5c95c16841
To better record the network traffic stats for each network interface. We use xt_bpf netfilter module to do the iface stats accounting instead of the cgroup bpf filter we currently use for per uid stats accounting. The xt_bpf module will take pinned eBPF program as iptables rule and run the program when packet pass through the netfilter hook. To setup the iptables rules. netd need to be able to access bpf filesystem and run the bpf program at boot time. The program used will still be created and pinned by the bpfloader process. Test: With selinux enforced, run "iptables -L -t raw" should show the xt_bpf related rule present in bw_raw_PREROUTING chain. Bug: 72111305 Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
28 lines
1.1 KiB
Text
28 lines
1.1 KiB
Text
# bpf program loader
|
|
type bpfloader, domain;
|
|
type bpfloader_exec, exec_type, file_type;
|
|
typeattribute bpfloader coredomain;
|
|
|
|
# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
|
|
allow bpfloader self:global_capability_class_set net_admin;
|
|
|
|
r_dir_file(bpfloader, cgroup_bpf)
|
|
|
|
# These permission is required for pin bpf program for netd.
|
|
allow bpfloader fs_bpf:dir create_dir_perms;
|
|
allow bpfloader fs_bpf:file create_file_perms;
|
|
allow bpfloader devpts:chr_file { read write };
|
|
|
|
allow bpfloader netd:fd use;
|
|
|
|
# Use pinned bpf map files from netd.
|
|
allow bpfloader netd:bpf { map_read map_write };
|
|
allow bpfloader self:bpf { prog_load prog_run };
|
|
|
|
# Neverallow rules
|
|
neverallow { domain -bpfloader } *:bpf prog_load;
|
|
neverallow { domain -bpfloader -netd } *:bpf prog_run;
|
|
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
|
|
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
# only system_server, netd and bpfloader can read/write the bpf maps
|
|
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
|