update post bpf tethering mainline module split from netd
FYI: running networking tests needs extra privs:
#============= su ==============
allow su self:capability2 bpf;
#============= untrusted_app ==============
allow untrusted_app self:key_socket create;
allow untrusted_app self:netlink_route_socket { bind nlmsg_readpriv };
allow untrusted_app self:packet_socket create;
But obviously we can't add the last three, and not even sure about the first.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I778ccaf5d100cb26f167a0c690e0125594d477c3
diff --git a/private/network_stack.te b/private/network_stack.te
index 9598fa5..6fa3055 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -49,10 +49,9 @@
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# TODO: remove netd once netd/tethering mainline module split is complete
# Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
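Review bot: dropping `-netd` from all four neverallow rules is only compile-safe because the matching `allow netd { fs_bpf fs_bpf_tethering }` rules are removed from public/netd.te in the same change; the two hunks must land together, otherwise the policy build fails the neverallow check. Note that the first pair still exempts `init` and `vendor_init` (per the "extra privs" comment on the unchanged line above), so they remain outside the `~getattr` / `*` restriction even though the netd TODO is gone; worth confirming that exemption is still intended now that the split is complete, or leaving a comment saying why it stays.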
diff --git a/public/netd.te b/public/netd.te
index 4472938..ff0bff6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,9 +64,8 @@
r_dir_file(netd, cgroup_v2)
-# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
-allow netd { fs_bpf fs_bpf_tethering }:dir search;
-allow netd { fs_bpf fs_bpf_tethering }:file { read write };
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
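Review bot: collapsing `{ fs_bpf fs_bpf_tethering }` to `fs_bpf` removes both `dir search` and `file { read write }` on fs_bpf_tethering for netd, so any netd code path that still opens a tethering map is now denied at policy level rather than failing later; since the commit message cites only "atest, TreeHugger", it would be good to state that the tethering tests were part of that run. The unchanged "TODO: netd previously thought it needed these permissions" comment immediately below reads as stale next to a change whose whole point is to drop an obsolete TODO; consider reconciling it in a follow-up.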