6598175e06
Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325
13 lines
310 B
Text
13 lines
310 B
Text
# platform should have ownership of network attachpoints for BPF
|
|
neverallow {
|
|
bpfdomain
|
|
-bpfloader
|
|
-netd
|
|
-netutils_wrapper
|
|
-network_stack
|
|
-system_server
|
|
} self:global_capability_class_set { net_admin net_raw };
|
|
|
|
# any domain which uses bpf is a bpfdomain
|
|
neverallow { domain -bpfdomain } *:bpf *;
|
|
|