commit c27d24c37cdaa6335d5f85913877ee92e8440690
author Steven Moreland <smoreland@google.com> Fri Dec 13 15:18:32 2019 -0800
committer Steven Moreland <smoreland@google.com> Tue Feb 08 22:46:54 2022 +0000
tree d82ca9606e8a987cc67aae01a717fa85713cf21e
parent c3ae0ceaeed2f7679d8edeb1b1c15b5939141f23

Allow BPF programs from vendor.

Who needs all those context switches?

bpfloader controls which types of vendor programs can be used.

Bug: 140330870
Bug: 162057235
Test: successfully load bpf programs from vendor
Change-Id: I36e4f6550da33fea5bad509470dfd39f301f13c8

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 02337a0..3fbc8dc 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,15 +1,12 @@
-# bpf program loader
-type bpfloader, domain;
 type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
 
 # allow bpfloader to write to the kernel log (starts early)
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -27,24 +24,26 @@
 ###
 
 # TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
 neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
 neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
 neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+
 neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
-
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
 neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
 
 # No domain should be allowed to ptrace bpfloader