Merge "bpfdomain: attribute for domain which can use BPF" am: 337e6b1e1c am: 960f03e7e6 am: 03fdb25b24 am: cefda06338

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978573

Change-Id: Ie478be8bae6218b7b06c5df549acb9e780171818
Maciej Żenczykowski 2022-02-10 08:06:16 +00:00 committed by Automerger Merge Worker
commit cd95bce516
10 changed files with 29 additions and 2 deletions

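--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+bpfdomain
+-bpfloader
+-netd
+-netutils_wrapper
+-network_stack
+-system_server
+} self:global_capability_class_set { net_admin net_raw };
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;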
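Review bot: The comment `# any domain which uses bpf is a bpfdomain` on the second neverallow describes the intent rather than what the rule does: it is a build-time assertion that rejects any policy granting a bpf permission to a type without the attribute, and it grants nothing itself. I would reword it to `# Build-time check: a domain granted any bpf permission must carry the bpfdomain attribute, so the capability restriction above applies to it.` The exemption list on the first rule is the sensitive part of this file, since every type subtracted there may combine BPF access with net_admin/net_raw, so a line such as `# Adding a type to this exemption list needs review: it lets that domain hold net_admin/net_raw alongside bpf access.` would help future readers. The `# All domains which have BPF access.` comment on the attribute definition in the attributes hunk could point back to this file, since this is where membership is enforced.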


@ -1,5 +1,7 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;


@ -1,5 +1,7 @@
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
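Review bot: `typeattribute gpuservice bpfdomain;` is added without a comment saying what gpuservice does with BPF, and the same applies to the lmkd, mediaprovider_app, netd, netutils_wrapper, network_stack and system_server hunks. Because the new neverallow in private/bpfdomain.te forbids any bpf permission for a type without this attribute, the attribute effectively becomes the list of BPF users, so each grant should record its reason, e.g. `# bpfdomain: <reason this domain needs bpf maps/programs — fill in>`. mediaprovider_app is an app domain (app_domain macro), so a justification there is the most valuable one.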


@ -1,4 +1,5 @@
typeattribute lmkd coredomain;
typeattribute lmkd bpfdomain;
init_daemon_domain(lmkd)


@ -1,7 +1,7 @@
###
### A domain for further sandboxing the MediaProvider mainline module.
###
type mediaprovider_app, domain, coredomain;
type mediaprovider_app, domain, coredomain, bpfdomain;
app_domain(mediaprovider_app)


@ -1,4 +1,5 @@
typeattribute netd coredomain;
typeattribute netd bpfdomain;
init_daemon_domain(netd)


@ -1,4 +1,5 @@
typeattribute netutils_wrapper coredomain;
typeattribute netutils_wrapper bpfdomain;
r_dir_file(netutils_wrapper, system_file);


@ -1,5 +1,7 @@
# Networking service app
typeattribute network_stack coredomain, mlstrustedsubject;
typeattribute network_stack coredomain;
typeattribute network_stack mlstrustedsubject;
typeattribute network_stack bpfdomain;
app_domain(network_stack);
net_domain(network_stack);


@ -8,6 +8,7 @@ typeattribute system_server mlstrustedsubject;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
typeattribute system_server bpfdomain;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)


@ -219,6 +219,10 @@ attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.