Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results

netutils_wrapper.te

  • Chenbo Feng's avatar
    2623ebcf
    Allow netutils_wrapper to use pinned bpf program · 2623ebcf
    Chenbo Feng authored
    The netutils_wrapper is a process used by vendor code to update the
    iptable rules on devices. When it update the rules for a specific chain.
    The iptable module will reload the whole chain with the new rule. So
    even the netutils_wrapper do not need to add any rules related to xt_bpf
    module, it will still reloading the existing iptables rules about xt_bpf
    module and need pass through the selinux check again when the rules are
    reloading. So we have to grant it the permission to reuse the pinned
    program in fs_bpf when it modifies the corresponding iptables chain so
    the vendor module will not crash anymore.
    
    Test: device boot and no more denials from netutils_wrapper
    Bug: 72111305
    Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be
    2623ebcf
    History
    Allow netutils_wrapper to use pinned bpf program
    Chenbo Feng authored
    The netutils_wrapper is a process used by vendor code to update the
    iptable rules on devices. When it update the rules for a specific chain.
    The iptable module will reload the whole chain with the new rule. So
    even the netutils_wrapper do not need to add any rules related to xt_bpf
    module, it will still reloading the existing iptables rules about xt_bpf
    module and need pass through the selinux check again when the rules are
    reloading. So we have to grant it the permission to reuse the pinned
    program in fs_bpf when it modifies the corresponding iptables chain so
    the vendor module will not crash anymore.
    
    Test: device boot and no more denials from netutils_wrapper
    Bug: 72111305
    Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be