Allow network_stack to update eBPF map

Bug: 173167302
Test: m
Change-Id: I7e7fcbcada905601cf08bf99fcdeb7e61c6effae
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c88be2..954f863 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,8 +27,8 @@
 neverallow domain fs_bpf:file { rename unlink };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
 
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
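Review bot: The two widened neverallow rules exempt network_stack for `*:bpf`, that is for bpf objects of every type, while the only allow rule in this change targets `bpfloader:bpf`. The build-time check will therefore no longer catch a later rule that grants network_stack access to maps or programs created by another domain. A comment above the rules, such as `# network_stack (Tethering) uses bpfloader-created maps and programs for tethering offload`, would record why the exemption exists. A companion rule like `neverallow network_stack { domain -bpfloader }:bpf { map_read map_write prog_run };` would keep the exemption scoped, provided it is consistent with the rest of the policy.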
diff --git a/private/network_stack.te b/private/network_stack.te
index 1295a07..4768538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,5 @@
 # Networking service app
-typeattribute network_stack coredomain;
+typeattribute network_stack coredomain, mlstrustedsubject;
 
 app_domain(network_stack);
 net_domain(network_stack);
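Review bot: Adding `mlstrustedsubject` on the `typeattribute` line exempts network_stack from the MLS constraints for every object it accesses, not only the fs_bpf pins. The seapp_contexts hunk also drops `levelFrom=all`, so the process no longer runs with per-app/per-user categories. Neither change is explained; the commit message mentions only eBPF map access. Presumably a level mismatch between the app's categories and the pinned objects caused the denial, in which case it is worth stating which change addresses it and whether both are needed. A comment above the line, such as `# mlstrustedsubject: required to read/write fs_bpf pins, which carry no categories`, would make the trade-off visible once the reason is confirmed.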
@@ -36,3 +36,7 @@
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack fs_bpf:dir search;
+allow network_stack fs_bpf:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
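Review bot: `allow network_stack fs_bpf:file { read write };` applies to every object labelled fs_bpf, so as far as the visible rules show it is not limited to the tethering pins. The other domains exempted in bpfloader.te (gpuservice, netd, system_server) appear to rely on the same type. The comment above the rules speaks of maps, yet `prog_run` is granted on `bpfloader:bpf` as well. If that permission is needed to open the pinned tethering programs for attachment, the comment should say so, for example `# prog_run: needed to obtain the fd of the pinned tethering offload programs`. If it is not needed, drop it from this rule and from the `prog_run` neverallow exemption.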
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dedc315..929f073 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -145,7 +145,7 @@
 user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file