platform_system_sepolicy/prebuilts/api/28.0/private/bpfloader.te
Joel Galenson d65f26f1b0 Hide bpfloader sys_admin denials.
Bug: 79524845
Test: Boot device and see no denials.
Change-Id: I9316bfd0e3718818a7613a421aedff7da8c87108
2018-05-23 08:36:40 -07:00

30 lines
1.1 KiB
Text

# bpf program loader
type bpfloader, domain;
type bpfloader_exec, exec_type, file_type;
typeattribute bpfloader coredomain;
# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
allow bpfloader self:global_capability_class_set net_admin;
r_dir_file(bpfloader, cgroup_bpf)
# These permission is required for pin bpf program for netd.
allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
allow bpfloader netd:fd use;
# Use pinned bpf map files from netd.
allow bpfloader netd:bpf { map_read map_write };
allow bpfloader self:bpf { prog_load prog_run };
# Neverallow rules
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
dontaudit bpfloader self:capability sys_admin;