sepolicy: New sepolicy classes and rules about bpf object

Add the new classes for eBPF map and program to limit the access to eBPF
objects. Add corresponding rules to allow the netd module to initialize bpf
programs and maps, use the program and read/write eBPF maps.

Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
diff --git a/private/access_vectors b/private/access_vectors
index 14e1712..898c884 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@
 class unix_dgram_socket
 inherits socket
 
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
+
 #
 # Define the access vector interpretation for process-related objects
 #
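Review bot: The new `class bpf` block has no comment explaining what its five permissions gate, while the neighbouring sections of access_vectors carry a header comment (the `# Define the access vector interpretation ...` banner right below it). A one-line header such as `# eBPF maps and programs; the object is labelled with the creating domain, hence self:bpf in domain rules` would tell a policy author why the rules in netd.te use `self` as the target — the creator-labelling part is my reading of how the kernel hooks assign the object context, so confirm before wording it that way. The same declaration is mirrored in the security_classes hunk, which needs no comment of its own.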
diff --git a/private/security_classes b/private/security_classes
index 2cfc768..251b721 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
+class bpf
 
 # sysv-ipc-related classes
 class sem
diff --git a/public/netd.te b/public/netd.te
index ec18113..225ada9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -107,6 +107,9 @@
 # give netd permission to read and write netlink xfrm
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
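Review bot: The new allow rule grants netd the complete permission set of the new class, including `prog_load`, but nothing in this change constrains which domains may ever receive `prog_load` or `map_create`, so a later rule could hand them to an unrelated domain without any compile-time check failing. Unless one already exists outside this diff, a companion neverallow in the same file or in domain.te, for example `neverallow { domain -netd } *:bpf { prog_load map_create };`, would make the intended confinement explicit and enforced by the policy build. The rule's comment reads a little loosely; `# give netd permission to create/use eBPF maps and load/run eBPF programs` says what is actually granted. The test line in the commit message only covers boot, so confirm that the netd paths that actually load programs and touch maps were exercised.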