sepolicy - move proc bpf writes from bpfloader.rc to bpfloader binary
As a reminder, per:
https://source.corp.google.com/search?q=p:aosp-master%20file:sepolicy%20-file:prebuilts%20proc_bpf%20file:genfs
we currently have:
aosp-master system/sepolicy/private/genfs_contexts
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
So the above are the files which will no longer be writable by init.
A cs/ search for p:android$ (/sys/kernel/bpf_|/sys/kernel/unprivileged_bpf_|/sys/net/core/bpf_) file:[.]rc
only finds bpfloader.rc init script as actually doing these writes.
Those writes are removed in:
https://android-review.git.corp.google.com/c/platform/system/bpf/+/2325617
'bpfloader - move sysctl setting from rc to binary'
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I19ccdf293966dd982e1d36836b0b962d99ed7275
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 28c1464..b5865bd 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,6 +18,8 @@
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
+allow bpfloader proc_bpf:file w_file_perms;
+
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
@@ -71,6 +73,4 @@
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
-# this should perhaps be moved to the bpfloader binary itself. Allow both.
-neverallow { domain -bpfloader -init } proc_bpf:file write;
+neverallow { domain -bpfloader } proc_bpf:file write;
diff --git a/public/init.te b/public/init.te
index d74d1a8..fa51ef5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -397,7 +397,6 @@
allow init {
proc_abi
- proc_bpf
proc_cpu_alignment
proc_dirty
proc_hostname