Merge "Add search in bpf directory for bpfdomains"
This commit is contained in:
commit
d796c9eb6c
8 changed files with 1 additions and 7 deletions
|
@ -11,3 +11,4 @@ neverallow {
|
|||
# any domain which uses bpf is a bpfdomain
|
||||
neverallow { domain -bpfdomain } *:bpf *;
|
||||
|
||||
allow bpfdomain fs_bpf:dir search;
|
||||
|
|
|
@ -54,7 +54,6 @@ neverallow gpuservice self:perf_event ~{ cpu kernel open write };
|
|||
|
||||
# Needed for interact with bpf fs.
|
||||
# Write is needed to open read/write bpf maps.
|
||||
allow gpuservice fs_bpf:dir search;
|
||||
allow gpuservice fs_bpf:file { read write };
|
||||
|
||||
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
|
||||
|
|
|
@ -12,7 +12,6 @@ set_prop(lmkd, lmkd_prop)
|
|||
# Get persist.device_config.lmk_native.* properties.
|
||||
get_prop(lmkd, device_config_lmkd_native_prop)
|
||||
|
||||
allow lmkd fs_bpf:dir search;
|
||||
allow lmkd fs_bpf:file read;
|
||||
allow lmkd bpfloader:bpf map_read;
|
||||
|
||||
|
|
|
@ -65,6 +65,5 @@ dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
|
|||
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
|
||||
|
||||
# bpfprog access for FUSE BPF
|
||||
allow mediaprovider_app fs_bpf:dir search;
|
||||
allow mediaprovider_app fs_bpf:file read;
|
||||
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
|
||||
|
|
|
@ -25,7 +25,6 @@ binder_call(netutils_wrapper, netd);
|
|||
# For vendor code that update the iptables rules at runtime. They need to reload
|
||||
# the whole chain including the xt_bpf rules. They need to access to the pinned
|
||||
# program when reloading the rule.
|
||||
allow netutils_wrapper fs_bpf:dir search;
|
||||
allow netutils_wrapper fs_bpf:file { read write };
|
||||
allow netutils_wrapper bpfloader:bpf prog_run;
|
||||
|
||||
|
|
|
@ -1134,7 +1134,6 @@ with_asan(`
|
|||
# allow system_server to read the eBPF maps that stores the traffic stats information and update
|
||||
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
|
||||
# time in state accounting
|
||||
allow system_server fs_bpf:dir search;
|
||||
allow system_server fs_bpf:file { read write };
|
||||
allow system_server bpfloader:bpf { map_read map_write prog_run };
|
||||
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
||||
|
|
|
@ -28,7 +28,6 @@ allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
|
|||
allow hal_health_server self:capability2 wake_alarm;
|
||||
|
||||
# Use bpf programs
|
||||
allow hal_health_server fs_bpf:dir search;
|
||||
allow hal_health_server fs_bpf_vendor:dir search;
|
||||
allow hal_health_server fs_bpf_vendor:file read;
|
||||
allow hal_health_server bpfloader:bpf prog_run;
|
||||
|
|
|
@ -64,7 +64,6 @@ allow netd sysfs_usb:file write;
|
|||
|
||||
r_dir_file(netd, cgroup_v2)
|
||||
|
||||
allow netd fs_bpf:dir search;
|
||||
allow netd fs_bpf:file { read write };
|
||||
|
||||
# TODO: netd previously thought it needed these permissions to do WiFi related
|
||||
|
|
Loading…
Reference in a new issue