Merge "webview_zygote: allow listing dirs in /system"
diff --git a/private/access_vectors b/private/access_vectors
index 14e1712..898c884 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@
class unix_dgram_socket
inherits socket
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
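Review bot: The permission names inside the new `bpf` class are a contract with the kernel's security class definition, and nothing here records that, so a later edit could add or rename a permission that the kernel will never check. A short comment above `+class bpf` would make that explicit, e.g. `# Must match the kernel's bpf security class (security/selinux/include/classmap.h)`. The five names listed here are the ones the kernel's bpf class defines, so the content itself looks right.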
#
# Define the access vector interpretation for process-related objects
#
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 50d4ee7..ab4a49a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,9 +6,11 @@
( adbd_exec
bootloader_boot_reason_prop
broadcastradio_service
+ cgroup_bpf
crossprofileapps_service
e2fs
e2fs_exec
+ fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
hal_lowpan_hwservice
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0cafa4..c07cd4c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -84,6 +84,7 @@
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -173,3 +174,4 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/private/security_classes b/private/security_classes
index 2cfc768..251b721 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@
class key_socket
class unix_stream_socket
class unix_dgram_socket
+class bpf
# sysv-ipc-related classes
class sem
diff --git a/private/system_server.te b/private/system_server.te
index eff8e8f..df24104 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -725,6 +725,11 @@
allow system_server zygote_exec:file rx_file_perms;
')
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:file write;
+allow system_server netd:bpf { map_read map_write };
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
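Review bot: The added comment has two typos (`stores` → `store`, `amd` → `and`) and does not explain the non-obvious permission choices below it. `allow system_server fs_bpf:file write;` grants write on the pinned files although the stated purpose is reading the maps; if that is because the kernel's bpf object lookup checks write permission on the path, the comment should say so, otherwise the rule reads as over-broad. Likewise `allow system_server netd:bpf { map_read map_write };` relies on bpf objects carrying the label of the domain that created them, which is worth one line such as `# bpf maps are labeled with their creator's domain (netd)` so the target type is not mistaken for a typo.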
diff --git a/public/file.te b/public/file.te
index e3ffa34..cdaaf22 100644
--- a/public/file.te
+++ b/public/file.te
@@ -60,6 +60,7 @@
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
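Review bot: `+type cgroup_bpf, fs_type;` omits the `mlstrustedobject` that the neighbouring `cgroup` type carries, so a domain running at a non-default MLS level would be denied access to the cgroup2 hierarchy even with a matching allow rule. The only users added in this change are init, netd and system_server, so this may be deliberate, but it is worth stating: `# cgroup2 hierarchy; used by init and netd only, so no mlstrustedobject`.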
@@ -81,6 +82,7 @@
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type, sysfs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
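Review bot: `+type fs_bpf, fs_type, sysfs_type;` makes every rule already written against the `sysfs_type` attribute apply to the bpf filesystem, so any domain granted read or write on `sysfs_type` elsewhere in the policy gets the same access to whatever netd creates there, which is broader than the explicit netd/system_server rules in this commit suggest. The attribute also does not appear to be needed for filesystem association: the bpf mount is labeled `fs_bpf` by genfscon and `allow fs_type self:filesystem associate;` a few lines below already covers it. Unless another rule depends on the attribute, `type fs_bpf, fs_type;` would keep access limited to the domains this change names; worth checking on the built policy which domains the attribute currently reaches.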
@@ -364,6 +366,7 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
allow file_type labeledfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 450afd8..80e9e77 100644
--- a/public/init.te
+++ b/public/init.te
@@ -69,6 +69,10 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
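Review bot: `+allow init fs_bpf:dir mounton;` is checked against the label of the mount-point directory as it exists before the mount, and `/sys/fs/bpf` is a sysfs directory, so this rule may not be the one that actually fires unless the mount point is relabeled first; worth confirming from the boot audit log that no sysfs `mounton` denial appears and that this rule is really exercised. The comment above it is also missing the leading slash: `# Mount bpf fs on /sys/fs/bpf`.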
diff --git a/public/netd.te b/public/netd.te
index fa03dbd..225ada9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,6 +7,7 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -57,6 +58,9 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
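Review bot: The two new `fs_bpf` rules sit between a `TODO` about `sysfs_usb` and a `TODO` about WiFi with no comment of their own, so a later reader cannot tell which of the surrounding notes, if any, applies to them. A one-line comment directly above `allow netd fs_bpf:dir create_dir_perms;`, e.g. `# netd creates the files and directories it needs in the bpf filesystem`, would separate them from the unrelated TODOs. `create_file_perms` includes unlink and rename, which is appropriate for the domain that owns those files but should stay limited to netd.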
@@ -103,6 +107,9 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)