netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps

This is so that we can potentially verify that things
are set up right.

Test: TreeHugger
Bug: 275209284
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I59a49cbece2710345fff0b2fb98e32f4e5f3af44
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 6bdc259..eecda30 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -33,14 +33,14 @@
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
 
 neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
-neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
-neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
-neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
-neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   read;
-neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               { getattr read };
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    { getattr read };
+neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
 neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
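Review bot: Dropping getattr from the generic rule `neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };` leaves getattr on fs_bpf_vendor:file without any neverallow in this hunk, because the per-type replacements list every bpffs type except fs_bpf_vendor (the write rule below explicitly carves it out with `{ bpffs_type -fs_bpf_vendor }`). Before this change no domain other than bpfloader could be granted getattr on vendor-pinned objects; after it any domain could, unless a separate vendor-side neverallow exists elsewhere in the tree. If that restriction is meant to survive, add `neverallow { domain -bpfloader } fs_bpf_vendor:file getattr;` alongside the per-type rules. The fs_bpf rule's exemption list also now lifts the getattr ceiling for gpuservice, lmkd and mediaprovider_app, which receive no matching allow in this change; that is harmless today but worth a comment if intentional.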
diff --git a/private/netd.te b/private/netd.te
index ae43e47..8be8212 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,7 +7,7 @@
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
 allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
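Review bot: The new getattr grant on `allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };` carries no in-policy rationale, and the commit message only says it may be used to verify setup; the same applies to the parallel lines in netutils_wrapper.te, network_stack.te and system_server.te. Someone auditing these domains' access to pinned progs/maps cannot tell whether the stat capability is load-bearing or speculative, which makes later tightening harder. A one-line comment above each such rule, e.g. `# getattr lets the daemon stat pinned progs/maps to check they were set up as expected (b/275209284)`, records the intent.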
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 900b35c..01f1915 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -26,7 +26,7 @@
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
 allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
 allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
diff --git a/private/network_stack.te b/private/network_stack.te
index dfee019..d9135a1 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -61,7 +61,7 @@
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
 # Use XFRM (IPsec) netlink sockets
diff --git a/private/system_server.te b/private/system_server.te
index 27e5594..8d7057c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1175,7 +1175,7 @@
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;