7ed266c678
commit 9b2e0cbeea added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns. Apply the new macro to various self:capability
references that have cropped up since then.
Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
30 lines
1.1 KiB
Text
30 lines
1.1 KiB
Text
# bpf program loader
|
|
type bpfloader, domain;
|
|
type bpfloader_exec, exec_type, file_type;
|
|
typeattribute bpfloader coredomain;
|
|
|
|
# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
|
|
allow bpfloader self:global_capability_class_set net_admin;
|
|
|
|
r_dir_file(bpfloader, cgroup_bpf)
|
|
|
|
# These permission is required for pin bpf program for netd.
|
|
allow bpfloader fs_bpf:dir create_dir_perms;
|
|
allow bpfloader fs_bpf:file create_file_perms;
|
|
allow bpfloader devpts:chr_file { read write };
|
|
|
|
allow bpfloader netd:fd use;
|
|
|
|
# Use pinned bpf map files from netd.
|
|
allow bpfloader netd:bpf { map_read map_write };
|
|
allow bpfloader self:bpf { prog_load prog_run };
|
|
|
|
# Neverallow rules
|
|
neverallow { domain -bpfloader } *:bpf prog_load;
|
|
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
|
|
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
|
|
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
# only system_server, netd and bpfloader can read/write the bpf maps
|
|
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
|
|
|
|
dontaudit bpfloader self:global_capability_class_set sys_admin;
|