private/mediaprovider_app.te

@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing the MediaProvider mainline module.
 ###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
 
 app_domain(mediaprovider_app)
 

private/netd.te

@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd bpfdomain;
 
 init_daemon_domain(netd)
 

private/netutils_wrapper.te

@@ -1,4 +1,5 @@
 typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
 
 r_dir_file(netutils_wrapper, system_file);
 

private/network_stack.te

@@ -1,5 +1,7 @@
 # Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
 
 app_domain(network_stack);
 net_domain(network_stack);

private/system_server.te

@@ -8,6 +8,7 @@ typeattribute system_server mlstrustedsubject;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)

public/attributes

@@ -219,6 +219,10 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.