bfa95fcdf0
With the new patches backported to 4.9 kernels, the bpf file system now take the same file open flag as bpf_obj_get. So system server now need read permission only for both bpf map and fs_bpf since we do not need system server to edit the map. Also, the netd will always pass stdin stdout fd to the process forked by it and do allow it will cause the fork and execev fail. We just allow it pass the fd to bpfloader for now until we have a better option. Test: bpfloader start successful on devices with 4.9 kernel. run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest Bug: 74096311 Bug: 30950746 Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d
27 lines
1 KiB
Text
27 lines
1 KiB
Text
# bpf program loader
|
|
type bpfloader, domain;
|
|
type bpfloader_exec, exec_type, file_type;
|
|
typeattribute bpfloader coredomain;
|
|
|
|
# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
|
|
allow bpfloader self:global_capability_class_set net_admin;
|
|
|
|
r_dir_file(bpfloader, cgroup_bpf)
|
|
|
|
# These permission is required for pin bpf program for netd.
|
|
allow bpfloader fs_bpf:dir create_dir_perms;
|
|
allow bpfloader fs_bpf:file create_file_perms;
|
|
allow bpfloader devpts:chr_file { read write };
|
|
|
|
allow bpfloader netd:fd use;
|
|
|
|
# Use pinned bpf map files from netd.
|
|
allow bpfloader netd:bpf { map_read map_write };
|
|
allow bpfloader self:bpf { prog_load prog_run };
|
|
|
|
# Neverallow rules
|
|
neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
|
|
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
|
|
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
# only system_server, netd and bpfloader can read/write the bpf maps
|
|
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
|