Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.
Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746
Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
diff --git a/private/bpfloader.te b/private/bpfloader.te
new file mode 100644
index 0000000..1caf952
--- /dev/null
+++ b/private/bpfloader.te
@@ -0,0 +1,28 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+
+r_dir_file(bpfloader, cgroup_bpf)
+
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+
+# TODO: unknown fd pass denials, need further investigation.
+dontaudit bpfloader netd:fd use;
+
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 34db6fa..56b0cf5 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,8 @@
(typeattributeset new_objects
( adbd_exec
bootloader_boot_reason_prop
+ bpfloader
+ bpfloader_exec
broadcastradio_service
cgroup_bpf
crossprofileapps_service
diff --git a/private/file_contexts b/private/file_contexts
index 52003d6..bebced6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
+/system/bin/bpfloader u:object_r:bpfloader_exec:s0
#############################
# Vendor files
diff --git a/private/netd.te b/private/netd.te
index f501f25..461d59b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,3 +7,6 @@
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
diff --git a/public/netd.te b/public/netd.te
index d5d90a7..0e9e08c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,7 +7,7 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
-r_dir_file(netd, cgroup_bpf)
+
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -105,7 +105,7 @@
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+allow netd self:bpf { map_create map_read map_write };
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
@@ -132,6 +132,9 @@
# only system_server and dumpstate may find netd service
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
+
# apps may not interact with netd over binder.
neverallow appdomain netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;