Blame - private/bpfloader.te - android_system_sepolicy

blob: 02337a0b85a6497c9c5c5d2fa6041aad39035fc4 [file] [log] [blame]

Chenbo Feng	566411e	2018-01-02 15:31:18 -0800	[diff] [blame]	1	# bpf program loader
				2	type bpfloader, domain;
Nick Kralevich	5e37271	2018-09-27 10:21:37 -0700	[diff] [blame]	3	type bpfloader_exec, system_file_type, exec_type, file_type;
Chenbo Feng	566411e	2018-01-02 15:31:18 -0800	[diff] [blame]	4	typeattribute bpfloader coredomain;
				5
Steven Moreland	233d4aa	2022-02-07 23:15:00 +0000	[diff] [blame]	6	# allow bpfloader to write to the kernel log (starts early)
				7	allow bpfloader kmsg_device:chr_file w_file_perms;
				8
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	9	# These permissions are required to pin ebpf maps & programs.
Maciej Żenczykowski	d68cb48	2021-01-29 14:36:32 -0800	[diff] [blame]	10	allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
				11	allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
				12	allow fs_bpf_tethering fs_bpf:filesystem associate;
Chenbo Feng	566411e	2018-01-02 15:31:18 -0800	[diff] [blame]	13
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	14	# Allow bpfloader to create bpf maps and programs.
				15	allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
Chenbo Feng	566411e	2018-01-02 15:31:18 -0800	[diff] [blame]	16
Maciej Żenczykowski	94c3068	2021-03-01 23:16:46 -0800	[diff] [blame]	17	allow bpfloader self:capability { chown sys_admin net_admin };
Nick Kralevich	095fbea	2018-09-13 11:07:14 -0700	[diff] [blame]	18
Paul Lawrence	e3e26b7	2021-11-12 00:53:26 +0000	[diff] [blame]	19	allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
				20
Maciej Żenczykowski	d68cb48	2021-01-29 14:36:32 -0800	[diff] [blame]	21	set_prop(bpfloader, bpf_progs_loaded_prop)
				22
Connor O'Brien	dbe2684	2022-01-18 22:57:41 -0800	[diff] [blame]	23	allow bpfloader bpfloader_exec:file execute_no_trans;
				24
Nick Kralevich	095fbea	2018-09-13 11:07:14 -0700	[diff] [blame]	25	###
				26	### Neverallow rules
				27	###
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	28
Maciej Żenczykowski	d68cb48	2021-01-29 14:36:32 -0800	[diff] [blame]	29	# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
				30	neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
				31	neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
				32	neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	33
				34	# TODO: get rid of init & vendor_init
Maciej Żenczykowski	d68cb48	2021-01-29 14:36:32 -0800	[diff] [blame]	35	neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
				36	neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
Alessio Balsini	fd3e9d8	2021-11-11 18:42:11 +0000	[diff] [blame]	37	neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
				38	neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
Maciej Żenczykowski	d68cb48	2021-01-29 14:36:32 -0800	[diff] [blame]	39	neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
				40	neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	41
Maciej Żenczykowski	487fcb8	2019-04-08 21:34:53 -0700	[diff] [blame]	42	neverallow { domain -bpfloader } *:bpf { map_create prog_load };
Alessio Balsini	fd3e9d8	2021-11-11 18:42:11 +0000	[diff] [blame]	43	neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
				44	neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	45
Joel Fernandes	147cf64	2018-11-29 13:07:40 -0800	[diff] [blame]	46	neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
Maciej Żenczykowski	49c73b0	2020-01-30 22:08:43 -0800	[diff] [blame]	47
Maciej Żenczykowski	d68cb48	2021-01-29 14:36:32 -0800	[diff] [blame]	48	neverallow bpfloader :{ tcp_socket udp_socket rawip_socket } ;
Joel Galenson	d65f26f	2018-05-23 08:36:40 -0700	[diff] [blame]	49
Nick Kralevich	095fbea	2018-09-13 11:07:14 -0700	[diff] [blame]	50	# No domain should be allowed to ptrace bpfloader
				51	neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
Maciej Żenczykowski	3702f33	2021-11-11 01:51:15 -0800	[diff] [blame]	52
				53	# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
				54	# this should perhaps be moved to the bpfloader binary itself. Allow both.
				55	neverallow { domain -bpfloader -init } proc_bpf:file write;