bpfdomain: attribute for domain which can use BPF Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325

commit: 6598175e066439aa2e40b170902e1c65813892f4 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Thu Feb 10 00:32:44 2022 +0000
committer: Steven Moreland <smoreland@google.com> Thu Feb 10 00:34:50 2022 +0000
tree: a339a2cb2f9c4d09b0bce5b93f1cf6df69b945a6
parent: c30b45e2423a56fc44e4aa3931a28e98679a4c29 [diff] [blame]
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 0000000..f0888a7
--- /dev/null
+++ b/private/bpfdomain.te

@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+  bpfdomain
+  -bpfloader
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
commit	6598175e066439aa2e40b170902e1c65813892f4	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Thu Feb 10 00:32:44 2022 +0000
committer	Steven Moreland <smoreland@google.com>	Thu Feb 10 00:34:50 2022 +0000
tree	a339a2cb2f9c4d09b0bce5b93f1cf6df69b945a6
parent	c30b45e2423a56fc44e4aa3931a28e98679a4c29 [diff] [blame]