Add sepolicy to lock down bpf access

Add a new set of sepolicy for the process that only netd uses to load
and run eBPF programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
diff --git a/private/netd.te b/private/netd.te
index f501f25..461d59b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,3 +7,6 @@
 
 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
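Review bot: the comment on the new rule is slightly off; netd starts the bpfloader domain (via the bpfloader_exec file type), so it should mirror the clatd comment above it, e.g. `# Allow netd to start bpfloader in its own domain`. Also, this hunk references the `bpfloader` domain and `bpfloader_exec` type but neither is defined in the visible diff, and the neverallow rules the commit message mentions are not visible here either; please confirm the new bpfloader policy file (type declarations, the `bpf` permissions it needs, and the file_contexts label for the loader binary) and the neverallow rules are part of this change, otherwise the transition will fail to compile or netd will hit an SELinux denial on exec.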