Allow executing bpfloader from init and modify rules
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.
Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 802fd51..1ae5430 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,8 +8,6 @@
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-allow bpfloader netd:fd use;
-
# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
@@ -21,7 +19,7 @@
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
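Review bot: The rewritten neverallow on the changed line exempts init from both `execute` and `execute_no_trans` on bpfloader_exec, which is wider than the transition added in init.te needs; the auto-transition requires init to `execute` the file while bpfloader itself takes `entrypoint`, so exempting init from `execute_no_trans` would let a later `allow init bpfloader_exec:file execute_no_trans` (running the loader inside the init domain, with init's privileges) pass the neverallow check silently. If the domain_trans macro grants only `execute` to the source domain here, consider splitting the rule so the no-transition case stays locked down: `neverallow { domain -bpfloader -init } bpfloader_exec:file execute;` and `neverallow { domain -bpfloader } bpfloader_exec:file execute_no_trans;`. The `map` permission on the exec file is not covered by this neverallow either, but that predates the change.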
diff --git a/private/init.te b/private/init.te
index b8b0066..5b1ebc8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -7,6 +7,8 @@
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
recovery_only(`
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, fastbootd)
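Review bot: The new `domain_auto_trans(init, bpfloader_exec, bpfloader)` line carries no comment, while the rule it replaces in netd.te was annotated with `# Allow netd to start bpfloader_exec in its own domain`; the intent (init launching bpfloader as a one-shot service rather than netd) is only recoverable from the commit message. Suggest keeping the same documentation style with `# Allow init to start bpfloader in its own domain (one-shot service, moved from netd)` above the added rule. The rule sits before `recovery_only(` and so applies to every boot mode; that appears intended given the description, but worth confirming that bpfloader is expected in recovery as well.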
diff --git a/private/netd.te b/private/netd.te
index 711d569..67c2e9e 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -8,9 +8,6 @@
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
-# Allow netd to start bpfloader_exec in its own domain
-domain_auto_trans(netd, bpfloader_exec, bpfloader)
-
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };