bpfdomain: attribute for domain which can use BPF
Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325
This commit is contained in:
parent
c30b45e242
commit
6598175e06
10 changed files with 29 additions and 2 deletions
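--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+bpfdomain
+-bpfloader
+-netd
+-netutils_wrapper
+-network_stack
+-system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+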
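Review bot: The comment above the first neverallow does not say how denying net_admin and net_raw gives the network stack exclusive use of the BPF attach points, nor that the subtraction list is the complete allow-list, so a reader adding a new bpfdomain cannot tell whether to extend it. Presumably attaching to the network hooks requires one of these capabilities, which is why withholding them from every other bpfdomain (gpuservice, lmkd and mediaprovider_app in this commit) is sufficient; that reasoning belongs in the file. Suggested replacement for the header comment: `# Only the listed network-stack domains may combine BPF access with net_admin/net_raw; every other bpfdomain is denied both, keeping the network attach points exclusive to them. Extend the list only for domains that must own network hooks.` The second neverallow could likewise note that `*:bpf *` covers map access as well as prog_load, so a domain handed a map fd still needs the attribute.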
@ -1,5 +1,7 @@
|
|||
type bpfloader_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
typeattribute bpfloader bpfdomain;
|
||||
|
||||
# allow bpfloader to write to the kernel log (starts early)
|
||||
allow bpfloader kmsg_device:chr_file w_file_perms;
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# gpuservice - server for gpu stats and other gpu related services
|
||||
typeattribute gpuservice coredomain;
|
||||
typeattribute gpuservice bpfdomain;
|
||||
|
||||
type gpuservice_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(gpuservice)
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
typeattribute lmkd coredomain;
|
||||
typeattribute lmkd bpfdomain;
|
||||
|
||||
init_daemon_domain(lmkd)
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
###
|
||||
### A domain for further sandboxing the MediaProvider mainline module.
|
||||
###
|
||||
type mediaprovider_app, domain, coredomain;
|
||||
type mediaprovider_app, domain, coredomain, bpfdomain;
|
||||
|
||||
app_domain(mediaprovider_app)
|
||||
|
||||
|
|
|
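Review bot: mediaprovider_app is the only domain in this commit that receives bpfdomain inside its `type` declaration; bpfloader, gpuservice, lmkd, netd, netutils_wrapper, network_stack and system_server all get a separate `typeattribute X bpfdomain;` line, and the network_stack hunk even splits a combined typeattribute into one attribute per line. Keeping one form makes the set of bpfdomain members greppable from a single pattern. Suggested change: keep `type mediaprovider_app, domain, coredomain;` and add `typeattribute mediaprovider_app bpfdomain;` on the next line.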
@ -1,4 +1,5 @@
|
|||
typeattribute netd coredomain;
|
||||
typeattribute netd bpfdomain;
|
||||
|
||||
init_daemon_domain(netd)
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
typeattribute netutils_wrapper coredomain;
|
||||
typeattribute netutils_wrapper bpfdomain;
|
||||
|
||||
r_dir_file(netutils_wrapper, system_file);
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# Networking service app
|
||||
typeattribute network_stack coredomain, mlstrustedsubject;
|
||||
typeattribute network_stack coredomain;
|
||||
typeattribute network_stack mlstrustedsubject;
|
||||
typeattribute network_stack bpfdomain;
|
||||
|
||||
app_domain(network_stack);
|
||||
net_domain(network_stack);
|
||||
|
|
|
@ -8,6 +8,7 @@ typeattribute system_server mlstrustedsubject;
|
|||
typeattribute system_server scheduler_service_server;
|
||||
typeattribute system_server sensor_service_server;
|
||||
typeattribute system_server stats_service_server;
|
||||
typeattribute system_server bpfdomain;
|
||||
|
||||
# Define a type for tmpfs-backed ashmem regions.
|
||||
tmpfs_domain(system_server)
|
||||
|
|
|
@ -219,6 +219,10 @@ attribute bluetoothdomain;
|
|||
# All domains used for binder service domains.
|
||||
attribute binderservicedomain;
|
||||
|
||||
# All domains which have BPF access.
|
||||
attribute bpfdomain;
|
||||
expandattribute bpfdomain false;
|
||||
|
||||
# update_engine related domains that need to apply an update and run
|
||||
# postinstall. This includes the background daemon and the sideload tool from
|
||||
# recovery for A/B devices.
|
||||
|
|
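Review bot: The new attribute comment says only what the set contains, not where membership is enforced or what it costs; since the only way to learn that is to find private/bpfdomain.te, the comment should point there. Suggested replacement: `# All domains which have BPF access. Enforced by the neverallows in private/bpfdomain.te: non-members get no bpf class permissions, and members other than the core network domains may not hold net_admin/net_raw.` The `expandattribute bpfdomain false;` line is also uncommented; if it is there to keep the attribute in the compiled policy, a one-line comment saying so would stop a later cleanup from removing it.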