Allow bpfloader to execute btfloader

btfloader is a standalone binary that receives a path to a bpf .o file
from bpfloader, parses & loads the BTF type info from the file, passes
BTF info back to bpfloader & exits. Include it in bpfloader's domain &
grant bpfloader permission to run it.

Bug: 203823368
Test: build & boot, bpfloader successfully executes btfloader
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: Ia08776a90763a8477d9f3e393d5d723b88a3176f
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 78cd37e..650117e 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,6 +17,8 @@
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
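Review bot: The added `allow bpfloader bpfloader_exec:file execute_no_trans;` line has no comment, and because it uses execute_no_trans the helper runs with every permission of the bpfloader domain even though the commit message describes it as only parsing BTF from a .o file and handing the result back. Please add a one-line comment above the rule naming btfloader as the reason, and consider whether a dedicated domain with a transition would fit this parser better than sharing bpfloader's. As written the rule targets the whole bpfloader_exec type, so it also permits bpfloader to re-execute its own binary without a transition; if that is not intended, a separate exec type for btfloader would let the rule name only the helper.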
diff --git a/private/file_contexts b/private/file_contexts
index 4a04532..f339055 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,6 +365,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
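Review bot: The new `/system/bin/btfloader` entry reuses the `bpfloader_exec` label, so every existing or future rule written against bpfloader_exec silently applies to btfloader as well, and the two binaries can no longer be told apart in policy or in audit output. A distinct type (for example a btfloader_exec type, which would have to be declared) would keep the grant in bpfloader.te scoped to the helper alone. If sharing the label is deliberate, say so in the commit message next to "Include it in bpfloader's domain" so the reasoning is recorded.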