tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sepolicy: allow netutils_wrapper access to fs_bpf_vendor

Browse source 
This is needed to allow vendor xt_bpf programs.

Bug: 325709490
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de
(cherry picked from commit 37ca69e5c8)
Merged-In: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de
This commit is contained in:
Maciej Żenczykowski 2023-11-18 03:36:05 +00:00 committed by Thiébaud Weksteen
parent c3052c9ab0
commit a4208e9f10
3 changed files with 7 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
private/bpfloader.te
View file

@ -68,7 +68,7 @@ neverallow {
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;

6
private/netd.te
View file

@ -6,9 +6,9 @@ init_daemon_domain(netd)
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader

6
private/netutils_wrapper.te
View file

@ -25,9 +25,9 @@ binder_call(netutils_wrapper, netd);
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip