commit d5098f99a92e22ce20ec60437cc31be5cc44b74f
author Maciej Żenczykowski <maze@google.com> Mon Jul 18 03:34:30 2022 -0700
committer Maciej Żenczykowski <maze@google.com> Mon Jul 18 05:14:44 2022 -0700
tree f46a86449090f1a3555ece04bcda79044f48cdb6
parent 8fe0b28bf13f3bdf0119ec084cfcb020fd9b4cbd

allow bpfloader to create symbolic links in /sys/fs/bpf

(this is to allow /sys/fs/bpf/tethering -> net_shared/tethering
 for InProcessTethering, ie. Android Go devices)

Bug: 190523685
Bug: 236925089
Test: TreeHugger, manually on aosp_cf_x86_go_phone-userdebug
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifa52429f958b0af80f91af6bfb064c1cdf9cd070

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index ffb80c5..7c009ec 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,6 +8,7 @@
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader bpffs_type:dir { add_name create remove_name search write };
 allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
 allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
@@ -42,6 +43,9 @@
 neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
 neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
 
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
+
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
 neverallow {