Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 874e97492d7c7696a724a4c5f2f02cac8aba822c / . / private / bpfloader.te
blob: 4fe38432d90c3620076874d4431f1a8664ad0aed [file] [log] [blame]
Nick Kralevich5e372712018-09-27 10:21:37 -0700[diff] [blame]1type bpfloader_exec, system_file_type, exec_type, file_type;
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]2
Steven Moreland65981752022-02-10 00:32:44 +0000[diff] [blame]3typeattribute bpfloader bpfdomain;
4
Steven Moreland233d4aa2022-02-07 23:15:00 +0000[diff] [blame]5# allow bpfloader to write to the kernel log (starts early)
6allow bpfloader kmsg_device:chr_file w_file_perms;
7
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]8# These permissions are required to pin ebpf maps & programs.
Neill Kapron23871ea2024-11-26 18:12:40 +0000[diff] [blame]9allow bpfloader bpffs_type:dir { add_name create open read remove_name search setattr write };
Maciej Żenczykowski1fcf7c82022-07-01 18:20:01 -0700[diff] [blame]10allow bpfloader bpffs_type:file { create getattr read rename setattr };
Maciej Żenczykowskid5098f92022-07-18 03:34:30 -0700[diff] [blame]11allow bpfloader bpffs_type:lnk_file { create getattr read };
Maciej Żenczykowskib13921c2022-05-21 05:03:29 -0700[diff] [blame]12allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]13
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]14# Allow bpfloader to create bpf maps and programs.
15allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]16
Maciej Żenczykowski94c30682021-03-01 23:16:46 -0800[diff] [blame]17allow bpfloader self:capability { chown sys_admin net_admin };
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]18
Paul Lawrencee3e26b72021-11-12 00:53:26 +0000[diff] [blame]19allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
20
Maciej Żenczykowski446c8c02024-03-14 10:47:30 +0000[diff] [blame]21allow bpfloader proc_bpf:file rw_file_perms;
Maciej Żenczykowski4a960862022-12-03 12:19:31 +0000[diff] [blame]22
Maciej Żenczykowskid68cb482021-01-29 14:36:32 -0800[diff] [blame]23set_prop(bpfloader, bpf_progs_loaded_prop)
24
Connor O'Briendbe26842022-01-18 22:57:41 -0800[diff] [blame]25allow bpfloader bpfloader_exec:file execute_no_trans;
26
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]27###
28### Neverallow rules
29###
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]30
Maciej Żenczykowskiebb45f92022-12-01 14:45:35 +0000[diff] [blame]31# Note: we don't care about getattr/mounton/search
Neill Kapron23871ea2024-11-26 18:12:40 +0000[diff] [blame]32neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
33neverallow { domain -bpfloader } bpffs_type:dir { add_name create open read remove_name setattr write };
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]34
Maciej Żenczykowski9a768052022-12-03 09:13:05 +0000[diff] [blame]35neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
Maciej Żenczykowski52c8a2e2023-03-27 18:14:40 -0700[diff] [blame]36neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
37neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
38neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
39neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
40neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
41neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
42neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
43neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
Yu-Ting Tsengbaea6412024-01-16 14:02:59 -0800[diff] [blame]44neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
Carlos Galoea1bd5d2024-03-12 20:04:41 +0000[diff] [blame]45neverallow { domain -bpfloader -gpuservice -lmkd -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]46
Maciej Żenczykowskid5098f92022-07-18 03:34:30 -0700[diff] [blame]47neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
48neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
49
Maciej Żenczykowski28960d32023-06-13 20:44:48 -0700[diff] [blame]50neverallow { domain -bpfloader } *:bpf prog_load;
51neverallow { domain -bpfdomain } *:bpf { map_create map_read map_write prog_run };
Maciej Żenczykowski9a768052022-12-03 09:13:05 +0000[diff] [blame]52
53# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
Maciej Żenczykowskie14e69a2022-12-01 14:45:35 +0000[diff] [blame]54neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
Maciej Żenczykowski9a768052022-12-03 09:13:05 +0000[diff] [blame]55neverallow { domain -bpfloader } fs_bpf_loader:file *;
Steven Morelandc27d24c2019-12-13 15:18:32 -0800[diff] [blame]56
Paul Lawrence874e9742025-01-27 13:29:30 -0800[diff] [blame^]57neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]58
Maciej Żenczykowski37ca69e2023-11-18 03:36:05 +0000[diff] [blame]59neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
Steven Morelandc27d24c2019-12-13 15:18:32 -0800[diff] [blame]60
Maciej Żenczykowskid68cb482021-01-29 14:36:32 -0800[diff] [blame]61neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
Joel Galensond65f26f2018-05-23 08:36:40 -0700[diff] [blame]62
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]63# No domain should be allowed to ptrace bpfloader
64neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
Maciej Żenczykowski3702f332021-11-11 01:51:15 -0800[diff] [blame]65
Maciej Żenczykowski4a960862022-12-03 12:19:31 +0000[diff] [blame]66neverallow { domain -bpfloader } proc_bpf:file write;