68ef8c070e
To better record the network traffic stats for each network interface.
We use xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per uid stats accounting.
The xt_bpf module will take pinned eBPF program as iptables rule and run
the program when packet pass through the netfilter hook. To setup the
iptables rules. netd need to be able to access bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.
Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305
Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
(cherry picked from aosp commit 5c95c16841)
28 lines
1.1 KiB
Text
28 lines
1.1 KiB
Text
# bpf program loader
|
|
type bpfloader, domain;
|
|
type bpfloader_exec, exec_type, file_type;
|
|
typeattribute bpfloader coredomain;
|
|
|
|
# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
|
|
allow bpfloader self:global_capability_class_set net_admin;
|
|
|
|
r_dir_file(bpfloader, cgroup_bpf)
|
|
|
|
# These permission is required for pin bpf program for netd.
|
|
allow bpfloader fs_bpf:dir create_dir_perms;
|
|
allow bpfloader fs_bpf:file create_file_perms;
|
|
allow bpfloader devpts:chr_file { read write };
|
|
|
|
allow bpfloader netd:fd use;
|
|
|
|
# Use pinned bpf map files from netd.
|
|
allow bpfloader netd:bpf { map_read map_write };
|
|
allow bpfloader self:bpf { prog_load prog_run };
|
|
|
|
# Neverallow rules
|
|
neverallow { domain -bpfloader } *:bpf prog_load;
|
|
neverallow { domain -bpfloader -netd } *:bpf prog_run;
|
|
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
|
|
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
# only system_server, netd and bpfloader can read/write the bpf maps
|
|
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
|