netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps
This is so that we can potentially verify that things
are set up right.
Test: TreeHugger
Bug: 275209284
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I59a49cbece2710345fff0b2fb98e32f4e5f3af44
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 6bdc259..eecda30 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -33,14 +33,14 @@
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
-neverallow { domain -bpfloader } fs_bpf_loader:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
+neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;