introduce new 'proc_bpf' for bpf related sysctls

What to tag chosen based on output of:
  find /proc 2>/dev/null | egrep bpf
on a 5.10 kernel.

Tagged by path prefix, so that the labels are less likely to require changes in the future

  $ adb root
  $ adb shell 'ls -lZ /proc/sys/net/core/bpf_* /proc/sys/kernel/*bpf*'

Before:
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_limit

After:
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_limit

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46ea81ff42d3b915cf7a96735dc2636d9808ead6
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 343ec7a..25cfda4 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,3 +41,7 @@
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
+# this should perhaps be moved to the bpfloader binary itself.  Allow both.
+neverallow { domain -bpfloader -init } proc_bpf:file write;
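Review bot: The added neverallow names only `write`, but SELinux checks `append` instead of `write` when a file is opened with O_APPEND, so a domain granted `append` on `proc_bpf` could still change these sysctls without tripping the assertion. Widening the permission set closes that gap: `neverallow { domain -bpfloader -init } proc_bpf:file { append write };`. Separately, the exemption lists `bpfloader`, but no `allow bpfloader proc_bpf:file ...` rule appears in the visible hunks. The comment could say that the exemption is forward-looking, so that it is not read as an existing grant.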
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 061edca..eaf971b 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1964,6 +1964,7 @@
 (typeattributeset privapp_data_file_31_0 (privapp_data_file))
 (typeattributeset proc_31_0
   ( proc
+    proc_bpf
     proc_cpu_alignment
 ))
 (typeattributeset proc_abi_31_0 (proc_abi))
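Review bot: `proc_bpf` is added to `proc_31_0` here and to `proc_net_31_0` in the next hunk, but nothing in the file records why one type belongs to two versioned attributes. A CIL comment above each entry would help, for example `; proc_bpf: split out of proc (kernel/*bpf*) and proc_net (net/core/bpf_*)`. The mapping also means that any 31.0 vendor rule granting write on either attribute carries over to `proc_bpf`. The new neverallow in bpfloader.te presumably constrains only policy built with this tree, so older vendor policy would not be restricted by it; that is worth confirming and noting in the commit message.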
@@ -1996,7 +1997,10 @@
 (typeattributeset proc_misc_31_0 (proc_misc))
 (typeattributeset proc_modules_31_0 (proc_modules))
 (typeattributeset proc_mounts_31_0 (proc_mounts))
-(typeattributeset proc_net_31_0 (proc_net))
+(typeattributeset proc_net_31_0
+  ( proc_bpf
+    proc_net
+))
 (typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_31_0 (proc_page_cluster))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 812ced9..39b04f3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -44,6 +44,7 @@
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
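Review bot: The new `/sys/kernel/bpf_` entry is a path-prefix match, as are `/sys/kernel/unprivileged_bpf_` and `/sys/net/core/bpf_` in the next hunk, yet the file does not say so, and the trailing underscore is easy to mistake for a typo. A one-line comment above the first entry would document the intent, for example `# Prefix entries: every sysctl whose name starts with the given prefix is labeled proc_bpf`. It would also make clear that a future kernel sysctl under these prefixes picks up the restricted label automatically, which is the behaviour the commit message describes.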
@@ -74,8 +75,10 @@
 genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
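Review bot: The `/sys/net/core/bpf_` entry takes the bpf_jit_* files out of `proc_net`, so any platform domain that read them through a `proc_net` rule loses that access unless it is also granted `proc_bpf`. In the hunks visible here only init receives the new type. The commit message listing shows bpf_jit_enable as mode 0644, so non-root readers may exist. It would be worth checking a boot and a test run for `proc_bpf` read denials, and adding a narrowly scoped `allow <domain> proc_bpf:file r_file_perms;` for each legitimate reader rather than leaving those reads to fail silently.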
diff --git a/public/file.te b/public/file.te
index bfc20d4..b8b9899 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,6 +23,7 @@
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;
 type proc_bootconfig, fs_type, proc_type;
+type proc_bpf, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
 type proc_cmdline, fs_type, proc_type;
 type proc_cpu_alignment, fs_type, proc_type;
diff --git a/public/init.te b/public/init.te
index 8799134..5c3e4e7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -371,6 +371,7 @@
 
 allow init {
   proc_abi
+  proc_bpf
   proc_cpu_alignment
   proc_dirty
   proc_hostname