tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

mediaprovider_app can access BPF resources

Browse source 
The FUSE daemon in MediaProvider needs to access the file descriptor of
its pinned BPF program and the maps used to commuicate with the kernel.

Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
This commit is contained in:
Alessio Balsini 2021-11-11 18:42:11 +00:00 committed by Paul Lawrence
parent eb424f43f2
commit fd3e9d838e
2 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
private/bpfloader.te
View file

@ -29,13 +29,14 @@ neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mou
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };

5
private/mediaprovider_app.te
View file

@ -62,3 +62,8 @@ get_prop(mediaprovider_app, drm_service_config_prop)
allow mediaprovider_app gpu_device:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:dir search;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };