Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 52862a32c16d8088a82b4373724365c4c7da5143^! / .
commit52862a32c16d8088a82b4373724365c4c7da5143[log] [tgz]
authorStephane Lee <stayfan@google.com>Tue Mar 08 14:56:27 2022 -0800
committerStephane Lee <stayfan@google.com>Mon Mar 21 12:54:49 2022 -0700
treee25fe55aae279910af171c5c57661f09fbe7dc57
parentb93f26fd899ba19d77af9444c9f60e4a4478070d [diff]
Add sepolicies to allow hal_health_default to load BPFs.

Bug: 203462310
Test: Ensure that the BPF filter can be loaded
Change-Id: Ib507d4c1718dd56fb336501ed7598de7b44a687b

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7644cac..d7b27b5 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -40,7 +40,17 @@
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
-neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow {
+  domain
+  -bpfloader
+  -gpuservice
+  -hal_health_server
+  -mediaprovider_app
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} *:bpf prog_run;
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 

diff --git a/public/charger_vendor.te b/public/charger_vendor.te
index 2dd106f..d8f3bb2 100644
--- a/public/charger_vendor.te
+++ b/public/charger_vendor.te

@@ -2,3 +2,5 @@
 
 type charger_vendor, charger_type, domain;
 hal_server_domain(charger_vendor, hal_health)
+
+typeattribute charger_vendor bpfdomain;

diff --git a/public/hal_health.te b/public/hal_health.te
index e2a6a60..a31da4d 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te

@@ -26,3 +26,9 @@
 
 # Allow to use timerfd to wake itself up periodically to send health info.
 allow hal_health_server self:capability2 wake_alarm;
+
+# Use bpf programs
+allow hal_health_server fs_bpf:dir search;
+allow hal_health_server fs_bpf_vendor:dir search;
+allow hal_health_server fs_bpf_vendor:file read;
+allow hal_health_server bpfloader:bpf prog_run;

diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index a48c7b8..8e118e9 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te

@@ -1,5 +1,8 @@
 # health info abstraction
 type hal_health_default, domain;
+
+typeattribute hal_health_default bpfdomain;
+
 hal_server_domain(hal_health_default, hal_health)
 
 type hal_health_default_exec, exec_type, vendor_file_type, file_type;