add fs_bpf_loader selinux type
To be used for things that only the bpfloader should be able to access.
Expected use case is for programs that the bpfloader should load,
pin into the filesystem, *and* attach.
[ie. no need for anything else to attach the programs]
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I035d3fcbf6cee523e41cdde23b8edc13311a45e8
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 5f8cfa3..28c1464 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -34,6 +34,7 @@
neverallow { domain -bpfloader } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
+neverallow { domain -bpfloader } fs_bpf_loader:file read;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
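Review bot: The new `neverallow { domain -bpfloader } fs_bpf_loader:file read;` rule relies on `fs_bpf_loader` being declared as a type and carrying the `bpffs_type` attribute, neither of which is visible in this hunk; if the attribute is missing, the existing `bpffs_type:file` rules on the lines above (`map open setattr`, `create getattr rename`) would not cover the new type, so the declaration should be checked in whatever file declares the other `fs_bpf_*` types. The rule only forbids `read`, which matches the neighbouring `fs_bpf_*` rules, so any `write` restriction is presumably handled elsewhere in the file (outside this hunk) and should be confirmed to apply to the new type as well. The second hunk adds `fs_bpf_loader:bpf *` and `fs_bpf_loader:file open` for the same type; the `open` rule appears to duplicate the existing `bpffs_type:file { map open setattr }` rule if the attribute is present, which is harmless defence in depth but worth a one-line comment such as `# fs_bpf_loader: bpfloader-only; programs are loaded, pinned and attached by the loader itself` placed above the new rule so a future reader knows the restriction is intentional rather than an oversight.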
@@ -46,6 +47,8 @@
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file open;
neverallow {
domain