bpfdomain: attribute for domain which can use BPF Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325

commit: 6598175e066439aa2e40b170902e1c65813892f4 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Thu Feb 10 00:32:44 2022 +0000
committer: Steven Moreland <smoreland@google.com> Thu Feb 10 00:34:50 2022 +0000
tree: a339a2cb2f9c4d09b0bce5b93f1cf6df69b945a6
parent: c30b45e2423a56fc44e4aa3931a28e98679a4c29 [diff] [blame]
diff --git a/private/gpuservice.te b/private/gpuservice.te
index f20d932..35167d5 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te

@@ -1,5 +1,7 @@
 # gpuservice - server for gpu stats and other gpu related services
 typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
 type gpuservice_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(gpuservice)
commit	6598175e066439aa2e40b170902e1c65813892f4	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Thu Feb 10 00:32:44 2022 +0000
committer	Steven Moreland <smoreland@google.com>	Thu Feb 10 00:34:50 2022 +0000
tree	a339a2cb2f9c4d09b0bce5b93f1cf6df69b945a6
parent	c30b45e2423a56fc44e4aa3931a28e98679a4c29 [diff] [blame]