lmkd: Add sepolicy rules around bpf for lmkd

LMKD needs to be able to attach BPF tracepoints. To do so it needs to be able to
access tracefs, and to attach and run bpf programs.

Test: m
Test: Verified no denials with lmkd and libmemevents integration
Bug: 244232958
Change-Id: I57248b729c0f011937bec139930ca9d24ba91c3b
Signed-off-by: Carlos Galo <carlosgalo@google.com>
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 2a0bb9d..de7e8a4 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -42,7 +42,7 @@
 neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
 neverallow { domain -bpfloader                                                                                            -uprobestats } fs_bpf_uprobestats:file   { getattr read };
-neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow { domain -bpfloader -gpuservice -lmkd                    -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
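Review bot: Removing lmkd from the neverallow on `{ bpffs_type -fs_bpf_vendor }:file write` exempts it from the write restriction on every non-vendor bpffs type, while the matching allow rule in private/lmkd.te only grants write on fs_bpf_lmkd_memevents_rb. A companion rule in lmkd.te would keep the exemption from being read (or later used) as broadly as this line now permits: `neverallow lmkd { bpffs_type -fs_bpf_lmkd_memevents_rb }:file write;`, mirroring the self:perf_event allow/neverallow pair that hunk already adds. A short trailing comment on this line naming the ring-buffer type the exemption exists for would also help whoever audits the bpffs write list next.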
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 54d5356..d08e935 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -6,4 +6,6 @@
 (typeattributeset new_objects
   ( new_objects
     profcollectd_etr_prop
+    fs_bpf_lmkd_memevents_rb
+    fs_bpf_lmkd_memevents_prog
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index 5442ea3..d89e9ca 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -181,6 +181,7 @@
     -dumpstate
     -gpuservice
     -init
+    -lmkd
     -traced_perf
     -traced_probes
     -shell
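Review bot: The new `-lmkd` exemption is added without any justification, and the neverallow it belongs to begins before this hunk, so a reader of this file cannot tell which coredomain restriction lmkd now escapes. The neighbouring entries (gpuservice, traced_perf, traced_probes) suggest a tracing- or perf-related restriction, but that is an inference from names rather than something visible here. A trailing comment on the new line, e.g. `-lmkd # attaches bpf tracepoints for memevents, b/244232958`, would record the reason in the policy itself rather than only in the commit message.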
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5dfec4b..6bcd617 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -324,10 +324,13 @@
 
 genfscon bpf / u:object_r:fs_bpf:s0
 genfscon bpf /loader u:object_r:fs_bpf_loader:s0
+genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
 genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
 genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
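Review bot: The three new genfscon entries label individual pinned objects by their full name, but genfscon matches on path prefix, so any future pin whose name starts with `/map_bpfMemEvents_lmkd_rb` or with either of the two `/prog_bpfMemEvents_tracepoint_vmscan_...` strings would silently inherit these lmkd-specific labels. That is harmless today, but a one-line comment above the map entry such as `# lmkd memevents: ring-buffer map and vmscan tracepoint program pins (prefix match)` would make the coupling between these names and the pin names produced by the bpf loader visible in this file. If those pin names change, the objects fall back to the plain fs_bpf label, and the write lmkd is granted only on fs_bpf_lmkd_memevents_rb in lmkd.te would then be denied at runtime.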
diff --git a/private/lmkd.te b/private/lmkd.te
index 51d6204..6a38c58 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,16 @@
 # Get persist.device_config.lmk_native.* properties.
 get_prop(lmkd, device_config_lmkd_native_prop)
 
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow lmkd debugfs_tracing:file r_file_perms;
+allow lmkd self:perf_event { cpu kernel open write };
+
 allow lmkd fs_bpf:file read;
-allow lmkd bpfloader:bpf map_read;
+allow lmkd bpfloader:bpf { map_read map_write prog_run };
+
+# Needed for polling directly from the bpf ring buffer's fd
+allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
+allow lmkd fs_bpf_lmkd_memevents_prog:file read;
 
 neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow lmkd self:perf_event ~{ cpu kernel open write };
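Review bot: `allow lmkd debugfs_tracing:file r_file_perms;` grants read on every file carrying the debugfs_tracing label, which is considerably wider than the tracepoint-id lookups the comment above it describes; if a narrower label exists for the events tree it should be preferred, and otherwise the comment should name which files are read (presumably the `id` files of the vmscan tracepoints referenced in genfs_contexts, but that is inferred from the pin names, not visible here). Separately, the bpf object class is keyed on the loading domain, so if I read `allow lmkd bpfloader:bpf { map_read map_write prog_run };` correctly, `prog_run` and `map_write` cover every program and map bpfloader has loaded, not only the memevents ones; only the `:file` rules on fs_bpf_lmkd_memevents_rb and fs_bpf_lmkd_memevents_prog are scoped to the new types. A comment such as `# bpf class perms are per loader domain, not per pinned object; scoping comes from the fs_bpf_lmkd_memevents_* file rules below` above that line would stop readers from assuming the new type names constrain the bpf-class permissions.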
diff --git a/public/file.te b/public/file.te
index 209fdb1..9464fb3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -137,6 +137,8 @@
 # TODO: S+ fs_bpf_tethering (used by mainline) should be private
 type fs_bpf_tethering, fs_type, bpffs_type;
 type fs_bpf_vendor, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
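Review bot: The two new types are declared without a comment, while the neighbouring entries (the TODO above them and the /sys/devices/cs_etm note below) say what they label; a line such as `# lmkd memevents: ring-buffer map pin (_rb) and tracepoint program pins (_prog), see genfs_contexts` above them would explain why two types exist rather than one. Their placement after fs_bpf_vendor also breaks what looks like alphabetical ordering of the fs_bpf_* entries visible in this hunk, though I cannot see the full list from here.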