Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container Registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
16d28d0f
Commit
16d28d0f
authored
7 years ago
by
TreeHugger Robot
Committed by
Android (Google) Code Review
7 years ago
Browse files
Options
Downloads
Plain Diff
Merge "Allow netd to setup xt_bpf iptable rules" into pi-dev
parents
bfee6901
68ef8c07
No related branches found
Branches containing commit
No related tags found
Tags containing commit
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
private/bpfloader.te
+2
-1
2 additions, 1 deletion
private/bpfloader.te
private/netd.te
+3
-0
3 additions, 0 deletions
private/netd.te
with
5 additions
and
1 deletion
private/bpfloader.te
+
2
−
1
View file @
16d28d0f
...
@@ -20,7 +20,8 @@ allow bpfloader netd:bpf { map_read map_write };
...
@@ -20,7 +20,8 @@ allow bpfloader netd:bpf { map_read map_write };
allow bpfloader self:bpf { prog_load prog_run };
allow bpfloader self:bpf { prog_load prog_run };
# Neverallow rules
# Neverallow rules
neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd } *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
# only system_server, netd and bpfloader can read/write the bpf maps
...
...
This diff is collapsed.
Click to expand it.
private/netd.te
+
3
−
0
View file @
16d28d0f
...
@@ -10,3 +10,6 @@ domain_auto_trans(netd, clatd_exec, clatd)
...
@@ -10,3 +10,6 @@ domain_auto_trans(netd, clatd_exec, clatd)
# Allow netd to start bpfloader_exec in its own domain
# Allow netd to start bpfloader_exec in its own domain
domain_auto_trans(netd, bpfloader_exec, bpfloader)
domain_auto_trans(netd, bpfloader_exec, bpfloader)
# give netd permission to setup iptables rule with xt_bpf
allow netd bpfloader:bpf prog_run;
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
