6598175e06
Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325
56 lines
3 KiB
Text
56 lines
3 KiB
Text
type bpfloader_exec, system_file_type, exec_type, file_type;
|
|
|
|
typeattribute bpfloader bpfdomain;
|
|
|
|
# allow bpfloader to write to the kernel log (starts early)
|
|
allow bpfloader kmsg_device:chr_file w_file_perms;
|
|
|
|
# These permissions are required to pin ebpf maps & programs.
|
|
allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
|
|
allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
|
|
allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
|
|
|
|
# Allow bpfloader to create bpf maps and programs.
|
|
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
|
|
|
|
allow bpfloader self:capability { chown sys_admin net_admin };
|
|
|
|
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
|
|
|
|
set_prop(bpfloader, bpf_progs_loaded_prop)
|
|
|
|
allow bpfloader bpfloader_exec:file execute_no_trans;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
|
|
neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
|
|
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
|
|
neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
|
|
|
|
# TODO: get rid of init & vendor_init
|
|
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
|
|
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
|
|
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
|
|
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
|
|
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
|
|
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
|
|
|
|
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
|
|
|
|
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
|
|
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
|
|
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
|
|
|
|
neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
|
|
|
|
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
|
|
|
|
# No domain should be allowed to ptrace bpfloader
|
|
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
|
|
|
|
# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
|
|
# this should perhaps be moved to the bpfloader binary itself. Allow both.
|
|
neverallow { domain -bpfloader -init } proc_bpf:file write;
|