From 08f92f9c01fc5b86d620024573c46ff9e6ec173b Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Tue, 22 Aug 2017 18:33:46 -0700
Subject: [PATCH] sepolicy: New sepolicy classes and rules about bpf object

Add the new sepolicy class for eBPF maps and programs to limit access to eBPF
objects. Add corresponding rules to allow the netd module to initialize bpf
programs and maps, use the programs, and read/write eBPF maps.

Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
---
 private/access_vectors   | 9 +++++++++
 private/security_classes | 1 +
 public/netd.te           | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/private/access_vectors b/private/access_vectors
index 14e171207..898c884cd 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@ inherits socket
 class unix_dgram_socket
 inherits socket
 
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
+
 #
 # Define the access vector interpretation for process-related objects
 #
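Review bot: The new `class bpf` block is the only class in this region added without a comment saying which bpf(2) operations its permissions gate, while the neighbouring sections are introduced by `#` headers; a policy author reading `prog_run` cannot tell from this file whether it covers attaching a program, BPF_PROG_TEST_RUN, or any use of a program fd. I would add above `class bpf`: `# eBPF objects (bpf(2)): map_create/prog_load gate creation of maps and programs; map_read/map_write gate access to a map's contents through its fd; prog_run gates use of a loaded program.` — with the wording adjusted to what the matching kernel LSM hooks actually check, since those hooks are not visible in this patch. It is also worth a short note that on a kernel without the bpf hooks this class is unknown to the kernel and the rules' effect then depends on the policy's unknown-class handling, which I cannot confirm from here.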
diff --git a/private/security_classes b/private/security_classes
index 2cfc768b5..251b72168 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@ class packet_socket
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
+class bpf
 
 # sysv-ipc-related classes
 class sem
diff --git a/public/netd.te b/public/netd.te
index ec18113d4..225ada9f5 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -107,6 +107,9 @@ allow netd netdomain:fd use;
 # give netd permission to read and write netlink xfrm
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
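Review bot: `allow netd self:bpf { map_create map_read map_write prog_load prog_run };` grants the complete permission set on objects labeled with netd's own domain, so any other process that receives one of these map or program fds from netd will presumably be checked against its own `bpf` rules and denied until a matching `allow <domain> netd:bpf { map_read map_write };` exists; a comment naming the intended fd consumers, or stating that the fds never leave netd, would save the next reader a denial hunt. Of the five permissions `prog_load` is the sensitive one for a network-facing daemon, and if netd is meant to be the only program loader a `neverallow { domain -netd } *:bpf prog_load;` in private policy would pin that down — I cannot tell from this hunk whether other loaders are planned, so treat that as a question rather than a defect. The "no violations at boot" test does not exercise map or program use after boot, so it would help to state which runtime path was checked for `prog_run` and `map_write`.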
-- 
GitLab