bpfdomain: attribute for domain which can use BPF

Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.

Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 0000000..f0888a7
--- /dev/null
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+  bpfdomain
+  -bpfloader
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
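Review bot: Both neverallows reference the `bpfdomain` attribute, but its declaration (`attribute bpfdomain;`) is not part of this diff; if it is not added alongside this change the assertions will not compile, and if it is declared only in private rather than public policy, vendor domains presumably could never be marked as bpfdomain and the second rule would lock them out of `*:bpf` entirely, which is worth confirming as intended. The comment on the first rule should also spell out what the exemption list means, since any future domain that needs net_admin or net_raw together with BPF access has to be added there explicitly, e.g. `# Only the platform networking domains listed here may combine BPF access with net_admin/net_raw; any other bpfdomain requesting these capabilities must be reviewed and added to this list explicitly.` The new file also ends with a trailing blank line (the last added line), which can be dropped.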
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 3fbc8dc..7644cac 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,5 +1,7 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 
+typeattribute bpfloader bpfdomain;
+
 # allow bpfloader to write to the kernel log (starts early)
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
diff --git a/private/gpuservice.te b/private/gpuservice.te
index f20d932..35167d5 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,7 @@
 # gpuservice - server for gpu stats and other gpu related services
 typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
 type gpuservice_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(gpuservice)
diff --git a/private/lmkd.te b/private/lmkd.te
index aee1b7f..13828a4 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,4 +1,5 @@
 typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
 
 init_daemon_domain(lmkd)
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 82dcdb2..bcbbfcc 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing the MediaProvider mainline module.
 ###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
 
 app_domain(mediaprovider_app)
 
diff --git a/private/netd.te b/private/netd.te
index a0c8f8f..10ba20e 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd bpfdomain;
 
 init_daemon_domain(netd)
 
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index cdc342d..06aadc2 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -1,4 +1,5 @@
 typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
 
 r_dir_file(netutils_wrapper, system_file);
 
diff --git a/private/network_stack.te b/private/network_stack.te
index 2546888..b105938 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,7 @@
 # Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
 
 app_domain(network_stack);
 net_domain(network_stack);
diff --git a/private/system_server.te b/private/system_server.te
index 79817ef..9de6cae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -8,6 +8,7 @@
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)