platform_system_sepolicy/private/bpfloader.te
Steven Moreland c27d24c37c Allow BPF programs from vendor.
Who needs all those context switches?

bpfloader controls which types of vendor programs can be used.

Bug: 140330870
Bug: 162057235
Test: successfully load bpf programs from vendor
Change-Id: I36e4f6550da33fea5bad509470dfd39f301f13c8
2022-02-08 22:46:54 +00:00

54 lines
2.9 KiB
Text

type bpfloader_exec, system_file_type, exec_type, file_type;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin net_admin };
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
###
### Neverallow rules
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
# this should perhaps be moved to the bpfloader binary itself. Allow both.
neverallow { domain -bpfloader -init } proc_bpf:file write;