From fd3e9d838e729cb15aba38c2a69f32b61af040e5 Mon Sep 17 00:00:00 2001
From: Alessio Balsini
Date: Thu, 11 Nov 2021 18:42:11 +0000
Subject: [PATCH] mediaprovider_app can access BPF resources

The FUSE daemon in MediaProvider needs to access the file descriptor of its pinned BPF program and the maps used to commuicate with the kernel.

Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
---
 private/bpfloader.te | 7 ++++---
 private/mediaprovider_app.te | 5 +++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 2be2a4e82..78cd37ea6 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -29,13 +29,14 @@ neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mou
 # TODO: get rid of init & vendor_init
 neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
 neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
 neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index f37002576..0e1b1a067 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
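Review bot: The new `{ fs_bpf }:file read` exemption lets mediaprovider_app read every object pinned under the fs_bpf label, not only the FUSE program and maps the commit message describes; the same exception list names gpuservice and lmkd as readers, so unrelated pinned objects evidently share that label and become reachable from an app domain, and the `*:bpf prog_run` / `{ map_read map_write }` exemptions two lines below are likewise unscoped. This hunk already uses the per-subsystem pattern (fs_bpf_tethering kept as a separate label so mediaprovider_app is not exempted for it), so a dedicated fs_bpf subtype for the FUSE objects would let these neverallows stay tight; the same scoping applies to the allow rules in the mediaprovider_app.te hunk. If the broad label is accepted for now, the justification should live in the policy rather than only in the commit message, e.g. `# mediaprovider_app: FUSE daemon reads its pinned BPF program and maps (Bug: 202785178)` above the changed read rule. The second, unchanged-list fs_bpf_tethering rule deserves a one-line comment saying it exists solely to keep mediaprovider_app out of tethering objects, otherwise the duplication looks accidental.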
@@ -62,3 +62,8 @@ get_prop(mediaprovider_app, drm_service_config_prop)
 allow mediaprovider_app gpu_device:dir search;
 dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+
+# bpfprog access for FUSE BPF
+allow mediaprovider_app fs_bpf:dir search;
+allow mediaprovider_app fs_bpf:file read;
+allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
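Review bot: The comment `# bpfprog access for FUSE BPF` does not say why each of `map_read`, `map_write` and `prog_run` is needed, and the last two grant more than the "access the file descriptor" the commit message describes. If, as the message suggests, prog_run is required only so the daemon can obtain its pinned program's descriptor and map_write only for the maps it shares with the kernel, the comment should say so, e.g. `# FUSE daemon: obtain the fd of its pinned BPF program and read/write the maps shared with the kernel (Bug: 202785178)`, so a later reviewer can tell an intended grant from an over-broad one. The permission set itself is plausibly the minimum for that use, but that cannot be verified from the hunk alone.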