Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Blame Permalink
  • Chenbo Feng's avatar
    566411ed
    Add sepolicy to lock down bpf access · 566411ed
    Chenbo Feng authored 
    Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
    566411ed
    History
    Add sepolicy to lock down bpf access
    Chenbo Feng authored 
    Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
bpfloader.te 1.09 KiB 
# bpf program loader
type bpfloader, domain;
type bpfloader_exec, exec_type, file_type;
typeattribute bpfloader coredomain;

# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
allow bpfloader self:global_capability_class_set net_admin;

r_dir_file(bpfloader, cgroup_bpf)

# These permission is required for pin bpf program for netd.
allow bpfloader fs_bpf:dir  create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };

# TODO: unknown fd pass denials, need further investigation.
dontaudit bpfloader netd:fd use;

# Use pinned bpf map files from netd.
allow bpfloader netd:bpf { map_read map_write };
allow bpfloader self:bpf { prog_load prog_run };

# Neverallow rules
neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };