Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8c11cc3db5b5229e0bf65bbbc346dc8d3200cd95 / . / private / bpfloader.te
blob: b2e5992f8c27a0f33d8acc1e0c2d120fe088f63e [file] [log] [blame]
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]1# bpf program loader
2type bpfloader, domain;
Nick Kralevich5e372712018-09-27 10:21:37 -0700[diff] [blame]3type bpfloader_exec, system_file_type, exec_type, file_type;
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]4typeattribute bpfloader coredomain;
5
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]6# These permissions are required to pin ebpf maps & programs.
Maciej Żenczykowski8c11cc32021-01-15 20:42:20 -0800[diff] [blame^]7allow bpfloader fs_bpf:dir { create search write add_name };
Maciej Żenczykowskief76c532020-06-16 21:50:44 -0700[diff] [blame]8allow bpfloader fs_bpf:file { create setattr read };
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]9
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]10# Allow bpfloader to create bpf maps and programs.
11allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]12
Maciej Żenczykowski1189fac2020-01-27 07:10:40 -0800[diff] [blame]13allow bpfloader self:capability { chown sys_admin };
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]14
15###
16### Neverallow rules
17###
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]18
19# TODO: get rid of init & vendor_init
20neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
Maciej Żenczykowski8c11cc32021-01-15 20:42:20 -0800[diff] [blame^]21neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]22neverallow domain fs_bpf:dir { reparent rename rmdir };
23
24# TODO: get rid of init & vendor_init
25neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
26neverallow { domain -bpfloader } fs_bpf:file create;
27neverallow domain fs_bpf:file { rename unlink };
28
Maciej Żenczykowski487fcb82019-04-08 21:34:53 -0700[diff] [blame]29neverallow { domain -bpfloader } *:bpf { map_create prog_load };
markchien48c600f2020-11-26 09:55:56 +0800[diff] [blame]30neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
31neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]32
Joel Fernandes147cf642018-11-29 13:07:40 -0800[diff] [blame]33neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
Maciej Żenczykowski49c73b02020-01-30 22:08:43 -0800[diff] [blame]34
Chenbo Feng566411e2018-01-02 15:31:18 -0800[diff] [blame]35neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
Joel Galensond65f26f2018-05-23 08:36:40 -0700[diff] [blame]36
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]37# No domain should be allowed to ptrace bpfloader
38neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
Joel Fernandesb76a6392019-01-11 08:32:45 -0500[diff] [blame]39
40set_prop(bpfloader, bpf_progs_loaded_prop)