lmkd: Add sepolicy rules around bpf for lmkd

LMKD needs to be able to attach BPF tracepoints. It needs to be able to
access tracefs, attach and run bpf programs.

Test: m
Test: Verified no denials with lmkd and libmemevents integration
Bug: 244232958
Change-Id: I57248b729c0f011937bec139930ca9d24ba91c3b
Signed-off-by: Carlos Galo <carlosgalo@google.com>

private/bpfloader.te

@@ -42,7 +42,7 @@ neverallow { domain -bpfloader                                      -netd
 neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
 neverallow { domain -bpfloader                                                                                            -uprobestats } fs_bpf_uprobestats:file   { getattr read };
-neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow { domain -bpfloader -gpuservice -lmkd                    -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;

private/compat/202404/202404.ignore.cil

@@ -6,4 +6,6 @@
 (typeattributeset new_objects
   ( new_objects
     profcollectd_etr_prop
+    fs_bpf_lmkd_memevents_rb
+    fs_bpf_lmkd_memevents_prog
   ))

private/coredomain.te

@@ -181,6 +181,7 @@ full_treble_only(`
     -dumpstate
     -gpuservice
     -init
+    -lmkd
     -traced_perf
     -traced_probes
     -shell

private/genfs_contexts

@@ -324,10 +324,13 @@ genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 
 genfscon bpf / u:object_r:fs_bpf:s0
 genfscon bpf /loader u:object_r:fs_bpf_loader:s0
+genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
 genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
 genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0

private/lmkd.te

@@ -12,7 +12,16 @@ set_prop(lmkd, lmkd_prop)
 # Get persist.device_config.lmk_native.* properties.
 get_prop(lmkd, device_config_lmkd_native_prop)
 
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow lmkd debugfs_tracing:file r_file_perms;
+allow lmkd self:perf_event { cpu kernel open write };
+
 allow lmkd fs_bpf:file read;
-allow lmkd bpfloader:bpf map_read;
+allow lmkd bpfloader:bpf { map_read map_write prog_run };
+
+# Needed for polling directly from the bpf ring buffer's fd
+allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
+allow lmkd fs_bpf_lmkd_memevents_prog:file read;
 
 neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow lmkd self:perf_event ~{ cpu kernel open write };

public/file.te

@@ -137,6 +137,8 @@ type fs_bpf, fs_type, bpffs_type;
 # TODO: S+ fs_bpf_tethering (used by mainline) should be private
 type fs_bpf_tethering, fs_type, bpffs_type;
 type fs_bpf_vendor, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;