cut down bpf related privileges This is driven by 3 things: - netd no longer needs setattr, since this is now done by bpfloader - nothing should ever unpin maps or programs - generic cleanups and additional neverallows Test: build, atest Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I881cc8bf9fe062aaff709727406c5a51fc363c8e

commit: 49c73b06a21f8cd41b37dc6fb79160ef5969c360 [log] [tgz]
author: Maciej Żenczykowski <maze@google.com> Thu Jan 30 22:08:43 2020 -0800
committer: Maciej Żenczykowski <maze@google.com> Sat Feb 22 02:14:58 2020 +0000
tree: 68e185ff6405e928a3ff8e549e7f264948288d72
parent: 281afd81faa789a80227d050d14ddeaa2c6e6956 [diff]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 8271add..249f3df 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -3,26 +3,36 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
 
-# These permission is required for pin bpf program for netd.
-allow bpfloader fs_bpf:dir  create_dir_perms;
-allow bpfloader fs_bpf:file create_file_perms;
-allow bpfloader devpts:chr_file { read write };
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr };
 
-# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
-# for retrieving a pinned map when bpfloader do a run time restart.
-allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
 
 allow bpfloader self:capability { chown sys_admin };
 
 ###
 ### Neverallow rules
 ###
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
+
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
-# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
commit	49c73b06a21f8cd41b37dc6fb79160ef5969c360	[log] [tgz]
author	Maciej Żenczykowski <maze@google.com>	Thu Jan 30 22:08:43 2020 -0800
committer	Maciej Żenczykowski <maze@google.com>	Sat Feb 22 02:14:58 2020 +0000
tree	68e185ff6405e928a3ff8e549e7f264948288d72
parent	281afd81faa789a80227d050d14ddeaa2c6e6956 [diff]