commit 8c11cc3db5b5229e0bf65bbbc346dc8d3200cd95
author Maciej Żenczykowski <maze@google.com> Fri Jan 15 20:42:20 2021 -0800
committer Maciej Żenczykowski <maze@google.com> Fri Jan 15 20:50:00 2021 -0800
tree f4dedbcb0a611de149d394e980a2c2e767b1a256
parent 1c343047e9107332c44a38d74a6a6353ff467cd6

bpfloader.te - allow creation of subdirectories of /sys/fs/bpf

(and while we're at it make sure noone else creates subdirs)

Resolves:
  avc: denied { create } for comm="bpfloader" name="tethering" scontext=u:r:bpfloader:s0 tcontext=u:object_r:fs_bpf:s0 tclass=dir

Test: builds and boots with bpfloader changes
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I27a4e0793ed039feab84ac5658e36b68dcca2631

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 954f863..b2e5992 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,7 +4,7 @@
 typeattribute bpfloader coredomain;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:dir { create search write add_name };
 allow bpfloader fs_bpf:file { create setattr read };
 
 # Allow bpfloader to create bpf maps and programs.
@@ -18,7 +18,7 @@
 
 # TODO: get rid of init & vendor_init
 neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
 neverallow domain fs_bpf:dir { reparent rename rmdir };
 
 # TODO: get rid of init & vendor_init