selinux - netd - tighten down bpf policy

bpf programs/maps are now loaded by the bpfloader, not netd

Test: built/installed on crosshatch which uses eBPF - no avc denials

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d9b29ce..00d4c79 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,8 +17,8 @@
 ###
 ### Neverallow rules
 ###
-neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
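Review bot: the new `neverallow { domain -bpfloader } *:bpf { map_create prog_load };` on the second `+` line denies `map_create` to every domain other than bpfloader, including netd, but this hunk only touches `private/bpfloader.te`; any `allow netd self:bpf map_create` (or equivalent) still present elsewhere in the policy would conflict with this neverallow and fail the policy build, so the corresponding netd rule removal the commit title refers to should land in the same change, and a reviewer would want to see that file in the diff. The `prog_run` line still exempts `netd` and `netutils_wrapper`, which is consistent with the description (loading moves to bpfloader, attaching does not), but the only change to that line is the added space before `}`; calling out the whitespace fix as cosmetic in the commit message would make the intent clear.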