Merge "Allow network_stack to update eBPF map"

Treehugger Robot 2020-12-02 08:35:20 +00:00 committed by Gerrit Code Review
commit 77dd325871
3 changed files with 8 additions and 4 deletions


@ -27,8 +27,8 @@ neverallow { domain -bpfloader } fs_bpf:file create;
neverallow domain fs_bpf:file { rename unlink };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -netd -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
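Review bot: The two exemptions that add `-network_stack` to the `prog_run` and `map_read map_write` neverallows (which I take to be the new side of the two changed pairs) carry no comment explaining why an `app_domain` is now trusted alongside netd and system_server, and the carve-out is against `*:bpf`, so any future `allow network_stack <type>:bpf` rule would no longer be caught by these guards even though the intended use is only the bpfloader-owned tethering maps. These neverallows are the enforced upper bound across partitions, so the intent is worth recording next to them: a line such as `# network_stack is exempted only for tethering offload (bpfloader-created maps/programs); keep its allow rules scoped to bpfloader:bpf.` above the first changed rule would make later widening visible in review. The map_create/prog_load neverallow on the line above is unchanged, so network_stack still cannot create maps or load programs, which is the right limit to keep.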


@ -1,5 +1,5 @@
# Networking service app
typeattribute network_stack coredomain;
typeattribute network_stack coredomain, mlstrustedsubject;
app_domain(network_stack);
net_domain(network_stack);
@ -36,3 +36,7 @@ hal_client_domain(network_stack, hal_tetheroffload)
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack fs_bpf:dir search;
allow network_stack fs_bpf:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
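Review bot: The first hunk adds `mlstrustedsubject` to network_stack (the line that appears to be the new side of the changed pair), which lets the domain bypass MLS level constraints for every object it touches, not just fs_bpf; this is a broader privilege than the commit title ("update eBPF map") conveys, and nothing in the hunk says why it is required. The third file section of this commit also drops `levelFrom=all` from network_stack's seapp_contexts entry, so the process level changes as well; if that alone already places network_stack at the same level as the pinned bpf objects, it is not obvious from these hunks that both changes are needed — confirm and document whichever one is the actual requirement. I would add a comment above the typeattribute line, for example `# mlstrustedsubject: needed to open fs_bpf objects created by bpfloader at a different MLS level — TODO confirm this is still required given the seapp_contexts level change.` The existing comment above the new allow rules could also name the scope precisely, e.g. `# Tethering (network_stack process) may search/read/write the pinned fs_bpf files and read/write/run the maps and programs owned by bpfloader for eBPF tethering offload.`, since the rules grant access to all fs_bpf files and all bpfloader-labelled bpf objects rather than only the tethering ones.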


@ -145,7 +145,7 @@ isSystemServer=true domain=system_server_startup
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file