fd3e9d838e
The FUSE daemon in MediaProvider needs to access the file descriptor of its pinned BPF program and the maps used to commuicate with the kernel. Bug: 202785178 Test: adb logcat FuseDaemon:V \*:S (in git_master) Ignore-AOSP-First: mirroring AOSP for prototyping Signed-off-by: Alessio Balsini <balsini@google.com> Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
50 lines
2.7 KiB
Text
50 lines
2.7 KiB
Text
# bpf program loader
|
|
type bpfloader, domain;
|
|
type bpfloader_exec, system_file_type, exec_type, file_type;
|
|
typeattribute bpfloader coredomain;
|
|
|
|
# These permissions are required to pin ebpf maps & programs.
|
|
allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
|
|
allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
|
|
allow fs_bpf_tethering fs_bpf:filesystem associate;
|
|
|
|
# Allow bpfloader to create bpf maps and programs.
|
|
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
|
|
|
|
allow bpfloader self:capability { chown sys_admin net_admin };
|
|
|
|
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
|
|
|
|
set_prop(bpfloader, bpf_progs_loaded_prop)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
|
|
neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
|
|
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
|
|
neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
|
|
|
|
# TODO: get rid of init & vendor_init
|
|
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
|
|
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
|
|
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
|
|
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
|
|
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
|
|
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
|
|
|
|
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
|
|
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
|
|
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
|
|
|
|
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
|
|
|
|
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
|
|
|
|
# No domain should be allowed to ptrace bpfloader
|
|
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
|
|
|
|
# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
|
|
# this should perhaps be moved to the bpfloader binary itself. Allow both.
|
|
neverallow { domain -bpfloader -init } proc_bpf:file write;
|