platform_system_sepolicy/private/bpfloader.te
Maciej Żenczykowski e14e69a947 add fs_bpf_loader selinux type
To be used for things that only the bpfloader should be access.

Expected use case is for programs that the bpfloader should load,
pin into the filesystem, *and* attach.

[ie. no need for anything else to attach the programs]

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I035d3fcbf6cee523e41cdde23b8edc13311a45e8
2022-12-02 12:26:49 +00:00

76 lines
3.8 KiB
Text

type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin net_admin };
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
###
### Neverallow rules
###
# Note: we don't care about getattr/mounton/search
neverallow { domain } bpffs_type:dir { open read setattr };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
neverallow { domain -bpfloader } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
neverallow { domain -bpfloader } fs_bpf_loader:file read;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file open;
neverallow {
domain
-bpfloader
-gpuservice
-hal_health_server
-mediaprovider_app
-netd
-netutils_wrapper
-network_stack
-system_server
} *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
# this should perhaps be moved to the bpfloader binary itself. Allow both.
neverallow { domain -bpfloader -init } proc_bpf:file write;