Allow executing bpfloader from init and modify rules
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.
Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 802fd51..1ae5430 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,8 +8,6 @@
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-allow bpfloader netd:fd use;
-
# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
@@ -21,7 +19,7 @@
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };