selinux - netd - tighten down bpf policy
bpf programs/maps are now loaded by the bpfloader, not netd
Test: built/installed on crosshatch which uses eBPF - no avc denials
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d9b29ce..00d4c79 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,8 +17,8 @@
###
### Neverallow rules
###
-neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/public/netd.te b/public/netd.te
index c4a9136..1a2163d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -57,8 +57,8 @@
r_dir_file(netd, cgroup_bpf)
-allow netd fs_bpf:dir create_dir_perms;
-allow netd fs_bpf:file create_file_perms;
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write setattr };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
@@ -151,9 +151,6 @@
-netutils_wrapper
} dnsresolver_service:service_manager find;
-# only netd can create the bpf maps
-neverallow { domain -netd } netd:bpf { map_create };
-
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;