add fs_bpf_loader selinux type

To be used for things that only the bpfloader should be able to access.

Expected use case is for programs that the bpfloader should load,
pin into the filesystem, *and* attach.

[ie. no need for anything else to attach the programs]

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I035d3fcbf6cee523e41cdde23b8edc13311a45e8
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 5f8cfa3..28c1464 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -34,6 +34,7 @@
 neverallow { domain -bpfloader } bpffs_type:file { map open setattr };
 neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
 neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
 neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
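Review bot: The new `fs_bpf_loader:file read` neverallow carries no hint of why this type is stricter than the neighbouring fs_bpf and fs_bpf_net_* rows, and the rationale lives only in the commit message. A one-line comment above the row, `# fs_bpf_loader: objects the bpfloader loads, pins and attaches itself; no other domain needs read access`, would keep that intent next to the assertion that enforces it. This matters because later exceptions tend to be added by widening the `-` list on the row without revisiting why the row exists.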
@@ -46,6 +47,8 @@
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file open;
 
 neverallow {
   domain
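Review bot: `neverallow { domain -bpfloader } fs_bpf_loader:file open;` restates the attribute-wide rule already at the top of this file, `neverallow { domain -bpfloader } bpffs_type:file { map open setattr };`, since file.te gives fs_bpf_loader the bpffs_type attribute. A duplicate neverallow is harmless, but a reader may read it as a sign that fs_bpf_loader is not covered by bpffs_type; either drop it or add `# restates the bpffs_type rule above, kept explicit for this type` so the intent is clear. For `fs_bpf_loader:bpf *`, it is worth confirming that the bpf class is actually checked against the pinned file's type rather than the creating domain's label; if it is not, this assertion constrains nothing and a CTS/TreeHugger check that exercises the path would be the only way to notice. The `neverallow {` block that begins at the end of this hunk continues outside it.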
diff --git a/private/file.te b/private/file.te
index 60e2274..134b377 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
 type fs_bpf_net_shared, fs_type, bpffs_type;
 type fs_bpf_netd_readonly, fs_type, bpffs_type;
 type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29d8561..d0af186 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,7 +395,9 @@
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
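Review bot: genfscon entries match by path prefix, so `genfscon bpf /loader u:object_r:fs_bpf_loader:s0` labels anything under the bpf mount whose path starts with `/loader`, not only a `/loader/` directory; this is the same behaviour the existing `/net_private` and `/netd_*` entries rely on, so it is consistent, but it means a future sibling pin named e.g. `loader_stats` would silently inherit the stricter label. If the bpfloader only ever pins into a `loader/` directory this is fine; a comment such as `# prefix match: everything starting with /loader is bpfloader-private` above the bpf entries would make the assumption visible. The added blank line before the bpf entries is cosmetic.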