# SELinux policy for the bpfloader domain: the early-boot process that loads
# eBPF programs/maps into the kernel and pins them under the bpf filesystem
# (types carrying the bpffs_type attribute). The allow rules grant only what
# loading and pinning needs; the neverallow section then asserts, across the
# whole policy, that no other domain can obtain those rights.
type bpfloader_exec, system_file_type, exec_type, file_type;

typeattribute bpfloader bpfdomain;

# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;

# These permissions are required to pin ebpf maps & programs.
# Note: no `open`/`read` on the directories and no `open`/`map` on the files —
# bpfloader creates, names and renames pinned objects but is not granted to
# open them back through the filesystem (the neverallow rules below enforce
# the same split).
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
# Lets every bpffs_type label other than the base fs_bpf be associated with
# the fs_bpf filesystem; presumably this is what allows pinned files to carry
# the finer-grained fs_bpf_* labels used in the read allowlists below.
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;

# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };

# Capabilities held by the loader. NOTE(review): sys_admin and net_admin are
# broad; presumably needed by the bpf() syscall on kernels without the
# finer-grained CAP_BPF split, and chown to re-own pinned objects for their
# consumers — confirm against the loader source before widening or narrowing.
allow bpfloader self:capability { chown sys_admin net_admin };

allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;

# Property set by the loader; presumably signals "programs loaded" to other
# services waiting on it — verify against bpfloader and its consumers.
set_prop(bpfloader, bpf_progs_loaded_prop)

# Execute the loader's own binary without a domain transition.
allow bpfloader bpfloader_exec:file execute_no_trans;

###
### Neverallow rules
###
### Each rule below is a build-time assertion over the whole policy (vendor
### policy included): if any domain outside the listed exclusions is ever
### granted the permission, the policy fails to compile. The "-name" entries
### are therefore the allowlist for each bpf object class; adding a domain
### widens who can reach pinned maps/programs and should be reviewed as a
### security change.

# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
# Directory permissions on bpffs: only bpfloader may add/remove entries, and
# the third rule's complement (~{ ... } = "every permission except these")
# closes off anything not enumerated, for all domains.
neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };

# TODO: get rid of init & vendor_init
# File permissions on bpffs. Pinned objects are partitioned by label (fs_bpf,
# fs_bpf_net_private, fs_bpf_net_shared, fs_bpf_netd_readonly,
# fs_bpf_netd_shared, fs_bpf_tethering, fs_bpf_vendor); each label's `read`
# rule lists the only domains that may obtain that pinned map/program.
neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
# Write access to pinned objects (fs_bpf_vendor is governed separately below)
# is limited to the networking/graphics stack and system_server; unlike the
# read rules, init and vendor_init are not excluded here.
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
# Complement: no domain gets any bpffs file permission beyond this set.
neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };

# Creation of bpf objects is reserved to bpfloader: no other domain may create
# maps or load programs into the kernel, on any target type (*).
neverallow { domain -bpfloader } *:bpf { map_create prog_load };

# Allowlist of domains that may run already-loaded programs.
neverallow {
    domain
    -bpfloader
    -gpuservice
    -hal_health_server
    -mediaprovider_app
    -netd
    -netutils_wrapper
    -network_stack
    -system_server
} *:bpf prog_run;
# Allowlist of domains that may read/update map contents.
# NOTE(review): the two lists differ — hal_health_server and netutils_wrapper
# appear only in the prog_run list, lmkd only here — confirm each asymmetry is
# intended rather than an omission.
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
# Only init may launch the loader binary (bpfloader itself may re-exec it).
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };

# Vendor-pinned objects are off limits to every coredomain (system-side)
# domain other than the loader and init; vendor domains are governed by
# their own policy.
neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;

# The loader must never have network sockets of any kind.
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;

# No domain should be allowed to ptrace bpfloader
# (llkd is exempted only on userdebug/eng builds, via the m4 macro).
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;

# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
# this should perhaps be moved to the bpfloader binary itself. Allow both.
neverallow { domain -bpfloader -init } proc_bpf:file write;