sepolicy: New sepolicy classes and rules about bpf object

Add the new classes for eBPF map and program to limit the access to eBPF object. Add corresponding rules to allow netd module initialize bpf programs and maps, use the program and read/wirte to eBPF maps. Test: no bpf sepolicy violations when device boot Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd

sepolicy: New sepolicy classes and rules about bpf object
08f92f9c · Chenbo Feng · 254ad0da · 08f92f9c · 08f92f9c · 08f92f9c
Commit 08f92f9c authored 7 years ago by Chenbo Feng
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@ inherits socket
 class unix_dgram_socket
 inherits socket
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
 #
 # Define the access vector interpretation for process-related objects
 #

--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@ class packet_socket
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
+class bpf
 # sysv-ipc-related classes
 class sem

--- a/public/netd.te
+++ b/public/netd.te
@@ -107,6 +107,9 @@ allow netd netdomain:fd use;
 # give netd permission to read and write netlink xfrm
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)