platform_system_sepolicy/private/bpfloader.te
Chenbo Feng 5c95c16841 Allow netd to setup xt_bpf iptable rules
To better record the network traffic stats for each network interface.
We use xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per uid stats accounting.
The xt_bpf module will take pinned eBPF program as iptables rule and run
the program when packet pass through the netfilter hook. To setup the
iptables rules. netd need to be able to access bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.

Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305

Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
2018-03-21 11:06:03 -07:00

28 lines
1.1 KiB
Text

# bpf program loader
type bpfloader, domain;
type bpfloader_exec, exec_type, file_type;
typeattribute bpfloader coredomain;
# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
allow bpfloader self:global_capability_class_set net_admin;
r_dir_file(bpfloader, cgroup_bpf)
# These permission is required for pin bpf program for netd.
allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
allow bpfloader netd:fd use;
# Use pinned bpf map files from netd.
allow bpfloader netd:bpf { map_read map_write };
allow bpfloader self:bpf { prog_load prog_run };
# Neverallow rules
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd } *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };