b13921c3f0
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
118 lines
6.7 KiB
Text
118 lines
6.7 KiB
Text
# Networking service app
|
|
typeattribute network_stack coredomain;
|
|
typeattribute network_stack mlstrustedsubject;
|
|
typeattribute network_stack bpfdomain;
|
|
|
|
app_domain(network_stack);
|
|
net_domain(network_stack);
|
|
|
|
allow network_stack self:global_capability_class_set {
|
|
net_admin
|
|
net_bind_service
|
|
net_broadcast
|
|
net_raw
|
|
};
|
|
|
|
# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
|
|
allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# The DhcpClient uses packet_sockets
|
|
allow network_stack self:packet_socket create_socket_perms_no_ioctl;
|
|
|
|
# Monitor neighbors via netlink.
|
|
allow network_stack self:netlink_route_socket nlmsg_write;
|
|
|
|
# Use netlink uevent sockets.
|
|
allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
|
|
# give network_stack the same netlink permissions as netd
|
|
allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
|
|
allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
|
|
allow network_stack app_api_service:service_manager find;
|
|
allow network_stack dnsresolver_service:service_manager find;
|
|
allow network_stack mdns_service:service_manager find;
|
|
allow network_stack netd_service:service_manager find;
|
|
allow network_stack network_watchlist_service:service_manager find;
|
|
allow network_stack radio_service:service_manager find;
|
|
allow network_stack system_config_service:service_manager find;
|
|
allow network_stack radio_data_file:dir create_dir_perms;
|
|
allow network_stack radio_data_file:file create_file_perms;
|
|
|
|
binder_call(network_stack, netd);
|
|
|
|
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
|
# TODO: Remove this permission when 4.9 kernel is deprecated.
|
|
allow network_stack self:key_socket create;
|
|
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
|
|
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
|
|
dontaudit network_stack self:key_socket getopt;
|
|
|
|
# Grant read permission of connectivity namespace system property prefix.
|
|
get_prop(network_stack, device_config_connectivity_prop)
|
|
|
|
# Create/use netlink_tcpdiag_socket to get tcp info
|
|
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
|
|
############### Tethering Service app - Tethering.apk ##############
|
|
hal_client_domain(network_stack, hal_tetheroffload)
|
|
# Create and share netlink_netfilter_sockets for tetheroffload.
|
|
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
|
allow network_stack network_stack_service:service_manager find;
|
|
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
|
|
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
|
|
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
|
|
allow network_stack bpfloader:bpf { map_read map_write prog_run };
|
|
|
|
# Use XFRM (IPsec) netlink sockets
|
|
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
|
|
|
|
# tun device used for 3rd party vpn apps and test network manager
|
|
allow network_stack tun_device:chr_file rw_file_perms;
|
|
allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
|
|
|
|
############### NEVER ALLOW RULES
|
|
# This place is as good as any for these rules,
|
|
# and it is probably the most appropriate because
|
|
# network_stack itself is entirely mainline code.
|
|
#
|
|
# Unfortunately init/vendor_init have all sorts of extra privs
|
|
|
|
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
|
|
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
|
|
|
|
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
|
|
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
|
|
|
|
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
|
|
|
|
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
|
|
# netd's access should be readonly
|
|
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
|
|
neverallow netd fs_bpf_netd_readonly:file write;
|
|
|
|
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
|
|
|
|
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
|
|
# netutils_wrapper requires access to be able to run iptables and only needs readonly access
|
|
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
|
|
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
|
|
|
|
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
|
|
|
|
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
|
|
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
|