Merge "netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps" am: 8cd6e1569e am: 3ef679de95

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2509787

Change-Id: I62ad7b3be28ec04bca16e264749fdd0dbdf08978
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

private/bpfloader.te

@@ -33,14 +33,14 @@ neverallow { domain            } bpffs_type:dir ~{ add_name create getattr mount
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
 
 neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
-neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
-neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
-neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
-neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   read;
-neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               { getattr read };
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    { getattr read };
+neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
 neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;

private/netd.te

@@ -7,7 +7,7 @@ init_daemon_domain(netd)
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
 allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write

private/netutils_wrapper.te

@@ -26,7 +26,7 @@ binder_call(netutils_wrapper, netd);
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
 allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
 allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 

private/network_stack.te

@@ -61,7 +61,7 @@ allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
 # Use XFRM (IPsec) netlink sockets

private/system_server.te

@@ -1175,7 +1175,7 @@ with_asan(`
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;