mediaprovider_app can access BPF resources The FUSE daemon in MediaProvider needs to access the file descriptor of its pinned BPF program and the maps used to commuicate with the kernel. Bug: 202785178 Test: adb logcat FuseDaemon:V \*:S (in git_master) Ignore-AOSP-First: mirroring AOSP for prototyping Signed-off-by: Alessio Balsini <balsini@google.com> Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae

commit: fd3e9d838e729cb15aba38c2a69f32b61af040e5 [log] [tgz]
author: Alessio Balsini <balsini@google.com> Thu Nov 11 18:42:11 2021 +0000
committer: Paul Lawrence <paullawrence@google.com> Mon Dec 06 19:12:55 2021 +0000
tree: c17efcc77e720dc3e40448751f221ef3c6b2ee1c
parent: eb424f43f2052ea462896b74176937e1ee326c0a [diff]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 2be2a4e..78cd37e 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -29,13 +29,14 @@
 # TODO: get rid of init & vendor_init
 neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
 neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
 neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 

diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index f370025..0e1b1a0 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te

@@ -62,3 +62,8 @@
 allow mediaprovider_app gpu_device:dir search;
 
 dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+
+# bpfprog access for FUSE BPF
+allow mediaprovider_app fs_bpf:dir search;
+allow mediaprovider_app fs_bpf:file read;
+allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
commit	fd3e9d838e729cb15aba38c2a69f32b61af040e5	[log] [tgz]
author	Alessio Balsini <balsini@google.com>	Thu Nov 11 18:42:11 2021 +0000
committer	Paul Lawrence <paullawrence@google.com>	Mon Dec 06 19:12:55 2021 +0000
tree	c17efcc77e720dc3e40448751f221ef3c6b2ee1c
parent	eb424f43f2052ea462896b74176937e1ee326c0a [diff]