allow bpfloader to create symbolic links in /sys/fs/bpf

(this is to allow /sys/fs/bpf/tethering -> net_shared/tethering
 for InProcessTethering, ie. Android Go devices)

Bug: 190523685
Bug: 236925089
Test: TreeHugger, manually on aosp_cf_x86_go_phone-userdebug
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifa52429f958b0af80f91af6bfb064c1cdf9cd070

private/bpfdomain.te

@@ -12,3 +12,10 @@ neverallow {
 neverallow { domain -bpfdomain } *:bpf *;
 
 allow bpfdomain fs_bpf:dir search;
+
+# genfscon doesn't seem to trigger during symlink creation,
+# and thus any created symlinks end up as 'fs_bpf:lnk_type',
+# however this feels like a kernel bug / missing feature,
+# so let's allow all bpffs_type's instead,
+# this will keep things working even if this is fixed.
+allow bpfdomain bpffs_type:lnk_file read;

private/bpfloader.te

@@ -8,6 +8,7 @@ allow bpfloader kmsg_device:chr_file w_file_perms;
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader bpffs_type:dir { add_name create remove_name search write };
 allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
 allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
@@ -42,6 +43,9 @@ neverallow { domain -bpfloader             -init
 neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
 neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
 
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
+
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
 neverallow {