tequilaOS/platform_system_sepolicy

Fork 0

Commit graph

Author	SHA1	Message	Date
Chenbo Feng	6cd70c2f00	Fix sepolicy for bpf object With the new patches backported to 4.9 kernels, the bpf file system now take the same file open flag as bpf_obj_get. So system server now need read permission only for both bpf map and fs_bpf since we do not need system server to edit the map. Also, the netd will always pass stdin stdout fd to the process forked by it and do allow it will cause the fork and execev fail. We just allow it pass the fd to bpfloader for now until we have a better option. Test: bpfloader start successful on devices with 4.9 kernel. run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest Bug: 74096311 Bug: 30950746 Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d	2018-03-07 14:51:18 +09:00
Chenbo Feng	566411edf2	Add sepolicy to lock down bpf access Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f	2018-01-17 23:19:30 +00:00

Author

SHA1

Message

Date

Chenbo Feng

6cd70c2f00

Fix sepolicy for bpf object

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

2018-03-07 14:51:18 +09:00

Chenbo Feng

566411edf2

Add sepolicy to lock down bpf access

Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f

2018-01-17 23:19:30 +00:00

2 commits