# Only the platform domains listed below may hold the capabilities that
# give ownership of network attach points for BPF; every other bpfdomain
# is barred from net_admin / net_raw. This is a neverallow, i.e. an
# assertion checked when the policy is compiled, not a grant.
neverallow {
  bpfdomain
  -bpfloader
  -netd
  -netutils_wrapper
  -network_stack
  -system_server
} self:global_capability_class_set { net_admin net_raw };

# Every domain that touches the bpf object class must be a bpfdomain;
# the wildcards cover all bpf permissions on all target types.
neverallow { domain -bpfdomain } *:bpf *;

# bpfdomain may traverse directories on the bpf filesystem.
allow bpfdomain fs_bpf:dir search;

# Symlinks created under bpffs do not pick up the genfscon label and
# stay labeled fs_bpf, which looks like a kernel gap rather than intended
# behaviour. Grant read on every bpffs_type link so this keeps working
# whether or not that is ever fixed.
allow bpfdomain bpffs_type:lnk_file read;

# Required by //frameworks/libs/net
# (common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h), which
# reads this property -- presumably to wait until the BPF programs have
# been loaded; confirm against that header.
get_prop(bpfdomain, bpf_progs_loaded_prop)